Compare commits
No commits in common. "c8-stream-3.0" and "c9-beta" have entirely different histories.
c8-stream-
...
c9-beta
@ -1 +1 @@
|
||||
3dd0e18fa04aff410876309e4322313b700db2b7 SOURCES/freeradius-server-3.0.20.tar.bz2
|
||||
3d90d63bf1452794cf9d0b04147745a254872c3f SOURCES/freeradius-server-3.0.21.tar.bz2
|
||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/freeradius-server-3.0.20.tar.bz2
|
||||
SOURCES/freeradius-server-3.0.21.tar.bz2
|
||||
|
18799
SOURCES/freeradius-Backport-OpenSSL3-fixes.patch
Normal file
18799
SOURCES/freeradius-Backport-OpenSSL3-fixes.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,39 +0,0 @@
|
||||
Author: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri Jul 2 07:12:48 2021 -0400
|
||||
Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
|
||||
|
||||
FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
|
||||
explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
|
||||
variable to 1 or else FR should exit at start.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
|
||||
Signed-off-by: Antonio Torres antorres@redhat.com
|
||||
---
|
||||
src/main/radiusd.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
|
||||
index 9739514509..58a48895e6 100644
|
||||
--- a/src/main/radiusd.c
|
||||
+++ b/src/main/radiusd.c
|
||||
@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
|
||||
+ */
|
||||
+ char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
|
||||
+ FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
|
||||
+ if (fips_file != NULL) {
|
||||
+ int fips_enabled = fgetc(fips_file) - '0';
|
||||
+ fclose(fips_file);
|
||||
+ if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
|
||||
+ fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* According to the talloc peeps, no two threads may modify any part of
|
||||
* a ctx tree with a common root without synchronisation.
|
@ -1,51 +0,0 @@
|
||||
From e2de6fab148e800380f1929fe4ea88a38de42053 Mon Sep 17 00:00:00 2001
|
||||
From: "Alan T. DeKok" <aland@freeradius.org>
|
||||
Date: Wed, 20 Nov 2019 13:59:54 -0500
|
||||
Subject: [PATCH] a better fix for commit 30ffd21
|
||||
|
||||
Which still runs post-proxy-type fail if all of the home servers
|
||||
are dead
|
||||
|
||||
[antorres@redhat.com: solved in FR 3.0.21, resolves bz#2030173]
|
||||
[antorres@redhat.com: removed first hunk of commit, already present]
|
||||
---
|
||||
src/main/process.c | 9 +++------
|
||||
1 file changed, 3 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/main/process.c b/src/main/process.c
|
||||
index c8b3af24e2..1a48517d43 100644
|
||||
--- a/src/main/process.c
|
||||
+++ b/src/main/process.c
|
||||
@@ -2475,13 +2474,12 @@ static int process_proxy_reply(REQUEST *request, RADIUS_PACKET *reply)
|
||||
}
|
||||
|
||||
old_server = request->server;
|
||||
- rad_assert(request->home_server != NULL);
|
||||
|
||||
/*
|
||||
* If the home server is virtual, just run pre_proxy from
|
||||
* that section.
|
||||
*/
|
||||
- if (request->home_server->server) {
|
||||
+ if (request->home_server && request->home_server->server) {
|
||||
request->server = request->home_server->server;
|
||||
|
||||
} else {
|
||||
@@ -3182,13 +3180,12 @@ do_home:
|
||||
}
|
||||
|
||||
old_server = request->server;
|
||||
- rad_assert(request->home_server != NULL);
|
||||
|
||||
/*
|
||||
* If the home server is virtual, just run pre_proxy from
|
||||
* that section.
|
||||
*/
|
||||
- if (request->home_server->server) {
|
||||
+ if (request->home_server && request->home_server->server) {
|
||||
request->server = request->home_server->server;
|
||||
|
||||
} else {
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,41 +0,0 @@
|
||||
From 3fd832baf898fe6d6f974cd2d36d1c5206bc2209 Mon Sep 17 00:00:00 2001
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 12 Nov 2021 16:23:05 +0100
|
||||
Subject: [PATCH] Fix unterminated strings in SQL queries
|
||||
|
||||
Resolves: bz#2021247
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
raddb/mods-config/sql/ippool/mysql/queries.conf | 2 +-
|
||||
raddb/mods-config/sql/ippool/sqlite/queries.conf | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/raddb/mods-config/sql/ippool/mysql/queries.conf b/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||
index 2dfc6574dd..444812a047 100644
|
||||
--- a/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||
+++ b/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||
@@ -114,7 +114,7 @@ allocate_update = "\
|
||||
nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool_key}', \
|
||||
callingstationid = '%{Calling-Station-Id}', \
|
||||
username = '%{User-Name}', expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \
|
||||
- WHERE framedipaddress = '%I'
|
||||
+ WHERE framedipaddress = '%I'"
|
||||
|
||||
#
|
||||
# Use a stored procedure to find AND allocate the address. Read and customise
|
||||
diff --git a/raddb/mods-config/sql/ippool/sqlite/queries.conf b/raddb/mods-config/sql/ippool/sqlite/queries.conf
|
||||
index 31a5df3659..e92466108b 100644
|
||||
--- a/raddb/mods-config/sql/ippool/sqlite/queries.conf
|
||||
+++ b/raddb/mods-config/sql/ippool/sqlite/queries.conf
|
||||
@@ -89,7 +89,7 @@ allocate_update = "\
|
||||
callingstationid = '%{Calling-Station-Id}', \
|
||||
username = '%{User-Name}', \
|
||||
expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \
|
||||
- WHERE framedipaddress = '%I'
|
||||
+ WHERE framedipaddress = '%I'"
|
||||
|
||||
#
|
||||
# This series of queries frees an IP number when an accounting START record arrives
|
||||
--
|
||||
2.31.1
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,20 +1,18 @@
|
||||
From 3f40655ad0708b74a4a41b13c2b21995b157c14d Mon Sep 17 00:00:00 2001
|
||||
From acaf4be8e301a01041acba189194d9502994611d Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 5 Aug 2020 15:53:45 -0400
|
||||
Date: Wed, 13 May 2020 10:01:47 -0400
|
||||
Subject: [PATCH] Don't clobber existing files on bootstrap
|
||||
|
||||
Rebased: v3.0.20
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
raddb/certs/bootstrap | 35 +++++++++++++++++++----------------
|
||||
1 file changed, 19 insertions(+), 16 deletions(-)
|
||||
raddb/certs/bootstrap | 31 +++++++++++++++----------------
|
||||
1 file changed, 15 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 0f719aa..336a2bd 100755
|
||||
index ede09bc..e555491 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -31,52 +31,55 @@ fi
|
||||
@@ -20,56 +20,55 @@ cd `dirname $0`
|
||||
# Don't edit the following text. Instead, edit the Makefile, and
|
||||
# re-generate these commands.
|
||||
#
|
||||
@ -32,7 +30,7 @@ index 0f719aa..336a2bd 100755
|
||||
-if [ ! -f server.key ]; then
|
||||
+if [ ! -e server.key ]; then
|
||||
openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
|
||||
+ chmod g+r server.key
|
||||
chmod g+r server.key
|
||||
fi
|
||||
|
||||
-if [ ! -f ca.key ]; then
|
||||
@ -58,14 +56,14 @@ index 0f719aa..336a2bd 100755
|
||||
-if [ ! -f server.p12 ]; then
|
||||
+if [ ! -e server.p12 ]; then
|
||||
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
|
||||
+ chmod g+r server.p12
|
||||
chmod g+r server.p12
|
||||
fi
|
||||
|
||||
-if [ ! -f server.pem ]; then
|
||||
+if [ ! -e server.pem ]; then
|
||||
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
|
||||
openssl verify -CAfile ca.pem server.pem || exit 1
|
||||
+ chmod g+r server.pem
|
||||
chmod g+r server.pem
|
||||
fi
|
||||
|
||||
-if [ ! -f ca.der ]; then
|
||||
@ -76,7 +74,7 @@ index 0f719aa..336a2bd 100755
|
||||
-if [ ! -f client.key ]; then
|
||||
+if [ ! -e client.key ]; then
|
||||
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
|
||||
+ chmod g+r client.key
|
||||
chmod g+r client.key
|
||||
fi
|
||||
|
||||
-if [ ! -f client.crt ]; then
|
||||
|
@ -1,52 +0,0 @@
|
||||
From b31f1ab9a0e1c010037d2d660e3ce4ea7eb07d6c Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 5 Aug 2020 16:10:52 -0400
|
||||
Subject: [PATCH] Use fixed FIPS-approved dhparam by default
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
raddb/certs/Makefile | 2 +-
|
||||
raddb/certs/bootstrap | 7 +++++--
|
||||
2 files changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
|
||||
index 5cbfd46..41b7aea 100644
|
||||
--- a/raddb/certs/Makefile
|
||||
+++ b/raddb/certs/Makefile
|
||||
@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
|
||||
#
|
||||
######################################################################
|
||||
dh:
|
||||
- $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
|
||||
+ cp rfc3526-group-18-8192.dhparam dh
|
||||
|
||||
######################################################################
|
||||
#
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 9920ecf..59b3310 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -13,6 +13,10 @@
|
||||
umask 027
|
||||
cd `dirname $0`
|
||||
|
||||
+if [ ! -e random ]; then
|
||||
+ ln -sf /dev/urandom random
|
||||
+fi
|
||||
+
|
||||
make -h > /dev/null 2>&1
|
||||
|
||||
#
|
||||
@@ -35,8 +39,7 @@ fi
|
||||
# re-generate these commands.
|
||||
#
|
||||
if [ ! -e dh ]; then
|
||||
- openssl dhparam -out dh 2048 || exit 1
|
||||
- ln -sf /dev/urandom random
|
||||
+ cp rfc3526-group-18-8192.dhparam dh
|
||||
fi
|
||||
|
||||
if [ ! -e server.key ]; then
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,136 @@
|
||||
From e089777942552c4fe3e58aa328566e7bb745dbf8 Mon Sep 17 00:00:00 2001
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 22 Apr 2022 12:27:43 +0200
|
||||
Subject: [PATCH] bootstrap: pass -noenc to certificate generation
|
||||
|
||||
Bootstrap script would fail to generate certificates if run on systems
|
||||
with FIPS enabled. By passing the -noenc option, we can skip the usage
|
||||
of unsupported algorithms on these systems.
|
||||
|
||||
After generating the certificates, correct permissions are set.
|
||||
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
|
||||
[antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch.
|
||||
In bootstrap diff, -f is changed to -e in conditionals.
