.freeradius.metadata

@@ -1 +1 @@
-3dd0e18fa04aff410876309e4322313b700db2b7 SOURCES/freeradius-server-3.0.20.tar.bz2
+3dd0e18fa04aff410876309e4322313b700db2b7 freeradius-server-3.0.20.tar.bz2

.gitignore

@@ -1 +1,33 @@
-SOURCES/freeradius-server-3.0.20.tar.bz2
+# Ignore build artifacts and signatures
+*.sig
+.build*.log
+freeradius-server-*/
+x86_64/
+freeradius-*.src.rpm
+
+# Automatically added
+/freeradius-server-2.1.9.tar.bz2
+/freeradius-server-2.1.10.tar.bz2
+/freeradius-server-2.1.11.tar.bz2
+/freeradius-server-2.1.12.tar.bz2
+/freeradius-server-2.2.0.tar.bz2
+/freeradius-server-release_3_0_0_rc0.tar.gz
+/freeradius-server-release_3_0_0_rc1.tar.gz
+/freeradius-server-3.0.0.tar.bz2
+/freeradius-server-3.0.1.tar.bz2
+/freeradius-server-3.0.2.tar.bz2
+/freeradius-server-3.0.3.tar.bz2
+/freeradius-server-3.0.4rc2.tar.bz2
+/freeradius-server-3.0.4.tar.bz2
+/freeradius-server-3.0.7.tar.bz2
+/freeradius-server-3.0.8.tar.bz2
+/freeradius-server-3.0.9.tar.bz2
+/freeradius-server-3.0.10.tar.bz2
+/freeradius-server-3.0.11.tar.bz2
+/freeradius-server-3.0.12.tar.bz2
+/freeradius-server-3.0.13.tar.bz2
+/freeradius-server-3.0.14.tar.bz2
+/freeradius-server-3.0.15.tar.bz2
+/release_3_0_17.tar.gz
+/freeradius-server-3.0.17.tar.bz2
+/freeradius-server-3.0.20.tar.bz2

