From eee86a133efe840654a7c80b4456b239cb760470 Mon Sep 17 00:00:00 2001 From: John Dennis Date: Wed, 3 Oct 2012 15:19:41 -0400 Subject: [PATCH] - Add new patch to avoid reading .rpmnew, .rpmsave and other invalid files when loading config files - Upgrade to new 2.2.0 upstream release --- .gitignore | 1 + freeradius-cert-config.patch | 46 ++-- freeradius-exclude-config-file.patch | 314 +++++++++++++++++++++++++++ freeradius-man.patch | 260 ---------------------- freeradius-perl.patch | 65 ------ freeradius-postgres-sql.patch | 11 - freeradius-unix-passwd-expire.patch | 39 ---- freeradius.spec | 117 +++++++++- sources | 2 +- 9 files changed, 439 insertions(+), 416 deletions(-) create mode 100644 freeradius-exclude-config-file.patch delete mode 100644 freeradius-man.patch delete mode 100644 freeradius-perl.patch delete mode 100644 freeradius-postgres-sql.patch delete mode 100644 freeradius-unix-passwd-expire.patch diff --git a/.gitignore b/.gitignore index 97a00d0..55510b1 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ freeradius-server-2.1.9.tar.bz2 /freeradius-server-2.1.10.tar.bz2 /freeradius-server-2.1.11.tar.bz2 /freeradius-server-2.1.12.tar.bz2 +/freeradius-server-2.2.0.tar.bz2 diff --git a/freeradius-cert-config.patch b/freeradius-cert-config.patch index 9967a15..93d3950 100644 --- a/freeradius-cert-config.patch +++ b/freeradius-cert-config.patch 
@@ -1,51 +1,42 @@ -diff -r -u freeradius-server-2.1.12.orig/raddb/certs/ca.cnf freeradius-server-2.1.12/raddb/certs/ca.cnf ---- freeradius-server-2.1.12.orig/raddb/certs/ca.cnf 2011-09-07 06:59:21.000000000 -0400 -+++ freeradius-server-2.1.12/raddb/certs/ca.cnf 2011-09-07 10:28:28.000000000 -0400 -@@ -14,9 +14,9 @@ +diff -r -u freeradius-server-2.2.0.orig/raddb/certs/ca.cnf freeradius-server-2.2.0.work/raddb/certs/ca.cnf +--- freeradius-server-2.2.0.orig/raddb/certs/ca.cnf 2012-09-10 07:51:34.000000000 -0400 ++++ freeradius-server-2.2.0.work/raddb/certs/ca.cnf 2012-09-25 15:29:08.792013636 -0400 +@@ -14,7 +14,7 @@ RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default -default_days = 365 +default_days = 60 default_crl_days = 30 --default_md = md5 -+default_md = sha1 + default_md = sha1 preserve = no - policy = policy_match - -diff -r -u freeradius-server-2.1.12.orig/raddb/certs/client.cnf freeradius-server-2.1.12/raddb/certs/client.cnf ---- freeradius-server-2.1.12.orig/raddb/certs/client.cnf 2011-09-07 06:59:21.000000000 -0400 -+++ freeradius-server-2.1.12/raddb/certs/client.cnf 2011-09-07 10:28:28.000000000 -0400 -@@ -14,9 +14,9 @@ +diff -r -u freeradius-server-2.2.0.orig/raddb/certs/client.cnf freeradius-server-2.2.0.work/raddb/certs/client.cnf +--- freeradius-server-2.2.0.orig/raddb/certs/client.cnf 2012-09-10 07:51:34.000000000 -0400 ++++ freeradius-server-2.2.0.work/raddb/certs/client.cnf 2012-09-25 15:29:19.046932303 -0400 +@@ -14,7 +14,7 @@ RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default -default_days = 365 +default_days = 60 default_crl_days = 30 --default_md = md5 -+default_md = sha1 + default_md = sha1 preserve = no - policy = policy_match - -diff -r -u freeradius-server-2.1.12.orig/raddb/certs/server.cnf freeradius-server-2.1.12/raddb/certs/server.cnf ---- freeradius-server-2.1.12.orig/raddb/certs/server.cnf 2011-09-07 06:59:21.000000000 -0400 -+++ freeradius-server-2.1.12/raddb/certs/server.cnf 2011-09-07 10:28:28.000000000 
-0400 -@@ -14,9 +14,9 @@ +diff -r -u freeradius-server-2.2.0.orig/raddb/certs/server.cnf freeradius-server-2.2.0.work/raddb/certs/server.cnf +--- freeradius-server-2.2.0.orig/raddb/certs/server.cnf 2012-09-10 07:51:34.000000000 -0400 ++++ freeradius-server-2.2.0.work/raddb/certs/server.cnf 2012-09-25 15:29:26.118877959 -0400 +@@ -14,7 +14,7 @@ RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default -default_days = 365 +default_days = 60 default_crl_days = 30 --default_md = md5 -+default_md = sha1 + default_md = sha1 preserve = no - policy = policy_match - -diff -r -u freeradius-server-2.1.12.orig/raddb/eap.conf freeradius-server-2.1.12/raddb/eap.conf ---- freeradius-server-2.1.12.orig/raddb/eap.conf 2011-09-07 06:59:21.000000000 -0400 -+++ freeradius-server-2.1.12/raddb/eap.conf 2011-09-07 10:28:28.000000000 -0400 +diff -r -u freeradius-server-2.2.0.orig/raddb/eap.conf freeradius-server-2.2.0.work/raddb/eap.conf +--- freeradius-server-2.2.0.orig/raddb/eap.conf 2012-09-10 07:51:34.000000000 -0400 ++++ freeradius-server-2.2.0.work/raddb/eap.conf 2012-09-25 15:31:17.623971648 -0400 @@ -281,7 +281,11 @@ # for the server to print out an error message, # and refuse to start. @@ -59,4 +50,3 @@ diff -r -u freeradius-server-2.1.12.orig/raddb/eap.conf freeradius-server-2.1.12 # # Elliptical cryptography configuration -Only in freeradius-server-2.1.12/raddb: eap.conf.orig diff --git a/freeradius-exclude-config-file.patch b/freeradius-exclude-config-file.patch new file mode 100644 index 0000000..fecff20 --- /dev/null +++ b/freeradius-exclude-config-file.patch 
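Review bot: The retained `default_days = 60` applies to ca.cnf as well as server.cnf and client.cnf, so the CA certificate produced by the bootstrap expires after 60 days and takes every server and client certificate it signed with it, yet nothing in the patched .cnf files records why the lifetime was shortened. With 2.2.0 already shipping `default_md = sha1`, this lifetime change is the only remaining effect of the three .cnf hunks, so a one-line comment above the setting, `# packaging: 60-day lifetime so the bootstrap certs cannot quietly stay in production; generate real certificates before deployment`, would stop an administrator from treating the generated chain as durable. The lines this patch adds to eap.conf around line 281 fall outside this view.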
@@ -0,0 +1,314 @@ +diff -b -u -r freeradius-server-2.2.0.orig/src/include/libradius.h freeradius-server-2.2.0.configfile/src/include/libradius.h +--- freeradius-server-2.2.0.orig/src/include/libradius.h 2012-09-10 07:51:34.000000000 -0400 ++++ freeradius-server-2.2.0.configfile/src/include/libradius.h 2012-10-03 09:36:55.764852014 -0400 +@@ -415,6 +415,17 @@ + struct sockaddr_storage *sa, socklen_t *salen); + int fr_sockaddr2ipaddr(const struct sockaddr_storage *sa, socklen_t salen, + fr_ipaddr_t *ipaddr, int * port); ++int ++str_starts_with(const char *subject, const char *pattern); ++int ++strn_starts_with(const char *subject, const char *pattern, size_t sbj_len, size_t pat_len); ++int ++str_ends_with(const char *subject, const char *pattern); ++int ++strn_ends_with(const char *subject, const char *pattern, size_t sbj_len, size_t pat_len); ++int ++fr_exclude_config_file(const char *basename); ++ + + + #ifdef ASCEND_BINARY +diff -b -u -r freeradius-server-2.2.0.orig/src/lib/misc.c freeradius-server-2.2.0.configfile/src/lib/misc.c +--- freeradius-server-2.2.0.orig/src/lib/misc.c 2012-09-10 07:51:34.000000000 -0400 ++++ freeradius-server-2.2.0.configfile/src/lib/misc.c 2012-10-03 10:29:43.332507533 -0400 +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + int fr_dns_lookups = 0; + int fr_debug_flag = 0; +@@ -650,3 +651,161 @@ + + return 1; + } ++ ++/* ++ * Return true if subject starts with pattern, false otherwise. ++ * subject and pattern are NULL terminated strings. ++ */ ++int ++str_starts_with(const char *subject, const char *pattern) ++{ ++ size_t sbj_len; ++ size_t pat_len; ++ ++ pat_len = strlen(pattern); ++ sbj_len = strlen(subject); ++ ++ return strn_starts_with(subject, pattern, sbj_len, pat_len); ++} ++ ++/* ++ * Return true if subject starts with pattern, false otherwise. ++ * subject and pattern are terminated by their respective length parameters. 
++ */ ++int ++strn_starts_with(const char *subject, const char *pattern, size_t sbj_len, size_t pat_len) ++{ ++ const char *s = NULL; ++ const char *p = NULL; ++ const char *pat_end = NULL; ++ ++ if (subject == NULL || pattern == NULL) return 0; ++ ++ if (pat_len > sbj_len) return 0; ++ ++ pat_end = pattern + pat_len; ++ ++ for (p = pattern, s = subject; p < pat_end; p++, s++) { ++ if (*p != *s) return 0; ++ } ++ return 1; ++ ++} ++ ++/* ++ * Return true if subject starts with pattern, false otherwise. ++ * subject and pattern are NULL terminated strings. ++ */ ++int ++str_ends_with(const char *subject, const char *pattern) ++{ ++ size_t sbj_len; ++ size_t pat_len; ++ ++ pat_len = strlen(pattern); ++ sbj_len = strlen(subject); ++ ++ return strn_ends_with(subject, pattern, sbj_len, pat_len); ++} ++ ++/* ++ * Return true if subject ends with pattern, false otherwise. ++ * subject and pattern are terminated by their respective length parameters. ++ */ ++int ++strn_ends_with(const char *subject, const char *pattern, size_t sbj_len, size_t pat_len) ++{ ++ const char *s = NULL; ++ const char *sbj_end = NULL; ++ const char *p = NULL; ++ const char *pat_end = NULL; ++ ++ if (subject == NULL || pattern == NULL) return 0; ++ ++ if (pat_len > sbj_len) return 0; ++ ++ pat_end = pattern + pat_len - 1; ++ sbj_end = subject + sbj_len - 1; ++ ++ for (p = pat_end, s = sbj_end; p >= pattern; p--, s--) { ++ if (*p != *s) return 0; ++ } ++ return 1; ++ ++} ++ ++/* ++ * Tests to see if the basename of a file found in a config directory ++ * should be excluded from being read because it is not a valid config ++ * file. The function returns true if the file basename should be ++ * excluded. ++ * ++ * The following basename's are excluded: ++ * ++ * Any basename beginning with a dot (.) ++ * Any basename beginning with a hash (i.e. 
pound sign, octothorp) (#) ++ * Any basename ending with a tilde (~) ++ * Any basename ending with the substring ".rpmsave" ++ * Any basename ending with the substring ".rpmnew" ++ * Any basename ending with the substring ".bak" ++ */ ++ ++#ifdef HAVE_REGEX_H ++#include ++ ++/* ++ * Performs test with a regular expression. The regexp is compiled on ++ * first use and then saved in a static variable for future use. ++ */ ++ ++int ++fr_exclude_config_file(const char *basename) ++{ ++ char *pattern = "^\\.|^#|~$|\\.rpmsave$|\\.rpmnew$|\\.bak$"; ++ //char *pattern = "*"; ++ int status; ++ static regex_t re; ++ static int compiled = 0; ++ ++ if (!compiled) { ++ if ((status = regcomp(&re, pattern, REG_NOSUB | REG_EXTENDED)) != 0) { ++ char error_buf[256]; ++ ++ regerror(status, &re, error_buf, sizeof(error_buf)); ++ fprintf(stderr, "fr_exclude_config_file: failed to compile regular expression \"%s\": %s", ++ pattern, error_buf); ++ ++ return(0); /* Since we can't perform test, accept all files */ ++ } ++ compiled = 1; ++ } ++ status = regexec(&re, basename, (size_t) 0, NULL, 0); ++ ++ if (status == 0) { ++ return 1; ++ } else { ++ return 0; ++ } ++} ++ ++#else ++ ++/* ++ * Performs the test with starts_with and ends_with string utilities. 
++ */ ++ ++int ++fr_exclude_config_file(const char *basename) ++{ ++ if (str_starts_with(basename, ".")) return 1; ++ if (str_starts_with(basename, "#")) return 1; ++ ++ if (str_ends_with(basename, "~")) return 1; ++ if (str_ends_with(basename, ".rpmsave")) return 1; ++ if (str_ends_with(basename, ".rpmnew")) return 1; ++ if (str_ends_with(basename, ".bak")) return 1; ++ ++ return 0; ++} ++ ++#endif +diff -b -u -r freeradius-server-2.2.0.orig/src/main/client.c freeradius-server-2.2.0.configfile/src/main/client.c +--- freeradius-server-2.2.0.orig/src/main/client.c 2012-09-10 07:51:34.000000000 -0400 ++++ freeradius-server-2.2.0.configfile/src/main/client.c 2012-10-03 10:53:33.166452136 -0400 +@@ -845,13 +845,24 @@ + } + + /* +- * Read the directory, ignoring "." files. ++ * Read the directory, ignoring invalid files. + */ + while ((dp = readdir(dir)) != NULL) { + const char *p; + RADCLIENT *dc; + +- if (dp->d_name[0] == '.') continue; ++ /* ++ * Check for invalid file names ++ */ ++ if (fr_exclude_config_file(dp->d_name)) { ++ if (!(strcmp(dp->d_name, ".") == 0 || ++ strcmp(dp->d_name, "..") == 0)) { ++ cf_log_info(cs, ++ "skipping client file, invalid name \"%s/%s\"", ++ value, dp->d_name); ++ } ++ continue; ++ } + + /* + * Check for valid characters +@@ -863,7 +874,12 @@ + (*p == '.')) continue; + break; + } +- if (*p != '\0') continue; ++ if (*p != '\0') { ++ cf_log_info(cs, ++ "skipping client file, invalid characters in name \"%s/%s\"", ++ value, dp->d_name); ++ continue; ++ } + + snprintf(buf2, sizeof(buf2), "%s/%s", + value, dp->d_name); +diff -b -u -r freeradius-server-2.2.0.orig/src/main/conffile.c freeradius-server-2.2.0.configfile/src/main/conffile.c +--- freeradius-server-2.2.0.orig/src/main/conffile.c 2012-09-10 07:51:34.000000000 -0400 ++++ freeradius-server-2.2.0.configfile/src/main/conffile.c 2012-10-03 10:55:05.918611881 -0400 +@@ -1512,12 +1512,23 @@ + } + + /* +- * Read the directory, ignoring "." files. 
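Review bot: In the regex build of `fr_exclude_config_file`, a `regcomp` failure returns 0 ("accept all files"), but the three callers in this patch drop their old `d_name[0] == '.'` test and rely entirely on this function, so a compile failure would now let `.` and `..` (and every backup file) through to the config reader; the fallback should fail closed by running the literal checks the `#else` branch already implements, and the failed compile should not be retried on every call. The stderr message also lacks a trailing `\n`, the commented-out `//char *pattern = "*";` debugging line should go, and `pattern` can be `static const`. Separately, `strn_ends_with` computes `pattern + pat_len - 1` and `subject + sbj_len - 1` before checking for zero length, which forms out-of-bounds pointers when either length is 0 (an early `if (pat_len == 0) return 1;` keeps the same result and avoids that), and the header comment on `str_ends_with` still says "starts with". Something like the following keeps the regex fast path and a fail-closed fallback:
```c
int
fr_exclude_config_file(const char *basename)
{
	static const char pattern[] = "^\\.|^#|~$|\\.rpmsave$|\\.rpmnew$|\\.bak$";
	static regex_t re;
	static int compiled = 0;	/* 0 = not tried, 1 = compiled, -1 = failed */
	int status;

	if (compiled == 0) {
		status = regcomp(&re, pattern, REG_NOSUB | REG_EXTENDED);
		if (status != 0) {
			char error_buf[256];

			regerror(status, &re, error_buf, sizeof(error_buf));
			fprintf(stderr, "fr_exclude_config_file: failed to compile regular expression \"%s\": %s\n",
				pattern, error_buf);
			compiled = -1;
		} else {
			compiled = 1;
		}
	}

	/*
	 *	No usable regex: fall back to the literal tests so that
	 *	".", ".." and backup files are still skipped (fail closed).
	 */
	if (compiled < 0) {
		if (basename[0] == '.' || basename[0] == '#') return 1;
		if (str_ends_with(basename, "~")) return 1;
		if (str_ends_with(basename, ".rpmsave")) return 1;
		if (str_ends_with(basename, ".rpmnew")) return 1;
		if (str_ends_with(basename, ".bak")) return 1;
		return 0;
	}

	return regexec(&re, basename, (size_t) 0, NULL, 0) == 0;
}
```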
++ * Read the directory, ignoring invalid files. + */ + while ((dp = readdir(dir)) != NULL) { + const char *p; + +- if (dp->d_name[0] == '.') continue; ++ /* ++ * Check for invalid file names ++ */ ++ if (fr_exclude_config_file(dp->d_name)) { ++ if (!(strcmp(dp->d_name, ".") == 0 || ++ strcmp(dp->d_name, "..") == 0)) { ++ radlog(L_INFO, "skipping config file, invalid name \"%s%s\"", ++ value, dp->d_name); ++ } ++ continue; ++ } ++ + + /* + * Check for valid characters +@@ -1530,7 +1541,11 @@ + (*p == '.')) continue; + break; + } +- if (*p != '\0') continue; ++ if (*p != '\0') { ++ radlog(L_INFO, "skipping config file, invalid characters in name \"%s%s\"", ++ value, dp->d_name); ++ continue; ++ } + + snprintf(buf2, sizeof(buf2), "%s%s", + value, dp->d_name); +diff -b -u -r freeradius-server-2.2.0.orig/src/modules/rlm_policy/parse.c freeradius-server-2.2.0.configfile/src/modules/rlm_policy/parse.c +--- freeradius-server-2.2.0.orig/src/modules/rlm_policy/parse.c 2012-09-10 07:51:34.000000000 -0400 ++++ freeradius-server-2.2.0.configfile/src/modules/rlm_policy/parse.c 2012-10-03 10:57:16.985425570 -0400 +@@ -1584,13 +1584,22 @@ + } + + /* +- * Read the directory, ignoring "." files. ++ * Read the directory, ignoring invalid files. + */ + while ((dp = readdir(dir)) != NULL) { + struct stat buf; + +- if (dp->d_name[0] == '.') continue; +- if (strchr(dp->d_name, '~') != NULL) continue; ++ /* ++ * Check for invalid file names ++ */ ++ if (fr_exclude_config_file(dp->d_name)) { ++ if (!(strcmp(dp->d_name, ".") == 0 || ++ strcmp(dp->d_name, "..") == 0)) { ++ fprintf(stderr, "skipping policy file, invalid name \"%s%s\"", ++ buffer, dp->d_name); ++ } ++ continue; ++ } + + strlcpy(p, dp->d_name, + sizeof(buffer) - (p - buffer)); +@@ -1704,4 +1713,3 @@ + + return 1; + } +- diff --git a/freeradius-man.patch b/freeradius-man.patch deleted file mode 100644 index 6c694c5..0000000 --- a/freeradius-man.patch +++ /dev/null 
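Review bot: The new diagnostic in the rlm_policy directory loop prints `buffer` as the directory prefix, but `p` appears to point into `buffer` just past that prefix (the `strlcpy(p, dp->d_name, ...)` below copies each name there), so after the first accepted file `buffer` already holds the previous full path and an excluded entry would be reported as that path with the new name appended; the message also has no trailing newline, and the bare `fprintf(stderr, ...)` sits beside the `cf_log_info`/`radlog` calls the other two callers in this patch use. Printing only the prefix fixes the path: `fprintf(stderr, "skipping policy file, invalid name \"%.*s%s\"\n", (int)(p - buffer), buffer, dp->d_name);`. Note also that the removed `strchr(dp->d_name, '~')` skipped any name containing a tilde, whereas `fr_exclude_config_file` only matches a trailing one, so a name such as `foo~bar` is now loaded; if that narrowing is intended it deserves a line in the patch description. The enclosing function begins before this hunk.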
@@ -1,260 +0,0 @@ -From 12bbe0c8289260f7db62e010a5e7168ce7bc5644 Mon Sep 17 00:00:00 2001 -From: John Dennis -Date: Fri, 13 Jan 2012 12:45:14 -0500 -Subject: [PATCH] Fix typo in name of rlm_dbm_parser man page -Content-Type: text/plain; charset="utf-8" -Content-Transfer-Encoding: 8bit - -It was rlm_dbm_parse but should be rlm_dbm_parser to match the -executable name. Also fix name in man page. ---- - src/modules/rlm_dbm/Makefile.in | 2 +- - src/modules/rlm_dbm/rlm_dbm_parse.8 | 109 ---------------------------------- - src/modules/rlm_dbm/rlm_dbm_parser.8 | 109 ++++++++++++++++++++++++++++++++++ - 3 files changed, 110 insertions(+), 110 deletions(-) - delete mode 100644 src/modules/rlm_dbm/rlm_dbm_parse.8 - create mode 100644 src/modules/rlm_dbm/rlm_dbm_parser.8 - -diff --git a/src/modules/rlm_dbm/Makefile.in b/src/modules/rlm_dbm/Makefile.in -index f970538..cd537ec 100644 ---- a/src/modules/rlm_dbm/Makefile.in -+++ b/src/modules/rlm_dbm/Makefile.in -@@ -29,4 +29,4 @@ rlm_dbm_install: rlm_dbm_cat rlm_dbm_parser - $(LIBTOOL) --mode=install $(INSTALL) -m 755 $(INSTALLSTRIP) \ - rlm_dbm_parser$(EXEEXT) $(R)$(bindir) - $(INSTALL) -m 644 rlm_dbm_cat.8 $(R)$(mandir)/man8 -- $(INSTALL) -m 644 rlm_dbm_parse.8 $(R)$(mandir)/man8 -+ $(INSTALL) -m 644 rlm_dbm_parser.8 $(R)$(mandir)/man8 -diff --git a/src/modules/rlm_dbm/rlm_dbm_parse.8 b/src/modules/rlm_dbm/rlm_dbm_parse.8 -deleted file mode 100644 -index 51dd1fc..0000000 ---- a/src/modules/rlm_dbm/rlm_dbm_parse.8 -+++ /dev/null -@@ -1,109 +0,0 @@ --.TH RLM_DBM_PARSE 8 --.SH NAME --rlm_dbm_parse - transforms simple syntax into rlm_dbm format --.SH SYNOPSIS --.B rlm_dbm_parse --.RB [ \-c ] --.RB [ \-d --.IR raddb ] --.RB [ \-i --.IR inputfile ] --.RB [ \-o --.IR outputfile ] --.RB [ \-x ] --.RB [ \-v ] --.RB [ \-q ] --[\fIusername ...\fP] -- --.SH DESCRIPTION --\fBrlm_dbm_parse\fP reads a file of the syntax defined below, and writes --a database file usable by rlm_dbm or edits current database. 
--.PP -- --.SH INPUT FORMAT -- --\fIrlm_dbm_parse\fP reads a format similar to the one used by the files --module. In incomplete RFC2234 ABNF, it looks like this: -- --.nf --entries = *entry --entry = identifier TAB definition --identifier = username / group-name --username = +PCHAR --groupname = +PCHAR --definition = (check-item ",")* LF ( *( reply-item ",") / ";" ) LF --check-item = AS IN FILES --reply-item = AS IN FILES --* need definition of username and groupname --.fi -- --As an example, these are the standard files definitions (files module). -- --.nf --DEFAULT Service-Type == Framed-User -- Framed-IP-Address = 255.255.255.254, -- Framed-MTU = 576, -- Service-Type = Framed-User, -- Fall-Through = Yes -- --#except who call from number 555-666 --DEFAULT Auth-Type := Reject,Service-Type ==Framed-User, -- Calling-Station-ID == "555-666" -- --#or call number 555-667 --DEFAULT Auth-Type := Reject,Service-Type ==Framed-User, -- Calling-Station-ID == "555-667" --.fi -- --To be a valid rlm_dbm input file, it should look like this: -- --.nf --DEFAULT Service-Type == Framed-User # (1) -- Framed-IP-Address = 255.255.255.254, # comma, list cont'd -- Framed-MTU = 576, -- Service-Type = Framed-User, -- Fall-Through = Yes # \\n, end of list -- Auth-Type := Reject,Service-Type ==Framed-User, # (2) -- Calling-Station-ID == "555-666" -- ; # ;, no reply items -- Auth-Type := Reject,Service-Type ==Framed-User, # (3) -- Calling-Station-ID == "555-667" -- ; # ditto --.fi -- --This user (the DEFAULT user) contains three entries, 1, 2 and 3. The --first entry has a list of reply items, terminated by a reply item --without a trailing comma. Entries 2 and 3 has empty reply lists, as --indicated by the semicolon. This is necessary to separate an empty --line (which is ignored) from the empty list. --Definition Fall-Through = Yes used in order to say module to check next --record. By default Fall-Through = Yes. 
-- --.SH OPTIONS -- --.IP \-d\ \fIraddb\fP --Use \fIraddb\fP as the radiusd configuration directory. --.IP \-i\ \fIinputfile\fP --Use \fIfile\fP as the input file. If not defined then use standard input. --.IP \-o\ \fIoutputfile\fP --Use \fIfile\fP as the output file. --.IP \-c --Create a new database (empty output file before writing) --.IP \-x --Enable debug mode. Multiple x flags increase debug level. --.IP \-q --Do not print statistics (quiet). --.IP \-v --Print the version and exit. --.IP \-r --Remove a username or group name from the database. -- --.SH SEE ALSO --radiusd(8) --.SH AUTHORS --.TP --Author: --Andrei Koulik --.TP --Documentation: --Bjørn Nordbø -diff --git a/src/modules/rlm_dbm/rlm_dbm_parser.8 b/src/modules/rlm_dbm/rlm_dbm_parser.8 -new file mode 100644 -index 0000000..94137da ---- /dev/null -+++ b/src/modules/rlm_dbm/rlm_dbm_parser.8 -@@ -0,0 +1,109 @@ -+.TH RLM_DBM_PARSER 8 -+.SH NAME -+rlm_dbm_parser - transforms simple syntax into rlm_dbm format -+.SH SYNOPSIS -+.B rlm_dbm_parser -+.RB [ \-c ] -+.RB [ \-d -+.IR raddb ] -+.RB [ \-i -+.IR inputfile ] -+.RB [ \-o -+.IR outputfile ] -+.RB [ \-x ] -+.RB [ \-v ] -+.RB [ \-q ] -+[\fIusername ...\fP] -+ -+.SH DESCRIPTION -+\fBrlm_dbm_parser\fP reads a file of the syntax defined below, and writes -+a database file usable by rlm_dbm or edits current database. -+.PP -+ -+.SH INPUT FORMAT -+ -+\fIrlm_dbm_parser\fP reads a format similar to the one used by the files -+module. In incomplete RFC2234 ABNF, it looks like this: -+ -+.nf -+entries = *entry -+entry = identifier TAB definition -+identifier = username / group-name -+username = +PCHAR -+groupname = +PCHAR -+definition = (check-item ",")* LF ( *( reply-item ",") / ";" ) LF -+check-item = AS IN FILES -+reply-item = AS IN FILES -+* need definition of username and groupname -+.fi -+ -+As an example, these are the standard files definitions (files module). 
-+ -+.nf -+DEFAULT Service-Type == Framed-User -+ Framed-IP-Address = 255.255.255.254, -+ Framed-MTU = 576, -+ Service-Type = Framed-User, -+ Fall-Through = Yes -+ -+#except who call from number 555-666 -+DEFAULT Auth-Type := Reject,Service-Type ==Framed-User, -+ Calling-Station-ID == "555-666" -+ -+#or call number 555-667 -+DEFAULT Auth-Type := Reject,Service-Type ==Framed-User, -+ Calling-Station-ID == "555-667" -+.fi -+ -+To be a valid rlm_dbm input file, it should look like this: -+ -+.nf -+DEFAULT Service-Type == Framed-User # (1) -+ Framed-IP-Address = 255.255.255.254, # comma, list cont'd -+ Framed-MTU = 576, -+ Service-Type = Framed-User, -+ Fall-Through = Yes # \\n, end of list -+ Auth-Type := Reject,Service-Type ==Framed-User, # (2) -+ Calling-Station-ID == "555-666" -+ ; # ;, no reply items -+ Auth-Type := Reject,Service-Type ==Framed-User, # (3) -+ Calling-Station-ID == "555-667" -+ ; # ditto -+.fi -+ -+This user (the DEFAULT user) contains three entries, 1, 2 and 3. The -+first entry has a list of reply items, terminated by a reply item -+without a trailing comma. Entries 2 and 3 has empty reply lists, as -+indicated by the semicolon. This is necessary to separate an empty -+line (which is ignored) from the empty list. -+Definition Fall-Through = Yes used in order to say module to check next -+record. By default Fall-Through = Yes. -+ -+.SH OPTIONS -+ -+.IP \-d\ \fIraddb\fP -+Use \fIraddb\fP as the radiusd configuration directory. -+.IP \-i\ \fIinputfile\fP -+Use \fIfile\fP as the input file. If not defined then use standard input. -+.IP \-o\ \fIoutputfile\fP -+Use \fIfile\fP as the output file. -+.IP \-c -+Create a new database (empty output file before writing) -+.IP \-x -+Enable debug mode. Multiple x flags increase debug level. -+.IP \-q -+Do not print statistics (quiet). -+.IP \-v -+Print the version and exit. -+.IP \-r -+Remove a username or group name from the database. 
-+ -+.SH SEE ALSO -+radiusd(8) -+.SH AUTHORS -+.TP -+Author: -+Andrei Koulik -+.TP -+Documentation: -+Bjørn Nordbø --- -1.7.7.5 - diff --git a/freeradius-perl.patch b/freeradius-perl.patch deleted file mode 100644 index 8e45142..0000000 --- a/freeradius-perl.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -commit ecb3cd1dbedb764ab98532dae5e0b5bfc9571b00 -Author: Alan T. DeKok -Date: Thu Dec 1 14:21:03 2011 +0100 - - Perl clone should be called sequentially, not in parallel. - - Adding a mutex fixes this. - - Patch from Eike Dehling - -diff --git a/src/modules/rlm_perl/rlm_perl.c b/src/modules/rlm_perl/rlm_perl.c -index 5c82e89..4682ba5 100644 ---- a/src/modules/rlm_perl/rlm_perl.c -+++ b/src/modules/rlm_perl/rlm_perl.c -@@ -77,6 +77,8 @@ typedef struct perl_inst { - char *perl_flags; - PerlInterpreter *perl; - pthread_key_t *thread_key; -+ -+ pthread_mutex_t clone_mutex; - } PERL_INST; - /* - * A mapping of configuration file names to internal variables. -@@ -434,6 +436,8 @@ static int perl_instantiate(CONF_SECTION *conf, void **instance) - */ - - #ifdef USE_ITHREADS -+ pthread_mutex_init(&inst->clone_mutex, NULL); -+ - inst->thread_key = rad_malloc(sizeof(*inst->thread_key)); - memset(inst->thread_key,0,sizeof(*inst->thread_key)); - -@@ -656,8 +660,10 @@ static int rlmperl_call(void *instance, REQUEST *request, char *function_name) - HV *rad_request_hv; - HV *rad_request_proxy_hv; - HV *rad_request_proxy_reply_hv; -- -+ - #ifdef USE_ITHREADS -+ pthread_mutex_lock(&inst->clone_mutex); -+ - PerlInterpreter *interp; - - interp = rlm_perl_clone(inst->perl,inst->thread_key); -@@ -665,9 +671,12 @@ static int rlmperl_call(void *instance, REQUEST *request, char *function_name) - dTHXa(interp); - PERL_SET_CONTEXT(interp); - } -+ -+ pthread_mutex_unlock(&inst->clone_mutex); - #else - PERL_SET_CONTEXT(inst->perl); - #endif -+ - { - dSP; - -@@ -974,6 +983,7 @@ static int perl_detach(void *instance) - - #ifdef USE_ITHREADS - rlm_perl_destruct(inst->perl); -+ pthread_mutex_destroy(&inst->clone_mutex); - #else - perl_destruct(inst->perl); - perl_free(inst->perl); diff --git a/freeradius-postgres-sql.patch b/freeradius-postgres-sql.patch deleted file mode 100644 index 08cc706..0000000 --- a/freeradius-postgres-sql.patch +++ /dev/null 
@@ -1,11 +0,0 @@ -diff -r -u freeradius-server-2.1.12.orig/raddb/sql/postgresql/admin.sql freeradius-server-2.1.12.work/raddb/sql/postgresql/admin.sql ---- freeradius-server-2.1.12.orig/raddb/sql/postgresql/admin.sql 2011-09-30 10:12:07.000000000 -0400 -+++ freeradius-server-2.1.12.work/raddb/sql/postgresql/admin.sql 2012-02-28 13:16:36.329403383 -0500 -@@ -28,5 +28,5 @@ - /* - * The server can write to the accounting and post-auth logging table. - */ --GRANT ALL on radius.radacct TO radius; --GRANT ALL on radius.radpostauth TO radius; -+GRANT ALL on radacct TO radius; -+GRANT ALL on radpostauth TO radius; diff --git a/freeradius-unix-passwd-expire.patch b/freeradius-unix-passwd-expire.patch deleted file mode 100644 index ee75c3a..0000000 --- a/freeradius-unix-passwd-expire.patch +++ /dev/null 
@@ -1,39 +0,0 @@ ---- freeradius-server-2.1.12.orig/src/modules/rlm_unix/rlm_unix.c 2011-09-30 10:12:07.000000000 -0400 -+++ freeradius/freeradius-server/src/modules/rlm_unix/rlm_unix.c 2012-02-27 15:10:19.782821614 -0500 -@@ -274,9 +274,17 @@ - /* - * Check if password has expired. - */ -+ if (spwd && spwd->sp_lstchg > 0 && spwd->sp_max >= 0 && -+ (request->timestamp / 86400) > (spwd->sp_lstchg + spwd->sp_max)) { -+ radlog_request(L_AUTH, 0, request, "[%s]: password has expired", name); -+ return RLM_MODULE_REJECT; -+ } -+ /* -+ * Check if account has expired. -+ */ - if (spwd && spwd->sp_expire > 0 && - (request->timestamp / 86400) > spwd->sp_expire) { -- radlog_request(L_AUTH, 0, request, "[%s]: password has expired", name); -+ radlog_request(L_AUTH, 0, request, "[%s]: account has expired", name); - return RLM_MODULE_REJECT; - } - #endif -@@ -363,7 +371,7 @@ - if (fr_crypt_check((char *) request->password->vp_strvalue, - (char *) vp->vp_strvalue) != 0) { - radlog_request(L_AUTH, 0, request, "invalid password \"%s\"", -- request->username->vp_strvalue); -+ request->password->vp_strvalue); - return RLM_MODULE_REJECT; - } - #endif /* OSFFIA */ -@@ -440,7 +448,7 @@ - * Which type is this. - */ - if ((vp = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE))==NULL) { -- radlog(L_ERR, "rlm_unix: no Accounting-Status-Type attribute in request."); -+ RDEBUG("no Accounting-Status-Type attribute in request."); - return RLM_MODULE_NOOP; - } - status = vp->vp_integer; diff --git a/freeradius.spec b/freeradius.spec index 8ef1a28..5e5c633 100644 --- a/freeradius.spec +++ b/freeradius.spec @@ -1,7 +1,7 @@ Summary: High-performance and highly configurable free RADIUS server Name: freeradius -Version: 2.1.12 -Release: 8%{?dist} +Version: 2.2.0 +Release: 0%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Daemons URL: http://www.freeradius.org/ 
@@ -14,11 +14,8 @@ Source104: %{name}-tmpfiles.conf Patch1: freeradius-cert-config.patch Patch2: freeradius-radtest.patch -Patch3: freeradius-man.patch -Patch4: freeradius-unix-passwd-expire.patch -Patch5: freeradius-radeapclient-ipv6.patch -Patch6: freeradius-postgres-sql.patch -Patch7: freeradius-perl.patch +Patch3: freeradius-radeapclient-ipv6.patch +Patch4: freeradius-exclude-config-file.patch Obsoletes: freeradius-devel Obsoletes: freeradius-libs @@ -152,11 +149,8 @@ This plugin provides the unixODBC support for the FreeRADIUS server project. %setup -q -n freeradius-server-%{version} %patch1 -p1 -b .cert-config %patch2 -p1 -b .radtest -%patch3 -p1 -b .man -%patch4 -p1 -b unix-passwd-expire -%patch5 -p1 -b radeapclient-ipv6 -%patch6 -p1 -b postgres-sql -%patch7 -p1 -b perl +%patch3 -p1 -b radeapclient-ipv6 +%patch4 -p1 -b exclude-config-file # Some source files mistakenly have execute permissions set find $RPM_BUILD_DIR/freeradius-server-%{version} \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} + @@ -171,6 +165,7 @@ export CFLAGS="$RPM_OPT_FLAGS -fpic" %configure \ --libdir=%{_libdir}/freeradius \ --with-system-libtool \ + --with-system-libltdl \ --disable-ltdl-install \ --with-udpfromto \ --with-gnu-ld \ @@ -353,6 +348,7 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/always %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/attr_filter %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/attr_rewrite +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/cache %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/chap %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/checkval %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/counter 
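Review bot: The new `%patch3 -p1 -b radeapclient-ipv6` and `%patch4 -p1 -b exclude-config-file` lines omit the leading dot that `-b .cert-config` and `-b .radtest` use, so the backups `patch` writes are named like `misc.cexclude-config-file` instead of `misc.c.exclude-config-file`; the removed `-b unix-passwd-expire` carried the same slip, and the rebase is the moment to fix it: `%patch3 -p1 -b .radeapclient-ipv6` and `%patch4 -p1 -b .exclude-config-file`. Those backups deserve a second look for another reason: this same commit drops an `eap.conf.orig` artifact from the cert-config patch and adds a loader filter that skips only dot-files, `#` files, `~`, `.rpmsave`, `.rpmnew` and `.bak`, so a `raddb/eap.conf.cert-config` backup would not match it, and if the install step ever copies raddb/ wholesale (not visible here) it would be read as a live config file. Removing the `-b` backups before `%install`, or extending the filter to cover them, would close that gap.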
@@ -360,6 +356,7 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/detail %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/detail.example.com %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/detail.log +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/dhcp_sqlippool %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/digest %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/dynamic_clients %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/echo @@ -384,6 +381,7 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/passwd %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/policy %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/preprocess +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/radrelay %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/radutmp %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/realm %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/redis @@ -459,6 +457,8 @@ exit 0 %{_libdir}/freeradius/rlm_attr_filter-%{version}.so %{_libdir}/freeradius/rlm_attr_rewrite.so %{_libdir}/freeradius/rlm_attr_rewrite-%{version}.so +%{_libdir}/freeradius/rlm_cache.so +%{_libdir}/freeradius/rlm_cache-%{version}.so %{_libdir}/freeradius/rlm_chap.so %{_libdir}/freeradius/rlm_chap-%{version}.so %{_libdir}/freeradius/rlm_checkval.so 
@@ -601,6 +601,99 @@ exit 0 %{_libdir}/freeradius/rlm_sql_unixodbc-%{version}.so %changelog +* Wed Oct 3 2012 John Dennis - 2.2.0-0 +- Add new patch to avoid reading .rpmnew, .rpmsave and other invalid + files when loading config files +- Upgrade to new 2.2.0 upstream release +- Upstream changelog for 2.1.12: + Feature improvements + * 100% configuration file compatible with 2.1.x. + The only fix needed is to disallow "hashsize=0" for rlm_passwd + * Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware, + Redback, and Mikrotik dictionaries + * Switch to using SHA1 for certificate digests instead of MD5. + See raddb/certs/*.cnf + * Added copyright statements to the dictionaries, so that we know + when people are using them. + * Better documentation for radrelay and detail file writer. + See raddb/modules/radrelay and raddb/radrelay.conf + * Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard + * Added -F to radwho + * Added query timeouts to MySQL driver. Patch from Brian De Wolf. + * Add /etc/default/freeradius to debian package. + Patch from Matthew Newton + * Finalize DHCP and DHCP relay code. It should now work everywhere. + See raddb/sites-available/dhcp, src_ipaddr and src_interface. + * DHCP capabilitiies are now compiled in by default. + It runs as a DHCP server ONLY when manually enabled. + * Added one letter expansions: %G - request minute and %I request + ID. + * Added script to convert ISC DHCP lease files to SQL pools. + See scripts/isc2ippool.pl + * Added rlm_cache to cache arbitrary attributes. + * Added max_use to rlm_ldap to force connection to be re-established + after a given number of queries. + * Added configtest option to Debian init scripts, and automatic + config test on restart. + * Added cache config item to rlm_krb5. When set to "no" ticket + caching is disabled which may increase performance. + + Bug fixes + * Fix CVE-2012-3547. All users of 2.1.10, 2.1.11, 2.1.12, + and 802.1X should upgrade immediately. 
+ * Fix typo in detail file writer, to skip writing if the packet + was read from this detail file. + * Free cached replies when closing resumed SSL sessions. + * Fix a number of issues found by Coverity. + * Fix memory leak and race condition in the EAP-TLS session cache. + Thanks to Phil Mayers for tracking down OpenSSL APIs. + * Restrict ATTRIBUTE names to character sets that make sense. + * Fix EAP-TLS session Id length so that OpenSSL doesn't get + excited. + * Fix SQL IPPool logic for non-timer attributes. Closes bug #181 + * Change some informational messages to DEBUG rather than error. + * Portability fixes for FreeBSD. Closes bug #177 + * A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols + nonsense. + * Safely handle extremely long lines in conf file variable expansion + * Fix for Debian bug #606450 + * Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling + * The passwd module no longer permits "hashsize = 0". Setting that + is pointless for a host of reasons. It will also break the server. + * Fix proxied inner-tunnel packets sometimes having zero authentication + vector. Found by Brian Julin. + * Added $(EXEEXT) to Makefiles for portability. Closes bug #188. + * Fix minor build issue which would cause rlm_eap to be built twice. + * When using "status_check=request" for a home server, the username + and password must be specified, or the server will not start. + * EAP-SIM now calculates keys from the SIM identity, not from the + EAP-Identity. Changing the EAP type via NAK may result in + identities changing. Bug reported by Microsoft EAP team. + * Use home server src_ipaddr when sending Status-Server packets + * Decrypt encrypted ERX attributes in CoA packets. + * Fix registration of internal xlat's so %{mschap:...} doesn't + disappear after a HUP. + * Can now reference tagged attributes in expansions. + e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work. 
+ * Correct calculation of Message-Authenticator for CoA and Disconnect + replies. Patch from Jouni Malinen + * Install rad_counter, for managing rlm_counter files. + * Add unique index constraint to all SQL flavours so that alternate + queries work correctly. + * The TTLS diameter decoder is now more lenient. It ignores + unknown attributes, instead of rejecting the TTLS session. + * Use "globfree" in detail file reader. Prevents very slow leak. + Closes bug #207. + * Operator =~ shouldn't copy the attribute, like :=. It should + instead behave more like ==. + * Build main Debian package without SQL dependencies + * Use max_queue_size in threading code + * Update permissions in raddb/sql/postgresql/admin.sql + * Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL + wouldn't use methods it knew about. + * Add more sanity checks in dynamic_clients code so the server won't + crash if it attempts to load a badly formated client definition. + * Tue May 15 2012 John Dennis - 2.1.12-8 - resolves: bug#821407 - openssl dependency diff --git a/sources b/sources index c9b2a89..768b12e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -862d3a2c11011e61890ba84fa636ed8c freeradius-server-2.1.12.tar.bz2 +0fb333fe6a64eb2b1dd6ef67f7bca119 freeradius-server-2.2.0.tar.bz2