- Add new patch to avoid reading .rpmnew, .rpmsave and other invalid

files when loading config files
- Upgrade to new 2.2.0 upstream release

.gitignore

@@ -2,3 +2,4 @@ freeradius-server-2.1.9.tar.bz2
 /freeradius-server-2.1.10.tar.bz2
 /freeradius-server-2.1.11.tar.bz2
 /freeradius-server-2.1.12.tar.bz2
+/freeradius-server-2.2.0.tar.bz2

freeradius-cert-config.patch

@@ -1,51 +1,42 @@
-diff -r -u freeradius-server-2.1.12.orig/raddb/certs/ca.cnf freeradius-server-2.1.12/raddb/certs/ca.cnf
+diff -r -u freeradius-server-2.2.0.orig/raddb/certs/ca.cnf freeradius-server-2.2.0.work/raddb/certs/ca.cnf
---- freeradius-server-2.1.12.orig/raddb/certs/ca.cnf	2011-09-07 06:59:21.000000000 -0400
+--- freeradius-server-2.2.0.orig/raddb/certs/ca.cnf	2012-09-10 07:51:34.000000000 -0400
-+++ freeradius-server-2.1.12/raddb/certs/ca.cnf	2011-09-07 10:28:28.000000000 -0400
++++ freeradius-server-2.2.0.work/raddb/certs/ca.cnf	2012-09-25 15:29:08.792013636 -0400
-@@ -14,9 +14,9 @@
+@@ -14,7 +14,7 @@
  RANDFILE		= $dir/.rand
  name_opt		= ca_default
  cert_opt		= ca_default
 -default_days		= 365
 +default_days		= 60
  default_crl_days	= 30
--default_md		= md5
+ default_md		= sha1
-+default_md		= sha1
  preserve		= no
- policy			= policy_match
+diff -r -u freeradius-server-2.2.0.orig/raddb/certs/client.cnf freeradius-server-2.2.0.work/raddb/certs/client.cnf
- 
+--- freeradius-server-2.2.0.orig/raddb/certs/client.cnf	2012-09-10 07:51:34.000000000 -0400
-diff -r -u freeradius-server-2.1.12.orig/raddb/certs/client.cnf freeradius-server-2.1.12/raddb/certs/client.cnf
++++ freeradius-server-2.2.0.work/raddb/certs/client.cnf	2012-09-25 15:29:19.046932303 -0400
---- freeradius-server-2.1.12.orig/raddb/certs/client.cnf	2011-09-07 06:59:21.000000000 -0400
+@@ -14,7 +14,7 @@
-+++ freeradius-server-2.1.12/raddb/certs/client.cnf	2011-09-07 10:28:28.000000000 -0400
-@@ -14,9 +14,9 @@
  RANDFILE		= $dir/.rand
  name_opt		= ca_default
  cert_opt		= ca_default
 -default_days		= 365
 +default_days		= 60
  default_crl_days	= 30
--default_md		= md5
+ default_md		= sha1
-+default_md		= sha1
  preserve		= no
- policy			= policy_match
+diff -r -u freeradius-server-2.2.0.orig/raddb/certs/server.cnf freeradius-server-2.2.0.work/raddb/certs/server.cnf
- 
+--- freeradius-server-2.2.0.orig/raddb/certs/server.cnf	2012-09-10 07:51:34.000000000 -0400
-diff -r -u freeradius-server-2.1.12.orig/raddb/certs/server.cnf freeradius-server-2.1.12/raddb/certs/server.cnf
++++ freeradius-server-2.2.0.work/raddb/certs/server.cnf	2012-09-25 15:29:26.118877959 -0400
---- freeradius-server-2.1.12.orig/raddb/certs/server.cnf	2011-09-07 06:59:21.000000000 -0400
+@@ -14,7 +14,7 @@
-+++ freeradius-server-2.1.12/raddb/certs/server.cnf	2011-09-07 10:28:28.000000000 -0400
-@@ -14,9 +14,9 @@
  RANDFILE		= $dir/.rand
  name_opt		= ca_default
  cert_opt		= ca_default
 -default_days		= 365
 +default_days		= 60
  default_crl_days	= 30
--default_md		= md5
+ default_md		= sha1
-+default_md		= sha1
  preserve		= no
- policy			= policy_match
+diff -r -u freeradius-server-2.2.0.orig/raddb/eap.conf freeradius-server-2.2.0.work/raddb/eap.conf
- 
+--- freeradius-server-2.2.0.orig/raddb/eap.conf	2012-09-10 07:51:34.000000000 -0400
-diff -r -u freeradius-server-2.1.12.orig/raddb/eap.conf freeradius-server-2.1.12/raddb/eap.conf
++++ freeradius-server-2.2.0.work/raddb/eap.conf	2012-09-25 15:31:17.623971648 -0400
---- freeradius-server-2.1.12.orig/raddb/eap.conf	2011-09-07 06:59:21.000000000 -0400
-+++ freeradius-server-2.1.12/raddb/eap.conf	2011-09-07 10:28:28.000000000 -0400
 @@ -281,7 +281,11 @@
  			# for the server to print out an error message,
  			# and refuse to start.
@@ -59,4 +50,3 @@ diff -r -u freeradius-server-2.1.12.orig/raddb/eap.conf freeradius-server-2.1.12
  
