rpms/freeradius
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c9
Branches Tags
rpms:c8-stream-3.0
rpms:c10s
rpms:a9
rpms:c9-beta
rpms:c9s
rpms:c9
rpms:stream-freeradius-3.0-rhel-8.10.0
rpms:stream-freeradius-3.0-rhel-8.9.0
rpms:c8-beta-stream-3.0
rpms:c8s-stream-3.0
rpms:imports/c10s/freeradius-3.2.5-4.el10
rpms:changed/a9/freeradius-3.0.21-40.el9_4.alma.1
rpms:imports/c9-beta/freeradius-3.0.21-43.el9_4
rpms:imports/c9-beta/freeradius-3.0.21-42.el9
rpms:imports/c10s/freeradius-3.2.5-3.el10
rpms:imports/c9/freeradius-3.0.21-40.el9_4
rpms:imports/c8-stream-3.0/freeradius-3.0.20-15.module+el8.10.0+17558+3f8a93b9
rpms:imports/c10s/freeradius-3.2.5-2.el10
rpms:imports/c9/freeradius-3.0.21-39.el9_3
rpms:imports/c9-beta/freeradius-3.0.21-38.el9
rpms:imports/c8-stream-3.0/freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9
rpms:imports/c9/freeradius-3.0.21-37.el9
rpms:imports/c9-beta/freeradius-3.0.21-37.el9
rpms:imports/c8-beta-stream-3.0/freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9
rpms:imports/c8s-stream-3.0/freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9
rpms:imports/c9/freeradius-3.0.21-34.el9
rpms:imports/c9-beta/freeradius-3.0.21-34.el9
rpms:imports/c9/freeradius-3.0.21-26.el9
rpms:imports/c8-stream-3.0/freeradius-3.0.20-12.module+el8.6.0+13617+542eca26
rpms:imports/c8-beta-stream-3.0/freeradius-3.0.20-12.module+el8.6.0+13617+542eca26
rpms:imports/c9-beta/freeradius-3.0.21-26.el9
rpms:imports/c8-stream-3.0/freeradius-3.0.20-11.module+el8.5.0+13640+a9514344
rpms:imports/c8-stream-3.0/freeradius-3.0.20-10.module+el8.5.0+13440+b1b7f3c7
rpms:imports/c8s-stream-3.0/freeradius-3.0.20-12.module+el8.6.0+13617+542eca26
rpms:imports/c9-beta/freeradius-3.0.21-21.el9
rpms:imports/c9-beta/freeradius-3.0.21-20.el9
rpms:imports/c8s-stream-3.0/freeradius-3.0.20-11.module+el8.6.0+13327+85cf8b97
rpms:imports/c8-stream-3.0/freeradius-3.0.20-9.module+el8.5.0+12103+998f1584
rpms:imports/c8-beta-stream-3.0/freeradius-3.0.20-9.module+el8.5.0+12103+998f1584
rpms:imports/c8-beta-stream-3.0/freeradius-3.0.20-3.module+el8.3.0+7597+67902674
rpms:imports/c8-beta-stream-3.0/freeradius-3.0.20-1.module+el8.3.0+6967+0ef5980f
rpms:imports/c8-beta-stream-3.0/freeradius-3.0.17-7.module+el8.2.0+4847+336970e8
rpms:imports/c8-beta-stream-3.0/freeradius-3.0.17-6.module+el8.1.0+3392+9bd8939b
rpms:imports/c8s-stream-3.0/freeradius-3.0.20-9.module+el8.5.0+12103+998f1584
rpms:imports/c8s-stream-3.0/freeradius-3.0.20-3.module+el8.3.0+7597+67902674
rpms:imports/c8s-stream-3.0/freeradius-3.0.20-1.module+el8.3.0+6967+0ef5980f
rpms:imports/c8-stream-3.0/freeradius-3.0.20-3.module+el8.3.0+7597+67902674
rpms:imports/c8-stream-3.0/freeradius-3.0.17-7.module+el8.2.0+4847+336970e8
rpms:imports/c8-stream-3.0/freeradius-3.0.17-6.module+el8.1.0+3392+9bd8939b
rpms:imports/c8-stream-3.0/freeradius-3.0.17-4.module+el8.0.0+3108+851cb559
rpms:imports/c8-stream-3.0/freeradius-3.0.17-3.module+el8+2746+2e560403
