rpms/freeradius
7
0
Fork 0
Code Issues Pull Requests Releases Activity

RHEL 9.0.0 Alpha bootstrap

Browse Source 
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/freeradius#2898c9222beb70cb2dc4d5db7f5a37f6988530bc
This commit is contained in:
Petr Šabata 2020-10-15 00:34:59 +02:00
parent aabbc3f704
commit f758b68708
27 changed files with 4025 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
.gitignore vendored
View File

@ -0,0 +1,36 @@
# Ignore build artifacts and signatures
*.sig
.build*.log
freeradius-server-*/
x86_64/
freeradius-*.src.rpm
# Automatically added
/freeradius-server-2.1.9.tar.bz2
/freeradius-server-2.1.10.tar.bz2
/freeradius-server-2.1.11.tar.bz2
/freeradius-server-2.1.12.tar.bz2
/freeradius-server-2.2.0.tar.bz2
/freeradius-server-release_3_0_0_rc0.tar.gz
/freeradius-server-release_3_0_0_rc1.tar.gz
/freeradius-server-3.0.0.tar.bz2
/freeradius-server-3.0.1.tar.bz2
/freeradius-server-3.0.2.tar.bz2
/freeradius-server-3.0.3.tar.bz2
/freeradius-server-3.0.4rc2.tar.bz2
/freeradius-server-3.0.4.tar.bz2
/freeradius-server-3.0.7.tar.bz2
/freeradius-server-3.0.8.tar.bz2
/freeradius-server-3.0.9.tar.bz2
/freeradius-server-3.0.10.tar.bz2
/freeradius-server-3.0.11.tar.bz2
/freeradius-server-3.0.12.tar.bz2
/freeradius-server-3.0.13.tar.bz2
/freeradius-server-3.0.14.tar.bz2
/freeradius-server-3.0.15.tar.bz2
/freeradius-server-3.0.17.tar.bz2
/freeradius-server-3.0.18.tar.gz
/freeradius-server-3.0.18.tar.bz2
/freeradius-server-3.0.19.tar.bz2
/freeradius-server-3.0.20.tar.bz2
/freeradius-server-3.0.21.tar.bz2