  			#
  			#  Elliptical cryptography configuration
-Only in freeradius-server-2.1.12/raddb: eap.conf.orig

freeradius-exclude-config-file.patch

@@ -0,0 +1,314 @@
+diff -b -u -r freeradius-server-2.2.0.orig/src/include/libradius.h freeradius-server-2.2.0.configfile/src/include/libradius.h
+--- freeradius-server-2.2.0.orig/src/include/libradius.h	2012-09-10 07:51:34.000000000 -0400
++++ freeradius-server-2.2.0.configfile/src/include/libradius.h	2012-10-03 09:36:55.764852014 -0400
+@@ -415,6 +415,17 @@
+ 		       struct sockaddr_storage *sa, socklen_t *salen);
+ int fr_sockaddr2ipaddr(const struct sockaddr_storage *sa, socklen_t salen,
+ 		       fr_ipaddr_t *ipaddr, int * port);
++int
++str_starts_with(const char *subject, const char *pattern);
++int
++strn_starts_with(const char *subject, const char *pattern, size_t sbj_len, size_t pat_len);
++int
++str_ends_with(const char *subject, const char *pattern);
++int
++strn_ends_with(const char *subject, const char *pattern, size_t sbj_len, size_t pat_len);
++int
++fr_exclude_config_file(const char *basename);
++
+
+
+ #ifdef ASCEND_BINARY
+diff -b -u -r freeradius-server-2.2.0.orig/src/lib/misc.c freeradius-server-2.2.0.configfile/src/lib/misc.c
+--- freeradius-server-2.2.0.orig/src/lib/misc.c	2012-09-10 07:51:34.000000000 -0400
++++ freeradius-server-2.2.0.configfile/src/lib/misc.c	2012-10-03 10:29:43.332507533 -0400
+@@ -28,6 +28,7 @@
+ #include	<ctype.h>
+ #include	<sys/file.h>
+ #include	<fcntl.h>
++#include	<string.h>
+
+ int		fr_dns_lookups = 0;
+ int		fr_debug_flag = 0;
+@@ -650,3 +651,161 @@
+
+ 	return 1;
+ }
++
++/*
++ * Return true if subject starts with pattern, false otherwise.
++ * subject and pattern are NULL terminated strings.
++ */
++int
++str_starts_with(const char *subject, const char *pattern)
++{
++    size_t sbj_len;
++    size_t pat_len;
++
++    pat_len = strlen(pattern);
++    sbj_len = strlen(subject);
++
++    return strn_starts_with(subject, pattern, sbj_len, pat_len);
++}
++
++/*
++ * Return true if subject starts with pattern, false otherwise.
++ * subject and pattern are terminated by their respective length parameters.
++ */
++int
++strn_starts_with(const char *subject, const char *pattern, size_t sbj_len, size_t pat_len)
++{
++    const char *s = NULL;
++    const char *p = NULL;
++    const char *pat_end = NULL;
++
++    if (subject == NULL || pattern == NULL) return 0;
++
++    if (pat_len > sbj_len) return 0;
++
++    pat_end = pattern + pat_len;
++
++    for (p = pattern, s = subject; p < pat_end; p++, s++) {
++        if (*p != *s) return 0;
++    }
++    return 1;
++
++}
++
++/*
++ * Return true if subject starts with pattern, false otherwise.
++ * subject and pattern are NULL terminated strings.
++ */
++int
++str_ends_with(const char *subject, const char *pattern)
++{
++    size_t sbj_len;
++    size_t pat_len;
++
++    pat_len = strlen(pattern);
++    sbj_len = strlen(subject);
++
++    return strn_ends_with(subject, pattern, sbj_len, pat_len);
++}
++
++/*
++ * Return true if subject ends with pattern, false otherwise.
++ * subject and pattern are terminated by their respective length parameters.
++ */
++int
++strn_ends_with(const char *subject, const char *pattern, size_t sbj_len, size_t pat_len)
++{
++    const char *s = NULL;
++    const char *sbj_end = NULL;
++    const char *p = NULL;
++    const char *pat_end = NULL;
++
++    if (subject == NULL || pattern == NULL) return 0;
++
++    if (pat_len > sbj_len) return 0;
++
++    pat_end = pattern + pat_len - 1;
++    sbj_end = subject + sbj_len - 1;
++
++    for (p = pat_end, s = sbj_end; p >= pattern; p--, s--) {
++        if (*p != *s) return 0;
++    }
++    return 1;
++
++}
++
++/*
++ * Tests to see if the basename of a file found in a config directory
++ * should be excluded from being read because it is not a valid config
++ * file. The function returns true if the file basename should be
++ * excluded.
++ *
++ * The following basename's are excluded:
++ *
++ * Any basename beginning with a dot (.)
++ * Any basename beginning with a hash (i.e. pound sign, octothorp) (#)
++ * Any basename ending with a tilde (~)
++ * Any basename ending with the substring ".rpmsave"
++ * Any basename ending with the substring ".rpmnew"
++ * Any basename ending with the substring ".bak"
++ */
++
++#ifdef HAVE_REGEX_H
++#include <regex.h>
++
++/*
++ * Performs test with a regular expression.  The regexp is compiled on
++ * first use and then saved in a static variable for future use.
++ */
++
++int
++fr_exclude_config_file(const char *basename)
++{
++    char *pattern = "^\\.|^#|~$|\\.rpmsave$|\\.rpmnew$|\\.bak$";
++    //char *pattern = "*";
++    int status;
++    static regex_t re;
++    static int compiled = 0;
++
++    if (!compiled) {
++        if ((status = regcomp(&re, pattern, REG_NOSUB | REG_EXTENDED)) != 0) {
++            char error_buf[256];
++
++            regerror(status, &re, error_buf, sizeof(error_buf));