|
||||
---
|
||||
raddb/certs/Makefile | 20 ++++++++++++++++----
|
||||
raddb/certs/bootstrap | 6 +++---
|
||||
2 files changed, 19 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
|
||||
index 5cbfd467ce..cb10394ec3 100644
|
||||
--- a/raddb/certs/Makefile
|
||||
+++ b/raddb/certs/Makefile
|
||||
@@ -60,6 +60,8 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
|
||||
######################################################################
|
||||
dh:
|
||||
$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
|
||||
+ chown root:radiusd dh
|
||||
+ chmod 640 dh
|
||||
|
||||
######################################################################
|
||||
#
|
||||
@@ -71,8 +73,10 @@ ca.key ca.pem: ca.cnf
|
||||
@[ -f serial ] || $(MAKE) serial
|
||||
$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
|
||||
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
|
||||
- -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
|
||||
+ -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc
|
||||
chmod g+r ca.key
|
||||
+ chown root:radiusd ca.*
|
||||
+ chmod 640 ca.*
|
||||
|
||||
ca.der: ca.pem
|
||||
$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
|
||||
@@ -81,6 +85,8 @@ ca.crl: ca.pem
|
||||
$(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
|
||||
$(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
|
||||
rm ca-crl.pem
|
||||
+ chown root:radiusd ca.*
|
||||
+ chmod 640 ca.*
|
||||
|
||||
######################################################################
|
||||
#
|
||||
@@ -88,7 +94,7 @@ ca.crl: ca.pem
|
||||
#
|
||||
######################################################################
|
||||
server.csr server.key: server.cnf
|
||||
- $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf
|
||||
+ $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf -noenc
|
||||
chmod g+r server.key
|
||||
|
||||
server.crt: server.csr ca.key ca.pem
|
||||
@@ -101,6 +107,8 @@ server.p12: server.crt
|
||||
server.pem: server.p12
|
||||
$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
|
||||
chmod g+r server.pem
|
||||
+ chown root:radiusd server.*
|
||||
+ chmod 640 server.*
|
||||
|
||||
.PHONY: server.vrfy
|
||||
server.vrfy: ca.pem
|
||||
@@ -113,7 +121,7 @@ server.vrfy: ca.pem
|
||||
#
|
||||
######################################################################
|
||||
client.csr client.key: client.cnf
|
||||
- $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf
|
||||
+ $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
|
||||
chmod g+r client.key
|
||||
|
||||
client.crt: client.csr ca.pem ca.key
|
||||
@@ -127,6 +135,8 @@ client.pem: client.p12
|
||||
$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
|
||||
chmod g+r client.pem
|
||||
cp client.pem $(USER_NAME).pem
|
||||
+ chown root:radiusd client.*
|
||||
+ chmod 640 client.*
|
||||
|
||||
.PHONY: client.vrfy
|
||||
client.vrfy: ca.pem client.pem
|
||||
@@ -139,7 +149,7 @@ client.vrfy: ca.pem client.pem
|
||||
#
|
||||
######################################################################
|
||||
inner-server.csr inner-server.key: inner-server.cnf
|
||||
- $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
|
||||
+ $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf -noenc
|
||||
chmod g+r inner-server.key
|
||||
|
||||
inner-server.crt: inner-server.csr ca.key ca.pem
|
||||
@@ -152,6 +162,8 @@ inner-server.p12: inner-server.crt
|
||||
inner-server.pem: inner-server.p12
|
||||
$(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
|
||||
chmod g+r inner-server.pem
|
||||
+ chown root:radiusd inner-server.*
|
||||
+ chmod 640 inner-server.*
|
||||
|
||||
.PHONY: inner-server.vrfy
|
||||
inner-server.vrfy: ca.pem
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 57de8cf0d7..c258ec45e0 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -41,12 +41,12 @@ if [ ! -f dh ]; then
|
||||
fi
|
||||
|
||||
if [ ! -e server.key ]; then
|
||||
- openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
|
||||
+ openssl req -new -out server.csr -keyout server.key -config ./server.cnf -noenc || exit 1
|
||||
chmod g+r server.key
|
||||
fi
|
||||
|
||||
if [ ! -e ca.key ]; then
|
||||
- openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
|
||||
+ openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf -noenc || exit 1
|
||||
fi
|
||||
|
||||
if [ ! -e index.txt ]; then
|
||||
@@ -77,7 +77,7 @@ if [ ! -f ca.der ]; then
|
||||
fi
|
||||
|
||||
if [ ! -e client.key ]; then
|
||||
- openssl req -new -out client.csr -keyout client.key -config ./client.cnf
|
||||
+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
|
||||
chmod g+r client.key
|
||||
fi
|
||||
|
@ -1,72 +0,0 @@
|
||||
Author: Antonio Torres <antorres@redhat.com>
|
||||
Date: Wed Jul 20 2021
|
||||
Subject: [PATCH] ensure bootstrap script is run only once
|
||||
|
||||
The bootstrap script should only run once. By checking if there are
|
||||
certificates in the directory, we can exit early if certificates were
|
||||
already generated.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
|
||||
Signed-off-by: Antonio Torres antorres@redhat.com
|
||||
---
|
||||
raddb/certs/README | 16 ++++++----------
|
||||
raddb/certs/bootstrap | 18 ++++++++++++------
|
||||
2 files changed, 18 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/raddb/certs/README b/raddb/certs/README
|
||||
index 6288921da1..32413964dd 100644
|
||||
--- a/raddb/certs/README
|
||||
+++ b/raddb/certs/README
|
||||
@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
|
||||
your users, and to issue client certificates for EAP-TLS.
|
||||
|
||||
If FreeRADIUS was configured to use OpenSSL, then simply starting
|
||||
-the server in root in debugging mode should also create test
|
||||
-certificates, i.e.:
|
||||
+the server in root mode should also create test certificates.
|
||||
|
||||
-$ radiusd -X
|
||||
-
|
||||
- That will cause the EAP-TLS module to run the "bootstrap" script in
|
||||
-this directory. The script will be executed only once, the first time
|
||||
-the server has been installed on a particular machine. This bootstrap
|
||||
-script SHOULD be run on installation of any pre-built binary package
|
||||
-for your OS. In any case, the script will ensure that it is not run
|
||||
-twice, and that it does not over-write any existing certificates.
|
||||
+ The start of FreeRADIUS will cause to run the "bootstrap" script.
|
||||
+The script will be executed during every start of FreeRADIUS via systemd but
|
||||
+the script will ensure that it does not overwrite any existing certificates.
|
||||
+Ideally, the bootstrap script file should be deleted after new testing certificates
|
||||
+have been generated.
|
||||
|
||||
If you already have CA and server certificates, rename (or delete)
|
||||
this directory, and create a new "certs" directory containing your
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 0f719aafd4..92254dc936 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -1,12 +1,18 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
-# This is a wrapper script to create default certificates when the
|
||||
-# server first starts in debugging mode. Once the certificates have been
|
||||
-# created, this file should be deleted.
|
||||
+# Bootstrap script should be run only once. If there are already certificates
|
||||
+# generated, skip the execution.
|
||||
+#
|
||||
+cd `dirname $0`
|
||||
+if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
|
||||
+ exit 0
|
||||
+fi
|
||||
+
|
||||
#
|
||||
-# Ideally, this program should be run as part of the installation of any
|
||||
-# binary package. The installation should also ensure that the permissions
|
||||
-# and owners are correct for the files generated by this script.
|
||||
+# This is a wrapper script to create default certificates when the
|
||||
+# server starts via systemd. It should also ensure that the
|
||||
+# permissions and owners are correct for the generated files. Once
|
||||
+# the certificates have been created, this file should be deleted.
|
||||
#
|
||||
# $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
|
||||
#
|
@ -7,7 +7,7 @@ attribute which can cause the server to crash.
|
||||
|
||||
Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151706
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151707
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
diff --git a/src/lib/filters.c b/src/lib/filters.c
|
||||
|
@ -11,7 +11,7 @@ Backport of:
|
||||
https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
|
||||
https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151704
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151705
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
|
||||
|
@ -1,76 +0,0 @@
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 09 Dec 2022
|
||||
Subject: Fix information leakage in EAP-PWD
|
||||
|
||||
The EAP-PWD function compute_password_element() leaks information about the
|
||||
password which allows an attacker to substantially reduce the size of an
|
||||
offline dictionary attack.
|
||||
|
||||
Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
index d94851c3aa..9f86b62114 100644
|
||||
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
|
||||
#include <freeradius-devel/radiusd.h>
|
||||
#include <freeradius-devel/modules.h>
|
||||
|
||||
+static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
|
||||
+
|
||||
/* The random function H(x) = HMAC-SHA256(0^32, x) */
|
||||
static void H_Init(HMAC_CTX *ctx)
|
||||
{
|
||||
@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||
uint32_t *token)
|
||||
{
|
||||
BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
|
||||
- HMAC_CTX *ctx = NULL;
|
||||
+ EVP_MD_CTX *hmac_ctx;
|
||||
+ EVP_PKEY *hmac_pkey;
|
||||
uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
|
||||
int nid, is_odd, primebitlen, primebytelen, ret = 0;
|
||||
|
||||
- ctx = HMAC_CTX_new();
|
||||
- if (ctx == NULL) {
|
||||
- DEBUG("failed allocating HMAC context");
|
||||
- goto fail;
|
||||
- }
|
||||
+ MEM(hmac_ctx = EVP_MD_CTX_new());
|
||||
+ MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
|
||||
|
||||
switch (grp_num) { /* from IANA registry for IKE D-H groups */
|
||||
case 19:
|
||||
@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||
* pwd-seed = H(token | peer-id | server-id | password |
|
||||
* counter)
|
||||
*/
|
||||
- H_Init(ctx);
|
||||
- H_Update(ctx, (uint8_t *)token, sizeof(*token));
|
||||
- H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
|
||||
- H_Update(ctx, (uint8_t const *)id_server, id_server_len);
|
||||
- H_Update(ctx, (uint8_t const *)password, password_len);
|
||||
- H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
|
||||
- H_Final(ctx, pwe_digest);
|
||||
+ EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
|
||||
|
||||
BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
|
||||
if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
|
||||
@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||
BN_clear_free(x_candidate);
|
||||
BN_clear_free(rnd);
|
||||
talloc_free(prfbuf);
|
||||
- HMAC_CTX_free(ctx);
|
||||
+ EVP_MD_CTX_free(hmac_ctx);
|
||||
+ EVP_PKEY_free(hmac_pkey);
|
||||
|
||||
return ret;
|
||||
}
|
635
SOURCES/freeradius-fix-python3-library-suffix.patch
Normal file
635
SOURCES/freeradius-fix-python3-library-suffix.patch
Normal file
@ -0,0 +1,635 @@
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Mon, 06 Nov 2023
|
||||
Subject: Fix Python3.8+ library name suffix
|
||||
|
||||
Python 3.8 has removed the "m" suffix in the library name, add a check for it.
|
||||
|
||||
Backport of https://github.com/FreeRADIUS/freeradius-server/commit/fa837465493158257e600f28bca009ba890db863
|
||||
|
||||
Resolves: https://issues.redhat.com/browse/RHEL-15503
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
diff --git a/src/modules/rlm_python3/configure b/src/modules/rlm_python3/configure
|
||||
index f421558ac0c0..05907f12c359 100755
|
||||
--- a/src/modules/rlm_python3/configure
|
||||
+++ b/src/modules/rlm_python3/configure
|
||||
@@ -588,7 +588,17 @@ LIBOBJS
|
||||
targetname
|
||||
mod_cflags
|
||||
mod_ldflags
|
||||
+AWK
|
||||
PYTHON3_CONFIG_BIN
|
||||
+pkgpyexecdir
|
||||
+pyexecdir
|
||||
+pkgpythondir
|
||||
+pythondir
|
||||
+PYTHON_PLATFORM
|
||||
+PYTHON_EXEC_PREFIX
|
||||
+PYTHON_PREFIX
|
||||
+PYTHON_VERSION
|
||||
+PYTHON
|
||||
CPP
|
||||
OBJEXT
|
||||
EXEEXT
|
||||
@@ -648,7 +658,8 @@ CFLAGS
|
||||
LDFLAGS
|
||||
LIBS
|
||||
CPPFLAGS
|
||||
-CPP'
|
||||
+CPP
|
||||
+PYTHON'
|
||||
|
||||
|
||||
# Initialize some variables set by options.
|
||||
@@ -1266,6 +1277,7 @@ Some influential environment variables:
|
||||
CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
|
||||
you have headers in a nonstandard directory <include dir>
|
||||
CPP C preprocessor
|
||||
+ PYTHON the Python interpreter
|
||||
|
||||
Use these variables to override the choices made by `configure' or to help
|
||||
it to find libraries and programs with nonstandard names/locations.