385
find_module_deps Executable file
View File

@ -0,0 +1,385 @@
#!/usr/bin/env python
import exceptions
import getopt
import os
import re
import rpm
import select
import subprocess
import sys
#------------------------------------------------------------------------------
def get_rlms(root):
rlm_re = re.compile(r'^rlm_')
version_re = re.compile(r'-[0-9.]+\.so$')
names = os.listdir(root)
names = [x for x in names if rlm_re.search(x)]
names = [x for x in names if not version_re.search(x)]
names.sort()
return names
#------------------------------------------------------------------------------
debug = False
verbose = False
exclude_rpms = ['glibc']
build = '2.0.2-1.fc8'
root_template = '/var/tmp/freeradius-%s-root-jdennis/usr/lib/freeradius'
libdirs = ['/lib','/usr/lib']
#------------------------------------------------------------------------------
def get_rpm_nvr_from_header(hdr):
'Given an RPM header return the package NVR as a string'
name = hdr['name']
version = hdr['version']
release = hdr['release']
return "%s-%s-%s" % (name, version, release)
def get_rpm_hdr_by_file_path(path):
if path is None:
return None
hdr = None
try:
ts = rpm.ts()
mi = ts.dbMatch(rpm.RPMTAG_BASENAMES, path)
for hdr in mi: break
except Exception, e:
print >> sys.stderr, "failed to retrieve rpm hdr for %s, %s" %(path, e)
hdr = None
return hdr
def get_rpm_nvr_by_file_path(path):
if path is None:
return None
hdr = get_rpm_hdr_by_file_path(path)
if not hdr:
print >> sys.stderr, "failed to retrieve rpm info for %s" %(path)
nvr = get_rpm_nvr_from_header(hdr)
return nvr
def get_rpm_name_by_file_path(path):
if path is None:
return None
hdr = get_rpm_hdr_by_file_path(path)
if not hdr:
print >> sys.stderr, "failed to retrieve rpm info for %s" %(path)
name = hdr['name']
return name
#------------------------------------------------------------------------------
class CmdError(exceptions.Exception):
def __init__(self, errno, msg):
self.errno = errno
self.msg = msg
class Command:
def __init__(self, cmd):
self.cmd = cmd
self.sub_process = None
self.bufsize = 1024
self.stdout_buf = ''
self.stderr_buf = ''
self.stdout_lines = []
self.stderr_lines = []
def run(self, stdout_callback=None, stderr_callback=None):
self.sub_process = subprocess.Popen(self.cmd, \
stdin=None, stdout=subprocess.PIPE, stderr=subprocess.PIPE, \
close_fds=True, shell=True)
self.stdout = self.sub_process.stdout
self.stderr = self.sub_process.stderr
read_watch = [self.stdout, self.stderr]
while read_watch:
readable = select.select(read_watch, [], [])[0]
for fd in readable:
if fd == self.stdout:
data = os.read(fd.fileno(), self.bufsize)
if not data:
read_watch.remove(fd)
else:
self.stdout_buf += data
for line in self.burst_lines('stdout_buf'):
if stdout_callback: stdout_callback(line)
self.stdout_lines.append(line)
if fd == self.stderr:
data = os.read(fd.fileno(), self.bufsize)
if not data:
read_watch.remove(fd)
else:
self.stderr_buf += data
for line in self.burst_lines('stderr_buf'):
if stdout_callback: stderr_callback(line)
self.stderr_lines.append(line)
self.returncode = self.sub_process.wait()
if self.returncode:
raise CmdError(self.returncode, "cmd \"%s\"\nreturned status %d\n%s" % (self.cmd, self.returncode, ''.join(self.stderr_lines)))
return self.returncode
def burst_lines(self, what):
buf = getattr(self, what)
start = 0
end = buf.find('\n', start)
while end >= 0:
end += 1 # include newline
line = buf[start:end]
yield line
start = end
end = buf.find('\n', start)
buf = buf[start:]
setattr(self, what, buf)
#------------------------------------------------------------------------------
def get_so_requires(path):
requires = {}
cmd = 'ldd %s' % (path)
so_re = re.compile(r'^\s*(\S+)\s+=>\s+(\S+)')
c = Command(cmd)
status = c.run()
for line in c.stdout_lines:
line = line.strip()
match = so_re.search(line)
if match:
so_name = match.group(1)
if match.group(2).startswith('/'):
so_path = match.group(2)
else:
so_path = None
requires[so_name] = so_path
return requires
def get_so_needed(path):
needed = []
cmd = 'readelf -d %s' % (path)
so_re = re.compile(r'\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]')
c = Command(cmd)
status = c.run()
for line in c.stdout_lines:
line = line.strip()
match = so_re.search(line)
if match:
so_name = match.group(1)
needed.append(so_name)
return needed
def format_size(size):
if size > 1000000000:
return '%.1f GB' % (size/1000000000.0)
if size > 1000000:
return '%.1f MB' % (size/1000000.0)
if size > 1000:
return '%.1f KB' % (size/1000.0)
return '%d' % (size)
#------------------------------------------------------------------------------
class RPM_Prop:
def __init__(self, path=None, name=None):
self.name = name
self.paths = {}
self.rpm_hdr = None
self.used_by = {}
if path:
self.register_path(path)
if not self.rpm_hdr:
self.rpm_hdr = get_rpm_hdr_by_file_path(path)
if self.rpm_hdr:
if not self.name:
self.name = self.rpm_hdr[rpm.RPMTAG_NAME]
self.size = self.rpm_hdr[rpm.RPMTAG_SIZE]
def __str__(self):
return "name=%s paths=%s" % (self.name, ','.join(self.paths.keys()))
def register_path(self, path, name=None):
if debug: print "%s.register_path: path=%s" % (self.__class__.__name__, path)
return self.paths.setdefault(path, path)
class RPM_Collection:
def __init__(self):
self.names = {}
self.paths = {}
def __str__(self):
text = ''
names = self.get_names()
for name in names:
text += "%s: %s\n" % (name, self.names[name])
return text
def register_path(self, path):
if debug: print "%s.register_path: path=%s" % (self.__class__.__name__, path)
rpm_prop = self.paths.get(path)
if not rpm_prop:
rpm_prop = self.paths.setdefault(path, RPM_Prop(path=path))
self.names.setdefault(rpm_prop.name, rpm_prop)
return rpm_prop
def get_names(self):
names = self.names.keys()
names.sort()
return names
def get_name(self, name):
return self.names.get(name)
class SO_File:
def __init__(self, name=None, path=None):
self.name = name
self.path = path
self.rpm = None
def __str__(self):
if self.rpm:
rpm_name = self.rpm.name
else:
rpm_name = None
return "name=%s rpm=%s" % (self.name, rpm_name)
class SO_Collection:
def __init__(self):
self.names = {}
self.paths = {}
def __str__(self):
text = ''
names = self.get_names()
for name in names:
text += "%s: %s\n" % (name, self.names[name])
return text
def register_path(self, path, name=None):
if debug: print "%s.register_path: path=%s" % (self.__class__.__name__, path)
so_prop = self.paths.get(path)
if not so_prop:
so_prop = self.paths.setdefault(path, SO_File(name, path=path))
self.names.setdefault(name, so_prop)
return so_prop
def get_names(self):
names = self.names.keys()
names.sort()
return names
class LoadableModule:
def __init__(self, path, name=None):
if name is None:
name = os.path.basename(path)
self.name = name
self.path = path
self.rpm_names = {}
self.sos = SO_Collection()
self.get_so_requires()
def __str__(self):
text = '%s\n' % (self.name)
text += " RPM's: %s\n" % (','.join(self.get_rpm_names()))
text += " SO's: %s\n" % (','.join(self.sos.get_names()))
return text
def get_so_requires(self):
requires = get_so_requires(self.path)
needed = get_so_needed(self.path)
#print "%s requires=%s" % (self.name, requires)
#print "%s needed=%s" % (self.name, needed)
for so_name, so_path in requires.items():
if so_name not in needed: continue
if so_path:
so_prop = self.sos.register_path(so_path, so_name)
rpm_prop = rpms.register_path(so_prop.path)
rpm_prop.used_by[self.name] = 1
self.rpm_names.setdefault(rpm_prop.name, rpm_prop.name)
so_prop.rpm = rpm_prop
else:
so_prop = None
if verbose: print "found so='%s' %s" % (so_name, so_prop)
def register_so(self, so):
if debug: print "%s.register_so: so=%s" % (self.__class__.__name__, so)
self.sos.setdefault(so, so)
self.names.setdefault(so.name, so)
return so
def get_rpm_names(self):
rpm_names = self.rpm_names.keys()
rpm_names.sort()
return rpm_names
def get_sos(self):
sos = self.sos.keys()
sos.sort(lambda a,b: cmp(a.name, b.name))
return sos
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
opts, args = getopt.getopt(sys.argv[1:], "b:v", ['build=','verbose'])
for o, a in opts:
if o in ['-b', '--build']:
build = a
elif o in ['-v', '--verbose']:
verbose = True
else:
print >> sys.stderr, "Unknown arg: %s" % o
sys.exit(1)
root = root_template % build
modules = get_rlms(root)
module_paths = [os.path.join(root,x) for x in modules]
rpms = RPM_Collection()
lms = []
for module_path in module_paths[:]:
lm = LoadableModule(module_path)
lms.append(lm)
print "RLM Modules(%s): %s\n" % (len(modules), ','.join(modules))
for lm in lms:
rpm_names = [x for x in lm.get_rpm_names() if x not in exclude_rpms]
if rpm_names:
print lm.name
print ' %s' % (','.join(rpm_names))
print "--------------"
rpm_props = [x for x in rpms.names.values() if len(x.used_by) and x.name not in exclude_rpms]
rpm_props.sort(lambda a,b: cmp(a.name, b.name))
for rpm_prop in rpm_props:
used_by = rpm_prop.used_by.keys()
used_by.sort()
print "%s: %s" % (rpm_prop.name, ','.join(used_by))
print "--------------"
rpm_props.sort(lambda a,b: cmp(a.size, b.size))
for rpm_prop in rpm_props:
print '%10s %s' % (format_size(rpm_prop.size), rpm_prop.name)
print "--------------"
for lm in lms:
print lm

