.freeradius.metadata

@@ -1 +0,0 @@
-3dd0e18fa04aff410876309e4322313b700db2b7 SOURCES/freeradius-server-3.0.20.tar.bz2

.gitignore

@@ -1 +1,45 @@
-SOURCES/freeradius-server-3.0.20.tar.bz2
+# Ignore build artifacts and signatures
+*.sig
+.build*.log
+freeradius-server-*/
+x86_64/
+freeradius-*.src.rpm
+
+# Automatically added
+/freeradius-server-2.1.9.tar.bz2
+/freeradius-server-2.1.10.tar.bz2
+/freeradius-server-2.1.11.tar.bz2
+/freeradius-server-2.1.12.tar.bz2
+/freeradius-server-2.2.0.tar.bz2
+/freeradius-server-release_3_0_0_rc0.tar.gz
+/freeradius-server-release_3_0_0_rc1.tar.gz
+/freeradius-server-3.0.0.tar.bz2
+/freeradius-server-3.0.1.tar.bz2
+/freeradius-server-3.0.2.tar.bz2
+/freeradius-server-3.0.3.tar.bz2
+/freeradius-server-3.0.4rc2.tar.bz2
+/freeradius-server-3.0.4.tar.bz2
+/freeradius-server-3.0.7.tar.bz2
+/freeradius-server-3.0.8.tar.bz2
+/freeradius-server-3.0.9.tar.bz2
+/freeradius-server-3.0.10.tar.bz2
+/freeradius-server-3.0.11.tar.bz2
+/freeradius-server-3.0.12.tar.bz2
+/freeradius-server-3.0.13.tar.bz2
+/freeradius-server-3.0.14.tar.bz2
+/freeradius-server-3.0.15.tar.bz2
+/freeradius-server-3.0.17.tar.bz2
+/freeradius-server-3.0.18.tar.gz
+/freeradius-server-3.0.18.tar.bz2
+/freeradius-server-3.0.19.tar.bz2
+/freeradius-server-3.0.20.tar.bz2
+/freeradius-server-3.0.21.tar.bz2
+/freeradius-server-3.0.22.tar.bz2
+/freeradius-server-3.0.23.tar.bz2
+/freeradius-server-3.0.24.tar.bz2
+/freeradius-server-3.0.25.tar.bz2
+/freeradius-server-3.2.0.tar.bz2
+/freeradius-server-3.2.1.tar.bz2
+/freeradius-server-3.2.2.tar.bz2
+/freeradius-server-3.2.3.tar.bz2
+/freeradius-server-3.2.5.tar.bz2

SOURCES/freeradius-FIPS-exit-if-md5-not-allowed.patch

@@ -1,39 +0,0 @@
-Author: Antonio Torres <antorres@redhat.com>
-Date:   Fri Jul 2 07:12:48 2021 -0400
-Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
-
-	FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
-	explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
-	variable to 1 or else FR should exit at start.
-	
-	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
-	Signed-off-by: Antonio Torres antorres@redhat.com
----
- src/main/radiusd.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/src/main/radiusd.c b/src/main/radiusd.c
-index 9739514509..58a48895e6 100644
---- a/src/main/radiusd.c
-+++ b/src/main/radiusd.c
-@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
- 		exit(EXIT_FAILURE);
- 	}
- 
-+	/*
-+	 *  If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
-+	 */
-+	char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
-+	FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
-+	if (fips_file != NULL) {
-+		int fips_enabled = fgetc(fips_file) - '0';
-+		fclose(fips_file);
-+		if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
-+			fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
-+			exit(EXIT_FAILURE);
-+		}
-+	}
-+
- 	/*
- 	 *  According to the talloc peeps, no two threads may modify any part of
- 	 *  a ctx tree with a common root without synchronisation.

SOURCES/freeradius-Fix-resource-hard-limit-error.patch

@@ -1,32 +0,0 @@
-commit 1ce4508c92493cf03ea1b3c42e83540b387884fa
-Author: Antonio Torres <antorres@redhat.com>
-Date:   Fri Jul 2 07:12:48 2021 -0400
-Subject: [PATCH] debug: don't set resource hard limit to zero
-
-    Setting the resource hard limit to zero is irreversible, meaning if it
-    is set to zero then there is no way to set it higher. This means
-    enabling core dump is not possible, since setting a new resource limit
-    for RLIMIT_CORE would fail. By only setting the soft limit to zero, we
-    can disable and enable core dumps without failures.
-
-    This fix is present in both main and 3.0.x upstream branches.
-    
-    Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572
-    Signed-off-by: Antonio Torres antorres@redhat.com
----
- src/lib/debug.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/lib/debug.c b/src/lib/debug.c
-index 576bcb2a65..6330c9cb66 100644
---- a/src/lib/debug.c
-+++ b/src/lib/debug.c
-@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps)
- 		struct rlimit no_core;
- 
- 		no_core.rlim_cur = 0;
--		no_core.rlim_max = 0;
-+		no_core.rlim_max = core_limits.rlim_max;
- 
- 		if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
- 			fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));

SOURCES/freeradius-Fix-segfault-when-home_server-is-null.patch

@@ -1,51 +0,0 @@
-From e2de6fab148e800380f1929fe4ea88a38de42053 Mon Sep 17 00:00:00 2001
-From: "Alan T. DeKok" <aland@freeradius.org>
-Date: Wed, 20 Nov 2019 13:59:54 -0500
-Subject: [PATCH] a better fix for commit 30ffd21
-
-Which still runs post-proxy-type fail if all of the home servers
-are dead
-
-[antorres@redhat.com: solved in FR 3.0.21, resolves bz#2030173]
-[antorres@redhat.com: removed first hunk of commit, already present]
----
- src/main/process.c | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/src/main/process.c b/src/main/process.c
-index c8b3af24e2..1a48517d43 100644
---- a/src/main/process.c
-+++ b/src/main/process.c
-@@ -2475,13 +2474,12 @@ static int process_proxy_reply(REQUEST *request, RADIUS_PACKET *reply)
- 	}
- 
- 	old_server = request->server;
--	rad_assert(request->home_server != NULL);
- 
- 	/*
- 	 *	If the home server is virtual, just run pre_proxy from
- 	 *	that section.
- 	 */
--	if (request->home_server->server) {
-+	if (request->home_server && request->home_server->server) {
- 		request->server = request->home_server->server;
- 
- 	} else {
-@@ -3182,13 +3180,12 @@ do_home:
- 	}
- 
- 	old_server = request->server;
--	rad_assert(request->home_server != NULL);
- 
- 	/*
- 	 *	If the home server is virtual, just run pre_proxy from
- 	 *	that section.
- 	 */
--	if (request->home_server->server) {
-+	if (request->home_server && request->home_server->server) {
- 		request->server = request->home_server->server;
- 
- 	} else {
--- 
-2.31.1
-

SOURCES/freeradius-Fix-unterminated-strings-in-SQL-queries.patch

@@ -1,41 +0,0 @@
-From 3fd832baf898fe6d6f974cd2d36d1c5206bc2209 Mon Sep 17 00:00:00 2001
-From: Antonio Torres <antorres@redhat.com>
-Date: Fri, 12 Nov 2021 16:23:05 +0100
-Subject: [PATCH] Fix unterminated strings in SQL queries
-
-Resolves: bz#2021247
-Signed-off-by: Antonio Torres <antorres@redhat.com>
----
- raddb/mods-config/sql/ippool/mysql/queries.conf  | 2 +-
- raddb/mods-config/sql/ippool/sqlite/queries.conf | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/raddb/mods-config/sql/ippool/mysql/queries.conf b/raddb/mods-config/sql/ippool/mysql/queries.conf
-index 2dfc6574dd..444812a047 100644
---- a/raddb/mods-config/sql/ippool/mysql/queries.conf
-+++ b/raddb/mods-config/sql/ippool/mysql/queries.conf
-@@ -114,7 +114,7 @@ allocate_update = "\
- 		nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool_key}', \
- 		callingstationid = '%{Calling-Station-Id}', \
- 		username = '%{User-Name}', expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \
--	WHERE framedipaddress = '%I'
-+	WHERE framedipaddress = '%I'"
- 
- #
- #  Use a stored procedure to find AND allocate the address. Read and customise
-diff --git a/raddb/mods-config/sql/ippool/sqlite/queries.conf b/raddb/mods-config/sql/ippool/sqlite/queries.conf
-index 31a5df3659..e92466108b 100644
---- a/raddb/mods-config/sql/ippool/sqlite/queries.conf
-+++ b/raddb/mods-config/sql/ippool/sqlite/queries.conf
-@@ -89,7 +89,7 @@ allocate_update = "\
- 		callingstationid = '%{Calling-Station-Id}', \
- 		username = '%{User-Name}', \
- 		expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \
--	WHERE framedipaddress = '%I'
-+	WHERE framedipaddress = '%I'"
- 
- #
- #  This series of queries frees an IP number when an accounting START record arrives
--- 
-2.31.1
-

SOURCES/freeradius-bootstrap-fixed-dhparam.patch

@@ -1,52 +0,0 @@
-From b31f1ab9a0e1c010037d2d660e3ce4ea7eb07d6c Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Wed, 5 Aug 2020 16:10:52 -0400
-Subject: [PATCH] Use fixed FIPS-approved dhparam by default
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- raddb/certs/Makefile  | 2 +-
- raddb/certs/bootstrap | 7 +++++--
- 2 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
-index 5cbfd46..41b7aea 100644
---- a/raddb/certs/Makefile
-+++ b/raddb/certs/Makefile
-@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
- #
- ######################################################################
- dh:
--	$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
-+	cp rfc3526-group-18-8192.dhparam dh
- 
- ######################################################################
- #
-diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
-index 9920ecf..59b3310 100755
---- a/raddb/certs/bootstrap
-+++ b/raddb/certs/bootstrap
-@@ -13,6 +13,10 @@
- umask 027
- cd `dirname $0`
- 
-+if [ ! -e random ]; then
-+  ln -sf /dev/urandom random
-+fi
-+
- make -h > /dev/null 2>&1
- 
- #
-@@ -35,8 +39,7 @@ fi
- #  re-generate these commands.
- #
- if [ ! -e dh ]; then
--  openssl dhparam -out dh 2048 || exit 1
--  ln -sf /dev/urandom random
-+  cp rfc3526-group-18-8192.dhparam dh
- fi
- 
- if [ ! -e server.key ]; then
--- 
-2.26.2
-

