Compare commits

...

No commits in common. "c8-stream-3.0" and "stream-freeradius-3.0-rhel-8.10.0" have entirely different histories.

39 changed files with 992 additions and 2 deletions

View File

@ -1 +0,0 @@
3dd0e18fa04aff410876309e4322313b700db2b7 SOURCES/freeradius-server-3.0.20.tar.bz2

34
.gitignore vendored
View File

@ -1 +1,33 @@
SOURCES/freeradius-server-3.0.20.tar.bz2 # Ignore build artifacts and signatures
*.sig
.build*.log
freeradius-server-*/
x86_64/
freeradius-*.src.rpm
# Automatically added
/freeradius-server-2.1.9.tar.bz2
/freeradius-server-2.1.10.tar.bz2
/freeradius-server-2.1.11.tar.bz2
/freeradius-server-2.1.12.tar.bz2
/freeradius-server-2.2.0.tar.bz2
/freeradius-server-release_3_0_0_rc0.tar.gz
/freeradius-server-release_3_0_0_rc1.tar.gz
/freeradius-server-3.0.0.tar.bz2
/freeradius-server-3.0.1.tar.bz2
/freeradius-server-3.0.2.tar.bz2
/freeradius-server-3.0.3.tar.bz2
/freeradius-server-3.0.4rc2.tar.bz2
/freeradius-server-3.0.4.tar.bz2
/freeradius-server-3.0.7.tar.bz2
/freeradius-server-3.0.8.tar.bz2
/freeradius-server-3.0.9.tar.bz2
/freeradius-server-3.0.10.tar.bz2
/freeradius-server-3.0.11.tar.bz2
/freeradius-server-3.0.12.tar.bz2
/freeradius-server-3.0.13.tar.bz2
/freeradius-server-3.0.14.tar.bz2
/freeradius-server-3.0.15.tar.bz2
/release_3_0_17.tar.gz
/freeradius-server-3.0.17.tar.bz2
/freeradius-server-3.0.20.tar.bz2