97
freeradius-Add-missing-option-descriptions.patch Normal file
View File

@ -0,0 +1,97 @@
From afb196b29606aafb5030e8c7ea414a4bd494cbc0 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 14 Sep 2018 12:20:11 +0300
Subject: [PATCH] man: Add missing option descriptions
---
man/man8/raddebug.8 | 4 ++++
man/man8/radiusd.8 | 7 +++++++
man/man8/radmin.8 | 4 ++++
3 files changed, 15 insertions(+)
diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8
index 66e80e64fa..6e27e2453c 100644
--- a/man/man8/raddebug.8
+++ b/man/man8/raddebug.8
@@ -7,6 +7,8 @@ raddebug - Display debugging output from a running server.
.IR condition ]
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-n
.IR name ]
.RB [ \-i
@@ -73,6 +75,8 @@ option is equivalent to using:
.IP "\-d \fIconfig directory\fP"
The radius configuration directory, usually /etc/raddb. See the
\fIradmin\fP manual page for more description of this option.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP "\-n \fImname\fP"
Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
.IP \-I\ \fIipv6-address\fP
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
index c825f22d0d..98aef5e1be 100644
--- a/man/man8/radiusd.8
+++ b/man/man8/radiusd.8
@@ -6,6 +6,8 @@ radiusd - Authentication, Authorization and Accounting server
.RB [ \-C ]
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-f ]
.RB [ \-h ]
.RB [ \-i
@@ -17,6 +19,7 @@ radiusd - Authentication, Authorization and Accounting server
.IR name ]
.RB [ \-p
.IR port ]
+.RB [ \-P ]
.RB [ \-s ]
.RB [ \-t ]
.RB [ \-v ]
@@ -55,6 +58,8 @@ configuration, and which modules are skipped, and therefore not checked.
.IP "\-d \fIconfig directory\fP"
Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
files such as the \fIdictionary\fP and the \fIusers\fP files.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP \-f
Do not fork, stay running as a foreground process.
.IP \-h
@@ -84,6 +89,8 @@ When this command-line option is given, all "listen" sections in
\fIradiusd.conf\fP are ignored.
This option MUST be used in conjunction with "-i".
+.IP "\-P
+Always write out PID, even with -f.
.IP \-s
Run in "single server" mode. The server normally runs with multiple
threads and/or processes, which can lower its response time to
diff --git a/man/man8/radmin.8 b/man/man8/radmin.8
index 5ecc963d81..5bf661fa71 100644
--- a/man/man8/radmin.8
+++ b/man/man8/radmin.8
@@ -5,6 +5,8 @@ radmin - FreeRADIUS Administration tool
.B radmin
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-e
.IR command ]
.RB [ \-E ]
@@ -34,6 +36,8 @@ The following command-line options are accepted by the program.
Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server
configuration files to find the "listen" section that defines the
control socket filename.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP "\-e \fIcommand\fP"
Run \fIcommand\fP and exit.
.IP \-E
--
2.18.0

60
freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch Normal file
View File

@ -0,0 +1,60 @@
From 958f470cda2ba8943f02f13d1b46f357f92d9639 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 8 Sep 2014 12:32:13 +0300
Subject: [PATCH] Adjust configuration to fit Red Hat specifics
---
raddb/mods-available/eap | 4 ++--
raddb/radiusd.conf.in | 7 +++----
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 2621e183c..94494b2c6 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -533,7 +533,7 @@
# You should also delete all of the files
# in the directory when the server starts.
#
- # tmpdir = /tmp/radiusd
+ # tmpdir = /var/run/radiusd/tmp
# The command used to verify the client cert.
# We recommend using the OpenSSL command-line
@@ -548,7 +548,7 @@
# deleted by the server when the command
# returns.
#
- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
}
# OCSP Configuration
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index a83c1f687..e500cf97b 100644
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -70,8 +70,7 @@ certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
+db_dir = ${localstatedir}/lib/radiusd
#
# libdir: Where to find the rlm_* modules.
@@ -398,8 +397,8 @@ security {
# member. This can allow for some finer-grained access
# controls.
#
-# user = radius
-# group = radius
+ user = radiusd
+ group = radiusd
# Core dumps are a bad thing. This should only be set to
# 'yes' if you're debugging a problem with the server.
--
2.13.2