++            fprintf(stderr, "fr_exclude_config_file: failed to compile regular expression \"%s\": %s",
++                    pattern, error_buf);
++
++            return(0);      /* Since we can't perform test, accept all files */
++        }
++        compiled = 1;
++    }
++    status = regexec(&re, basename, (size_t) 0, NULL, 0);
++
++    if (status == 0) {
++        return 1;
++    } else {
++        return 0;
++    }
++}
++
++#else
++
++/*
++ * Performs the test with starts_with and ends_with string utilities.
++ */
++
++int
++fr_exclude_config_file(const char *basename)
++{
++    if (str_starts_with(basename, ".")) return 1;
++    if (str_starts_with(basename, "#")) return 1;
++
++    if (str_ends_with(basename, "~")) return 1;
++    if (str_ends_with(basename, ".rpmsave")) return 1;
++    if (str_ends_with(basename, ".rpmnew")) return 1;
++    if (str_ends_with(basename, ".bak")) return 1;
++
++    return 0;
++}
++
++#endif
+diff -b -u -r freeradius-server-2.2.0.orig/src/main/client.c freeradius-server-2.2.0.configfile/src/main/client.c
+--- freeradius-server-2.2.0.orig/src/main/client.c	2012-09-10 07:51:34.000000000 -0400
++++ freeradius-server-2.2.0.configfile/src/main/client.c	2012-10-03 10:53:33.166452136 -0400
+@@ -845,13 +845,24 @@
+ 			}
+
+ 			/*
+-			 *	Read the directory, ignoring "." files.
++			 *	Read the directory, ignoring invalid files.
+ 			 */
+ 			while ((dp = readdir(dir)) != NULL) {
+ 				const char *p;
+ 				RADCLIENT *dc;
+
+-				if (dp->d_name[0] == '.') continue;
++				/*
++				 *	Check for invalid file names
++				 */
++				if (fr_exclude_config_file(dp->d_name)) {
++					if (!(strcmp(dp->d_name, ".")  == 0 ||
++					      strcmp(dp->d_name, "..") == 0)) {
++						cf_log_info(cs,
++						"skipping client file, invalid name \"%s/%s\"",
++						value, dp->d_name);
++					}
++					continue;
++				}
+
+ 				/*
+ 				 *	Check for valid characters
+@@ -863,7 +874,12 @@
+ 					    (*p == '.')) continue;
+ 						break;
+ 				}
+-				if (*p != '\0') continue;
++				if (*p != '\0') {
++					cf_log_info(cs,
++					"skipping client file, invalid characters in name \"%s/%s\"",
++					value, dp->d_name);
++					continue;
++                                }
+
+ 				snprintf(buf2, sizeof(buf2), "%s/%s",
+ 					 value, dp->d_name);
+diff -b -u -r freeradius-server-2.2.0.orig/src/main/conffile.c freeradius-server-2.2.0.configfile/src/main/conffile.c
+--- freeradius-server-2.2.0.orig/src/main/conffile.c	2012-09-10 07:51:34.000000000 -0400
++++ freeradius-server-2.2.0.configfile/src/main/conffile.c	2012-10-03 10:55:05.918611881 -0400
+@@ -1512,12 +1512,23 @@
+ 				}
+
+ 				/*
+-				 *	Read the directory, ignoring "." files.
++				 *	Read the directory, ignoring invalid files.
+ 				 */
+ 				while ((dp = readdir(dir)) != NULL) {
+ 					const char *p;
+
+-					if (dp->d_name[0] == '.') continue;
++					/*
++					 *	Check for invalid file names
++					 */
++					if (fr_exclude_config_file(dp->d_name)) {
++						if (!(strcmp(dp->d_name, ".")  == 0 ||
++						      strcmp(dp->d_name, "..") == 0)) {
++							radlog(L_INFO, "skipping config file, invalid name \"%s%s\"",
++							value, dp->d_name);
++						}
++						continue;
++					}
++
+
+ 					/*
+ 					 *	Check for valid characters
+@@ -1530,7 +1541,11 @@
+ 						    (*p == '.')) continue;
+ 						break;
+ 					}
+-					if (*p != '\0') continue;
++					if (*p != '\0') {
++                                            radlog(L_INFO, "skipping config file, invalid characters in name \"%s%s\"",
++                                                   value, dp->d_name);
++                                            continue;
++                                        }
+
+ 					snprintf(buf2, sizeof(buf2), "%s%s",
+ 						 value, dp->d_name);
+diff -b -u -r freeradius-server-2.2.0.orig/src/modules/rlm_policy/parse.c freeradius-server-2.2.0.configfile/src/modules/rlm_policy/parse.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_policy/parse.c	2012-09-10 07:51:34.000000000 -0400
++++ freeradius-server-2.2.0.configfile/src/modules/rlm_policy/parse.c	2012-10-03 10:57:16.985425570 -0400
+@@ -1584,13 +1584,22 @@
+ 			}
+
+ 			/*
+-			 *	Read the directory, ignoring "." files.
++			 *	Read the directory, ignoring invalid files.
+ 			 */
+ 			while ((dp = readdir(dir)) != NULL) {
+ 				struct stat buf;
+
+-				if (dp->d_name[0] == '.') continue;
+-				if (strchr(dp->d_name, '~') != NULL) continue;
++				/*
++				 *	Check for invalid file names
++				 */
++				if (fr_exclude_config_file(dp->d_name)) {
++					if (!(strcmp(dp->d_name, ".")  == 0 ||
++					      strcmp(dp->d_name, "..") == 0)) {
++	                                    fprintf(stderr, "skipping policy file, invalid name \"%s%s\"",
++						buffer, dp->d_name);
++					}
++					continue;
++				}
+
+ 				strlcpy(p, dp->d_name,
+ 					sizeof(buffer) - (p - buffer));
+@@ -1704,4 +1713,3 @@
+
+ 	return 1;
+ }
+-