385
find_module_deps Executable file
View File

@ -0,0 +1,385 @@
#!/usr/bin/env python
import exceptions
import getopt
import os
import re
import rpm
import select
import subprocess
import sys
#------------------------------------------------------------------------------
def get_rlms(root):
rlm_re = re.compile(r'^rlm_')
version_re = re.compile(r'-[0-9.]+\.so$')
names = os.listdir(root)
names = [x for x in names if rlm_re.search(x)]
names = [x for x in names if not version_re.search(x)]
names.sort()
return names
#------------------------------------------------------------------------------
debug = False
verbose = False
exclude_rpms = ['glibc']
build = '2.0.2-1.fc8'
root_template = '/var/tmp/freeradius-%s-root-jdennis/usr/lib/freeradius'
libdirs = ['/lib','/usr/lib']
#------------------------------------------------------------------------------
def get_rpm_nvr_from_header(hdr):
'Given an RPM header return the package NVR as a string'
name = hdr['name']
version = hdr['version']
release = hdr['release']
return "%s-%s-%s" % (name, version, release)
def get_rpm_hdr_by_file_path(path):
if path is None:
return None
hdr = None
try:
ts = rpm.ts()
mi = ts.dbMatch(rpm.RPMTAG_BASENAMES, path)
for hdr in mi: break
except Exception, e:
print >> sys.stderr, "failed to retrieve rpm hdr for %s, %s" %(path, e)
hdr = None
return hdr
def get_rpm_nvr_by_file_path(path):
if path is None:
return None
hdr = get_rpm_hdr_by_file_path(path)
if not hdr:
print >> sys.stderr, "failed to retrieve rpm info for %s" %(path)
nvr = get_rpm_nvr_from_header(hdr)
return nvr
def get_rpm_name_by_file_path(path):
if path is None:
return None
hdr = get_rpm_hdr_by_file_path(path)
if not hdr:
print >> sys.stderr, "failed to retrieve rpm info for %s" %(path)
name = hdr['name']
return name
#------------------------------------------------------------------------------
class CmdError(exceptions.Exception):
def __init__(self, errno, msg):
self.errno = errno
self.msg = msg
class Command:
def __init__(self, cmd):
self.cmd = cmd
self.sub_process = None
self.bufsize = 1024
self.stdout_buf = ''
self.stderr_buf = ''
self.stdout_lines = []
self.stderr_lines = []
def run(self, stdout_callback=None, stderr_callback=None):
self.sub_process = subprocess.Popen(self.cmd, \
stdin=None, stdout=subprocess.PIPE, stderr=subprocess.PIPE, \
close_fds=True, shell=True)
self.stdout = self.sub_process.stdout
self.stderr = self.sub_process.stderr
read_watch = [self.stdout, self.stderr]
while read_watch:
readable = select.select(read_watch, [], [])[0]
for fd in readable:
if fd == self.stdout:
data = os.read(fd.fileno(), self.bufsize)
if not data:
read_watch.remove(fd)
else:
self.stdout_buf += data
for line in self.burst_lines('stdout_buf'):
if stdout_callback: stdout_callback(line)
self.stdout_lines.append(line)
if fd == self.stderr:
data = os.read(fd.fileno(), self.bufsize)
if not data:
read_watch.remove(fd)
else:
self.stderr_buf += data
for line in self.burst_lines('stderr_buf'):
if stdout_callback: stderr_callback(line)
self.stderr_lines.append(line)
self.returncode = self.sub_process.wait()
if self.returncode:
raise CmdError(self.returncode, "cmd \"%s\"\nreturned status %d\n%s" % (self.cmd, self.returncode, ''.join(self.stderr_lines)))
return self.returncode
def burst_lines(self, what):
buf = getattr(self, what)
start = 0
end = buf.find('\n', start)
while end >= 0:
end += 1 # include newline
line = buf[start:end]
yield line
start = end
end = buf.find('\n', start)
buf = buf[start:]
setattr(self, what, buf)
#------------------------------------------------------------------------------
def get_so_requires(path):
requires = {}
cmd = 'ldd %s' % (path)
so_re = re.compile(r'^\s*(\S+)\s+=>\s+(\S+)')
c = Command(cmd)
status = c.run()
for line in c.stdout_lines:
line = line.strip()
match = so_re.search(line)
if match:
so_name = match.group(1)
if match.group(2).startswith('/'):
so_path = match.group(2)
else:
so_path = None
requires[so_name] = so_path
return requires
def get_so_needed(path):
needed = []
cmd = 'readelf -d %s' % (path)
so_re = re.compile(r'\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]')
c = Command(cmd)
status = c.run()
for line in c.stdout_lines:
line = line.strip()
match = so_re.search(line)
if match:
so_name = match.group(1)
needed.append(so_name)
return needed
def format_size(size):
if size > 1000000000:
return '%.1f GB' % (size/1000000000.0)
if size > 1000000:
return '%.1f MB' % (size/1000000.0)
if size > 1000:
return '%.1f KB' % (size/1000.0)
return '%d' % (size)
#------------------------------------------------------------------------------
