Commit Graph

32 Commits

Author SHA1 Message Date
Antonio Torres
15c420485a
Fix crash when verifying client certificate
A crash would occur when verifying a client certificate when a
certificate chain with two or more intermediate certificates is used.

Resolves: #2183447
Signed-off-by: Antonio Torres <antorres@redhat.com>
2023-05-22 13:37:46 +02:00
Antonio Torres
5c14283a0b
Fix defect found by Covscan
Fix 'warning[-Wmaybe-uninitialized]: 'eapsim_attribute' may be used
uninitialized in this function' by reading directly the attribute list
instead of the uninitialized variable.

Resolves: #2151705
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-12-14 14:46:55 +01:00
Antonio Torres
b29a675c94
Fix CVEs 2022-41860, 2022-41859, 2022-41861
Backport multiple changes to fix the mentioned CVEs.

Resolves: #2151705
Resolves: #2151703
Resolves: #2151707
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-12-09 14:45:07 +01:00
Antonio Torres
17ab6cb88f
Rebuild to add subpackages to CRB repository
Some subpackages have been added to CRB repository, we need to rebuild
so that these are added to nightly.

Resolves: #2126380
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-09-16 10:41:32 +02:00
Antonio Torres
d0f786d63c
Use 95 as GID/UID as it's reserved for FreeRADIUS
95 can be used as GID/UID as it's already reserved for us: https://pagure.io/setup/blob/07f8debf03dfb0e5ed36051c13c86c8cd00cd241/f/uidgid#_107

Resolves: #2095403
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-06-29 14:00:45 +02:00
Antonio Torres
a45a010a91
Dynamically allocate users using sysusers.d format
Resolves: #2095403
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-06-24 16:00:24 +02:00
Antonio Torres
a9061bf663
Add WITH_FIPS macro to CFLAGS
We need this flag added to CFLAGS in order for FreeRADIUS to run under a
system in FIPS mode.

Resolves: 2083699
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-05-30 18:58:12 +02:00
Antonio Torres
d83b583a42
Fix segfault when trying to access MD4 and MD5 in a FIPS system
This updates the OpenSSL 3.0 backport patch to current 3.0.x branch
state, which includes fixes for accessing MD4 and MD5 algorithms when
the system is in FIPS mode.

Resolves: #2083699
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-05-24 13:00:27 +02:00
Antonio Torres
d1def95634
Add openssl-perl dependency
We need openssl-perl in order to have 'make verify' working correctly on
the certs directory.

Resolves: #2078816
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-05-10 17:21:28 +02:00
Antonio Torres
ef9abe8892
Set correct permissions for certificates generated by bootstrap Makefile
While certificates have correct permissions set if generated through
bootstrap script, they don't if they are generated using "make"
directly. With this change certificate permissions are set to 640 and
ownership to root:radiusd.

Resolves: #2069224
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-04-29 13:04:53 +02:00
Antonio Torres
9ac9146445
bootstrap: pass -noenc to cert generation on script as well
Commit cb13e66776 added this change to
certificate Makefile, change it on base script as well for consistency.

Resolves: #2069224
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-04-25 18:25:16 +02:00
Antonio Torres
cb13e66776
bootstrap: pass -noenc to certificate generation
Bootstrap script would fail to generate certificates if run on systems
with FIPS enabled. By passing the -noenc option, we can skip the usage
of unsupported algorithms on these systems.

Related: rhbz#2069224
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-04-22 13:01:55 +02:00
Antonio Torres
6ae4cff33f
Add tmpfiles.d entry for /run/radiusd/tmp
This was causing a failure when running rpm --verify.

Related: rhbz#2047972
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-01-31 13:48:32 +01:00
Antonio Torres
4f6ca3e9cc
ldap: use infinite timeout when using TLS to connect
Using an infinite timeout will make libldap use blocking thread for
establishing the TLS connection both when using StartTLS and when using
LDAPS. This leaves the LDAP_OPT_NETWORK_TIMEOUT to its
default (-1) when using TLS connection.