find_module_deps

@@ -0,0 +1,385 @@
+#!/usr/bin/env python
+
+import exceptions
+import getopt
+import os
+import re
+import rpm
+import select
+import subprocess
+import sys
+
+#------------------------------------------------------------------------------
+
+def get_rlms(root):
+    rlm_re = re.compile(r'^rlm_')
+    version_re = re.compile(r'-[0-9.]+\.so$')
+    names = os.listdir(root)
+    names = [x for x in names if rlm_re.search(x)]
+    names = [x for x in names if not version_re.search(x)]
+    names.sort()
+    return names
+
+#------------------------------------------------------------------------------
+
+debug = False
+verbose = False
+
+exclude_rpms = ['glibc']
+
+build = '2.0.2-1.fc8'
+root_template = '/var/tmp/freeradius-%s-root-jdennis/usr/lib/freeradius'
+libdirs = ['/lib','/usr/lib']
+
+#------------------------------------------------------------------------------
+
+def get_rpm_nvr_from_header(hdr):
+    'Given an RPM header return the package NVR as a string'
+    name    = hdr['name']
+    version = hdr['version']
+    release = hdr['release']
+
+    return "%s-%s-%s" % (name, version, release)
+
+def get_rpm_hdr_by_file_path(path):
+    if path is None:
+        return None
+
+    hdr = None
+    try:
+        ts = rpm.ts()
+        mi = ts.dbMatch(rpm.RPMTAG_BASENAMES, path)
+        for hdr in mi: break
+    except Exception, e:
+        print >> sys.stderr, "failed to retrieve rpm hdr for %s, %s" %(path, e)
+        hdr = None
+    return hdr
+
+def get_rpm_nvr_by_file_path(path):
+    if path is None:
+        return None
+
+    hdr = get_rpm_hdr_by_file_path(path)
+    if not hdr:
+        print >> sys.stderr, "failed to retrieve rpm info for %s" %(path)
+    nvr = get_rpm_nvr_from_header(hdr)
+    return nvr
+
+def get_rpm_name_by_file_path(path):
+    if path is None:
+        return None
+
+    hdr = get_rpm_hdr_by_file_path(path)
+    if not hdr:
+        print >> sys.stderr, "failed to retrieve rpm info for %s" %(path)
+    name = hdr['name']
+    return name
+
+#------------------------------------------------------------------------------
+
+class CmdError(exceptions.Exception):
+    def __init__(self, errno, msg):
+        self.errno = errno
+        self.msg = msg
+
+
+class Command:
+    def __init__(self, cmd):
+        self.cmd = cmd
+        self.sub_process = None
+        self.bufsize = 1024
+        self.stdout_buf = ''
+        self.stderr_buf = ''
+        self.stdout_lines = []
+        self.stderr_lines = []
+
+    def run(self, stdout_callback=None, stderr_callback=None):
+        self.sub_process = subprocess.Popen(self.cmd, \
+            stdin=None, stdout=subprocess.PIPE, stderr=subprocess.PIPE, \
+            close_fds=True, shell=True)
+        self.stdout = self.sub_process.stdout
+        self.stderr = self.sub_process.stderr
+
+        read_watch = [self.stdout, self.stderr]
+        while read_watch:
+            readable = select.select(read_watch, [], [])[0]
+            for fd in readable:
+                if fd == self.stdout:
+                    data = os.read(fd.fileno(), self.bufsize)
+                    if not data:
+                        read_watch.remove(fd)
+                    else:
+                        self.stdout_buf += data
+                    for line in self.burst_lines('stdout_buf'):
+                        if stdout_callback: stdout_callback(line)
+                        self.stdout_lines.append(line)
+                if fd == self.stderr:
+                    data = os.read(fd.fileno(), self.bufsize)
+                    if not data:
+                        read_watch.remove(fd)
+                    else:
+                        self.stderr_buf += data
+                    for line in self.burst_lines('stderr_buf'):
+                        if stdout_callback: stderr_callback(line)
+                        self.stderr_lines.append(line)
+
+        self.returncode = self.sub_process.wait()
+        if self.returncode:
+            raise CmdError(self.returncode, "cmd \"%s\"\nreturned status %d\n%s" % (self.cmd, self.returncode, ''.join(self.stderr_lines)))
+
+        return self.returncode
+
+    def burst_lines(self, what):
+        buf = getattr(self, what)
+        start = 0
+        end = buf.find('\n', start)
+        while end >= 0:
+            end += 1                # include newline
+            line = buf[start:end]
+            yield line
+            start = end
+            end = buf.find('\n', start)
+        buf = buf[start:]
+        setattr(self, what, buf)
+
+
+#------------------------------------------------------------------------------
+
+def get_so_requires(path):
+    requires = {}
+    cmd = 'ldd %s' % (path)
+    so_re = re.compile(r'^\s*(\S+)\s+=>\s+(\S+)')
+
+    c = Command(cmd)
+    status = c.run()
+
+    for line in c.stdout_lines:
+        line = line.strip()
+        match = so_re.search(line)
+        if match:
+            so_name = match.group(1)
+            if match.group(2).startswith('/'):
+                so_path = match.group(2)
+            else:
+                so_path = None
+
+            requires[so_name] = so_path
+    return requires
+
+def get_so_needed(path):
+    needed = []
+    cmd = 'readelf -d %s' % (path)
+    so_re = re.compile(r'\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]')
+
+    c = Command(cmd)
+    status = c.run()
+
+    for line in c.stdout_lines:
+        line = line.strip()
+        match = so_re.search(line)
+        if match:
+            so_name = match.group(1)
+            needed.append(so_name)
+    return needed
+
+def format_size(size):
+    if size > 1000000000:
+        return '%.1f GB' % (size/1000000000.0)
+    if size > 1000000:
+        return '%.1f MB' % (size/1000000.0)
+    if size > 1000:
+        return '%.1f KB' % (size/1000.0)
+    return '%d' % (size)
+#------------------------------------------------------------------------------