|
||||
@@ -1421,6 +1433,119 @@ fi
|
||||
as_fn_set_status $ac_retval
|
||||
|
||||
} # ac_fn_c_try_cpp
|
||||
+
|
||||
+# ac_fn_c_try_link LINENO
|
||||
+# -----------------------
|
||||
+# Try to link conftest.$ac_ext, and return whether this succeeded.
|
||||
+ac_fn_c_try_link ()
|
||||
+{
|
||||
+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
|
||||
+ rm -f conftest.$ac_objext conftest$ac_exeext
|
||||
+ if { { ac_try="$ac_link"
|
||||
+case "(($ac_try" in
|
||||
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
|
||||
+ *) ac_try_echo=$ac_try;;
|
||||
+esac
|
||||
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
|
||||
+$as_echo "$ac_try_echo"; } >&5
|
||||
+ (eval "$ac_link") 2>conftest.err
|
||||
+ ac_status=$?
|
||||
+ if test -s conftest.err; then
|
||||
+ grep -v '^ *+' conftest.err >conftest.er1
|
||||
+ cat conftest.er1 >&5
|
||||
+ mv -f conftest.er1 conftest.err
|
||||
+ fi
|
||||
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
|
||||
+ test $ac_status = 0; } && {
|
||||
+ test -z "$ac_c_werror_flag" ||
|
||||
+ test ! -s conftest.err
|
||||
+ } && test -s conftest$ac_exeext && {
|
||||
+ test "$cross_compiling" = yes ||
|
||||
+ test -x conftest$ac_exeext
|
||||
+ }; then :
|
||||
+ ac_retval=0
|
||||
+else
|
||||
+ $as_echo "$as_me: failed program was:" >&5
|
||||
+sed 's/^/| /' conftest.$ac_ext >&5
|
||||
+
|
||||
+ ac_retval=1
|
||||
+fi
|
||||
+ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
|
||||
+ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
|
||||
+ # interfere with the next link command; also delete a directory that is
|
||||
+ # left behind by Apple's compiler. We do this before executing the actions.
|
||||
+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo
|
||||
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
|
||||
+ as_fn_set_status $ac_retval
|
||||
+
|
||||
+} # ac_fn_c_try_link
|
||||
+
|
||||
+# ac_fn_c_check_func LINENO FUNC VAR
|
||||
+# ----------------------------------
|
||||
+# Tests whether FUNC exists, setting the cache variable VAR accordingly
|
||||
+ac_fn_c_check_func ()
|
||||
+{
|
||||
+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
|
||||
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
|
||||
+$as_echo_n "checking for $2... " >&6; }
|
||||
+if eval \${$3+:} false; then :
|
||||
+ $as_echo_n "(cached) " >&6
|
||||
+else
|
||||
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
+/* end confdefs.h. */
|
||||
+/* Define $2 to an innocuous variant, in case <limits.h> declares $2.
|
||||
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
|
||||
+#define $2 innocuous_$2
|
||||
+
|
||||
+/* System header to define __stub macros and hopefully few prototypes,
|
||||
+ which can conflict with char $2 (); below.
|
||||
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
|
||||
+ <limits.h> exists even on freestanding compilers. */
|
||||
+
|
||||
+#ifdef __STDC__
|
||||
+# include <limits.h>
|
||||
+#else
|
||||
+# include <assert.h>
|
||||
+#endif
|
||||
+
|
||||
+#undef $2
|
||||
+
|
||||
+/* Override any GCC internal prototype to avoid an error.
|
||||
+ Use char because int might match the return type of a GCC
|
||||
+ builtin and then its argument prototype would still apply. */
|
||||
+#ifdef __cplusplus
|
||||
+extern "C"
|
||||
+#endif
|
||||
+char $2 ();
|
||||
+/* The GNU C library defines this for functions which it implements
|
||||
+ to always fail with ENOSYS. Some functions are actually named
|
||||
+ something starting with __ and the normal name is an alias. */
|
||||
+#if defined __stub_$2 || defined __stub___$2
|
||||
+choke me
|
||||
+#endif
|
||||
+
|
||||
+int
|
||||
+main ()
|
||||
+{
|
||||
+return $2 ();
|
||||
+ ;
|
||||
+ return 0;
|
||||
+}
|
||||
+_ACEOF
|
||||
+if ac_fn_c_try_link "$LINENO"; then :
|
||||
+ eval "$3=yes"
|
||||
+else
|
||||
+ eval "$3=no"
|
||||
+fi
|
||||
+rm -f core conftest.err conftest.$ac_objext \
|
||||
+ conftest$ac_exeext conftest.$ac_ext
|
||||
+fi
|
||||
+eval ac_res=\$$3
|
||||
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
|
||||
+$as_echo "$ac_res" >&6; }
|
||||
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
|
||||
+
|
||||
+} # ac_fn_c_check_func
|
||||
cat >config.log <<_ACEOF
|
||||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
@@ -2705,6 +2830,267 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
|
||||
ac_compiler_gnu=$ac_cv_c_compiler_gnu
|
||||
|
||||
|
||||
+
|
||||
+
|
||||
+
|
||||
+
|
||||
+
|
||||
+ if test -n "$PYTHON"; then
|
||||
+ # If the user set $PYTHON, use it and don't search something else.
|
||||
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $PYTHON version is >= 3.0" >&5
|
||||
+$as_echo_n "checking whether $PYTHON version is >= 3.0... " >&6; }
|
||||
+ prog="import sys
|
||||
+# split strings by '.' and convert to numeric. Append some zeros
|
||||
+# because we need at least 4 digits for the hex conversion.
|
||||
+# map returns an iterator in Python 3.0 and a list in 2.x
|
||||
+minver = list(map(int, '3.0'.split('.'))) + [0, 0, 0]
|
||||
+minverhex = 0
|
||||
+# xrange is not present in Python 3.0 and range returns an iterator
|
||||
+for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i]
|
||||
+sys.exit(sys.hexversion < minverhex)"
|
||||
+ if { echo "$as_me:$LINENO: $PYTHON -c "$prog"" >&5
|
||||
+ ($PYTHON -c "$prog") >&5 2>&5
|
||||
+ ac_status=$?
|
||||
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
|
||||
+ (exit $ac_status); }; then :
|
||||
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
+$as_echo "yes" >&6; }
|
||||
+else
|
||||
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
+$as_echo "no" >&6; }
|
||||
+ as_fn_error $? "Python interpreter is too old" "$LINENO" 5
|
||||
+fi
|
||||
+ am_display_PYTHON=$PYTHON
|
||||
+ else
|
||||
+ # Otherwise, try each interpreter until we find one that satisfies
|
||||
+ # VERSION.
|
||||
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a Python interpreter with version >= 3.0" >&5
|
||||
+$as_echo_n "checking for a Python interpreter with version >= 3.0... " >&6; }
|
||||
+if ${am_cv_pathless_PYTHON+:} false; then :
|
||||
+ $as_echo_n "(cached) " >&6
|
||||
+else
|
||||
+
|
||||
+ for am_cv_pathless_PYTHON in python python2 python3 python3.9 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python3.1 python3.0 python2.7 python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0 none; do
|
||||
+ test "$am_cv_pathless_PYTHON" = none && break
|
||||
+ prog="import sys
|
||||
+# split strings by '.' and convert to numeric. Append some zeros
|
||||
+# because we need at least 4 digits for the hex conversion.
|
||||
+# map returns an iterator in Python 3.0 and a list in 2.x
|
||||
+minver = list(map(int, '3.0'.split('.'))) + [0, 0, 0]
|
||||
+minverhex = 0
|
||||
+# xrange is not present in Python 3.0 and range returns an iterator
|
||||
+for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i]
|
||||
+sys.exit(sys.hexversion < minverhex)"
|
||||
+ if { echo "$as_me:$LINENO: $am_cv_pathless_PYTHON -c "$prog"" >&5
|
||||
+ ($am_cv_pathless_PYTHON -c "$prog") >&5 2>&5
|
||||
+ ac_status=$?
|
||||
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
|
||||
+ (exit $ac_status); }; then :
|
||||
+ break
|
||||
+fi
|
||||
+ done
|
||||
+fi
|
||||
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_pathless_PYTHON" >&5
|
||||
+$as_echo "$am_cv_pathless_PYTHON" >&6; }
|
||||
+ # Set $PYTHON to the absolute path of $am_cv_pathless_PYTHON.
|
||||
+ if test "$am_cv_pathless_PYTHON" = none; then
|
||||
+ PYTHON=:
|
||||
+ else
|
||||
+ # Extract the first word of "$am_cv_pathless_PYTHON", so it can be a program name with args.
|
||||
+set dummy $am_cv_pathless_PYTHON; ac_word=$2
|
||||
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
|
||||
+$as_echo_n "checking for $ac_word... " >&6; }
|
||||
+if ${ac_cv_path_PYTHON+:} false; then :
|
||||
+ $as_echo_n "(cached) " >&6
|
||||
+else
|
||||
+ case $PYTHON in
|
||||
+ [\\/]* | ?:[\\/]*)
|
||||
+ ac_cv_path_PYTHON="$PYTHON" # Let the user override the test with a path.
|
||||
+ ;;
|
||||
+ *)
|
||||
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
|
||||
+for as_dir in $PATH
|
||||
+do
|
||||
+ IFS=$as_save_IFS
|
||||
+ test -z "$as_dir" && as_dir=.
|
||||
+ for ac_exec_ext in '' $ac_executable_extensions; do
|
||||
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
|
||||
+ ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext"
|
||||
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
|
||||
+ break 2
|
||||
+ fi
|
||||
+done
|
||||
+ done
|
||||
+IFS=$as_save_IFS
|
||||
+
|
||||
+ ;;
|
||||
+esac
|
||||
+fi
|
||||
+PYTHON=$ac_cv_path_PYTHON
|
||||
+if test -n "$PYTHON"; then
|
||||
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON" >&5
|
||||
+$as_echo "$PYTHON" >&6; }
|
||||
+else
|
||||
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
+$as_echo "no" >&6; }
|
||||
+fi
|
||||
+
|
||||
+
|
||||
+ fi
|
||||
+ am_display_PYTHON=$am_cv_pathless_PYTHON
|
||||
+ fi
|
||||
+
|
||||
+
|
||||
+ if test "$PYTHON" = :; then
|
||||
+ :
|
||||
+ else
|
||||
+
|
||||
+
|
||||
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON version" >&5
|
||||
+$as_echo_n "checking for $am_display_PYTHON version... " >&6; }
|
||||
+if ${am_cv_python_version+:} false; then :
|
||||
+ $as_echo_n "(cached) " >&6
|
||||
+else
|
||||
+ am_cv_python_version=`$PYTHON -c "import sys; sys.stdout.write(sys.version[:3])"`
|
||||
+fi
|
||||
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_version" >&5
|
||||
+$as_echo "$am_cv_python_version" >&6; }
|
||||
+ PYTHON_VERSION=$am_cv_python_version
|
||||
+
|
||||
+
|
||||
+
|
||||
+ PYTHON_PREFIX='${prefix}'
|
||||
+
|
||||
+ PYTHON_EXEC_PREFIX='${exec_prefix}'
|
||||
+
|
||||
+
|
||||
+
|
||||
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON platform" >&5
|
||||
+$as_echo_n "checking for $am_display_PYTHON platform... " >&6; }
|
||||
+if ${am_cv_python_platform+:} false; then :
|
||||
+ $as_echo_n "(cached) " >&6
|
||||
+else
|
||||
+ am_cv_python_platform=`$PYTHON -c "import sys; sys.stdout.write(sys.platform)"`
|
||||
+fi
|
||||
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_platform" >&5
|
||||
+$as_echo "$am_cv_python_platform" >&6; }
|
||||
+ PYTHON_PLATFORM=$am_cv_python_platform
|
||||
+
|
||||
+
|
||||
+ # Just factor out some code duplication.