...
pull from: rpms:c8-stream-3.0
Branches Tags
rpms:c10s
rpms:a9
rpms:c9-beta
rpms:c9s
rpms:c9
rpms:c8-stream-3.0
rpms:stream-freeradius-3.0-rhel-8.10.0
rpms:stream-freeradius-3.0-rhel-8.9.0
rpms:c8-beta-stream-3.0
rpms:c8s-stream-3.0
rpms:imports/c10s/freeradius-3.2.5-4.el10
rpms:changed/a9/freeradius-3.0.21-40.el9_4.alma.1
rpms:imports/c9-beta/freeradius-3.0.21-43.el9_4
rpms:imports/c9-beta/freeradius-3.0.21-42.el9
rpms:imports/c10s/freeradius-3.2.5-3.el10
rpms:imports/c9/freeradius-3.0.21-40.el9_4
rpms:imports/c8-stream-3.0/freeradius-3.0.20-15.module+el8.10.0+17558+3f8a93b9
rpms:imports/c10s/freeradius-3.2.5-2.el10
rpms:imports/c9/freeradius-3.0.21-39.el9_3
rpms:imports/c9-beta/freeradius-3.0.21-38.el9
rpms:imports/c8-stream-3.0/freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9
rpms:imports/c9/freeradius-3.0.21-37.el9
rpms:imports/c9-beta/freeradius-3.0.21-37.el9
rpms:imports/c8-beta-stream-3.0/freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9
rpms:imports/c8s-stream-3.0/freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9
rpms:imports/c9/freeradius-3.0.21-34.el9
rpms:imports/c9-beta/freeradius-3.0.21-34.el9
rpms:imports/c9/freeradius-3.0.21-26.el9
rpms:imports/c8-stream-3.0/freeradius-3.0.20-12.module+el8.6.0+13617+542eca26
rpms:imports/c8-beta-stream-3.0/freeradius-3.0.20-12.module+el8.6.0+13617+542eca26
rpms:imports/c9-beta/freeradius-3.0.21-26.el9
rpms:imports/c8-stream-3.0/freeradius-3.0.20-11.module+el8.5.0+13640+a9514344
rpms:imports/c8-stream-3.0/freeradius-3.0.20-10.module+el8.5.0+13440+b1b7f3c7
rpms:imports/c8s-stream-3.0/freeradius-3.0.20-12.module+el8.6.0+13617+542eca26
rpms:imports/c9-beta/freeradius-3.0.21-21.el9
rpms:imports/c9-beta/freeradius-3.0.21-20.el9
rpms:imports/c8s-stream-3.0/freeradius-3.0.20-11.module+el8.6.0+13327+85cf8b97
rpms:imports/c8-stream-3.0/freeradius-3.0.20-9.module+el8.5.0+12103+998f1584
rpms:imports/c8-beta-stream-3.0/freeradius-3.0.20-9.module+el8.5.0+12103+998f1584
rpms:imports/c8-beta-stream-3.0/freeradius-3.0.20-3.module+el8.3.0+7597+67902674
rpms:imports/c8-beta-stream-3.0/freeradius-3.0.20-1.module+el8.3.0+6967+0ef5980f
rpms:imports/c8-beta-stream-3.0/freeradius-3.0.17-7.module+el8.2.0+4847+336970e8
rpms:imports/c8-beta-stream-3.0/freeradius-3.0.17-6.module+el8.1.0+3392+9bd8939b
rpms:imports/c8s-stream-3.0/freeradius-3.0.20-9.module+el8.5.0+12103+998f1584
rpms:imports/c8s-stream-3.0/freeradius-3.0.20-3.module+el8.3.0+7597+67902674
rpms:imports/c8s-stream-3.0/freeradius-3.0.20-1.module+el8.3.0+6967+0ef5980f
rpms:imports/c8-stream-3.0/freeradius-3.0.20-3.module+el8.3.0+7597+67902674
rpms:imports/c8-stream-3.0/freeradius-3.0.17-7.module+el8.2.0+4847+336970e8
rpms:imports/c8-stream-3.0/freeradius-3.0.17-6.module+el8.1.0+3392+9bd8939b
rpms:imports/c8-stream-3.0/freeradius-3.0.17-4.module+el8.0.0+3108+851cb559
rpms:imports/c8-stream-3.0/freeradius-3.0.17-3.module+el8+2746+2e560403