SOURCES/freeradius-bootstrap-run-only-once.patch

@@ -1,72 +0,0 @@
-Author: Antonio Torres <antorres@redhat.com>
-Date:   Wed Jul 20 2021
-Subject: [PATCH] ensure bootstrap script is run only once
-
-	The bootstrap script should only run once. By checking if there are
-	certificates in the directory, we can exit early if certificates were
-	already generated.
-
-	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
-	Signed-off-by: Antonio Torres antorres@redhat.com
----
- raddb/certs/README    | 16 ++++++----------
- raddb/certs/bootstrap | 18 ++++++++++++------
- 2 files changed, 18 insertions(+), 16 deletions(-)
-
-diff --git a/raddb/certs/README b/raddb/certs/README
-index 6288921da1..32413964dd 100644
---- a/raddb/certs/README
-+++ b/raddb/certs/README
-@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
- your users, and to issue client certificates for EAP-TLS.
- 
-   If FreeRADIUS was configured to use OpenSSL, then simply starting
--the server in root in debugging mode should also create test
--certificates, i.e.:
-+the server in root mode should also create test certificates.
- 
--$ radiusd -X
--
--  That will cause the EAP-TLS module to run the "bootstrap" script in
--this directory.  The script will be executed only once, the first time
--the server has been installed on a particular machine.  This bootstrap
--script SHOULD be run on installation of any pre-built binary package
--for your OS.  In any case, the script will ensure that it is not run
--twice, and that it does not over-write any existing certificates.
-+  The start of FreeRADIUS will cause to run the "bootstrap" script.
-+The script will be executed during every start of FreeRADIUS via systemd but
-+the script will ensure that it does not overwrite any existing certificates.
-+Ideally, the bootstrap script file should be deleted after new testing certificates
-+have been generated.
- 
-   If you already have CA and server certificates, rename (or delete)
- this directory, and create a new "certs" directory containing your
-diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
-index 0f719aafd4..92254dc936 100755
---- a/raddb/certs/bootstrap
-+++ b/raddb/certs/bootstrap
-@@ -1,12 +1,18 @@
- #!/bin/sh
- #
--#  This is a wrapper script to create default certificates when the
--#  server first starts in debugging mode.  Once the certificates have been
--#  created, this file should be deleted.
-+# Bootstrap script should be run only once. If there are already certificates
-+# generated, skip the execution.
-+#
-+cd `dirname $0`
-+if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
-+  exit 0
-+fi
-+
- #
--#  Ideally, this program should be run as part of the installation of any
--#  binary package.  The installation should also ensure that the permissions
--#  and owners are correct for the files generated by this script.
-+#  This is a wrapper script to create default certificates when the
-+#  server starts via systemd. It should also ensure that the
-+#  permissions and owners are correct for the generated files. Once
-+# the certificates have been created, this file should be deleted.
- #
- #  $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
- #

SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch

@@ -1,47 +0,0 @@
-From: Antonio Torres <antorres@redhat.com>
-Date: Fri, 09 Dec 2022
-Subject: Fix crash on invalid abinary data
-
-A malicious RADIUS client or home server can send a malformed abinary
-attribute which can cause the server to crash.
-
-Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151706
-Signed-off-by: Antonio Torres <antorres@redhat.com>
----
-diff --git a/src/lib/filters.c b/src/lib/filters.c
-index 4868cd385d9f..3f3b63daeef3 100644
---- a/src/lib/filters.c
-+++ b/src/lib/filters.c
-@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
- 			}
- 		}
- 	} else if (filter->type == RAD_FILTER_GENERIC) {
--		int count;
-+		size_t count, masklen;
-+
-+		masklen = ntohs(filter->u.generic.len);
-+		if (masklen >= sizeof(filter->u.generic.mask)) {
-+			*p = '\0';
-+			return;
-+		}
- 
- 		i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
- 		p += i;
- 
- 		/* show the mask */
--		for (count = 0; count < ntohs(filter->u.generic.len); count++) {
-+		for (count = 0; count < masklen; count++) {
- 			i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
- 			p += i;
- 			outlen -= i;
-@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
- 		outlen--;
- 
- 		/* show the value */
--		for (count = 0; count < ntohs(filter->u.generic.len); count++) {
-+		for (count = 0; count < masklen; count++) {
- 			i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
- 			p += i;
- 			outlen -= i;

SOURCES/freeradius-fix-crash-unknown-eap-sim.patch

@@ -1,115 +0,0 @@
-From: Antonio Torres <antorres@redhat.com>
-Date: Fri, 09 Dec 2022
-Subject: Fix crash on unknown option in EAP-SIM
-
-When an EAP-SIM supplicant sends an unknown SIM option, the server will try to
-look that option up in the internal dictionaries. This lookup will fail, but the
-SIM code will not check for that failure. Instead, it will dereference a NULL
-pointer, and cause the server to crash.
-
-Backport of:
-https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
-https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151704
-Signed-off-by: Antonio Torres <antorres@redhat.com>
----
-diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
-index cf1e8a7dd92..e438a844eab 100644
---- a/src/modules/rlm_eap/libeap/eapsimlib.c
-+++ b/src/modules/rlm_eap/libeap/eapsimlib.c
-@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
- 	newvp->vp_length = 1;
- 	fr_pair_add(&(r->vps), newvp);
- 
-+	/*
-+	 *	EAP-SIM has a 1 octet of subtype, and 2 octets
-+	 *	reserved.
-+	 */
- 	attr     += 3;
- 	attrlen  -= 3;
- 
--	/* now, loop processing each attribute that we find */
--	while(attrlen > 0) {
-+	/*
-+	 *	Loop over each attribute.  The format is:
-+	 *
-+	 *	1 octet of type
-+	 *	1 octet of length (value 1..255)
-+	 *	((4 * length) - 2) octets of data.
-+	 */
-+	while (attrlen > 0) {
- 		uint8_t *p;
- 
--		if(attrlen < 2) {
-+		if (attrlen < 2) {
- 			fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
- 			return 0;
- 		}
- 
-+		if (!attr[1]) {
-+			fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", attr[0],
-+					   es_attribute_count);
-+			return 0;
-+		}
-+
- 		eapsim_attribute = attr[0];
- 		eapsim_len = attr[1] * 4;
- 
-+		/*
-+		 *	The length includes the 2-byte header.
-+		 */
- 		if (eapsim_len > attrlen) {
- 			fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
- 					   eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
- 			return 0;
- 		}
- 
--		if(eapsim_len > MAX_STRING_LEN) {
--			eapsim_len = MAX_STRING_LEN;
--		}
--		if (eapsim_len < 2) {
--			fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
--					   es_attribute_count);
--			return 0;
--		}
-+		newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
-+		if (!newvp) {
-+			/*
-+			 *	RFC 4186 Section 8.1 says 0..127 are
-+			 *	"non-skippable".  If one such
-+			 *	attribute is found and we don't
-+			 *	understand it, the server has to send:
-+			 *
-+			 *	EAP-Request/SIM/Notification packet with an
-+			 *	(AT_NOTIFICATION code, which implies general failure ("General
-+			 *	failure after authentication" (0), or "General failure" (16384),
-+			 *	depending on the phase of the exchange), which terminates the
-+			 *	authentication exchange.
-+			 */
-+			if (eapsim_attribute <= 127) {
-+				fr_strerror_printf("Unknown mandatory attribute %d, failing",
-+						   eapsim_attribute);
-+				return 0;
-+			}
- 
--		newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
--		newvp->vp_length = eapsim_len-2;
--		newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
--		memcpy(p, &attr[2], eapsim_len-2);
--		fr_pair_add(&(r->vps), newvp);
--		newvp = NULL;
-+		} else {
-+			/*
-+			 *	It's known, ccount for header, and
-+			 *	copy the value over.
-+			 */
-+			newvp->vp_length = eapsim_len - 2;
-+
-+			newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
-+			memcpy(p, &attr[2], newvp->vp_length);
-+			fr_pair_add(&(r->vps), newvp);
-+		}
- 
- 		/* advance pointers, decrement length */
- 		attr += eapsim_len;

SOURCES/freeradius-fix-info-leakage-eap-pwd.patch

@@ -1,76 +0,0 @@
-From: Antonio Torres <antorres@redhat.com>
-Date: Fri, 09 Dec 2022
-Subject: Fix information leakage in EAP-PWD
-
-The EAP-PWD function compute_password_element() leaks information about the 
-password which allows an attacker to substantially reduce the size of an 
-offline dictionary attack.
-
-Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
-Signed-off-by: Antonio Torres <antorres@redhat.com>
----
-diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
-index d94851c3aa..9f86b62114 100644
---- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
-+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
-@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API	/* OpenSSL API has been deprecated by Apple */
- #include <freeradius-devel/radiusd.h>
- #include <freeradius-devel/modules.h>
- 
-+static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
-+
- /* The random function H(x) = HMAC-SHA256(0^32, x) */
- static void H_Init(HMAC_CTX *ctx)
- {
-@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
- 			      uint32_t *token)
- {
- 	BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
--	HMAC_CTX *ctx = NULL;
-+	EVP_MD_CTX *hmac_ctx;
-+	EVP_PKEY *hmac_pkey;
- 	uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
- 	int nid, is_odd, primebitlen, primebytelen, ret = 0;
- 
--	ctx = HMAC_CTX_new();
--	if (ctx == NULL) {
--		DEBUG("failed allocating HMAC context");
--		goto fail;
--	}
-+	MEM(hmac_ctx = EVP_MD_CTX_new());
-+	MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
- 
- 	switch (grp_num) { /* from IANA registry for IKE D-H groups */
- 	case 19:
-@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
- 		 *    pwd-seed = H(token | peer-id | server-id | password |
- 		 *		   counter)
- 		 */
--		H_Init(ctx);
--		H_Update(ctx, (uint8_t *)token, sizeof(*token));
--		H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
--		H_Update(ctx, (uint8_t const *)id_server, id_server_len);
--		H_Update(ctx, (uint8_t const *)password, password_len);
--		H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
--		H_Final(ctx, pwe_digest);
-+		EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
-+		EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
-+		EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
-+		EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
-+		EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
-+		EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
- 
- 		BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
- 		if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
-@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
- 	BN_clear_free(x_candidate);
- 	BN_clear_free(rnd);
- 	talloc_free(prfbuf);
--	HMAC_CTX_free(ctx);
-+	EVP_MD_CTX_free(hmac_ctx);
-+	EVP_PKEY_free(hmac_pkey);
- 
- 	return ret;
- }

