Compare commits
No commits in common. "c10s" and "c8-stream-3.0" have entirely different histories.
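--- a/.freeradius.metadata
+++ b/.freeradius.metadata
@@ -0,0 +1 @@
+3dd0e18fa04aff410876309e4322313b700db2b7 SOURCES/freeradius-server-3.0.20.tar.bz2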
46
.gitignore
vendored
@ -1,45 +1 @@
|
|||||||
# Ignore build artifacts and signatures
|
SOURCES/freeradius-server-3.0.20.tar.bz2
|
||||||
*.sig
|
|
||||||
.build*.log
|
|
||||||
freeradius-server-*/
|
|
||||||
x86_64/
|
|
||||||
freeradius-*.src.rpm
|
|
||||||
|
|
||||||
# Automatically added
|
|
||||||
/freeradius-server-2.1.9.tar.bz2
|
|
||||||
/freeradius-server-2.1.10.tar.bz2
|
|
||||||
/freeradius-server-2.1.11.tar.bz2
|
|
||||||
/freeradius-server-2.1.12.tar.bz2
|
|
||||||
/freeradius-server-2.2.0.tar.bz2
|
|
||||||
/freeradius-server-release_3_0_0_rc0.tar.gz
|
|
||||||
/freeradius-server-release_3_0_0_rc1.tar.gz
|
|
||||||
/freeradius-server-3.0.0.tar.bz2
|
|
||||||
/freeradius-server-3.0.1.tar.bz2
|
|
||||||
/freeradius-server-3.0.2.tar.bz2
|
|
||||||
/freeradius-server-3.0.3.tar.bz2
|
|
||||||
/freeradius-server-3.0.4rc2.tar.bz2
|
|
||||||
/freeradius-server-3.0.4.tar.bz2
|
|
||||||
/freeradius-server-3.0.7.tar.bz2
|
|
||||||
/freeradius-server-3.0.8.tar.bz2
|
|
||||||
/freeradius-server-3.0.9.tar.bz2
|
|
||||||
/freeradius-server-3.0.10.tar.bz2
|
|
||||||
/freeradius-server-3.0.11.tar.bz2
|
|
||||||
/freeradius-server-3.0.12.tar.bz2
|
|
||||||
/freeradius-server-3.0.13.tar.bz2
|
|
||||||
/freeradius-server-3.0.14.tar.bz2
|
|
||||||
/freeradius-server-3.0.15.tar.bz2
|
|
||||||
/freeradius-server-3.0.17.tar.bz2
|
|
||||||
/freeradius-server-3.0.18.tar.gz
|
|
||||||
/freeradius-server-3.0.18.tar.bz2
|
|
||||||
/freeradius-server-3.0.19.tar.bz2
|
|
||||||
/freeradius-server-3.0.20.tar.bz2
|
|
||||||
/freeradius-server-3.0.21.tar.bz2
|
|
||||||
/freeradius-server-3.0.22.tar.bz2
|
|
||||||
/freeradius-server-3.0.23.tar.bz2
|
|
||||||
/freeradius-server-3.0.24.tar.bz2
|
|
||||||
/freeradius-server-3.0.25.tar.bz2
|
|
||||||
/freeradius-server-3.2.0.tar.bz2
|
|
||||||
/freeradius-server-3.2.1.tar.bz2
|
|
||||||
/freeradius-server-3.2.2.tar.bz2
|
|
||||||
/freeradius-server-3.2.3.tar.bz2
|
|
||||||
/freeradius-server-3.2.5.tar.bz2
|
|
||||||
|
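--- a/SOURCES/freeradius-FIPS-exit-if-md5-not-allowed.patch
+++ b/SOURCES/freeradius-FIPS-exit-if-md5-not-allowed.patch
@@ -0,0 +1,39 @@
+Author: Antonio Torres <antorres@redhat.com>
+Date: Fri Jul 2 07:12:48 2021 -0400
+Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
+
+FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
+explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
+variable to 1 or else FR should exit at start.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
+Signed-off-by: Antonio Torres antorres@redhat.com
+---
+src/main/radiusd.c | 14 ++++++++++++++
+1 file changed, 14 insertions(+)
+
+diff --git a/src/main/radiusd.c b/src/main/radiusd.c
+index 9739514509..58a48895e6 100644
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
+exit(EXIT_FAILURE);
+}
+
++ /*
++ * If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
++ */
++ char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
++ FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
++ if (fips_file != NULL) {
++ int fips_enabled = fgetc(fips_file) - '0';
++ fclose(fips_file);
++ if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
++ fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
++ exit(EXIT_FAILURE);
++ }
++ }
++
+/*
+* According to the talloc peeps, no two threads may modify any part of
+* a ctx tree with a common root without synchronisation.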
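Review bot: The override test `atoi(fips_md5_override) != 1` accepts any value that merely begins with 1 (a constructed example is `1x`), so the gate that permits MD5 on a FIPS host is looser than the documented `RADIUS_MD5_FIPS_OVERRIDE=1`; `strcmp(fips_md5_override, "1") != 0` would match the message exactly. When the override is honoured the server starts without saying so, and one log line stating that MD5 is enabled despite FIPS mode would give operators something to audit. A failed or empty read from `fgetc` yields a value other than 1 and is treated as non-FIPS, which deserves a short comment next to the subtraction. main() continues outside the hunk.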
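--- a/SOURCES/freeradius-Fix-resource-hard-limit-error.patch
+++ b/SOURCES/freeradius-Fix-resource-hard-limit-error.patch
@@ -0,0 +1,32 @@
+commit 1ce4508c92493cf03ea1b3c42e83540b387884fa
+Author: Antonio Torres <antorres@redhat.com>
+Date: Fri Jul 2 07:12:48 2021 -0400
+Subject: [PATCH] debug: don't set resource hard limit to zero
+
+Setting the resource hard limit to zero is irreversible, meaning if it
+is set to zero then there is no way to set it higher. This means
+enabling core dump is not possible, since setting a new resource limit
+for RLIMIT_CORE would fail. By only setting the soft limit to zero, we
+can disable and enable core dumps without failures.
+
+This fix is present in both main and 3.0.x upstream branches.
+
+Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572
+Signed-off-by: Antonio Torres antorres@redhat.com
+---
+src/lib/debug.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/debug.c b/src/lib/debug.c
+index 576bcb2a65..6330c9cb66 100644
+--- a/src/lib/debug.c
++++ b/src/lib/debug.c
+@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps)
+struct rlimit no_core;
+
+no_core.rlim_cur = 0;
+- no_core.rlim_max = 0;
++ no_core.rlim_max = core_limits.rlim_max;
+
+if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
+fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));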
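Review bot: Keeping `no_core.rlim_max = core_limits.rlim_max;` makes this a soft disable only, so the limit can be raised again later in the process and a subsequent crash may write memory holding shared secrets or user passwords to disk; that trade-off is not stated next to the assignment. I would add `/* keep the hard limit so dumps can be re-enabled; core dumps are only soft-disabled here */` above it. `core_limits` is defined outside the hunk, so it is worth confirming it is always populated before fr_set_dumpable() runs, otherwise rlim_max is set to whatever it was initialised with. fr_set_dumpable() starts and ends outside the hunk.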
@ -0,0 +1,51 @@
|
|||||||
|
From e2de6fab148e800380f1929fe4ea88a38de42053 Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Alan T. DeKok" <aland@freeradius.org>
|
||||||
|
Date: Wed, 20 Nov 2019 13:59:54 -0500
|
||||||
|
Subject: [PATCH] a better fix for commit 30ffd21
|
||||||
|
|
||||||
|
Which still runs post-proxy-type fail if all of the home servers
|
||||||
|
are dead
|
||||||
|
|
||||||
|
[antorres@redhat.com: solved in FR 3.0.21, resolves bz#2030173]
|
||||||
|
[antorres@redhat.com: removed first hunk of commit, already present]
|
||||||
|
---
|
||||||
|
src/main/process.c | 9 +++------
|
||||||
|
1 file changed, 3 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/main/process.c b/src/main/process.c
|
||||||
|
index c8b3af24e2..1a48517d43 100644
|
||||||
|
--- a/src/main/process.c
|
||||||
|
+++ b/src/main/process.c
|
||||||
|
@@ -2475,13 +2474,12 @@ static int process_proxy_reply(REQUEST *request, RADIUS_PACKET *reply)
|
||||||
|
}
|
||||||
|
|
||||||
|
old_server = request->server;
|
||||||
|
- rad_assert(request->home_server != NULL);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If the home server is virtual, just run pre_proxy from
|
||||||
|
* that section.
|
||||||
|
*/
|
||||||
|
- if (request->home_server->server) {
|
||||||
|
+ if (request->home_server && request->home_server->server) {
|
||||||
|
request->server = request->home_server->server;
|
||||||
|
|
||||||
|
} else {
|
||||||
|
@@ -3182,13 +3180,12 @@ do_home:
|
||||||
|
}
|
||||||
|
|
||||||
|
old_server = request->server;
|
||||||
|
- rad_assert(request->home_server != NULL);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If the home server is virtual, just run pre_proxy from
|
||||||
|
* that section.
|
||||||
|
*/
|
||||||
|
- if (request->home_server->server) {
|
||||||
|
+ if (request->home_server && request->home_server->server) {
|
||||||
|
request->server = request->home_server->server;
|
||||||
|
|
||||||
|
} else {
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
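Review bot: The guard `if (request->home_server && request->home_server->server)` now tolerates a NULL home server, but the comment above it still describes only the virtual-server case, and the removed `rad_assert` was the only statement of the old invariant. I would add `/* home_server may be NULL when all home servers are dead and Post-Proxy-Type Fail is run */` so the next reader does not reinstate the assert. The `else` branch lies outside both hunks, so it should be confirmed that nothing there dereferences `request->home_server`. The same applies to the second hunk at `do_home:`.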
@ -0,0 +1,41 @@
|
|||||||
|
From 3fd832baf898fe6d6f974cd2d36d1c5206bc2209 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Antonio Torres <antorres@redhat.com>
|
||||||
|
Date: Fri, 12 Nov 2021 16:23:05 +0100
|
||||||
|
Subject: [PATCH] Fix unterminated strings in SQL queries
|
||||||
|
|
||||||
|
Resolves: bz#2021247
|
||||||
|
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||||
|
---
|
||||||
|
raddb/mods-config/sql/ippool/mysql/queries.conf | 2 +-
|
||||||
|
raddb/mods-config/sql/ippool/sqlite/queries.conf | 2 +-
|
||||||
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/raddb/mods-config/sql/ippool/mysql/queries.conf b/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||||
|
index 2dfc6574dd..444812a047 100644
|
||||||
|
--- a/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||||
|
+++ b/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||||
|
@@ -114,7 +114,7 @@ allocate_update = "\
|
||||||
|
nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool_key}', \
|
||||||
|
callingstationid = '%{Calling-Station-Id}', \
|
||||||
|
username = '%{User-Name}', expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \
|
||||||
|
- WHERE framedipaddress = '%I'
|
||||||
|
+ WHERE framedipaddress = '%I'"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Use a stored procedure to find AND allocate the address. Read and customise
|
||||||
|
diff --git a/raddb/mods-config/sql/ippool/sqlite/queries.conf b/raddb/mods-config/sql/ippool/sqlite/queries.conf
|
||||||
|
index 31a5df3659..e92466108b 100644
|
||||||
|
--- a/raddb/mods-config/sql/ippool/sqlite/queries.conf
|
||||||
|
+++ b/raddb/mods-config/sql/ippool/sqlite/queries.conf
|
||||||
|
@@ -89,7 +89,7 @@ allocate_update = "\
|
||||||
|
callingstationid = '%{Calling-Station-Id}', \
|
||||||
|
username = '%{User-Name}', \
|
||||||
|
expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \
|
||||||
|
- WHERE framedipaddress = '%I'
|
||||||
|
+ WHERE framedipaddress = '%I'"
|
||||||
|
|
||||||
|
#
|
||||||
|
# This series of queries frees an IP number when an accounting START record arrives
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -4,7 +4,6 @@ Date: Wed, 8 May 2019 10:16:31 -0400
|
|||||||
Subject: [PATCH] Use system-provided crypto-policies by default
|
Subject: [PATCH] Use system-provided crypto-policies by default
|
||||||
|
|
||||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||||
[antorres@redhat.com]: update patch to 3.2.1 state
|
|
||||||
---
|
---
|
||||||
raddb/mods-available/eap | 4 ++--
|
raddb/mods-available/eap | 4 ++--
|
||||||
raddb/mods-available/inner-eap | 2 +-
|
raddb/mods-available/inner-eap | 2 +-
|
||||||
@ -13,21 +12,21 @@ Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
|||||||
4 files changed, 6 insertions(+), 6 deletions(-)
|
4 files changed, 6 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
|
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
|
||||||
index 62152a6dfc..9f64963034 100644
|
index 36849e10f2..b28c0f19c6 100644
|
||||||
--- a/raddb/mods-available/eap
|
--- a/raddb/mods-available/eap
|
||||||
+++ b/raddb/mods-available/eap
|
+++ b/raddb/mods-available/eap
|
||||||
@@ -400,7 +400,7 @@ eap {
|
@@ -368,7 +368,7 @@ eap {
|
||||||
# TLS cipher suites. The format is listed
|
#
|
||||||
# in "man 1 ciphers".
|
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
|
||||||
#
|
#
|
||||||
- cipher_list = "DEFAULT"
|
- cipher_list = "DEFAULT"
|
||||||
+ cipher_list = "PROFILE=SYSTEM"
|
+ cipher_list = "PROFILE=SYSTEM"
|
||||||
|
|
||||||
# Set this option to specify the allowed
|
# If enabled, OpenSSL will use server cipher list
|
||||||
# TLS signature algorithms for OpenSSL 1.1.1 and above.
|
# (possibly defined by cipher_list option above)
|
||||||
@@ -1082,7 +1082,7 @@ eap {
|
@@ -912,7 +912,7 @@ eap {
|
||||||
# "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
|
# Note - for OpenSSL 1.1.0 and above you may need
|
||||||
# recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
|
# to add ":@SECLEVEL=0"
|
||||||
#
|
#
|
||||||
- # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
|
- # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
|
||||||
+ # cipher_list = "PROFILE=SYSTEM"
|
+ # cipher_list = "PROFILE=SYSTEM"
|
||||||
@ -48,23 +47,23 @@ index 576eb7739e..ffa07188e2 100644
|
|||||||
# You may want to set a very small fragment size.
|
# You may want to set a very small fragment size.
|
||||||
# The TLS data here needs to go inside of the
|
# The TLS data here needs to go inside of the
|
||||||
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
|
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
|
||||||
index b8d0626bbe..073b2933c2 100644
|
index 92f1d6330e..cd69b3905a 100644
|
||||||
--- a/raddb/sites-available/abfab-tls
|
--- a/raddb/sites-available/abfab-tls
|
||||||
+++ b/raddb/sites-available/abfab-tls
|
+++ b/raddb/sites-available/abfab-tls
|
||||||
@@ -20,7 +20,7 @@ listen {
|
@@ -19,7 +19,7 @@ listen {
|
||||||
dh_file = ${certdir}/dh
|
dh_file = ${certdir}/dh
|
||||||
fragment_size = 8192
|
fragment_size = 8192
|
||||||
ca_path = ${cadir}
|
ca_path = ${cadir}
|
||||||
- cipher_list = "DEFAULT"
|
- cipher_list = "DEFAULT"
|
||||||
+ cipher_list = "PROFILE=SYSTEM"
|
+ cipher_list = "PROFILE=SYSTEM"
|
||||||
|
|
||||||
cache {
|
cache {
|
||||||
enable = no
|
enable = no
|
||||||
lifetime = 24 # hours
|
|
||||||
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
|
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
|
||||||
index 137fcbc6cc..a65f8a8711 100644
|
index bbc761b1c5..83cd35b851 100644
|
||||||
--- a/raddb/sites-available/tls
|
--- a/raddb/sites-available/tls
|
||||||
+++ b/raddb/sites-available/tls
|
+++ b/raddb/sites-available/tls
|
||||||
@@ -292,7 +292,7 @@ listen {
|
@@ -215,7 +215,7 @@ listen {
|
||||||
# Set this option to specify the allowed
|
# Set this option to specify the allowed
|
||||||
# TLS cipher suites. The format is listed
|
# TLS cipher suites. The format is listed
|
||||||
# in "man 1 ciphers".
|
# in "man 1 ciphers".
|
||||||
@ -73,15 +72,15 @@ index 137fcbc6cc..a65f8a8711 100644
|
|||||||
|
|
||||||
# If enabled, OpenSSL will use server cipher list
|
# If enabled, OpenSSL will use server cipher list
|
||||||
# (possibly defined by cipher_list option above)
|
# (possibly defined by cipher_list option above)
|
||||||
@@ -676,7 +676,7 @@ home_server tls {
|
@@ -517,7 +517,7 @@ home_server tls {
|
||||||
# Set this option to specify the allowed
|
# Set this option to specify the allowed
|
||||||
# TLS cipher suites. The format is listed
|
# TLS cipher suites. The format is listed
|
||||||
# in "man 1 ciphers".
|
# in "man 1 ciphers".
|
||||||
- cipher_list = "DEFAULT"
|
- cipher_list = "DEFAULT"
|
||||||
+ cipher_list = "PROFILE=SYSTEM"
|
+ cipher_list = "PROFILE=SYSTEM"
|
||||||
|
}
|
||||||
|
|
||||||
#
|
}
|
||||||
# Connection timeout for outgoing TLS connections.
|
|
||||||
--
|
--
|
||||||
2.21.0
|
2.21.0
|
||||||
|
|
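Review bot: In the eap hunks the commented EAP-FAST example `# cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"` is replaced by `# cipher_list = "PROFILE=SYSTEM"`, while the neighbouring comment lines still tell the reader to use "ALL:!EXPORT:!eNULL:!SSLv2" for EAP-FAST. An administrator who uncomments the example gets the host crypto policy rather than what the comment describes. Either leave that commented example untouched or add a line such as `# PROFILE=SYSTEM defers to the system crypto policy; the list named above applies only if set explicitly`. The hunks shown are excerpts, so the full comment block should be checked in the patched file.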
1502
SOURCES/freeradius-blastradius-fix.patch
Normal file
File diff suppressed because it is too large
@ -1,18 +1,20 @@
|
|||||||
From acaf4be8e301a01041acba189194d9502994611d Mon Sep 17 00:00:00 2001
|
From 3f40655ad0708b74a4a41b13c2b21995b157c14d Mon Sep 17 00:00:00 2001
|
||||||
From: Alexander Scheel <ascheel@redhat.com>
|
From: Alexander Scheel <ascheel@redhat.com>
|
||||||
Date: Wed, 13 May 2020 10:01:47 -0400
|
Date: Wed, 5 Aug 2020 15:53:45 -0400
|
||||||
Subject: [PATCH] Don't clobber existing files on bootstrap
|
Subject: [PATCH] Don't clobber existing files on bootstrap
|
||||||
|
|
||||||
|
Rebased: v3.0.20
|
||||||
|
|
||||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||||
---
|
---
|
||||||
raddb/certs/bootstrap | 31 +++++++++++++++----------------
|
raddb/certs/bootstrap | 35 +++++++++++++++++++----------------
|
||||||
1 file changed, 15 insertions(+), 16 deletions(-)
|
1 file changed, 19 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||||
index ede09bc..e555491 100755
|
index 0f719aa..336a2bd 100755
|
||||||
--- a/raddb/certs/bootstrap
|
--- a/raddb/certs/bootstrap
|
||||||
+++ b/raddb/certs/bootstrap
|
+++ b/raddb/certs/bootstrap
|
||||||
@@ -20,56 +20,55 @@ cd `dirname $0`
|
@@ -31,52 +31,55 @@ fi
|
||||||
# Don't edit the following text. Instead, edit the Makefile, and
|
# Don't edit the following text. Instead, edit the Makefile, and
|
||||||
# re-generate these commands.
|
# re-generate these commands.
|
||||||
#
|
#
|
||||||
@ -30,7 +32,7 @@ index ede09bc..e555491 100755
|
|||||||
-if [ ! -f server.key ]; then
|
-if [ ! -f server.key ]; then
|
||||||
+if [ ! -e server.key ]; then
|
+if [ ! -e server.key ]; then
|
||||||
openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
|
openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
|
||||||
chmod g+r server.key
|
+ chmod g+r server.key
|
||||||
fi
|
fi
|
||||||
|
|
||||||
-if [ ! -f ca.key ]; then
|
-if [ ! -f ca.key ]; then
|
||||||
@ -56,14 +58,14 @@ index ede09bc..e555491 100755
|
|||||||
-if [ ! -f server.p12 ]; then
|
-if [ ! -f server.p12 ]; then
|
||||||
+if [ ! -e server.p12 ]; then
|
+if [ ! -e server.p12 ]; then
|
||||||
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
|
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
|
||||||
chmod g+r server.p12
|
+ chmod g+r server.p12
|
||||||
fi
|
fi
|
||||||
|
|
||||||
-if [ ! -f server.pem ]; then
|
-if [ ! -f server.pem ]; then
|
||||||
+if [ ! -e server.pem ]; then
|
+if [ ! -e server.pem ]; then
|
||||||
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
|
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
|
||||||
openssl verify -CAfile ca.pem server.pem || exit 1
|
openssl verify -CAfile ca.pem server.pem || exit 1
|
||||||
chmod g+r server.pem
|
+ chmod g+r server.pem
|
||||||
fi
|
fi
|
||||||
|
|
||||||
-if [ ! -f ca.der ]; then
|
-if [ ! -f ca.der ]; then
|
||||||
@ -74,7 +76,7 @@ index ede09bc..e555491 100755
|
|||||||
-if [ ! -f client.key ]; then
|
-if [ ! -f client.key ]; then
|
||||||
+if [ ! -e client.key ]; then
|
+if [ ! -e client.key ]; then
|
||||||
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
|
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
|
||||||
chmod g+r client.key
|
+ chmod g+r client.key
|
||||||
fi
|
fi
|
||||||
|
|
||||||
-if [ ! -f client.crt ]; then
|
-if [ ! -f client.crt ]; then
|
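Review bot: The `openssl pkcs12` lines carried by this patch pass the key passphrase as `-passin pass:...` and `-passout pass:...`, which places it in the process argument list where other local users can read it while the command runs. OpenSSL also accepts `file:` and `env:` pass phrase sources, and since the value is already read from `server.cnf` a source that keeps it out of argv would be preferable. Separately, the `chmod g+r` lines make private keys group-readable; a comment naming the group that is expected to own them would make that intent reviewable. Only excerpts of the bootstrap hunk are shown here.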
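--- a/SOURCES/freeradius-bootstrap-fixed-dhparam.patch
+++ b/SOURCES/freeradius-bootstrap-fixed-dhparam.patch
@@ -0,0 +1,52 @@
+From b31f1ab9a0e1c010037d2d660e3ce4ea7eb07d6c Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 5 Aug 2020 16:10:52 -0400
+Subject: [PATCH] Use fixed FIPS-approved dhparam by default
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+raddb/certs/Makefile | 2 +-
+raddb/certs/bootstrap | 7 +++++--
+2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
+index 5cbfd46..41b7aea 100644
+--- a/raddb/certs/Makefile
++++ b/raddb/certs/Makefile
+@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
+#
+######################################################################
+dh:
+- $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
++ cp rfc3526-group-18-8192.dhparam dh
+
+######################################################################
+#
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 9920ecf..59b3310 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -13,6 +13,10 @@
+umask 027
+cd `dirname $0`
+
++if [ ! -e random ]; then
++ ln -sf /dev/urandom random
++fi
++
+make -h > /dev/null 2>&1
+
+#
+@@ -35,8 +39,7 @@ fi
+# re-generate these commands.
+#
+if [ ! -e dh ]; then
+- openssl dhparam -out dh 2048 || exit 1
+- ln -sf /dev/urandom random
++ cp rfc3526-group-18-8192.dhparam dh
+fi
+
+if [ ! -e server.key ]; then
+--
+2.26.2
+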
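Review bot: The replacement `cp rfc3526-group-18-8192.dhparam dh` in bootstrap dropped the `|| exit 1` that the removed `openssl dhparam` line had, so a missing or unreadable parameter file lets the script carry on without `dh`; `cp rfc3526-group-18-8192.dhparam dh || exit 1` keeps the old failure behaviour. The diffstat lists only Makefile and bootstrap, so the `.dhparam` file has to be shipped by something outside this patch, and the Makefile `dh:` target could name it as a prerequisite. A comment saying that the group is fixed and public by design, and where the file comes from, would help whoever audits the TLS setup.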
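--- a/SOURCES/freeradius-bootstrap-run-only-once.patch
+++ b/SOURCES/freeradius-bootstrap-run-only-once.patch
@@ -0,0 +1,72 @@
+Author: Antonio Torres <antorres@redhat.com>
+Date: Wed Jul 20 2021
+Subject: [PATCH] ensure bootstrap script is run only once
+
+The bootstrap script should only run once. By checking if there are
+certificates in the directory, we can exit early if certificates were
+already generated.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
+Signed-off-by: Antonio Torres antorres@redhat.com
+---
+raddb/certs/README | 16 ++++++----------
+raddb/certs/bootstrap | 18 ++++++++++++------
+2 files changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/raddb/certs/README b/raddb/certs/README
+index 6288921da1..32413964dd 100644
+--- a/raddb/certs/README
++++ b/raddb/certs/README
+@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
+your users, and to issue client certificates for EAP-TLS.
+
+If FreeRADIUS was configured to use OpenSSL, then simply starting
+-the server in root in debugging mode should also create test
+-certificates, i.e.:
++the server in root mode should also create test certificates.
+
+-$ radiusd -X
+-
+- That will cause the EAP-TLS module to run the "bootstrap" script in
+-this directory. The script will be executed only once, the first time
+-the server has been installed on a particular machine. This bootstrap
+-script SHOULD be run on installation of any pre-built binary package
+-for your OS. In any case, the script will ensure that it is not run
+-twice, and that it does not over-write any existing certificates.
++ The start of FreeRADIUS will cause to run the "bootstrap" script.
++The script will be executed during every start of FreeRADIUS via systemd but
++the script will ensure that it does not overwrite any existing certificates.
++Ideally, the bootstrap script file should be deleted after new testing certificates
++have been generated.
+
+If you already have CA and server certificates, rename (or delete)
+this directory, and create a new "certs" directory containing your
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 0f719aafd4..92254dc936 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -1,12 +1,18 @@
+#!/bin/sh
+#
+-# This is a wrapper script to create default certificates when the
+-# server first starts in debugging mode. Once the certificates have been
+-# created, this file should be deleted.
++# Bootstrap script should be run only once. If there are already certificates
++# generated, skip the execution.
++#
++cd `dirname $0`
++if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
++ exit 0
++fi
++
+#
+-# Ideally, this program should be run as part of the installation of any
+-# binary package. The installation should also ensure that the permissions
+-# and owners are correct for the files generated by this script.
++# This is a wrapper script to create default certificates when the
++# server starts via systemd. It should also ensure that the
++# permissions and owners are correct for the generated files. Once
++# the certificates have been created, this file should be deleted.
+#
+# $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
+#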
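Review bot: The guard `ls -l *.{pem,crt,key}` relies on brace expansion, which the `#!/bin/sh` interpreter line does not guarantee; under a POSIX shell without it the pattern matches nothing and the early exit never fires. It also exits as soon as any single certificate or key exists, so a run that was interrupted part-way is never completed and the server can be left with an incomplete set. A portable form is `for f in *.pem *.crt *.key; do [ -e "$f" ] && exit 0; done`, and the partial-state case deserves either a comment or a check for the specific files the server needs. The rest of the bootstrap script lies outside the hunk.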
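--- a/SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch
+++ b/SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch
@@ -0,0 +1,47 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 09 Dec 2022
+Subject: Fix crash on invalid abinary data
+
+A malicious RADIUS client or home server can send a malformed abinary
+attribute which can cause the server to crash.
+
+Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151706
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+diff --git a/src/lib/filters.c b/src/lib/filters.c
+index 4868cd385d9f..3f3b63daeef3 100644
+--- a/src/lib/filters.c
++++ b/src/lib/filters.c
+@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+}
+}
+} else if (filter->type == RAD_FILTER_GENERIC) {
+- int count;
++ size_t count, masklen;
++
++ masklen = ntohs(filter->u.generic.len);
++ if (masklen >= sizeof(filter->u.generic.mask)) {
++ *p = '\0';
++ return;
++ }
+
+i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
+p += i;
+
+/* show the mask */
+- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
++ for (count = 0; count < masklen; count++) {
+i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
+p += i;
+outlen -= i;
+@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+outlen--;
+
+/* show the value */
+- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
++ for (count = 0; count < masklen; count++) {
+i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
+p += i;
+outlen -= i;
+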
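Review bot: The new `masklen` check bounds the reads from `mask` and `value`, but the writes stay unbounded: every `i = snprintf(p, outlen, ...)` is followed by `p += i; outlen -= i;` with no test that the output fit, and after the offset is printed `p` advances without `outlen` being reduced in the visible lines. snprintf returns the length it wanted to write, so on truncation `p` moves past the buffer and the size_t `outlen` wraps. I would stop on `if (i < 0 || (size_t) i >= outlen)` after each call and add `outlen -= i;` after the offset print. Whether `>=` rather than `>` is intended for a length that exactly fills the mask array is worth a one-line comment. print_abinary() starts and ends outside the hunks.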
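--- a/SOURCES/freeradius-fix-crash-unknown-eap-sim.patch
+++ b/SOURCES/freeradius-fix-crash-unknown-eap-sim.patch
@@ -0,0 +1,115 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 09 Dec 2022
+Subject: Fix crash on unknown option in EAP-SIM
+
+When an EAP-SIM supplicant sends an unknown SIM option, the server will try to
+look that option up in the internal dictionaries. This lookup will fail, but the
+SIM code will not check for that failure. Instead, it will dereference a NULL
+pointer, and cause the server to crash.
+
+Backport of:
+https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
+https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151704
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
+index cf1e8a7dd92..e438a844eab 100644
+--- a/src/modules/rlm_eap/libeap/eapsimlib.c
++++ b/src/modules/rlm_eap/libeap/eapsimlib.c
+@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
+newvp->vp_length = 1;
+fr_pair_add(&(r->vps), newvp);
+
++ /*
++ * EAP-SIM has a 1 octet of subtype, and 2 octets
++ * reserved.
++ */
+attr += 3;
+attrlen -= 3;
+
+- /* now, loop processing each attribute that we find */
+- while(attrlen > 0) {
++ /*
++ * Loop over each attribute. The format is:
++ *
++ * 1 octet of type
++ * 1 octet of length (value 1..255)
++ * ((4 * length) - 2) octets of data.
++ */
++ while (attrlen > 0) {
+uint8_t *p;
+
+- if(attrlen < 2) {
++ if (attrlen < 2) {
+fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
+return 0;
+}
+
++ if (!attr[1]) {
++ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", attr[0],
++ es_attribute_count);
++ return 0;
++ }
++
+eapsim_attribute = attr[0];
+eapsim_len = attr[1] * 4;
+
++ /*
++ * The length includes the 2-byte header.
++ */
+if (eapsim_len > attrlen) {
+fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
+eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
+return 0;
+}
+
+- if(eapsim_len > MAX_STRING_LEN) {
+- eapsim_len = MAX_STRING_LEN;
+- }
+- if (eapsim_len < 2) {
+- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
+- es_attribute_count);
+- return 0;
+- }
++ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
++ if (!newvp) {
++ /*
++ * RFC 4186 Section 8.1 says 0..127 are
++ * "non-skippable". If one such
++ * attribute is found and we don't
++ * understand it, the server has to send:
++ *
++ * EAP-Request/SIM/Notification packet with an
++ * (AT_NOTIFICATION code, which implies general failure ("General
++ * failure after authentication" (0), or "General failure" (16384),
++ * depending on the phase of the exchange), which terminates the
++ * authentication exchange.
++ */
++ if (eapsim_attribute <= 127) {
++ fr_strerror_printf("Unknown mandatory attribute %d, failing",
++ eapsim_attribute);
++ return 0;
++ }
+
+- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
+- newvp->vp_length = eapsim_len-2;
+- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+- memcpy(p, &attr[2], eapsim_len-2);
+- fr_pair_add(&(r->vps), newvp);
+- newvp = NULL;
++ } else {
++ /*
++ * It's known, ccount for header, and
++ * copy the value over.
++ */
++ newvp->vp_length = eapsim_len - 2;
++
++ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
++ memcpy(p, &attr[2], newvp->vp_length);
++ fr_pair_add(&(r->vps), newvp);
++ }
+
+/* advance pointers, decrement length */
+attr += eapsim_len;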
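Review bot: In the new `else` branch the result of `talloc_array(newvp, uint8_t, newvp->vp_length)` goes straight into `memcpy(p, &attr[2], newvp->vp_length)`, so an allocation failure while parsing a supplicant-supplied attribute becomes a NULL write; `if (!p) { talloc_free(newvp); return 0; }` before the copy closes that. With the `MAX_STRING_LEN` clamp removed, the copy length is now bounded only by `attr[1] * 4` and `attrlen`, which deserves a one-line comment stating the maximum. The comment typo `ccount` should read `account`. unmap_eapsim_basictypes() continues outside the hunk.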
76
SOURCES/freeradius-fix-info-leakage-eap-pwd.patch
Normal file
@ -0,0 +1,76 @@
|
|||||||
|
From: Antonio Torres <antorres@redhat.com>
|
||||||
|
Date: Fri, 09 Dec 2022
|
||||||
|
Subject: Fix information leakage in EAP-PWD
|
||||||
|
|
||||||
|
The EAP-PWD function compute_password_element() leaks information about the
|
||||||
|
password which allows an attacker to substantially reduce the size of an
|
||||||
|
offline dictionary attack.
|
||||||
|
|
||||||
|
Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f
|
||||||
|
|
||||||
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
|
||||||
|
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||||
|
---
|
||||||
|
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||||
|
index d94851c3aa..9f86b62114 100644
|
||||||
|
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||||
|
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||||
|
@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
|
||||||
|
#include <freeradius-devel/radiusd.h>
|
||||||
|
#include <freeradius-devel/modules.h>
|
||||||
|
|
||||||
|
+static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
|
||||||
|
+
|
||||||
|
/* The random function H(x) = HMAC-SHA256(0^32, x) */
|
||||||
|
static void H_Init(HMAC_CTX *ctx)
|
||||||
|
{
|
||||||
|
@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||||
|
uint32_t *token)
|
||||||
|
{
|
||||||
|
BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
|
||||||
|
- HMAC_CTX *ctx = NULL;
|
||||||
|
+ EVP_MD_CTX *hmac_ctx;
|
||||||
|
+ EVP_PKEY *hmac_pkey;
|
||||||
|
uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
|
||||||
|
int nid, is_odd, primebitlen, primebytelen, ret = 0;
|
||||||
|
|
||||||
|
- ctx = HMAC_CTX_new();
|
||||||
|
- if (ctx == NULL) {
|
||||||
|
- DEBUG("failed allocating HMAC context");
|
||||||
|
- goto fail;
|
||||||
|
- }
|
||||||
|
+ MEM(hmac_ctx = EVP_MD_CTX_new());
|
||||||
|
+ MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
|
||||||
|
|
||||||
|
switch (grp_num) { /* from IANA registry for IKE D-H groups */
|
||||||
|
case 19:
|
||||||
|
@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||||
|
* pwd-seed = H(token | peer-id | server-id | password |
|
||||||
|
* counter)
|
||||||
|
*/
|
||||||
|
- H_Init(ctx);
|
||||||
|
- H_Update(ctx, (uint8_t *)token, sizeof(*token));
|
||||||
|
- H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
|
||||||
|
- H_Update(ctx, (uint8_t const *)id_server, id_server_len);
|
||||||
|
- H_Update(ctx, (uint8_t const *)password, password_len);
|
||||||
|
- H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
|
||||||
|
- H_Final(ctx, pwe_digest);
|
||||||
|
+ EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
|
||||||
|
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
|
||||||
|
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
|
||||||
|
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
|
||||||
|
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
|
||||||
|
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
|
||||||
|
|
||||||
|
BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
|
||||||
|
if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
|
||||||
|
@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||||
|
BN_clear_free(x_candidate);
|
||||||
|
BN_clear_free(rnd);
|
||||||
|
talloc_free(prfbuf);
|
||||||
|
- HMAC_CTX_free(ctx);
|
||||||
|
+ EVP_MD_CTX_free(hmac_ctx);
|
||||||
|
+ EVP_PKEY_free(hmac_pkey);
|
||||||
|
|
||||||
|
return ret;
|
||||||
|
}
|
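Review bot: The third hunk of the embedded patch (`@@ -203,13 +203,12 @@`) removes `H_Final(ctx, pwe_digest);` and adds `EVP_DigestSignInit`/`EVP_DigestSignUpdate` calls but no finalisation, so on the lines shown nothing writes `pwe_digest` before `BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd)` and `eap_pwd_kdf()` read it. The hunk's own counts (13 old lines, 12 new) agree that the finalising line was dropped rather than lost in rendering, which would leave the derived element dependent on uninitialised stack contents instead of the password. After the last update call I would add `size_t mdlen = sizeof(pwe_digest);` and `if (EVP_DigestSignFinal(hmac_ctx, pwe_digest, &mdlen) <= 0) goto fail;`, assuming the `fail` label used by the removed allocation check is still present. The return values of the other `EVP_DigestSign*` calls are unchecked as well. The body of `compute_password_element()` continues outside these hunks, so confirm that no later line already finalises the digest.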
1955
SOURCES/freeradius-fixes-to-python3-module-since-v3.0.20.patch
Normal file
File diff suppressed because it is too large
@ -26,6 +26,7 @@
|
|||||||
su radiusd radiusd
|
su radiusd radiusd
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/var/log/radius/radius.log {
|
/var/log/radius/radius.log {
|
||||||
monthly
|
monthly
|
||||||
rotate 4
|
rotate 4
|
93
SOURCES/freeradius-man-Fix-some-typos.patch
Normal file
@ -0,0 +1,93 @@
|
|||||||
|
From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||||||
|
Date: Fri, 14 Sep 2018 11:53:28 +0300
|
||||||
|
Subject: [PATCH] man: Fix some typos
|
||||||
|
|
||||||
|
---
|
||||||
|
man/man1/radzap.1 | 4 ++--
|
||||||
|
man/man5/unlang.5 | 6 +++---
|
||||||
|
man/man8/radcrypt.8 | 2 +-
|
||||||
|
man/man8/radiusd.8 | 4 ++--
|
||||||
|
4 files changed, 8 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/man/man1/radzap.1 b/man/man1/radzap.1
|
||||||
|
index a2d529d064..03b9a43a54 100644
|
||||||
|
--- a/man/man1/radzap.1
|
||||||
|
+++ b/man/man1/radzap.1
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-.TH RADZAP 1 "8 April 2005" "" "FreeRadius Daemon"
|
||||||
|
+.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon"
|
||||||
|
.SH NAME
|
||||||
|
radzap - remove rogue entries from the active sessions database
|
||||||
|
.SH SYNOPSIS
|
||||||
|
@@ -17,7 +17,7 @@ radzap - remove rogue entries from the active sessions database
|
||||||
|
.RB [ \-x ]
|
||||||
|
\fIserver[:port] secret\fP
|
||||||
|
.SH DESCRIPTION
|
||||||
|
-The FreeRadius server can be configured to maintain an active session
|
||||||
|
+The FreeRADIUS server can be configured to maintain an active session
|
||||||
|
database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1)
|
||||||
|
use this database. Sometimes that database can get out of sync, and
|
||||||
|
then it might contain rogue entries. \fBradzap\fP can clean up this
|
||||||
|
diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
|
||||||
|
index 40db5fa6e7..5f765f1787 100644
|
||||||
|
--- a/man/man5/unlang.5
|
||||||
|
+++ b/man/man5/unlang.5
|
||||||
|
@@ -195,7 +195,7 @@ The <list> can be one of "request", "reply", "proxy-request",
|
||||||
|
of Version 3, the <list> can be omitted, in which case "request" is
|
||||||
|
assumed.
|
||||||
|
|
||||||
|
-The "control" list is the list of attributes maintainted internally by
|
||||||
|
+The "control" list is the list of attributes maintained internally by
|
||||||
|
the server that controls how the server processes the request. Any
|
||||||
|
attribute that does not go in a packet on the network will generally
|
||||||
|
be placed in the "control" list.
|
||||||
|
@@ -397,7 +397,7 @@ Evaluates to true if 'foo' is a non-empty string (single quotes, double
|
||||||
|
quotes, or back-quoted). Also evaluates to true if 'foo' is a
|
||||||
|
non-zero number. Note that the language is poorly typed, so the
|
||||||
|
string "0000" can be interpreted as a numerical zero. This issue can
|
||||||
|
-be avoided by comparings strings to an empty string, rather than by
|
||||||
|
+be avoided by comparing strings to an empty string, rather than by
|
||||||
|
evaluating the string by itself.
|
||||||
|
|
||||||
|
If the word 'foo' is not a quoted string, then it can be taken as a
|
||||||
|
@@ -854,7 +854,7 @@ failover tracking that nothing was done in the current section.
|
||||||
|
.IP ok
|
||||||
|
Instructs the server that the request was processed properly. This
|
||||||
|
keyword can be used to over-ride earlier failures, if the local
|
||||||
|
-administrator determines that the faiures are not catastrophic.
|
||||||
|
+administrator determines that the failures are not catastrophic.
|
||||||
|
.IP reject
|
||||||
|
Causes the request to be immediately rejected
|
||||||
|
.SH MODULE RETURN CODES
|
||||||
|
diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
|
||||||
|
index 08336c66f2..2917f60c46 100644
|
||||||
|
--- a/man/man8/radcrypt.8
|
||||||
|
+++ b/man/man8/radcrypt.8
|
||||||
|
@@ -30,7 +30,7 @@ Use a MD5 (Message Digest 5) hash.
|
||||||
|
Ignored if performing a password check.
|
||||||
|
.IP "\-c --check"
|
||||||
|
Perform a validation check on a password hash to verify if it matches
|
||||||
|
-the plantext password.
|
||||||
|
+the plaintext password.
|
||||||
|
|
||||||
|
.SH EXAMPLES
|
||||||
|
.nf
|
||||||
|
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
|
||||||
|
index 98aef5e1be..2ef5ccf789 100644
|
||||||
|
--- a/man/man8/radiusd.8
|
||||||
|
+++ b/man/man8/radiusd.8
|
||||||
|
@@ -211,11 +211,11 @@ This file is usually static. It defines all the possible RADIUS attributes
|
||||||
|
used in the other configuration files. You don't have to modify it.
|
||||||
|
It includes other dictionary files in the same directory.
|
||||||
|
.IP hints
|
||||||
|
-Defines certain hints to the radius server based on the users's loginname
|
||||||
|
+Defines certain hints to the radius server based on the users' loginname
|
||||||
|
or other attributes sent by the access server. It also provides for
|
||||||
|
mapping user names (such as Pusername -> username). This provides the
|
||||||
|
functionality that the \fILivingston 2.0\fP server has as "Prefix" and
|
||||||
|
-"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
|
||||||
|
+"Suffix" support in the \fIusers\fP file, but is more general. Of course
|
||||||
|
the Livingston way of doing things is also supported, and you can even use
|
||||||
|
both at the same time (within certain limits).
|
||||||
|
.IP huntgroups
|
@ -6,47 +6,45 @@ Subject: [PATCH] Don't generate certificates in reproducible builds
|
|||||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||||
---
|
---
|
||||||
Make.inc.in | 5 +++++
|
Make.inc.in | 5 +++++
|
||||||
configure | 3 +++
|
configure | 4 ++++
|
||||||
configure.ac | 3 +++
|
configure.ac | 3 +++
|
||||||
raddb/all.mk | 4 ++++
|
raddb/all.mk | 4 ++++
|
||||||
4 files changed, 15 insertions(+)
|
4 files changed, 16 insertions(+)
|
||||||
|
|
||||||
diff --git a/Make.inc.in b/Make.inc.in
|
diff --git a/Make.inc.in b/Make.inc.in
|
||||||
index 0b2cd74de8..8c623cf95c 100644
|
index 0b2cd74de8..8c623cf95c 100644
|
||||||
--- a/Make.inc.in
|
--- a/Make.inc.in
|
||||||
+++ b/Make.inc.in
|
+++ b/Make.inc.in
|
||||||
@@ -174,6 +174,10 @@ else
|
@@ -173,3 +173,8 @@ else
|
||||||
|
TESTBINDIR = ./$(BUILD_DIR)/bin
|
||||||
TESTBIN = ./$(BUILD_DIR)/bin
|
TESTBIN = ./$(BUILD_DIR)/bin
|
||||||
endif
|
endif
|
||||||
|
+
|
||||||
+#
|
+#
|
||||||
+# With reproducible builds, do not generate certificates during installation
|
+# With reproducible builds, do not generate certificates during installation
|
||||||
+#
|
+#
|
||||||
+ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
|
+ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
|
||||||
|
|
||||||
#
|
|
||||||
# For creating documentation via doc/all.mk
|
|
||||||
diff --git a/configure b/configure
|
diff --git a/configure b/configure
|
||||||
index 5041ca264f..ed01ee2bdd 100755
|
index c2c599c92b..3d4403a844 100755
|
||||||
--- a/configure
|
--- a/configure
|
||||||
+++ b/configure
|
+++ b/configure
|
||||||
@@ -679,6 +679,7 @@ AUTOCONF
|
@@ -655,6 +655,7 @@ RUSERS
|
||||||
ACLOCAL
|
|
||||||
RUSERS
|
|
||||||
SNMPWALK
|
SNMPWALK
|
||||||
+ENABLE_REPRODUCIBLE_BUILDS
|
|
||||||
SNMPGET
|
SNMPGET
|
||||||
|
PERL
|
||||||
|
+ENABLE_REPRODUCIBLE_BUILDS
|
||||||
openssl_version_check_config
|
openssl_version_check_config
|
||||||
WITH_DHCP
|
WITH_DHCP
|
||||||
@@ -6976,6 +6977,7 @@ fi
|
modconfdir
|
||||||
|
@@ -5586,6 +5587,7 @@ else
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Check whether --enable-reproducible-builds was given.
|
|
||||||
+ENABLE_REPRODUCIBLE_BUILDS=yes
|
+ENABLE_REPRODUCIBLE_BUILDS=yes
|
||||||
if test ${enable_reproducible_builds+y}
|
# Check whether --enable-reproducible-builds was given.
|
||||||
then :
|
if test "${enable_reproducible_builds+set}" = set; then :
|
||||||
enableval=$enable_reproducible_builds; case "$enableval" in
|
enableval=$enable_reproducible_builds; case "$enableval" in
|
||||||
@@ -6987,6 +6989,7 @@ printf "%s\n" "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
|
@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
reproducible_builds=no
|
reproducible_builds=no
|
||||||
@ -54,11 +52,19 @@ index 5041ca264f..ed01ee2bdd 100755
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
@@ -5604,6 +5607,7 @@ fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
+
|
||||||
|
CHECKRAD=checkrad
|
||||||
|
# Extract the first word of "perl", so it can be a program name with args.
|
||||||
|
set dummy perl; ac_word=$2
|
||||||
diff --git a/configure.ac b/configure.ac
|
diff --git a/configure.ac b/configure.ac
|
||||||
index ce4d9b0ae5..790cbf02a0 100644
|
index a7abf0025a..35b013f4af 100644
|
||||||
--- a/configure.ac
|
--- a/configure.ac
|
||||||
+++ b/configure.ac
|
+++ b/configure.ac
|
||||||
@@ -697,6 +697,7 @@ AC_SUBST([openssl_version_check_config])
|
@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config])
|
||||||
dnl #
|
dnl #
|
||||||
dnl # extra argument: --enable-reproducible-builds
|
dnl # extra argument: --enable-reproducible-builds
|
||||||
dnl #
|
dnl #
|
||||||
@ -66,7 +72,7 @@ index ce4d9b0ae5..790cbf02a0 100644
|
|||||||
AC_ARG_ENABLE(reproducible-builds,
|
AC_ARG_ENABLE(reproducible-builds,
|
||||||
[AS_HELP_STRING([--enable-reproducible-builds],
|
[AS_HELP_STRING([--enable-reproducible-builds],
|
||||||
[ensure the build does not change each time])],
|
[ensure the build does not change each time])],
|
||||||
@@ -708,8 +709,10 @@ AC_ARG_ENABLE(reproducible-builds,
|
@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds,
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
reproducible_builds=no
|
reproducible_builds=no
|
||||||
@ -75,10 +81,6 @@ index ce4d9b0ae5..790cbf02a0 100644
|
|||||||
)
|
)
|
||||||
+AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
|
+AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
|
||||||
|
|
||||||
dnl #
|
|
||||||
dnl # Enable the -fsanitize=fuzzer and link in the address sanitizer
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
dnl #############################################################
|
dnl #############################################################
|
||||||
diff --git a/raddb/all.mk b/raddb/all.mk
|
diff --git a/raddb/all.mk b/raddb/all.mk
|
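--- a/SOURCES/freeradius-no-dh-param-load-FIPS.patch
+++ b/SOURCES/freeradius-no-dh-param-load-FIPS.patch
@@ -0,0 +1,45 @@
+From 42693cba452efa00a4848beb1514229149520cc1 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 5 Aug 2020 11:39:45 -0400
+Subject: [PATCH] Ignore user-provided dhparams in FIPS mode (#3554)
+
+OpenSSL in RHEL 8.3 introduces a breaking change in FIPS mode:
+user-provided dhparams will be ignored (and dhparam generation
+may fail as well), unless they are on the FIPS approved list of
+parameters. However, OpenSSL since v1.1.1 will automatically select
+an appropriate DH parameter set anyways, if the user did not provide
+any. These will be FIPS approved.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+src/main/tls.c | 17 +++++++++++++++++
+1 file changed, 17 insertions(+)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 5809a1bd7d..5e6493333c 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -1352,6 +1352,23 @@ static int load_dh_params(SSL_CTX *ctx, char *file)
+
+if (!file) return 0;
+
++ /*
++ * Prior to trying to load the file, check what OpenSSL will do with it.
++ *
++ * Certain downstreams (such as RHEL) will ignore user-provided dhparams
++ * in FIPS mode, unless the specified parameters are FIPS-approved.
++ * However, since OpenSSL >= 1.1.1 will automatically select parameters
++ * anyways, there's no point in attempting to load them.
++ *
++ * Change suggested by @t8m
++ */
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++ if (FIPS_mode() > 0) {
++ WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
++ return 0;
++ }
++#endif
++
+if ((bio = BIO_new_file(file, "r")) == NULL) {
+ERROR(LOG_PREFIX ": Unable to open DH file - %s", file);
+return -1;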
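Review bot: The guard `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` around the new `FIPS_mode()` check has no upper bound, and upstream OpenSSL 3.0 and later no longer provide `FIPS_mode()`, so as written the block only builds against the 1.1.1 series (or a downstream that carries the symbol forward). Bounding it as `#if OPENSSL_VERSION_NUMBER >= 0x10101000L && OPENSSL_VERSION_NUMBER < 0x30000000L`, with `EVP_default_properties_is_fips_enabled(NULL)` as the 3.x equivalent, would keep the patch portable. The early `return 0` also reports success without ever opening the configured file, so a mistyped `dh_file` path goes unnoticed in FIPS mode; including `file` in the WARN text would make the skipped path visible in the log. `load_dh_params()` continues outside the hunk.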
@ -6,6 +6,7 @@ After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.serv
|
|||||||
Type=forking
|
Type=forking
|
||||||
PIDFile=/var/run/radiusd/radiusd.pid
|
PIDFile=/var/run/radiusd/radiusd.pid
|
||||||
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
|
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
|
||||||
|
ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap
|
||||||
ExecStartPre=/usr/sbin/radiusd -C
|
ExecStartPre=/usr/sbin/radiusd -C
|
||||||
ExecStart=/usr/sbin/radiusd -d /etc/raddb
|
ExecStart=/usr/sbin/radiusd -d /etc/raddb
|
||||||
ExecReload=/usr/sbin/radiusd -C
|
ExecReload=/usr/sbin/radiusd -C
|
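Review bot: The added `ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap` runs a script from the configuration tree on every start, and the leading `-` discards its exit status, so a failed certificate bootstrap is only noticed if the following `radiusd -C` check happens to reject the result. No `User=` line is visible in this hunk, so the script presumably runs as root; it is worth confirming that `/etc/raddb/certs` and the `bootstrap` script are not writable by the `radiusd` account that the preceding `chown` line refers to. If ignoring the failure is intended, a comment above the line such as `# Failure is ignored on purpose; radiusd -C below validates the resulting configuration` would record that. The unit file continues outside the hunk.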
24
SOURCES/rfc3526-group-18-8192.pem
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
-----BEGIN DH PARAMETERS-----
|
||||||
|
MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
|
||||||
|
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
|
||||||
|
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
|
||||||
|
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
|
||||||
|
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
|
||||||
|
5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
|
||||||
|
fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
|
||||||
|
ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
|
||||||
|
ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
|
||||||
|
+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
|
||||||
|
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG
|
||||||
|
3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU
|
||||||
|
7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId
|
||||||
|
A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha
|
||||||
|
xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/
|
||||||
|
8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R
|
||||||
|
WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk
|
||||||
|
ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw
|
||||||
|
xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4
|
||||||
|
Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i
|
||||||
|
aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU
|
||||||
|
38gfVuiAuW5xYMmA3Zjt09///////////wIBAg==
|
||||||
|
-----END DH PARAMETERS-----
|
@ -1,8 +1,17 @@
|
|||||||
|
%if 0%{?rhel} > 7
|
||||||
|
# Disable python2 build by default
|
||||||
|
%bcond_with python2
|
||||||
|
%else
|
||||||
|
%bcond_without python2
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
Summary: High-performance and highly configurable free RADIUS server
|
Summary: High-performance and highly configurable free RADIUS server
|
||||||
Name: freeradius
|
Name: freeradius
|
||||||
Version: 3.2.5
|
Version: 3.0.20
|
||||||
Release: 4%{?dist}
|
Release: 15%{?dist}
|
||||||
License: GPL-2.0-or-later AND LGPL-2.0-or-later
|
License: GPLv2+ and LGPLv2+
|
||||||
|
Group: System Environment/Daemons
|
||||||
URL: http://www.freeradius.org/
|
URL: http://www.freeradius.org/
|
||||||
|
|
||||||
# Is elliptic curve cryptography supported?
|
# Is elliptic curve cryptography supported?
|
||||||
@ -19,20 +28,26 @@ Source100: radiusd.service
|
|||||||
Source102: freeradius-logrotate
|
Source102: freeradius-logrotate
|
||||||
Source103: freeradius-pam-conf
|
Source103: freeradius-pam-conf
|
||||||
Source104: freeradius-tmpfiles.conf
|
Source104: freeradius-tmpfiles.conf
|
||||||
Source105: freeradius.sysusers
|
Source105: rfc3526-group-18-8192.pem
|
||||||
|
|
||||||
Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
|
Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
|
||||||
Patch2: freeradius-Use-system-crypto-policy-by-default.patch
|
Patch2: freeradius-Use-system-crypto-policy-by-default.patch
|
||||||
Patch3: freeradius-bootstrap-create-only.patch
|
Patch3: freeradius-bootstrap-create-only.patch
|
||||||
Patch4: freeradius-no-buildtime-cert-gen.patch
|
Patch4: freeradius-no-buildtime-cert-gen.patch
|
||||||
Patch5: freeradius-bootstrap-make-permissions.patch
|
Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
|
||||||
Patch6: freeradius-ldap-infinite-timeout-on-starttls.patch
|
Patch6: freeradius-bootstrap-make-permissions.patch
|
||||||
Patch7: freeradius-ease-openssl-version-check.patch
|
Patch7: freeradius-no-dh-param-load-FIPS.patch
|
||||||
Patch8: freeradius-configure-c99.patch
|
Patch8: freeradius-bootstrap-fixed-dhparam.patch
|
||||||
Patch9: freeradius-no-antora-docs.patch
|
Patch9: freeradius-man-Fix-some-typos.patch
|
||||||
Patch10: freeradius-no-sql-scripts.patch
|
Patch10: freeradius-Fix-resource-hard-limit-error.patch
|
||||||
Patch11: freeradius-disable-openssl-engine.patch
|
Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
|
||||||
Patch12: freeradius-disable-perl-script.patch
|
Patch12: freeradius-bootstrap-run-only-once.patch
|
||||||
|
Patch13: freeradius-Fix-unterminated-strings-in-SQL-queries.patch
|
||||||
|
Patch14: freeradius-Fix-segfault-when-home_server-is-null.patch
|
||||||
|
Patch15: freeradius-fix-crash-on-invalid-abinary-data.patch
|
||||||
|
Patch16: freeradius-fix-crash-unknown-eap-sim.patch
|
||||||
|
Patch17: freeradius-fix-info-leakage-eap-pwd.patch
|
||||||
|
Patch18: freeradius-blastradius-fix.patch
|
||||||
|
|
||||||
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
|
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
|
||||||
|
|
||||||
@ -50,8 +65,7 @@ BuildRequires: readline-devel
|
|||||||
BuildRequires: libpcap-devel
|
BuildRequires: libpcap-devel
|
||||||
BuildRequires: systemd-units
|
BuildRequires: systemd-units
|
||||||
BuildRequires: libtalloc-devel
|
BuildRequires: libtalloc-devel
|
||||||
BuildRequires: chrpath
|
BuildRequires: pcre-devel
|
||||||
BuildRequires: systemd-rpm-macros
|
|
||||||
|
|
||||||
%if ! 0%{?rhel}
|
%if ! 0%{?rhel}
|
||||||
BuildRequires: libyubikey-devel
|
BuildRequires: libyubikey-devel
|
||||||
@ -64,8 +78,7 @@ Requires: openssl >= %(rpm -q --queryformat '%%{EPOCH}:%%{VERSION}' openssl)
|
|||||||
Requires(pre): shadow-utils glibc-common
|
Requires(pre): shadow-utils glibc-common
|
||||||
Requires(post): systemd-sysv
|
Requires(post): systemd-sysv
|
||||||
Requires(post): systemd-units
|
Requires(post): systemd-units
|
||||||
# Needed for certificate generation as upstream bootstrap script isn't
|
# Needed for certificate generation
|
||||||
# compatible with Makefile equivalent.
|
|
||||||
Requires: make
|
Requires: make
|
||||||
Requires(preun): systemd-units
|
Requires(preun): systemd-units
|
||||||
Requires(postun): systemd-units
|
Requires(postun): systemd-units
|
||||||
@ -86,6 +99,7 @@ be centralized, and minimizes the amount of re-configuration which has to be
|
|||||||
done when adding or deleting new users.
|
done when adding or deleting new users.
|
||||||
|
|
||||||
%package doc
|
%package doc
|
||||||
|
Group: Documentation
|
||||||
Summary: FreeRADIUS documentation
|
Summary: FreeRADIUS documentation
|
||||||
|
|
||||||
%description doc
|
%description doc
|
||||||
@ -93,6 +107,7 @@ All documentation supplied by the FreeRADIUS project is included
|
|||||||
in this package.
|
in this package.
|
||||||
|
|
||||||
%package utils
|
%package utils
|
||||||
|
Group: System Environment/Daemons
|
||||||
Summary: FreeRADIUS utilities
|
Summary: FreeRADIUS utilities
|
||||||
Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
Requires: libpcap >= 0.9.4
|
Requires: libpcap >= 0.9.4
|
||||||
@ -107,6 +122,7 @@ Support for RFC and VSA Attributes Additional server configuration
|
|||||||
attributes Selecting a particular configuration Authentication methods
|
attributes Selecting a particular configuration Authentication methods
|
||||||
|
|
||||||
%package devel
|
%package devel
|
||||||
|
Group: System Environment/Daemons
|
||||||
Summary: FreeRADIUS development files
|
Summary: FreeRADIUS development files
|
||||||
Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
|
|
||||||
@ -115,6 +131,7 @@ Development headers and libraries for FreeRADIUS.
|
|||||||
|
|
||||||
%package ldap
|
%package ldap
|
||||||
Summary: LDAP support for freeradius
|
Summary: LDAP support for freeradius
|
||||||
|
Group: System Environment/Daemons
|
||||||
Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
BuildRequires: openldap-devel
|
BuildRequires: openldap-devel
|
||||||
|
|
||||||
@ -123,6 +140,7 @@ This plugin provides the LDAP support for the FreeRADIUS server project.
|
|||||||
|
|
||||||
%package krb5
|
%package krb5
|
||||||
Summary: Kerberos 5 support for freeradius
|
Summary: Kerberos 5 support for freeradius
|
||||||
|
Group: System Environment/Daemons
|
||||||
Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
BuildRequires: krb5-devel
|
BuildRequires: krb5-devel
|
||||||
|
|
||||||
@ -131,7 +149,9 @@ This plugin provides the Kerberos 5 support for the FreeRADIUS server project.
|
|||||||
|
|
||||||
%package perl
|
%package perl
|
||||||
Summary: Perl support for freeradius
|
Summary: Perl support for freeradius
|
||||||
|
Group: System Environment/Daemons
|
||||||
Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
|
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
|
||||||
%{?fedora:BuildRequires: perl-devel}
|
%{?fedora:BuildRequires: perl-devel}
|
||||||
BuildRequires: perl-devel
|
BuildRequires: perl-devel
|
||||||
BuildRequires: perl-generators
|
BuildRequires: perl-generators
|
||||||
@ -140,9 +160,10 @@ BuildRequires: perl(ExtUtils::Embed)
|
|||||||
%description perl
|
%description perl
|
||||||
This plugin provides the Perl support for the FreeRADIUS server project.
|
This plugin provides the Perl support for the FreeRADIUS server project.
|
||||||
|
|
||||||
%if 0%{?fedora} <= 30 && 0%{?rhel} < 8
|
%if %{with python2}
|
||||||
%package -n python2-freeradius
|
%package -n python2-freeradius
|
||||||
Summary: Python 2 support for freeradius
|
Summary: Python 2 support for freeradius
|
||||||
|
Group: System Environment/Daemons
|
||||||
Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
BuildRequires: python2-devel
|
BuildRequires: python2-devel
|
||||||
%{?python_provide:%python_provide python2-freeradius}
|
%{?python_provide:%python_provide python2-freeradius}
|
||||||
@ -153,6 +174,7 @@ Obsoletes: %{name}-python < %{version}-%{release}
|
|||||||
|
|
||||||
%description -n python2-freeradius
|
%description -n python2-freeradius
|
||||||
This plugin provides the Python 2 support for the FreeRADIUS server project.
|
This plugin provides the Python 2 support for the FreeRADIUS server project.
|
||||||
|
# endif: with python2
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%package -n python3-freeradius
|
%package -n python3-freeradius
|
||||||
@ -166,6 +188,7 @@ This plugin provides the Python 3 support for the FreeRADIUS server project.
|
|||||||
|
|
||||||
%package mysql
|
%package mysql
|
||||||
Summary: MySQL support for freeradius
|
Summary: MySQL support for freeradius
|
||||||
|
Group: System Environment/Daemons
|
||||||
Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
BuildRequires: mariadb-connector-c-devel
|
BuildRequires: mariadb-connector-c-devel
|
||||||
|
|
||||||
@ -174,14 +197,16 @@ This plugin provides the MySQL support for the FreeRADIUS server project.
|
|||||||
|
|
||||||
%package postgresql
|
%package postgresql
|
||||||
Summary: Postgresql support for freeradius
|
Summary: Postgresql support for freeradius
|
||||||
|
Group: System Environment/Daemons
|
||||||
Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
BuildRequires: libpq-devel
|
BuildRequires: postgresql-devel
|
||||||
|
|
||||||
%description postgresql
|
%description postgresql
|
||||||
This plugin provides the postgresql support for the FreeRADIUS server project.
|
This plugin provides the postgresql support for the FreeRADIUS server project.
|
||||||
|
|
||||||
%package sqlite
|
%package sqlite
|
||||||
Summary: SQLite support for freeradius
|
Summary: SQLite support for freeradius
|
||||||
|
Group: System Environment/Daemons
|
||||||
Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
BuildRequires: sqlite-devel
|
BuildRequires: sqlite-devel
|
||||||
|
|
||||||
@ -190,6 +215,7 @@ This plugin provides the SQLite support for the FreeRADIUS server project.
|
|||||||
|
|
||||||
%package unixODBC
|
%package unixODBC
|
||||||
Summary: Unix ODBC support for freeradius
|
Summary: Unix ODBC support for freeradius
|
||||||
|
Group: System Environment/Daemons
|
||||||
Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
BuildRequires: unixODBC-devel
|
BuildRequires: unixODBC-devel
|
||||||
|
|
||||||
@ -198,6 +224,7 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
|
|||||||
|
|
||||||
%package rest
|
%package rest
|
||||||
Summary: REST support for freeradius
|
Summary: REST support for freeradius
|
||||||
|
Group: System Environment/Daemons
|
||||||
Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
BuildRequires: libcurl-devel
|
BuildRequires: libcurl-devel
|
||||||
BuildRequires: json-c-devel
|
BuildRequires: json-c-devel
|
||||||
@ -209,31 +236,38 @@ This plugin provides the REST support for the FreeRADIUS server project.
|
|||||||
%setup -q -n %{dist_base}
|
%setup -q -n %{dist_base}
|
||||||
# Note: We explicitly do not make patch backup files because 'make install'
|
# Note: We explicitly do not make patch backup files because 'make install'
|
||||||
# mistakenly includes the backup files, especially problematic for raddb config files.
|
# mistakenly includes the backup files, especially problematic for raddb config files.
|
||||||
%patch 1 -p1
|
%patch1 -p1
|
||||||
%patch 2 -p1
|
%patch2 -p1
|
||||||
%patch 3 -p1
|
%patch3 -p1
|
||||||
%patch 4 -p1
|
%patch4 -p1
|
||||||
%patch 5 -p1
|
%patch5 -p1
|
||||||
%patch 6 -p1
|
%patch6 -p1
|
||||||
%patch 7 -p1
|
%patch7 -p1
|
||||||
%patch 8 -p1
|
%patch8 -p1
|
||||||
%patch 9 -p1
|
%patch9 -p1
|
||||||
%patch 10 -p1
|
%patch10 -p1
|
||||||
%patch 11 -p1
|
%patch11 -p1
|
||||||
%patch 12 -p1
|
%patch12 -p1
|
||||||
|
%patch13 -p1
|
||||||
|
%patch14 -p1
|
||||||
|
%patch15 -p1
|
||||||
|
%patch16 -p1
|
||||||
|
%patch17 -p1
|
||||||
|
%patch18 -p1
|
||||||
|
|
||||||
|
# Add fixed dhparam file to the source to ensure `make tests` can run.
|
||||||
|
cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# Force compile/link options, extra security for network facing daemon
|
# Force compile/link options, extra security for network facing daemon
|
||||||
%global _hardened_build 1
|
%global _hardened_build 1
|
||||||
|
|
||||||
# Enable FIPS support
|
# Hack: rlm_python3 as stable; prevents building other unstable modules.
|
||||||
%global build_cflags %{build_cflags} -DWITH_FIPS
|
sed 's/rlm_python.*/rlm_python3/g' src/modules/stable -i
|
||||||
|
|
||||||
# No OpenSSL Engine as it's deprecated
|
# python3-config is broken:
|
||||||
%global build_cflags %{build_cflags} -UHAVE_OPENSSL_ENGINE_H
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1772988
|
||||||
|
export PY3_LIB_DIR=%{_libdir}/"$(python3-config --configdir | sed 's#/usr/lib/##g')"
|
||||||
%global build_ldflags %{build_ldflags} $(python3-config --embed --libs)
|
|
||||||
export PY3_LIB_DIR="$(python3-config --configdir)"
|
|
||||||
export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"
|
export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"
|
||||||
|
|
||||||
%configure \
|
%configure \
|
||||||
@ -254,7 +288,9 @@ export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_v
|
|||||||
--with-rlm_python3 \
|
--with-rlm_python3 \
|
||||||
--with-rlm-python3-lib-dir=$PY3_LIB_DIR \
|
--with-rlm-python3-lib-dir=$PY3_LIB_DIR \
|
||||||
--with-rlm-python3-include-dir=$PY3_INC_DIR \
|
--with-rlm-python3-include-dir=$PY3_INC_DIR \
|
||||||
--without-rlm_python \
|
%if %{without python2}
|
||||||
|
--without-rlm-python2 \
|
||||||
|
%endif
|
||||||
--without-rlm_eap_ikev2 \
|
--without-rlm_eap_ikev2 \
|
||||||
--without-rlm_eap_tnc \
|
--without-rlm_eap_tnc \
|
||||||
--without-rlm_sql_iodbc \
|
--without-rlm_sql_iodbc \
|
||||||
@ -266,8 +302,7 @@ export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_v
|
|||||||
--without-rlm_rediswho \
|
--without-rlm_rediswho \
|
||||||
--without-rlm_cache_memcached
|
--without-rlm_cache_memcached
|
||||||
|
|
||||||
# Build fast, but get better errors if we fail
|
make
|
||||||
make %{?_smp_mflags} || make -j1
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/radiusd
|
mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/radiusd
|
||||||
@ -286,21 +321,14 @@ mkdir -p %{buildroot}%{_localstatedir}/run/
|
|||||||
install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
|
install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
|
||||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
|
install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
|
||||||
install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf
|
install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf
|
||||||
install -p -D -m 0644 %{SOURCE105} %{buildroot}%{_sysusersdir}/freeradius.conf
|
|
||||||
|
# Add fixed dhparam file
|
||||||
|
install -m 0644 %{SOURCE105} %{buildroot}/%{_sysconfdir}/raddb/certs/rfc3526-group-18-8192.dhparam
|
||||||
|
|
||||||
# install SNMP MIB files
|
# install SNMP MIB files
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
|
mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
|
||||||
install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
|
install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
|
||||||
|
|
||||||
# remove rpath where needed
|
|
||||||
chrpath --delete $RPM_BUILD_ROOT%{_libdir}/freeradius/*.so
|
|
||||||
for f in $RPM_BUILD_ROOT/usr/sbin/*; do chrpath --delete $f || true; done
|
|
||||||
for f in $RPM_BUILD_ROOT/usr/bin/*; do chrpath --delete $f || true; done
|
|
||||||
|
|
||||||
# update ld with freeradius libs
|
|
||||||
mkdir -p %{buildroot}/%{_sysconfdir}/ld.so.conf.d
|
|
||||||
echo "%{_libdir}/freeradius" > %{buildroot}/%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
|
|
||||||
|
|
||||||
# remove unneeded stuff
|
# remove unneeded stuff
|
||||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt
|
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt
|
||||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crl
|
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crl
|
||||||
@ -322,7 +350,6 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.la
|
|||||||
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/mssql
|
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/mssql
|
||||||
|
|
||||||
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/oracle
|
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/oracle
|
||||||
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/mssql
|
|
||||||
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool-dhcp/oracle
|
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool-dhcp/oracle
|
||||||
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/oracle
|
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/oracle
|
||||||
rm -r $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/moonshot-targeted-ids
|
rm -r $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/moonshot-targeted-ids
|
||||||
@ -338,6 +365,12 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab*
|
|||||||
|
|
||||||
rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so
|
rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so
|
||||||
|
|
||||||
|
# Remove yubikey on RHEL
|
||||||
|
%if 0%{?rhel}
|
||||||
|
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/yubikey
|
||||||
|
rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_yubikey.so
|
||||||
|
%endif
|
||||||
|
|
||||||
# remove unsupported config files
|
# remove unsupported config files
|
||||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf
|
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf
|
||||||
|
|
||||||
@ -370,18 +403,30 @@ EOF
|
|||||||
|
|
||||||
# Make sure our user/group is present prior to any package or subpackage installation
|
# Make sure our user/group is present prior to any package or subpackage installation
|
||||||
%pre
|
%pre
|
||||||
%sysusers_create_compat %{SOURCE105}
|
getent group radiusd >/dev/null || /usr/sbin/groupadd -r -g 95 radiusd > /dev/null 2>&1
|
||||||
|
getent passwd radiusd >/dev/null || /usr/sbin/useradd -r -g radiusd -u 95 -c "radiusd user" -d %{_localstatedir}/lib/radiusd -s /sbin/nologin radiusd > /dev/null 2>&1
|
||||||
|
exit 0
|
||||||
|
|
||||||
|
%post
|
||||||
|
%systemd_post radiusd.service
|
||||||
|
exit 0
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
%systemd_preun radiusd.service
|
%systemd_preun radiusd.service
|
||||||
|
|
||||||
%postun
|
%postun
|
||||||
%systemd_postun_with_restart radiusd.service
|
%systemd_postun_with_restart radiusd.service
|
||||||
|
if [ $1 -eq 0 ]; then # uninstall
|
||||||
|
getent passwd radiusd >/dev/null && /usr/sbin/userdel radiusd > /dev/null 2>&1
|
||||||
|
getent group radiusd >/dev/null && /usr/sbin/groupdel radiusd > /dev/null 2>&1
|
||||||
|
fi
|
||||||
|
exit 0
|
||||||
|
|
||||||
/bin/systemctl try-restart radiusd.service >/dev/null 2>&1 || :
|
/bin/systemctl try-restart radiusd.service >/dev/null 2>&1 || :
|
||||||
|
|
||||||
|
|
||||||
%files
|
%files
|
||||||
|
%defattr(-,root,root)
|
||||||
|
|
||||||
# doc
|
# doc
|
||||||
%license %{docdir}/LICENSE.gpl
|
%license %{docdir}/LICENSE.gpl
|
||||||
@ -392,10 +437,8 @@ EOF
|
|||||||
# system
|
# system
|
||||||
%config(noreplace) %{_sysconfdir}/pam.d/radiusd
|
%config(noreplace) %{_sysconfdir}/pam.d/radiusd
|
||||||
%config(noreplace) %{_sysconfdir}/logrotate.d/radiusd
|
%config(noreplace) %{_sysconfdir}/logrotate.d/radiusd
|
||||||
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
|
|
||||||
%{_unitdir}/radiusd.service
|
%{_unitdir}/radiusd.service
|
||||||
%{_tmpfilesdir}/radiusd.conf
|
%{_tmpfilesdir}/radiusd.conf
|
||||||
%{_sysusersdir}/freeradius.conf
|
|
||||||
%dir %attr(710,radiusd,radiusd) %{_localstatedir}/run/radiusd
|
%dir %attr(710,radiusd,radiusd) %{_localstatedir}/run/radiusd
|
||||||
%dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp
|
%dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp
|
||||||
%dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd
|
%dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd
|
||||||
@ -428,10 +471,10 @@ EOF
|
|||||||
%dir %attr(770,root,radiusd) /etc/raddb/certs
|
%dir %attr(770,root,radiusd) /etc/raddb/certs
|
||||||
%config(noreplace) /etc/raddb/certs/Makefile
|
%config(noreplace) /etc/raddb/certs/Makefile
|
||||||
%config(noreplace) /etc/raddb/certs/passwords.mk
|
%config(noreplace) /etc/raddb/certs/passwords.mk
|
||||||
/etc/raddb/certs/README.md
|
/etc/raddb/certs/README
|
||||||
/etc/raddb/certs/realms/README.md
|
|
||||||
%config(noreplace) /etc/raddb/certs/xpextensions
|
%config(noreplace) /etc/raddb/certs/xpextensions
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
|
||||||
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam
|
||||||
%attr(750,root,radiusd) /etc/raddb/certs/bootstrap
|
%attr(750,root,radiusd) /etc/raddb/certs/bootstrap
|
||||||
|
|
||||||
# mods-config
|
# mods-config
|
||||||
@ -443,7 +486,6 @@ EOF
|
|||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/files/*
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/files/*
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/preprocess
|
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/preprocess
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/preprocess/*
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/preprocess/*
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/realm/freeradius-naptr-to-home-server.sh
|
|
||||||
|
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql
|
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter
|
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter
|
||||||
@ -455,8 +497,6 @@ EOF
|
|||||||
# sites-available
|
# sites-available
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/sites-available
|
%dir %attr(750,root,radiusd) /etc/raddb/sites-available
|
||||||
/etc/raddb/sites-available/README
|
/etc/raddb/sites-available/README
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/aws-nlb
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/resource-check
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/control-socket
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/control-socket
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/decoupled-accounting
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/decoupled-accounting
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/robust-proxy-accounting
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/robust-proxy-accounting
|
||||||
@ -478,11 +518,8 @@ EOF
|
|||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/copy-acct-to-home-server
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/copy-acct-to-home-server
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/buffered-sql
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/buffered-sql
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/tls
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/tls
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/totp
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/channel_bindings
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/channel_bindings
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/challenge
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/challenge
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/google-ldap-auth
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/tls-cache
|
|
||||||
|
|
||||||
# sites-enabled
|
# sites-enabled
|
||||||
# symlink: /etc/raddb/sites-enabled/xxx -> ../sites-available/xxx
|
# symlink: /etc/raddb/sites-enabled/xxx -> ../sites-available/xxx
|
||||||
@ -496,7 +533,7 @@ EOF
|
|||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/always
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/always
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/attr_filter
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/attr_filter
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache_auth
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache_eap
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/chap
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/chap
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/counter
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/counter
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cui
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cui
|
||||||
@ -505,9 +542,6 @@ EOF
|
|||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/detail.example.com
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/detail.example.com
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/detail.log
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/detail.log
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_files
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_passwd
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_sql
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_sqlippool
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_sqlippool
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/digest
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/digest
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dynamic_clients
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dynamic_clients
|
||||||
@ -521,8 +555,6 @@ EOF
|
|||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/idn
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/idn
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/inner-eap
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/inner-eap
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ippool
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ippool
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/json
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ldap_google
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/linelog
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/linelog
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/logintime
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/logintime
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/mac2ip
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/mac2ip
|
||||||
@ -530,6 +562,7 @@ EOF
|
|||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/mschap
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/mschap
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ntlm_auth
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ntlm_auth
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/opendirectory
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/opendirectory
|
||||||
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/otp
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pam
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pam
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pap
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pap
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/passwd
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/passwd
|
||||||
@ -546,23 +579,24 @@ EOF
|
|||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/soh
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/soh
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sometimes
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sometimes
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sql
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sql
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sql_map
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sqlcounter
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sqlcounter
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sqlippool
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sqlippool
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sradutmp
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sradutmp
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/totp
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unix
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unix
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unpack
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unpack
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/utf8
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/utf8
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/wimax
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/wimax
|
||||||
|
|
||||||
|
%if ! 0%{?rhel}
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/yubikey
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/yubikey
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dpsk
|
%endif
|
||||||
|
|
||||||
# mods-enabled
|
# mods-enabled
|
||||||
# symlink: /etc/raddb/mods-enabled/xxx -> ../mods-available/xxx
|
# symlink: /etc/raddb/mods-enabled/xxx -> ../mods-available/xxx
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-enabled
|
%dir %attr(750,root,radiusd) /etc/raddb/mods-enabled
|
||||||
%config(missingok) /etc/raddb/mods-enabled/always
|
%config(missingok) /etc/raddb/mods-enabled/always
|
||||||
%config(missingok) /etc/raddb/mods-enabled/attr_filter
|
%config(missingok) /etc/raddb/mods-enabled/attr_filter
|
||||||
|
%config(missingok) /etc/raddb/mods-enabled/cache_eap
|
||||||
%config(missingok) /etc/raddb/mods-enabled/chap
|
%config(missingok) /etc/raddb/mods-enabled/chap
|
||||||
%config(missingok) /etc/raddb/mods-enabled/date
|
%config(missingok) /etc/raddb/mods-enabled/date
|
||||||
%config(missingok) /etc/raddb/mods-enabled/detail
|
%config(missingok) /etc/raddb/mods-enabled/detail
|
||||||
@ -587,7 +621,6 @@ EOF
|
|||||||
%config(missingok) /etc/raddb/mods-enabled/replicate
|
%config(missingok) /etc/raddb/mods-enabled/replicate
|
||||||
%config(missingok) /etc/raddb/mods-enabled/soh
|
%config(missingok) /etc/raddb/mods-enabled/soh
|
||||||
%config(missingok) /etc/raddb/mods-enabled/sradutmp
|
%config(missingok) /etc/raddb/mods-enabled/sradutmp
|
||||||
%config(missingok) /etc/raddb/mods-enabled/totp
|
|
||||||
%config(missingok) /etc/raddb/mods-enabled/unix
|
%config(missingok) /etc/raddb/mods-enabled/unix
|
||||||
%config(missingok) /etc/raddb/mods-enabled/unpack
|
%config(missingok) /etc/raddb/mods-enabled/unpack
|
||||||
%config(missingok) /etc/raddb/mods-enabled/utf8
|
%config(missingok) /etc/raddb/mods-enabled/utf8
|
||||||
@ -636,6 +669,7 @@ EOF
|
|||||||
%{_libdir}/freeradius/rlm_cache_rbtree.so
|
%{_libdir}/freeradius/rlm_cache_rbtree.so
|
||||||
%{_libdir}/freeradius/rlm_chap.so
|
%{_libdir}/freeradius/rlm_chap.so
|
||||||
%{_libdir}/freeradius/rlm_counter.so
|
%{_libdir}/freeradius/rlm_counter.so
|
||||||
|
%{_libdir}/freeradius/rlm_cram.so
|
||||||
%{_libdir}/freeradius/rlm_date.so
|
%{_libdir}/freeradius/rlm_date.so
|
||||||
%{_libdir}/freeradius/rlm_detail.so
|
%{_libdir}/freeradius/rlm_detail.so
|
||||||
%{_libdir}/freeradius/rlm_dhcp.so
|
%{_libdir}/freeradius/rlm_dhcp.so
|
||||||
@ -644,6 +678,7 @@ EOF
|
|||||||
%{_libdir}/freeradius/rlm_eap.so
|
%{_libdir}/freeradius/rlm_eap.so
|
||||||
%{_libdir}/freeradius/rlm_eap_fast.so
|
%{_libdir}/freeradius/rlm_eap_fast.so
|
||||||
%{_libdir}/freeradius/rlm_eap_gtc.so
|
%{_libdir}/freeradius/rlm_eap_gtc.so
|
||||||
|
%{_libdir}/freeradius/rlm_eap_leap.so
|
||||||
%{_libdir}/freeradius/rlm_eap_md5.so
|
%{_libdir}/freeradius/rlm_eap_md5.so
|
||||||
%{_libdir}/freeradius/rlm_eap_mschapv2.so
|
%{_libdir}/freeradius/rlm_eap_mschapv2.so
|
||||||
%{_libdir}/freeradius/rlm_eap_peap.so
|
%{_libdir}/freeradius/rlm_eap_peap.so
|
||||||
@ -658,10 +693,10 @@ EOF
|
|||||||
%{_libdir}/freeradius/rlm_expr.so
|
%{_libdir}/freeradius/rlm_expr.so
|
||||||
%{_libdir}/freeradius/rlm_files.so
|
%{_libdir}/freeradius/rlm_files.so
|
||||||
%{_libdir}/freeradius/rlm_ippool.so
|
%{_libdir}/freeradius/rlm_ippool.so
|
||||||
%{_libdir}/freeradius/rlm_json.so
|
|
||||||
%{_libdir}/freeradius/rlm_linelog.so
|
%{_libdir}/freeradius/rlm_linelog.so
|
||||||
%{_libdir}/freeradius/rlm_logintime.so
|
%{_libdir}/freeradius/rlm_logintime.so
|
||||||
%{_libdir}/freeradius/rlm_mschap.so
|
%{_libdir}/freeradius/rlm_mschap.so
|
||||||
|
%{_libdir}/freeradius/rlm_otp.so
|
||||||
%{_libdir}/freeradius/rlm_pam.so
|
%{_libdir}/freeradius/rlm_pam.so
|
||||||
%{_libdir}/freeradius/rlm_pap.so
|
%{_libdir}/freeradius/rlm_pap.so
|
||||||
%{_libdir}/freeradius/rlm_passwd.so
|
%{_libdir}/freeradius/rlm_passwd.so
|
||||||
@ -674,16 +709,15 @@ EOF
|
|||||||
%{_libdir}/freeradius/rlm_sql.so
|
%{_libdir}/freeradius/rlm_sql.so
|
||||||
%{_libdir}/freeradius/rlm_sqlcounter.so
|
%{_libdir}/freeradius/rlm_sqlcounter.so
|
||||||
%{_libdir}/freeradius/rlm_sqlippool.so
|
%{_libdir}/freeradius/rlm_sqlippool.so
|
||||||
%{_libdir}/freeradius/rlm_sql_map.so
|
|
||||||
%{_libdir}/freeradius/rlm_sql_null.so
|
%{_libdir}/freeradius/rlm_sql_null.so
|
||||||
%{_libdir}/freeradius/rlm_totp.so
|
|
||||||
%{_libdir}/freeradius/rlm_unix.so
|
%{_libdir}/freeradius/rlm_unix.so
|
||||||
%{_libdir}/freeradius/rlm_unpack.so
|
%{_libdir}/freeradius/rlm_unpack.so
|
||||||
%{_libdir}/freeradius/rlm_utf8.so
|
%{_libdir}/freeradius/rlm_utf8.so
|
||||||
%{_libdir}/freeradius/rlm_wimax.so
|
%{_libdir}/freeradius/rlm_wimax.so
|
||||||
|
|
||||||
|
%if ! 0%{?rhel}
|
||||||
%{_libdir}/freeradius/rlm_yubikey.so
|
%{_libdir}/freeradius/rlm_yubikey.so
|
||||||
%{_libdir}/freeradius/rlm_dpsk.so
|
%endif
|
||||||
%{_libdir}/freeradius/rlm_eap_teap.so
|
|
||||||
|
|
||||||
# main man pages
|
# main man pages
|
||||||
%doc %{_mandir}/man5/clients.conf.5.gz
|
%doc %{_mandir}/man5/clients.conf.5.gz
|
||||||
@ -704,7 +738,6 @@ EOF
|
|||||||
%doc %{_mandir}/man5/rlm_passwd.5.gz
|
%doc %{_mandir}/man5/rlm_passwd.5.gz
|
||||||
%doc %{_mandir}/man5/rlm_realm.5.gz
|
%doc %{_mandir}/man5/rlm_realm.5.gz
|
||||||
%doc %{_mandir}/man5/rlm_sql.5.gz
|
%doc %{_mandir}/man5/rlm_sql.5.gz
|
||||||
%doc %{_mandir}/man5/rlm_unbound.5.gz
|
|
||||||
%doc %{_mandir}/man5/rlm_unix.5.gz
|
%doc %{_mandir}/man5/rlm_unix.5.gz
|
||||||
%doc %{_mandir}/man5/unlang.5.gz
|
%doc %{_mandir}/man5/unlang.5.gz
|
||||||
%doc %{_mandir}/man5/users.5.gz
|
%doc %{_mandir}/man5/users.5.gz
|
||||||
@ -712,7 +745,6 @@ EOF
|
|||||||
%doc %{_mandir}/man8/radiusd.8.gz
|
%doc %{_mandir}/man8/radiusd.8.gz
|
||||||
%doc %{_mandir}/man8/radmin.8.gz
|
%doc %{_mandir}/man8/radmin.8.gz
|
||||||
%doc %{_mandir}/man8/radrelay.8.gz
|
%doc %{_mandir}/man8/radrelay.8.gz
|
||||||
%doc %{_mandir}/man8/rlm_sqlippool_tool.8.gz
|
|
||||||
|
|
||||||
# MIB files
|
# MIB files
|
||||||
%{_datadir}/snmp/mibs/*RADIUS*.mib
|
%{_datadir}/snmp/mibs/*RADIUS*.mib
|
||||||
@ -756,12 +788,13 @@ EOF
|
|||||||
|
|
||||||
%{_libdir}/freeradius/rlm_perl.so
|
%{_libdir}/freeradius/rlm_perl.so
|
||||||
|
|
||||||
%if 0%{?fedora} <= 30 && 0%{?rhel} < 8
|
%if %{with python2}
|
||||||
%files -n python2-freeradius
|
%files -n python2-freeradius
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/python
|
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/python
|
||||||
/etc/raddb/mods-config/python/example.py*
|
/etc/raddb/mods-config/python/example.py*
|
||||||
/etc/raddb/mods-config/python/radiusd.py*
|
/etc/raddb/mods-config/python/radiusd.py*
|
||||||
%{_libdir}/freeradius/rlm_python.so
|
%{_libdir}/freeradius/rlm_python.so
|
||||||
|
# endif: with python2
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%files -n python3-freeradius
|
%files -n python3-freeradius
|
||||||
@ -774,7 +807,6 @@ EOF
|
|||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/mysql
|
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/mysql
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/weeklycounter.conf
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
|
||||||
|
|
||||||
@ -782,55 +814,19 @@ EOF
|
|||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/queries.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/queries.conf
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/schema.sql
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/schema.sql
|
||||||
|
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql
|
|
||||||
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql/queries.conf
|
|
||||||
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql/schema.sql
|
|
||||||
|
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql
|
|
||||||
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/queries.conf
|
|
||||||
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/schema.sql
|
|
||||||
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/setup.sql
|
|
||||||
|
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle
|
|
||||||
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle/queries.conf
|
|
||||||
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle/schema.sql
|
|
||||||
|
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql
|
|
||||||
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/queries.conf
|
|
||||||
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/schema.sql
|
|
||||||
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/setup.sql
|
|
||||||
|
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite
|
|
||||||
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite/queries.conf
|
|
||||||
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite/schema.sql
|
|
||||||
|
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql
|
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/queries.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/schema.sql
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/schema.sql
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure.sql
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure.sql
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure-no-skip-locked.sql
|
|
||||||
|
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql
|
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/procedure.sql
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/procedure-no-skip-locked.sql
|
|
||||||
|
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mssql
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/procedure.sql
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/queries.conf
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/schema.sql
|
|
||||||
|
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/procedure.sql
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/queries.conf
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/schema.sql
|
|
||||||
|
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql
|
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/setup.sql
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/setup.sql
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/queries.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/queries.conf
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/schema.sql
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/schema.sql
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/process-radacct.sql
|
|
||||||
|
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras
|
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras/wimax
|
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras/wimax
|
||||||
@ -848,7 +844,6 @@ EOF
|
|||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/postgresql
|
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/postgresql
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/dailycounter.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/dailycounter.conf
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/expire_on_login.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/expire_on_login.conf
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/weeklycounter.conf
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/monthlycounter.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/monthlycounter.conf
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/noresetcounter.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/noresetcounter.conf
|
||||||
|
|
||||||
@ -865,7 +860,6 @@ EOF
|
|||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/setup.sql
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/setup.sql
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/queries.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/queries.conf
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/schema.sql
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/schema.sql
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/process-radacct.sql
|
|
||||||
|
|
||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql/extras
|
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql/extras
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf
|
||||||
@ -877,7 +871,6 @@ EOF
|
|||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/sqlite
|
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/sqlite
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/dailycounter.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/dailycounter.conf
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/noresetcounter.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/noresetcounter.conf
|
||||||
|
|
||||||
@ -896,9 +889,6 @@ EOF
|
|||||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/sqlite
|
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/sqlite
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/queries.conf
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/queries.conf
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/schema.sql
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/schema.sql
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/process-radacct-schema.sql
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/process-radacct-close-after-reload.pl
|
|
||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/process-radacct-new-data-usage-period.sh
|
|
||||||
|
|
||||||
%{_libdir}/freeradius/rlm_sql_sqlite.so
|
%{_libdir}/freeradius/rlm_sql_sqlite.so
|
||||||
|
|
||||||
@ -914,242 +904,89 @@ EOF
|
|||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.2.5-4
|
* Thu Jul 11 2023 Antonio Torres <antorres@redhat.com> - 3.0.20-15
|
||||||
- Bump release for October 2024 mass rebuild:
|
- Backport BlastRADIUS CVE fix
|
||||||
Resolves: RHEL-64018
|
Resolves: RHEL-46572
|
||||||
|
|
||||||
* Thu Aug 08 2024 Troy Dawson <tdawson@redhat.com> - 3.2.5-3
|
* Fri Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-14
|
||||||
- Bump release for Aug 2024 java mass rebuild
|
- Fix defect found by Covscan
|
||||||
|
Resolves: #2151704
|
||||||
|
|
||||||
* Wed Jul 10 2024 Antonio Torres <antorres@redhat.com> - 3.2.5-2
|
* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-13
|
||||||
- Disable unsupported Perl script
|
- Fix multiple CVEs
|
||||||
|
- Add rpminspect configuration
|
||||||
|
Resolves: #2151702
|
||||||
|
Resolves: #2151704
|
||||||
|
Resolves: #2151706
|
||||||
|
|
||||||
* Tue Jul 09 2024 Antonio Torres <antorres@redhat.com> - 3.2.5-1
|
* Thu Dec 9 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-12
|
||||||
- Rebase to release 3.2.5
|
- Fix segfault when home_server is null
|
||||||
Resolves: RHEL-46784
|
Resolves: bz#2030173
|
||||||
|
|
||||||
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.2.3-7
|
* Thu Nov 18 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-11
|
||||||
- Bump release for June 2024 mass rebuild
|
- Fix unterminated strings in SQL queries
|
||||||
|
Resolves: bz#2021247
|
||||||
|
|
||||||
* Thu Apr 04 2024 Antonio Torres <antorres@redhat.com> - 3.2.3-6
|
* Fri Nov 12 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-10
|
||||||
- Remove SQL helper script from package
|
- Rebuild to pick up latest json-c
|
||||||
Resolves: RHEL-31745
|
Resolves: bz#2021818
|
||||||
|
|
||||||
* Tue Apr 02 2024 Antonio Torres <antorres@redhat.com> - 3.2.3-5
|
* Tue Aug 03 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-9
|
||||||
- Remove Antora docs from package
|
- radiusd.service: don't fail if bootstrap script is not present
|
||||||
Resolves: RHEL-31184
|
Resolves: bz#1954521
|
||||||
|
|
||||||
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.3-4
|
* Fri Jul 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-8
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
- Extend info about boostrap script in README and comments
|
||||||
|
Resolves: bz#1954521
|
||||||
|
|
||||||
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.3-3
|
* Wed Jul 21 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-7
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
- Ensure bootstrap script is run only once
|
||||||
|
Resolves: bz#1954521
|
||||||
|
|
||||||
* Tue Dec 19 2023 Florian Weimer <fweimer@redhat.com> - 3.2.3-2
|
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-6
|
||||||
- Fix C compatibility issue in configure script
|
- Exit if host in FIPS mode and MD5 usage not explicitly allowed
|
||||||
|
Resolves: bz#1958979
|
||||||
|
|
||||||
* Tue Oct 24 2023 Antonio Torres <antorres@redhat.com> - 3.2.3-1
|
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-5
|
||||||
- Update to upstream release 3.2.3
|
|
||||||
|
|
||||||
* Tue Sep 12 2023 Antonio Torres <antorres@redhat.com> - 3.2.2-5
|
|
||||||
- Ease OpenSSL version check requirement
|
|
||||||
Resolves #2238511
|
|
||||||
|
|
||||||
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.2-4
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Jul 11 2023 Jitka Plesnikova <jplesnik@redhat.com> - 3.2.2-3
|
|
||||||
- Perl 5.38 rebuild
|
|
||||||
|
|
||||||
* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 3.2.2-2
|
|
||||||
- Rebuilt for Python 3.12
|
|
||||||
|
|
||||||
* Tue Mar 21 2023 Antonio Torres <antorres@redhat.com> - 3.2.2-1
|
|
||||||
- Update to upstream release 3.2.2
|
|
||||||
|
|
||||||
* Wed Mar 15 2023 Antonio Torres <antorres@redhat.com> - 3.2.1-4
|
|
||||||
- Migrate to SPDX license
|
|
||||||
|
|
||||||
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.1-3
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Oct 17 2022 Antonio Torres <antorres@redhat.com> - 3.2.1-2
|
|
||||||
- Remove hack for Python3 support from specfile
|
|
||||||
|
|
||||||
* Mon Oct 17 2022 Antonio Torres <antorres@redhat.com> - 3.2.1-1
|
|
||||||
- Update to 3.2.1 upstream release
|
|
||||||
Resolves #2131850
|
|
||||||
|
|
||||||
* Tue Sep 20 2022 Antonio Torres <antorres@redhat.com> - 3.2.0-4
|
|
||||||
- Remove deprecated pcre-devel dependency
|
|
||||||
Resolves #2128292
|
|
||||||
|
|
||||||
* Mon Sep 5 2022 Antonio Torres <antorres@redhat.com> - 3.2.0-3
|
|
||||||
- configure: allow building with runstatedir option
|
|
||||||
Resolves: #2123374
|
|
||||||
|
|
||||||
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.0-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Jul 19 2022 Antonio Torres <antorres@redhat.com> - 3.2.0-1
|
|
||||||
- Rebase to 3.2.0 upstream release
|
|
||||||
Related: #2077687
|
|
||||||
|
|
||||||
* Wed Jun 29 2022 Antonio Torres <antorres@redhat.com> - 3.0.25-8
|
|
||||||
- Use GID / UID 95 as it's reserved for FreeRADIUS (https://pagure.io/setup/blob/07f8debf03dfb0e5ed36051c13c86c8cd00cd241/f/uidgid#_107)
|
|
||||||
Related: #2095741
|
|
||||||
|
|
||||||
* Fri Jun 24 2022 Antonio Torres <antorres@redhat.com> - 3.0.25-7
|
|
||||||
- Dynamically allocate users using sysusers.d format
|
|
||||||
Related: #2095741
|
|
||||||
|
|
||||||
* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 3.0.25-6
|
|
||||||
- Rebuilt for Python 3.11
|
|
||||||
|
|
||||||
* Tue May 31 2022 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.25-5
|
|
||||||
- Perl 5.36 rebuild
|
|
||||||
|
|
||||||
* Fri Apr 22 2022 Antonio Torres <antorres@redhat.com> - 3.0.25-4
|
|
||||||
- Use infinite timeout when using LDAP+start-TLS
|
|
||||||
Related: #1983063
|
|
||||||
|
|
||||||
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.25-3
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Oct 14 2021 Antonio Torres <antorres@redhat.com> - 3.0.25-2
|
|
||||||
- Fix file conflict in SQL files
|
|
||||||
Resolves: bz#2014014
|
|
||||||
|
|
||||||
* Fri Oct 08 2021 Antonio Torres <antorres@redhat.com> - 3.0.25-1
|
|
||||||
- Update to 3.0.25.
|
|
||||||
Resolves: bz#2011984
|
|
||||||
|
|
||||||
* Thu Sep 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.24-1
|
|
||||||
- Update to 3.0.24.
|
|
||||||
Resolves: bz#2009036
|
|
||||||
|
|
||||||
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 3.0.23-7
|
|
||||||
- Rebuilt with OpenSSL 3.0.0
|
|
||||||
|
|
||||||
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.23-6
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Jul 15 2021 Antonio Torres <antorres@redhat.com> - 3.0.23-5
|
|
||||||
- Fix coredump not being able to be enabled
|
- Fix coredump not being able to be enabled
|
||||||
|
Resolves: bz#1977572
|
||||||
|
|
||||||
* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 3.0.23-4
|
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-4
|
||||||
- Rebuild for versioned symbols in json-c
|
- Fix some manpage typos
|
||||||
|
Resolves: bz#1843807
|
||||||
|
|
||||||
* Tue Jun 29 2021 Antonio Torres <antorres@redhat.com> - 3.0.23-2
|
* Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
|
||||||
- Fix rpath not being removed correctly
|
- Require make for proper bootstrap execution, removes post script
|
||||||
|
Resolves: bz#1672285
|
||||||
|
|
||||||
* Tue Jun 29 2021 Antonio Torres <antorres@redhat.com> - 3.0.23-2
|
* Wed Aug 05 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-2
|
||||||
- Remove RPATH usage from additional binaries
|
- Fix breakage caused by OpenSSL FIPS regression
|
||||||
|
Related: bz#1855822
|
||||||
|
Related: bz#1810911
|
||||||
|
Resolves: bz#1672285
|
||||||
|
|
||||||
* Tue Jun 29 2021 Antonio Torres <antorres@redhat.com> - 3.0.23-1
|
* Mon Jun 08 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-1
|
||||||
- Rebase to 3.0.23
|
- Update to FreeRADIUS server version 3.0.20
|
||||||
Fixes: bz#1970528
|
- Introduce Python 3 support; resolves: bz#1623069
|
||||||
|
- DoS issues due to multithreaded BN_CTX access; resolves: bz#1818809
|
||||||
|
- Create tmp files in /run; resolves: bz#1805975
|
||||||
|
|
||||||
* Tue Jun 29 2021 Antonio Torres <antorres@redhat.com> - 3.0.22-5
|
* Fri Nov 22 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-7
|
||||||
- Fix binaries not being correctly linked after RPATH removal
|
- Fix information leak due to aborting when needing more than 10 iterations
|
||||||
|
Resolves: bz#1751797
|
||||||
|
|
||||||
* Fri Jun 25 2021 Antonio Torres <antorres@redhat.com> - 3.0.22-4
|
* Fri Jun 14 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-6
|
||||||
- Fix python3 not being correctly linked
|
- Fix handling of IPv6-only hostnames with listen.ipaddr
|
||||||
|
Resolves: bz#1685546
|
||||||
|
|
||||||
* Mon Jun 07 2021 Python Maint <python-maint@redhat.com> - 3.0.22-2
|
* Fri Jun 14 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-5
|
||||||
- Rebuilt for Python 3.10
|
- Fix possible privilege escalation due to insecure logrotate configuration
|
||||||
|
Resolves: bz#1719369
|
||||||
|
|
||||||
* Fri Jun 4 2021 Antonio Torres <antorres@redhat.com> - 3.0.22-1
|
* Fri Dec 14 2018 Alexander Scheel <ascheel@redhat.com> - 3.0.17-4
|
||||||
- Rebased to 3.0.22
|
- Fixes two EAP-PWD security issues
|
||||||
Resolves: bz#1961190
|
Resolves: bz#1699417 authentication bypass with an invalid curve attack
|
||||||
|
Resolves: bz#1699421 fake authentication using reflection
|
||||||
* Fri May 21 2021 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.21-12
|
|
||||||
- Perl 5.34 rebuild
|
|
||||||
|
|
||||||
* Wed Mar 10 2021 Robbie Harwood <rharwood@redhat.com> - 3.0.21-11
|
|
||||||
- Disable automatic bootstrap
|
|
||||||
|
|
||||||
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.0.21-10
|
|
||||||
- Rebuilt for updated systemd-rpm-macros
|
|
||||||
See https://pagure.io/fesco/issue/2583.
|
|
||||||
|
|
||||||
* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 3.0.21-9
|
|
||||||
- rebuild for libpq ABI fix rhbz#1908268
|
|
||||||
|
|
||||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.21-8
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Aug 04 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-7
|
|
||||||
- Fix certificate permissions after make-based generation
|
|
||||||
Resolves: bz#1835249
|
|
||||||
|
|
||||||
* Tue Aug 04 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-6
|
|
||||||
- Fix certificate permissions after make-based generation
|
|
||||||
Resolves: bz#1835249
|
|
||||||
|
|
||||||
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.21-5
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.21-4
|
|
||||||
- Perl 5.32 rebuild
|
|
||||||
|
|
||||||
* Wed May 13 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-3
|
|
||||||
- Fix certificate generation
|
|
||||||
Resolves: bz#1835249
|
|
||||||
|
|
||||||
* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 3.0.21-2
|
|
||||||
- Rebuild (json-c)
|
|
||||||
|
|
||||||
* Wed Apr 01 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-1
|
|
||||||
- Rebased to 3.0.21
|
|
||||||
Resolves: bz#1816745
|
|
||||||
|
|
||||||
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.20-3
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
|
||||||
|
|
||||||
* Sat Jan 11 2020 Paul Wouters <pwouters@redhat.com> - 3.0.20-2
|
|
||||||
- fixup tmpfile to use /run instead of /var/run
|
|
||||||
|
|
||||||
* Fri Nov 15 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.20-1
|
|
||||||
- Rebased to 3.0.20
|
|
||||||
Resolves: bz#1772710
|
|
||||||
- Introduced new rlm_python3 module
|
|
||||||
|
|
||||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.19-5
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
|
||||||
|
|
||||||
* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.19-4
|
|
||||||
- Perl 5.30 rebuild
|
|
||||||
|
|
||||||
* Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-3
|
|
||||||
- Update boostrap to change ownership of all certificates to root:radiusd
|
|
||||||
|
|
||||||
* Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-2
|
|
||||||
- Updated crypto-policies patch
|
|
||||||
- Updated /etc/raddb/certs/bootstrap to only create certificates if missing: bz#1705165 bz#1672284
|
|
||||||
- Updated logrotate definitions to run as radiusd:radiusd: bz#1705343
|
|
||||||
- Drop python2 package on Fedora 31+
|
|
||||||
- Add database dependencies: bz#1658697
|
|
||||||
- Don't generate certificate during build
|
|
||||||
|
|
||||||
* Wed Apr 10 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-1
|
|
||||||
- Rebased to 3.0.19
|
|
||||||
|
|
||||||
* Wed Mar 06 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.18-1
|
|
||||||
- Rebased to 3.0.18
|
|
||||||
|
|
||||||
* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 3.0.17-6
|
|
||||||
- Rebuild for readline 8.0
|
|
||||||
|
|
||||||
* Tue Feb 05 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-5
|
|
||||||
- Unit file generates certificates if not present.
|
|
||||||
Resolves: bz#1672284
|
|
||||||
|
|
||||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.17-4
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 3.0.17-3
|
|
||||||
- Rebuilt for libcrypt.so.2 (#1666033)
|
|
||||||
|
|
||||||
* Fri Dec 14 2018 Alexander Scheel <ascheel@redhat.com> - 3.0.17-2
|
* Fri Dec 14 2018 Alexander Scheel <ascheel@redhat.com> - 3.0.17-2
|
||||||
- Updates radiusd.service to start after network-online.target
|
- Updates radiusd.service to start after network-online.target
|
||||||
@ -1162,27 +999,25 @@ EOF
|
|||||||
|
|
||||||
* Mon Sep 17 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-18
|
* Mon Sep 17 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-18
|
||||||
- Actually apply patches added previously.
|
- Actually apply patches added previously.
|
||||||
Related: Bug#1611286 Man page scan results for freeradius
|
Related: Bug#1612512 Man page scan results for freeradius
|
||||||
|
|
||||||
* Fri Sep 14 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-17
|
* Fri Sep 14 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-17
|
||||||
- Fix a few minor manpage issues.
|
- Fix a few minor manpage issues.
|
||||||
Resolves: Bug#1611286 Man page scan results for freeradius
|
Resolves: Bug#1612512 Man page scan results for freeradius
|
||||||
|
|
||||||
* Fri Sep 07 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-16
|
* Wed Sep 12 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-16
|
||||||
- Add make to BuildRequires and Requires(post) to fix build and certificate
|
- Add make to Requires(post) to fix certificate generation on install.
|
||||||
generation on install.
|
Resolves: Bug#1628213 FreeRADIUS fails to start due to default certificate
|
||||||
Resolves: Bug#1574783 Installing freeradius without make results in an
|
permissions
|
||||||
unworkable default configuration
|
|
||||||
|
|
||||||
* Tue Sep 04 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-15
|
* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 3.0.15-15
|
||||||
- Add gcc to BuildRequires.
|
- Rebuild with fixed binutils
|
||||||
Resolves: Bug#1622470 FTBFS freeradius (rawhide)
|
|
||||||
|
|
||||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.15-14
|
* Wed Jul 25 2018 Petr Kubat <pkubat@redhat.com> - 3.0.15-14
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
- Rebuilt for gdbm
|
||||||
|
|
||||||
* Fri Jun 29 2018 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.15-13
|
* Mon Jun 11 2018 Charalampos Stratakis <cstratak@redhat.com> - 3.0.15-13
|
||||||
- Perl 5.28 rebuild
|
- Disable the python2 subpackage
|
||||||
|
|
||||||
* Tue Mar 06 2018 Björn Esser <besser82@fedoraproject.org> - 3.0.15-12
|
* Tue Mar 06 2018 Björn Esser <besser82@fedoraproject.org> - 3.0.15-12
|
||||||
- Rebuilt for libjson-c.so.4 (json-c v0.13.1)
|
- Rebuilt for libjson-c.so.4 (json-c v0.13.1)
|
@ -1,35 +0,0 @@
|
|||||||
The backtrace_symbols function expects a pointer to an array of void *
|
|
||||||
values, not a pointer to an array of a single element. Removing the
|
|
||||||
address operator ensures that the right type is used.
|
|
||||||
|
|
||||||
This avoids an unconditional failure of this probe with compilers that
|
|
||||||
treat incompatible pointer types as a compilation error.
|
|
||||||
|
|
||||||
Submitted upstream: <https://github.com/FreeRADIUS/freeradius-server/pull/5246>
|
|
||||||
|
|
||||||
diff --git a/configure b/configure
|
|
||||||
index ed01ee2bdd912f63..1e6d2284779cdd58 100755
|
|
||||||
--- a/configure
|
|
||||||
+++ b/configure
|
|
||||||
@@ -13390,7 +13390,7 @@ main (void)
|
|
||||||
{
|
|
||||||
|
|
||||||
void *sym[1];
|
|
||||||
- backtrace_symbols(&sym, sizeof(sym))
|
|
||||||
+ backtrace_symbols(sym, sizeof(sym))
|
|
||||||
;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index 76320213b51d7bb4..6a689711d6c90483 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -2168,7 +2168,7 @@ if test "x$ac_cv_header_execinfo_h" = "xyes"; then
|
|
||||||
#include <execinfo.h>
|
|
||||||
]], [[
|
|
||||||
void *sym[1];
|
|
||||||
- backtrace_symbols(&sym, sizeof(sym)) ]])],[
|
|
||||||
+ backtrace_symbols(sym, sizeof(sym)) ]])],[
|
|
||||||
AC_MSG_RESULT(yes)
|
|
||||||
ac_cv_lib_execinfo_backtrace_symbols="yes"
|
|
||||||
],[
|
|
@ -1,55 +0,0 @@
|
|||||||
From: Antonio Torres <antorres@redhat.com>
|
|
||||||
Date: Wed, 10 Jul 2024
|
|
||||||
Subject: Remove OpenSSL Engine usage
|
|
||||||
|
|
||||||
Engine functionality from OpenSSL is deprecated and shouldn't be used.
|
|
||||||
|
|
||||||
Related: https://gitlab.com/redhat/centos-stream/rpms/openssl/-/merge_requests/144
|
|
||||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
|
||||||
---
|
|
||||||
configure | 2 +-
|
|
||||||
configure.ac | 3 +--
|
|
||||||
src/include/tls-h | 3 ---
|
|
||||||
3 files changed, 2 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/configure b/configure
|
|
||||||
index 5041ca264f..5ccb061a4c 100755
|
|
||||||
--- a/configure
|
|
||||||
+++ b/configure
|
|
||||||
@@ -10515,7 +10515,7 @@ smart_prefix=
|
|
||||||
printf "%s\n" "#define HAVE_OPENSSL_SSL_H 1" >>confdefs.h
|
|
||||||
|
|
||||||
|
|
||||||
- for ac_header in openssl/asn1.h openssl/conf.h openssl/crypto.h openssl/err.h openssl/evp.h openssl/hmac.h openssl/md5.h openssl/md4.h openssl/rand.h openssl/sha.h openssl/ssl.h openssl/ocsp.h openssl/engine.h
|
|
||||||
+ for ac_header in openssl/asn1.h openssl/conf.h openssl/crypto.h openssl/err.h openssl/evp.h openssl/hmac.h openssl/md5.h openssl/md4.h openssl/rand.h openssl/sha.h openssl/ssl.h openssl/ocsp.h
|
|
||||||
do :
|
|
||||||
as_ac_Header=`printf "%s\n" "ac_cv_header_$ac_header" | $as_tr_sh`
|
|
||||||
ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index a24a8061f6..f6074f694e 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -1446,8 +1446,7 @@ if test "x$WITH_OPENSSL" = xyes; then
|
|
||||||
openssl/rand.h \
|
|
||||||
openssl/sha.h \
|
|
||||||
openssl/ssl.h \
|
|
||||||
- openssl/ocsp.h \
|
|
||||||
- openssl/engine.h,
|
|
||||||
+ openssl/ocsp.h,
|
|
||||||
[ OPENSSL_CPPFLAGS="$smart_include" ],
|
|
||||||
[
|
|
||||||
AC_MSG_FAILURE([failed locating OpenSSL headers. Use --with-openssl-include-dir=<path>, or --with-openssl=no (builds without OpenSSL)])
|
|
||||||
diff --git a/src/include/tls-h b/src/include/tls-h
|
|
||||||
index 506fb19778..b195ec9fdb 100644
|
|
||||||
--- a/src/include/tls-h
|
|
||||||
+++ b/src/include/tls-h
|
|
||||||
@@ -37,9 +37,6 @@ RCSIDH(tls_h, "$Id$")
|
|
||||||
# define OPENSSL_NO_KRB5
|
|
||||||
#endif
|
|
||||||
#include <openssl/err.h>
|
|
||||||
-#ifdef HAVE_OPENSSL_ENGINE_H
|
|
||||||
-# include <openssl/engine.h>
|
|
||||||
-#endif
|
|
||||||
#include <openssl/ssl.h>
|
|
||||||
|
|
||||||
#ifdef __cplusplus
|
|
@ -1,22 +0,0 @@
|
|||||||
From: Antonio Torres <antorres@redhat.com>
|
|
||||||
Date: Wed, 10 Jul 2024
|
|
||||||
Subject: Remove unsupported Perl script from package
|
|
||||||
|
|
||||||
The recently added radsecret script depends on unsupported packages
|
|
||||||
(Convert::Base32 and Crypt::URandom, which are available only in EPEL), so
|
|
||||||
remove it from package.
|
|
||||||
|
|
||||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
|
||||||
---
|
|
||||||
src/main/all.mk | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/main/all.mk b/src/main/all.mk
|
|
||||||
index f3db386a2a..2517cd215a 100644
|
|
||||||
--- a/src/main/all.mk
|
|
||||||
+++ b/src/main/all.mk
|
|
||||||
@@ -1,3 +1,3 @@
|
|
||||||
SUBMAKEFILES := radclient.mk radiusd.mk radsniff.mk radmin.mk radattr.mk \
|
|
||||||
- radwho.mk radlast.mk radtest.mk radzap.mk checkrad.mk radsecret.mk \
|
|
||||||
+ radwho.mk radlast.mk radtest.mk radzap.mk checkrad.mk \
|
|
||||||
libfreeradius-server.mk unittest.mk
|
|
@ -1,35 +0,0 @@
|
|||||||
From: Antonio Torres <antorres@redhat.com>
|
|
||||||
Date: Tue, 12 Sep 2023
|
|
||||||
Subject: Ease OpenSSL version check requirement
|
|
||||||
|
|
||||||
FreeRADIUS includes an OpenSSL version check that compares built vs linked version,
|
|
||||||
and fails to start if this check fails. We can ease this requirement in Fedora/RHEL as
|
|
||||||
ABI changes are tracked and soname is changed accordingly, as discussed in previous
|
|
||||||
Bugzilla for this issue [1].
|
|
||||||
|
|
||||||
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1299388
|
|
||||||
|
|
||||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2238511
|
|
||||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
|
||||||
---
|
|
||||||
src/main/version.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/main/version.c b/src/main/version.c
|
|
||||||
index c190337c1d..fee2150eb2 100644
|
|
||||||
--- a/src/main/version.c
|
|
||||||
+++ b/src/main/version.c
|
|
||||||
@@ -79,11 +79,11 @@ int ssl_check_consistency(void)
|
|
||||||
*/
|
|
||||||
if ((ssl_linked & 0x0000000f) != (ssl_built & 0x0000000f)) {
|
|
||||||
mismatch:
|
|
||||||
- ERROR("libssl version mismatch. built: %lx linked: %lx",
|
|
||||||
+ DEBUG2("libssl version mismatch. built: %lx linked: %lx",
|
|
||||||
(unsigned long) ssl_built,
|
|
||||||
(unsigned long) ssl_linked);
|
|
||||||
|
|
||||||
- return -1;
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
@ -1,31 +0,0 @@
|
|||||||
From: Antonio Torres <antorres@redhat.com>
|
|
||||||
Date: Fri, 28 Jan 2022
|
|
||||||
Subject: Use infinite timeout when using LDAP+start-TLS
|
|
||||||
|
|
||||||
This will ensure that the TLS connection to the LDAP server will complete
|
|
||||||
before starting FreeRADIUS, as it forces libldap to use a blocking socket during
|
|
||||||
the process. Infinite timeout is the OpenLDAP default.
|
|
||||||
Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
|
|
||||||
|
|
||||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
|
|
||||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
|
||||||
---
|
|
||||||
src/modules/rlm_ldap/ldap.c | 5 ++++-
|
|
||||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
|
|
||||||
index cf7a84e069..841bf888a1 100644
|
|
||||||
--- a/src/modules/rlm_ldap/ldap.c
|
|
||||||
+++ b/src/modules/rlm_ldap/ldap.c
|
|
||||||
@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef LDAP_OPT_NETWORK_TIMEOUT
|
|
||||||
- if (inst->net_timeout) {
|
|
||||||
+ bool using_tls = inst->start_tls ||
|
|
||||||
+ inst->port == 636 ||
|
|
||||||
+ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
|
|
||||||
+ if (inst->net_timeout && !using_tls) {
|
|
||||||
memset(&tv, 0, sizeof(tv));
|
|
||||||
tv.tv_sec = inst->net_timeout;
|
|
||||||
|
|
File diff suppressed because it is too large
@ -1,31 +0,0 @@
|
|||||||
From: Antonio Torres <antorres@redhat.com>
|
|
||||||
Date: Wed, 3 Apr 2024
|
|
||||||
Subject: Remove SQL helper script from package
|
|
||||||
|
|
||||||
This helper script is not needed in RHEL since we stopped supporting the
|
|
||||||
freeradius SQL subpackages.
|
|
||||||
|
|
||||||
Resolves: RHEL-31745
|
|
||||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
|
||||||
---
|
|
||||||
scripts/all.mk | 5 +----
|
|
||||||
1 file changed, 1 insertion(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/scripts/all.mk b/scripts/all.mk
|
|
||||||
index a6e90aa3eb..2f7845a632 100644
|
|
||||||
--- a/scripts/all.mk
|
|
||||||
+++ b/scripts/all.mk
|
|
||||||
@@ -1,5 +1,5 @@
|
|
||||||
install: $(R)$(sbindir)/rc.radiusd $(R)$(sbindir)/raddebug \
|
|
||||||
- $(R)$(bindir)/radsqlrelay $(R)$(bindir)/radcrypt $(R)$(bindir)/rlm_sqlippool_tool
|
|
||||||
+ $(R)$(bindir)/radsqlrelay $(R)$(bindir)/radcrypt
|
|
||||||
|
|
||||||
$(R)$(sbindir)/rc.radiusd: scripts/rc.radiusd
|
|
||||||
@mkdir -p $(dir $@)
|
|
||||||
@@ -17,6 +17,3 @@ $(R)$(bindir)/radcrypt: scripts/cryptpasswd
|
|
||||||
@mkdir -p $(dir $@)
|
|
||||||
@$(INSTALL) -m 755 $< $@
|
|
||||||
|
|
||||||
-$(R)$(bindir)/rlm_sqlippool_tool: scripts/sql/rlm_sqlippool_tool
|
|
||||||
- @mkdir -p $(dir $@)
|
|
||||||
- @$(INSTALL) -m 755 $< $@
|
|
@ -1,3 +0,0 @@
|
|||||||
#Type Name ID GECOS Home directory Shell
|
|
||||||
u radiusd 95 "radiusd user" /var/lib/radiusd /sbin/nologin
|
|
||||||
g radiusd 95 - - -
|
|
@ -1,6 +0,0 @@
|
|||||||
--- !Policy
|
|
||||||
product_versions:
|
|
||||||
- rhel-10
|
|
||||||
decision_context: osci_compose_gate
|
|
||||||
rules:
|
|
||||||
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
|
@ -1,3 +0,0 @@
|
|||||||
---
|
|
||||||
inspections:
|
|
||||||
badfuncs: off
|
|
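--- a/sources
+++ b/sources
@@ -1 +0,0 @@
-SHA512 (freeradius-server-3.2.5.tar.bz2) = 55e653630674a957dcd52ae58e5fd7b5a510b84aaa80e0552bce8089221e02f652618b53753f438981472a5f47df7c8426b9a5ecda0b06ad9f4c25b23604c86b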
@ -1,36 +0,0 @@
|
|||||||
# SPDX-License-Identifier: LGPL-2.1+
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Makefile of /CoreOS/freeradius
|
|
||||||
# Description: Test if freeradius authentication workd ok
|
|
||||||
# Author: Susant Sahani<susant@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
export TEST=/CoreOS/freeradius
|
|
||||||
export TESTVERSION=1.0
|
|
||||||
BUILT_FILES=
|
|
||||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
|
||||||
.PHONY: all install download clean
|
|
||||||
run: $(FILES) build
|
|
||||||
./runtest.sh
|
|
||||||
build: $(BUILT_FILES)
|
|
||||||
test -x runtest.sh || chmod a+x runtest.sh
|
|
||||||
clean:
|
|
||||||
rm -f *~ $(BUILT_FILES)
|
|
||||||
include /usr/share/rhts/lib/rhts-make.include
|
|
||||||
$(METADATA): Makefile
|
|
||||||
@echo "Owner: Susant Sahani<susant@redhat.com>" > $(METADATA)
|
|
||||||
@echo "Name: $(TEST)" >> $(METADATA)
|
|
||||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
|
||||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
|
||||||
@echo "Description: Test if the ABI hasn't changed" >> $(METADATA)
|
|
||||||
@echo "Type: Sanity" >> $(METADATA)
|
|
||||||
@echo "TestTime: 5m" >> $(METADATA)
|
|
||||||
@echo "RunFor: freeradius" >> $(METADATA)
|
|
||||||
@echo "Requires: freeradius" >> $(METADATA)
|
|
||||||
@echo "Priority: Normal" >> $(METADATA)
|
|
||||||
@echo "License: GPLv2" >> $(METADATA)
|
|
||||||
@echo "Confidential: no" >> $(METADATA)
|
|
||||||
@echo "Destructive: no" >> $(METADATA)
|
|
||||||
@echo "Releases: -Fedora 28" >> $(METADATA)
|
|
||||||
rhts-lint $(METADATA)
|
|
@ -1,3 +0,0 @@
|
|||||||
PURPOSE of /CoreOS/freeradius
|
|
||||||
Description: tests for freeradius
|
|
||||||
Author: Susant Sahani<susant@redhat.com>
|
|
@ -1,2 +0,0 @@
|
|||||||
fedora-ci Cleartext-Password := "password"
|
|
||||||
Reply-Message = "Hello, %{User-Name}"
|
|
@ -1,6 +0,0 @@
|
|||||||
client localhost {
|
|
||||||
ipaddr = 127.0.0.1
|
|
||||||
secret = testing123
|
|
||||||
require_message_authenticator = no
|
|
||||||
nastype = other
|
|
||||||
}
|
|
@ -1,67 +0,0 @@
|
|||||||
#!/usr/bin/env python3
|
|
||||||
# SPDX-License-Identifier: LGPL-2.1+
|
|
||||||
# ~~~
|
|
||||||
# Description: Tests for freeradius
|
|
||||||
#
|
|
||||||
# Author: Susant Sahani <susant@redhat.com>
|
|
||||||
# Copyright (c) 2018 Red Hat, Inc.
|
|
||||||
# ~~~
|
|
||||||
|
|
||||||
import errno
|
|
||||||
import os
|
|
||||||
import sys
|
|
||||||
import time
|
|
||||||
import unittest
|
|
||||||
import subprocess
|
|
||||||
import signal
|
|
||||||
import shutil
|
|
||||||
import socket
|
|
||||||
|
|
||||||
RADIUSD_PID_FILE='/var/run/radiusd/radiusd.pid'
|
|
||||||
|
|
||||||
def setUpModule():
|
|
||||||
"""Initialize the environment, and perform sanity checks on it."""
|
|
||||||
|
|
||||||
if shutil.which('radiusd') is None:
|
|
||||||
raise OSError(errno.ENOENT, 'radiusd not found')
|
|
||||||
|
|
||||||
if shutil.which('radtest') is None:
|
|
||||||
raise OSError(errno.ENOENT, 'radtest not found')
|
|
||||||
|
|
||||||
if subprocess.call(['systemctl', 'is-active', '--quiet',
|
|
||||||
'radiusd.service']) == 0:
|
|
||||||
raise unittest.SkipTest('radiusd.service is already active')
|
|
||||||
|
|
||||||
def tearDownModule():
|
|
||||||
pass
|
|
||||||
|
|
||||||
class GenericUtilities():
|
|
||||||
"""Provide a set of utility functions start stop daemons. write config files etc """
|
|
||||||
|
|
||||||
def StartRadiusServer(self):
|
|
||||||
"""Start radiusd"""
|
|
||||||
subprocess.check_output(['systemctl', 'start', 'radiusd'])
|
|
||||||
|
|
||||||
def StopRadiusServer(self):
|
|
||||||
"""stop radiusd"""
|
|
||||||
subprocess.check_output(['systemctl', 'stop', 'radiusd'])
|
|
||||||
|
|
||||||
class RadiousTests(unittest.TestCase, GenericUtilities):
|
|
||||||
|
|
||||||
def setUp(self):
|
|
||||||
self.StartRadiusServer()
|
|
||||||
|
|
||||||
def tearDown(self):
|
|
||||||
self.StopRadiusServer()
|
|
||||||
|
|
||||||
def test_radius_plaintext_auth(self):
|
|
||||||
time.sleep(1)
|
|
||||||
output=subprocess.check_output(['radtest', 'fedora-ci', 'password', '127.0.0.1', '100', 'testing123']).rstrip().decode('utf-8')
|
|
||||||
print(output)
|
|
||||||
|
|
||||||
self.assertRegex(output, "Received Access-Accept")
|
|
||||||
self.assertRegex(output, "Reply-Message = \"Hello, fedora-ci\"")
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
|
||||||
unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout,
|
|
||||||
verbosity=3))
|
|
@ -1,69 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# SPDX-License-Identifier: LGPL-2.1+
|
|
||||||
# ~~~
|
|
||||||
# runtest.sh of freeradius
|
|
||||||
# Description: RADIUS server
|
|
||||||
#
|
|
||||||
# Author: Susant Sahani <susant@redhat.com>
|
|
||||||
# Copyright (c) 2018 Red Hat, Inc.
|
|
||||||
# ~~~
|
|
||||||
|
|
||||||
# Include Beaker environment
|
|
||||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
|
||||||
|
|
||||||
PACKAGE="freeradius"
|
|
||||||
|
|
||||||
RADIUS_CLIENT_CONF="/etc/raddb/clients.conf"
|
|
||||||
RADIUD_PALIN_TEXT_AUTH_FILE="/etc/raddb/mods-config/files/authorize"
|
|
||||||
|
|
||||||
generate_cert(){
|
|
||||||
pushd /etc/raddb/certs/
|
|
||||||
#remove certificates if exists;generate new certificates
|
|
||||||
if [[ -f /etc/raddb/certs/bootstrap ]]; then
|
|
||||||
rlLog "Destroy and create new default certificates via bootstrap script"
|
|
||||||
rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* dh
|
|
||||||
rlRun "sh /etc/raddb/certs/bootstrap" 0 "Gnenerating certificates"
|
|
||||||
else
|
|
||||||
rlLogWarning "!!! WARNING bootsrap file does not exist !!!"
|
|
||||||
rlLog "Destroy and create new default certificates via make scripts"
|
|
||||||
make destroycerts -C /etc/raddb/certs/
|
|
||||||
#create new certificates
|
|
||||||
make -C /etc/raddb/certs/
|
|
||||||
chown root:radiusd dh ca.* client.* server.*
|
|
||||||
chmod 640 dh ca.* client.* server.*
|
|
||||||
fi
|
|
||||||
popd
|
|
||||||
}
|
|
||||||
|
|
||||||
rlJournalStart
|
|
||||||
rlPhaseStartSetup
|
|
||||||
rlAssertRpm $PACKAGE
|
|
||||||
rlRun "systemctl stop firewalld" 0,5
|
|
||||||
rlRun "systemctl stop radiusd.service"
|
|
||||||
rlRun "setenforce 0"
|
|
||||||
rlFileBackup "$RADIUS_CLIENT_CONF"
|
|
||||||
rlFileBackup "$RADIUD_PALIN_TEXT_AUTH_FILE"
|
|
||||||
|
|
||||||
rlRun "cp freeradius-tests.py /usr/bin/"
|
|
||||||
rlRun "cp clients.conf $RADIUS_CLIENT_CONF"
|
|
||||||
rlRun "cp authorize $RADIUD_PALIN_TEXT_AUTH_FILE"
|
|
||||||
rlRun "systemctl daemon-reload"
|
|
||||||
generate_cert
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest
|
|
||||||
rlLog "Starting radius auth tests ..."
|
|
||||||
rlRun "/usr/bin/python3 /usr/bin/freeradius-tests.py"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
|
||||||
rlRun "rm /usr/bin/freeradius-tests.py"
|
|
||||||
rlRun "systemctl start firewalld" 0,5
|
|
||||||
rlRun "setenforce 1"
|
|
||||||
rlFileRestore
|
|
||||||
rlLog "freeradius tests done"
|
|
||||||
rlPhaseEnd
|
|
||||||
rlJournalPrintText
|
|
||||||
rlJournalEnd
|
|
||||||
|
|
||||||
rlGetTestState
|
|
@ -1,12 +0,0 @@
|
|||||||
- hosts: localhost
|
|
||||||
roles:
|
|
||||||
- role: standard-test-beakerlib
|
|
||||||
tags:
|
|
||||||
- classic
|
|
||||||
tests:
|
|
||||||
- auth-tests
|
|
||||||
required_packages:
|
|
||||||
- python3
|
|
||||||
- systemd
|
|
||||||
- freeradius
|
|
||||||
- freeradius-utils
|
|