No commits in common. "c9" and "c8-stream-3.0" have entirely different histories.
c9 ... c8-stream-

25 changed files with 4135 additions and 19860 deletions
Show Stats Expand all files Collapse all files

2
.freeradius.metadata
View File

@ -1 +1 @@
3d90d63bf1452794cf9d0b04147745a254872c3f SOURCES/freeradius-server-3.0.21.tar.bz2
3dd0e18fa04aff410876309e4322313b700db2b7 SOURCES/freeradius-server-3.0.20.tar.bz2

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/freeradius-server-3.0.21.tar.bz2
SOURCES/freeradius-server-3.0.20.tar.bz2

18790
SOURCES/freeradius-Backport-OpenSSL3-fixes.patch
View File

File diff suppressed because it is too large Load Diff

39
SOURCES/freeradius-FIPS-exit-if-md5-not-allowed.patch Normal file
View File

@ -0,0 +1,39 @@
Author: Antonio Torres <antorres@redhat.com>
Date: Fri Jul 2 07:12:48 2021 -0400
Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
variable to 1 or else FR should exit at start.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
Signed-off-by: Antonio Torres antorres@redhat.com
---
src/main/radiusd.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
index 9739514509..58a48895e6 100644
--- a/src/main/radiusd.c
+++ b/src/main/radiusd.c
@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
exit(EXIT_FAILURE);
}
+ /*
+ * If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
+ */
+ char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
+ FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (fips_file != NULL) {
+ int fips_enabled = fgetc(fips_file) - '0';
+ fclose(fips_file);
+ if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
+ fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
+ exit(EXIT_FAILURE);
+ }
+ }
+
/*
* According to the talloc peeps, no two threads may modify any part of
* a ctx tree with a common root without synchronisation.

51
SOURCES/freeradius-Fix-segfault-when-home_server-is-null.patch Normal file
View File

@ -0,0 +1,51 @@
From e2de6fab148e800380f1929fe4ea88a38de42053 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Wed, 20 Nov 2019 13:59:54 -0500
Subject: [PATCH] a better fix for commit 30ffd21
Which still runs post-proxy-type fail if all of the home servers
are dead
[antorres@redhat.com: solved in FR 3.0.21, resolves bz#2030173]
[antorres@redhat.com: removed first hunk of commit, already present]
---
src/main/process.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/main/process.c b/src/main/process.c
index c8b3af24e2..1a48517d43 100644
--- a/src/main/process.c
+++ b/src/main/process.c
@@ -2475,13 +2474,12 @@ static int process_proxy_reply(REQUEST *request, RADIUS_PACKET *reply)
}
old_server = request->server;
- rad_assert(request->home_server != NULL);
/*
* If the home server is virtual, just run pre_proxy from
* that section.
*/
- if (request->home_server->server) {
+ if (request->home_server && request->home_server->server) {
request->server = request->home_server->server;
} else {
@@ -3182,13 +3180,12 @@ do_home:
}
old_server = request->server;
- rad_assert(request->home_server != NULL);
/*
* If the home server is virtual, just run pre_proxy from
* that section.
*/
- if (request->home_server->server) {
+ if (request->home_server && request->home_server->server) {
request->server = request->home_server->server;
} else {
--
2.31.1