class RPM_Prop:
def __init__(self, path=None, name=None):
self.name = name
self.paths = {}
self.rpm_hdr = None
self.used_by = {}
if path:
self.register_path(path)
if not self.rpm_hdr:
self.rpm_hdr = get_rpm_hdr_by_file_path(path)
if self.rpm_hdr:
if not self.name:
self.name = self.rpm_hdr[rpm.RPMTAG_NAME]
self.size = self.rpm_hdr[rpm.RPMTAG_SIZE]
def __str__(self):
return "name=%s paths=%s" % (self.name, ','.join(self.paths.keys()))
def register_path(self, path, name=None):
if debug: print "%s.register_path: path=%s" % (self.__class__.__name__, path)
return self.paths.setdefault(path, path)
class RPM_Collection:
def __init__(self):
self.names = {}
self.paths = {}
def __str__(self):
text = ''
names = self.get_names()
for name in names:
text += "%s: %s\n" % (name, self.names[name])
return text
def register_path(self, path):
if debug: print "%s.register_path: path=%s" % (self.__class__.__name__, path)
rpm_prop = self.paths.get(path)
if not rpm_prop:
rpm_prop = self.paths.setdefault(path, RPM_Prop(path=path))
self.names.setdefault(rpm_prop.name, rpm_prop)
return rpm_prop
def get_names(self):
names = self.names.keys()
names.sort()
return names
def get_name(self, name):
return self.names.get(name)
class SO_File:
def __init__(self, name=None, path=None):
self.name = name
self.path = path
self.rpm = None
def __str__(self):
if self.rpm:
rpm_name = self.rpm.name
else:
rpm_name = None
return "name=%s rpm=%s" % (self.name, rpm_name)
class SO_Collection:
def __init__(self):
self.names = {}
self.paths = {}
def __str__(self):
text = ''
names = self.get_names()
for name in names:
text += "%s: %s\n" % (name, self.names[name])
return text
def register_path(self, path, name=None):
if debug: print "%s.register_path: path=%s" % (self.__class__.__name__, path)
so_prop = self.paths.get(path)
if not so_prop:
so_prop = self.paths.setdefault(path, SO_File(name, path=path))
self.names.setdefault(name, so_prop)
return so_prop
def get_names(self):
names = self.names.keys()
names.sort()
return names
class LoadableModule:
def __init__(self, path, name=None):
if name is None:
name = os.path.basename(path)
self.name = name
self.path = path
self.rpm_names = {}
self.sos = SO_Collection()
self.get_so_requires()
def __str__(self):
text = '%s\n' % (self.name)
text += " RPM's: %s\n" % (','.join(self.get_rpm_names()))
text += " SO's: %s\n" % (','.join(self.sos.get_names()))
return text
def get_so_requires(self):
requires = get_so_requires(self.path)
needed = get_so_needed(self.path)
#print "%s requires=%s" % (self.name, requires)
#print "%s needed=%s" % (self.name, needed)
for so_name, so_path in requires.items():
if so_name not in needed: continue
if so_path:
so_prop = self.sos.register_path(so_path, so_name)
rpm_prop = rpms.register_path(so_prop.path)
rpm_prop.used_by[self.name] = 1
self.rpm_names.setdefault(rpm_prop.name, rpm_prop.name)
so_prop.rpm = rpm_prop
else:
so_prop = None
if verbose: print "found so='%s' %s" % (so_name, so_prop)
def register_so(self, so):
if debug: print "%s.register_so: so=%s" % (self.__class__.__name__, so)
self.sos.setdefault(so, so)
self.names.setdefault(so.name, so)
return so
def get_rpm_names(self):
rpm_names = self.rpm_names.keys()
rpm_names.sort()
return rpm_names
def get_sos(self):
sos = self.sos.keys()
sos.sort(lambda a,b: cmp(a.name, b.name))
return sos
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
opts, args = getopt.getopt(sys.argv[1:], "b:v", ['build=','verbose'])
for o, a in opts:
if o in ['-b', '--build']:
build = a
elif o in ['-v', '--verbose']:
verbose = True
else:
print >> sys.stderr, "Unknown arg: %s" % o
sys.exit(1)
root = root_template % build
modules = get_rlms(root)
module_paths = [os.path.join(root,x) for x in modules]
rpms = RPM_Collection()
lms = []
for module_path in module_paths[:]:
lm = LoadableModule(module_path)
lms.append(lm)
print "RLM Modules(%s): %s\n" % (len(modules), ','.join(modules))
for lm in lms:
rpm_names = [x for x in lm.get_rpm_names() if x not in exclude_rpms]
if rpm_names:
print lm.name
print ' %s' % (','.join(rpm_names))
print "--------------"
rpm_props = [x for x in rpms.names.values() if len(x.used_by) and x.name not in exclude_rpms]
rpm_props.sort(lambda a,b: cmp(a.name, b.name))
for rpm_prop in rpm_props:
used_by = rpm_prop.used_by.keys()
used_by.sort()
print "%s: %s" % (rpm_prop.name, ','.join(used_by))
print "--------------"
rpm_props.sort(lambda a,b: cmp(a.size, b.size))
for rpm_prop in rpm_props:
print '%10s %s' % (format_size(rpm_prop.size), rpm_prop.name)
print "--------------"
for lm in lms:
print lm