|
||||
+ am_python_setup_sysconfig="\
|
||||
+import sys
|
||||
+# Prefer sysconfig over distutils.sysconfig, for better compatibility
|
||||
+# with python 3.x. See automake bug#10227.
|
||||
+try:
|
||||
+ import sysconfig
|
||||
+except ImportError:
|
||||
+ can_use_sysconfig = 0
|
||||
+else:
|
||||
+ can_use_sysconfig = 1
|
||||
+# Can't use sysconfig in CPython 2.7, since it's broken in virtualenvs:
|
||||
+# <https://github.com/pypa/virtualenv/issues/118>
|
||||
+try:
|
||||
+ from platform import python_implementation
|
||||
+ if python_implementation() == 'CPython' and sys.version[:3] == '2.7':
|
||||
+ can_use_sysconfig = 0
|
||||
+except ImportError:
|
||||
+ pass"
|
||||
+
|
||||
+
|
||||
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON script directory" >&5
|
||||
+$as_echo_n "checking for $am_display_PYTHON script directory... " >&6; }
|
||||
+if ${am_cv_python_pythondir+:} false; then :
|
||||
+ $as_echo_n "(cached) " >&6
|
||||
+else
|
||||
+ if test "x$prefix" = xNONE
|
||||
+ then
|
||||
+ am_py_prefix=$ac_default_prefix
|
||||
+ else
|
||||
+ am_py_prefix=$prefix
|
||||
+ fi
|
||||
+ am_cv_python_pythondir=`$PYTHON -c "
|
||||
+$am_python_setup_sysconfig
|
||||
+if can_use_sysconfig:
|
||||
+ sitedir = sysconfig.get_path('purelib', vars={'base':'$am_py_prefix'})
|
||||
+else:
|
||||
+ from distutils import sysconfig
|
||||
+ sitedir = sysconfig.get_python_lib(0, 0, prefix='$am_py_prefix')
|
||||
+sys.stdout.write(sitedir)"`
|
||||
+ case $am_cv_python_pythondir in
|
||||
+ $am_py_prefix*)
|
||||
+ am__strip_prefix=`echo "$am_py_prefix" | sed 's|.|.|g'`
|
||||
+ am_cv_python_pythondir=`echo "$am_cv_python_pythondir" | sed "s,^$am__strip_prefix,$PYTHON_PREFIX,"`
|
||||
+ ;;
|
||||
+ *)
|
||||
+ case $am_py_prefix in
|
||||
+ /usr|/System*) ;;
|
||||
+ *)
|
||||
+ am_cv_python_pythondir=$PYTHON_PREFIX/lib/python$PYTHON_VERSION/site-packages
|
||||
+ ;;
|
||||
+ esac
|
||||
+ ;;
|
||||
+ esac
|
||||
+
|
||||
+fi
|
||||
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pythondir" >&5
|
||||
+$as_echo "$am_cv_python_pythondir" >&6; }
|
||||
+ pythondir=$am_cv_python_pythondir
|
||||
+
|
||||
+
|
||||
+
|
||||
+ pkgpythondir=\${pythondir}/$PACKAGE
|
||||
+
|
||||
+
|
||||
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON extension module directory" >&5
|
||||
+$as_echo_n "checking for $am_display_PYTHON extension module directory... " >&6; }
|
||||
+if ${am_cv_python_pyexecdir+:} false; then :
|
||||
+ $as_echo_n "(cached) " >&6
|
||||
+else
|
||||
+ if test "x$exec_prefix" = xNONE
|
||||
+ then
|
||||
+ am_py_exec_prefix=$am_py_prefix
|
||||
+ else
|
||||
+ am_py_exec_prefix=$exec_prefix
|
||||
+ fi
|
||||
+ am_cv_python_pyexecdir=`$PYTHON -c "
|
||||
+$am_python_setup_sysconfig
|
||||
+if can_use_sysconfig:
|
||||
+ sitedir = sysconfig.get_path('platlib', vars={'platbase':'$am_py_prefix'})
|
||||
+else:
|
||||
+ from distutils import sysconfig
|
||||
+ sitedir = sysconfig.get_python_lib(1, 0, prefix='$am_py_prefix')
|
||||
+sys.stdout.write(sitedir)"`
|
||||
+ case $am_cv_python_pyexecdir in
|
||||
+ $am_py_exec_prefix*)
|
||||
+ am__strip_prefix=`echo "$am_py_exec_prefix" | sed 's|.|.|g'`
|
||||
+ am_cv_python_pyexecdir=`echo "$am_cv_python_pyexecdir" | sed "s,^$am__strip_prefix,$PYTHON_EXEC_PREFIX,"`
|
||||
+ ;;
|
||||
+ *)
|
||||
+ case $am_py_exec_prefix in
|
||||
+ /usr|/System*) ;;
|
||||
+ *)
|
||||
+ am_cv_python_pyexecdir=$PYTHON_EXEC_PREFIX/lib/python$PYTHON_VERSION/site-packages
|
||||
+ ;;
|
||||
+ esac
|
||||
+ ;;
|
||||
+ esac
|
||||
+
|
||||
+fi
|
||||
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pyexecdir" >&5
|
||||
+$as_echo "$am_cv_python_pyexecdir" >&6; }
|
||||
+ pyexecdir=$am_cv_python_pyexecdir
|
||||
+
|
||||
+
|
||||
+
|
||||
+ pkgpyexecdir=\${pyexecdir}/$PACKAGE
|
||||
+
|
||||
+
|
||||
+
|
||||
+ fi
|
||||
+
|
||||
+
|
||||
+
|
||||
PYTHON3_CONFIG_BIN=
|
||||
|
||||
# Check whether --with-rlm-python3-config-bin was given.
|
||||
@@ -2771,8 +3157,6 @@ test -n "$PYTHON3_CONFIG_BIN" || PYTHON3_CONFIG_BIN="not-found"
|
||||
fi
|
||||
|
||||
if test "x$PYTHON3_CONFIG_BIN" = xnot-found; then
|
||||
- { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: python3-config not found" >&5
|
||||
-$as_echo "$as_me: WARNING: python3-config not found" >&2;}
|
||||
fail="$fail python3-config"
|
||||
else
|
||||
old_CFLAGS="$CFLAGS"
|
||||
@@ -2794,7 +3178,85 @@ $as_echo "$as_me: ${PYTHON3_CONFIG_BIN}'s cflags were \"${python3_cflags}\"" >&6
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: Sanitized cflags were \"${mod_cflags}\"" >&5
|
||||
$as_echo "$as_me: Sanitized cflags were \"${mod_cflags}\"" >&6;}
|
||||
|
||||
- python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags`
|
||||
+ for ac_prog in gawk mawk nawk awk
|
||||
+do
|
||||
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
|
||||
+set dummy $ac_prog; ac_word=$2
|
||||
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
|
||||
+$as_echo_n "checking for $ac_word... " >&6; }
|
||||
+if ${ac_cv_prog_AWK+:} false; then :
|
||||
+ $as_echo_n "(cached) " >&6
|
||||
+else
|
||||
+ if test -n "$AWK"; then
|
||||
+ ac_cv_prog_AWK="$AWK" # Let the user override the test.
|
||||
+else
|
||||
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
|
||||
+for as_dir in $PATH
|
||||
+do
|
||||
+ IFS=$as_save_IFS
|
||||
+ test -z "$as_dir" && as_dir=.
|
||||
+ for ac_exec_ext in '' $ac_executable_extensions; do
|
||||
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
|
||||
+ ac_cv_prog_AWK="$ac_prog"
|
||||
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
|
||||
+ break 2
|
||||
+ fi
|
||||
+done
|
||||
+ done
|
||||
+IFS=$as_save_IFS
|
||||
+
|
||||
+fi
|
||||
+fi
|
||||
+AWK=$ac_cv_prog_AWK
|
||||
+if test -n "$AWK"; then
|
||||
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5
|
||||
+$as_echo "$AWK" >&6; }
|
||||
+else
|
||||
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
+$as_echo "no" >&6; }
|
||||
+fi
|
||||
+
|
||||
+
|
||||
+ test -n "$AWK" && break
|
||||
+done
|
||||
+
|
||||
+
|
||||
+
|
||||
+
|
||||
+ # Used to indicate true or false condition
|
||||
+ ax_compare_version=false
|
||||
+
|
||||
+ # Convert the two version strings to be compared into a format that
|
||||
+ # allows a simple string comparison. The end result is that a version
|
||||
+ # string of the form 1.12.5-r617 will be converted to the form
|
||||
+ # 0001001200050617. In other words, each number is zero padded to four
|
||||
+ # digits, and non digits are removed.
|
||||
+
|
||||
+ ax_compare_version_A=`echo "${PYTHON_VERSION}" | sed -e 's/\([0-9]*\)/Z\1Z/g' \
|
||||
+ -e 's/Z\([0-9]\)Z/Z0\1Z/g' \
|
||||
+ -e 's/Z\([0-9][0-9]\)Z/Z0\1Z/g' \
|
||||
+ -e 's/Z\([0-9][0-9][0-9]\)Z/Z0\1Z/g' \
|
||||
+ -e 's/[^0-9]//g'`
|
||||
+
|
||||
+
|
||||
+ ax_compare_version_B=`echo "3.8" | sed -e 's/\([0-9]*\)/Z\1Z/g' \
|
||||
+ -e 's/Z\([0-9]\)Z/Z0\1Z/g' \
|
||||
+ -e 's/Z\([0-9][0-9]\)Z/Z0\1Z/g' \
|
||||
+ -e 's/Z\([0-9][0-9][0-9]\)Z/Z0\1Z/g' \
|
||||
+ -e 's/[^0-9]//g'`
|
||||
+
|
||||
+
|
||||
+ ax_compare_version=`echo "x$ax_compare_version_A
|
||||
+x$ax_compare_version_B" | sed 's/^ *//' | sort -r | sed "s/x${ax_compare_version_A}/true/;s/x${ax_compare_version_B}/false/;1q"`
|
||||
+
|
||||
+
|
||||
+
|
||||
+ if test "$ax_compare_version" = "true" ; then
|
||||
+ EMBED="--embed"
|
||||
+ fi
|
||||
+
|
||||
+
|
||||
+ python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags $EMBED`
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: ${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"" >&5
|
||||
$as_echo "$as_me: ${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"" >&6;}
|
||||
|
||||
@@ -2811,6 +3273,18 @@ $as_echo "$as_me: Sanitized ldflags were \"${mod_ldflags}\"" >&6;}
|
||||
|
||||
targetname="rlm_python3"
|
||||
fi
|
||||
+
|
||||
+for ac_func in dl_iterate_phdr
|
||||
+do :
|
||||
+ ac_fn_c_check_func "$LINENO" "dl_iterate_phdr" "ac_cv_func_dl_iterate_phdr"
|
||||
+if test "x$ac_cv_func_dl_iterate_phdr" = xyes; then :
|
||||
+ cat >>confdefs.h <<_ACEOF
|
||||
+#define HAVE_DL_ITERATE_PHDR 1
|
||||
+_ACEOF
|
||||
+
|
||||
+fi
|
||||
+done
|
||||
+
|
||||
else
|
||||
targetname=
|
||||
echo \*\*\* module rlm_python3 is disabled.
