rpms/freeradius
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Add new patch to avoid reading .rpmnew, .rpmsave and other invalid

Browse Source 
files when loading config files
- Upgrade to new 2.2.0 upstream release
This commit is contained in:
John Dennis 2012-10-03 15:19:41 -04:00
parent f106651b97
commit eee86a133e
9 changed files with 439 additions and 416 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -2,3 +2,4 @@ freeradius-server-2.1.9.tar.bz2
/freeradius-server-2.1.10.tar.bz2
/freeradius-server-2.1.11.tar.bz2
/freeradius-server-2.1.12.tar.bz2
/freeradius-server-2.2.0.tar.bz2

46
freeradius-cert-config.patch
View File

@ -1,51 +1,42 @@
diff -r -u freeradius-server-2.1.12.orig/raddb/certs/ca.cnf freeradius-server-2.1.12/raddb/certs/ca.cnf
--- freeradius-server-2.1.12.orig/raddb/certs/ca.cnf 2011-09-07 06:59:21.000000000 -0400
+++ freeradius-server-2.1.12/raddb/certs/ca.cnf 2011-09-07 10:28:28.000000000 -0400
@@ -14,9 +14,9 @@
diff -r -u freeradius-server-2.2.0.orig/raddb/certs/ca.cnf freeradius-server-2.2.0.work/raddb/certs/ca.cnf
--- freeradius-server-2.2.0.orig/raddb/certs/ca.cnf 2012-09-10 07:51:34.000000000 -0400
+++ freeradius-server-2.2.0.work/raddb/certs/ca.cnf 2012-09-25 15:29:08.792013636 -0400
@@ -14,7 +14,7 @@
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
-default_days = 365
+default_days = 60
default_crl_days = 30
-default_md = md5
+default_md = sha1
default_md = sha1
preserve = no
policy = policy_match
diff -r -u freeradius-server-2.1.12.orig/raddb/certs/client.cnf freeradius-server-2.1.12/raddb/certs/client.cnf
--- freeradius-server-2.1.12.orig/raddb/certs/client.cnf 2011-09-07 06:59:21.000000000 -0400
+++ freeradius-server-2.1.12/raddb/certs/client.cnf 2011-09-07 10:28:28.000000000 -0400
@@ -14,9 +14,9 @@
diff -r -u freeradius-server-2.2.0.orig/raddb/certs/client.cnf freeradius-server-2.2.0.work/raddb/certs/client.cnf
--- freeradius-server-2.2.0.orig/raddb/certs/client.cnf 2012-09-10 07:51:34.000000000 -0400
+++ freeradius-server-2.2.0.work/raddb/certs/client.cnf 2012-09-25 15:29:19.046932303 -0400
@@ -14,7 +14,7 @@
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
-default_days = 365
+default_days = 60
default_crl_days = 30
-default_md = md5
+default_md = sha1
default_md = sha1
preserve = no
policy = policy_match
diff -r -u freeradius-server-2.1.12.orig/raddb/certs/server.cnf freeradius-server-2.1.12/raddb/certs/server.cnf
--- freeradius-server-2.1.12.orig/raddb/certs/server.cnf 2011-09-07 06:59:21.000000000 -0400
+++ freeradius-server-2.1.12/raddb/certs/server.cnf 2011-09-07 10:28:28.000000000 -0400
@@ -14,9 +14,9 @@
diff -r -u freeradius-server-2.2.0.orig/raddb/certs/server.cnf freeradius-server-2.2.0.work/raddb/certs/server.cnf
--- freeradius-server-2.2.0.orig/raddb/certs/server.cnf 2012-09-10 07:51:34.000000000 -0400
+++ freeradius-server-2.2.0.work/raddb/certs/server.cnf 2012-09-25 15:29:26.118877959 -0400
@@ -14,7 +14,7 @@
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
-default_days = 365
+default_days = 60
default_crl_days = 30
-default_md = md5
+default_md = sha1
default_md = sha1
preserve = no
policy = policy_match
diff -r -u freeradius-server-2.1.12.orig/raddb/eap.conf freeradius-server-2.1.12/raddb/eap.conf
--- freeradius-server-2.1.12.orig/raddb/eap.conf 2011-09-07 06:59:21.000000000 -0400
+++ freeradius-server-2.1.12/raddb/eap.conf 2011-09-07 10:28:28.000000000 -0400
diff -r -u freeradius-server-2.2.0.orig/raddb/eap.conf freeradius-server-2.2.0.work/raddb/eap.conf
--- freeradius-server-2.2.0.orig/raddb/eap.conf 2012-09-10 07:51:34.000000000 -0400
+++ freeradius-server-2.2.0.work/raddb/eap.conf 2012-09-25 15:31:17.623971648 -0400
@@ -281,7 +281,11 @@
# for the server to print out an error message,
# and refuse to start.
@ -59,4 +50,3 @@ diff -r -u freeradius-server-2.1.12.orig/raddb/eap.conf freeradius-server-2.1.12
#
# Elliptical cryptography configuration
Only in freeradius-server-2.1.12/raddb: eap.conf.orig