freeradius-man.patch

@@ -1,260 +0,0 @@
-From 12bbe0c8289260f7db62e010a5e7168ce7bc5644 Mon Sep 17 00:00:00 2001
-From: John Dennis <jdennis@redhat.com>
-Date: Fri, 13 Jan 2012 12:45:14 -0500
-Subject: [PATCH] Fix typo in name of rlm_dbm_parser man page
-Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: 8bit
-
-It was rlm_dbm_parse but should be rlm_dbm_parser to match the
-executable name. Also fix name in man page.
----
- src/modules/rlm_dbm/Makefile.in      |    2 +-
- src/modules/rlm_dbm/rlm_dbm_parse.8  |  109 ----------------------------------
- src/modules/rlm_dbm/rlm_dbm_parser.8 |  109 ++++++++++++++++++++++++++++++++++
- 3 files changed, 110 insertions(+), 110 deletions(-)
- delete mode 100644 src/modules/rlm_dbm/rlm_dbm_parse.8
- create mode 100644 src/modules/rlm_dbm/rlm_dbm_parser.8
-
-diff --git a/src/modules/rlm_dbm/Makefile.in b/src/modules/rlm_dbm/Makefile.in
-index f970538..cd537ec 100644
---- a/src/modules/rlm_dbm/Makefile.in
-+++ b/src/modules/rlm_dbm/Makefile.in
-@@ -29,4 +29,4 @@ rlm_dbm_install: rlm_dbm_cat rlm_dbm_parser
- 	$(LIBTOOL) --mode=install $(INSTALL) -m 755 $(INSTALLSTRIP) \
- 		rlm_dbm_parser$(EXEEXT) $(R)$(bindir)
- 	$(INSTALL) -m 644 rlm_dbm_cat.8 $(R)$(mandir)/man8
--	$(INSTALL) -m 644 rlm_dbm_parse.8 $(R)$(mandir)/man8
-+	$(INSTALL) -m 644 rlm_dbm_parser.8 $(R)$(mandir)/man8
-diff --git a/src/modules/rlm_dbm/rlm_dbm_parse.8 b/src/modules/rlm_dbm/rlm_dbm_parse.8
-deleted file mode 100644
-index 51dd1fc..0000000
---- a/src/modules/rlm_dbm/rlm_dbm_parse.8
-+++ /dev/null
-@@ -1,109 +0,0 @@
--.TH RLM_DBM_PARSE 8
--.SH NAME
--rlm_dbm_parse - transforms simple syntax into rlm_dbm format
--.SH SYNOPSIS
--.B rlm_dbm_parse
--.RB [ \-c ]
--.RB [ \-d
--.IR raddb ]
--.RB [ \-i
--.IR inputfile ]
--.RB [ \-o
--.IR outputfile ]
--.RB [ \-x ]
--.RB [ \-v ]
--.RB [ \-q ] 
--[\fIusername ...\fP]
--
--.SH DESCRIPTION
--\fBrlm_dbm_parse\fP reads a file of the syntax defined below, and writes
--a database file usable by rlm_dbm or edits current database.
--.PP
--
--.SH INPUT FORMAT
--
--\fIrlm_dbm_parse\fP reads a format similar to the one used by the files
--module. In incomplete RFC2234 ABNF, it looks like this:
--
--.nf
--entries     = *entry
--entry       = identifier TAB definition
--identifier  = username / group-name
--username    = +PCHAR
--groupname   = +PCHAR
--definition  = (check-item ",")* LF ( *( reply-item ",") / ";" ) LF
--check-item  = AS IN FILES
--reply-item  = AS IN FILES
--* need definition of username and groupname
--.fi
--
--As an example, these are the standard files definitions (files module).
--
--.nf
--DEFAULT   Service-Type == Framed-User
--          Framed-IP-Address = 255.255.255.254,
--          Framed-MTU = 576,
--          Service-Type = Framed-User,
--          Fall-Through = Yes
--
--#except who call from number 555-666
--DEFAULT   Auth-Type := Reject,Service-Type ==Framed-User,
--          Calling-Station-ID == "555-666"
--
--#or call number 555-667
--DEFAULT   Auth-Type := Reject,Service-Type ==Framed-User,
--          Calling-Station-ID == "555-667"
--.fi
--
--To be a valid rlm_dbm input file, it should look like this:
--
--.nf
--DEFAULT   Service-Type == Framed-User                     # (1)
--          Framed-IP-Address = 255.255.255.254,            # comma, list cont'd
--          Framed-MTU = 576,
--          Service-Type = Framed-User,
--          Fall-Through =  Yes                             # \\n, end of list
--          Auth-Type := Reject,Service-Type ==Framed-User, # (2)
--          Calling-Station-ID == "555-666"
--          ;                                               # ;, no reply items
--          Auth-Type := Reject,Service-Type ==Framed-User, # (3)
--          Calling-Station-ID == "555-667"
--          ;                                               # ditto
--.fi
--
--This user (the DEFAULT user) contains three entries, 1, 2 and 3. The
--first entry has a list of reply items, terminated by a reply item
--without a trailing comma. Entries 2 and 3 has empty reply lists, as
--indicated by the semicolon. This is necessary to separate an empty
--line (which is ignored) from the empty list.
--Definition Fall-Through = Yes used in order to say module to check next
--record. By default Fall-Through = Yes.
--
--.SH OPTIONS
--
--.IP \-d\ \fIraddb\fP