SOURCES/freeradius-man-Fix-some-typos.patch

@@ -1,93 +0,0 @@
-From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
-From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
-Date: Fri, 14 Sep 2018 11:53:28 +0300
-Subject: [PATCH] man: Fix some typos
-
----
- man/man1/radzap.1   | 4 ++--
- man/man5/unlang.5   | 6 +++---
- man/man8/radcrypt.8 | 2 +-
- man/man8/radiusd.8  | 4 ++--
- 4 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/man/man1/radzap.1 b/man/man1/radzap.1
-index a2d529d064..03b9a43a54 100644
---- a/man/man1/radzap.1
-+++ b/man/man1/radzap.1
-@@ -1,4 +1,4 @@
--.TH RADZAP 1 "8 April 2005" "" "FreeRadius Daemon"
-+.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon"
- .SH NAME
- radzap - remove rogue entries from the active sessions database
- .SH SYNOPSIS
-@@ -17,7 +17,7 @@ radzap - remove rogue entries from the active sessions database
- .RB [ \-x ]
- \fIserver[:port] secret\fP
- .SH DESCRIPTION
--The FreeRadius server can be configured to maintain an active session
-+The FreeRADIUS server can be configured to maintain an active session
- database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1)
- use this database. Sometimes that database can get out of sync, and
- then it might contain rogue entries. \fBradzap\fP can clean up this
-diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
-index 40db5fa6e7..5f765f1787 100644
---- a/man/man5/unlang.5
-+++ b/man/man5/unlang.5
-@@ -195,7 +195,7 @@ The <list> can be one of "request", "reply", "proxy-request",
- of Version 3, the <list> can be omitted, in which case "request" is
- assumed.
- 
--The "control" list is the list of attributes maintainted internally by
-+The "control" list is the list of attributes maintained internally by
- the server that controls how the server processes the request.  Any
- attribute that does not go in a packet on the network will generally
- be placed in the "control" list.
-@@ -397,7 +397,7 @@ Evaluates to true if 'foo' is a non-empty string (single quotes, double
- quotes, or back-quoted).  Also evaluates to true if 'foo' is a
- non-zero number.  Note that the language is poorly typed, so the
- string "0000" can be interpreted as a numerical zero.  This issue can
--be avoided by comparings strings to an empty string, rather than by
-+be avoided by comparing strings to an empty string, rather than by
- evaluating the string by itself.
- 
- If the word 'foo' is not a quoted string, then it can be taken as a
-@@ -854,7 +854,7 @@ failover tracking that nothing was done in the current section.
- .IP ok
- Instructs the server that the request was processed properly.  This
- keyword can be used to over-ride earlier failures, if the local
--administrator determines that the faiures are not catastrophic.
-+administrator determines that the failures are not catastrophic.
- .IP reject
- Causes the request to be immediately rejected
- .SH MODULE RETURN CODES
-diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
-index 08336c66f2..2917f60c46 100644
---- a/man/man8/radcrypt.8
-+++ b/man/man8/radcrypt.8
-@@ -30,7 +30,7 @@ Use a MD5 (Message Digest 5) hash.
- Ignored if performing a password check.
- .IP "\-c --check"
- Perform a validation check on a password hash to verify if it matches
--the plantext password.
-+the plaintext password.
- 
- .SH EXAMPLES
- .nf
-diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
-index 98aef5e1be..2ef5ccf789 100644
---- a/man/man8/radiusd.8
-+++ b/man/man8/radiusd.8
-@@ -211,11 +211,11 @@ This file is usually static. It defines all the possible RADIUS attributes
- used in the other configuration files.  You don't have to modify it.
- It includes other dictionary files in the same directory.
- .IP hints
--Defines certain hints to the radius server based on the users's loginname
-+Defines certain hints to the radius server based on the users' loginname
- or other attributes sent by the access server. It also provides for
- mapping user names (such as Pusername -> username). This provides the
- functionality that the \fILivingston 2.0\fP server has as "Prefix" and
--"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
-+"Suffix" support in the \fIusers\fP file, but is more general. Of course
- the Livingston way of doing things is also supported, and you can even use
- both at the same time (within certain limits).
- .IP huntgroups

SOURCES/freeradius-no-dh-param-load-FIPS.patch

@@ -1,45 +0,0 @@
-From 42693cba452efa00a4848beb1514229149520cc1 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Wed, 5 Aug 2020 11:39:45 -0400
-Subject: [PATCH] Ignore user-provided dhparams in FIPS mode (#3554)
-
-OpenSSL in RHEL 8.3 introduces a breaking change in FIPS mode:
-user-provided dhparams will be ignored (and dhparam generation
-may fail as well), unless they are on the FIPS approved list of
-parameters. However, OpenSSL since v1.1.1 will automatically select
-an appropriate DH parameter set anyways, if the user did not provide
-any. These will be FIPS approved.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- src/main/tls.c | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
-diff --git a/src/main/tls.c b/src/main/tls.c
-index 5809a1bd7d..5e6493333c 100644
---- a/src/main/tls.c
-+++ b/src/main/tls.c
-@@ -1352,6 +1352,23 @@ static int load_dh_params(SSL_CTX *ctx, char *file)
-
- 	if (!file) return 0;
-
-+	/*
-+	 * Prior to trying to load the file, check what OpenSSL will do with it.
-+	 *
-+	 * Certain downstreams (such as RHEL) will ignore user-provided dhparams
-+	 * in FIPS mode, unless the specified parameters are FIPS-approved.
-+	 * However, since OpenSSL >= 1.1.1 will automatically select parameters
-+	 * anyways, there's no point in attempting to load them.
-+	 *
-+	 * Change suggested by @t8m
-+	 */
-+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
-+	if (FIPS_mode() > 0) {
-+		WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
-+		return 0;
-+	}
-+#endif
-+
- 	if ((bio = BIO_new_file(file, "r")) == NULL) {
- 		ERROR(LOG_PREFIX ": Unable to open DH file - %s", file);
- 		return -1;

SOURCES/rfc3526-group-18-8192.pem

@@ -1,24 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
-IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
-awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
-mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
-fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
-5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
-fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
-ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
-ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
-+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
-HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG
-3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU
-7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId
-A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha
-xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/
-8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R
-WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk
-ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw
-xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4
-Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i
-aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU
-38gfVuiAuW5xYMmA3Zjt09///////////wIBAg==
------END DH PARAMETERS-----

freeradius-Use-system-crypto-policy-by-default.patch

@@ -4,6 +4,7 @@ Date: Wed, 8 May 2019 10:16:31 -0400
 Subject: [PATCH] Use system-provided crypto-policies by default
 
 Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+[antorres@redhat.com]: update patch to 3.2.1 state
 ---
  raddb/mods-available/eap        | 4 ++--
  raddb/mods-available/inner-eap  | 2 +-
@@ -12,21 +13,21 @@ Signed-off-by: Alexander Scheel <ascheel@redhat.com>
  4 files changed, 6 insertions(+), 6 deletions(-)
 
 diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
-index 36849e10f2..b28c0f19c6 100644
+index 62152a6dfc..9f64963034 100644
 --- a/raddb/mods-available/eap
 +++ b/raddb/mods-available/eap
-@@ -368,7 +368,7 @@ eap {
- 		#
- 		#  For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
+@@ -400,7 +400,7 @@ eap {
+ 		#  TLS cipher suites.  The format is listed
+ 		#  in "man 1 ciphers".
  		#
 -		cipher_list = "DEFAULT"
 +		cipher_list = "PROFILE=SYSTEM"
  
- 		#  If enabled, OpenSSL will use server cipher list
- 		#  (possibly defined by cipher_list option above)
-@@ -912,7 +912,7 @@ eap {
- 		#  Note - for OpenSSL 1.1.0 and above you may need
- 		#  to add ":@SECLEVEL=0"
+ 		#  Set this option to specify the allowed
+ 		#  TLS signature algorithms for OpenSSL 1.1.1 and above.
+@@ -1082,7 +1082,7 @@ eap {
+ 		#  "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
+ 		#  recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
  		#
 -	#	cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
 +	#	cipher_list = "PROFILE=SYSTEM"
@@ -47,23 +48,23 @@ index 576eb7739e..ffa07188e2 100644
  		#  You may want to set a very small fragment size.
  		#  The TLS data here needs to go inside of the
 diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
-index 92f1d6330e..cd69b3905a 100644
+index b8d0626bbe..073b2933c2 100644
 --- a/raddb/sites-available/abfab-tls
 +++ b/raddb/sites-available/abfab-tls
-@@ -19,7 +19,7 @@ listen {
+@@ -20,7 +20,7 @@ listen {
  		dh_file = ${certdir}/dh
  		fragment_size = 8192
  		ca_path = ${cadir}
 -		cipher_list = "DEFAULT"
 +		cipher_list = "PROFILE=SYSTEM"
- 
  		cache {
  			enable = no
+ 			lifetime = 24 # hours
 diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
-index bbc761b1c5..83cd35b851 100644
+index 137fcbc6cc..a65f8a8711 100644
 --- a/raddb/sites-available/tls
 +++ b/raddb/sites-available/tls
-@@ -215,7 +215,7 @@ listen {
+@@ -292,7 +292,7 @@ listen {
  		# Set this option to specify the allowed
  		# TLS cipher suites.  The format is listed
  		# in "man 1 ciphers".
@@ -72,15 +73,15 @@ index bbc761b1c5..83cd35b851 100644
  
  		# If enabled, OpenSSL will use server cipher list
  		# (possibly defined by cipher_list option above)
-@@ -517,7 +517,7 @@ home_server tls {
+@@ -676,7 +676,7 @@ home_server tls {
  		# Set this option to specify the allowed
  		# TLS cipher suites.  The format is listed
  		# in "man 1 ciphers".
 -		cipher_list = "DEFAULT"
 +		cipher_list = "PROFILE=SYSTEM"
- 	}
  
- }
+ 		#
+ 		#  Connection timeout for outgoing TLS connections.
 -- 
 2.21.0
 

freeradius-bootstrap-create-only.patch

@@ -1,20 +1,18 @@
-From 3f40655ad0708b74a4a41b13c2b21995b157c14d Mon Sep 17 00:00:00 2001
+From acaf4be8e301a01041acba189194d9502994611d Mon Sep 17 00:00:00 2001
 From: Alexander Scheel <ascheel@redhat.com>
-Date: Wed, 5 Aug 2020 15:53:45 -0400
+Date: Wed, 13 May 2020 10:01:47 -0400
 Subject: [PATCH] Don't clobber existing files on bootstrap
 
-Rebased: v3.0.20
-
 Signed-off-by: Alexander Scheel <ascheel@redhat.com>
 ---
- raddb/certs/bootstrap | 35 +++++++++++++++++++----------------
- 1 file changed, 19 insertions(+), 16 deletions(-)
+ raddb/certs/bootstrap | 31 +++++++++++++++----------------
+ 1 file changed, 15 insertions(+), 16 deletions(-)
 
 diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
-index 0f719aa..336a2bd 100755
+index ede09bc..e555491 100755
 --- a/raddb/certs/bootstrap
 +++ b/raddb/certs/bootstrap
-@@ -31,52 +31,55 @@ fi
+@@ -20,56 +20,55 @@ cd `dirname $0`
  #  Don't edit the following text.  Instead, edit the Makefile, and
  #  re-generate these commands.
  #
@@ -32,7 +30,7 @@ index 0f719aa..336a2bd 100755
 -if [ ! -f server.key ]; then
 +if [ ! -e server.key ]; then
    openssl req -new  -out server.csr -keyout server.key -config ./server.cnf || exit 1
-+  chmod g+r server.key
+   chmod g+r server.key
  fi
  