68
freeradius-OpenSSL-HMAC-MD5.patch Normal file
View File

@ -0,0 +1,68 @@
From b93796b1890b35a0922bfba9cd08e8a1a5f956cf Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Sep 2018 09:54:46 -0400
Subject: [PATCH 1/2] Replace HMAC-MD5 implementation with OpenSSL's
If OpenSSL EVP is not found, fallback to internal implementation of
HMAC-MD5.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/hmacmd5.c | 34 +++++++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/lib/hmacmd5.c b/src/lib/hmacmd5.c
index 2c662ff368..1cca00fa2a 100644
--- a/src/lib/hmacmd5.c
+++ b/src/lib/hmacmd5.c
@@ -27,10 +27,41 @@
RCSID("$Id: 2c662ff368e46556edd2cfdf408bd0fca0ab5f18 $")
+#ifdef HAVE_OPENSSL_EVP_H
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#endif
+
#include <freeradius-devel/libradius.h>
#include <freeradius-devel/md5.h>
-/** Calculate HMAC using MD5
+#ifdef HAVE_OPENSSL_EVP_H
+/** Calculate HMAC using OpenSSL's MD5 implementation
+ *
+ * @param digest Caller digest to be filled in.
+ * @param text Pointer to data stream.
+ * @param text_len length of data stream.
+ * @param key Pointer to authentication key.
+ * @param key_len Length of authentication key.
+ *
+ */
+void fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
+ uint8_t const *key, size_t key_len)
+{
+ HMAC_CTX *ctx = HMAC_CTX_new();
+
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* Since MD5 is not allowed by FIPS, explicitly allow it. */
+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif /* EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */
+
+ HMAC_Init_ex(ctx, key, key_len, EVP_md5(), NULL);
+ HMAC_Update(ctx, text, text_len);
+ HMAC_Final(ctx, digest, NULL);
+ HMAC_CTX_free(ctx);
+}
+#else
+/** Calculate HMAC using internal MD5 implementation
*
* @param digest Caller digest to be filled in.
* @param text Pointer to data stream.
@@ -101,6 +132,7 @@
* hash */
fr_md5_final(digest, &context); /* finish up 2nd pass */
}
+#endif /* HAVE_OPENSSL_EVP_H */
/*
Test Vectors (Trailing '\0' of a character string not included in test):

73
freeradius-OpenSSL-HMAC-SHA1.patch Normal file
View File

@ -0,0 +1,73 @@
From 91f663ce1b46ecd99399023ad539f158419272e7 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Sep 2018 11:03:52 -0400
Subject: [PATCH 2/2] Replace HMAC-SHA1 implementation with OpenSSL's
If OpenSSL EVP is not found, fallback to internal implementation of
HMAC-SHA1.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/hmacsha1.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/src/lib/hmacsha1.c b/src/lib/hmacsha1.c
index c3cbd87a2c..211470ea35 100644
--- a/src/lib/hmacsha1.c
+++ b/src/lib/hmacsha1.c
@@ -10,13 +10,19 @@
RCSID("$Id: c3cbd87a2c13c47da93fdb1bdfbf6da4c22aaac5 $")
+#ifdef HAVE_OPENSSL_EVP_H
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#endif
+
#include <freeradius-devel/libradius.h>
#ifdef HMAC_SHA1_DATA_PROBLEMS
unsigned int sha1_data_problems = 0;
#endif
-/** Calculate HMAC using SHA1
+#ifdef HAVE_OPENSSL_EVP_H
+/** Calculate HMAC using OpenSSL's SHA1 implementation
*
* @param digest Caller digest to be filled in.
* @param text Pointer to data stream.
@@ -28,6 +34,26 @@
void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
uint8_t const *key, size_t key_len)
{
+ HMAC_CTX *ctx = HMAC_CTX_new();
+ HMAC_Init_ex(ctx, key, key_len, EVP_sha1(), NULL);
+ HMAC_Update(ctx, text, text_len);
+ HMAC_Final(ctx, digest, NULL);
+ HMAC_CTX_free(ctx);
+}
+
+#else
+
+/** Calculate HMAC using internal SHA1 implementation
+ *
+ * @param digest Caller digest to be filled in.
+ * @param text Pointer to data stream.
+ * @param text_len length of data stream.
+ * @param key Pointer to authentication key.
+ * @param key_len Length of authentication key.
+ */
+void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
+ uint8_t const *key, size_t key_len)
+{
fr_sha1_ctx context;
uint8_t k_ipad[65]; /* inner padding - key XORd with ipad */
uint8_t k_opad[65]; /* outer padding - key XORd with opad */
@@ -142,6 +168,7 @@
}
#endif
}
+#endif /* HAVE_OPENSSL_EVP_H */
/*
Test Vectors (Trailing '\0' of a character string not included in test):

86
freeradius-Use-system-crypto-policy-by-default.patch Normal file
View File

@ -0,0 +1,86 @@
From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 8 May 2019 10:16:31 -0400
Subject: [PATCH] Use system-provided crypto-policies by default
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/mods-available/eap | 4 ++--
raddb/mods-available/inner-eap | 2 +-
raddb/sites-available/abfab-tls | 2 +-
raddb/sites-available/tls | 4 ++--
4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 36849e10f2..b28c0f19c6 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -368,7 +368,7 @@ eap {
#
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
#
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
@@ -912,7 +912,7 @@ eap {
# Note - for OpenSSL 1.1.0 and above you may need
# to add ":@SECLEVEL=0"
#
- # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
+ # cipher_list = "PROFILE=SYSTEM"
# PAC lifetime in seconds (default: seven days)
#
diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
index 576eb7739e..ffa07188e2 100644
--- a/raddb/mods-available/inner-eap
+++ b/raddb/mods-available/inner-eap
@@ -77,7 +77,7 @@ eap inner-eap {
# certificates. If so, edit this file.
ca_file = ${cadir}/ca.pem
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# You may want to set a very small fragment size.
# The TLS data here needs to go inside of the
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
index 92f1d6330e..cd69b3905a 100644
--- a/raddb/sites-available/abfab-tls
+++ b/raddb/sites-available/abfab-tls
@@ -19,7 +19,7 @@ listen {
dh_file = ${certdir}/dh
fragment_size = 8192
ca_path = ${cadir}
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
cache {
enable = no
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index bbc761b1c5..83cd35b851 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -215,7 +215,7 @@ listen {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
@@ -517,7 +517,7 @@ home_server tls {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
}
}
--
2.21.0