|
||||
@@ -2833,11 +3307,7 @@ ac_config_headers="$ac_config_headers config.h"
|
||||
|
||||
|
||||
|
||||
-
|
||||
- unset ac_cv_env_LIBS_set
|
||||
- unset ac_cv_env_LIBS_value
|
||||
-
|
||||
- ac_config_files="$ac_config_files all.mk"
|
||||
+ac_config_files="$ac_config_files all.mk"
|
||||
|
||||
cat >confcache <<\_ACEOF
|
||||
# This file is a shell script that caches the results of configure
|
||||
@@ -3417,6 +3887,7 @@ gives unlimited permission to copy, distribute and modify it."
|
||||
|
||||
ac_pwd='$ac_pwd'
|
||||
srcdir='$srcdir'
|
||||
+AWK='$AWK'
|
||||
test -n "\$AWK" || AWK=awk
|
||||
_ACEOF
|
||||
|
||||
@@ -4111,4 +4582,3 @@ if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
|
||||
$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
|
||||
fi
|
||||
|
||||
-
|
||||
diff --git a/src/modules/rlm_python3/configure.ac b/src/modules/rlm_python3/configure.ac
|
||||
index 295a2486d2ac..698a8c1d1874 100644
|
||||
--- a/src/modules/rlm_python3/configure.ac
|
||||
+++ b/src/modules/rlm_python3/configure.ac
|
||||
@@ -7,6 +7,7 @@ if test x$with_[]modname != xno; then
|
||||
|
||||
AC_PROG_CC
|
||||
AC_PROG_CPP
|
||||
+ AM_PATH_PYTHON([3.0],, [:])
|
||||
|
||||
dnl extra argument: --with-rlm-python3-config-bin
|
||||
PYTHON3_CONFIG_BIN=
|
||||
@@ -58,7 +59,11 @@ if test x$with_[]modname != xno; then
|
||||
'`
|
||||
AC_MSG_NOTICE([Sanitized cflags were \"${mod_cflags}\"])
|
||||
|
||||
- python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags`
|
||||
+ dnl # From python 3.8, --embed is required
|
||||
+ dnl # https://bugs.python.org/issue36721
|
||||
+ AX_COMPARE_VERSION(${PYTHON_VERSION}, [ge], [3.8], [EMBED="--embed"], [])
|
||||
+
|
||||
+ python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags $EMBED`
|
||||
AC_MSG_NOTICE([${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"])
|
||||
|
||||
dnl # Strip -Wl,-O1... Is -O even a valid linker flag??
|
||||
@@ -77,6 +82,7 @@ if test x$with_[]modname != xno; then
|
||||
|
||||
targetname="rlm_python3"
|
||||
fi
|
||||
+ AC_CHECK_FUNCS([dl_iterate_phdr])
|
||||
else
|
||||
targetname=
|
||||
echo \*\*\* module modname is disabled.
|
||||
diff --git a/src/modules/rlm_python3/rlm_python3.c b/src/modules/rlm_python3/rlm_python3.c
|
||||
index df223f0f401b..5da23f4d7116 100644
|
||||
--- a/src/modules/rlm_python3/rlm_python3.c
|
||||
+++ b/src/modules/rlm_python3/rlm_python3.c
|
||||
@@ -41,8 +41,17 @@ RCSID("$Id$")
|
||||
#include <link.h>
|
||||
#endif
|
||||
|
||||
+/*
|
||||
+ * Since version 3.8, the "m" suffix is no longer available.
|
||||
+ * https://bugs.python.org/issue36707
|
||||
+ */
|
||||
+#if PY_MINOR_VERSION >= 8
|
||||
+#define LIBPYTHON_LINKER_NAME \
|
||||
+ "libpython" STRINGIFY(PY_MAJOR_VERSION) "." STRINGIFY(PY_MINOR_VERSION) LT_SHREXT
|
||||
+#else
|
||||
#define LIBPYTHON_LINKER_NAME \
|
||||
"libpython" STRINGIFY(PY_MAJOR_VERSION) "." STRINGIFY(PY_MINOR_VERSION) "m" LT_SHREXT
|
||||
+#endif
|
||||
|
||||
static uint32_t python_instances = 0;
|
||||
static void *python_dlhandle;
|
File diff suppressed because it is too large
Load Diff
31
SOURCES/freeradius-ldap-infinite-timeout-on-starttls.patch
Normal file
31
SOURCES/freeradius-ldap-infinite-timeout-on-starttls.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 28 Jan 2022
|
||||
Subject: Use infinite timeout when using LDAP+start-TLS
|
||||
|
||||
This will ensure that the TLS connection to the LDAP server will complete
|
||||
before starting FreeRADIUS, as it forces libldap to use a blocking socket during
|
||||
the process. Infinite timeout is the OpenLDAP default.
|
||||
Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
src/modules/rlm_ldap/ldap.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
|
||||
index cf7a84e069..841bf888a1 100644
|
||||
--- a/src/modules/rlm_ldap/ldap.c
|
||||
+++ b/src/modules/rlm_ldap/ldap.c
|
||||
@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
|
||||
}
|
||||
|
||||
#ifdef LDAP_OPT_NETWORK_TIMEOUT
|
||||
- if (inst->net_timeout) {
|
||||
+ bool using_tls = inst->start_tls ||
|
||||
+ inst->port == 636 ||
|
||||
+ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
|
||||
+ if (inst->net_timeout && !using_tls) {
|
||||
memset(&tv, 0, sizeof(tv));
|
||||
tv.tv_sec = inst->net_timeout;
|
||||
|
@ -26,7 +26,6 @@
|
||||
su radiusd radiusd
|
||||
}
|
||||
|
||||
|
||||
/var/log/radius/radius.log {
|
||||
monthly
|
||||
rotate 4
|
||||
|
@ -1,93 +0,0 @@
|
||||
From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
|
||||
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||||
Date: Fri, 14 Sep 2018 11:53:28 +0300
|
||||
Subject: [PATCH] man: Fix some typos
|
||||
|
||||
---
|
||||
man/man1/radzap.1 | 4 ++--
|
||||
man/man5/unlang.5 | 6 +++---
|
||||
man/man8/radcrypt.8 | 2 +-
|
||||
man/man8/radiusd.8 | 4 ++--
|
||||
4 files changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/man/man1/radzap.1 b/man/man1/radzap.1
|
||||
index a2d529d064..03b9a43a54 100644
|
||||
--- a/man/man1/radzap.1
|
||||
+++ b/man/man1/radzap.1
|
||||
@@ -1,4 +1,4 @@
|
||||
-.TH RADZAP 1 "8 April 2005" "" "FreeRadius Daemon"
|
||||
+.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon"
|
||||
.SH NAME
|
||||
radzap - remove rogue entries from the active sessions database
|
||||
.SH SYNOPSIS
|
||||
@@ -17,7 +17,7 @@ radzap - remove rogue entries from the active sessions database
|
||||
.RB [ \-x ]
|
||||
\fIserver[:port] secret\fP
|
||||
.SH DESCRIPTION
|
||||
-The FreeRadius server can be configured to maintain an active session
|
||||
+The FreeRADIUS server can be configured to maintain an active session
|
||||
database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1)
|
||||
use this database. Sometimes that database can get out of sync, and
|
||||
then it might contain rogue entries. \fBradzap\fP can clean up this
|
||||
diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
|
||||
index 40db5fa6e7..5f765f1787 100644
|
||||
--- a/man/man5/unlang.5
|
||||
+++ b/man/man5/unlang.5
|
||||
@@ -195,7 +195,7 @@ The <list> can be one of "request", "reply", "proxy-request",
|
||||
of Version 3, the <list> can be omitted, in which case "request" is
|
||||
assumed.
|
||||
|
||||
-The "control" list is the list of attributes maintainted internally by
|
||||
+The "control" list is the list of attributes maintained internally by
|
||||
the server that controls how the server processes the request. Any
|
||||
attribute that does not go in a packet on the network will generally
|
||||
be placed in the "control" list.
|
||||
@@ -397,7 +397,7 @@ Evaluates to true if 'foo' is a non-empty string (single quotes, double
|
||||
quotes, or back-quoted). Also evaluates to true if 'foo' is a
|
||||
non-zero number. Note that the language is poorly typed, so the
|
||||
string "0000" can be interpreted as a numerical zero. This issue can
|
||||
-be avoided by comparings strings to an empty string, rather than by
|
||||
+be avoided by comparing strings to an empty string, rather than by
|
||||
evaluating the string by itself.
|
||||
|
||||
If the word 'foo' is not a quoted string, then it can be taken as a
|
||||
@@ -854,7 +854,7 @@ failover tracking that nothing was done in the current section.
|
||||
.IP ok
|
||||
Instructs the server that the request was processed properly. This
|
||||
keyword can be used to over-ride earlier failures, if the local
|
||||
-administrator determines that the faiures are not catastrophic.
|
||||
+administrator determines that the failures are not catastrophic.
|
||||
.IP reject
|
||||
Causes the request to be immediately rejected
|
||||
.SH MODULE RETURN CODES
|
||||
diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
|
||||
index 08336c66f2..2917f60c46 100644
|
||||
--- a/man/man8/radcrypt.8
|
||||
+++ b/man/man8/radcrypt.8
|
||||
@@ -30,7 +30,7 @@ Use a MD5 (Message Digest 5) hash.
|
||||
Ignored if performing a password check.
|
||||
.IP "\-c --check"
|
||||
Perform a validation check on a password hash to verify if it matches
|
||||
-the plantext password.
|
||||
+the plaintext password.
|
||||
|
||||
.SH EXAMPLES
|
||||
.nf
|
||||
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
|
||||
index 98aef5e1be..2ef5ccf789 100644
|
||||
--- a/man/man8/radiusd.8
|
||||
+++ b/man/man8/radiusd.8
|
||||
@@ -211,11 +211,11 @@ This file is usually static. It defines all the possible RADIUS attributes
|
||||
used in the other configuration files. You don't have to modify it.
|
||||
It includes other dictionary files in the same directory.
|
||||
.IP hints
|
||||
-Defines certain hints to the radius server based on the users's loginname
|
||||
+Defines certain hints to the radius server based on the users' loginname
|
||||
or other attributes sent by the access server. It also provides for
|
||||
mapping user names (such as Pusername -> username). This provides the
|
||||
functionality that the \fILivingston 2.0\fP server has as "Prefix" and
|
||||
-"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
|
||||
+"Suffix" support in the \fIusers\fP file, but is more general. Of course
|
||||
the Livingston way of doing things is also supported, and you can even use
|
||||
both at the same time (within certain limits).
|
||||
.IP huntgroups
|
@ -1,45 +0,0 @@
|
||||
From 42693cba452efa00a4848beb1514229149520cc1 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 5 Aug 2020 11:39:45 -0400
|
||||
Subject: [PATCH] Ignore user-provided dhparams in FIPS mode (#3554)
|
||||
|
||||
OpenSSL in RHEL 8.3 introduces a breaking change in FIPS mode:
|
||||
user-provided dhparams will be ignored (and dhparam generation
|
||||
may fail as well), unless they are on the FIPS approved list of
|
||||
parameters. However, OpenSSL since v1.1.1 will automatically select
|
||||
an appropriate DH parameter set anyways, if the user did not provide
|
||||
any. These will be FIPS approved.