--Use \fIraddb\fP as the radiusd configuration directory.
--.IP \-i\ \fIinputfile\fP
--Use \fIfile\fP as the input file. If not defined then use standard input.
--.IP \-o\ \fIoutputfile\fP
--Use \fIfile\fP as the output file.
--.IP \-c
--Create a new database (empty output file before writing)
--.IP \-x
--Enable debug mode. Multiple x flags increase debug level.
--.IP \-q
--Do not print statistics (quiet).
--.IP \-v
--Print the version and exit.
--.IP \-r
--Remove a username or group name from the database.
--
--.SH SEE ALSO
--radiusd(8)
--.SH AUTHORS
--.TP
--Author:
--Andrei Koulik <rlm_dbm@agk.nnov.ru>
--.TP
--Documentation:
--Bjørn Nordbø  <bn@nextra.com>
-diff --git a/src/modules/rlm_dbm/rlm_dbm_parser.8 b/src/modules/rlm_dbm/rlm_dbm_parser.8
-new file mode 100644
-index 0000000..94137da
---- /dev/null
-+++ b/src/modules/rlm_dbm/rlm_dbm_parser.8
-@@ -0,0 +1,109 @@
-+.TH RLM_DBM_PARSER 8
-+.SH NAME
-+rlm_dbm_parser - transforms simple syntax into rlm_dbm format
-+.SH SYNOPSIS
-+.B rlm_dbm_parser
-+.RB [ \-c ]
-+.RB [ \-d
-+.IR raddb ]
-+.RB [ \-i
-+.IR inputfile ]
-+.RB [ \-o
-+.IR outputfile ]
-+.RB [ \-x ]
-+.RB [ \-v ]
-+.RB [ \-q ] 
-+[\fIusername ...\fP]
-+
-+.SH DESCRIPTION
-+\fBrlm_dbm_parser\fP reads a file of the syntax defined below, and writes
-+a database file usable by rlm_dbm or edits current database.
-+.PP
-+
-+.SH INPUT FORMAT
-+
-+\fIrlm_dbm_parser\fP reads a format similar to the one used by the files
-+module. In incomplete RFC2234 ABNF, it looks like this:
-+
-+.nf
-+entries     = *entry
-+entry       = identifier TAB definition
-+identifier  = username / group-name
-+username    = +PCHAR
-+groupname   = +PCHAR
-+definition  = (check-item ",")* LF ( *( reply-item ",") / ";" ) LF
-+check-item  = AS IN FILES
-+reply-item  = AS IN FILES
-+* need definition of username and groupname
-+.fi
-+
-+As an example, these are the standard files definitions (files module).
-+
-+.nf
-+DEFAULT   Service-Type == Framed-User
-+          Framed-IP-Address = 255.255.255.254,
-+          Framed-MTU = 576,
-+          Service-Type = Framed-User,
-+          Fall-Through = Yes
-+
-+#except who call from number 555-666
-+DEFAULT   Auth-Type := Reject,Service-Type ==Framed-User,
-+          Calling-Station-ID == "555-666"
-+
-+#or call number 555-667
-+DEFAULT   Auth-Type := Reject,Service-Type ==Framed-User,
-+          Calling-Station-ID == "555-667"
-+.fi
-+
-+To be a valid rlm_dbm input file, it should look like this:
-+
-+.nf
-+DEFAULT   Service-Type == Framed-User                     # (1)
-+          Framed-IP-Address = 255.255.255.254,            # comma, list cont'd
-+          Framed-MTU = 576,
-+          Service-Type = Framed-User,
-+          Fall-Through =  Yes                             # \\n, end of list
-+          Auth-Type := Reject,Service-Type ==Framed-User, # (2)
-+          Calling-Station-ID == "555-666"
-+          ;                                               # ;, no reply items
-+          Auth-Type := Reject,Service-Type ==Framed-User, # (3)
-+          Calling-Station-ID == "555-667"
-+          ;                                               # ditto
-+.fi
-+
-+This user (the DEFAULT user) contains three entries, 1, 2 and 3. The
-+first entry has a list of reply items, terminated by a reply item
-+without a trailing comma. Entries 2 and 3 has empty reply lists, as
-+indicated by the semicolon. This is necessary to separate an empty
-+line (which is ignored) from the empty list.
-+Definition Fall-Through = Yes used in order to say module to check next
-+record. By default Fall-Through = Yes.
-+
-+.SH OPTIONS
-+
-+.IP \-d\ \fIraddb\fP
-+Use \fIraddb\fP as the radiusd configuration directory.
-+.IP \-i\ \fIinputfile\fP
-+Use \fIfile\fP as the input file. If not defined then use standard input.
-+.IP \-o\ \fIoutputfile\fP
-+Use \fIfile\fP as the output file.
-+.IP \-c
-+Create a new database (empty output file before writing)
-+.IP \-x
-+Enable debug mode. Multiple x flags increase debug level.
-+.IP \-q
-+Do not print statistics (quiet).
-+.IP \-v
-+Print the version and exit.
-+.IP \-r
-+Remove a username or group name from the database.
-+
-+.SH SEE ALSO
-+radiusd(8)
-+.SH AUTHORS
-+.TP
-+Author:
-+Andrei Koulik <rlm_dbm@agk.nnov.ru>
-+.TP
-+Documentation:
-+Bjørn Nordbø  <bn@nextra.com>
--- 
-1.7.7.5
-