View File

@ -0,0 +1,97 @@
From afb196b29606aafb5030e8c7ea414a4bd494cbc0 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 14 Sep 2018 12:20:11 +0300
Subject: [PATCH] man: Add missing option descriptions
---
man/man8/raddebug.8 | 4 ++++
man/man8/radiusd.8 | 7 +++++++
man/man8/radmin.8 | 4 ++++
3 files changed, 15 insertions(+)
diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8
index 66e80e64fa..6e27e2453c 100644
--- a/man/man8/raddebug.8
+++ b/man/man8/raddebug.8
@@ -7,6 +7,8 @@ raddebug - Display debugging output from a running server.
.IR condition ]
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-n
.IR name ]
.RB [ \-i
@@ -73,6 +75,8 @@ option is equivalent to using:
.IP "\-d \fIconfig directory\fP"
The radius configuration directory, usually /etc/raddb. See the
\fIradmin\fP manual page for more description of this option.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP "\-n \fImname\fP"
Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
.IP \-I\ \fIipv6-address\fP
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
index c825f22d0d..98aef5e1be 100644
--- a/man/man8/radiusd.8
+++ b/man/man8/radiusd.8
@@ -6,6 +6,8 @@ radiusd - Authentication, Authorization and Accounting server
.RB [ \-C ]
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-f ]
.RB [ \-h ]
.RB [ \-i
@@ -17,6 +19,7 @@ radiusd - Authentication, Authorization and Accounting server
.IR name ]
.RB [ \-p
.IR port ]
+.RB [ \-P ]
.RB [ \-s ]
.RB [ \-t ]
.RB [ \-v ]
@@ -55,6 +58,8 @@ configuration, and which modules are skipped, and therefore not checked.
.IP "\-d \fIconfig directory\fP"
Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
files such as the \fIdictionary\fP and the \fIusers\fP files.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP \-f
Do not fork, stay running as a foreground process.
.IP \-h
@@ -84,6 +89,8 @@ When this command-line option is given, all "listen" sections in
\fIradiusd.conf\fP are ignored.
This option MUST be used in conjunction with "-i".
+.IP "\-P
+Always write out PID, even with -f.
.IP \-s
Run in "single server" mode. The server normally runs with multiple
threads and/or processes, which can lower its response time to
diff --git a/man/man8/radmin.8 b/man/man8/radmin.8
index 5ecc963d81..5bf661fa71 100644
--- a/man/man8/radmin.8
+++ b/man/man8/radmin.8
@@ -5,6 +5,8 @@ radmin - FreeRADIUS Administration tool
.B radmin
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-e
.IR command ]
.RB [ \-E ]
@@ -34,6 +36,8 @@ The following command-line options are accepted by the program.
Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server
configuration files to find the "listen" section that defines the
control socket filename.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP "\-e \fIcommand\fP"
Run \fIcommand\fP and exit.
.IP \-E
--
2.18.0

View File

@ -0,0 +1,45 @@
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index 7f91e4b230..848ca2055e 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
data_len = BN_num_bytes(session->order);
BN_bin2bn(ptr, data_len, session->peer_scalar);
+ /* validate received scalar */
+ if (BN_is_zero(session->peer_scalar) ||
+ BN_is_one(session->peer_scalar) ||
+ BN_cmp(session->peer_scalar, session->order) >= 0) {
+ ERROR("Peer's scalar is not within the allowed range");
+ goto finish;
+ }
+
if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
DEBUG2("pwd: unable to get coordinates of peer's element");
goto finish;
}
+ /* validate received element */
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
+ EC_POINT_is_at_infinity(session->group, session->peer_element)) {
+ ERROR("Peer's element is not a point on the elliptic curve");
+ goto finish;
+ }
+
/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
}
}
+ /* detect reflection attacks */
+ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
+ ERROR("Reflection attack detected");
+ goto finish;
+ }
+
/* compute the shared key, k */
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
(!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||