+
+class RPM_Prop:
+    def __init__(self, path=None, name=None):
+        self.name = name
+        self.paths = {}
+        self.rpm_hdr = None
+        self.used_by = {}
+        if path:
+            self.register_path(path)
+            if not self.rpm_hdr:
+                self.rpm_hdr = get_rpm_hdr_by_file_path(path)
+            if self.rpm_hdr:
+                if not self.name:
+                    self.name = self.rpm_hdr[rpm.RPMTAG_NAME]
+                self.size = self.rpm_hdr[rpm.RPMTAG_SIZE]
+
+    def __str__(self):
+        return "name=%s paths=%s" % (self.name, ','.join(self.paths.keys()))
+
+    def register_path(self, path, name=None):
+        if debug: print "%s.register_path: path=%s" % (self.__class__.__name__, path)
+        return self.paths.setdefault(path, path)
+
+class RPM_Collection:
+    def __init__(self):
+        self.names = {}
+        self.paths = {}
+
+    def __str__(self):
+        text = ''
+        names = self.get_names()
+        for name in names:
+            text += "%s: %s\n" % (name, self.names[name])
+        return text
+
+    def register_path(self, path):
+        if debug: print "%s.register_path: path=%s" % (self.__class__.__name__, path)
+        rpm_prop = self.paths.get(path)
+        if not rpm_prop:
+            rpm_prop = self.paths.setdefault(path, RPM_Prop(path=path))
+        self.names.setdefault(rpm_prop.name, rpm_prop)
+        return rpm_prop
+
+    def get_names(self):
+        names = self.names.keys()
+        names.sort()
+        return names
+
+    def get_name(self, name):
+        return self.names.get(name)
+
+class SO_File:
+    def __init__(self, name=None, path=None):
+        self.name = name
+        self.path = path
+        self.rpm = None
+
+    def __str__(self):
+        if self.rpm:
+            rpm_name = self.rpm.name
+        else:
+            rpm_name = None
+        return "name=%s rpm=%s" % (self.name, rpm_name)
+
+class SO_Collection:
+    def __init__(self):
+        self.names = {}
+        self.paths = {}
+
+    def __str__(self):
+        text = ''
+        names = self.get_names()
+        for name in names:
+            text += "%s: %s\n" % (name, self.names[name])
+        return text
+
+    def register_path(self, path, name=None):
+        if debug: print "%s.register_path: path=%s" % (self.__class__.__name__, path)
+        so_prop = self.paths.get(path)
+        if not so_prop:
+            so_prop = self.paths.setdefault(path, SO_File(name, path=path))
+        self.names.setdefault(name, so_prop)
+        return so_prop
+
+    def get_names(self):
+        names = self.names.keys()
+        names.sort()
+        return names
+
+class LoadableModule:
+    def __init__(self, path, name=None):
+        if name is None:
+            name = os.path.basename(path)
+        self.name = name
+        self.path = path
+        self.rpm_names = {}
+        self.sos = SO_Collection()
+        self.get_so_requires()
+
+    def __str__(self):
+        text = '%s\n' % (self.name)
+        text += "    RPM's: %s\n" % (','.join(self.get_rpm_names()))
+        text += "    SO's: %s\n" % (','.join(self.sos.get_names()))
+        return text
+
+    def get_so_requires(self):
+        requires = get_so_requires(self.path)
+        needed = get_so_needed(self.path)
+        #print "%s requires=%s" % (self.name, requires)
+        #print "%s needed=%s" % (self.name, needed)
+
+        for so_name, so_path in requires.items():
+            if so_name not in needed: continue
+            if so_path:
+                so_prop = self.sos.register_path(so_path, so_name)
+                rpm_prop = rpms.register_path(so_prop.path)
+                rpm_prop.used_by[self.name] = 1
+                self.rpm_names.setdefault(rpm_prop.name, rpm_prop.name)
+                so_prop.rpm = rpm_prop
+            else:
+                so_prop = None
+            if verbose: print "found so='%s' %s" % (so_name, so_prop)
+
+    def register_so(self, so):
+        if debug: print "%s.register_so: so=%s" % (self.__class__.__name__, so)
+        self.sos.setdefault(so, so)
+        self.names.setdefault(so.name, so)
+        return so
+
+    def get_rpm_names(self):
+        rpm_names = self.rpm_names.keys()
+        rpm_names.sort()
+        return rpm_names
+
+    def get_sos(self):
+        sos = self.sos.keys()
+        sos.sort(lambda a,b: cmp(a.name, b.name))
+        return sos
+
+#------------------------------------------------------------------------------
+
+#------------------------------------------------------------------------------
+
+opts, args = getopt.getopt(sys.argv[1:], "b:v", ['build=','verbose'])
+for o, a in opts:
+    if o in ['-b', '--build']:
+        build = a
+    elif o in ['-v', '--verbose']:
+        verbose = True
+    else:
+        print >> sys.stderr, "Unknown arg: %s" % o
+        sys.exit(1)
+
+root = root_template % build
+modules = get_rlms(root)
+module_paths = [os.path.join(root,x) for x in modules]
+rpms = RPM_Collection()
+
+lms = []
+for module_path in module_paths[:]:
+    lm = LoadableModule(module_path)
+    lms.append(lm)
+
+
+print "RLM Modules(%s): %s\n" % (len(modules), ','.join(modules))
+
+for lm in lms:
+    rpm_names = [x for x in lm.get_rpm_names() if x not in exclude_rpms]
+    if rpm_names:
+        print lm.name
+        print '    %s' % (','.join(rpm_names))
+
+print "--------------"
+
+rpm_props = [x for x in rpms.names.values() if len(x.used_by) and x.name not in exclude_rpms]
+rpm_props.sort(lambda a,b: cmp(a.name, b.name))
+for rpm_prop in rpm_props:
+    used_by = rpm_prop.used_by.keys()
+    used_by.sort()
+    print "%s: %s" % (rpm_prop.name, ','.join(used_by))
+
+print "--------------"
+
+rpm_props.sort(lambda a,b: cmp(a.size, b.size))
+for rpm_prop in rpm_props:
+    print '%10s %s' % (format_size(rpm_prop.size), rpm_prop.name)
+
+
+print "--------------"
+
+for lm in lms:
+    print lm