freeradius-perl.patch

@@ -1,65 +0,0 @@
-commit ecb3cd1dbedb764ab98532dae5e0b5bfc9571b00
-Author: Alan T. DeKok <aland@freeradius.org>
-Date:   Thu Dec 1 14:21:03 2011 +0100
-
-    Perl clone should be called sequentially, not in parallel.
-    
-    Adding a mutex fixes this.
-    
-    Patch from Eike Dehling
-
-diff --git a/src/modules/rlm_perl/rlm_perl.c b/src/modules/rlm_perl/rlm_perl.c
-index 5c82e89..4682ba5 100644
---- a/src/modules/rlm_perl/rlm_perl.c
-+++ b/src/modules/rlm_perl/rlm_perl.c
-@@ -77,6 +77,8 @@ typedef struct perl_inst {
- 	char	*perl_flags;
- 	PerlInterpreter *perl;
- 	pthread_key_t	*thread_key;
-+
-+	pthread_mutex_t clone_mutex;
- } PERL_INST;
- /*
-  *	A mapping of configuration file names to internal variables.
-@@ -434,6 +436,8 @@ static int perl_instantiate(CONF_SECTION *conf, void **instance)
- 	 */
- 
- #ifdef USE_ITHREADS
-+	pthread_mutex_init(&inst->clone_mutex, NULL);
-+
- 	inst->thread_key = rad_malloc(sizeof(*inst->thread_key));
- 	memset(inst->thread_key,0,sizeof(*inst->thread_key));
- 	
-@@ -656,8 +660,10 @@ static int rlmperl_call(void *instance, REQUEST *request, char *function_name)
- 	HV		*rad_request_hv;
- 	HV		*rad_request_proxy_hv;
- 	HV		*rad_request_proxy_reply_hv;
--
-+	
- #ifdef USE_ITHREADS
-+	pthread_mutex_lock(&inst->clone_mutex);
-+
- 	PerlInterpreter *interp;
- 
- 	interp = rlm_perl_clone(inst->perl,inst->thread_key);
-@@ -665,9 +671,12 @@ static int rlmperl_call(void *instance, REQUEST *request, char *function_name)
- 	  dTHXa(interp);
- 	  PERL_SET_CONTEXT(interp);
- 	}
-+	
-+	pthread_mutex_unlock(&inst->clone_mutex);
- #else
- 	PERL_SET_CONTEXT(inst->perl);
- #endif
-+
- 	{
- 	dSP;
- 
-@@ -974,6 +983,7 @@ static int perl_detach(void *instance)
- 
- #ifdef USE_ITHREADS
- 	rlm_perl_destruct(inst->perl);
-+	pthread_mutex_destroy(&inst->clone_mutex);
- #else
- 	perl_destruct(inst->perl);
- 	perl_free(inst->perl);

freeradius-postgres-sql.patch

@@ -1,11 +0,0 @@
-diff -r -u freeradius-server-2.1.12.orig/raddb/sql/postgresql/admin.sql freeradius-server-2.1.12.work/raddb/sql/postgresql/admin.sql
---- freeradius-server-2.1.12.orig/raddb/sql/postgresql/admin.sql	2011-09-30 10:12:07.000000000 -0400
-+++ freeradius-server-2.1.12.work/raddb/sql/postgresql/admin.sql	2012-02-28 13:16:36.329403383 -0500
-@@ -28,5 +28,5 @@
- /*
-  * The server can write to the accounting and post-auth logging table.
-  */
--GRANT ALL on radius.radacct TO radius;
--GRANT ALL on radius.radpostauth TO radius;
-+GRANT ALL on radacct TO radius;
-+GRANT ALL on radpostauth TO radius;