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
src/main/tls.c | 17 +++++++++++++++++
|
||||
1 file changed, 17 insertions(+)
|
||||
|
||||
diff --git a/src/main/tls.c b/src/main/tls.c
|
||||
index 5809a1bd7d..5e6493333c 100644
|
||||
--- a/src/main/tls.c
|
||||
+++ b/src/main/tls.c
|
||||
@@ -1352,6 +1352,23 @@ static int load_dh_params(SSL_CTX *ctx, char *file)
|
||||
|
||||
if (!file) return 0;
|
||||
|
||||
+ /*
|
||||
+ * Prior to trying to load the file, check what OpenSSL will do with it.
|
||||
+ *
|
||||
+ * Certain downstreams (such as RHEL) will ignore user-provided dhparams
|
||||
+ * in FIPS mode, unless the specified parameters are FIPS-approved.
|
||||
+ * However, since OpenSSL >= 1.1.1 will automatically select parameters
|
||||
+ * anyways, there's no point in attempting to load them.
|
||||
+ *
|
||||
+ * Change suggested by @t8m
|
||||
+ */
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
|
||||
+ if (FIPS_mode() > 0) {
|
||||
+ WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if ((bio = BIO_new_file(file, "r")) == NULL) {
|
||||
ERROR(LOG_PREFIX ": Unable to open DH file - %s", file);
|
||||
return -1;
|
@ -1 +1,2 @@
|
||||
D /run/radiusd 0710 radiusd radiusd -
|
||||
D /run/radiusd/tmp 0700 radiusd radiusd -
|
||||
|
3
SOURCES/freeradius.sysusers
Normal file
3
SOURCES/freeradius.sysusers
Normal file
@ -0,0 +1,3 @@
|
||||
#Type Name ID GECOS Home directory Shell
|
||||
u radiusd 95 "radiusd user" /var/lib/radiusd /sbin/nologin
|
||||
g radiusd 95 - - -
|
@ -4,9 +4,8 @@ After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.serv
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
PIDFile=/var/run/radiusd/radiusd.pid
|
||||
PIDFile=/run/radiusd/radiusd.pid
|
||||
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
|
||||
ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap
|
||||
ExecStartPre=/usr/sbin/radiusd -C
|
||||
ExecStart=/usr/sbin/radiusd -d /etc/raddb
|
||||
ExecReload=/usr/sbin/radiusd -C
|
||||
|
@ -1,24 +0,0 @@
|
||||
-----BEGIN DH PARAMETERS-----
|
||||
MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
|
||||
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
|
||||
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
|
||||
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
|
||||
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
|
||||
5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
|
||||
fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
|
||||
ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
|
||||
ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
|
||||
+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
|
||||
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG
|
||||
3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU
|
||||
7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId
|
||||
A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha
|
||||
xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/
|
||||
8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R
|
||||
WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk
|
||||
ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw
|
||||
xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4
|
||||
Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i
|
||||
aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU
|
||||
38gfVuiAuW5xYMmA3Zjt09///////////wIBAg==
|
||||
-----END DH PARAMETERS-----
|
@ -1,17 +1,8 @@
|
||||
%if 0%{?rhel} > 7
|
||||
# Disable python2 build by default
|
||||
%bcond_with python2
|
||||
%else
|
||||
%bcond_without python2
|
||||
%endif
|
||||
|
||||
|
||||
Summary: High-performance and highly configurable free RADIUS server
|
||||
Name: freeradius
|
||||
Version: 3.0.20
|
||||
Release: 15%{?dist}
|
||||
Version: 3.0.21
|
||||
Release: 43%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
Group: System Environment/Daemons
|
||||
URL: http://www.freeradius.org/
|
||||
|
||||
# Is elliptic curve cryptography supported?
|
||||
@ -28,26 +19,20 @@ Source100: radiusd.service
|
||||
Source102: freeradius-logrotate
|
||||
Source103: freeradius-pam-conf
|
||||
Source104: freeradius-tmpfiles.conf
|
||||
Source105: rfc3526-group-18-8192.pem
|
||||
Source105: freeradius.sysusers
|
||||
|
||||
Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
|
||||
Patch2: freeradius-Use-system-crypto-policy-by-default.patch
|
||||
Patch3: freeradius-bootstrap-create-only.patch
|
||||
Patch4: freeradius-no-buildtime-cert-gen.patch
|
||||
Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
|
||||
Patch6: freeradius-bootstrap-make-permissions.patch
|
||||
Patch7: freeradius-no-dh-param-load-FIPS.patch
|
||||
Patch8: freeradius-bootstrap-fixed-dhparam.patch
|
||||
Patch9: freeradius-man-Fix-some-typos.patch
|
||||
Patch10: freeradius-Fix-resource-hard-limit-error.patch
|
||||
Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
|
||||
Patch12: freeradius-bootstrap-run-only-once.patch
|
||||
Patch13: freeradius-Fix-unterminated-strings-in-SQL-queries.patch
|
||||
Patch14: freeradius-Fix-segfault-when-home_server-is-null.patch
|
||||
Patch15: freeradius-fix-crash-on-invalid-abinary-data.patch
|
||||
Patch16: freeradius-fix-crash-unknown-eap-sim.patch
|
||||
Patch17: freeradius-fix-info-leakage-eap-pwd.patch
|
||||
Patch18: freeradius-blastradius-fix.patch
|
||||
Patch5: freeradius-bootstrap-make-permissions.patch
|
||||
Patch6: freeradius-Fix-resource-hard-limit-error.patch
|
||||
Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch
|
||||
Patch8: freeradius-Backport-OpenSSL3-fixes.patch
|
||||
Patch9: freeradius-bootstrap-pass-noenc-to-certificate-generation.patch
|
||||
Patch10: freeradius-fix-crash-unknown-eap-sim.patch
|
||||
Patch11: freeradius-fix-crash-on-invalid-abinary-data.patch
|
||||
Patch12: freeradius-fix-python3-library-suffix.patch
|
||||
|
||||
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
|
||||
|
||||
@ -66,6 +51,8 @@ BuildRequires: libpcap-devel
|
||||
BuildRequires: systemd-units
|
||||
BuildRequires: libtalloc-devel
|
||||
BuildRequires: pcre-devel
|
||||
BuildRequires: chrpath
|
||||
BuildRequires: systemd-rpm-macros
|
||||
|
||||
%if ! 0%{?rhel}
|
||||
BuildRequires: libyubikey-devel
|
||||
@ -74,11 +61,13 @@ BuildRequires: ykclient-devel
|
||||
|
||||
# Require OpenSSL version we built with, or newer, to avoid startup failures
|
||||
# due to runtime OpenSSL version checks.
|
||||
Requires: openssl >= %(rpm -q --queryformat '%%{EPOCH}:%%{VERSION}' openssl)
|
||||
Requires: openssl >= %(rpm -q --queryformat '%%{VERSION}' openssl)
|
||||
Requires: openssl-perl
|
||||
Requires(pre): shadow-utils glibc-common
|
||||
Requires(post): systemd-sysv
|
||||
Requires(post): systemd-units
|
||||
# Needed for certificate generation
|
||||
# Needed for certificate generation as upstream bootstrap script isn't
|
||||
# compatible with Makefile equivalent.
|
||||
Requires: make
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
@ -99,7 +88,6 @@ be centralized, and minimizes the amount of re-configuration which has to be
|
||||
done when adding or deleting new users.
|
||||
|
||||
%package doc
|
||||
Group: Documentation
|
||||
Summary: FreeRADIUS documentation
|
||||
|
||||
%description doc
|
||||
@ -107,7 +95,6 @@ All documentation supplied by the FreeRADIUS project is included
|
||||
in this package.
|
||||
|
||||
%package utils
|
||||
Group: System Environment/Daemons
|
||||
Summary: FreeRADIUS utilities
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Requires: libpcap >= 0.9.4
|
||||
@ -122,7 +109,6 @@ Support for RFC and VSA Attributes Additional server configuration
|
||||
attributes Selecting a particular configuration Authentication methods
|
||||
|
||||
%package devel
|
||||
Group: System Environment/Daemons
|
||||
Summary: FreeRADIUS development files
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
@ -131,7 +117,6 @@ Development headers and libraries for FreeRADIUS.
|
||||
|
||||
%package ldap
|
||||
Summary: LDAP support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: openldap-devel
|
||||
|
||||
@ -140,7 +125,6 @@ This plugin provides the LDAP support for the FreeRADIUS server project.
|
||||
|
||||
%package krb5
|
||||
Summary: Kerberos 5 support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: krb5-devel
|
||||
|
||||
@ -149,7 +133,6 @@ This plugin provides the Kerberos 5 support for the FreeRADIUS server project.
|
||||
|
||||
%package perl
|
||||
Summary: Perl support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
|
||||
%{?fedora:BuildRequires: perl-devel}
|
||||
@ -160,10 +143,9 @@ BuildRequires: perl(ExtUtils::Embed)
|
||||
%description perl
|
||||
This plugin provides the Perl support for the FreeRADIUS server project.
|
||||
|
||||
%if %{with python2}
|
||||
%if 0%{?fedora} <= 30 && 0%{?rhel} < 8
|
||||
%package -n python2-freeradius
|
||||
Summary: Python 2 support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: python2-devel
|
||||
%{?python_provide:%python_provide python2-freeradius}
|
||||
@ -174,7 +156,6 @@ Obsoletes: %{name}-python < %{version}-%{release}
|
||||
|
||||
%description -n python2-freeradius
|
||||
This plugin provides the Python 2 support for the FreeRADIUS server project.
|
||||
# endif: with python2
|
||||
%endif
|
||||
|
||||
%package -n python3-freeradius
|
||||
@ -188,7 +169,6 @@ This plugin provides the Python 3 support for the FreeRADIUS server project.
|
||||
|
||||
%package mysql
|
||||
Summary: MySQL support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: mariadb-connector-c-devel
|
||||
|
||||
@ -197,16 +177,14 @@ This plugin provides the MySQL support for the FreeRADIUS server project.
|
||||
|
||||
%package postgresql
|
||||
Summary: Postgresql support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: postgresql-devel
|
||||
BuildRequires: libpq-devel
|
||||
|
||||
%description postgresql
|
||||
This plugin provides the postgresql support for the FreeRADIUS server project.
|
||||
|
||||
%package sqlite
|
||||
Summary: SQLite support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: sqlite-devel
|
||||
|
||||
@ -215,7 +193,6 @@ This plugin provides the SQLite support for the FreeRADIUS server project.
|
||||
|
||||
%package unixODBC
|
||||
Summary: Unix ODBC support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: unixODBC-devel
|
||||
|
||||
@ -224,7 +201,6 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
|
||||
|
||||
%package rest
|
||||
Summary: REST support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: libcurl-devel
|
||||
BuildRequires: json-c-devel
|
||||
@ -248,28 +224,26 @@ This plugin provides the REST support for the FreeRADIUS server project.