freeradius-Add-missing-option-descriptions.patch

@@ -0,0 +1,97 @@
+From afb196b29606aafb5030e8c7ea414a4bd494cbc0 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+Date: Fri, 14 Sep 2018 12:20:11 +0300
+Subject: [PATCH] man: Add missing option descriptions
+
+---
+ man/man8/raddebug.8 | 4 ++++
+ man/man8/radiusd.8  | 7 +++++++
+ man/man8/radmin.8   | 4 ++++
+ 3 files changed, 15 insertions(+)
+
+diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8
+index 66e80e64fa..6e27e2453c 100644
+--- a/man/man8/raddebug.8
++++ b/man/man8/raddebug.8
+@@ -7,6 +7,8 @@ raddebug - Display debugging output from a running server.
+ .IR condition ]
+ .RB [ \-d
+ .IR config_directory ]
++.RB [ \-D
++.IR dictionary_directory ]
+ .RB [ \-n
+ .IR name ]
+ .RB [ \-i
+@@ -73,6 +75,8 @@ option is equivalent to using:
+ .IP "\-d \fIconfig directory\fP"
+ The radius configuration directory, usually /etc/raddb.  See the
+ \fIradmin\fP manual page for more description of this option.
++.IP "\-D \fIdictionary directory\fP"
++Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+ .IP "\-n \fImname\fP"
+ Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
+ .IP \-I\ \fIipv6-address\fP
+diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
+index c825f22d0d..98aef5e1be 100644
+--- a/man/man8/radiusd.8
++++ b/man/man8/radiusd.8
+@@ -6,6 +6,8 @@ radiusd - Authentication, Authorization and Accounting server
+ .RB [ \-C ]
+ .RB [ \-d
+ .IR config_directory ]
++.RB [ \-D
++.IR dictionary_directory ]
+ .RB [ \-f ]
+ .RB [ \-h ]
+ .RB [ \-i
+@@ -17,6 +19,7 @@ radiusd - Authentication, Authorization and Accounting server
+ .IR name ]
+ .RB [ \-p
+ .IR port ]
++.RB [ \-P ]
+ .RB [ \-s ]
+ .RB [ \-t ]
+ .RB [ \-v ]
+@@ -55,6 +58,8 @@ configuration, and which modules are skipped, and therefore not checked.
+ .IP "\-d \fIconfig directory\fP"
+ Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
+ files such as the \fIdictionary\fP and the \fIusers\fP files.
++.IP "\-D \fIdictionary directory\fP"
++Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+ .IP \-f
+ Do not fork, stay running as a foreground process.
+ .IP \-h
+@@ -84,6 +89,8 @@ When this command-line option is given, all "listen" sections in
+ \fIradiusd.conf\fP are ignored.
+ 
+ This option MUST be used in conjunction with "-i".
++.IP "\-P
++Always write out PID, even with -f.
+ .IP \-s
+ Run in "single server" mode.  The server normally runs with multiple
+ threads and/or processes, which can lower its response time to
+diff --git a/man/man8/radmin.8 b/man/man8/radmin.8
+index 5ecc963d81..5bf661fa71 100644
+--- a/man/man8/radmin.8
++++ b/man/man8/radmin.8
+@@ -5,6 +5,8 @@ radmin - FreeRADIUS Administration tool
+ .B radmin
+ .RB [ \-d
+ .IR config_directory ]
++.RB [ \-D
++.IR dictionary_directory ]
+ .RB [ \-e
+ .IR command ]
+ .RB [ \-E ]
+@@ -34,6 +36,8 @@ The following command-line options are accepted by the program.
+ Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server
+ configuration files to find the "listen" section that defines the
+ control socket filename.
++.IP "\-D \fIdictionary directory\fP"
++Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+ .IP "\-e \fIcommand\fP"
+ Run \fIcommand\fP and exit.
+ .IP \-E
+-- 
+2.18.0
+