21
freeradius-autogen.sh Executable file
View File

@ -0,0 +1,21 @@
#!/bin/sh -e
parentdir=`dirname $0`
cd $parentdir
parentdir=`pwd`
libtoolize -f -c
#aclocal
autoheader
autoconf
mysubdirs="$mysubdirs `find src/modules/ -name configure -print | sed 's%/configure%%'`"
mysubdirs=`echo $mysubdirs`
for F in $mysubdirs
do
echo "Configuring in $F..."
(cd $F && grep "^AC_CONFIG_HEADER" configure.in > /dev/null && autoheader -I$parentdir)
(cd $F && autoconf -I$parentdir)
done

89
freeradius-bootstrap-create-only.patch Normal file
View File

@ -0,0 +1,89 @@
From acaf4be8e301a01041acba189194d9502994611d Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 13 May 2020 10:01:47 -0400
Subject: [PATCH] Don't clobber existing files on bootstrap
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/certs/bootstrap | 31 +++++++++++++++----------------
1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index ede09bc..e555491 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -20,56 +20,55 @@ cd `dirname $0`
# Don't edit the following text. Instead, edit the Makefile, and
# re-generate these commands.
#
-if [ ! -f dh ]; then
+if [ ! -e dh ]; then
openssl dhparam -out dh 2048 || exit 1
- if [ -e /dev/urandom ] ; then
- ln -sf /dev/urandom random
- else
- date > ./random;
- fi
+ ln -sf /dev/urandom random
fi
-if [ ! -f server.key ]; then
+if [ ! -e server.key ]; then
openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
chmod g+r server.key
fi
-if [ ! -f ca.key ]; then
+if [ ! -e ca.key ]; then
openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
fi
-if [ ! -f index.txt ]; then
+if [ ! -e index.txt ]; then
touch index.txt
fi
-if [ ! -f serial ]; then
+if [ ! -e serial ]; then
echo '01' > serial
fi
-if [ ! -f server.crt ]; then
+if [ ! -e server.crt ]; then
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
fi
-if [ ! -f server.p12 ]; then
+if [ ! -e server.p12 ]; then
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
chmod g+r server.p12
fi
-if [ ! -f server.pem ]; then
+if [ ! -e server.pem ]; then
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
openssl verify -CAfile ca.pem server.pem || exit 1
chmod g+r server.pem
fi
-if [ ! -f ca.der ]; then
+if [ ! -e ca.der ]; then
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
fi
-if [ ! -f client.key ]; then
+if [ ! -e client.key ]; then
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
chmod g+r client.key
fi
-if [ ! -f client.crt ]; then
+if [ ! -e client.crt ]; then
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
fi
+
+chown root:radiusd dh ca.* client.* server.*
+chmod 640 dh ca.* client.* server.*
--
2.26.2

29
freeradius-bootstrap-make-permissions.patch Normal file
View File

@ -0,0 +1,29 @@
From ea164ceafa05f96079204a3f0ae379e46e64a455 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 4 Aug 2020 10:08:15 -0400
Subject: [PATCH] Fix permissions after generating certificates with make
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/certs/bootstrap | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 336a2bd..9920ecf 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -21,7 +21,10 @@ make -h > /dev/null 2>&1
#
if [ "$?" = "0" ]; then
make all
- exit $?
+ ret=$?
+ chown root:radiusd dh ca.* client.* server.*
+ chmod 640 dh ca.* client.* server.*
+ exit $ret
fi
#
--
2.26.2

56
freeradius-logrotate Normal file
View File

@ -0,0 +1,56 @@
# You can use this to rotate the /var/log/radius/* files, simply copy
# it to /etc/logrotate.d/radiusd
# There are different detail-rotating strategies you can use. One is
# to write to a single detail file per IP and use the rotate config
# below. Another is to write to a daily detail file per IP with:
# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
# (or similar) in radiusd.conf, without rotation. If you go with the
# second technique, you will need another cron job that removes old
# detail files. You do not need to comment out the below for method #2.
/var/log/radius/radacct/*/detail {
monthly
rotate 4
nocreate
missingok
compress
su radiusd radiusd
}
/var/log/radius/checkrad.log {
monthly
rotate 4
create
missingok
compress
su radiusd radiusd
}
/var/log/radius/radius.log {
monthly
rotate 4
create
missingok
compress
su radiusd radiusd
postrotate
/usr/bin/systemctl reload-or-try-restart radiusd
endscript
}
/var/log/radius/radwtmp {
monthly
rotate 4
create
compress
missingok
su radiusd radiusd
}
/var/log/radius/sqltrace.sql {
monthly
rotate 4
create
compress
missingok
su radiusd radiusd
}