 -if [ ! -f ca.key ]; then
@@ -58,14 +56,14 @@ index 0f719aa..336a2bd 100755
 -if [ ! -f server.p12 ]; then
 +if [ ! -e server.p12 ]; then
    openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
-+  chmod g+r server.p12
+   chmod g+r server.p12
  fi
  
 -if [ ! -f server.pem ]; then
 +if [ ! -e server.pem ]; then
    openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
    openssl verify -CAfile ca.pem server.pem || exit 1
-+  chmod g+r server.pem
+   chmod g+r server.pem
  fi
  
 -if [ ! -f ca.der ]; then
@@ -76,7 +74,7 @@ index 0f719aa..336a2bd 100755
 -if [ ! -f client.key ]; then
 +if [ ! -e client.key ]; then
    openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
-+  chmod g+r client.key
+   chmod g+r client.key
  fi
  
 -if [ ! -f client.crt ]; then

freeradius-configure-c99.patch

@@ -0,0 +1,35 @@
+The backtrace_symbols function expects a pointer to an array of void *
+values, not a pointer to an array of a single element. Removing the
+address operator ensures that the right type is used.
+
+This avoids an unconditional failure of this probe with compilers that
+treat incompatible pointer types as a compilation error.
+
+Submitted upstream: <https://github.com/FreeRADIUS/freeradius-server/pull/5246>
+
+diff --git a/configure b/configure
+index ed01ee2bdd912f63..1e6d2284779cdd58 100755
+--- a/configure
++++ b/configure
+@@ -13390,7 +13390,7 @@ main (void)
+ {
+ 
+         void *sym[1];
+-        backtrace_symbols(&sym, sizeof(sym))
++        backtrace_symbols(sym, sizeof(sym))
+   ;
+   return 0;
+ }
+diff --git a/configure.ac b/configure.ac
+index 76320213b51d7bb4..6a689711d6c90483 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2168,7 +2168,7 @@ if test "x$ac_cv_header_execinfo_h" = "xyes"; then
+         #include <execinfo.h>
+       ]], [[
+         void *sym[1];
+-        backtrace_symbols(&sym, sizeof(sym)) ]])],[
++        backtrace_symbols(sym, sizeof(sym)) ]])],[
+         AC_MSG_RESULT(yes)
+         ac_cv_lib_execinfo_backtrace_symbols="yes"
+       ],[

freeradius-disable-openssl-engine.patch

@@ -0,0 +1,55 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Wed, 10 Jul 2024
+Subject: Remove OpenSSL Engine usage
+
+Engine functionality from OpenSSL is deprecated and shouldn't be used.
+
+Related: https://gitlab.com/redhat/centos-stream/rpms/openssl/-/merge_requests/144
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ configure         | 2 +-
+ configure.ac      | 3 +--
+ src/include/tls-h | 3 ---
+ 3 files changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/configure b/configure
+index 5041ca264f..5ccb061a4c 100755
+--- a/configure
++++ b/configure
+@@ -10515,7 +10515,7 @@ smart_prefix=
+ printf "%s\n" "#define HAVE_OPENSSL_SSL_H 1" >>confdefs.h
+ 
+ 
+-           for ac_header in openssl/asn1.h openssl/conf.h openssl/crypto.h openssl/err.h openssl/evp.h openssl/hmac.h openssl/md5.h openssl/md4.h openssl/rand.h openssl/sha.h openssl/ssl.h openssl/ocsp.h openssl/engine.h
++           for ac_header in openssl/asn1.h openssl/conf.h openssl/crypto.h openssl/err.h openssl/evp.h openssl/hmac.h openssl/md5.h openssl/md4.h openssl/rand.h openssl/sha.h openssl/ssl.h openssl/ocsp.h
+ do :
+   as_ac_Header=`printf "%s\n" "ac_cv_header_$ac_header" | $as_tr_sh`
+ ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+diff --git a/configure.ac b/configure.ac
+index a24a8061f6..f6074f694e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1446,8 +1446,7 @@ if test "x$WITH_OPENSSL" = xyes; then
+       openssl/rand.h \
+       openssl/sha.h \
+       openssl/ssl.h \
+-      openssl/ocsp.h \
+-      openssl/engine.h,
++      openssl/ocsp.h,
+       [ OPENSSL_CPPFLAGS="$smart_include" ],
+       [
+         AC_MSG_FAILURE([failed locating OpenSSL headers. Use --with-openssl-include-dir=<path>, or --with-openssl=no (builds without OpenSSL)])
+diff --git a/src/include/tls-h b/src/include/tls-h
+index 506fb19778..b195ec9fdb 100644
+--- a/src/include/tls-h
++++ b/src/include/tls-h
+@@ -37,9 +37,6 @@ RCSIDH(tls_h, "$Id$")
+ #  define OPENSSL_NO_KRB5
+ #endif
+ #include <openssl/err.h>
+-#ifdef HAVE_OPENSSL_ENGINE_H
+-#  include <openssl/engine.h>
+-#endif
+ #include <openssl/ssl.h>
+ 
+ #ifdef __cplusplus

freeradius-disable-perl-script.patch

@@ -0,0 +1,22 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Wed, 10 Jul 2024
+Subject: Remove unsupported Perl script from package
+
+The recently added radsecret script depends on unsupported packages
+(Convert::Base32 and Crypt::URandom, which are available only in EPEL), so
+remove it from package.
+
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ src/main/all.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/main/all.mk b/src/main/all.mk
+index f3db386a2a..2517cd215a 100644
+--- a/src/main/all.mk
++++ b/src/main/all.mk
+@@ -1,3 +1,3 @@
+ SUBMAKEFILES := radclient.mk radiusd.mk radsniff.mk radmin.mk radattr.mk \
+-	radwho.mk radlast.mk radtest.mk radzap.mk checkrad.mk radsecret.mk \
++	radwho.mk radlast.mk radtest.mk radzap.mk checkrad.mk \
+ 	libfreeradius-server.mk unittest.mk

freeradius-ease-openssl-version-check.patch

@@ -0,0 +1,35 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Tue, 12 Sep 2023
+Subject: Ease OpenSSL version check requirement
+
+FreeRADIUS includes an OpenSSL version check that compares built vs linked version,
+and fails to start if this check fails. We can ease this requirement in Fedora/RHEL as 
+ABI changes are tracked and soname is changed accordingly, as discussed in previous 
+Bugzilla for this issue [1].
+
+[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1299388
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2238511
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ src/main/version.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/main/version.c b/src/main/version.c
+index c190337c1d..fee2150eb2 100644
+--- a/src/main/version.c
++++ b/src/main/version.c
+@@ -79,11 +79,11 @@ int ssl_check_consistency(void)
+ 	 */
+ 	if ((ssl_linked & 0x0000000f) != (ssl_built & 0x0000000f)) {
+ 	mismatch:
+-		ERROR("libssl version mismatch.  built: %lx linked: %lx",
++		DEBUG2("libssl version mismatch.  built: %lx linked: %lx",
+ 		      (unsigned long) ssl_built,
+ 		      (unsigned long) ssl_linked);
+ 
+-		return -1;
++		return 0;
+ 	}
+ 
+ 	/*

freeradius-ldap-infinite-timeout-on-starttls.patch

@@ -0,0 +1,31 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 28 Jan 2022
+Subject: Use infinite timeout when using LDAP+start-TLS
+
+This will ensure that the TLS connection to the LDAP server will complete
+before starting FreeRADIUS, as it forces libldap to use a blocking socket during 
+the process. Infinite timeout is the OpenLDAP default.
+Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ src/modules/rlm_ldap/ldap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
+index cf7a84e069..841bf888a1 100644
+--- a/src/modules/rlm_ldap/ldap.c
++++ b/src/modules/rlm_ldap/ldap.c
+@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
+ 	}
+ 
+ #ifdef LDAP_OPT_NETWORK_TIMEOUT
+-	if (inst->net_timeout) {
++	bool using_tls = inst->start_tls ||
++					 inst->port == 636 ||
++					 strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
++	if (inst->net_timeout && !using_tls) {
+ 		memset(&tv, 0, sizeof(tv));
+ 		tv.tv_sec = inst->net_timeout;
+ 

freeradius-logrotate

@@ -26,7 +26,6 @@
 	su radiusd radiusd
 }
 
-
 /var/log/radius/radius.log {
 	monthly
 	rotate 4

freeradius-no-buildtime-cert-gen.patch

@@ -6,45 +6,47 @@ Subject: [PATCH] Don't generate certificates in reproducible builds
 Signed-off-by: Alexander Scheel <ascheel@redhat.com>
 ---
  Make.inc.in  | 5 +++++
- configure    | 4 ++++
+ configure    | 3 +++
  configure.ac | 3 +++
  raddb/all.mk | 4 ++++
- 4 files changed, 16 insertions(+)
+ 4 files changed, 15 insertions(+)
 
 diff --git a/Make.inc.in b/Make.inc.in
 index 0b2cd74de8..8c623cf95c 100644
 --- a/Make.inc.in
 +++ b/Make.inc.in
-@@ -173,3 +173,8 @@ else
- 	TESTBINDIR = ./$(BUILD_DIR)/bin
+@@ -174,6 +174,10 @@ else
  	TESTBIN    = ./$(BUILD_DIR)/bin
  endif
-+
+ 
 +#
 +#  With reproducible builds, do not generate certificates during installation
 +#
 +ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
+ 
+ #
+ #  For creating documentation via doc/all.mk
 diff --git a/configure b/configure
-index c2c599c92b..3d4403a844 100755
+index 5041ca264f..ed01ee2bdd 100755
 --- a/configure
 +++ b/configure
-@@ -655,6 +655,7 @@ RUSERS
+@@ -679,6 +679,7 @@ AUTOCONF
+ ACLOCAL
+ RUSERS
  SNMPWALK
- SNMPGET
- PERL
 +ENABLE_REPRODUCIBLE_BUILDS
+ SNMPGET
  openssl_version_check_config
  WITH_DHCP
- modconfdir
-@@ -5586,6 +5587,7 @@ else
- fi
+@@ -6976,6 +6977,7 @@ fi
  
  
-+ENABLE_REPRODUCIBLE_BUILDS=yes
  # Check whether --enable-reproducible-builds was given.
- if test "${enable_reproducible_builds+set}" = set; then :
++ENABLE_REPRODUCIBLE_BUILDS=yes
+ if test ${enable_reproducible_builds+y}
+ then :
    enableval=$enable_reproducible_builds;  case "$enableval" in
-@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
+@@ -6987,6 +6989,7 @@ printf "%s\n" "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
      ;;
    *)
      reproducible_builds=no
@@ -52,19 +54,11 @@ index c2c599c92b..3d4403a844 100755
    esac
  
  fi
-@@ -5604,6 +5607,7 @@ fi
- 
- 
- 
-+
- CHECKRAD=checkrad
- # Extract the first word of "perl", so it can be a program name with args.
- set dummy perl; ac_word=$2
 diff --git a/configure.ac b/configure.ac
-index a7abf0025a..35b013f4af 100644
+index ce4d9b0ae5..790cbf02a0 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config])
+@@ -697,6 +697,7 @@ AC_SUBST([openssl_version_check_config])
  dnl #
  dnl #  extra argument: --enable-reproducible-builds
  dnl #
@@ -72,7 +66,7 @@ index a7abf0025a..35b013f4af 100644
  AC_ARG_ENABLE(reproducible-builds,
  [AS_HELP_STRING([--enable-reproducible-builds],
                  [ensure the build does not change each time])],
-@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds,
+@@ -708,8 +709,10 @@ AC_ARG_ENABLE(reproducible-builds,
      ;;
    *)
      reproducible_builds=no
@@ -81,6 +75,10 @@ index a7abf0025a..35b013f4af 100644
  )
 +AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
  