314
freeradius-exclude-config-file.patch Normal file
View File

@ -0,0 +1,314 @@
diff -b -u -r freeradius-server-2.2.0.orig/src/include/libradius.h freeradius-server-2.2.0.configfile/src/include/libradius.h
--- freeradius-server-2.2.0.orig/src/include/libradius.h 2012-09-10 07:51:34.000000000 -0400
+++ freeradius-server-2.2.0.configfile/src/include/libradius.h 2012-10-03 09:36:55.764852014 -0400
@@ -415,6 +415,17 @@
struct sockaddr_storage *sa, socklen_t *salen);
int fr_sockaddr2ipaddr(const struct sockaddr_storage *sa, socklen_t salen,
fr_ipaddr_t *ipaddr, int * port);
+int
+str_starts_with(const char *subject, const char *pattern);
+int
+strn_starts_with(const char *subject, const char *pattern, size_t sbj_len, size_t pat_len);
+int
+str_ends_with(const char *subject, const char *pattern);
+int
+strn_ends_with(const char *subject, const char *pattern, size_t sbj_len, size_t pat_len);
+int
+fr_exclude_config_file(const char *basename);
+
#ifdef ASCEND_BINARY
diff -b -u -r freeradius-server-2.2.0.orig/src/lib/misc.c freeradius-server-2.2.0.configfile/src/lib/misc.c
--- freeradius-server-2.2.0.orig/src/lib/misc.c 2012-09-10 07:51:34.000000000 -0400
+++ freeradius-server-2.2.0.configfile/src/lib/misc.c 2012-10-03 10:29:43.332507533 -0400
@@ -28,6 +28,7 @@
#include <ctype.h>
#include <sys/file.h>
#include <fcntl.h>
+#include <string.h>
int fr_dns_lookups = 0;
int fr_debug_flag = 0;
@@ -650,3 +651,161 @@
return 1;
}
+
+/*
+ * Return true if subject starts with pattern, false otherwise.
+ * subject and pattern are NULL terminated strings.
+ */
+int
+str_starts_with(const char *subject, const char *pattern)
+{
+ size_t sbj_len;
+ size_t pat_len;
+
+ pat_len = strlen(pattern);
+ sbj_len = strlen(subject);
+
+ return strn_starts_with(subject, pattern, sbj_len, pat_len);
+}
+
+/*
+ * Return true if subject starts with pattern, false otherwise.
+ * subject and pattern are terminated by their respective length parameters.
+ */
+int
+strn_starts_with(const char *subject, const char *pattern, size_t sbj_len, size_t pat_len)
+{
+ const char *s = NULL;
+ const char *p = NULL;
+ const char *pat_end = NULL;
+
+ if (subject == NULL || pattern == NULL) return 0;
+
+ if (pat_len > sbj_len) return 0;
+
+ pat_end = pattern + pat_len;
+
+ for (p = pattern, s = subject; p < pat_end; p++, s++) {
+ if (*p != *s) return 0;
+ }
+ return 1;
+
+}
+
+/*
+ * Return true if subject starts with pattern, false otherwise.
+ * subject and pattern are NULL terminated strings.
+ */
+int
+str_ends_with(const char *subject, const char *pattern)
+{
+ size_t sbj_len;
+ size_t pat_len;
+
+ pat_len = strlen(pattern);
+ sbj_len = strlen(subject);
+
+ return strn_ends_with(subject, pattern, sbj_len, pat_len);
+}
+
+/*
+ * Return true if subject ends with pattern, false otherwise.
+ * subject and pattern are terminated by their respective length parameters.
+ */
+int
+strn_ends_with(const char *subject, const char *pattern, size_t sbj_len, size_t pat_len)
+{
+ const char *s = NULL;
+ const char *sbj_end = NULL;
+ const char *p = NULL;
+ const char *pat_end = NULL;
+
+ if (subject == NULL || pattern == NULL) return 0;
+
+ if (pat_len > sbj_len) return 0;
+
+ pat_end = pattern + pat_len - 1;
+ sbj_end = subject + sbj_len - 1;
+
+ for (p = pat_end, s = sbj_end; p >= pattern; p--, s--) {
+ if (*p != *s) return 0;
+ }
+ return 1;
+
+}
+
+/*
+ * Tests to see if the basename of a file found in a config directory
+ * should be excluded from being read because it is not a valid config
+ * file. The function returns true if the file basename should be
+ * excluded.
+ *
+ * The following basename's are excluded:
+ *
+ * Any basename beginning with a dot (.)
+ * Any basename beginning with a hash (i.e. pound sign, octothorp) (#)
+ * Any basename ending with a tilde (~)
+ * Any basename ending with the substring ".rpmsave"
+ * Any basename ending with the substring ".rpmnew"
+ * Any basename ending with the substring ".bak"
+ */
+
+#ifdef HAVE_REGEX_H
+#include <regex.h>
+
+/*
+ * Performs test with a regular expression. The regexp is compiled on
+ * first use and then saved in a static variable for future use.
+ */
+
+int
+fr_exclude_config_file(const char *basename)
+{
+ char *pattern = "^\\.|^#|~$|\\.rpmsave$|\\.rpmnew$|\\.bak$";