View File

@ -0,0 +1,38 @@
From 3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
Date: Wed, 5 Jun 2019 19:21:06 +0000
Subject: [PATCH] EAP-pwd: fix side-channel leak where 1 in 2018 handshakes
fail
Previously the Hunting and Pecking algorithm of EAP-pwd aborted when
more than 10 iterations are needed. Every iteration has a 50% chance
of finding the password element. This means one in every 2048 handshakes
will fail, in which case an error frame is sent to the client. This
event leaks information that can be abused in an offline password
brute-force attack. More precisely, the adversary learns that all 10
iterations failed for the given random EAP-pwd token. Using the same
techniques as in the Dragonblood attack, this can be used to brute-force
the password.
This patch fixes the above issue by executing enough iterations such that
the password element is always found eventually.
Note that timing and cache leaks remain a risk against the current
implementation of EAP-pwd.
---
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index c54f08c030..d94851c3aa 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -192,7 +192,7 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
}
ctr = 0;
while (1) {
- if (ctr > 10) {
+ if (ctr > 100) {
DEBUG("unable to find random point on curve for group %d, something's fishy", grp_num);
goto fail;
}

View File

@ -0,0 +1,68 @@
From b93796b1890b35a0922bfba9cd08e8a1a5f956cf Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Sep 2018 09:54:46 -0400
Subject: [PATCH 1/2] Replace HMAC-MD5 implementation with OpenSSL's
If OpenSSL EVP is not found, fallback to internal implementation of
HMAC-MD5.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/hmacmd5.c | 34 +++++++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/lib/hmacmd5.c b/src/lib/hmacmd5.c
index 2c662ff368..1cca00fa2a 100644
--- a/src/lib/hmacmd5.c
+++ b/src/lib/hmacmd5.c
@@ -27,10 +27,41 @@
RCSID("$Id: 2c662ff368e46556edd2cfdf408bd0fca0ab5f18 $")
+#ifdef HAVE_OPENSSL_EVP_H
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#endif
+
#include <freeradius-devel/libradius.h>
#include <freeradius-devel/md5.h>
-/** Calculate HMAC using MD5
+#ifdef HAVE_OPENSSL_EVP_H
+/** Calculate HMAC using OpenSSL's MD5 implementation
+ *
+ * @param digest Caller digest to be filled in.
+ * @param text Pointer to data stream.
+ * @param text_len length of data stream.
+ * @param key Pointer to authentication key.
+ * @param key_len Length of authentication key.
+ *
+ */
+void fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
+ uint8_t const *key, size_t key_len)
+{
+ HMAC_CTX *ctx = HMAC_CTX_new();
+
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* Since MD5 is not allowed by FIPS, explicitly allow it. */
+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif /* EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */
+
+ HMAC_Init_ex(ctx, key, key_len, EVP_md5(), NULL);
+ HMAC_Update(ctx, text, text_len);
+ HMAC_Final(ctx, digest, NULL);
+ HMAC_CTX_free(ctx);
+}
+#else
+/** Calculate HMAC using internal MD5 implementation
*
* @param digest Caller digest to be filled in.
* @param text Pointer to data stream.
@@ -101,6 +132,7 @@
* hash */
fr_md5_final(digest, &context); /* finish up 2nd pass */
}
+#endif /* HAVE_OPENSSL_EVP_H */
/*
Test Vectors (Trailing '\0' of a character string not included in test):