freeradius-EAP-PWD-curve-handling.patch

@@ -0,0 +1,45 @@
+diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+index 7f91e4b230..848ca2055e 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
++++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
+ 	data_len = BN_num_bytes(session->order);
+ 	BN_bin2bn(ptr, data_len, session->peer_scalar);
+
++	/* validate received scalar */
++	if (BN_is_zero(session->peer_scalar) ||
++	    BN_is_one(session->peer_scalar) ||
++	    BN_cmp(session->peer_scalar, session->order) >= 0) {
++		ERROR("Peer's scalar is not within the allowed range");
++		goto finish;
++	}
++
+ 	if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
+ 		DEBUG2("pwd: unable to get coordinates of peer's element");
+ 		goto finish;
+ 	}
+
++	/* validate received element */
++	if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
++	    EC_POINT_is_at_infinity(session->group, session->peer_element)) {
++		ERROR("Peer's element is not a point on the elliptic curve");
++		goto finish;
++	}
++
+ 	/* check to ensure peer's element is not in a small sub-group */
+ 	if (BN_cmp(cofactor, BN_value_one())) {
+ 		if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
+@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
+ 		}
+ 	}
+
++	/* detect reflection attacks */
++	if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
++	    EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
++		ERROR("Reflection attack detected");
++		goto finish;
++	}
++
+ 	/* compute the shared key, k */
+ 	if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
+ 	    (!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||

freeradius-EAP-PWD-information-leak-10-iterations.patch

@@ -0,0 +1,38 @@
+From 3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
+Date: Wed, 5 Jun 2019 19:21:06 +0000
+Subject: [PATCH] EAP-pwd: fix side-channel leak where 1 in 2018 handshakes
+ fail
+
+Previously the Hunting and Pecking algorithm of EAP-pwd aborted when
+more than 10 iterations are needed. Every iteration has a 50% chance
+of finding the password element. This means one in every 2048 handshakes
+will fail, in which case an error frame is sent to the client. This
+event leaks information that can be abused in an offline password
+brute-force attack. More precisely, the adversary learns that all 10
+iterations failed for the given random EAP-pwd token. Using the same
+techniques as in the Dragonblood attack, this can be used to brute-force
+the password.
+
+This patch fixes the above issue by executing enough iterations such that
+the password element is always found eventually.
+
+Note that timing and cache leaks remain a risk against the current
+implementation of EAP-pwd.
+---
+ src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+index c54f08c030..d94851c3aa 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
++++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+@@ -192,7 +192,7 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
+ 	}
+ 	ctr = 0;
+ 	while (1) {
+-		if (ctr > 10) {
++		if (ctr > 100) {
+ 			DEBUG("unable to find random point on curve for group %d, something's fishy", grp_num);
+ 			goto fail;
+ 		}