+ //char *pattern = "*";
+ int status;
+ static regex_t re;
+ static int compiled = 0;
+
+ if (!compiled) {
+ if ((status = regcomp(&re, pattern, REG_NOSUB | REG_EXTENDED)) != 0) {
+ char error_buf[256];
+
+ regerror(status, &re, error_buf, sizeof(error_buf));
+ fprintf(stderr, "fr_exclude_config_file: failed to compile regular expression \"%s\": %s",
+ pattern, error_buf);
+
+ return(0); /* Since we can't perform test, accept all files */
+ }
+ compiled = 1;
+ }
+ status = regexec(&re, basename, (size_t) 0, NULL, 0);
+
+ if (status == 0) {
+ return 1;
+ } else {
+ return 0;
+ }
+}
+
+#else
+
+/*
+ * Performs the test with starts_with and ends_with string utilities.
+ */
+
+int
+fr_exclude_config_file(const char *basename)
+{
+ if (str_starts_with(basename, ".")) return 1;
+ if (str_starts_with(basename, "#")) return 1;
+
+ if (str_ends_with(basename, "~")) return 1;
+ if (str_ends_with(basename, ".rpmsave")) return 1;
+ if (str_ends_with(basename, ".rpmnew")) return 1;
+ if (str_ends_with(basename, ".bak")) return 1;
+
+ return 0;
+}
+
+#endif
diff -b -u -r freeradius-server-2.2.0.orig/src/main/client.c freeradius-server-2.2.0.configfile/src/main/client.c
--- freeradius-server-2.2.0.orig/src/main/client.c 2012-09-10 07:51:34.000000000 -0400
+++ freeradius-server-2.2.0.configfile/src/main/client.c 2012-10-03 10:53:33.166452136 -0400
@@ -845,13 +845,24 @@
}
/*
- * Read the directory, ignoring "." files.
+ * Read the directory, ignoring invalid files.
*/
while ((dp = readdir(dir)) != NULL) {
const char *p;
RADCLIENT *dc;
- if (dp->d_name[0] == '.') continue;
+ /*
+ * Check for invalid file names
+ */
+ if (fr_exclude_config_file(dp->d_name)) {
+ if (!(strcmp(dp->d_name, ".") == 0 ||
+ strcmp(dp->d_name, "..") == 0)) {
+ cf_log_info(cs,
+ "skipping client file, invalid name \"%s/%s\"",
+ value, dp->d_name);
+ }
+ continue;
+ }
/*
* Check for valid characters
@@ -863,7 +874,12 @@
(*p == '.')) continue;
break;
}
- if (*p != '\0') continue;
+ if (*p != '\0') {
+ cf_log_info(cs,
+ "skipping client file, invalid characters in name \"%s/%s\"",
+ value, dp->d_name);
+ continue;
+ }
snprintf(buf2, sizeof(buf2), "%s/%s",
value, dp->d_name);
diff -b -u -r freeradius-server-2.2.0.orig/src/main/conffile.c freeradius-server-2.2.0.configfile/src/main/conffile.c
--- freeradius-server-2.2.0.orig/src/main/conffile.c 2012-09-10 07:51:34.000000000 -0400
+++ freeradius-server-2.2.0.configfile/src/main/conffile.c 2012-10-03 10:55:05.918611881 -0400
@@ -1512,12 +1512,23 @@
}
/*
- * Read the directory, ignoring "." files.
+ * Read the directory, ignoring invalid files.
*/
while ((dp = readdir(dir)) != NULL) {
const char *p;
- if (dp->d_name[0] == '.') continue;
+ /*
+ * Check for invalid file names
+ */
+ if (fr_exclude_config_file(dp->d_name)) {
+ if (!(strcmp(dp->d_name, ".") == 0 ||
+ strcmp(dp->d_name, "..") == 0)) {
+ radlog(L_INFO, "skipping config file, invalid name \"%s%s\"",
+ value, dp->d_name);
+ }
+ continue;
+ }
+
/*
* Check for valid characters
@@ -1530,7 +1541,11 @@
(*p == '.')) continue;
break;
}
- if (*p != '\0') continue;
+ if (*p != '\0') {
+ radlog(L_INFO, "skipping config file, invalid characters in name \"%s%s\"",
+ value, dp->d_name);
+ continue;
+ }
snprintf(buf2, sizeof(buf2), "%s%s",
value, dp->d_name);
diff -b -u -r freeradius-server-2.2.0.orig/src/modules/rlm_policy/parse.c freeradius-server-2.2.0.configfile/src/modules/rlm_policy/parse.c
--- freeradius-server-2.2.0.orig/src/modules/rlm_policy/parse.c 2012-09-10 07:51:34.000000000 -0400
+++ freeradius-server-2.2.0.configfile/src/modules/rlm_policy/parse.c 2012-10-03 10:57:16.985425570 -0400
@@ -1584,13 +1584,22 @@
}
/*
- * Read the directory, ignoring "." files.
+ * Read the directory, ignoring invalid files.
*/
while ((dp = readdir(dir)) != NULL) {
struct stat buf;
- if (dp->d_name[0] == '.') continue;
- if (strchr(dp->d_name, '~') != NULL) continue;
+ /*
+ * Check for invalid file names
+ */
+ if (fr_exclude_config_file(dp->d_name)) {
+ if (!(strcmp(dp->d_name, ".") == 0 ||
+ strcmp(dp->d_name, "..") == 0)) {
+ fprintf(stderr, "skipping policy file, invalid name \"%s%s\"",
+ buffer, dp->d_name);
+ }
+ continue;
+ }
strlcpy(p, dp->d_name,
sizeof(buffer) - (p - buffer));
@@ -1704,4 +1713,3 @@
return 1;
}
-