94
freeradius-man-Fix-some-typos.patch Normal file
View File

@ -0,0 +1,94 @@
From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 14 Sep 2018 11:53:28 +0300
Subject: [PATCH] man: Fix some typos
---
man/man5/radrelay.conf.5 | 2 +-
man/man5/rlm_files.5 | 2 +-
man/man5/unlang.5 | 8 ++++----
man/man8/radrelay.8 | 2 +-
4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/man/man5/radrelay.conf.5 b/man/man5/radrelay.conf.5
index 5fb38bfc4e..e3e665024b 100644
--- a/man/man5/radrelay.conf.5
+++ b/man/man5/radrelay.conf.5
@@ -26,7 +26,7 @@ Many sites run multiple radius servers; at least one primary and one
backup server. When the primary goes down, most NASes detect that and
switch to the backup server.
-That will cause your accounting packets to go the the backup server -
+That will cause your accounting packets to go to the backup server -
and some NASes don't even switch back to the primary server when it
comes back up.
diff --git a/man/man5/rlm_files.5 b/man/man5/rlm_files.5
index bfee5030ff..52f4734ae3 100644
--- a/man/man5/rlm_files.5
+++ b/man/man5/rlm_files.5
@@ -48,7 +48,7 @@ This configuration entry enables you to have configurations that
perform per-group checks, and return per-group attributes, where the
group membership is dynamically defined by a previous module. It also
lets you do things like key off of attributes in the reply, and
-express policies like like "when I send replies containing attribute
+express policies like "when I send replies containing attribute
FOO with value BAR, do more checks, and maybe send additional
attributes".
.SH CONFIGURATION
diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
index 76db8f2d1c..12fe7855b2 100644
--- a/man/man5/unlang.5
+++ b/man/man5/unlang.5
@@ -36,7 +36,7 @@ the pre-defined keywords here.
Subject to a few limitations described below, any keyword can appear
in any context. The language consists of a series of entries, each
-one one line. Each entry begins with a keyword. Entries are
+one line. Each entry begins with a keyword. Entries are
organized into lists. Processing of the language is line by line,
from the start of the list to the end. Actions are executed
per-keyword.
@@ -131,7 +131,7 @@ expanded as described in the DATA TYPES section, below. The match is
then performed on the string returned from the expansion. If the
argument is an attribute reference (e.g. &User-Name), then the match
is performed on the value of that attribute. Otherwise, the argument
-is taken to be a literal string, and and matching is done via simple
+is taken to be a literal string, and matching is done via simple
comparison.
No statement other than "case" can appear in a "switch" block.
@@ -155,7 +155,7 @@ expanded as described in the DATA TYPES section, below. The match is
then performed on the string returned from the expansion. If the
argument is an attribute reference (e.g. &User-Name), then the match
is performed on the value of that attribute. Otherwise, the argument
-is taken to be a literal string, and and matching is done via simple
+is taken to be a literal string, and matching is done via simple
comparison.
.DS
@@ -799,7 +799,7 @@ regular expression. If no attribute matches, nothing else is done.
The value can be an attribute reference, or an attribute-specific
string.
-When the value is an an attribute reference, it must take the form of
+When the value is an attribute reference, it must take the form of
"&Attribute-Name". The leading "&" signifies that the value is a
reference. The "Attribute-Name" is an attribute name, such as
"User-Name" or "request:User-Name". When an attribute reference is
diff --git a/man/man8/radrelay.8 b/man/man8/radrelay.8
index fdba6995d5..99e65732a2 100644
--- a/man/man8/radrelay.8
+++ b/man/man8/radrelay.8
@@ -13,7 +13,7 @@ Many sites run multiple radius servers; at least one primary and one
backup server. When the primary goes down, most NASes detect that and
switch to the backup server.
-That will cause your accounting packets to go the the backup server -
+That will cause your accounting packets to go to the backup server -
and some NASes don't even switch back to the primary server when it
comes back up.
--
2.18.0

104
freeradius-no-buildtime-cert-gen.patch Normal file
View File

@ -0,0 +1,104 @@
From e6f7c9d4c2af1cda7760ca8155166bb5d4d541d0 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 8 May 2019 12:58:02 -0400
Subject: [PATCH] Don't generate certificates in reproducible builds
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
Make.inc.in | 5 +++++
configure | 4 ++++
configure.ac | 3 +++
raddb/all.mk | 4 ++++
4 files changed, 16 insertions(+)
diff --git a/Make.inc.in b/Make.inc.in
index 0b2cd74de8..8c623cf95c 100644
--- a/Make.inc.in
+++ b/Make.inc.in
@@ -173,3 +173,8 @@ else
TESTBINDIR = ./$(BUILD_DIR)/bin
TESTBIN = ./$(BUILD_DIR)/bin
endif
+
+#
+# With reproducible builds, do not generate certificates during installation
+#
+ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
diff --git a/configure b/configure
index c2c599c92b..3d4403a844 100755
--- a/configure
+++ b/configure
@@ -655,6 +655,7 @@ RUSERS
SNMPWALK
SNMPGET
PERL
+ENABLE_REPRODUCIBLE_BUILDS
openssl_version_check_config
WITH_DHCP
modconfdir
@@ -5586,6 +5587,7 @@ else
fi
+ENABLE_REPRODUCIBLE_BUILDS=yes
# Check whether --enable-reproducible-builds was given.
if test "${enable_reproducible_builds+set}" = set; then :
enableval=$enable_reproducible_builds; case "$enableval" in
@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
;;
*)
reproducible_builds=no
+ ENABLE_REPRODUCIBLE_BUILDS=no
esac
fi
@@ -5604,6 +5607,7 @@ fi
+
CHECKRAD=checkrad
# Extract the first word of "perl", so it can be a program name with args.
set dummy perl; ac_word=$2
diff --git a/configure.ac b/configure.ac
index a7abf0025a..35b013f4af 100644
--- a/configure.ac
+++ b/configure.ac
@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config])
dnl #
dnl # extra argument: --enable-reproducible-builds
dnl #
+ENABLE_REPRODUCIBLE_BUILDS=yes
AC_ARG_ENABLE(reproducible-builds,
[AS_HELP_STRING([--enable-reproducible-builds],
[ensure the build does not change each time])],
@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds,
;;
*)
reproducible_builds=no
+ ENABLE_REPRODUCIBLE_BUILDS=no
esac ]
)
+AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
dnl #############################################################
diff --git a/raddb/all.mk b/raddb/all.mk
index c966edd657..c8e976a499 100644
--- a/raddb/all.mk
+++ b/raddb/all.mk
@@ -124,7 +124,11 @@ $(R)$(raddbdir)/users: $(R)$(modconfdir)/files/authorize
ifneq "$(LOCAL_CERT_PRODUCTS)" ""
$(LOCAL_CERT_PRODUCTS):
@echo BOOTSTRAP raddb/certs/
+ifeq "$(ENABLE_REPRODUCIBLE_BUILDS)" "yes"
+ @$(MAKE) -C $(R)$(raddbdir)/certs/ passwords.mk
+else
@$(MAKE) -C $(R)$(raddbdir)/certs/
+endif
# Bootstrap is special
$(R)$(raddbdir)/certs/bootstrap: | raddb/certs/bootstrap $(LOCAL_CERT_PRODUCTS)
--
2.21.0