freeradius-OpenSSL-HMAC-MD5.patch

@@ -0,0 +1,68 @@
+From b93796b1890b35a0922bfba9cd08e8a1a5f956cf Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Fri, 28 Sep 2018 09:54:46 -0400
+Subject: [PATCH 1/2] Replace HMAC-MD5 implementation with OpenSSL's
+
+If OpenSSL EVP is not found, fallback to internal implementation of
+HMAC-MD5.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ src/lib/hmacmd5.c | 34 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/hmacmd5.c b/src/lib/hmacmd5.c
+index 2c662ff368..1cca00fa2a 100644
+--- a/src/lib/hmacmd5.c
++++ b/src/lib/hmacmd5.c
+@@ -27,10 +27,41 @@
+
+ RCSID("$Id: 2c662ff368e46556edd2cfdf408bd0fca0ab5f18 $")
+
++#ifdef HAVE_OPENSSL_EVP_H
++#include <openssl/hmac.h>
++#include <openssl/evp.h>
++#endif
++
+ #include <freeradius-devel/libradius.h>
+ #include <freeradius-devel/md5.h>
+
+-/** Calculate HMAC using MD5
++#ifdef HAVE_OPENSSL_EVP_H
++/** Calculate HMAC using OpenSSL's MD5 implementation
++ *
++ * @param digest Caller digest to be filled in.
++ * @param text Pointer to data stream.
++ * @param text_len length of data stream.
++ * @param key Pointer to authentication key.
++ * @param key_len Length of authentication key.
++ *
++ */
++void fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
++		 uint8_t const *key, size_t key_len)
++{
++	HMAC_CTX *ctx  = HMAC_CTX_new();
++
++#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
++	/* Since MD5 is not allowed by FIPS, explicitly allow it. */
++	HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
++#endif /* EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */
++
++	HMAC_Init_ex(ctx, key, key_len, EVP_md5(), NULL);
++	HMAC_Update(ctx, text, text_len);
++	HMAC_Final(ctx, digest, NULL);
++	HMAC_CTX_free(ctx);
++}
++#else
++/** Calculate HMAC using internal MD5 implementation
+  *
+  * @param digest Caller digest to be filled in.
+  * @param text Pointer to data stream.
+@@ -101,6 +132,7 @@
+ 					      * hash */
+ 	fr_md5_final(digest, &context);	  /* finish up 2nd pass */
+ }
++#endif /* HAVE_OPENSSL_EVP_H */
+
+ /*
+ Test Vectors (Trailing '\0' of a character string not included in test):

freeradius-OpenSSL-HMAC-SHA1.patch

@@ -0,0 +1,73 @@
+From 91f663ce1b46ecd99399023ad539f158419272e7 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Fri, 28 Sep 2018 11:03:52 -0400
+Subject: [PATCH 2/2] Replace HMAC-SHA1 implementation with OpenSSL's
+
+If OpenSSL EVP is not found, fallback to internal implementation of
+HMAC-SHA1.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ src/lib/hmacsha1.c | 29 ++++++++++++++++++++++++++++-
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/hmacsha1.c b/src/lib/hmacsha1.c
+index c3cbd87a2c..211470ea35 100644
+--- a/src/lib/hmacsha1.c
++++ b/src/lib/hmacsha1.c
+@@ -10,13 +10,19 @@
+
+ RCSID("$Id: c3cbd87a2c13c47da93fdb1bdfbf6da4c22aaac5 $")
+
++#ifdef HAVE_OPENSSL_EVP_H
++#include <openssl/hmac.h>
++#include <openssl/evp.h>
++#endif
++
+ #include <freeradius-devel/libradius.h>
+
+ #ifdef HMAC_SHA1_DATA_PROBLEMS
+ unsigned int sha1_data_problems = 0;
+ #endif
+
+-/** Calculate HMAC using SHA1
++#ifdef HAVE_OPENSSL_EVP_H
++/** Calculate HMAC using OpenSSL's SHA1 implementation
+  *
+  * @param digest Caller digest to be filled in.
+  * @param text Pointer to data stream.
+@@ -28,6 +34,26 @@
+ void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
+ 		  uint8_t const *key, size_t key_len)
+ {
++	HMAC_CTX *ctx  = HMAC_CTX_new();
++	HMAC_Init_ex(ctx, key, key_len, EVP_sha1(), NULL);
++	HMAC_Update(ctx, text, text_len);
++	HMAC_Final(ctx, digest, NULL);
++	HMAC_CTX_free(ctx);
++}
++
++#else
++
++/** Calculate HMAC using internal SHA1 implementation
++ *
++ * @param digest Caller digest to be filled in.
++ * @param text Pointer to data stream.
++ * @param text_len length of data stream.
++ * @param key Pointer to authentication key.
++ * @param key_len Length of authentication key.
++ */
++void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
++		  uint8_t const *key, size_t key_len)
++{
+ 	fr_sha1_ctx context;
+ 	uint8_t k_ipad[65];    /* inner padding - key XORd with ipad */
+ 	uint8_t k_opad[65];    /* outer padding - key XORd with opad */
+@@ -142,6 +168,7 @@
+ 	}
+ #endif
+ }
++#endif /* HAVE_OPENSSL_EVP_H */
+
+ /*
+ Test Vectors (Trailing '\0' of a character string not included in test):