260
freeradius-man.patch
View File

@ -1,260 +0,0 @@
From 12bbe0c8289260f7db62e010a5e7168ce7bc5644 Mon Sep 17 00:00:00 2001
From: John Dennis <jdennis@redhat.com>
Date: Fri, 13 Jan 2012 12:45:14 -0500
Subject: [PATCH] Fix typo in name of rlm_dbm_parser man page
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
It was rlm_dbm_parse but should be rlm_dbm_parser to match the
executable name. Also fix name in man page.
---
src/modules/rlm_dbm/Makefile.in | 2 +-
src/modules/rlm_dbm/rlm_dbm_parse.8 | 109 ----------------------------------
src/modules/rlm_dbm/rlm_dbm_parser.8 | 109 ++++++++++++++++++++++++++++++++++
3 files changed, 110 insertions(+), 110 deletions(-)
delete mode 100644 src/modules/rlm_dbm/rlm_dbm_parse.8
create mode 100644 src/modules/rlm_dbm/rlm_dbm_parser.8
diff --git a/src/modules/rlm_dbm/Makefile.in b/src/modules/rlm_dbm/Makefile.in
index f970538..cd537ec 100644
--- a/src/modules/rlm_dbm/Makefile.in
+++ b/src/modules/rlm_dbm/Makefile.in
@@ -29,4 +29,4 @@ rlm_dbm_install: rlm_dbm_cat rlm_dbm_parser
$(LIBTOOL) --mode=install $(INSTALL) -m 755 $(INSTALLSTRIP) \
rlm_dbm_parser$(EXEEXT) $(R)$(bindir)
$(INSTALL) -m 644 rlm_dbm_cat.8 $(R)$(mandir)/man8
- $(INSTALL) -m 644 rlm_dbm_parse.8 $(R)$(mandir)/man8
+ $(INSTALL) -m 644 rlm_dbm_parser.8 $(R)$(mandir)/man8
diff --git a/src/modules/rlm_dbm/rlm_dbm_parse.8 b/src/modules/rlm_dbm/rlm_dbm_parse.8
deleted file mode 100644
index 51dd1fc..0000000
--- a/src/modules/rlm_dbm/rlm_dbm_parse.8
+++ /dev/null
@@ -1,109 +0,0 @@
-.TH RLM_DBM_PARSE 8
-.SH NAME
-rlm_dbm_parse - transforms simple syntax into rlm_dbm format
-.SH SYNOPSIS
-.B rlm_dbm_parse
-.RB [ \-c ]
-.RB [ \-d
-.IR raddb ]
-.RB [ \-i
-.IR inputfile ]
-.RB [ \-o
-.IR outputfile ]
-.RB [ \-x ]
-.RB [ \-v ]
-.RB [ \-q ]
-[\fIusername ...\fP]
-
-.SH DESCRIPTION
-\fBrlm_dbm_parse\fP reads a file of the syntax defined below, and writes
-a database file usable by rlm_dbm or edits current database.
-.PP
-
-.SH INPUT FORMAT
-
-\fIrlm_dbm_parse\fP reads a format similar to the one used by the files
-module. In incomplete RFC2234 ABNF, it looks like this:
-
-.nf
-entries = *entry
-entry = identifier TAB definition
-identifier = username / group-name
-username = +PCHAR
-groupname = +PCHAR
-definition = (check-item ",")* LF ( *( reply-item ",") / ";" ) LF
-check-item = AS IN FILES
-reply-item = AS IN FILES
-* need definition of username and groupname
-.fi
-
-As an example, these are the standard files definitions (files module).
-
-.nf
-DEFAULT Service-Type == Framed-User
- Framed-IP-Address = 255.255.255.254,
- Framed-MTU = 576,
- Service-Type = Framed-User,
- Fall-Through = Yes
-
-#except who call from number 555-666
-DEFAULT Auth-Type := Reject,Service-Type ==Framed-User,
- Calling-Station-ID == "555-666"
-
-#or call number 555-667
-DEFAULT Auth-Type := Reject,Service-Type ==Framed-User,
- Calling-Station-ID == "555-667"
-.fi
-
-To be a valid rlm_dbm input file, it should look like this:
-
-.nf
-DEFAULT Service-Type == Framed-User # (1)
- Framed-IP-Address = 255.255.255.254, # comma, list cont'd
- Framed-MTU = 576,
- Service-Type = Framed-User,
- Fall-Through = Yes # \\n, end of list
- Auth-Type := Reject,Service-Type ==Framed-User, # (2)
- Calling-Station-ID == "555-666"
- ; # ;, no reply items
- Auth-Type := Reject,Service-Type ==Framed-User, # (3)
- Calling-Station-ID == "555-667"
- ; # ditto
-.fi
-
-This user (the DEFAULT user) contains three entries, 1, 2 and 3. The
-first entry has a list of reply items, terminated by a reply item
-without a trailing comma. Entries 2 and 3 has empty reply lists, as
-indicated by the semicolon. This is necessary to separate an empty
-line (which is ignored) from the empty list.
-Definition Fall-Through = Yes used in order to say module to check next
-record. By default Fall-Through = Yes.
-
-.SH OPTIONS
-
-.IP \-d\ \fIraddb\fP