freeradius-unix-passwd-expire.patch

@@ -1,39 +0,0 @@
---- freeradius-server-2.1.12.orig/src/modules/rlm_unix/rlm_unix.c	2011-09-30 10:12:07.000000000 -0400
-+++ freeradius/freeradius-server/src/modules/rlm_unix/rlm_unix.c	2012-02-27 15:10:19.782821614 -0500
-@@ -274,9 +274,17 @@
- 	/*
- 	 *      Check if password has expired.
- 	 */
-+	if (spwd && spwd->sp_lstchg > 0 && spwd->sp_max >= 0 &&
-+	    (request->timestamp / 86400) > (spwd->sp_lstchg + spwd->sp_max)) {
-+		radlog_request(L_AUTH, 0, request, "[%s]: password has expired", name);
-+		return RLM_MODULE_REJECT;
-+	}
-+	/*
-+	 *      Check if account has expired.
-+	 */
- 	if (spwd && spwd->sp_expire > 0 &&
- 	    (request->timestamp / 86400) > spwd->sp_expire) {
--		radlog_request(L_AUTH, 0, request, "[%s]: password has expired", name);
-+		radlog_request(L_AUTH, 0, request, "[%s]: account has expired", name);
- 		return RLM_MODULE_REJECT;
- 	}
- #endif
-@@ -363,7 +371,7 @@
- 	if (fr_crypt_check((char *) request->password->vp_strvalue,
- 			     (char *) vp->vp_strvalue) != 0) {
- 		radlog_request(L_AUTH, 0, request, "invalid password \"%s\"",
--			       request->username->vp_strvalue);
-+			       request->password->vp_strvalue);
- 		return RLM_MODULE_REJECT;
- 	}
- #endif /* OSFFIA */
-@@ -440,7 +448,7 @@
- 	 *	Which type is this.
- 	 */
- 	if ((vp = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE))==NULL) {
--		radlog(L_ERR, "rlm_unix: no Accounting-Status-Type attribute in request.");
-+		RDEBUG("no Accounting-Status-Type attribute in request.");
- 		return RLM_MODULE_NOOP;
- 	}
- 	status = vp->vp_integer;

freeradius.spec

@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
-Version: 2.1.12
+Version: 2.2.0
-Release: 8%{?dist}
+Release: 0%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@@ -14,11 +14,8 @@ Source104: %{name}-tmpfiles.conf
 
 Patch1: freeradius-cert-config.patch
 Patch2: freeradius-radtest.patch
-Patch3: freeradius-man.patch
+Patch3: freeradius-radeapclient-ipv6.patch
-Patch4: freeradius-unix-passwd-expire.patch
+Patch4: freeradius-exclude-config-file.patch
-Patch5: freeradius-radeapclient-ipv6.patch
-Patch6: freeradius-postgres-sql.patch
-Patch7: freeradius-perl.patch
 
 Obsoletes: freeradius-devel
 Obsoletes: freeradius-libs
@@ -152,11 +149,8 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
 %setup -q -n freeradius-server-%{version}
 %patch1 -p1 -b .cert-config
 %patch2 -p1 -b .radtest
-%patch3 -p1 -b .man
+%patch3 -p1 -b radeapclient-ipv6
-%patch4 -p1 -b unix-passwd-expire
+%patch4 -p1 -b exclude-config-file
-%patch5 -p1 -b radeapclient-ipv6
-%patch6 -p1 -b postgres-sql
-%patch7 -p1 -b perl
 
 # Some source files mistakenly have execute permissions set
 find $RPM_BUILD_DIR/freeradius-server-%{version} \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} +
@@ -171,6 +165,7 @@ export CFLAGS="$RPM_OPT_FLAGS -fpic"
 %configure \
         --libdir=%{_libdir}/freeradius \
         --with-system-libtool \
+        --with-system-libltdl \
         --disable-ltdl-install \
         --with-udpfromto \
         --with-gnu-ld \
@@ -353,6 +348,7 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/always
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/attr_filter
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/attr_rewrite
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/cache
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/chap
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/checkval
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/counter
@@ -360,6 +356,7 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/detail
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/detail.example.com
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/detail.log
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/dhcp_sqlippool
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/digest
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/dynamic_clients
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/echo
@@ -384,6 +381,7 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/passwd
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/policy
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/preprocess
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/radrelay
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/radutmp
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/realm
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/redis
@@ -459,6 +457,8 @@ exit 0
 %{_libdir}/freeradius/rlm_attr_filter-%{version}.so
 %{_libdir}/freeradius/rlm_attr_rewrite.so
 %{_libdir}/freeradius/rlm_attr_rewrite-%{version}.so
+%{_libdir}/freeradius/rlm_cache.so
+%{_libdir}/freeradius/rlm_cache-%{version}.so
 %{_libdir}/freeradius/rlm_chap.so
 %{_libdir}/freeradius/rlm_chap-%{version}.so
 %{_libdir}/freeradius/rlm_checkval.so
@@ -601,6 +601,99 @@ exit 0
 %{_libdir}/freeradius/rlm_sql_unixodbc-%{version}.so
 