+ dnl #
+ dnl #  Enable the -fsanitize=fuzzer and link in the address sanitizer
+
+ 
  
  dnl #############################################################
 diff --git a/raddb/all.mk b/raddb/all.mk

freeradius-no-sql-scripts.patch

@@ -0,0 +1,31 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Wed, 3 Apr 2024
+Subject: Remove SQL helper script from package
+
+This helper script is not needed in RHEL since we stopped supporting the
+freeradius SQL subpackages.
+
+Resolves: RHEL-31745
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ scripts/all.mk | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/scripts/all.mk b/scripts/all.mk
+index a6e90aa3eb..2f7845a632 100644
+--- a/scripts/all.mk
++++ b/scripts/all.mk
+@@ -1,5 +1,5 @@
+ install: $(R)$(sbindir)/rc.radiusd $(R)$(sbindir)/raddebug \
+-	$(R)$(bindir)/radsqlrelay $(R)$(bindir)/radcrypt $(R)$(bindir)/rlm_sqlippool_tool
++	$(R)$(bindir)/radsqlrelay $(R)$(bindir)/radcrypt
+ 
+ $(R)$(sbindir)/rc.radiusd: scripts/rc.radiusd
+ 	@mkdir -p $(dir $@)
+@@ -17,6 +17,3 @@ $(R)$(bindir)/radcrypt: scripts/cryptpasswd
+ 	@mkdir -p $(dir $@)
+ 	@$(INSTALL) -m 755 $< $@
+ 
+-$(R)$(bindir)/rlm_sqlippool_tool: scripts/sql/rlm_sqlippool_tool
+-	@mkdir -p $(dir $@)
+-	@$(INSTALL) -m 755 $< $@

freeradius.spec

@@ -1,17 +1,8 @@
-%if 0%{?rhel} > 7
-# Disable python2 build by default
-%bcond_with python2
-%else
-%bcond_without python2
-%endif
-
-
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
-Version: 3.0.20
-Release: 15%{?dist}
-License: GPLv2+ and LGPLv2+
-Group: System Environment/Daemons
+Version: 3.2.5
+Release: 3%{?dist}
+License: GPL-2.0-or-later AND LGPL-2.0-or-later
 URL: http://www.freeradius.org/
 
 # Is elliptic curve cryptography supported?
@@ -28,26 +19,20 @@ Source100: radiusd.service
 Source102: freeradius-logrotate
 Source103: freeradius-pam-conf
 Source104: freeradius-tmpfiles.conf
-Source105: rfc3526-group-18-8192.pem
+Source105: freeradius.sysusers
 
 Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
 Patch2: freeradius-Use-system-crypto-policy-by-default.patch
 Patch3: freeradius-bootstrap-create-only.patch
 Patch4: freeradius-no-buildtime-cert-gen.patch
-Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
-Patch6: freeradius-bootstrap-make-permissions.patch
-Patch7: freeradius-no-dh-param-load-FIPS.patch
-Patch8: freeradius-bootstrap-fixed-dhparam.patch
-Patch9: freeradius-man-Fix-some-typos.patch
-Patch10: freeradius-Fix-resource-hard-limit-error.patch
-Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
-Patch12: freeradius-bootstrap-run-only-once.patch
-Patch13: freeradius-Fix-unterminated-strings-in-SQL-queries.patch
-Patch14: freeradius-Fix-segfault-when-home_server-is-null.patch
-Patch15: freeradius-fix-crash-on-invalid-abinary-data.patch
-Patch16: freeradius-fix-crash-unknown-eap-sim.patch
-Patch17: freeradius-fix-info-leakage-eap-pwd.patch
-Patch18: freeradius-blastradius-fix.patch
+Patch5: freeradius-bootstrap-make-permissions.patch
+Patch6: freeradius-ldap-infinite-timeout-on-starttls.patch
+Patch7: freeradius-ease-openssl-version-check.patch
+Patch8: freeradius-configure-c99.patch
+Patch9: freeradius-no-antora-docs.patch
+Patch10: freeradius-no-sql-scripts.patch
+Patch11: freeradius-disable-openssl-engine.patch
+Patch12: freeradius-disable-perl-script.patch
 
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
 
@@ -65,7 +50,8 @@ BuildRequires: readline-devel
 BuildRequires: libpcap-devel
 BuildRequires: systemd-units
 BuildRequires: libtalloc-devel
-BuildRequires: pcre-devel
+BuildRequires: chrpath
+BuildRequires: systemd-rpm-macros
 
 %if ! 0%{?rhel}
 BuildRequires: libyubikey-devel
@@ -78,7 +64,8 @@ Requires: openssl >= %(rpm -q --queryformat '%%{EPOCH}:%%{VERSION}' openssl)
 Requires(pre): shadow-utils glibc-common
 Requires(post): systemd-sysv
 Requires(post): systemd-units
-# Needed for certificate generation
+# Needed for certificate generation as upstream bootstrap script isn't
+# compatible with Makefile equivalent.
 Requires: make
 Requires(preun): systemd-units
 Requires(postun): systemd-units
@@ -99,7 +86,6 @@ be centralized, and minimizes the amount of re-configuration which has to be
 done when adding or deleting new users.
 
 %package doc
-Group: Documentation
 Summary: FreeRADIUS documentation
 
 %description doc
@@ -107,7 +93,6 @@ All documentation supplied by the FreeRADIUS project is included
 in this package.
 
 %package utils
-Group: System Environment/Daemons
 Summary: FreeRADIUS utilities
 Requires: %{name} = %{version}-%{release}
 Requires: libpcap >= 0.9.4
@@ -122,7 +107,6 @@ Support for RFC and VSA Attributes Additional server configuration
 attributes Selecting a particular configuration Authentication methods
 
 %package devel
-Group: System Environment/Daemons
 Summary: FreeRADIUS development files
 Requires: %{name} = %{version}-%{release}
 
@@ -131,7 +115,6 @@ Development headers and libraries for FreeRADIUS.
 
 %package ldap
 Summary: LDAP support for freeradius
-Group: System Environment/Daemons
 Requires: %{name} = %{version}-%{release}
 BuildRequires: openldap-devel
 
@@ -140,7 +123,6 @@ This plugin provides the LDAP support for the FreeRADIUS server project.
 
 %package krb5
 Summary: Kerberos 5 support for freeradius
-Group: System Environment/Daemons
 Requires: %{name} = %{version}-%{release}
 BuildRequires: krb5-devel
 
@@ -149,9 +131,7 @@ This plugin provides the Kerberos 5 support for the FreeRADIUS server project.
 
 %package perl
 Summary: Perl support for freeradius
-Group: System Environment/Daemons
 Requires: %{name} = %{version}-%{release}
-Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 %{?fedora:BuildRequires: perl-devel}
 BuildRequires: perl-devel
 BuildRequires: perl-generators
@@ -160,10 +140,9 @@ BuildRequires: perl(ExtUtils::Embed)
 %description perl
 This plugin provides the Perl support for the FreeRADIUS server project.
 
-%if %{with python2}
+%if 0%{?fedora} <= 30 && 0%{?rhel} < 8
 %package -n python2-freeradius
 Summary: Python 2 support for freeradius
-Group: System Environment/Daemons
 Requires: %{name} = %{version}-%{release}
 BuildRequires: python2-devel
 %{?python_provide:%python_provide python2-freeradius}
@@ -174,7 +153,6 @@ Obsoletes: %{name}-python < %{version}-%{release}
 
 %description -n python2-freeradius
 This plugin provides the Python 2 support for the FreeRADIUS server project.
-# endif: with python2
 %endif
 
 %package -n python3-freeradius
@@ -188,7 +166,6 @@ This plugin provides the Python 3 support for the FreeRADIUS server project.
 
 %package mysql
 Summary: MySQL support for freeradius
-Group: System Environment/Daemons
 Requires: %{name} = %{version}-%{release}
 BuildRequires: mariadb-connector-c-devel
 
@@ -197,16 +174,14 @@ This plugin provides the MySQL support for the FreeRADIUS server project.
 
 %package postgresql
 Summary: Postgresql support for freeradius
-Group: System Environment/Daemons
 Requires: %{name} = %{version}-%{release}
-BuildRequires: postgresql-devel
+BuildRequires: libpq-devel
 
 %description postgresql
 This plugin provides the postgresql support for the FreeRADIUS server project.
 
 %package sqlite
 Summary: SQLite support for freeradius
-Group: System Environment/Daemons
 Requires: %{name} = %{version}-%{release}
 BuildRequires: sqlite-devel
 
@@ -215,7 +190,6 @@ This plugin provides the SQLite support for the FreeRADIUS server project.
 