-Use \fIraddb\fP as the radiusd configuration directory.
-.IP \-i\ \fIinputfile\fP
-Use \fIfile\fP as the input file. If not defined then use standard input.
-.IP \-o\ \fIoutputfile\fP
-Use \fIfile\fP as the output file.
-.IP \-c
-Create a new database (empty output file before writing)
-.IP \-x
-Enable debug mode. Multiple x flags increase debug level.
-.IP \-q
-Do not print statistics (quiet).
-.IP \-v
-Print the version and exit.
-.IP \-r
-Remove a username or group name from the database.
-
-.SH SEE ALSO
-radiusd(8)
-.SH AUTHORS
-.TP
-Author:
-Andrei Koulik <rlm_dbm@agk.nnov.ru>
-.TP
-Documentation:
-Bjørn Nordbø <bn@nextra.com>
diff --git a/src/modules/rlm_dbm/rlm_dbm_parser.8 b/src/modules/rlm_dbm/rlm_dbm_parser.8
new file mode 100644
index 0000000..94137da
--- /dev/null
+++ b/src/modules/rlm_dbm/rlm_dbm_parser.8
@@ -0,0 +1,109 @@
+.TH RLM_DBM_PARSER 8
+.SH NAME
+rlm_dbm_parser - transforms simple syntax into rlm_dbm format
+.SH SYNOPSIS
+.B rlm_dbm_parser
+.RB [ \-c ]
+.RB [ \-d
+.IR raddb ]
+.RB [ \-i
+.IR inputfile ]
+.RB [ \-o
+.IR outputfile ]
+.RB [ \-x ]
+.RB [ \-v ]
+.RB [ \-q ]
+[\fIusername ...\fP]
+
+.SH DESCRIPTION
+\fBrlm_dbm_parser\fP reads a file of the syntax defined below, and writes
+a database file usable by rlm_dbm or edits current database.
+.PP
+
+.SH INPUT FORMAT
+
+\fIrlm_dbm_parser\fP reads a format similar to the one used by the files
+module. In incomplete RFC2234 ABNF, it looks like this:
+
+.nf
+entries = *entry
+entry = identifier TAB definition
+identifier = username / group-name
+username = +PCHAR
+groupname = +PCHAR
+definition = (check-item ",")* LF ( *( reply-item ",") / ";" ) LF
+check-item = AS IN FILES
+reply-item = AS IN FILES
+* need definition of username and groupname
+.fi
+
+As an example, these are the standard files definitions (files module).
+
+.nf
+DEFAULT Service-Type == Framed-User
+ Framed-IP-Address = 255.255.255.254,
+ Framed-MTU = 576,
+ Service-Type = Framed-User,
+ Fall-Through = Yes
+
+#except who call from number 555-666
+DEFAULT Auth-Type := Reject,Service-Type ==Framed-User,
+ Calling-Station-ID == "555-666"
+
+#or call number 555-667
+DEFAULT Auth-Type := Reject,Service-Type ==Framed-User,
+ Calling-Station-ID == "555-667"
+.fi
+
+To be a valid rlm_dbm input file, it should look like this:
+
+.nf
+DEFAULT Service-Type == Framed-User # (1)
+ Framed-IP-Address = 255.255.255.254, # comma, list cont'd
+ Framed-MTU = 576,
+ Service-Type = Framed-User,
+ Fall-Through = Yes # \\n, end of list
+ Auth-Type := Reject,Service-Type ==Framed-User, # (2)
+ Calling-Station-ID == "555-666"
+ ; # ;, no reply items
+ Auth-Type := Reject,Service-Type ==Framed-User, # (3)
+ Calling-Station-ID == "555-667"
+ ; # ditto
+.fi
+
+This user (the DEFAULT user) contains three entries, 1, 2 and 3. The
+first entry has a list of reply items, terminated by a reply item
+without a trailing comma. Entries 2 and 3 has empty reply lists, as
+indicated by the semicolon. This is necessary to separate an empty
+line (which is ignored) from the empty list.
+Definition Fall-Through = Yes used in order to say module to check next
+record. By default Fall-Through = Yes.
+
+.SH OPTIONS
+
+.IP \-d\ \fIraddb\fP
+Use \fIraddb\fP as the radiusd configuration directory.
+.IP \-i\ \fIinputfile\fP
+Use \fIfile\fP as the input file. If not defined then use standard input.
+.IP \-o\ \fIoutputfile\fP
+Use \fIfile\fP as the output file.
+.IP \-c
+Create a new database (empty output file before writing)
+.IP \-x
+Enable debug mode. Multiple x flags increase debug level.
+.IP \-q
+Do not print statistics (quiet).
+.IP \-v
+Print the version and exit.
+.IP \-r
+Remove a username or group name from the database.
+
+.SH SEE ALSO
+radiusd(8)
+.SH AUTHORS
+.TP
+Author:
+Andrei Koulik <rlm_dbm@agk.nnov.ru>
+.TP
+Documentation:
+Bjørn Nordbø <bn@nextra.com>
--
1.7.7.5