41
SOURCES/freeradius-Fix-unterminated-strings-in-SQL-queries.patch Normal file
View File

@ -0,0 +1,41 @@
From 3fd832baf898fe6d6f974cd2d36d1c5206bc2209 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 12 Nov 2021 16:23:05 +0100
Subject: [PATCH] Fix unterminated strings in SQL queries
Resolves: bz#2021247
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
raddb/mods-config/sql/ippool/mysql/queries.conf | 2 +-
raddb/mods-config/sql/ippool/sqlite/queries.conf | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/raddb/mods-config/sql/ippool/mysql/queries.conf b/raddb/mods-config/sql/ippool/mysql/queries.conf
index 2dfc6574dd..444812a047 100644
--- a/raddb/mods-config/sql/ippool/mysql/queries.conf
+++ b/raddb/mods-config/sql/ippool/mysql/queries.conf
@@ -114,7 +114,7 @@ allocate_update = "\
nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool_key}', \
callingstationid = '%{Calling-Station-Id}', \
username = '%{User-Name}', expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \
- WHERE framedipaddress = '%I'
+ WHERE framedipaddress = '%I'"
#
# Use a stored procedure to find AND allocate the address. Read and customise
diff --git a/raddb/mods-config/sql/ippool/sqlite/queries.conf b/raddb/mods-config/sql/ippool/sqlite/queries.conf
index 31a5df3659..e92466108b 100644
--- a/raddb/mods-config/sql/ippool/sqlite/queries.conf
+++ b/raddb/mods-config/sql/ippool/sqlite/queries.conf
@@ -89,7 +89,7 @@ allocate_update = "\
callingstationid = '%{Calling-Station-Id}', \
username = '%{User-Name}', \
expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \
- WHERE framedipaddress = '%I'
+ WHERE framedipaddress = '%I'"
#
# This series of queries frees an IP number when an accounting START record arrives
--
2.31.1

1502
SOURCES/freeradius-blastradius-fix.patch Normal file
View File

File diff suppressed because it is too large Load Diff

22
SOURCES/freeradius-bootstrap-create-only.patch
View File

@ -1,18 +1,20 @@
From acaf4be8e301a01041acba189194d9502994611d Mon Sep 17 00:00:00 2001
From 3f40655ad0708b74a4a41b13c2b21995b157c14d Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 13 May 2020 10:01:47 -0400
Date: Wed, 5 Aug 2020 15:53:45 -0400
Subject: [PATCH] Don't clobber existing files on bootstrap
Rebased: v3.0.20
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/certs/bootstrap | 31 +++++++++++++++----------------
1 file changed, 15 insertions(+), 16 deletions(-)
raddb/certs/bootstrap | 35 +++++++++++++++++++----------------
1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index ede09bc..e555491 100755
index 0f719aa..336a2bd 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -20,56 +20,55 @@ cd `dirname $0`
@@ -31,52 +31,55 @@ fi
# Don't edit the following text. Instead, edit the Makefile, and
# re-generate these commands.
#
@ -30,7 +32,7 @@ index ede09bc..e555491 100755
-if [ ! -f server.key ]; then
+if [ ! -e server.key ]; then
openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
chmod g+r server.key
+ chmod g+r server.key
fi
-if [ ! -f ca.key ]; then
@ -56,14 +58,14 @@ index ede09bc..e555491 100755
-if [ ! -f server.p12 ]; then
+if [ ! -e server.p12 ]; then
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
chmod g+r server.p12
+ chmod g+r server.p12
fi
-if [ ! -f server.pem ]; then
+if [ ! -e server.pem ]; then
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
openssl verify -CAfile ca.pem server.pem || exit 1
chmod g+r server.pem
+ chmod g+r server.pem
fi
-if [ ! -f ca.der ]; then
@ -74,7 +76,7 @@ index ede09bc..e555491 100755
-if [ ! -f client.key ]; then
+if [ ! -e client.key ]; then
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
chmod g+r client.key
+ chmod g+r client.key
fi
-if [ ! -f client.crt ]; then