6
freeradius-pam-conf Normal file
View File

@ -0,0 +1,6 @@
#%PAM-1.0
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session include password-auth

64
freeradius-python2-shebangs.patch Normal file
View File

@ -0,0 +1,64 @@
From b8a6ac05977845851f02151ca35c3a51e88bd534 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Thu, 18 Oct 2018 12:40:53 -0400
Subject: [PATCH] Clarify shebangs to be python2
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
scripts/radtee | 2 +-
src/modules/rlm_python/example.py | 2 +-
src/modules/rlm_python/prepaid.py | 2 +-
src/modules/rlm_python/radiusd.py | 2 +-
src/modules/rlm_python/radiusd_test.py | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/scripts/radtee b/scripts/radtee
index 123769d244..78b4bcbe0b 100755
--- a/scripts/radtee
+++ b/scripts/radtee
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python2
from __future__ import with_statement
# RADIUS comparison tee v1.0
diff --git a/src/modules/rlm_python/example.py b/src/modules/rlm_python/example.py
index 5950a07678..eaf456e349 100644
--- a/src/modules/rlm_python/example.py
+++ b/src/modules/rlm_python/example.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Python module example file
# Miguel A.L. Paraz <mparaz@mparaz.com>
diff --git a/src/modules/rlm_python/prepaid.py b/src/modules/rlm_python/prepaid.py
index c3cbf57b8f..3b1dc2e2e8 100644
--- a/src/modules/rlm_python/prepaid.py
+++ b/src/modules/rlm_python/prepaid.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Example Python module for prepaid usage using MySQL
diff --git a/src/modules/rlm_python/radiusd.py b/src/modules/rlm_python/radiusd.py
index c535bb3caf..7129923994 100644
--- a/src/modules/rlm_python/radiusd.py
+++ b/src/modules/rlm_python/radiusd.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Definitions for RADIUS programs
#
diff --git a/src/modules/rlm_python/radiusd_test.py b/src/modules/rlm_python/radiusd_test.py
index 13b7128b29..97b5b64f08 100644
--- a/src/modules/rlm_python/radiusd_test.py
+++ b/src/modules/rlm_python/radiusd_test.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Python module test
# Miguel A.L. Paraz <mparaz@mparaz.com>

113
freeradius-radiusd-init Normal file
View File

@ -0,0 +1,113 @@
#!/bin/sh
#
# radiusd Start/Stop the FreeRADIUS daemon
#
# chkconfig: - 88 10
# description: Extensible, configurable, high performance RADIUS server.
### BEGIN INIT INFO
# Provides: radiusd
# Required-Start: $network
# Required-Stop:
# Default-Start:
# Default-Stop:
# Should-Start: $time $syslog mysql ldap postgresql samba krb5-kdc
# Should-Stop:
# Short-Description: FreeRADIUS server
# Description: Extensible, configurable, high performance RADIUS server.
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
prog=radiusd
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
exec=${exec:=/usr/sbin/$prog}
config_dir=${config_dir:=/etc/raddb}
config=${config:=$config_dir/radiusd.conf}
pidfile=${pidfile:=/var/run/$prog/$prog.pid}
lockfile=${lockfile:=/var/lock/subsys/radiusd}
start() {
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
echo -n $"Starting $prog: "
daemon --pidfile $pidfile $exec -d $config_dir
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
killproc -p $pidfile $prog
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}
restart() {
stop
start
}
reload() {
# radiusd may not be capable of a 100% configuration reload depending
# on which loadable modules are in use, if sending the server a
# HUP is not sufficient then use restart here instead. However, we
# prefer by default to use HUP since it's what is usually desired.
#
# restart
kill -HUP `pidofproc -p $pidfile $prog`
}
force_reload() {
restart
}
rh_status() {
# run checks to determine if the service is running or use generic status
status -p $pidfile $prog
}
rh_status_q() {
rh_status >/dev/null 2>&1
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 2
esac
exit $?