65
freeradius-perl.patch
View File

@ -1,65 +0,0 @@
commit ecb3cd1dbedb764ab98532dae5e0b5bfc9571b00
Author: Alan T. DeKok <aland@freeradius.org>
Date: Thu Dec 1 14:21:03 2011 +0100
Perl clone should be called sequentially, not in parallel.
Adding a mutex fixes this.
Patch from Eike Dehling
diff --git a/src/modules/rlm_perl/rlm_perl.c b/src/modules/rlm_perl/rlm_perl.c
index 5c82e89..4682ba5 100644
--- a/src/modules/rlm_perl/rlm_perl.c
+++ b/src/modules/rlm_perl/rlm_perl.c
@@ -77,6 +77,8 @@ typedef struct perl_inst {
char *perl_flags;
PerlInterpreter *perl;
pthread_key_t *thread_key;
+
+ pthread_mutex_t clone_mutex;
} PERL_INST;
/*
* A mapping of configuration file names to internal variables.
@@ -434,6 +436,8 @@ static int perl_instantiate(CONF_SECTION *conf, void **instance)
*/
#ifdef USE_ITHREADS
+ pthread_mutex_init(&inst->clone_mutex, NULL);
+
inst->thread_key = rad_malloc(sizeof(*inst->thread_key));
memset(inst->thread_key,0,sizeof(*inst->thread_key));
@@ -656,8 +660,10 @@ static int rlmperl_call(void *instance, REQUEST *request, char *function_name)
HV *rad_request_hv;
HV *rad_request_proxy_hv;
HV *rad_request_proxy_reply_hv;
-
+
#ifdef USE_ITHREADS
+ pthread_mutex_lock(&inst->clone_mutex);
+
PerlInterpreter *interp;
interp = rlm_perl_clone(inst->perl,inst->thread_key);
@@ -665,9 +671,12 @@ static int rlmperl_call(void *instance, REQUEST *request, char *function_name)
dTHXa(interp);
PERL_SET_CONTEXT(interp);
}
+
+ pthread_mutex_unlock(&inst->clone_mutex);
#else
PERL_SET_CONTEXT(inst->perl);
#endif
+
{
dSP;
@@ -974,6 +983,7 @@ static int perl_detach(void *instance)
#ifdef USE_ITHREADS
rlm_perl_destruct(inst->perl);
+ pthread_mutex_destroy(&inst->clone_mutex);
#else
perl_destruct(inst->perl);
perl_free(inst->perl);

11
freeradius-postgres-sql.patch
View File

@ -1,11 +0,0 @@
diff -r -u freeradius-server-2.1.12.orig/raddb/sql/postgresql/admin.sql freeradius-server-2.1.12.work/raddb/sql/postgresql/admin.sql
--- freeradius-server-2.1.12.orig/raddb/sql/postgresql/admin.sql 2011-09-30 10:12:07.000000000 -0400
+++ freeradius-server-2.1.12.work/raddb/sql/postgresql/admin.sql 2012-02-28 13:16:36.329403383 -0500
@@ -28,5 +28,5 @@
/*
* The server can write to the accounting and post-auth logging table.
*/
-GRANT ALL on radius.radacct TO radius;
-GRANT ALL on radius.radpostauth TO radius;
+GRANT ALL on radacct TO radius;
+GRANT ALL on radpostauth TO radius;