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
|
||||
# Add fixed dhparam file to the source to ensure `make tests` can run.
|
||||
cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
|
||||
|
||||
%build
|
||||
# Force compile/link options, extra security for network facing daemon
|
||||
%global _hardened_build 1
|
||||
|
||||
# Hack: rlm_python3 as stable; prevents building other unstable modules.
|
||||
sed 's/rlm_python.*/rlm_python3/g' src/modules/stable -i
|
||||
sed 's/rlm_python/rlm_python3/g' src/modules/stable -i
|
||||
|
||||
# python3-config is broken:
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1772988
|
||||
export PY3_LIB_DIR=%{_libdir}/"$(python3-config --configdir | sed 's#/usr/lib/##g')"
|
||||
%global build_ldflags %{build_ldflags} $(python3-config --embed --libs)
|
||||
export PY3_LIB_DIR="$(python3-config --configdir)"
|
||||
export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"
|
||||
|
||||
# Enable FIPS support
|
||||
%global build_cflags %{build_cflags} -DWITH_FIPS
|
||||
|
||||
# In order for the above hack to stick, do a fake configure so
|
||||
# we can run reconfig before cleaning up after ourselves and running
|
||||
# configure for real.
|
||||
./configure && make reconfig && (make clean distclean || true)
|
||||
|
||||
%configure \
|
||||
--libdir=%{_libdir}/freeradius \
|
||||
--enable-reproducible-builds \
|
||||
@ -288,9 +262,6 @@ export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_v
|
||||
--with-rlm_python3 \
|
||||
--with-rlm-python3-lib-dir=$PY3_LIB_DIR \
|
||||
--with-rlm-python3-include-dir=$PY3_INC_DIR \
|
||||
%if %{without python2}
|
||||
--without-rlm-python2 \
|
||||
%endif
|
||||
--without-rlm_eap_ikev2 \
|
||||
--without-rlm_eap_tnc \
|
||||
--without-rlm_sql_iodbc \
|
||||
@ -302,7 +273,8 @@ export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_v
|
||||
--without-rlm_rediswho \
|
||||
--without-rlm_cache_memcached
|
||||
|
||||
make
|
||||
# Build fast, but get better errors if we fail
|
||||
make %{?_smp_mflags} || make -j1
|
||||
|
||||
%install
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/radiusd
|
||||
@ -321,14 +293,21 @@ mkdir -p %{buildroot}%{_localstatedir}/run/
|
||||
install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
|
||||
install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf
|
||||
|
||||
# Add fixed dhparam file
|
||||
install -m 0644 %{SOURCE105} %{buildroot}/%{_sysconfdir}/raddb/certs/rfc3526-group-18-8192.dhparam
|
||||
install -p -D -m 0644 %{SOURCE105} %{buildroot}%{_sysusersdir}/freeradius.conf
|
||||
|
||||
# install SNMP MIB files
|
||||
mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
|
||||
install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
|
||||
|
||||
# remove rpath where needed
|
||||
chrpath --delete $RPM_BUILD_ROOT%{_libdir}/freeradius/*.so
|
||||
for f in $RPM_BUILD_ROOT/usr/sbin/*; do chrpath --delete $f || true; done
|
||||
for f in $RPM_BUILD_ROOT/usr/bin/*; do chrpath --delete $f || true; done
|
||||
|
||||
# update ld with freeradius libs
|
||||
mkdir -p %{buildroot}/%{_sysconfdir}/ld.so.conf.d
|
||||
echo "%{_libdir}/freeradius" > %{buildroot}/%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
|
||||
|
||||
# remove unneeded stuff
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crl
|
||||
@ -350,6 +329,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.la
|
||||
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/mssql
|
||||
|
||||
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/oracle
|
||||
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/mssql
|
||||
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool-dhcp/oracle
|
||||
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/oracle
|
||||
rm -r $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/moonshot-targeted-ids
|
||||
@ -365,12 +345,6 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab*
|
||||
|
||||
rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so
|
||||
|
||||
# Remove yubikey on RHEL
|
||||
%if 0%{?rhel}
|
||||
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/yubikey
|
||||
rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_yubikey.so
|
||||
%endif
|
||||
|
||||
# remove unsupported config files
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf
|
||||
|
||||
@ -403,30 +377,18 @@ EOF
|
||||
|
||||
# Make sure our user/group is present prior to any package or subpackage installation
|
||||
%pre
|
||||
getent group radiusd >/dev/null || /usr/sbin/groupadd -r -g 95 radiusd > /dev/null 2>&1
|
||||
getent passwd radiusd >/dev/null || /usr/sbin/useradd -r -g radiusd -u 95 -c "radiusd user" -d %{_localstatedir}/lib/radiusd -s /sbin/nologin radiusd > /dev/null 2>&1
|
||||
exit 0
|
||||
|
||||
%post
|
||||
%systemd_post radiusd.service
|
||||
exit 0
|
||||
%sysusers_create_compat %{SOURCE105}
|
||||
|
||||
%preun
|
||||
%systemd_preun radiusd.service
|
||||
|
||||
%postun
|
||||
%systemd_postun_with_restart radiusd.service
|
||||
if [ $1 -eq 0 ]; then # uninstall
|
||||
getent passwd radiusd >/dev/null && /usr/sbin/userdel radiusd > /dev/null 2>&1
|
||||
getent group radiusd >/dev/null && /usr/sbin/groupdel radiusd > /dev/null 2>&1
|
||||
fi
|
||||
exit 0
|
||||
|
||||
/bin/systemctl try-restart radiusd.service >/dev/null 2>&1 || :
|
||||
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
|
||||
# doc
|
||||
%license %{docdir}/LICENSE.gpl
|
||||
@ -437,8 +399,10 @@ exit 0
|
||||
# system
|
||||
%config(noreplace) %{_sysconfdir}/pam.d/radiusd
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/radiusd
|
||||
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
|
||||
%{_unitdir}/radiusd.service
|
||||
%{_tmpfilesdir}/radiusd.conf
|
||||
%{_sysusersdir}/freeradius.conf
|
||||
%dir %attr(710,radiusd,radiusd) %{_localstatedir}/run/radiusd
|
||||
%dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp
|
||||
%dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd
|
||||
@ -474,7 +438,6 @@ exit 0
|
||||
/etc/raddb/certs/README
|
||||
%config(noreplace) /etc/raddb/certs/xpextensions
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam
|
||||
%attr(750,root,radiusd) /etc/raddb/certs/bootstrap
|
||||
|
||||
# mods-config
|
||||
@ -586,10 +549,7 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unpack
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/utf8
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/wimax
|
||||
|
||||
%if ! 0%{?rhel}
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/yubikey
|
||||
%endif
|
||||
|
||||
# mods-enabled
|
||||
# symlink: /etc/raddb/mods-enabled/xxx -> ../mods-available/xxx
|
||||
@ -714,10 +674,7 @@ exit 0
|
||||
%{_libdir}/freeradius/rlm_unpack.so
|
||||
%{_libdir}/freeradius/rlm_utf8.so
|
||||
%{_libdir}/freeradius/rlm_wimax.so
|
||||
|
||||
%if ! 0%{?rhel}
|
||||
%{_libdir}/freeradius/rlm_yubikey.so
|
||||
%endif
|
||||
|
||||
# main man pages
|
||||
%doc %{_mandir}/man5/clients.conf.5.gz
|
||||
@ -788,13 +745,12 @@ exit 0
|
||||
|
||||
%{_libdir}/freeradius/rlm_perl.so
|
||||
|
||||
%if %{with python2}
|
||||
%if 0%{?fedora} <= 30 && 0%{?rhel} < 8
|
||||
%files -n python2-freeradius
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/python
|
||||
/etc/raddb/mods-config/python/example.py*
|
||||
/etc/raddb/mods-config/python/radiusd.py*
|
||||
%{_libdir}/freeradius/rlm_python.so
|
||||
# endif: with python2
|
||||
%endif
|
||||
|
||||
%files -n python3-freeradius
|
||||
@ -827,6 +783,7 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/setup.sql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/queries.conf
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/schema.sql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/process-radacct.sql
|
||||
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras/wimax
|
||||
@ -860,6 +817,7 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/setup.sql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/queries.conf
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/schema.sql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/process-radacct.sql
|
||||
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql/extras
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf
|
||||
@ -889,6 +847,8 @@ exit 0
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/sqlite
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/queries.conf
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/schema.sql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/process-radacct-refresh.sh
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/process-radacct-schema.sql
|
||||
|
||||
%{_libdir}/freeradius/rlm_sql_sqlite.so
|
||||
|
||||
@ -904,89 +864,222 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
||||
|
||||
%changelog
|
||||
* Thu Jul 11 2023 Antonio Torres <antorres@redhat.com> - 3.0.20-15
|
||||
- Backport BlastRADIUS CVE fix
|
||||
Resolves: RHEL-46572
|
||||
* Tue Oct 01 2024 Antonio Torres <antorres@redhat.com> - 3.0.21-43
|
||||
- Ignore home server ping packets
|
||||
Resolves: RHEL-54312
|
||||
|
||||
* Fri Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-14
|
||||
- Fix defect found by Covscan
|
||||
Resolves: #2151704
|
||||
* Wed Jul 10 2024 Antonio Torres <antorres@redhat.com> - 3.0.21-42
|
||||
- Backport fixes for BlastRADIUS CVE
|
||||
Resolves: RHEL-46567
|
||||
|
||||
* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-13
|
||||
* Wed Apr 24 2024 Antonio Torres <antorres@redhat.com> - 3.0.21-41
|
||||
- Rebuild for OpenSSL rebase to 3.2.1
|
||||
Resolves: RHEL-33857
|
||||
|
||||
* Mon Apr 01 2024 Antonio Torres <antorres@redhat.com> - 3.0.21-40
|
||||
- Comment out unneeded options from mods-available/eap
|
||||
Resolves: RHEL-30830
|
||||
|
||||
* Mon Nov 06 2023 Antonio Torres <antorres@redhat.com> - 3.0.21-39
|
||||
- Fix Python3.8+ library name suffix
|
||||
Resolves: #15503
|
||||
|
||||
* Mon May 22 2023 Antonio Torres <antorres@redhat.com> - 3.0.21-38
|
||||
- Fix crash when verifying client certificate
|
||||
Resolves: #2183447
|
||||
|
||||
* Wed Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-37
|
||||
- Fix defect found by covscan
|
||||
Resolves: #2151705
|
||||
|
||||
* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-36
|
||||
- Fix multiple CVEs
|
||||
- Add rpminspect configuration
|
||||
Resolves: #2151702
|
||||
Resolves: #2151704
|
||||
Resolves: #2151706
|
||||
Resolves: #2151705
|
||||
Resolves: #2151703
|
||||
Resolves: #2151707
|
||||
|
||||
* Thu Dec 9 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-12
|
||||
- Fix segfault when home_server is null
|
||||
Resolves: bz#2030173
|
||||
* Fri Sep 16 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-35
|
||||
- Rebuild to add subpackages to CRB report
|
||||
Resolves: #2126380
|
||||
|
||||
* Thu Nov 18 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-11
|
||||
- Fix unterminated strings in SQL queries
|
||||
Resolves: bz#2021247
|
||||
* Wed Jun 29 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-34
|
||||
- Use GID / UID 95 as it's reserved for FreeRADIUS (https://pagure.io/setup/blob/07f8debf03dfb0e5ed36051c13c86c8cd00cd241/f/uidgid#_107)
|
||||
Resolves: #2095403
|
||||
|
||||
* Fri Nov 12 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-10
|
||||
- Rebuild to pick up latest json-c
|
||||
Resolves: bz#2021818
|
||||
* Fri Jun 24 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-33
|
||||
- Dynamically allocate users using sysusers.d format