View File

@ -0,0 +1,73 @@
From 91f663ce1b46ecd99399023ad539f158419272e7 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Sep 2018 11:03:52 -0400
Subject: [PATCH 2/2] Replace HMAC-SHA1 implementation with OpenSSL's
If OpenSSL EVP is not found, fallback to internal implementation of
HMAC-SHA1.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/hmacsha1.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/src/lib/hmacsha1.c b/src/lib/hmacsha1.c
index c3cbd87a2c..211470ea35 100644
--- a/src/lib/hmacsha1.c
+++ b/src/lib/hmacsha1.c
@@ -10,13 +10,19 @@
RCSID("$Id: c3cbd87a2c13c47da93fdb1bdfbf6da4c22aaac5 $")
+#ifdef HAVE_OPENSSL_EVP_H
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#endif
+
#include <freeradius-devel/libradius.h>
#ifdef HMAC_SHA1_DATA_PROBLEMS
unsigned int sha1_data_problems = 0;
#endif
-/** Calculate HMAC using SHA1
+#ifdef HAVE_OPENSSL_EVP_H
+/** Calculate HMAC using OpenSSL's SHA1 implementation
*
* @param digest Caller digest to be filled in.
* @param text Pointer to data stream.
@@ -28,6 +34,26 @@
void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
uint8_t const *key, size_t key_len)
{
+ HMAC_CTX *ctx = HMAC_CTX_new();
+ HMAC_Init_ex(ctx, key, key_len, EVP_sha1(), NULL);
+ HMAC_Update(ctx, text, text_len);
+ HMAC_Final(ctx, digest, NULL);
+ HMAC_CTX_free(ctx);
+}
+
+#else
+
+/** Calculate HMAC using internal SHA1 implementation
+ *
+ * @param digest Caller digest to be filled in.
+ * @param text Pointer to data stream.
+ * @param text_len length of data stream.
+ * @param key Pointer to authentication key.
+ * @param key_len Length of authentication key.
+ */
+void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
+ uint8_t const *key, size_t key_len)
+{
fr_sha1_ctx context;
uint8_t k_ipad[65]; /* inner padding - key XORd with ipad */
uint8_t k_opad[65]; /* outer padding - key XORd with opad */
@@ -142,6 +168,7 @@
}
#endif
}
+#endif /* HAVE_OPENSSL_EVP_H */
/*
Test Vectors (Trailing '\0' of a character string not included in test):

21
freeradius-autogen.sh Executable file
View File

@ -0,0 +1,21 @@
#!/bin/sh -e
parentdir=`dirname $0`
cd $parentdir
parentdir=`pwd`
libtoolize -f -c
#aclocal
autoheader
autoconf
mysubdirs="$mysubdirs `find src/modules/ -name configure -print | sed 's%/configure%%'`"
mysubdirs=`echo $mysubdirs`
for F in $mysubdirs
do
echo "Configuring in $F..."
(cd $F && grep "^AC_CONFIG_HEADER" configure.in > /dev/null && autoheader -I$parentdir)
(cd $F && autoconf -I$parentdir)
done

View File

@ -0,0 +1,42 @@
From 98510efd0e2930d8924b47009945a0fb1bd75a29 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Mon, 22 Apr 2019 14:38:19 -0400
Subject: [PATCH] Allow listen.ipaddr to reference an IPv6-only host
In 5452b13cefa3b30f1da467ff5d68b3c1aa471188, these lines were added
which effectively result in a listen.ipaddr only allowing hostnames to
resolve to IPv4 addresses. With a hostname with only a IPv6 address,
it'll bail with the error message:
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
Failed resolving "ipv6.cipherboy.com" to IPv4 address:
Name or service not known
This directly contradicts the language in the default configuration
file, so support resolving both IPv4-only and IPv6-only hostnames.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/misc.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/src/lib/misc.c b/src/lib/misc.c
index dff21e33f7..5520d8a0a4 100644
--- a/src/lib/misc.c
+++ b/src/lib/misc.c
@@ -607,13 +607,6 @@ int fr_pton(fr_ipaddr_t *out, char const *value, ssize_t inlen, int af, bool res
fr_strerror_printf("Invalid address");
return -1;
}
-
- /*
- * Fall through to resolving the address, using
- * whatever address family they prefer. If they
- * don't specify an address family, force IPv4.
- */
- if (af == AF_UNSPEC) af = AF_INET;
}
/*