39
freeradius-unix-passwd-expire.patch
View File

@ -1,39 +0,0 @@
--- freeradius-server-2.1.12.orig/src/modules/rlm_unix/rlm_unix.c 2011-09-30 10:12:07.000000000 -0400
+++ freeradius/freeradius-server/src/modules/rlm_unix/rlm_unix.c 2012-02-27 15:10:19.782821614 -0500
@@ -274,9 +274,17 @@
/*
* Check if password has expired.
*/
+ if (spwd && spwd->sp_lstchg > 0 && spwd->sp_max >= 0 &&
+ (request->timestamp / 86400) > (spwd->sp_lstchg + spwd->sp_max)) {
+ radlog_request(L_AUTH, 0, request, "[%s]: password has expired", name);
+ return RLM_MODULE_REJECT;
+ }
+ /*
+ * Check if account has expired.
+ */
if (spwd && spwd->sp_expire > 0 &&
(request->timestamp / 86400) > spwd->sp_expire) {
- radlog_request(L_AUTH, 0, request, "[%s]: password has expired", name);
+ radlog_request(L_AUTH, 0, request, "[%s]: account has expired", name);
return RLM_MODULE_REJECT;
}
#endif
@@ -363,7 +371,7 @@
if (fr_crypt_check((char *) request->password->vp_strvalue,
(char *) vp->vp_strvalue) != 0) {
radlog_request(L_AUTH, 0, request, "invalid password \"%s\"",
- request->username->vp_strvalue);
+ request->password->vp_strvalue);
return RLM_MODULE_REJECT;
}
#endif /* OSFFIA */
@@ -440,7 +448,7 @@
* Which type is this.
*/
if ((vp = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE))==NULL) {
- radlog(L_ERR, "rlm_unix: no Accounting-Status-Type attribute in request.");
+ RDEBUG("no Accounting-Status-Type attribute in request.");
return RLM_MODULE_NOOP;
}
status = vp->vp_integer;