52
SOURCES/freeradius-bootstrap-fixed-dhparam.patch Normal file
View File

@ -0,0 +1,52 @@
From b31f1ab9a0e1c010037d2d660e3ce4ea7eb07d6c Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 5 Aug 2020 16:10:52 -0400
Subject: [PATCH] Use fixed FIPS-approved dhparam by default
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/certs/Makefile | 2 +-
raddb/certs/bootstrap | 7 +++++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
index 5cbfd46..41b7aea 100644
--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
#
######################################################################
dh:
- $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
+ cp rfc3526-group-18-8192.dhparam dh
######################################################################
#
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 9920ecf..59b3310 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -13,6 +13,10 @@
umask 027
cd `dirname $0`
+if [ ! -e random ]; then
+ ln -sf /dev/urandom random
+fi
+
make -h > /dev/null 2>&1
#
@@ -35,8 +39,7 @@ fi
# re-generate these commands.
#
if [ ! -e dh ]; then
- openssl dhparam -out dh 2048 || exit 1
- ln -sf /dev/urandom random
+ cp rfc3526-group-18-8192.dhparam dh
fi
if [ ! -e server.key ]; then
--
2.26.2

136
SOURCES/freeradius-bootstrap-pass-noenc-to-certificate-generation.patch
View File

@ -1,136 +0,0 @@
From e089777942552c4fe3e58aa328566e7bb745dbf8 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 22 Apr 2022 12:27:43 +0200
Subject: [PATCH] bootstrap: pass -noenc to certificate generation
Bootstrap script would fail to generate certificates if run on systems
with FIPS enabled. By passing the -noenc option, we can skip the usage
of unsupported algorithms on these systems.
After generating the certificates, correct permissions are set.
Signed-off-by: Antonio Torres <antorres@redhat.com>
[antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch.
In bootstrap diff, -f is changed to -e in conditionals.
---
raddb/certs/Makefile | 20 ++++++++++++++++----
raddb/certs/bootstrap | 6 +++---
2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
index 5cbfd467ce..cb10394ec3 100644
--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
@@ -60,6 +60,8 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
######################################################################
dh:
$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
+ chown root:radiusd dh
+ chmod 640 dh
######################################################################
#
@@ -71,8 +73,10 @@ ca.key ca.pem: ca.cnf
@[ -f serial ] || $(MAKE) serial
$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
- -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
+ -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc
chmod g+r ca.key
+ chown root:radiusd ca.*
+ chmod 640 ca.*
ca.der: ca.pem
$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
@@ -81,6 +85,8 @@ ca.crl: ca.pem
$(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
$(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
rm ca-crl.pem
+ chown root:radiusd ca.*
+ chmod 640 ca.*
######################################################################
#
@@ -88,7 +94,7 @@ ca.crl: ca.pem
#
######################################################################
server.csr server.key: server.cnf
- $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf
+ $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf -noenc
chmod g+r server.key
server.crt: server.csr ca.key ca.pem
@@ -101,6 +107,8 @@ server.p12: server.crt
server.pem: server.p12
$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
chmod g+r server.pem
+ chown root:radiusd server.*
+ chmod 640 server.*
.PHONY: server.vrfy
server.vrfy: ca.pem
@@ -113,7 +121,7 @@ server.vrfy: ca.pem
#
######################################################################
client.csr client.key: client.cnf
- $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf
+ $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
chmod g+r client.key
client.crt: client.csr ca.pem ca.key
@@ -127,6 +135,8 @@ client.pem: client.p12
$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
chmod g+r client.pem
cp client.pem $(USER_NAME).pem
+ chown root:radiusd client.*
+ chmod 640 client.*
.PHONY: client.vrfy
client.vrfy: ca.pem client.pem
@@ -139,7 +149,7 @@ client.vrfy: ca.pem client.pem
#
######################################################################
inner-server.csr inner-server.key: inner-server.cnf
- $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
+ $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf -noenc
chmod g+r inner-server.key
inner-server.crt: inner-server.csr ca.key ca.pem
@@ -152,6 +162,8 @@ inner-server.p12: inner-server.crt
inner-server.pem: inner-server.p12
$(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
chmod g+r inner-server.pem
+ chown root:radiusd inner-server.*
+ chmod 640 inner-server.*
.PHONY: inner-server.vrfy
inner-server.vrfy: ca.pem
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 57de8cf0d7..c258ec45e0 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -41,12 +41,12 @@ if [ ! -f dh ]; then
fi
if [ ! -e server.key ]; then
- openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
+ openssl req -new -out server.csr -keyout server.key -config ./server.cnf -noenc || exit 1
chmod g+r server.key
fi
if [ ! -e ca.key ]; then
- openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
+ openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf -noenc || exit 1
fi
if [ ! -e index.txt ]; then
@@ -77,7 +77,7 @@ if [ ! -f ca.der ]; then
fi
if [ ! -e client.key ]; then
- openssl req -new -out client.csr -keyout client.key -config ./client.cnf
+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
chmod g+r client.key
fi