Related: rhbz#1992551
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-01-30 19:50:59 +01:00
Antonio Torres
39a61df66f Avoid segfault when trying to use MD4 with legacy provider disabled
OpenSSL legacy provider should be enabled in order to use MD4 algorithm.

Related: #1978216
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-01-13 14:08:53 +01:00
Antonio Torres
76fc6be83c Backport OpenSSL3 fixes
Backport TLS and OpenSSL3 fixes that will be included in FR 3.0.26.

Resolves: #1978216
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-01-11 19:56:28 +01:00
Antonio Torres
e0e1728663 ldap module: retry on initial connection
LDAP library returns a partially open handle for connection. Retrying
connection on module instantiation helps to successfully connect
using this partially open handle.

Resolves: #1992551
2021-10-19 17:07:10 +02:00
Antonio Torres
d32a01afd5 Move systemd unit PIDFile from /var/run to /run
Resolves: #2006368
Signed-off-by: Antonio Torres <antorres@redhat.com>
2021-09-27 13:55:25 +02:00
Antonio Torres
f5fe0a6077 Rebuild to pick up new build flags from redhat-rpm-config
Related: rhbz#1984652
Signed-off-by: Antonio Torres <antorres@redhat.com>
2021-08-19 13:23:52 +02:00
Antonio Torres
e4a59ecad7 Bump release number
Bump release number to account for latest changes in test script from
commit c1e0756a09.

Related: rhbz#1990392
Signed-off-by: Antonio Torres <antorres@redhat.com>
2021-08-12 17:10:02 +02:00
Mohan Boddu
2fdb77fa9e Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-09 20:04:41 +00:00
Antonio Torres
eda4f33e98 Ignore badfuncs error in rpminspect
Usage of the inet_addr function triggers the badfuncs check in
rpminspect. Since this is already fixed upstream, it is safe for us to
ignore this error.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1986972
Signed-off-by: Antonio Torres <antorres@redhat.com>
2021-08-03 16:35:32 +02:00
Antonio Torres
e8749e86e7 Remove RPATH usage
RPATH usage is not allowed by rpminspect, so workaround it by removing
the rpath usage and adding the config file for ld.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1986968
Signed-off-by: Antonio Torres <antorres@redhat.com>
2021-08-03 15:47:39 +02:00
Antonio Torres
c204840130 Fix coredump not being able to be enabled
Fix resource hard limit being set to zero, since it made it impossible
to reset the limit to a higher value.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1977722
Signed-off-by: Antonio Torres <antorres@redhat.com>
2021-07-19 14:05:50 +02:00
Antonio Torres
bb40eedac8 Update release number and changelog
Update release number and changelog to contain latest changes.

Signed-off-by: Antonio Torres <antorres@redhat.com>
2021-06-30 10:12:01 +00:00
Antonio Torres
8f2d2c4e12 Fix python3 not being correctly linked
Since Python 3.8, there is a new way to link against libpython:
https://docs.python.org/3/whatsnew/3.8.html#debug-build-uses-the-same-abi-as-release-build

Resolves: #1948622
Signed-off-by: Antonio Torres <antorres@redhat.com>
2021-06-30 11:41:19 +02:00
Mohan Boddu
c4f13d4c66 Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-06-16 03:24:46 +00:00
Mohan Boddu
9def94b06b - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-04-15 23:23:50 +00:00
Robbie Harwood
d8cc2ba738 Manual merge with Fedora
Update to cabc34e05a
2021-03-10 17:54:54 -05:00
DistroBaker
b76c67e377 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/freeradius.git#8f248db2e6739c6c401812c544cd4e08ecdd522a
2021-02-09 10:45:07 +00:00
DistroBaker
2245a5e5b3 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/freeradius.git#e2ccd9913fac41fcd0d51d4478068677f21d778e
2021-02-03 14:42:04 +01:00
Petr Šabata
f758b68708 RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/freeradius#2898c9222beb70cb2dc4d5db7f5a37f6988530bc
2020-10-15 00:34:59 +02:00