freeradius-autogen.sh

@@ -0,0 +1,21 @@
+#!/bin/sh -e
+
+parentdir=`dirname $0`
+
+cd $parentdir
+parentdir=`pwd`
+
+libtoolize -f -c
+#aclocal
+autoheader
+autoconf
+
+mysubdirs="$mysubdirs `find src/modules/ -name configure -print | sed 's%/configure%%'`"
+mysubdirs=`echo $mysubdirs`
+
+for F in $mysubdirs
+do
+	echo "Configuring in $F..."
+	(cd $F && grep "^AC_CONFIG_HEADER" configure.in > /dev/null && autoheader -I$parentdir)
+	(cd $F && autoconf -I$parentdir)
+done

freeradius-listen-ipv6-fix.patch

@@ -0,0 +1,42 @@
+From 98510efd0e2930d8924b47009945a0fb1bd75a29 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Mon, 22 Apr 2019 14:38:19 -0400
+Subject: [PATCH] Allow listen.ipaddr to reference an IPv6-only host
+
+In 5452b13cefa3b30f1da467ff5d68b3c1aa471188, these lines were added
+which effectively result in a listen.ipaddr only allowing hostnames to
+resolve to IPv4 addresses. With a hostname with only a IPv6 address,
+it'll bail with the error message:
+
+radiusd: #### Opening IP addresses and Ports ####
+listen {
+        type = "auth"
+Failed resolving "ipv6.cipherboy.com" to IPv4 address:
+    Name or service not known
+
+This directly contradicts the language in the default configuration
+file, so support resolving both IPv4-only and IPv6-only hostnames.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ src/lib/misc.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/src/lib/misc.c b/src/lib/misc.c
+index dff21e33f7..5520d8a0a4 100644
+--- a/src/lib/misc.c
++++ b/src/lib/misc.c
+@@ -607,13 +607,6 @@ int fr_pton(fr_ipaddr_t *out, char const *value, ssize_t inlen, int af, bool res
+ 			fr_strerror_printf("Invalid address");
+ 			return -1;
+ 		}
+-
+-		/*
+-		 *	Fall through to resolving the address, using
+-		 *	whatever address family they prefer.  If they
+-		 *	don't specify an address family, force IPv4.
+-		 */
+-		if (af == AF_UNSPEC) af = AF_INET;
+ 	}
+ 
+ 	/*

freeradius-python2-shebangs.patch

@@ -0,0 +1,64 @@
+From b8a6ac05977845851f02151ca35c3a51e88bd534 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Thu, 18 Oct 2018 12:40:53 -0400
+Subject: [PATCH] Clarify shebangs to be python2
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ scripts/radtee                         | 2 +-
+ src/modules/rlm_python/example.py      | 2 +-
+ src/modules/rlm_python/prepaid.py      | 2 +-
+ src/modules/rlm_python/radiusd.py      | 2 +-
+ src/modules/rlm_python/radiusd_test.py | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/scripts/radtee b/scripts/radtee
+index 123769d244..78b4bcbe0b 100755
+--- a/scripts/radtee
++++ b/scripts/radtee
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python2
+ from __future__ import with_statement 
+ 
+ # RADIUS comparison tee v1.0
+diff --git a/src/modules/rlm_python/example.py b/src/modules/rlm_python/example.py
+index 5950a07678..eaf456e349 100644
+--- a/src/modules/rlm_python/example.py
++++ b/src/modules/rlm_python/example.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python2
+ #
+ # Python module example file
+ # Miguel A.L. Paraz <mparaz@mparaz.com>
+diff --git a/src/modules/rlm_python/prepaid.py b/src/modules/rlm_python/prepaid.py
+index c3cbf57b8f..3b1dc2e2e8 100644
+--- a/src/modules/rlm_python/prepaid.py
++++ b/src/modules/rlm_python/prepaid.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python2
+ #
+ # Example Python module for prepaid usage using MySQL
+ 
+diff --git a/src/modules/rlm_python/radiusd.py b/src/modules/rlm_python/radiusd.py
+index c535bb3caf..7129923994 100644
+--- a/src/modules/rlm_python/radiusd.py
++++ b/src/modules/rlm_python/radiusd.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python2
+ #
+ # Definitions for RADIUS programs
+ #
+diff --git a/src/modules/rlm_python/radiusd_test.py b/src/modules/rlm_python/radiusd_test.py
+index 13b7128b29..97b5b64f08 100644
+--- a/src/modules/rlm_python/radiusd_test.py
++++ b/src/modules/rlm_python/radiusd_test.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python2
+ #
+ # Python module test
+ # Miguel A.L. Paraz <mparaz@mparaz.com>

