Compare commits
No commits in common. "c8-stream-3.0" and "imports/c9-beta/freeradius-3.0.21-37.el9" have entirely different histories.
|
@ -1 +1 @@
|
|||
3dd0e18fa04aff410876309e4322313b700db2b7 SOURCES/freeradius-server-3.0.20.tar.bz2
|
||||
3d90d63bf1452794cf9d0b04147745a254872c3f SOURCES/freeradius-server-3.0.21.tar.bz2
|
||||
|
|
|
@ -1 +1 @@
|
|||
SOURCES/freeradius-server-3.0.20.tar.bz2
|
||||
SOURCES/freeradius-server-3.0.21.tar.bz2
|
||||
|
|
|
@ -1,39 +0,0 @@
|
|||
Author: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri Jul 2 07:12:48 2021 -0400
|
||||
Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
|
||||
|
||||
FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
|
||||
explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
|
||||
variable to 1 or else FR should exit at start.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
|
||||
Signed-off-by: Antonio Torres antorres@redhat.com
|
||||
---
|
||||
src/main/radiusd.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
|
||||
index 9739514509..58a48895e6 100644
|
||||
--- a/src/main/radiusd.c
|
||||
+++ b/src/main/radiusd.c
|
||||
@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
|
||||
+ */
|
||||
+ char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
|
||||
+ FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
|
||||
+ if (fips_file != NULL) {
|
||||
+ int fips_enabled = fgetc(fips_file) - '0';
|
||||
+ fclose(fips_file);
|
||||
+ if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
|
||||
+ fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* According to the talloc peeps, no two threads may modify any part of
|
||||
* a ctx tree with a common root without synchronisation.
|
|
@ -1,51 +0,0 @@
|
|||
From e2de6fab148e800380f1929fe4ea88a38de42053 Mon Sep 17 00:00:00 2001
|
||||
From: "Alan T. DeKok" <aland@freeradius.org>
|
||||
Date: Wed, 20 Nov 2019 13:59:54 -0500
|
||||
Subject: [PATCH] a better fix for commit 30ffd21
|
||||
|
||||
Which still runs post-proxy-type fail if all of the home servers
|
||||
are dead
|
||||
|
||||
[antorres@redhat.com: solved in FR 3.0.21, resolves bz#2030173]
|
||||
[antorres@redhat.com: removed first hunk of commit, already present]
|
||||
---
|
||||
src/main/process.c | 9 +++------
|
||||
1 file changed, 3 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/main/process.c b/src/main/process.c
|
||||
index c8b3af24e2..1a48517d43 100644
|
||||
--- a/src/main/process.c
|
||||
+++ b/src/main/process.c
|
||||
@@ -2475,13 +2474,12 @@ static int process_proxy_reply(REQUEST *request, RADIUS_PACKET *reply)
|
||||
}
|
||||
|
||||
old_server = request->server;
|
||||
- rad_assert(request->home_server != NULL);
|
||||
|
||||
/*
|
||||
* If the home server is virtual, just run pre_proxy from
|
||||
* that section.
|
||||
*/
|
||||
- if (request->home_server->server) {
|
||||
+ if (request->home_server && request->home_server->server) {
|
||||
request->server = request->home_server->server;
|
||||
|
||||
} else {
|
||||
@@ -3182,13 +3180,12 @@ do_home:
|
||||
}
|
||||
|
||||
old_server = request->server;
|
||||
- rad_assert(request->home_server != NULL);
|
||||
|
||||
/*
|
||||
* If the home server is virtual, just run pre_proxy from
|
||||
* that section.
|
||||
*/
|
||||
- if (request->home_server->server) {
|
||||
+ if (request->home_server && request->home_server->server) {
|
||||
request->server = request->home_server->server;
|
||||
|
||||
} else {
|
||||
--
|
||||
2.31.1
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
From 3fd832baf898fe6d6f974cd2d36d1c5206bc2209 Mon Sep 17 00:00:00 2001
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 12 Nov 2021 16:23:05 +0100
|
||||
Subject: [PATCH] Fix unterminated strings in SQL queries
|
||||
|
||||
Resolves: bz#2021247
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
raddb/mods-config/sql/ippool/mysql/queries.conf | 2 +-
|
||||
raddb/mods-config/sql/ippool/sqlite/queries.conf | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/raddb/mods-config/sql/ippool/mysql/queries.conf b/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||
index 2dfc6574dd..444812a047 100644
|
||||
--- a/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||
+++ b/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||
@@ -114,7 +114,7 @@ allocate_update = "\
|
||||
nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool_key}', \
|
||||
callingstationid = '%{Calling-Station-Id}', \
|
||||
username = '%{User-Name}', expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \
|
||||
- WHERE framedipaddress = '%I'
|
||||
+ WHERE framedipaddress = '%I'"
|
||||
|
||||
#
|
||||
# Use a stored procedure to find AND allocate the address. Read and customise
|
||||
diff --git a/raddb/mods-config/sql/ippool/sqlite/queries.conf b/raddb/mods-config/sql/ippool/sqlite/queries.conf
|
||||
index 31a5df3659..e92466108b 100644
|
||||
--- a/raddb/mods-config/sql/ippool/sqlite/queries.conf
|
||||
+++ b/raddb/mods-config/sql/ippool/sqlite/queries.conf
|
||||
@@ -89,7 +89,7 @@ allocate_update = "\
|
||||
callingstationid = '%{Calling-Station-Id}', \
|
||||
username = '%{User-Name}', \
|
||||
expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \
|
||||
- WHERE framedipaddress = '%I'
|
||||
+ WHERE framedipaddress = '%I'"
|
||||
|
||||
#
|
||||
# This series of queries frees an IP number when an accounting START record arrives
|
||||
--
|
||||
2.31.1
|
||||
|
|
@ -1,20 +1,18 @@
|
|||
From 3f40655ad0708b74a4a41b13c2b21995b157c14d Mon Sep 17 00:00:00 2001
|
||||
From acaf4be8e301a01041acba189194d9502994611d Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 5 Aug 2020 15:53:45 -0400
|
||||
Date: Wed, 13 May 2020 10:01:47 -0400
|
||||
Subject: [PATCH] Don't clobber existing files on bootstrap
|
||||
|
||||
Rebased: v3.0.20
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
raddb/certs/bootstrap | 35 +++++++++++++++++++----------------
|
||||
1 file changed, 19 insertions(+), 16 deletions(-)
|
||||
raddb/certs/bootstrap | 31 +++++++++++++++----------------
|
||||
1 file changed, 15 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 0f719aa..336a2bd 100755
|
||||
index ede09bc..e555491 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -31,52 +31,55 @@ fi
|
||||
@@ -20,56 +20,55 @@ cd `dirname $0`
|
||||
# Don't edit the following text. Instead, edit the Makefile, and
|
||||
# re-generate these commands.
|
||||
#
|
||||
|
@ -32,7 +30,7 @@ index 0f719aa..336a2bd 100755
|
|||
-if [ ! -f server.key ]; then
|
||||
+if [ ! -e server.key ]; then
|
||||
openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
|
||||
+ chmod g+r server.key
|
||||
chmod g+r server.key
|
||||
fi
|
||||
|
||||
-if [ ! -f ca.key ]; then
|
||||
|
@ -58,14 +56,14 @@ index 0f719aa..336a2bd 100755
|
|||
-if [ ! -f server.p12 ]; then
|
||||
+if [ ! -e server.p12 ]; then
|
||||
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
|
||||
+ chmod g+r server.p12
|
||||
chmod g+r server.p12
|
||||
fi
|
||||
|
||||
-if [ ! -f server.pem ]; then
|
||||
+if [ ! -e server.pem ]; then
|
||||
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
|
||||
openssl verify -CAfile ca.pem server.pem || exit 1
|
||||
+ chmod g+r server.pem
|
||||
chmod g+r server.pem
|
||||
fi
|
||||
|
||||
-if [ ! -f ca.der ]; then
|
||||
|
@ -76,7 +74,7 @@ index 0f719aa..336a2bd 100755
|
|||
-if [ ! -f client.key ]; then
|
||||
+if [ ! -e client.key ]; then
|
||||
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
|
||||
+ chmod g+r client.key
|
||||
chmod g+r client.key
|
||||
fi
|
||||
|
||||
-if [ ! -f client.crt ]; then
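Review bot: The patch header on the new side still reads `Rebased: v3.0.20` (it is printed once, so it is unchanged) although the new diffstat `15 insertions(+), 16 deletions(-)` and `index ede09bc..e555491` show the diff was regenerated against the 3.0.21 tree; update it to `Rebased: v3.0.21` so the header matches the tree the hunks apply to. The functional content of the rebased patch is the `-f` → `-e` switch in the bootstrap tests (`if [ ! -e server.key ]; then` and the same for server.p12, server.pem and client.key): `-e` also skips generation for a directory or a live symlink, which is what "don't clobber" wants, but it is false for a dangling symlink, so `openssl req -keyout server.key` would then write through the link — if that matters for the test-cert directory, test `-e` together with `-L`. The four `+ chmod g+r` lines that disappear on the new side appear to be dropped because 3.0.21 already carries them as context; that is consistent with the 19→15 insertion count but inferred from the counts rather than shown. The bootstrap script itself starts and ends outside these hunks.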
|
||||
|
|
|
@ -1,52 +0,0 @@
|
|||
From b31f1ab9a0e1c010037d2d660e3ce4ea7eb07d6c Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 5 Aug 2020 16:10:52 -0400
|
||||
Subject: [PATCH] Use fixed FIPS-approved dhparam by default
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
raddb/certs/Makefile | 2 +-
|
||||
raddb/certs/bootstrap | 7 +++++--
|
||||
2 files changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
|
||||
index 5cbfd46..41b7aea 100644
|
||||
--- a/raddb/certs/Makefile
|
||||
+++ b/raddb/certs/Makefile
|
||||
@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
|
||||
#
|
||||
######################################################################
|
||||
dh:
|
||||
- $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
|
||||
+ cp rfc3526-group-18-8192.dhparam dh
|
||||
|
||||
######################################################################
|
||||
#
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 9920ecf..59b3310 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -13,6 +13,10 @@
|
||||
umask 027
|
||||
cd `dirname $0`
|
||||
|
||||
+if [ ! -e random ]; then
|
||||
+ ln -sf /dev/urandom random
|
||||
+fi
|
||||
+
|
||||
make -h > /dev/null 2>&1
|
||||
|
||||
#
|
||||
@@ -35,8 +39,7 @@ fi
|
||||
# re-generate these commands.
|
||||
#
|
||||
if [ ! -e dh ]; then
|
||||
- openssl dhparam -out dh 2048 || exit 1
|
||||
- ln -sf /dev/urandom random
|
||||
+ cp rfc3526-group-18-8192.dhparam dh
|
||||
fi
|
||||
|
||||
if [ ! -e server.key ]; then
|
||||
--
|
||||
2.26.2
|
||||
|
|
@ -0,0 +1,136 @@
|
|||
From e089777942552c4fe3e58aa328566e7bb745dbf8 Mon Sep 17 00:00:00 2001
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 22 Apr 2022 12:27:43 +0200
|
||||
Subject: [PATCH] bootstrap: pass -noenc to certificate generation
|
||||
|
||||
Bootstrap script would fail to generate certificates if run on systems
|
||||
with FIPS enabled. By passing the -noenc option, we can skip the usage
|
||||
of unsupported algorithms on these systems.
|
||||
|
||||
After generating the certificates, correct permissions are set.
|
||||
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
|
||||
[antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch.
|
||||
In bootstrap diff, -f is changed to -e in conditionals.
|
||||
---
|
||||
raddb/certs/Makefile | 20 ++++++++++++++++----
|
||||
raddb/certs/bootstrap | 6 +++---
|
||||
2 files changed, 19 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
|
||||
index 5cbfd467ce..cb10394ec3 100644
|
||||
--- a/raddb/certs/Makefile
|
||||
+++ b/raddb/certs/Makefile
|
||||
@@ -60,6 +60,8 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
|
||||
######################################################################
|
||||
dh:
|
||||
$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
|
||||
+ chown root:radiusd dh
|
||||
+ chmod 640 dh
|
||||
|
||||
######################################################################
|
||||
#
|
||||
@@ -71,8 +73,10 @@ ca.key ca.pem: ca.cnf
|
||||
@[ -f serial ] || $(MAKE) serial
|
||||
$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
|
||||
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
|
||||
- -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
|
||||
+ -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc
|
||||
chmod g+r ca.key
|
||||
+ chown root:radiusd ca.*
|
||||
+ chmod 640 ca.*
|
||||
|
||||
ca.der: ca.pem
|
||||
$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
|
||||
@@ -81,6 +85,8 @@ ca.crl: ca.pem
|
||||
$(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
|
||||
$(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
|
||||
rm ca-crl.pem
|
||||
+ chown root:radiusd ca.*
|
||||
+ chmod 640 ca.*
|
||||
|
||||
######################################################################
|
||||
#
|
||||
@@ -88,7 +94,7 @@ ca.crl: ca.pem
|
||||
#
|
||||
######################################################################
|
||||
server.csr server.key: server.cnf
|
||||
- $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf
|
||||
+ $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf -noenc
|
||||
chmod g+r server.key
|
||||
|
||||
server.crt: server.csr ca.key ca.pem
|
||||
@@ -101,6 +107,8 @@ server.p12: server.crt
|
||||
server.pem: server.p12
|
||||
$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
|
||||
chmod g+r server.pem
|
||||
+ chown root:radiusd server.*
|
||||
+ chmod 640 server.*
|
||||
|
||||
.PHONY: server.vrfy
|
||||
server.vrfy: ca.pem
|
||||
@@ -113,7 +121,7 @@ server.vrfy: ca.pem
|
||||
#
|
||||
######################################################################
|
||||
client.csr client.key: client.cnf
|
||||
- $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf
|
||||
+ $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
|
||||
chmod g+r client.key
|
||||
|
||||
client.crt: client.csr ca.pem ca.key
|
||||
@@ -127,6 +135,8 @@ client.pem: client.p12
|
||||
$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
|
||||
chmod g+r client.pem
|
||||
cp client.pem $(USER_NAME).pem
|
||||
+ chown root:radiusd client.*
|
||||
+ chmod 640 client.*
|
||||
|
||||
.PHONY: client.vrfy
|
||||
client.vrfy: ca.pem client.pem
|
||||
@@ -139,7 +149,7 @@ client.vrfy: ca.pem client.pem
|
||||
#
|
||||
######################################################################
|
||||
inner-server.csr inner-server.key: inner-server.cnf
|
||||
- $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
|
||||
+ $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf -noenc
|
||||
chmod g+r inner-server.key
|
||||
|
||||
inner-server.crt: inner-server.csr ca.key ca.pem
|
||||
@@ -152,6 +162,8 @@ inner-server.p12: inner-server.crt
|
||||
inner-server.pem: inner-server.p12
|
||||
$(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
|
||||
chmod g+r inner-server.pem
|
||||
+ chown root:radiusd inner-server.*
|
||||
+ chmod 640 inner-server.*
|
||||
|
||||
.PHONY: inner-server.vrfy
|
||||
inner-server.vrfy: ca.pem
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 57de8cf0d7..c258ec45e0 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -41,12 +41,12 @@ if [ ! -f dh ]; then
|
||||
fi
|
||||
|
||||
if [ ! -e server.key ]; then
|
||||
- openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
|
||||
+ openssl req -new -out server.csr -keyout server.key -config ./server.cnf -noenc || exit 1
|
||||
chmod g+r server.key
|
||||
fi
|
||||
|
||||
if [ ! -e ca.key ]; then
|
||||
- openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
|
||||
+ openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf -noenc || exit 1
|
||||
fi
|
||||
|
||||
if [ ! -e index.txt ]; then
|
||||
@@ -77,7 +77,7 @@ if [ ! -f ca.der ]; then
|
||||
fi
|
||||
|
||||
if [ ! -e client.key ]; then
|
||||
- openssl req -new -out client.csr -keyout client.key -config ./client.cnf
|
||||
+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
|
||||
chmod g+r client.key
|
||||
fi
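Review bot: The `chown root:radiusd ca.*` / `chmod 640 ca.*` lines added after the `ca.key ca.pem` and `ca.crl` targets in the Makefile hunk give the radiusd group read access to `ca.key`, which this same patch now writes unencrypted (`-noenc`); the daemon only needs `ca.pem`, `ca.der` and `ca.crl`, so tighten the CA signing key separately, e.g. `chmod 600 ca.key` as the last step of both targets. The `chown` calls are unconditional, so `make` in raddb/certs now aborts for any non-root caller (it previously needed only write access to the directory); if that is intended, say so in the Makefile header comment, otherwise prefix them with `-` or guard on `id -u`. `-noenc` is the OpenSSL 3 spelling of the older `-nodes`, so these hunks assume the c9 OpenSSL; a one-line comment at the first use would save the next rebase a surprise. The bootstrap hunks only add `-noenc` and keep `chmod g+r`, while the Makefile now does the chown/640 — presumably the script's `umask 027` is meant to cover it, but the two generation paths no longer yield the same ownership, and the commit message's "correct permissions are set" only describes the Makefile path.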
|
||||
|
|
@ -1,72 +0,0 @@
|
|||
Author: Antonio Torres <antorres@redhat.com>
|
||||
Date: Wed Jul 20 2021
|
||||
Subject: [PATCH] ensure bootstrap script is run only once
|
||||
|
||||
The bootstrap script should only run once. By checking if there are
|
||||
certificates in the directory, we can exit early if certificates were
|
||||
already generated.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
|
||||
Signed-off-by: Antonio Torres antorres@redhat.com
|
||||
---
|
||||
raddb/certs/README | 16 ++++++----------
|
||||
raddb/certs/bootstrap | 18 ++++++++++++------
|
||||
2 files changed, 18 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/raddb/certs/README b/raddb/certs/README
|
||||
index 6288921da1..32413964dd 100644
|
||||
--- a/raddb/certs/README
|
||||
+++ b/raddb/certs/README
|
||||
@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
|
||||
your users, and to issue client certificates for EAP-TLS.
|
||||
|
||||
If FreeRADIUS was configured to use OpenSSL, then simply starting
|
||||
-the server in root in debugging mode should also create test
|
||||
-certificates, i.e.:
|
||||
+the server in root mode should also create test certificates.
|
||||
|
||||
-$ radiusd -X
|
||||
-
|
||||
- That will cause the EAP-TLS module to run the "bootstrap" script in
|
||||
-this directory. The script will be executed only once, the first time
|
||||
-the server has been installed on a particular machine. This bootstrap
|
||||
-script SHOULD be run on installation of any pre-built binary package
|
||||
-for your OS. In any case, the script will ensure that it is not run
|
||||
-twice, and that it does not over-write any existing certificates.
|
||||
+ The start of FreeRADIUS will cause to run the "bootstrap" script.
|
||||
+The script will be executed during every start of FreeRADIUS via systemd but
|
||||
+the script will ensure that it does not overwrite any existing certificates.
|
||||
+Ideally, the bootstrap script file should be deleted after new testing certificates
|
||||
+have been generated.
|
||||
|
||||
If you already have CA and server certificates, rename (or delete)
|
||||
this directory, and create a new "certs" directory containing your
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 0f719aafd4..92254dc936 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -1,12 +1,18 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
-# This is a wrapper script to create default certificates when the
|
||||
-# server first starts in debugging mode. Once the certificates have been
|
||||
-# created, this file should be deleted.
|
||||
+# Bootstrap script should be run only once. If there are already certificates
|
||||
+# generated, skip the execution.
|
||||
+#
|
||||
+cd `dirname $0`
|
||||
+if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
|
||||
+ exit 0
|
||||
+fi
|
||||
+
|
||||
#
|
||||
-# Ideally, this program should be run as part of the installation of any
|
||||
-# binary package. The installation should also ensure that the permissions
|
||||
-# and owners are correct for the files generated by this script.
|
||||
+# This is a wrapper script to create default certificates when the
|
||||
+# server starts via systemd. It should also ensure that the
|
||||
+# permissions and owners are correct for the generated files. Once
|
||||
+# the certificates have been created, this file should be deleted.
|
||||
#
|
||||
# $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
|
||||
#
|
|
@ -7,7 +7,7 @@ attribute which can cause the server to crash.
|
|||
|
||||
Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151706
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151707
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
diff --git a/src/lib/filters.c b/src/lib/filters.c
|
||||
|
|
|
@ -11,7 +11,7 @@ Backport of:
|
|||
https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
|
||||
https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151704
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151705
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
|
||||
|
|
|
@ -1,76 +0,0 @@
|
|||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 09 Dec 2022
|
||||
Subject: Fix information leakage in EAP-PWD
|
||||
|
||||
The EAP-PWD function compute_password_element() leaks information about the
|
||||
password which allows an attacker to substantially reduce the size of an
|
||||
offline dictionary attack.
|
||||
|
||||
Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
index d94851c3aa..9f86b62114 100644
|
||||
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
|
||||
#include <freeradius-devel/radiusd.h>
|
||||
#include <freeradius-devel/modules.h>
|
||||
|
||||
+static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
|
||||
+
|
||||
/* The random function H(x) = HMAC-SHA256(0^32, x) */
|
||||
static void H_Init(HMAC_CTX *ctx)
|
||||
{
|
||||
@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||
uint32_t *token)
|
||||
{
|
||||
BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
|
||||
- HMAC_CTX *ctx = NULL;
|
||||
+ EVP_MD_CTX *hmac_ctx;
|
||||
+ EVP_PKEY *hmac_pkey;
|
||||
uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
|
||||
int nid, is_odd, primebitlen, primebytelen, ret = 0;
|
||||
|
||||
- ctx = HMAC_CTX_new();
|
||||
- if (ctx == NULL) {
|
||||
- DEBUG("failed allocating HMAC context");
|
||||
- goto fail;
|
||||
- }
|
||||
+ MEM(hmac_ctx = EVP_MD_CTX_new());
|
||||
+ MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
|
||||
|
||||
switch (grp_num) { /* from IANA registry for IKE D-H groups */
|
||||
case 19:
|
||||
@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||
* pwd-seed = H(token | peer-id | server-id | password |
|
||||
* counter)
|
||||
*/
|
||||
- H_Init(ctx);
|
||||
- H_Update(ctx, (uint8_t *)token, sizeof(*token));
|
||||
- H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
|
||||
- H_Update(ctx, (uint8_t const *)id_server, id_server_len);
|
||||
- H_Update(ctx, (uint8_t const *)password, password_len);
|
||||
- H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
|
||||
- H_Final(ctx, pwe_digest);
|
||||
+ EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
|
||||
|
||||
BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
|
||||
if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
|
||||
@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||
BN_clear_free(x_candidate);
|
||||
BN_clear_free(rnd);
|
||||
talloc_free(prfbuf);
|
||||
- HMAC_CTX_free(ctx);
|
||||
+ EVP_MD_CTX_free(hmac_ctx);
|
||||
+ EVP_PKEY_free(hmac_pkey);
|
||||
|
||||
return ret;
|
||||
}
|
|
@ -0,0 +1,31 @@
|
|||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 28 Jan 2022
|
||||
Subject: Use infinite timeout when using LDAP+start-TLS
|
||||
|
||||
This will ensure that the TLS connection to the LDAP server will complete
|
||||
before starting FreeRADIUS, as it forces libldap to use a blocking socket during
|
||||
the process. Infinite timeout is the OpenLDAP default.
|
||||
Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
src/modules/rlm_ldap/ldap.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
|
||||
index cf7a84e069..841bf888a1 100644
|
||||
--- a/src/modules/rlm_ldap/ldap.c
|
||||
+++ b/src/modules/rlm_ldap/ldap.c
|
||||
@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
|
||||
}
|
||||
|
||||
#ifdef LDAP_OPT_NETWORK_TIMEOUT
|
||||
- if (inst->net_timeout) {
|
||||
+ bool using_tls = inst->start_tls ||
|
||||
+ inst->port == 636 ||
|
||||
+ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
|
||||
+ if (inst->net_timeout && !using_tls) {
|
||||
memset(&tv, 0, sizeof(tv));
|
||||
tv.tv_sec = inst->net_timeout;
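Review bot: The new `using_tls` condition disables `net_timeout` for the whole connection setup whenever TLS is in play, so a server that accepts the TCP connection but never completes the TLS handshake blocks `mod_conn_create` indefinitely; the trade-off the commit message explains should be stated at the code, e.g. `/* libldap negotiates StartTLS/LDAPS on a blocking socket; a finite LDAP_OPT_NETWORK_TIMEOUT makes that handshake fail, so keep the OpenLDAP default (infinite) for TLS connections. */`. `strncmp(inst->server, "ldaps://", strlen("ldaps://"))` dereferences `inst->server` without a NULL check — fine if the config parser already rejects a missing server, but worth confirming. The match is also case-sensitive and looks only at the start of the string, so `LDAPS://` or a space-separated server list whose first entry is plain `ldap://` still gets the finite timeout. mod_conn_create's body starts and ends outside the hunk.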
|
||||
|
|
@ -26,7 +26,6 @@
|
|||
su radiusd radiusd
|
||||
}
|
||||
|
||||
|
||||
/var/log/radius/radius.log {
|
||||
monthly
|
||||
rotate 4
|
||||
|
|
|
@ -1,93 +0,0 @@
|
|||
From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
|
||||
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||||
Date: Fri, 14 Sep 2018 11:53:28 +0300
|
||||
Subject: [PATCH] man: Fix some typos
|
||||
|
||||
---
|
||||
man/man1/radzap.1 | 4 ++--
|
||||
man/man5/unlang.5 | 6 +++---
|
||||
man/man8/radcrypt.8 | 2 +-
|
||||
man/man8/radiusd.8 | 4 ++--
|
||||
4 files changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/man/man1/radzap.1 b/man/man1/radzap.1
|
||||
index a2d529d064..03b9a43a54 100644
|
||||
--- a/man/man1/radzap.1
|
||||
+++ b/man/man1/radzap.1
|
||||
@@ -1,4 +1,4 @@
|
||||
-.TH RADZAP 1 "8 April 2005" "" "FreeRadius Daemon"
|
||||
+.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon"
|
||||
.SH NAME
|
||||
radzap - remove rogue entries from the active sessions database
|
||||
.SH SYNOPSIS
|
||||
@@ -17,7 +17,7 @@ radzap - remove rogue entries from the active sessions database
|
||||
.RB [ \-x ]
|
||||
\fIserver[:port] secret\fP
|
||||
.SH DESCRIPTION
|
||||
-The FreeRadius server can be configured to maintain an active session
|
||||
+The FreeRADIUS server can be configured to maintain an active session
|
||||
database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1)
|
||||
use this database. Sometimes that database can get out of sync, and
|
||||
then it might contain rogue entries. \fBradzap\fP can clean up this
|
||||
diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
|
||||
index 40db5fa6e7..5f765f1787 100644
|
||||
--- a/man/man5/unlang.5
|
||||
+++ b/man/man5/unlang.5
|
||||
@@ -195,7 +195,7 @@ The <list> can be one of "request", "reply", "proxy-request",
|
||||
of Version 3, the <list> can be omitted, in which case "request" is
|
||||
assumed.
|
||||
|
||||
-The "control" list is the list of attributes maintainted internally by
|
||||
+The "control" list is the list of attributes maintained internally by
|
||||
the server that controls how the server processes the request. Any
|
||||
attribute that does not go in a packet on the network will generally
|
||||
be placed in the "control" list.
|
||||
@@ -397,7 +397,7 @@ Evaluates to true if 'foo' is a non-empty string (single quotes, double
|
||||
quotes, or back-quoted). Also evaluates to true if 'foo' is a
|
||||
non-zero number. Note that the language is poorly typed, so the
|
||||
string "0000" can be interpreted as a numerical zero. This issue can
|
||||
-be avoided by comparings strings to an empty string, rather than by
|
||||
+be avoided by comparing strings to an empty string, rather than by
|
||||
evaluating the string by itself.
|
||||
|
||||
If the word 'foo' is not a quoted string, then it can be taken as a
|
||||
@@ -854,7 +854,7 @@ failover tracking that nothing was done in the current section.
|
||||
.IP ok
|
||||
Instructs the server that the request was processed properly. This
|
||||
keyword can be used to over-ride earlier failures, if the local
|
||||
-administrator determines that the faiures are not catastrophic.
|
||||
+administrator determines that the failures are not catastrophic.
|
||||
.IP reject
|
||||
Causes the request to be immediately rejected
|
||||
.SH MODULE RETURN CODES
|
||||
diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
|
||||
index 08336c66f2..2917f60c46 100644
|
||||
--- a/man/man8/radcrypt.8
|
||||
+++ b/man/man8/radcrypt.8
|
||||
@@ -30,7 +30,7 @@ Use a MD5 (Message Digest 5) hash.
|
||||
Ignored if performing a password check.
|
||||
.IP "\-c --check"
|
||||
Perform a validation check on a password hash to verify if it matches
|
||||
-the plantext password.
|
||||
+the plaintext password.
|
||||
|
||||
.SH EXAMPLES
|
||||
.nf
|
||||
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
|
||||
index 98aef5e1be..2ef5ccf789 100644
|
||||
--- a/man/man8/radiusd.8
|
||||
+++ b/man/man8/radiusd.8
|
||||
@@ -211,11 +211,11 @@ This file is usually static. It defines all the possible RADIUS attributes
|
||||
used in the other configuration files. You don't have to modify it.
|
||||
It includes other dictionary files in the same directory.
|
||||
.IP hints
|
||||
-Defines certain hints to the radius server based on the users's loginname
|
||||
+Defines certain hints to the radius server based on the users' loginname
|
||||
or other attributes sent by the access server. It also provides for
|
||||
mapping user names (such as Pusername -> username). This provides the
|
||||
functionality that the \fILivingston 2.0\fP server has as "Prefix" and
|
||||
-"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
|
||||
+"Suffix" support in the \fIusers\fP file, but is more general. Of course
|
||||
the Livingston way of doing things is also supported, and you can even use
|
||||
both at the same time (within certain limits).
|
||||
.IP huntgroups
|
|
@ -1,45 +0,0 @@
|
|||
From 42693cba452efa00a4848beb1514229149520cc1 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 5 Aug 2020 11:39:45 -0400
|
||||
Subject: [PATCH] Ignore user-provided dhparams in FIPS mode (#3554)
|
||||
|
||||
OpenSSL in RHEL 8.3 introduces a breaking change in FIPS mode:
|
||||
user-provided dhparams will be ignored (and dhparam generation
|
||||
may fail as well), unless they are on the FIPS approved list of
|
||||
parameters. However, OpenSSL since v1.1.1 will automatically select
|
||||
an appropriate DH parameter set anyways, if the user did not provide
|
||||
any. These will be FIPS approved.
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
src/main/tls.c | 17 +++++++++++++++++
|
||||
1 file changed, 17 insertions(+)
|
||||
|
||||
diff --git a/src/main/tls.c b/src/main/tls.c
|
||||
index 5809a1bd7d..5e6493333c 100644
|
||||
--- a/src/main/tls.c
|
||||
+++ b/src/main/tls.c
|
||||
@@ -1352,6 +1352,23 @@ static int load_dh_params(SSL_CTX *ctx, char *file)
|
||||
|
||||
if (!file) return 0;
|
||||
|
||||
+ /*
|
||||
+ * Prior to trying to load the file, check what OpenSSL will do with it.
|
||||
+ *
|
||||
+ * Certain downstreams (such as RHEL) will ignore user-provided dhparams
|
||||
+ * in FIPS mode, unless the specified parameters are FIPS-approved.
|
||||
+ * However, since OpenSSL >= 1.1.1 will automatically select parameters
|
||||
+ * anyways, there's no point in attempting to load them.
|
||||
+ *
|
||||
+ * Change suggested by @t8m
|
||||
+ */
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
|
||||
+ if (FIPS_mode() > 0) {
|
||||
+ WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if ((bio = BIO_new_file(file, "r")) == NULL) {
|
||||
ERROR(LOG_PREFIX ": Unable to open DH file - %s", file);
|
||||
return -1;
|
|
@ -1 +1,2 @@
|
|||
D /run/radiusd 0710 radiusd radiusd -
|
||||
D /run/radiusd/tmp 0700 radiusd radiusd -
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
#Type Name ID GECOS Home directory Shell
|
||||
u radiusd 95 "radiusd user" /var/lib/radiusd /sbin/nologin
|
||||
g radiusd 95 - - -
|
|
@ -4,9 +4,8 @@ After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.serv
|
|||
|
||||
[Service]
|
||||
Type=forking
|
||||
PIDFile=/var/run/radiusd/radiusd.pid
|
||||
PIDFile=/run/radiusd/radiusd.pid
|
||||
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
|
||||
ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap
|
||||
ExecStartPre=/usr/sbin/radiusd -C
|
||||
ExecStart=/usr/sbin/radiusd -d /etc/raddb
|
||||
ExecReload=/usr/sbin/radiusd -C
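Review bot: The configuration checks `ExecStartPre=/usr/sbin/radiusd -C` and `ExecReload=/usr/sbin/radiusd -C` run against the compiled-in default configuration directory, while `ExecStart=/usr/sbin/radiusd -d /etc/raddb` names it explicitly, so if the built-in default ever differs from /etc/raddb the pre-start check validates a different configuration than the daemon then loads. Passing the same directory on all three lines removes that ambiguity: `ExecStartPre=/usr/sbin/radiusd -C -d /etc/raddb` and `ExecReload=/usr/sbin/radiusd -C -d /etc/raddb`. Note also that the `-` prefix on `ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap` makes certificate-generation failures non-fatal, so the `-C` check is the only gate before start; presumably that is intended, with a missing certificate expected to fail that check. The [Service] section continues outside this hunk, and no User= line is visible here.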
|
||||
|
|
|
@ -1,24 +0,0 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
|
||||
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
|
||||
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
|
||||
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
|
||||
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
|
||||
5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
|
||||
fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
|
||||
ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
|
||||
ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
|
||||
+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
|
||||
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG
|
||||
3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU
|
||||
7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId
|
||||
A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha
|
||||
xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/
|
||||
8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R
|
||||
WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk
|
||||
ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw
|
||||
xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4
|
||||
Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i
|
||||
aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU
|
||||
38gfVuiAuW5xYMmA3Zjt09///////////wIBAg==
|
||||
-----END DH PARAMETERS-----
|
|
@ -1,17 +1,8 @@
|
|||
%if 0%{?rhel} > 7
|
||||
# Disable python2 build by default
|
||||
%bcond_with python2
|
||||
%else
|
||||
%bcond_without python2
|
||||
%endif
|
||||
|
||||
|
||||
Summary: High-performance and highly configurable free RADIUS server
|
||||
Name: freeradius
|
||||
Version: 3.0.20
|
||||
Release: 14%{?dist}
|
||||
Version: 3.0.21
|
||||
Release: 37%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
Group: System Environment/Daemons
|
||||
URL: http://www.freeradius.org/
|
||||
|
||||
# Is elliptic curve cryptography supported?
|
||||
|
@ -28,25 +19,19 @@ Source100: radiusd.service
|
|||
Source102: freeradius-logrotate
|
||||
Source103: freeradius-pam-conf
|
||||
Source104: freeradius-tmpfiles.conf
|
||||
Source105: rfc3526-group-18-8192.pem
|
||||
Source105: freeradius.sysusers
|
||||
|
||||
Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
|
||||
Patch2: freeradius-Use-system-crypto-policy-by-default.patch
|
||||
Patch3: freeradius-bootstrap-create-only.patch
|
||||
Patch4: freeradius-no-buildtime-cert-gen.patch
|
||||
Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
|
||||
Patch6: freeradius-bootstrap-make-permissions.patch
|
||||
Patch7: freeradius-no-dh-param-load-FIPS.patch
|
||||
Patch8: freeradius-bootstrap-fixed-dhparam.patch
|
||||
Patch9: freeradius-man-Fix-some-typos.patch
|
||||
Patch10: freeradius-Fix-resource-hard-limit-error.patch
|
||||
Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
|
||||
Patch12: freeradius-bootstrap-run-only-once.patch
|
||||
Patch13: freeradius-Fix-unterminated-strings-in-SQL-queries.patch
|
||||
Patch14: freeradius-Fix-segfault-when-home_server-is-null.patch
|
||||
Patch15: freeradius-fix-crash-on-invalid-abinary-data.patch
|
||||
Patch16: freeradius-fix-crash-unknown-eap-sim.patch
|
||||
Patch17: freeradius-fix-info-leakage-eap-pwd.patch
|
||||
Patch5: freeradius-bootstrap-make-permissions.patch
|
||||
Patch6: freeradius-Fix-resource-hard-limit-error.patch
|
||||
Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch
|
||||
Patch8: freeradius-Backport-OpenSSL3-fixes.patch
|
||||
Patch9: freeradius-bootstrap-pass-noenc-to-certificate-generation.patch
|
||||
Patch10: freeradius-fix-crash-unknown-eap-sim.patch
|
||||
Patch11: freeradius-fix-crash-on-invalid-abinary-data.patch
|
||||
|
||||
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
|
||||
|
||||
|
@ -65,6 +50,8 @@ BuildRequires: libpcap-devel
|
|||
BuildRequires: systemd-units
|
||||
BuildRequires: libtalloc-devel
|
||||
BuildRequires: pcre-devel
|
||||
BuildRequires: chrpath
|
||||
BuildRequires: systemd-rpm-macros
|
||||
|
||||
%if ! 0%{?rhel}
|
||||
BuildRequires: libyubikey-devel
|
||||
|
@ -73,11 +60,13 @@ BuildRequires: ykclient-devel
|
|||
|
||||
# Require OpenSSL version we built with, or newer, to avoid startup failures
|
||||
# due to runtime OpenSSL version checks.
|
||||
Requires: openssl >= %(rpm -q --queryformat '%%{EPOCH}:%%{VERSION}' openssl)
|
||||
Requires: openssl >= %(rpm -q --queryformat '%%{VERSION}' openssl)
|
||||
Requires: openssl-perl
|
||||
Requires(pre): shadow-utils glibc-common
|
||||
Requires(post): systemd-sysv
|
||||
Requires(post): systemd-units
|
||||
# Needed for certificate generation
|
||||
# Needed for certificate generation as upstream bootstrap script isn't
|
||||
# compatible with Makefile equivalent.
|
||||
Requires: make
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
|
@ -98,7 +87,6 @@ be centralized, and minimizes the amount of re-configuration which has to be
|
|||
done when adding or deleting new users.
|
||||
|
||||
%package doc
|
||||
Group: Documentation
|
||||
Summary: FreeRADIUS documentation
|
||||
|
||||
%description doc
|
||||
|
@ -106,7 +94,6 @@ All documentation supplied by the FreeRADIUS project is included
|
|||
in this package.
|
||||
|
||||
%package utils
|
||||
Group: System Environment/Daemons
|
||||
Summary: FreeRADIUS utilities
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Requires: libpcap >= 0.9.4
|
||||
|
@ -121,7 +108,6 @@ Support for RFC and VSA Attributes Additional server configuration
|
|||
attributes Selecting a particular configuration Authentication methods
|
||||
|
||||
%package devel
|
||||
Group: System Environment/Daemons
|
||||
Summary: FreeRADIUS development files
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
|
@ -130,7 +116,6 @@ Development headers and libraries for FreeRADIUS.
|
|||
|
||||
%package ldap
|
||||
Summary: LDAP support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: openldap-devel
|
||||
|
||||
|
@ -139,7 +124,6 @@ This plugin provides the LDAP support for the FreeRADIUS server project.
|
|||
|
||||
%package krb5
|
||||
Summary: Kerberos 5 support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: krb5-devel
|
||||
|
||||
|
@ -148,7 +132,6 @@ This plugin provides the Kerberos 5 support for the FreeRADIUS server project.
|
|||
|
||||
%package perl
|
||||
Summary: Perl support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
|
||||
%{?fedora:BuildRequires: perl-devel}
|
||||
|
@ -159,10 +142,9 @@ BuildRequires: perl(ExtUtils::Embed)
|
|||
%description perl
|
||||
This plugin provides the Perl support for the FreeRADIUS server project.
|
||||
|
||||
%if %{with python2}
|
||||
%if 0%{?fedora} <= 30 && 0%{?rhel} < 8
|
||||
%package -n python2-freeradius
|
||||
Summary: Python 2 support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: python2-devel
|
||||
%{?python_provide:%python_provide python2-freeradius}
|
||||
|
@ -173,7 +155,6 @@ Obsoletes: %{name}-python < %{version}-%{release}
|
|||
|
||||
%description -n python2-freeradius
|
||||
This plugin provides the Python 2 support for the FreeRADIUS server project.
|
||||
# endif: with python2
|
||||
%endif
|
||||
|
||||
%package -n python3-freeradius
|
||||
|
@ -187,7 +168,6 @@ This plugin provides the Python 3 support for the FreeRADIUS server project.
|
|||
|
||||
%package mysql
|
||||
Summary: MySQL support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: mariadb-connector-c-devel
|
||||
|
||||
|
@ -196,16 +176,14 @@ This plugin provides the MySQL support for the FreeRADIUS server project.
|
|||
|
||||
%package postgresql
|
||||
Summary: Postgresql support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: postgresql-devel
|
||||
BuildRequires: libpq-devel
|
||||
|
||||
%description postgresql
|
||||
This plugin provides the postgresql support for the FreeRADIUS server project.
|
||||
|
||||
%package sqlite
|
||||
Summary: SQLite support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: sqlite-devel
|
||||
|
||||
|
@ -214,7 +192,6 @@ This plugin provides the SQLite support for the FreeRADIUS server project.
|
|||
|
||||
%package unixODBC
|
||||
Summary: Unix ODBC support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: unixODBC-devel
|
||||
|
||||
|
@ -223,7 +200,6 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
|
|||
|
||||
%package rest
|
||||
Summary: REST support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: libcurl-devel
|
||||
BuildRequires: json-c-devel
|
||||
|
@ -246,28 +222,26 @@ This plugin provides the REST support for the FreeRADIUS server project.
|
|||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
|
||||
# Add fixed dhparam file to the source to ensure `make tests` can run.
|
||||
cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
|
||||
|
||||
%build
|
||||
# Force compile/link options, extra security for network facing daemon
|
||||
%global _hardened_build 1
|
||||
|
||||
# Hack: rlm_python3 as stable; prevents building other unstable modules.
|
||||
sed 's/rlm_python.*/rlm_python3/g' src/modules/stable -i
|
||||
sed 's/rlm_python/rlm_python3/g' src/modules/stable -i
|
||||
|
||||
# python3-config is broken:
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1772988
|
||||
export PY3_LIB_DIR=%{_libdir}/"$(python3-config --configdir | sed 's#/usr/lib/##g')"
|
||||
%global build_ldflags %{build_ldflags} $(python3-config --embed --libs)
|
||||
export PY3_LIB_DIR="$(python3-config --configdir)"
|
||||
export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"
|
||||
|
||||
# Enable FIPS support
|
||||
%global build_cflags %{build_cflags} -DWITH_FIPS
|
||||
|
||||
# In order for the above hack to stick, do a fake configure so
|
||||
# we can run reconfig before cleaning up after ourselves and running
|
||||
# configure for real.
|
||||
./configure && make reconfig && (make clean distclean || true)
|
||||
|
||||
%configure \
|
||||
--libdir=%{_libdir}/freeradius \
|
||||
--enable-reproducible-builds \
|
||||
|
@ -286,9 +260,6 @@ export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_v
|
|||
--with-rlm_python3 \
|
||||
--with-rlm-python3-lib-dir=$PY3_LIB_DIR \
|
||||
--with-rlm-python3-include-dir=$PY3_INC_DIR \
|
||||
%if %{without python2}
|
||||
--without-rlm-python2 \
|
||||
%endif
|
||||
--without-rlm_eap_ikev2 \
|
||||
--without-rlm_eap_tnc \
|
||||
--without-rlm_sql_iodbc \
|
||||
|
@ -300,7 +271,8 @@ export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_v
|
|||
--without-rlm_rediswho \
|
||||
--without-rlm_cache_memcached
|
||||
|
||||
make
|
||||
# Build fast, but get better errors if we fail
|
||||
make %{?_smp_mflags} || make -j1
|
||||
|
||||
%install
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/radiusd
|
||||
|
@ -319,14 +291,21 @@ mkdir -p %{buildroot}%{_localstatedir}/run/
|
|||
install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
|
||||
install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf
|
||||
|
||||
# Add fixed dhparam file
|
||||
install -m 0644 %{SOURCE105} %{buildroot}/%{_sysconfdir}/raddb/certs/rfc3526-group-18-8192.dhparam
|
||||
install -p -D -m 0644 %{SOURCE105} %{buildroot}%{_sysusersdir}/freeradius.conf
|
||||
|
||||
# install SNMP MIB files
|
||||
mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
|
||||
install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
|
||||
|
||||
# remove rpath where needed
|
||||
chrpath --delete $RPM_BUILD_ROOT%{_libdir}/freeradius/*.so
|
||||
for f in $RPM_BUILD_ROOT/usr/sbin/*; do chrpath --delete $f || true; done
|
||||
for f in $RPM_BUILD_ROOT/usr/bin/*; do chrpath --delete $f || true; done
|
||||
|
||||
# update ld with freeradius libs
|
||||
mkdir -p %{buildroot}/%{_sysconfdir}/ld.so.conf.d
|
||||
echo "%{_libdir}/freeradius" > %{buildroot}/%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
|
||||
|
||||
# remove unneeded stuff
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crl
|
||||
|
@ -348,6 +327,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.la
|
|||
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/mssql
|
||||
|
||||
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/oracle
|
||||
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/mssql
|
||||
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool-dhcp/oracle
|
||||
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/oracle
|
||||
rm -r $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/moonshot-targeted-ids
|
||||
|
@ -363,12 +343,6 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab*
|
|||
|
||||
rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so
|
||||
|
||||
# Remove yubikey on RHEL
|
||||
%if 0%{?rhel}
|
||||
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/yubikey
|
||||
rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_yubikey.so
|
||||
%endif
|
||||
|
||||
# remove unsupported config files
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf
|
||||
|
||||
|
@ -401,30 +375,18 @@ EOF
|
|||
|
||||
# Make sure our user/group is present prior to any package or subpackage installation
|
||||
%pre
|
||||
getent group radiusd >/dev/null || /usr/sbin/groupadd -r -g 95 radiusd > /dev/null 2>&1
|
||||
getent passwd radiusd >/dev/null || /usr/sbin/useradd -r -g radiusd -u 95 -c "radiusd user" -d %{_localstatedir}/lib/radiusd -s /sbin/nologin radiusd > /dev/null 2>&1
|
||||
exit 0
|
||||
|
||||
%post
|
||||
%systemd_post radiusd.service
|
||||
exit 0
|
||||
%sysusers_create_compat %{SOURCE105}
|
||||
|
||||
%preun
|
||||
%systemd_preun radiusd.service
|
||||
|
||||
%postun
|
||||
%systemd_postun_with_restart radiusd.service
|
||||
if [ $1 -eq 0 ]; then # uninstall
|
||||
getent passwd radiusd >/dev/null && /usr/sbin/userdel radiusd > /dev/null 2>&1
|
||||
getent group radiusd >/dev/null && /usr/sbin/groupdel radiusd > /dev/null 2>&1
|
||||
fi
|
||||
exit 0
|
||||
|
||||
/bin/systemctl try-restart radiusd.service >/dev/null 2>&1 || :
|
||||
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
|
||||
# doc
|
||||
%license %{docdir}/LICENSE.gpl
|
||||
|
@ -435,8 +397,10 @@ exit 0
|
|||
# system
|
||||
%config(noreplace) %{_sysconfdir}/pam.d/radiusd
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/radiusd
|
||||
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
|
||||
%{_unitdir}/radiusd.service
|
||||
%{_tmpfilesdir}/radiusd.conf
|
||||
%{_sysusersdir}/freeradius.conf
|
||||
%dir %attr(710,radiusd,radiusd) %{_localstatedir}/run/radiusd
|
||||
%dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp
|
||||
%dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd
|
||||
|
@ -472,7 +436,6 @@ exit 0
|
|||
/etc/raddb/certs/README
|
||||
%config(noreplace) /etc/raddb/certs/xpextensions
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam
|
||||
%attr(750,root,radiusd) /etc/raddb/certs/bootstrap
|
||||
|
||||
# mods-config
|
||||
|
@ -584,10 +547,7 @@ exit 0
|
|||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unpack
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/utf8
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/wimax
|
||||
|
||||
%if ! 0%{?rhel}
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/yubikey
|
||||
%endif
|
||||
|
||||
# mods-enabled
|
||||
# symlink: /etc/raddb/mods-enabled/xxx -> ../mods-available/xxx
|
||||
|
@ -712,10 +672,7 @@ exit 0
|
|||
%{_libdir}/freeradius/rlm_unpack.so
|
||||
%{_libdir}/freeradius/rlm_utf8.so
|
||||
%{_libdir}/freeradius/rlm_wimax.so
|
||||
|
||||
%if ! 0%{?rhel}
|
||||
%{_libdir}/freeradius/rlm_yubikey.so
|
||||
%endif
|
||||
|
||||
# main man pages
|
||||
%doc %{_mandir}/man5/clients.conf.5.gz
|
||||
|
@ -786,13 +743,12 @@ exit 0
|
|||
|
||||
%{_libdir}/freeradius/rlm_perl.so
|
||||
|
||||
%if %{with python2}
|
||||
%if 0%{?fedora} <= 30 && 0%{?rhel} < 8
|
||||
%files -n python2-freeradius
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/python
|
||||
/etc/raddb/mods-config/python/example.py*
|
||||
/etc/raddb/mods-config/python/radiusd.py*
|
||||
%{_libdir}/freeradius/rlm_python.so
|
||||
# endif: with python2
|
||||
%endif
|
||||
|
||||
%files -n python3-freeradius
|
||||
|
@ -825,6 +781,7 @@ exit 0
|
|||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/setup.sql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/queries.conf
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/schema.sql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/process-radacct.sql
|
||||
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras/wimax
|
||||
|
@ -858,6 +815,7 @@ exit 0
|
|||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/setup.sql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/queries.conf
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/schema.sql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/process-radacct.sql
|
||||
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql/extras
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf
|
||||
|
@ -887,6 +845,8 @@ exit 0
|
|||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/sqlite
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/queries.conf
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/schema.sql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/process-radacct-refresh.sh
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/process-radacct-schema.sql
|
||||
|
||||
%{_libdir}/freeradius/rlm_sql_sqlite.so
|
||||
|
||||
|
@ -902,85 +862,198 @@ exit 0
|
|||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
||||
|
||||
%changelog
|
||||
* Fri Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-14
|
||||
- Fix defect found by Covscan
|
||||
Resolves: #2151704
|
||||
* Wed Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-37
|
||||
- Fix defect found by covscan
|
||||
Resolves: #2151705
|
||||
|
||||
* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-13
|
||||
* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-36
|
||||
- Fix multiple CVEs
|
||||
- Add rpminspect configuration
|
||||
Resolves: #2151702
|
||||
Resolves: #2151704
|
||||
Resolves: #2151706
|
||||
Resolves: #2151705
|
||||
Resolves: #2151703
|
||||
Resolves: #2151707
|
||||
|
||||
* Thu Dec 9 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-12
|
||||
- Fix segfault when home_server is null
|
||||
Resolves: bz#2030173
|
||||
* Fri Sep 16 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-35
|
||||
- Rebuild to add subpackages to CRB report
|
||||
Resolves: #2126380
|
||||
|
||||
* Thu Nov 18 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-11
|
||||
- Fix unterminated strings in SQL queries
|
||||
Resolves: bz#2021247
|
||||
* Wed Jun 29 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-34
|
||||
- Use GID / UID 95 as it's reserved for FreeRADIUS (https://pagure.io/setup/blob/07f8debf03dfb0e5ed36051c13c86c8cd00cd241/f/uidgid#_107)
|
||||
Resolves: #2095403
|
||||
|
||||
* Fri Nov 12 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-10
|
||||
- Rebuild to pick up latest json-c
|
||||
Resolves: bz#2021818
|
||||
* Fri Jun 24 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-33
|
||||
- Dynamically allocate users using sysusers.d format
|
||||
Resolves: #2095403
|
||||
|
||||
* Tue Aug 03 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-9
|
||||
- radiusd.service: don't fail if bootstrap script is not present
|
||||
Resolves: bz#1954521
|
||||
* Mon May 30 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-32
|
||||
- Add WITH_FIPS macro to CFLAGS
|
||||
Related: rhbz#2083699
|
||||
|
||||
* Fri Jul 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-8
|
||||
- Extend info about boostrap script in README and comments
|
||||
Resolves: bz#1954521
|
||||
* Tue May 24 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-31
|
||||
- Update OpenSSL 3.0 support backport to current v3.0.x branch state
|
||||
- Add "--enable-fips-workaround" to build options
|
||||
Related: rhbz#2083699
|
||||
|
||||
* Wed Jul 21 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-7
|
||||
- Ensure bootstrap script is run only once
|
||||
Resolves: bz#1954521
|
||||
* Tue May 10 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-30
|
||||
- Add openssl-perl dependency
|
||||
Related: rhbz#2078816
|
||||
|
||||
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-6
|
||||
- Exit if host in FIPS mode and MD5 usage not explicitly allowed
|
||||
Resolves: bz#1958979
|
||||
* Thu Apr 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-29
|
||||
- Set correct permissions for certificates generated by bootstrap Makefile
|
||||
Related: rhbz#2069224
|
||||
|
||||
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-5
|
||||
* Mon Apr 25 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-28
|
||||
- bootstrap: pass -noenc to certificate generation, do it on script as well
|
||||
Related: rhbz#2069224
|
||||
|
||||
* Fri Apr 22 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-27
|
||||
- bootstrap: pass -noenc to certificate generation
|
||||
Related: rhbz#2069224
|
||||
|
||||
* Mon Jan 31 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-26
|
||||
- Move remaining files from /var/run to /run
|
||||
Related: rhbz#2047972
|
||||
|
||||
* Fri Jan 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-25
|
||||
- Revert "Allow to connect to partially open LDAP handle"
|
||||
- Use infinite timeout (openldap default) when using LDAP+start-TLS
|
||||
- Update openssl dependency to not check epoch (was causing detection issues)
|
||||
Related: rhbz#1992551
|
||||
|
||||
* Thu Jan 13 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-24
|
||||
- Avoid segfault when trying to use MD4 without legacy provider
|
||||
Related: rhbz#1978216
|
||||
|
||||
* Wed Jan 12 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-23
|
||||
- Backport OpenSSL3 fixes
|
||||
Related: rhbz#1978216
|
||||
|
||||
* Wed Oct 13 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-22
|
||||
- Allow to connect to partially open LDAP handle
|
||||
Related: rhbz#1992551
|
||||
|
||||
* Mon Sep 27 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-21
|
||||
- Move FR's systemd unit PID file from /var/run to /run
|
||||
Related: rhbz#2006368
|
||||
|
||||
* Thu Aug 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-20
|
||||
- Rebuild to pick up new build flags from redhat-rpm-config
|
||||
Related: rhbz#1984652
|
||||
|
||||
* Thu Aug 12 2021 Filip Dvorak <fdvorak@redhat.com> - 3.0.21-19
|
||||
- Install psutil module and generate def. certs during test script
|
||||
Resolves: rhbz#1990392
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.21-18
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Tue Aug 03 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-17
|
||||
- Ignore badfuncs error in rpminspect
|
||||
Resolves: bz#1986972
|
||||
|
||||
* Mon Aug 02 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-16
|
||||
- Remove RPATH usage
|
||||
Resolves: bz#1986968
|
||||
|
||||
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-15
|
||||
- Fix coredump not being able to be enabled
|
||||
Resolves: bz#1977572
|
||||
Resolves: bz#1977722
|
||||
|
||||
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-4
|
||||
- Fix some manpage typos
|
||||
Resolves: bz#1843807
|
||||
* Wed Jun 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-14
|
||||
- Fix Python3.8 not being linked correctly
|
||||
Related: rhbz#1948622
|
||||
|
||||
* Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
|
||||
- Require make for proper bootstrap execution, removes post script
|
||||
Resolves: bz#1672285
|
||||
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.21-13
|
||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||
Related: rhbz#1971065
|
||||
|
||||
* Wed Aug 05 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-2
|
||||
- Fix breakage caused by OpenSSL FIPS regression
|
||||
Related: bz#1855822
|
||||
Related: bz#1810911
|
||||
Resolves: bz#1672285
|
||||
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.21-12
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Mon Jun 08 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-1
|
||||
- Update to FreeRADIUS server version 3.0.20
|
||||
- Introduce Python 3 support; resolves: bz#1623069
|
||||
- DoS issues due to multithreaded BN_CTX access; resolves: bz#1818809
|
||||
- Create tmp files in /run; resolves: bz#1805975
|
||||
* Wed Mar 10 2021 Robbie Harwood <rharwood@redhat.com> - 3.0.21-11
|
||||
- Disable automatic bootstrap
|
||||
|
||||
* Fri Nov 22 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-7
|
||||
- Fix information leak due to aborting when needing more than 10 iterations
|
||||
Resolves: bz#1751797
|
||||
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.0.21-10
|
||||
- Rebuilt for updated systemd-rpm-macros
|
||||
See https://pagure.io/fesco/issue/2583.
|
||||
|
||||
* Fri Jun 14 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-6
|
||||
- Fix handling of IPv6-only hostnames with listen.ipaddr
|
||||
Resolves: bz#1685546
|
||||
* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 3.0.21-9
|
||||
- rebuild for libpq ABI fix rhbz#1908268
|
||||
|
||||
* Fri Jun 14 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-5
|
||||
- Fix possible privilege escalation due to insecure logrotate configuration
|
||||
Resolves: bz#1719369
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.21-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Fri Dec 14 2018 Alexander Scheel <ascheel@redhat.com> - 3.0.17-4
|
||||
- Fixes two EAP-PWD security issues
|
||||
Resolves: bz#1699417 authentication bypass with an invalid curve attack
|
||||
Resolves: bz#1699421 fake authentication using reflection
|
||||
* Tue Aug 04 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-7
|
||||
- Fix certificate permissions after make-based generation
|
||||
Resolves: bz#1835249
|
||||
|
||||
* Tue Aug 04 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-6
|
||||
- Fix certificate permissions after make-based generation
|
||||
Resolves: bz#1835249
|
||||
|
||||
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.21-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.21-4
|
||||
- Perl 5.32 rebuild
|
||||
|
||||
* Wed May 13 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-3
|
||||
- Fix certificate generation
|
||||
Resolves: bz#1835249
|
||||
|
||||
* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 3.0.21-2
|
||||
- Rebuild (json-c)
|
||||
|
||||
* Wed Apr 01 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-1
|
||||
- Rebased to 3.0.21
|
||||
Resolves: bz#1816745
|
||||
|
||||
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.20-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Sat Jan 11 2020 Paul Wouters <pwouters@redhat.com> - 3.0.20-2
|
||||
- fixup tmpfile to use /run instead of /var/run
|
||||
|
||||
* Fri Nov 15 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.20-1
|
||||
- Rebased to 3.0.20
|
||||
Resolves: bz#1772710
|
||||
- Introduced new rlm_python3 module
|
||||
|
||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.19-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.19-4
|
||||
- Perl 5.30 rebuild
|
||||
|
||||
* Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-3
|
||||
- Update boostrap to change ownership of all certificates to root:radiusd
|
||||
|
||||
* Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-2
|
||||
- Updated crypto-policies patch
|
||||
- Updated /etc/raddb/certs/bootstrap to only create certificates if missing: bz#1705165 bz#1672284
|
||||
- Updated logrotate definitions to run as radiusd:radiusd: bz#1705343
|
||||
- Drop python2 package on Fedora 31+
|
||||
- Add database dependencies: bz#1658697
|
||||
- Don't generate certificate during build
|
||||
|
||||
* Wed Apr 10 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-1
|
||||
- Rebased to 3.0.19
|
||||
|
||||
* Wed Mar 06 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.18-1
|
||||
- Rebased to 3.0.18
|
||||
|
||||
* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 3.0.17-6
|
||||
- Rebuild for readline 8.0
|
||||
|
||||
* Tue Feb 05 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-5
|
||||
- Unit file generates certificates if not present.
|
||||
Resolves: bz#1672284
|
||||
|
||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.17-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 3.0.17-3
|
||||
- Rebuilt for libcrypt.so.2 (#1666033)
|
||||
|
||||
* Fri Dec 14 2018 Alexander Scheel <ascheel@redhat.com> - 3.0.17-2
|
||||
- Updates radiusd.service to start after network-online.target
|
||||
|
@ -993,25 +1066,27 @@ exit 0
|
|||
|
||||
* Mon Sep 17 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-18
|
||||
- Actually apply patches added previously.
|
||||
Related: Bug#1612512 Man page scan results for freeradius
|
||||
Related: Bug#1611286 Man page scan results for freeradius
|
||||
|
||||
* Fri Sep 14 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-17
|
||||
- Fix a few minor manpage issues.
|
||||
Resolves: Bug#1612512 Man page scan results for freeradius
|
||||
Resolves: Bug#1611286 Man page scan results for freeradius
|
||||
|
||||
* Wed Sep 12 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-16
|
||||
- Add make to Requires(post) to fix certificate generation on install.
|
||||
Resolves: Bug#1628213 FreeRADIUS fails to start due to default certificate
|
||||
permissions
|
||||
* Fri Sep 07 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-16
|
||||
- Add make to BuildRequires and Requires(post) to fix build and certificate
|
||||
generation on install.
|
||||
Resolves: Bug#1574783 Installing freeradius without make results in an
|
||||
unworkable default configuration
|
||||
|
||||
* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 3.0.15-15
|
||||
- Rebuild with fixed binutils
|
||||
* Tue Sep 04 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-15
|
||||
- Add gcc to BuildRequires.
|
||||
Resolves: Bug#1622470 FTBFS freeradius (rawhide)
|
||||
|
||||
* Wed Jul 25 2018 Petr Kubat <pkubat@redhat.com> - 3.0.15-14
|
||||
- Rebuilt for gdbm
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.15-14
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Mon Jun 11 2018 Charalampos Stratakis <cstratak@redhat.com> - 3.0.15-13
|
||||
- Disable the python2 subpackage
|
||||
* Fri Jun 29 2018 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.15-13
|
||||
- Perl 5.28 rebuild
|
||||
|
||||
* Tue Mar 06 2018 Björn Esser <besser82@fedoraproject.org> - 3.0.15-12
|
||||
- Rebuilt for libjson-c.so.4 (json-c v0.13.1)
|
||||
|
|