117
freeradius.spec
View File

@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server
Name: freeradius
Version: 2.1.12
Release: 8%{?dist}
Version: 2.2.0
Release: 0%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons
URL: http://www.freeradius.org/
@ -14,11 +14,8 @@ Source104: %{name}-tmpfiles.conf
Patch1: freeradius-cert-config.patch
Patch2: freeradius-radtest.patch
Patch3: freeradius-man.patch
Patch4: freeradius-unix-passwd-expire.patch
Patch5: freeradius-radeapclient-ipv6.patch
Patch6: freeradius-postgres-sql.patch
Patch7: freeradius-perl.patch
Patch3: freeradius-radeapclient-ipv6.patch
Patch4: freeradius-exclude-config-file.patch
Obsoletes: freeradius-devel
Obsoletes: freeradius-libs
@ -152,11 +149,8 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
%setup -q -n freeradius-server-%{version}
%patch1 -p1 -b .cert-config
%patch2 -p1 -b .radtest
%patch3 -p1 -b .man
%patch4 -p1 -b unix-passwd-expire
%patch5 -p1 -b radeapclient-ipv6
%patch6 -p1 -b postgres-sql
%patch7 -p1 -b perl
%patch3 -p1 -b radeapclient-ipv6
%patch4 -p1 -b exclude-config-file
# Some source files mistakenly have execute permissions set
find $RPM_BUILD_DIR/freeradius-server-%{version} \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} +
@ -171,6 +165,7 @@ export CFLAGS="$RPM_OPT_FLAGS -fpic"
%configure \
--libdir=%{_libdir}/freeradius \
--with-system-libtool \
--with-system-libltdl \
--disable-ltdl-install \
--with-udpfromto \
--with-gnu-ld \
@ -353,6 +348,7 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/always
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/attr_filter
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/attr_rewrite
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/cache
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/chap
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/checkval
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/counter
@ -360,6 +356,7 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/detail
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/detail.example.com
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/detail.log
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/dhcp_sqlippool
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/digest
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/dynamic_clients
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/echo
@ -384,6 +381,7 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/passwd
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/policy
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/preprocess
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/radrelay
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/radutmp
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/realm
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/redis
@ -459,6 +457,8 @@ exit 0
%{_libdir}/freeradius/rlm_attr_filter-%{version}.so
%{_libdir}/freeradius/rlm_attr_rewrite.so
%{_libdir}/freeradius/rlm_attr_rewrite-%{version}.so
%{_libdir}/freeradius/rlm_cache.so
%{_libdir}/freeradius/rlm_cache-%{version}.so
%{_libdir}/freeradius/rlm_chap.so
%{_libdir}/freeradius/rlm_chap-%{version}.so
%{_libdir}/freeradius/rlm_checkval.so
@ -601,6 +601,99 @@ exit 0
%{_libdir}/freeradius/rlm_sql_unixodbc-%{version}.so
%changelog
* Wed Oct 3 2012 John Dennis <jdennis@redhat.com> - 2.2.0-0
- Add new patch to avoid reading .rpmnew, .rpmsave and other invalid
files when loading config files
- Upgrade to new 2.2.0 upstream release
- Upstream changelog for 2.1.12:
Feature improvements
* 100% configuration file compatible with 2.1.x.
The only fix needed is to disallow "hashsize=0" for rlm_passwd
* Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware,
Redback, and Mikrotik dictionaries
* Switch to using SHA1 for certificate digests instead of MD5.
See raddb/certs/*.cnf
* Added copyright statements to the dictionaries, so that we know
when people are using them.
* Better documentation for radrelay and detail file writer.
See raddb/modules/radrelay and raddb/radrelay.conf
* Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
* Added -F <file> to radwho
* Added query timeouts to MySQL driver. Patch from Brian De Wolf.
* Add /etc/default/freeradius to debian package.
Patch from Matthew Newton
* Finalize DHCP and DHCP relay code. It should now work everywhere.
See raddb/sites-available/dhcp, src_ipaddr and src_interface.
* DHCP capabilitiies are now compiled in by default.
It runs as a DHCP server ONLY when manually enabled.
* Added one letter expansions: %G - request minute and %I request
ID.
* Added script to convert ISC DHCP lease files to SQL pools.
See scripts/isc2ippool.pl
* Added rlm_cache to cache arbitrary attributes.
* Added max_use to rlm_ldap to force connection to be re-established
after a given number of queries.
* Added configtest option to Debian init scripts, and automatic
config test on restart.
* Added cache config item to rlm_krb5. When set to "no" ticket
caching is disabled which may increase performance.
Bug fixes
* Fix CVE-2012-3547. All users of 2.1.10, 2.1.11, 2.1.12,
and 802.1X should upgrade immediately.
* Fix typo in detail file writer, to skip writing if the packet
was read from this detail file.
* Free cached replies when closing resumed SSL sessions.
* Fix a number of issues found by Coverity.
* Fix memory leak and race condition in the EAP-TLS session cache.
Thanks to Phil Mayers for tracking down OpenSSL APIs.
* Restrict ATTRIBUTE names to character sets that make sense.
* Fix EAP-TLS session Id length so that OpenSSL doesn't get
excited.
* Fix SQL IPPool logic for non-timer attributes. Closes bug #181
* Change some informational messages to DEBUG rather than error.
* Portability fixes for FreeBSD. Closes bug #177
* A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols
nonsense.
* Safely handle extremely long lines in conf file variable expansion
* Fix for Debian bug #606450
* Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
* The passwd module no longer permits "hashsize = 0". Setting that
is pointless for a host of reasons. It will also break the server.
* Fix proxied inner-tunnel packets sometimes having zero authentication
vector. Found by Brian Julin.
* Added $(EXEEXT) to Makefiles for portability. Closes bug #188.
* Fix minor build issue which would cause rlm_eap to be built twice.
* When using "status_check=request" for a home server, the username
and password must be specified, or the server will not start.
* EAP-SIM now calculates keys from the SIM identity, not from the
EAP-Identity. Changing the EAP type via NAK may result in
identities changing. Bug reported by Microsoft EAP team.
* Use home server src_ipaddr when sending Status-Server packets
* Decrypt encrypted ERX attributes in CoA packets.
* Fix registration of internal xlat's so %{mschap:...} doesn't
disappear after a HUP.
* Can now reference tagged attributes in expansions.
e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work.
* Correct calculation of Message-Authenticator for CoA and Disconnect
replies. Patch from Jouni Malinen
* Install rad_counter, for managing rlm_counter files.
* Add unique index constraint to all SQL flavours so that alternate
queries work correctly.
* The TTLS diameter decoder is now more lenient. It ignores
unknown attributes, instead of rejecting the TTLS session.
* Use "globfree" in detail file reader. Prevents very slow leak.
Closes bug #207.
* Operator =~ shouldn't copy the attribute, like :=. It should
instead behave more like ==.
* Build main Debian package without SQL dependencies
* Use max_queue_size in threading code
* Update permissions in raddb/sql/postgresql/admin.sql
* Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL
wouldn't use methods it knew about.
* Add more sanity checks in dynamic_clients code so the server won't
crash if it attempts to load a badly formated client definition.
* Tue May 15 2012 John Dennis <jdennis@redhat.com> - 2.1.12-8
- resolves: bug#821407 - openssl dependency

2
sources
View File

@ -1 +1 @@
862d3a2c11011e61890ba84fa636ed8c freeradius-server-2.1.12.tar.bz2
0fb333fe6a64eb2b1dd6ef67f7bca119 freeradius-server-2.2.0.tar.bz2