 %changelog
+* Wed Oct  3 2012 John Dennis <jdennis@redhat.com> - 2.2.0-0
+- Add new patch to avoid reading .rpmnew, .rpmsave and other invalid
+  files when loading config files
+- Upgrade to new 2.2.0 upstream release
+- Upstream changelog for 2.1.12:
+  Feature improvements
+  * 100% configuration file compatible with 2.1.x.
+    The only fix needed is to disallow "hashsize=0" for rlm_passwd
+  * Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware,
+    Redback, and Mikrotik dictionaries
+  * Switch to using SHA1 for certificate digests instead of MD5.
+    See raddb/certs/*.cnf
+  * Added copyright statements to the dictionaries, so that we know
+    when people are using them.
+  * Better documentation for radrelay and detail file writer.
+    See raddb/modules/radrelay and raddb/radrelay.conf
+  * Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
+  * Added -F <file> to radwho
+  * Added query timeouts to MySQL driver.  Patch from Brian De Wolf.
+  * Add /etc/default/freeradius to debian package.
+    Patch from Matthew Newton
+  * Finalize DHCP and DHCP relay code.  It should now work everywhere.
+    See raddb/sites-available/dhcp, src_ipaddr and src_interface.
+  * DHCP capabilitiies are now compiled in by default.
+    It runs as a DHCP server ONLY when manually enabled.
+  * Added one letter expansions: %G - request minute and %I request
+    ID.
+  * Added script to convert ISC DHCP lease files to SQL pools.
+    See scripts/isc2ippool.pl
+  * Added rlm_cache to cache arbitrary attributes.
+  * Added max_use to rlm_ldap to force connection to be re-established
+    after a given number of queries.
+  * Added configtest option to Debian init scripts, and automatic
+    config test on restart.
+  * Added cache config item to rlm_krb5. When set to "no" ticket
+    caching is disabled which may increase performance.
+
+  Bug fixes
+  * Fix CVE-2012-3547.  All users of 2.1.10, 2.1.11, 2.1.12,
+    and 802.1X should upgrade immediately.
+  * Fix typo in detail file writer, to skip writing if the packet
+    was read from this detail file.
+  * Free cached replies when closing resumed SSL sessions.
+  * Fix a number of issues found by Coverity.
+  * Fix memory leak and race condition in the EAP-TLS session cache.
+    Thanks to Phil Mayers for tracking down OpenSSL APIs.
+  * Restrict ATTRIBUTE names to character sets that make sense.
+  * Fix EAP-TLS session Id length so that OpenSSL doesn't get
+    excited.
+  * Fix SQL IPPool logic for non-timer attributes.  Closes bug #181
+  * Change some informational messages to DEBUG rather than error.
+  * Portability fixes for FreeBSD.  Closes bug #177
+  * A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols
+    nonsense.
+  * Safely handle extremely long lines in conf file variable expansion
+  * Fix for Debian bug #606450
+  * Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
+  * The passwd module no longer permits "hashsize = 0".  Setting that
+    is pointless for a host of reasons.  It will also break the server.
+  * Fix proxied inner-tunnel packets sometimes having zero authentication
+    vector.  Found by Brian Julin.
+  * Added $(EXEEXT) to Makefiles for portability.  Closes bug #188.
+  * Fix minor build issue which would cause rlm_eap to be built twice.
+  * When using "status_check=request" for a home server, the username
+    and password must be specified, or the server will not start.
+  * EAP-SIM now calculates keys from the SIM identity, not from the
+    EAP-Identity.  Changing the EAP type via NAK may result in
+    identities changing.  Bug reported by Microsoft EAP team.
+  * Use home server src_ipaddr when sending Status-Server packets
+  * Decrypt encrypted ERX attributes in CoA packets.
+  * Fix registration of internal xlat's so %{mschap:...} doesn't
+    disappear after a HUP.
+  * Can now reference tagged attributes in expansions.
+    e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work.
+  * Correct calculation of Message-Authenticator for CoA and Disconnect
+    replies.  Patch from Jouni Malinen
+  * Install rad_counter, for managing rlm_counter files.
+  * Add unique index constraint to all SQL flavours so that alternate
+    queries work correctly.
+  * The TTLS diameter decoder is now more lenient.  It ignores
+    unknown attributes, instead of rejecting the TTLS session.
+  * Use "globfree" in detail file reader.  Prevents very slow leak.
+    Closes bug #207.
+  * Operator =~ shouldn't copy the attribute, like :=.  It should
+    instead behave more like ==.
+  * Build main Debian package without SQL dependencies
+  * Use max_queue_size in threading code
+  * Update permissions in raddb/sql/postgresql/admin.sql
+  * Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL
+    wouldn't use methods it knew about.
+  * Add more sanity checks in dynamic_clients code so the server won't
+    crash if it attempts to load a badly formated client definition.
+
 * Tue May 15 2012 John Dennis <jdennis@redhat.com> - 2.1.12-8
 - resolves: bug#821407 - openssl dependency
 

sources

@@ -1 +1 @@
-862d3a2c11011e61890ba84fa636ed8c  freeradius-server-2.1.12.tar.bz2
+0fb333fe6a64eb2b1dd6ef67f7bca119  freeradius-server-2.2.0.tar.bz2