 %package unixODBC
 Summary: Unix ODBC support for freeradius
-Group: System Environment/Daemons
 Requires: %{name} = %{version}-%{release}
 BuildRequires: unixODBC-devel
 
@@ -224,7 +198,6 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
 
 %package rest
 Summary: REST support for freeradius
-Group: System Environment/Daemons
 Requires: %{name} = %{version}-%{release}
 BuildRequires: libcurl-devel
 BuildRequires: json-c-devel
@@ -236,38 +209,31 @@ This plugin provides the REST support for the FreeRADIUS server project.
 %setup -q -n %{dist_base}
 # Note: We explicitly do not make patch backup files because 'make install'
 # mistakenly includes the backup files, especially problematic for raddb config files.
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-
-# Add fixed dhparam file to the source to ensure `make tests` can run.
-cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
+%patch 1 -p1
+%patch 2 -p1
+%patch 3 -p1
+%patch 4 -p1
+%patch 5 -p1
+%patch 6 -p1
+%patch 7 -p1
+%patch 8 -p1
+%patch 9 -p1
+%patch 10 -p1
+%patch 11 -p1
+%patch 12 -p1
 
 %build
 # Force compile/link options, extra security for network facing daemon
 %global _hardened_build 1
 
-# Hack: rlm_python3 as stable; prevents building other unstable modules.
-sed 's/rlm_python.*/rlm_python3/g' src/modules/stable -i
+# Enable FIPS support
+%global build_cflags %{build_cflags} -DWITH_FIPS
 
-# python3-config is broken:
-# https://bugzilla.redhat.com/show_bug.cgi?id=1772988
-export PY3_LIB_DIR=%{_libdir}/"$(python3-config --configdir | sed 's#/usr/lib/##g')"
+# No OpenSSL Engine as it's deprecated
+%global build_cflags %{build_cflags} -UHAVE_OPENSSL_ENGINE_H
+
+%global build_ldflags %{build_ldflags} $(python3-config --embed --libs)
+export PY3_LIB_DIR="$(python3-config --configdir)"
 export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"
 
 %configure \
@@ -288,9 +254,7 @@ export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_v
         --with-rlm_python3 \
         --with-rlm-python3-lib-dir=$PY3_LIB_DIR \
         --with-rlm-python3-include-dir=$PY3_INC_DIR \
-%if %{without python2}
-        --without-rlm-python2 \
-%endif
+        --without-rlm_python \
         --without-rlm_eap_ikev2 \
         --without-rlm_eap_tnc \
         --without-rlm_sql_iodbc \
@@ -302,7 +266,8 @@ export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_v
         --without-rlm_rediswho \
         --without-rlm_cache_memcached
 
-make
+# Build fast, but get better errors if we fail
+make %{?_smp_mflags} || make -j1
 
 %install
 mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/radiusd
@@ -321,14 +286,21 @@ mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
 install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf
-
-# Add fixed dhparam file
-install -m 0644 %{SOURCE105} %{buildroot}/%{_sysconfdir}/raddb/certs/rfc3526-group-18-8192.dhparam
+install -p -D -m 0644 %{SOURCE105} %{buildroot}%{_sysusersdir}/freeradius.conf
 
 # install SNMP MIB files
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
 install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
 
+# remove rpath where needed
+chrpath --delete $RPM_BUILD_ROOT%{_libdir}/freeradius/*.so
+for f in $RPM_BUILD_ROOT/usr/sbin/*; do chrpath --delete $f || true; done
+for f in $RPM_BUILD_ROOT/usr/bin/*; do chrpath --delete $f || true; done
+
+# update ld with freeradius libs
+mkdir -p %{buildroot}/%{_sysconfdir}/ld.so.conf.d
+echo "%{_libdir}/freeradius" > %{buildroot}/%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
+
 # remove unneeded stuff
 rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt
 rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crl
@@ -350,6 +322,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.la
 rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/mssql
 
 rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/oracle
+rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/mssql
 rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool-dhcp/oracle
 rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/oracle
 rm -r $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/moonshot-targeted-ids
@@ -365,12 +338,6 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab*
 
 rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so
 
-# Remove yubikey on RHEL
-%if 0%{?rhel}
-rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/yubikey
-rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_yubikey.so
-%endif
-
 # remove unsupported config files
 rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf
 
@@ -403,30 +370,18 @@ EOF
 
 # Make sure our user/group is present prior to any package or subpackage installation
 %pre
-getent group  radiusd >/dev/null || /usr/sbin/groupadd -r -g 95 radiusd > /dev/null 2>&1
-getent passwd radiusd >/dev/null || /usr/sbin/useradd  -r -g radiusd -u 95 -c "radiusd user" -d %{_localstatedir}/lib/radiusd -s /sbin/nologin radiusd > /dev/null 2>&1
-exit 0
-
-%post
-%systemd_post radiusd.service
-exit 0
+%sysusers_create_compat %{SOURCE105}
 
 %preun
 %systemd_preun radiusd.service
 
 %postun
 %systemd_postun_with_restart radiusd.service
-if [ $1 -eq 0 ]; then           # uninstall
-  getent passwd radiusd >/dev/null && /usr/sbin/userdel  radiusd > /dev/null 2>&1
-  getent group  radiusd >/dev/null && /usr/sbin/groupdel radiusd > /dev/null 2>&1
-fi
-exit 0
 
 /bin/systemctl try-restart radiusd.service >/dev/null 2>&1 || :
 
 
 %files
-%defattr(-,root,root)
 
 # doc
 %license %{docdir}/LICENSE.gpl
@@ -437,8 +392,10 @@ exit 0
 # system
 %config(noreplace) %{_sysconfdir}/pam.d/radiusd
 %config(noreplace) %{_sysconfdir}/logrotate.d/radiusd
+%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
 %{_unitdir}/radiusd.service
 %{_tmpfilesdir}/radiusd.conf
+%{_sysusersdir}/freeradius.conf
 %dir %attr(710,radiusd,radiusd) %{_localstatedir}/run/radiusd
 %dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp
 %dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd
@@ -471,10 +428,10 @@ exit 0
 %dir %attr(770,root,radiusd) /etc/raddb/certs
 %config(noreplace) /etc/raddb/certs/Makefile
 %config(noreplace) /etc/raddb/certs/passwords.mk
-/etc/raddb/certs/README
+/etc/raddb/certs/README.md
+/etc/raddb/certs/realms/README.md
 %config(noreplace) /etc/raddb/certs/xpextensions
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
-%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam
 %attr(750,root,radiusd) /etc/raddb/certs/bootstrap
 
 # mods-config
@@ -486,6 +443,7 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/files/*
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/preprocess
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/preprocess/*
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/realm/freeradius-naptr-to-home-server.sh
 
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter
@@ -497,6 +455,8 @@ exit 0
 # sites-available
 %dir %attr(750,root,radiusd) /etc/raddb/sites-available
 /etc/raddb/sites-available/README
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/aws-nlb
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/resource-check
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/control-socket
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/decoupled-accounting
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/robust-proxy-accounting
@@ -518,8 +478,11 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/copy-acct-to-home-server
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/buffered-sql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/tls
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/totp
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/channel_bindings
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/challenge
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/google-ldap-auth
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/tls-cache
 
 # sites-enabled
 # symlink: /etc/raddb/sites-enabled/xxx -> ../sites-available/xxx
@@ -533,7 +496,7 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/always
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/attr_filter
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache
-%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache_eap
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache_auth
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/chap
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/counter
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cui
@@ -542,6 +505,9 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/detail.example.com
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/detail.log
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_files
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_passwd
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_sql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_sqlippool
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/digest
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dynamic_clients
@@ -555,6 +521,8 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/idn
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/inner-eap
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ippool
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/json
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ldap_google
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/linelog
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/logintime
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/mac2ip
@@ -562,7 +530,6 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/mschap
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ntlm_auth
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/opendirectory
-%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/otp
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pam
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pap
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/passwd
@@ -579,24 +546,23 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/soh
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sometimes
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sql_map
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sqlcounter
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sqlippool
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sradutmp
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/totp
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unix
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unpack
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/utf8
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/wimax
-
-%if ! 0%{?rhel}
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/yubikey
-%endif
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dpsk
 
 # mods-enabled
 # symlink: /etc/raddb/mods-enabled/xxx -> ../mods-available/xxx
 %dir %attr(750,root,radiusd) /etc/raddb/mods-enabled
 %config(missingok) /etc/raddb/mods-enabled/always
 %config(missingok) /etc/raddb/mods-enabled/attr_filter
-%config(missingok) /etc/raddb/mods-enabled/cache_eap
 %config(missingok) /etc/raddb/mods-enabled/chap
 %config(missingok) /etc/raddb/mods-enabled/date
 %config(missingok) /etc/raddb/mods-enabled/detail
@@ -621,6 +587,7 @@ exit 0
 %config(missingok) /etc/raddb/mods-enabled/replicate
 %config(missingok) /etc/raddb/mods-enabled/soh
 %config(missingok) /etc/raddb/mods-enabled/sradutmp
+%config(missingok) /etc/raddb/mods-enabled/totp
 %config(missingok) /etc/raddb/mods-enabled/unix
 %config(missingok) /etc/raddb/mods-enabled/unpack
 %config(missingok) /etc/raddb/mods-enabled/utf8
@@ -669,7 +636,6 @@ exit 0
 %{_libdir}/freeradius/rlm_cache_rbtree.so
 %{_libdir}/freeradius/rlm_chap.so
 %{_libdir}/freeradius/rlm_counter.so
-%{_libdir}/freeradius/rlm_cram.so
 %{_libdir}/freeradius/rlm_date.so
 %{_libdir}/freeradius/rlm_detail.so
 %{_libdir}/freeradius/rlm_dhcp.so
@@ -678,7 +644,6 @@ exit 0
 %{_libdir}/freeradius/rlm_eap.so
 %{_libdir}/freeradius/rlm_eap_fast.so
 %{_libdir}/freeradius/rlm_eap_gtc.so
-%{_libdir}/freeradius/rlm_eap_leap.so
 %{_libdir}/freeradius/rlm_eap_md5.so
 %{_libdir}/freeradius/rlm_eap_mschapv2.so
 %{_libdir}/freeradius/rlm_eap_peap.so
@@ -693,10 +658,10 @@ exit 0
 %{_libdir}/freeradius/rlm_expr.so
 %{_libdir}/freeradius/rlm_files.so
 %{_libdir}/freeradius/rlm_ippool.so
+%{_libdir}/freeradius/rlm_json.so
 %{_libdir}/freeradius/rlm_linelog.so
 %{_libdir}/freeradius/rlm_logintime.so
 %{_libdir}/freeradius/rlm_mschap.so
-%{_libdir}/freeradius/rlm_otp.so
 %{_libdir}/freeradius/rlm_pam.so
 %{_libdir}/freeradius/rlm_pap.so
 %{_libdir}/freeradius/rlm_passwd.so
@@ -709,15 +674,16 @@ exit 0
 %{_libdir}/freeradius/rlm_sql.so
 %{_libdir}/freeradius/rlm_sqlcounter.so
 %{_libdir}/freeradius/rlm_sqlippool.so
+%{_libdir}/freeradius/rlm_sql_map.so
 %{_libdir}/freeradius/rlm_sql_null.so
+%{_libdir}/freeradius/rlm_totp.so
 %{_libdir}/freeradius/rlm_unix.so
 %{_libdir}/freeradius/rlm_unpack.so
 %{_libdir}/freeradius/rlm_utf8.so
 %{_libdir}/freeradius/rlm_wimax.so
-
-%if ! 0%{?rhel}
 %{_libdir}/freeradius/rlm_yubikey.so
-%endif
+%{_libdir}/freeradius/rlm_dpsk.so
+%{_libdir}/freeradius/rlm_eap_teap.so
 
 # main man pages
 %doc %{_mandir}/man5/clients.conf.5.gz
@@ -738,6 +704,7 @@ exit 0
 %doc %{_mandir}/man5/rlm_passwd.5.gz
 %doc %{_mandir}/man5/rlm_realm.5.gz
 %doc %{_mandir}/man5/rlm_sql.5.gz
+%doc %{_mandir}/man5/rlm_unbound.5.gz
 %doc %{_mandir}/man5/rlm_unix.5.gz
 %doc %{_mandir}/man5/unlang.5.gz
 %doc %{_mandir}/man5/users.5.gz
@@ -745,6 +712,7 @@ exit 0
 %doc %{_mandir}/man8/radiusd.8.gz
 %doc %{_mandir}/man8/radmin.8.gz
 %doc %{_mandir}/man8/radrelay.8.gz
+%doc %{_mandir}/man8/rlm_sqlippool_tool.8.gz
 