|
||||
Resolves: #2095403
|
||||
|
||||
* Tue Aug 03 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-9
|
||||
- radiusd.service: don't fail if bootstrap script is not present
|
||||
Resolves: bz#1954521
|
||||
* Mon May 30 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-32
|
||||
- Add WITH_FIPS macro to CFLAGS
|
||||
Related: rhbz#2083699
|
||||
|
||||
* Fri Jul 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-8
|
||||
- Extend info about boostrap script in README and comments
|
||||
Resolves: bz#1954521
|
||||
* Tue May 24 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-31
|
||||
- Update OpenSSL 3.0 support backport to current v3.0.x branch state
|
||||
- Add "--enable-fips-workaround" to build options
|
||||
Related: rhbz#2083699
|
||||
|
||||
* Wed Jul 21 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-7
|
||||
- Ensure bootstrap script is run only once
|
||||
Resolves: bz#1954521
|
||||
* Tue May 10 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-30
|
||||
- Add openssl-perl dependency
|
||||
Related: rhbz#2078816
|
||||
|
||||
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-6
|
||||
- Exit if host in FIPS mode and MD5 usage not explicitly allowed
|
||||
Resolves: bz#1958979
|
||||
* Thu Apr 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-29
|
||||
- Set correct permissions for certificates generated by bootstrap Makefile
|
||||
Related: rhbz#2069224
|
||||
|
||||
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-5
|
||||
* Mon Apr 25 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-28
|
||||
- bootstrap: pass -noenc to certificate generation, do it on script as well
|
||||
Related: rhbz#2069224
|
||||
|
||||
* Fri Apr 22 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-27
|
||||
- bootstrap: pass -noenc to certificate generation
|
||||
Related: rhbz#2069224
|
||||
|
||||
* Mon Jan 31 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-26
|
||||
- Move remaining files from /var/run to /run
|
||||
Related: rhbz#2047972
|
||||
|
||||
* Fri Jan 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-25
|
||||
- Revert "Allow to connect to partially open LDAP handle"
|
||||
- Use infinite timeout (openldap default) when using LDAP+start-TLS
|
||||
- Update openssl dependency to not check epoch (was causing detection issues)
|
||||
Related: rhbz#1992551
|
||||
|
||||
* Thu Jan 13 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-24
|
||||
- Avoid segfault when trying to use MD4 without legacy provider
|
||||
Related: rhbz#1978216
|
||||
|
||||
* Wed Jan 12 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-23
|
||||
- Backport OpenSSL3 fixes
|
||||
Related: rhbz#1978216
|
||||
|
||||
* Wed Oct 13 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-22
|
||||
- Allow to connect to partially open LDAP handle
|
||||
Related: rhbz#1992551
|
||||
|
||||
* Mon Sep 27 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-21
|
||||
- Move FR's systemd unit PID file from /var/run to /run
|
||||
Related: rhbz#2006368
|
||||
|
||||
* Thu Aug 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-20
|
||||
- Rebuild to pick up new build flags from redhat-rpm-config
|
||||
Related: rhbz#1984652
|
||||
|
||||
* Thu Aug 12 2021 Filip Dvorak <fdvorak@redhat.com> - 3.0.21-19
|
||||
- Install psutil module and generate def. certs during test script
|
||||
Resolves: rhbz#1990392
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.21-18
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Tue Aug 03 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-17
|
||||
- Ignore badfuncs error in rpminspect
|
||||
Resolves: bz#1986972
|
||||
|
||||
* Mon Aug 02 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-16
|
||||
- Remove RPATH usage
|
||||
Resolves: bz#1986968
|
||||
|
||||
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-15
|
||||
- Fix coredump not being able to be enabled
|
||||
Resolves: bz#1977572
|
||||
Resolves: bz#1977722
|
||||
|
||||
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-4
|
||||
- Fix some manpage typos
|
||||
Resolves: bz#1843807
|
||||
* Wed Jun 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-14
|
||||
- Fix Python3.8 not being linked correctly
|
||||
Related: rhbz#1948622
|
||||
|
||||
* Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
|
||||
- Require make for proper bootstrap execution, removes post script
|
||||
Resolves: bz#1672285
|
||||
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.21-13
|
||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||
Related: rhbz#1971065
|
||||
|
||||
* Wed Aug 05 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-2
|
||||
- Fix breakage caused by OpenSSL FIPS regression
|
||||
Related: bz#1855822
|
||||
Related: bz#1810911
|
||||
Resolves: bz#1672285
|
||||
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.21-12
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Mon Jun 08 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-1
|
||||
- Update to FreeRADIUS server version 3.0.20
|
||||
- Introduce Python 3 support; resolves: bz#1623069
|
||||
- DoS issues due to multithreaded BN_CTX access; resolves: bz#1818809
|
||||
- Create tmp files in /run; resolves: bz#1805975
|
||||
* Wed Mar 10 2021 Robbie Harwood <rharwood@redhat.com> - 3.0.21-11
|
||||
- Disable automatic bootstrap
|
||||
|
||||
* Fri Nov 22 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-7
|
||||
- Fix information leak due to aborting when needing more than 10 iterations
|
||||
Resolves: bz#1751797
|
||||
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.0.21-10
|
||||
- Rebuilt for updated systemd-rpm-macros
|
||||
See https://pagure.io/fesco/issue/2583.
|
||||
|
||||
* Fri Jun 14 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-6
|
||||
- Fix handling of IPv6-only hostnames with listen.ipaddr
|
||||
Resolves: bz#1685546
|
||||
* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 3.0.21-9
|
||||
- rebuild for libpq ABI fix rhbz#1908268
|
||||
|
||||
* Fri Jun 14 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-5
|
||||
- Fix possible privilege escalation due to insecure logrotate configuration
|
||||
Resolves: bz#1719369
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.21-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Fri Dec 14 2018 Alexander Scheel <ascheel@redhat.com> - 3.0.17-4
|
||||
- Fixes two EAP-PWD security issues
|
||||
Resolves: bz#1699417 authentication bypass with an invalid curve attack
|
||||
Resolves: bz#1699421 fake authentication using reflection
|
||||
* Tue Aug 04 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-7
|
||||
- Fix certificate permissions after make-based generation
|
||||
Resolves: bz#1835249
|
||||
|
||||
* Tue Aug 04 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-6
|
||||
- Fix certificate permissions after make-based generation
|
||||
Resolves: bz#1835249
|
||||
|
||||
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.21-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.21-4
|
||||
- Perl 5.32 rebuild
|
||||
|
||||
* Wed May 13 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-3
|
||||
- Fix certificate generation
|
||||
Resolves: bz#1835249
|
||||
|
||||
* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 3.0.21-2
|
||||
- Rebuild (json-c)
|
||||
|
||||
* Wed Apr 01 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-1
|
||||
- Rebased to 3.0.21
|
||||
Resolves: bz#1816745
|
||||
|
||||
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.20-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Sat Jan 11 2020 Paul Wouters <pwouters@redhat.com> - 3.0.20-2
|
||||
- fixup tmpfile to use /run instead of /var/run
|
||||
|
||||
* Fri Nov 15 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.20-1
|
||||
- Rebased to 3.0.20
|
||||
Resolves: bz#1772710
|
||||
- Introduced new rlm_python3 module
|
||||
|
||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.19-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.19-4
|
||||
- Perl 5.30 rebuild
|
||||
|
||||
* Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-3
|
||||
- Update boostrap to change ownership of all certificates to root:radiusd
|
||||
|
||||
* Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-2
|
||||
- Updated crypto-policies patch
|
||||
- Updated /etc/raddb/certs/bootstrap to only create certificates if missing: bz#1705165 bz#1672284
|
||||
- Updated logrotate definitions to run as radiusd:radiusd: bz#1705343
|
||||
- Drop python2 package on Fedora 31+
|
||||
- Add database dependencies: bz#1658697
|
||||
- Don't generate certificate during build
|
||||
|
||||
* Wed Apr 10 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-1
|
||||
- Rebased to 3.0.19
|
||||
|
||||
* Wed Mar 06 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.18-1
|
||||
- Rebased to 3.0.18
|
||||
|
||||
* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 3.0.17-6
|
||||
- Rebuild for readline 8.0
|
||||
|
||||
* Tue Feb 05 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-5
|
||||
- Unit file generates certificates if not present.
|
||||
Resolves: bz#1672284
|
||||
|
||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.17-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 3.0.17-3
|
||||
- Rebuilt for libcrypt.so.2 (#1666033)
|
||||
|
||||
* Fri Dec 14 2018 Alexander Scheel <ascheel@redhat.com> - 3.0.17-2
|
||||
- Updates radiusd.service to start after network-online.target
|
||||
@ -999,25 +1092,27 @@ exit 0
|
||||
|
||||
* Mon Sep 17 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-18
|
||||
- Actually apply patches added previously.
|
||||
Related: Bug#1612512 Man page scan results for freeradius
|
||||
Related: Bug#1611286 Man page scan results for freeradius
|
||||
|
||||
* Fri Sep 14 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-17
|
||||
- Fix a few minor manpage issues.
|
||||
Resolves: Bug#1612512 Man page scan results for freeradius
|
||||
Resolves: Bug#1611286 Man page scan results for freeradius
|
||||
|
||||
* Wed Sep 12 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-16
|
||||
- Add make to Requires(post) to fix certificate generation on install.
|
||||
Resolves: Bug#1628213 FreeRADIUS fails to start due to default certificate
|
||||
permissions
|
||||
* Fri Sep 07 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-16
|
||||
- Add make to BuildRequires and Requires(post) to fix build and certificate
|
||||
generation on install.
|
||||
Resolves: Bug#1574783 Installing freeradius without make results in an
|
||||
unworkable default configuration
|
||||
|
||||
* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 3.0.15-15
|
||||
- Rebuild with fixed binutils
|
||||
* Tue Sep 04 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-15
|
||||
- Add gcc to BuildRequires.
|
||||
Resolves: Bug#1622470 FTBFS freeradius (rawhide)
|
||||
|
||||
* Wed Jul 25 2018 Petr Kubat <pkubat@redhat.com> - 3.0.15-14
|
||||
- Rebuilt for gdbm
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.15-14
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Mon Jun 11 2018 Charalampos Stratakis <cstratak@redhat.com> - 3.0.15-13
|
||||
- Disable the python2 subpackage
|
||||
* Fri Jun 29 2018 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.15-13
|
||||
- Perl 5.28 rebuild
|
||||
|
||||
* Tue Mar 06 2018 Björn Esser <besser82@fedoraproject.org> - 3.0.15-12
|
||||
- Rebuilt for libjson-c.so.4 (json-c v0.13.1)
|
||||
|
Loading…
Reference in New Issue
Block a user