freeradius-radiusd-init

@@ -0,0 +1,113 @@
+#!/bin/sh
+#
+# radiusd Start/Stop the FreeRADIUS daemon
+#
+# chkconfig: - 88 10
+# description: Extensible, configurable, high performance RADIUS server.
+
+### BEGIN INIT INFO
+# Provides: radiusd
+# Required-Start: $network
+# Required-Stop:
+# Default-Start:
+# Default-Stop:
+# Should-Start: $time $syslog mysql ldap postgresql samba krb5-kdc
+# Should-Stop:
+# Short-Description: FreeRADIUS server
+# Description: Extensible, configurable, high performance RADIUS server.
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog=radiusd
+
+[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
+
+exec=${exec:=/usr/sbin/$prog}
+config_dir=${config_dir:=/etc/raddb}
+config=${config:=$config_dir/radiusd.conf}
+pidfile=${pidfile:=/var/run/$prog/$prog.pid}
+lockfile=${lockfile:=/var/lock/subsys/radiusd}
+
+start() {
+    [ -x $exec ] || exit 5
+    [ -f $config ] || exit 6
+    echo -n $"Starting $prog: "
+    daemon --pidfile $pidfile $exec -d $config_dir
+    retval=$?
+    echo
+    [ $retval -eq 0 ] && touch $lockfile
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping $prog: "
+    killproc -p $pidfile $prog
+    retval=$?
+    echo
+    [ $retval -eq 0 ] && rm -f $lockfile
+    return $retval
+}
+
+restart() {
+    stop
+    start
+}
+
+reload() {
+    # radiusd may not be capable of a 100% configuration reload depending
+    # on which loadable modules are in use, if sending the server a
+    # HUP is not sufficient then use restart here instead. However, we
+    # prefer by default to use HUP since it's what is usually desired.
+    #    
+    # restart
+
+    kill -HUP `pidofproc -p $pidfile $prog`
+}
+
+force_reload() {
+    restart
+}
+
+rh_status() {
+    # run checks to determine if the service is running or use generic status
+    status -p $pidfile $prog
+}
+
+rh_status_q() {
+    rh_status >/dev/null 2>&1
+}
+
+
+case "$1" in
+    start)
+        rh_status_q && exit 0
+        $1
+        ;;
+    stop)
+        rh_status_q || exit 0
+        $1
+        ;;
+    restart)
+        $1
+        ;;
+    reload)
+        rh_status_q || exit 7
+        $1
+        ;;
+    force-reload)
+        force_reload
+        ;;
+    status)
+        rh_status
+        ;;
+    condrestart|try-restart)
+        rh_status_q || exit 0
+        restart
+        ;;
+    *)
+        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+        exit 2
+esac
+exit $?

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

rpminspect.yaml

@@ -0,0 +1,6 @@
+---
+inspections:
+    badfuncs: off
+runpath:
+    allowed_paths:
+        - /usr/lib64

sources

@@ -0,0 +1 @@
+SHA512 (freeradius-server-3.0.20.tar.bz2) = d5e0732a75268480092b46822a0e0fffb683adb93be13932eb170d2dc783a46d0daff4cadd0de69fd5ce4578083c9f69a9cccc485ea9c0c2eecf82c772f54b8e