View File

@ -0,0 +1,64 @@
From b8a6ac05977845851f02151ca35c3a51e88bd534 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Thu, 18 Oct 2018 12:40:53 -0400
Subject: [PATCH] Clarify shebangs to be python2
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
scripts/radtee | 2 +-
src/modules/rlm_python/example.py | 2 +-
src/modules/rlm_python/prepaid.py | 2 +-
src/modules/rlm_python/radiusd.py | 2 +-
src/modules/rlm_python/radiusd_test.py | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/scripts/radtee b/scripts/radtee
index 123769d244..78b4bcbe0b 100755
--- a/scripts/radtee
+++ b/scripts/radtee
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python2
from __future__ import with_statement
# RADIUS comparison tee v1.0
diff --git a/src/modules/rlm_python/example.py b/src/modules/rlm_python/example.py
index 5950a07678..eaf456e349 100644
--- a/src/modules/rlm_python/example.py
+++ b/src/modules/rlm_python/example.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Python module example file
# Miguel A.L. Paraz <mparaz@mparaz.com>
diff --git a/src/modules/rlm_python/prepaid.py b/src/modules/rlm_python/prepaid.py
index c3cbf57b8f..3b1dc2e2e8 100644
--- a/src/modules/rlm_python/prepaid.py
+++ b/src/modules/rlm_python/prepaid.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Example Python module for prepaid usage using MySQL
diff --git a/src/modules/rlm_python/radiusd.py b/src/modules/rlm_python/radiusd.py
index c535bb3caf..7129923994 100644
--- a/src/modules/rlm_python/radiusd.py
+++ b/src/modules/rlm_python/radiusd.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Definitions for RADIUS programs
#
diff --git a/src/modules/rlm_python/radiusd_test.py b/src/modules/rlm_python/radiusd_test.py
index 13b7128b29..97b5b64f08 100644
--- a/src/modules/rlm_python/radiusd_test.py
+++ b/src/modules/rlm_python/radiusd_test.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Python module test
# Miguel A.L. Paraz <mparaz@mparaz.com>

113
freeradius-radiusd-init Normal file
View File

@ -0,0 +1,113 @@
#!/bin/sh
#
# radiusd Start/Stop the FreeRADIUS daemon
#
# chkconfig: - 88 10
# description: Extensible, configurable, high performance RADIUS server.
### BEGIN INIT INFO
# Provides: radiusd
# Required-Start: $network
# Required-Stop:
# Default-Start:
# Default-Stop:
# Should-Start: $time $syslog mysql ldap postgresql samba krb5-kdc
# Should-Stop:
# Short-Description: FreeRADIUS server
# Description: Extensible, configurable, high performance RADIUS server.
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
prog=radiusd
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
exec=${exec:=/usr/sbin/$prog}
config_dir=${config_dir:=/etc/raddb}
config=${config:=$config_dir/radiusd.conf}
pidfile=${pidfile:=/var/run/$prog/$prog.pid}
lockfile=${lockfile:=/var/lock/subsys/radiusd}
start() {
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
echo -n $"Starting $prog: "
daemon --pidfile $pidfile $exec -d $config_dir
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
killproc -p $pidfile $prog
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}
restart() {
stop
start
}
reload() {
# radiusd may not be capable of a 100% configuration reload depending
# on which loadable modules are in use, if sending the server a
# HUP is not sufficient then use restart here instead. However, we
# prefer by default to use HUP since it's what is usually desired.
#
# restart
kill -HUP `pidofproc -p $pidfile $prog`
}
force_reload() {
restart
}
rh_status() {
# run checks to determine if the service is running or use generic status
status -p $pidfile $prog
}
rh_status_q() {
rh_status >/dev/null 2>&1
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 2
esac
exit $?

6
gating.yaml Normal file
View File

@ -0,0 +1,6 @@
--- !Policy
product_versions:
- rhel-8
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

6
rpminspect.yaml Normal file
View File

@ -0,0 +1,6 @@
---
inspections:
badfuncs: off
runpath:
allowed_paths:
- /usr/lib64

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (freeradius-server-3.0.20.tar.bz2) = d5e0732a75268480092b46822a0e0fffb683adb93be13932eb170d2dc783a46d0daff4cadd0de69fd5ce4578083c9f69a9cccc485ea9c0c2eecf82c772f54b8e