72
SOURCES/freeradius-bootstrap-run-only-once.patch Normal file
View File

@ -0,0 +1,72 @@
Author: Antonio Torres <antorres@redhat.com>
Date: Wed Jul 20 2021
Subject: [PATCH] ensure bootstrap script is run only once
The bootstrap script should only run once. By checking if there are
certificates in the directory, we can exit early if certificates were
already generated.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
Signed-off-by: Antonio Torres antorres@redhat.com
---
raddb/certs/README | 16 ++++++----------
raddb/certs/bootstrap | 18 ++++++++++++------
2 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/raddb/certs/README b/raddb/certs/README
index 6288921da1..32413964dd 100644
--- a/raddb/certs/README
+++ b/raddb/certs/README
@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
your users, and to issue client certificates for EAP-TLS.
If FreeRADIUS was configured to use OpenSSL, then simply starting
-the server in root in debugging mode should also create test
-certificates, i.e.:
+the server in root mode should also create test certificates.
-$ radiusd -X
-
- That will cause the EAP-TLS module to run the "bootstrap" script in
-this directory. The script will be executed only once, the first time
-the server has been installed on a particular machine. This bootstrap
-script SHOULD be run on installation of any pre-built binary package
-for your OS. In any case, the script will ensure that it is not run
-twice, and that it does not over-write any existing certificates.
+ The start of FreeRADIUS will cause to run the "bootstrap" script.
+The script will be executed during every start of FreeRADIUS via systemd but
+the script will ensure that it does not overwrite any existing certificates.
+Ideally, the bootstrap script file should be deleted after new testing certificates
+have been generated.
If you already have CA and server certificates, rename (or delete)
this directory, and create a new "certs" directory containing your
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 0f719aafd4..92254dc936 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -1,12 +1,18 @@
#!/bin/sh
#
-# This is a wrapper script to create default certificates when the
-# server first starts in debugging mode. Once the certificates have been
-# created, this file should be deleted.
+# Bootstrap script should be run only once. If there are already certificates
+# generated, skip the execution.
+#
+cd `dirname $0`
+if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
+ exit 0
+fi
+
#
-# Ideally, this program should be run as part of the installation of any
-# binary package. The installation should also ensure that the permissions
-# and owners are correct for the files generated by this script.
+# This is a wrapper script to create default certificates when the
+# server starts via systemd. It should also ensure that the
+# permissions and owners are correct for the generated files. Once
+# the certificates have been created, this file should be deleted.
#
# $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
#

2
SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch
View File

@ -7,7 +7,7 @@ attribute which can cause the server to crash.
Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151707
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151706
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/lib/filters.c b/src/lib/filters.c

2
SOURCES/freeradius-fix-crash-unknown-eap-sim.patch
View File

@ -11,7 +11,7 @@ Backport of:
https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151705
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151704
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c