1
freeradius-tmpfiles.conf Normal file
View File

@ -0,0 +1 @@
D /run/radiusd 0710 radiusd radiusd -

2450
freeradius.spec Normal file
View File

File diff suppressed because it is too large Load Diff

16
radiusd.service Normal file
View File

@ -0,0 +1,16 @@
[Unit]
Description=FreeRADIUS high performance RADIUS server.
After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service mysql.service mariadb.service postgresql.service
[Service]
Type=forking
PIDFile=/var/run/radiusd/radiusd.pid
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap
ExecStartPre=/usr/sbin/radiusd -C
ExecStart=/usr/sbin/radiusd -d /etc/raddb
ExecReload=/usr/sbin/radiusd -C
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (freeradius-server-3.0.21.tar.bz2) = 18cc142caad2143e30bc54242e3824b5f659f2f6e8f3401c71ce3b9063de0bd8d206d84822c4ad1d99457dfd7121333d4accd0c8340fcfc6b33b8fbe24a31729

36
tests/auth-tests/Makefile Normal file
View File

@ -0,0 +1,36 @@
# SPDX-License-Identifier: LGPL-2.1+
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/freeradius
# Description: Test if freeradius authentication workd ok
# Author: Susant Sahani<susant@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/freeradius
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Susant Sahani<susant@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test if the ABI hasn't changed" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: freeradius" >> $(METADATA)
@echo "Requires: freeradius" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -Fedora 28" >> $(METADATA)
rhts-lint $(METADATA)

3
tests/auth-tests/PURPOSE Normal file
View File

@ -0,0 +1,3 @@
PURPOSE of /CoreOS/freeradius
Description: tests for freeradius
Author: Susant Sahani<susant@redhat.com>

2
tests/auth-tests/authorize Normal file
View File

@ -0,0 +1,2 @@
fedora-ci Cleartext-Password := "password"
Reply-Message = "Hello, %{User-Name}"

6
tests/auth-tests/clients.conf Normal file
View File

@ -0,0 +1,6 @@
client localhost {
ipaddr = 127.0.0.1
secret = testing123
require_message_authenticator = no
nastype = other
}

68
tests/auth-tests/freeradius-tests.py Executable file
View File

@ -0,0 +1,68 @@
#!/usr/bin/env python3
# SPDX-License-Identifier: LGPL-2.1+
# ~~~
# Description: Tests for freeradius
#
# Author: Susant Sahani <susant@redhat.com>
# Copyright (c) 2018 Red Hat, Inc.
# ~~~
import errno
import os
import sys
import time
import unittest
import subprocess
import signal
import shutil
import psutil
import socket
RADIUSD_PID_FILE='/var/run/radiusd/radiusd.pid'
def setUpModule():
"""Initialize the environment, and perform sanity checks on it."""
if shutil.which('radiusd') is None:
raise OSError(errno.ENOENT, 'radiusd not found')
if shutil.which('radtest') is None:
raise OSError(errno.ENOENT, 'radtest not found')
if subprocess.call(['systemctl', 'is-active', '--quiet',
'radiusd.service']) == 0:
raise unittest.SkipTest('radiusd.service is already active')
def tearDownModule():
pass
class GenericUtilities():
"""Provide a set of utility functions start stop daemons. write config files etc """
def StartRadiusServer(self):
"""Start radiusd"""
subprocess.check_output(['systemctl', 'start', 'radiusd'])
def StopRadiusServer(self):
"""stop radiusd"""
subprocess.check_output(['systemctl', 'stop', 'radiusd'])
class RadiousTests(unittest.TestCase, GenericUtilities):
def setUp(self):
self.StartRadiusServer()
def tearDown(self):
self.StopRadiusServer()
def test_radius_plaintext_auth(self):
time.sleep(1)
output=subprocess.check_output(['radtest', 'fedora-ci', 'password', '127.0.0.1', '100', 'testing123']).rstrip().decode('utf-8')
print(output)
self.assertRegex(output, "Received Access-Accept")
self.assertRegex(output, "Reply-Message = \"Hello, fedora-ci\"")
if __name__ == '__main__':
unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout,
verbosity=3))

49
tests/auth-tests/runtest.sh Executable file
View File

@ -0,0 +1,49 @@
#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1+
# ~~~
# runtest.sh of freeradius
# Description: RADIUS server
#
# Author: Susant Sahani <susant@redhat.com>
# Copyright (c) 2018 Red Hat, Inc.
# ~~~
# Include Beaker environment
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="freeradius"
RADIUS_CLIENT_CONF="/etc/raddb/clients.conf"
RADIUD_PALIN_TEXT_AUTH_FILE="/etc/raddb/mods-config/files/authorize"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "systemctl stop firewalld" 0,5
rlRun "systemctl stop radiusd.service"
rlRun "setenforce 0"
rlFileBackup "$RADIUS_CLIENT_CONF"
rlFileBackup "$RADIUD_PALIN_TEXT_AUTH_FILE"
rlRun "cp freeradius-tests.py /usr/bin/"
rlRun "cp clients.conf $RADIUS_CLIENT_CONF"
rlRun "cp authorize $RADIUD_PALIN_TEXT_AUTH_FILE"
rlRun "systemctl daemon-reload"
rlPhaseEnd
rlPhaseStartTest
rlLog "Starting radius auth tests ..."
rlRun "/usr/bin/python3 /usr/bin/freeradius-tests.py"
rlPhaseEnd
rlPhaseStartCleanup
rlRun "rm /usr/bin/freeradius-tests.py"
rlRun "systemctl start firewalld" 0,5
rlRun "setenforce 1"
rlFileRestore
rlLog "freeradius tests done"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
rlGetTestState

12
tests/tests.yml Normal file
View File

@ -0,0 +1,12 @@
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- classic
tests:
- auth-tests
required_packages:
- python3
- systemd
- freeradius
- freeradius-utils