 # MIB files
 %{_datadir}/snmp/mibs/*RADIUS*.mib
@@ -788,13 +756,12 @@ exit 0
 
 %{_libdir}/freeradius/rlm_perl.so
 
-%if %{with python2}
+%if 0%{?fedora} <= 30 && 0%{?rhel} < 8
 %files -n python2-freeradius
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/python
 /etc/raddb/mods-config/python/example.py*
 /etc/raddb/mods-config/python/radiusd.py*
 %{_libdir}/freeradius/rlm_python.so
-# endif: with python2
 %endif
 
 %files -n python3-freeradius
@@ -807,6 +774,7 @@ exit 0
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/mysql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/weeklycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
 
@@ -814,19 +782,55 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/queries.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/schema.sql
 
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql/queries.conf
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql/schema.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/queries.conf
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/schema.sql
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/setup.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle/queries.conf
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle/schema.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/queries.conf
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/schema.sql
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/setup.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite/queries.conf
+%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite/schema.sql
+
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/queries.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/schema.sql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure-no-skip-locked.sql
 
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/procedure.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/procedure-no-skip-locked.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mssql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/procedure.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/queries.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/schema.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/procedure.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/queries.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/schema.sql
 
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/setup.sql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/queries.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/schema.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/process-radacct.sql
 
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras/wimax
@@ -844,6 +848,7 @@ exit 0
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/postgresql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/dailycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/expire_on_login.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/weeklycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/monthlycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/noresetcounter.conf
 
@@ -860,6 +865,7 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/setup.sql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/queries.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/schema.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/process-radacct.sql
 
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql/extras
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf
@@ -871,6 +877,7 @@ exit 0
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/sqlite
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/dailycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/noresetcounter.conf
 
@@ -889,6 +896,9 @@ exit 0
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/sqlite
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/queries.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/schema.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/process-radacct-schema.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/process-radacct-close-after-reload.pl
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/process-radacct-new-data-usage-period.sh
 
 %{_libdir}/freeradius/rlm_sql_sqlite.so
 
@@ -904,89 +914,238 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 
 %changelog
-* Thu Jul 11 2023 Antonio Torres <antorres@redhat.com> - 3.0.20-15
-- Backport BlastRADIUS CVE fix
-  Resolves: RHEL-46572
+* Thu Aug 08 2024 Troy Dawson <tdawson@redhat.com> - 3.2.5-3
+- Bump release for Aug 2024 java mass rebuild
 
-* Fri Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-14
-- Fix defect found by Covscan
-  Resolves: #2151704
+* Wed Jul 10 2024 Antonio Torres <antorres@redhat.com> - 3.2.5-2
+- Disable unsupported Perl script
 
-* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-13
-- Fix multiple CVEs
-- Add rpminspect configuration
-  Resolves: #2151702
-  Resolves: #2151704
-  Resolves: #2151706
+* Tue Jul 09 2024 Antonio Torres <antorres@redhat.com> - 3.2.5-1
+- Rebase to release 3.2.5
+  Resolves: RHEL-46784
 
-* Thu Dec 9 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-12
-- Fix segfault when home_server is null
-  Resolves: bz#2030173
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.2.3-7
+- Bump release for June 2024 mass rebuild
 
-* Thu Nov 18 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-11
-- Fix unterminated strings in SQL queries
-  Resolves: bz#2021247
+* Thu Apr 04 2024 Antonio Torres <antorres@redhat.com> - 3.2.3-6
+- Remove SQL helper script from package
+  Resolves: RHEL-31745
 
-* Fri Nov 12 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-10
-- Rebuild to pick up latest json-c
-  Resolves: bz#2021818
+* Tue Apr 02 2024 Antonio Torres <antorres@redhat.com> - 3.2.3-5
+- Remove Antora docs from package
+  Resolves: RHEL-31184
 
-* Tue Aug 03 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-9
-- radiusd.service: don't fail if bootstrap script is not present
-  Resolves: bz#1954521
+* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 
-* Fri Jul 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-8
-- Extend info about boostrap script in README and comments
-  Resolves: bz#1954521
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 
-* Wed Jul 21 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-7
-- Ensure bootstrap script is run only once
-  Resolves: bz#1954521
+* Tue Dec 19 2023 Florian Weimer <fweimer@redhat.com> - 3.2.3-2
+- Fix C compatibility issue in configure script
 
-* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-6
-- Exit if host in FIPS mode and MD5 usage not explicitly allowed
-  Resolves: bz#1958979
+* Tue Oct 24 2023 Antonio Torres <antorres@redhat.com> - 3.2.3-1
+- Update to upstream release 3.2.3
 
-* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-5
+* Tue Sep 12 2023 Antonio Torres <antorres@redhat.com> - 3.2.2-5
+- Ease OpenSSL version check requirement
+  Resolves #2238511
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Jul 11 2023 Jitka Plesnikova <jplesnik@redhat.com> - 3.2.2-3
+- Perl 5.38 rebuild
+
+* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 3.2.2-2
+- Rebuilt for Python 3.12
+
+* Tue Mar 21 2023 Antonio Torres <antorres@redhat.com> - 3.2.2-1
+- Update to upstream release 3.2.2
+
+* Wed Mar 15 2023 Antonio Torres <antorres@redhat.com> - 3.2.1-4
+- Migrate to SPDX license
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Mon Oct 17 2022 Antonio Torres <antorres@redhat.com> - 3.2.1-2
+- Remove hack for Python3 support from specfile
+
+* Mon Oct 17 2022 Antonio Torres <antorres@redhat.com> - 3.2.1-1
+- Update to 3.2.1 upstream release
+  Resolves #2131850
+
+* Tue Sep 20 2022 Antonio Torres <antorres@redhat.com> - 3.2.0-4
+- Remove deprecated pcre-devel dependency
+  Resolves #2128292
+
+* Mon Sep 5 2022 Antonio Torres <antorres@redhat.com> - 3.2.0-3
+- configure: allow building with runstatedir option
+  Resolves: #2123374
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue Jul 19 2022 Antonio Torres <antorres@redhat.com> - 3.2.0-1
+- Rebase to 3.2.0 upstream release
+  Related: #2077687
+
+* Wed Jun 29 2022 Antonio Torres <antorres@redhat.com> - 3.0.25-8
+- Use GID / UID 95 as it's reserved for FreeRADIUS (https://pagure.io/setup/blob/07f8debf03dfb0e5ed36051c13c86c8cd00cd241/f/uidgid#_107)
+  Related: #2095741
+
+* Fri Jun 24 2022 Antonio Torres <antorres@redhat.com> - 3.0.25-7
+- Dynamically allocate users using sysusers.d format
+  Related: #2095741
+
+* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 3.0.25-6
+- Rebuilt for Python 3.11
+
+* Tue May 31 2022 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.25-5
+- Perl 5.36 rebuild
+
+* Fri Apr 22 2022 Antonio Torres <antorres@redhat.com> - 3.0.25-4
+- Use infinite timeout when using LDAP+start-TLS
+  Related: #1983063
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.25-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Oct 14 2021 Antonio Torres <antorres@redhat.com> - 3.0.25-2
+- Fix file conflict in SQL files
+  Resolves: bz#2014014 
+
+* Fri Oct 08 2021 Antonio Torres <antorres@redhat.com> - 3.0.25-1
+- Update to 3.0.25.
+  Resolves: bz#2011984
+
+* Thu Sep 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.24-1
+- Update to 3.0.24.
+  Resolves: bz#2009036
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 3.0.23-7
+- Rebuilt with OpenSSL 3.0.0
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.23-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu Jul 15 2021 Antonio Torres <antorres@redhat.com> - 3.0.23-5
 - Fix coredump not being able to be enabled
-  Resolves: bz#1977572
 
-* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-4
-- Fix some manpage typos
-  Resolves: bz#1843807
+* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 3.0.23-4
+- Rebuild for versioned symbols in json-c
 
-* Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
-- Require make for proper bootstrap execution, removes post script
-  Resolves: bz#1672285
+* Tue Jun 29 2021 Antonio Torres <antorres@redhat.com> - 3.0.23-2
+- Fix rpath not being removed correctly
 
-* Wed Aug 05 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-2
-- Fix breakage caused by OpenSSL FIPS regression
-  Related: bz#1855822
-  Related: bz#1810911
-  Resolves: bz#1672285
+* Tue Jun 29 2021 Antonio Torres <antorres@redhat.com> - 3.0.23-2
+- Remove RPATH usage from additional binaries
 
-* Mon Jun 08 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-1
-- Update to FreeRADIUS server version 3.0.20
-- Introduce Python 3 support; resolves: bz#1623069
-- DoS issues due to multithreaded BN_CTX access; resolves: bz#1818809
-- Create tmp files in /run; resolves: bz#1805975
+* Tue Jun 29 2021 Antonio Torres <antorres@redhat.com> - 3.0.23-1
+- Rebase to 3.0.23
+  Fixes: bz#1970528
 
-* Fri Nov 22 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-7
-- Fix information leak due to aborting when needing more than 10 iterations
-  Resolves: bz#1751797
+* Tue Jun 29 2021 Antonio Torres <antorres@redhat.com> - 3.0.22-5
+- Fix binaries not being correctly linked after RPATH removal
 
-* Fri Jun 14 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-6
-- Fix handling of IPv6-only hostnames with listen.ipaddr
-  Resolves: bz#1685546
+* Fri Jun 25 2021 Antonio Torres <antorres@redhat.com> - 3.0.22-4
+- Fix python3 not being correctly linked
 
-* Fri Jun 14 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-5
-- Fix possible privilege escalation due to insecure logrotate configuration
-  Resolves: bz#1719369
+* Mon Jun 07 2021 Python Maint <python-maint@redhat.com> - 3.0.22-2
+- Rebuilt for Python 3.10
 