76
SOURCES/freeradius-fix-info-leakage-eap-pwd.patch Normal file
View File

@ -0,0 +1,76 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 09 Dec 2022
Subject: Fix information leakage in EAP-PWD
The EAP-PWD function compute_password_element() leaks information about the
password which allows an attacker to substantially reduce the size of an
offline dictionary attack.
Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index d94851c3aa..9f86b62114 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
#include <freeradius-devel/radiusd.h>
#include <freeradius-devel/modules.h>
+static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
+
/* The random function H(x) = HMAC-SHA256(0^32, x) */
static void H_Init(HMAC_CTX *ctx)
{
@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
uint32_t *token)
{
BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
- HMAC_CTX *ctx = NULL;
+ EVP_MD_CTX *hmac_ctx;
+ EVP_PKEY *hmac_pkey;
uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
int nid, is_odd, primebitlen, primebytelen, ret = 0;
- ctx = HMAC_CTX_new();
- if (ctx == NULL) {
- DEBUG("failed allocating HMAC context");
- goto fail;
- }
+ MEM(hmac_ctx = EVP_MD_CTX_new());
+ MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
switch (grp_num) { /* from IANA registry for IKE D-H groups */
case 19:
@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
* pwd-seed = H(token | peer-id | server-id | password |
* counter)
*/
- H_Init(ctx);
- H_Update(ctx, (uint8_t *)token, sizeof(*token));
- H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
- H_Update(ctx, (uint8_t const *)id_server, id_server_len);
- H_Update(ctx, (uint8_t const *)password, password_len);
- H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
- H_Final(ctx, pwe_digest);
+ EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
BN_clear_free(x_candidate);
BN_clear_free(rnd);
talloc_free(prfbuf);
- HMAC_CTX_free(ctx);
+ EVP_MD_CTX_free(hmac_ctx);
+ EVP_PKEY_free(hmac_pkey);
return ret;
}