-* Fri Dec 14 2018 Alexander Scheel <ascheel@redhat.com> - 3.0.17-4
-- Fixes two EAP-PWD security issues
-  Resolves: bz#1699417 authentication bypass with an invalid curve attack
-  Resolves: bz#1699421 fake authentication using reflection
+* Fri Jun 4 2021 Antonio Torres <antorres@redhat.com> - 3.0.22-1
+- Rebased to 3.0.22
+  Resolves: bz#1961190
+
+* Fri May 21 2021 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.21-12
+- Perl 5.34 rebuild
+
+* Wed Mar 10 2021 Robbie Harwood <rharwood@redhat.com> - 3.0.21-11
+- Disable automatic bootstrap
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.0.21-10
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 3.0.21-9
+- rebuild for libpq ABI fix rhbz#1908268
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.21-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Aug 04 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-7
+- Fix certificate permissions after make-based generation
+  Resolves: bz#1835249
+
+* Tue Aug 04 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-6
+- Fix certificate permissions after make-based generation
+  Resolves: bz#1835249
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.21-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.21-4
+- Perl 5.32 rebuild
+
+* Wed May 13 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-3
+- Fix certificate generation
+  Resolves: bz#1835249
+
+* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 3.0.21-2
+- Rebuild (json-c)
+
+* Wed Apr 01 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-1
+- Rebased to 3.0.21
+  Resolves: bz#1816745
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.20-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jan 11 2020 Paul Wouters <pwouters@redhat.com> - 3.0.20-2
+- fixup tmpfile to use /run instead of /var/run
+
+* Fri Nov 15 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.20-1
+- Rebased to 3.0.20
+  Resolves: bz#1772710
+- Introduced new rlm_python3 module
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.19-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.19-4
+- Perl 5.30 rebuild
+
+* Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-3
+- Update boostrap to change ownership of all certificates to root:radiusd
+
+* Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-2
+- Updated crypto-policies patch
+- Updated /etc/raddb/certs/bootstrap to only create certificates if missing: bz#1705165 bz#1672284
+- Updated logrotate definitions to run as radiusd:radiusd: bz#1705343
+- Drop python2 package on Fedora 31+
+- Add database dependencies: bz#1658697
+- Don't generate certificate during build
+
+* Wed Apr 10 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-1
+- Rebased to 3.0.19
+
+* Wed Mar 06 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.18-1
+- Rebased to 3.0.18
+
+* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 3.0.17-6
+- Rebuild for readline 8.0
+
+* Tue Feb 05 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-5
+- Unit file generates certificates if not present.
+  Resolves: bz#1672284
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.17-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 3.0.17-3
+- Rebuilt for libcrypt.so.2 (#1666033)
 
 * Fri Dec 14 2018 Alexander Scheel <ascheel@redhat.com> - 3.0.17-2
 - Updates radiusd.service to start after network-online.target
@@ -999,25 +1158,27 @@ exit 0
 
 * Mon Sep 17 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-18
 - Actually apply patches added previously.
-  Related: Bug#1612512 Man page scan results for freeradius
+  Related: Bug#1611286 Man page scan results for freeradius
 
 * Fri Sep 14 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-17
 - Fix a few minor manpage issues.
-  Resolves: Bug#1612512 Man page scan results for freeradius
+  Resolves: Bug#1611286 Man page scan results for freeradius
 
-* Wed Sep 12 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-16
-- Add make to Requires(post) to fix certificate generation on install.
-  Resolves: Bug#1628213 FreeRADIUS fails to start due to default certificate
-                        permissions
+* Fri Sep 07 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-16
+- Add make to BuildRequires and Requires(post) to fix build and certificate
+  generation on install.
+  Resolves: Bug#1574783 Installing freeradius without make results in an
+                        unworkable default configuration
 
-* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 3.0.15-15
-- Rebuild with fixed binutils
+* Tue Sep 04 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-15
+- Add gcc to BuildRequires.
+  Resolves: Bug#1622470 FTBFS freeradius (rawhide)
 
-* Wed Jul 25 2018 Petr Kubat <pkubat@redhat.com> - 3.0.15-14
-- Rebuilt for gdbm
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.15-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
-* Mon Jun 11 2018 Charalampos Stratakis <cstratak@redhat.com> - 3.0.15-13
-- Disable the python2 subpackage
+* Fri Jun 29 2018 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.15-13
+- Perl 5.28 rebuild
 
 * Tue Mar 06 2018 Björn Esser <besser82@fedoraproject.org> - 3.0.15-12
 - Rebuilt for libjson-c.so.4 (json-c v0.13.1)

freeradius.sysusers

@@ -0,0 +1,3 @@
+#Type Name     ID  GECOS           Home directory        Shell
+u     radiusd  95  "radiusd user"  /var/lib/radiusd      /sbin/nologin
+g     radiusd  95  -               -                     -

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

radiusd.service

@@ -6,7 +6,6 @@ After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.serv
 Type=forking
 PIDFile=/var/run/radiusd/radiusd.pid
 ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
-ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap
 ExecStartPre=/usr/sbin/radiusd -C
 ExecStart=/usr/sbin/radiusd -d /etc/raddb
 ExecReload=/usr/sbin/radiusd -C

rpminspect.yaml

@@ -0,0 +1,3 @@
+---
+inspections:
+    badfuncs: off

sources

@@ -0,0 +1 @@
+SHA512 (freeradius-server-3.2.5.tar.bz2) = 55e653630674a957dcd52ae58e5fd7b5a510b84aaa80e0552bce8089221e02f652618b53753f438981472a5f47df7c8426b9a5ecda0b06ad9f4c25b23604c86b

tests/auth-tests/Makefile

@@ -0,0 +1,36 @@
+# SPDX-License-Identifier: LGPL-2.1+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/freeradius
+#   Description: Test if freeradius authentication workd ok
+#   Author: Susant Sahani<susant@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+export TEST=/CoreOS/freeradius
+export TESTVERSION=1.0
+BUILT_FILES=
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+.PHONY: all install download clean
+run: $(FILES) build
+	./runtest.sh
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+clean:
+	rm -f *~ $(BUILT_FILES)
+include /usr/share/rhts/lib/rhts-make.include
+$(METADATA): Makefile
+	@echo "Owner:           Susant Sahani<susant@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Test if the ABI hasn't changed" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          freeradius" >> $(METADATA)
+	@echo "Requires:        freeradius" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -Fedora 28" >> $(METADATA)
+	rhts-lint $(METADATA)

tests/auth-tests/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/freeradius
+Description: tests for freeradius
+Author: Susant Sahani<susant@redhat.com>

tests/auth-tests/authorize

@@ -0,0 +1,2 @@
+fedora-ci Cleartext-Password := "password"
+       Reply-Message = "Hello, %{User-Name}"

tests/auth-tests/clients.conf

@@ -0,0 +1,6 @@
+client localhost {
+     ipaddr = 127.0.0.1
+     secret = testing123
+     require_message_authenticator = no
+     nastype = other
+}

tests/auth-tests/freeradius-tests.py

@@ -0,0 +1,67 @@
+#!/usr/bin/env python3
+# SPDX-License-Identifier: LGPL-2.1+
+# ~~~
+#   Description: Tests for freeradius
+#
+#   Author: Susant Sahani <susant@redhat.com>
+#   Copyright (c) 2018 Red Hat, Inc.
+# ~~~
+
+import errno
+import os
+import sys
+import time
+import unittest
+import subprocess
+import signal
+import shutil
+import socket
+
+RADIUSD_PID_FILE='/var/run/radiusd/radiusd.pid'
+
+def setUpModule():
+    """Initialize the environment, and perform sanity checks on it."""
+
+    if shutil.which('radiusd') is None:
+        raise OSError(errno.ENOENT, 'radiusd not found')
+
+    if shutil.which('radtest') is None:
+        raise OSError(errno.ENOENT, 'radtest not found')
+
+    if subprocess.call(['systemctl', 'is-active', '--quiet',
+                        'radiusd.service']) == 0:
+        raise unittest.SkipTest('radiusd.service is already active')
+
+def tearDownModule():
+        pass
+
+class GenericUtilities():
+    """Provide a set of utility functions start stop daemons. write config files etc """
+
+    def StartRadiusServer(self):
+        """Start radiusd"""
+        subprocess.check_output(['systemctl', 'start', 'radiusd'])
+
+    def StopRadiusServer(self):
+        """stop radiusd"""
+        subprocess.check_output(['systemctl', 'stop', 'radiusd'])
+
+class RadiousTests(unittest.TestCase, GenericUtilities):
+
+    def setUp(self):
+        self.StartRadiusServer()
+
+    def tearDown(self):
+        self.StopRadiusServer()
+
+    def test_radius_plaintext_auth(self):
+        time.sleep(1)
+        output=subprocess.check_output(['radtest', 'fedora-ci', 'password', '127.0.0.1',  '100', 'testing123']).rstrip().decode('utf-8')
+        print(output)
+
+        self.assertRegex(output, "Received Access-Accept")
+        self.assertRegex(output, "Reply-Message = \"Hello, fedora-ci\"")
+
+if __name__ == '__main__':
+    unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout,
+                                                     verbosity=3))

tests/auth-tests/runtest.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1+
+# ~~~
+#   runtest.sh of freeradius
+#   Description:  RADIUS server
+#
+#   Author: Susant Sahani <susant@redhat.com>
+#   Copyright (c) 2018 Red Hat, Inc.
+# ~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="freeradius"
+
+RADIUS_CLIENT_CONF="/etc/raddb/clients.conf"
+RADIUD_PALIN_TEXT_AUTH_FILE="/etc/raddb/mods-config/files/authorize"
+
+generate_cert(){
+    pushd /etc/raddb/certs/
+    #remove certificates if exists;generate new certificates
+    if [[ -f /etc/raddb/certs/bootstrap ]]; then
+        rlLog "Destroy and create new default certificates via bootstrap script"
+        rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* dh
+        rlRun "sh /etc/raddb/certs/bootstrap" 0 "Gnenerating certificates"
+    else
+        rlLogWarning "!!! WARNING bootsrap file does not exist !!!"
+        rlLog "Destroy and create new default certificates via make scripts"
+        make destroycerts -C /etc/raddb/certs/
+        #create new certificates
+        make -C /etc/raddb/certs/
+        chown root:radiusd dh ca.* client.* server.*
+        chmod 640 dh ca.* client.* server.*
+    fi
+    popd
+}
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm $PACKAGE
+        rlRun "systemctl stop firewalld" 0,5
+        rlRun "systemctl stop radiusd.service"
+        rlRun "setenforce 0"
+        rlFileBackup "$RADIUS_CLIENT_CONF"
+        rlFileBackup "$RADIUD_PALIN_TEXT_AUTH_FILE"
+
+        rlRun "cp freeradius-tests.py /usr/bin/"
+        rlRun "cp clients.conf $RADIUS_CLIENT_CONF"
+        rlRun "cp authorize $RADIUD_PALIN_TEXT_AUTH_FILE"
+        rlRun "systemctl daemon-reload"
+        generate_cert
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlLog "Starting radius auth tests ..."
+        rlRun "/usr/bin/python3 /usr/bin/freeradius-tests.py"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "rm /usr/bin/freeradius-tests.py"
+        rlRun "systemctl start firewalld" 0,5
+        rlRun "setenforce 1"
+        rlFileRestore
+        rlLog "freeradius tests done"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
+rlGetTestState

tests/tests.yml

@@ -0,0 +1,12 @@
+- hosts: localhost
+  roles:
+    - role: standard-test-beakerlib
+      tags:
+      - classic
+      tests:
+      - auth-tests
+      required_packages:
+      - python3
+      - systemd
+      - freeradius
+      - freeradius-utils