635
SOURCES/freeradius-fix-python3-library-suffix.patch
View File

@ -1,635 +0,0 @@
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 06 Nov 2023
Subject: Fix Python3.8+ library name suffix
Python 3.8 has removed the "m" suffix in the library name, add a check for it.
Backport of https://github.com/FreeRADIUS/freeradius-server/commit/fa837465493158257e600f28bca009ba890db863
Resolves: https://issues.redhat.com/browse/RHEL-15503
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/modules/rlm_python3/configure b/src/modules/rlm_python3/configure
index f421558ac0c0..05907f12c359 100755
--- a/src/modules/rlm_python3/configure
+++ b/src/modules/rlm_python3/configure
@@ -588,7 +588,17 @@ LIBOBJS
targetname
mod_cflags
mod_ldflags
+AWK
PYTHON3_CONFIG_BIN
+pkgpyexecdir
+pyexecdir
+pkgpythondir
+pythondir
+PYTHON_PLATFORM
+PYTHON_EXEC_PREFIX
+PYTHON_PREFIX
+PYTHON_VERSION
+PYTHON
CPP
OBJEXT
EXEEXT
@@ -648,7 +658,8 @@ CFLAGS
LDFLAGS
LIBS
CPPFLAGS
-CPP'
+CPP
+PYTHON'
# Initialize some variables set by options.
@@ -1266,6 +1277,7 @@ Some influential environment variables:
CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
you have headers in a nonstandard directory <include dir>
CPP C preprocessor
+ PYTHON the Python interpreter
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
@@ -1421,6 +1433,119 @@ fi
as_fn_set_status $ac_retval
} # ac_fn_c_try_cpp
+
+# ac_fn_c_try_link LINENO
+# -----------------------
+# Try to link conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_link ()
+{
+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+ rm -f conftest.$ac_objext conftest$ac_exeext
+ if { { ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+ (eval "$ac_link") 2>conftest.err
+ ac_status=$?
+ if test -s conftest.err; then
+ grep -v '^ *+' conftest.err >conftest.er1
+ cat conftest.er1 >&5
+ mv -f conftest.er1 conftest.err
+ fi
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext && {
+ test "$cross_compiling" = yes ||
+ test -x conftest$ac_exeext
+ }; then :
+ ac_retval=0
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_retval=1
+fi
+ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
+ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
+ # interfere with the next link command; also delete a directory that is
+ # left behind by Apple's compiler. We do this before executing the actions.
+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+ as_fn_set_status $ac_retval
+
+} # ac_fn_c_try_link
+
+# ac_fn_c_check_func LINENO FUNC VAR
+# ----------------------------------
+# Tests whether FUNC exists, setting the cache variable VAR accordingly
+ac_fn_c_check_func ()
+{
+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
+$as_echo_n "checking for $2... " >&6; }
+if eval \${$3+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+/* Define $2 to an innocuous variant, in case <limits.h> declares $2.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define $2 innocuous_$2
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char $2 (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $2
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $2 ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined __stub_$2 || defined __stub___$2
+choke me
+#endif
+
+int
+main ()
+{
+return $2 ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ eval "$3=yes"
+else
+ eval "$3=no"
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+eval ac_res=\$$3
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+
+} # ac_fn_c_check_func
cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
@@ -2705,6 +2830,267 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+
+
+
+ if test -n "$PYTHON"; then
+ # If the user set $PYTHON, use it and don't search something else.
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $PYTHON version is >= 3.0" >&5
+$as_echo_n "checking whether $PYTHON version is >= 3.0... " >&6; }
+ prog="import sys
+# split strings by '.' and convert to numeric. Append some zeros
+# because we need at least 4 digits for the hex conversion.
+# map returns an iterator in Python 3.0 and a list in 2.x
+minver = list(map(int, '3.0'.split('.'))) + [0, 0, 0]
+minverhex = 0
+# xrange is not present in Python 3.0 and range returns an iterator
+for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i]
+sys.exit(sys.hexversion < minverhex)"
+ if { echo "$as_me:$LINENO: $PYTHON -c "$prog"" >&5
+ ($PYTHON -c "$prog") >&5 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ as_fn_error $? "Python interpreter is too old" "$LINENO" 5
+fi
+ am_display_PYTHON=$PYTHON
+ else
+ # Otherwise, try each interpreter until we find one that satisfies
+ # VERSION.
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a Python interpreter with version >= 3.0" >&5
+$as_echo_n "checking for a Python interpreter with version >= 3.0... " >&6; }
+if ${am_cv_pathless_PYTHON+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ for am_cv_pathless_PYTHON in python python2 python3 python3.9 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python3.1 python3.0 python2.7 python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0 none; do
+ test "$am_cv_pathless_PYTHON" = none && break
+ prog="import sys
+# split strings by '.' and convert to numeric. Append some zeros
+# because we need at least 4 digits for the hex conversion.
+# map returns an iterator in Python 3.0 and a list in 2.x
+minver = list(map(int, '3.0'.split('.'))) + [0, 0, 0]
+minverhex = 0
+# xrange is not present in Python 3.0 and range returns an iterator
+for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i]
+sys.exit(sys.hexversion < minverhex)"
+ if { echo "$as_me:$LINENO: $am_cv_pathless_PYTHON -c "$prog"" >&5
+ ($am_cv_pathless_PYTHON -c "$prog") >&5 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then :
+ break
+fi
+ done
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_pathless_PYTHON" >&5
+$as_echo "$am_cv_pathless_PYTHON" >&6; }
+ # Set $PYTHON to the absolute path of $am_cv_pathless_PYTHON.
+ if test "$am_cv_pathless_PYTHON" = none; then
+ PYTHON=:
+ else
+ # Extract the first word of "$am_cv_pathless_PYTHON", so it can be a program name with args.
+set dummy $am_cv_pathless_PYTHON; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PYTHON+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ case $PYTHON in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_PYTHON="$PYTHON" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+PYTHON=$ac_cv_path_PYTHON
+if test -n "$PYTHON"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON" >&5
+$as_echo "$PYTHON" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ fi
+ am_display_PYTHON=$am_cv_pathless_PYTHON
+ fi
+
+
+ if test "$PYTHON" = :; then
+ :
+ else
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON version" >&5
+$as_echo_n "checking for $am_display_PYTHON version... " >&6; }
+if ${am_cv_python_version+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ am_cv_python_version=`$PYTHON -c "import sys; sys.stdout.write(sys.version[:3])"`
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_version" >&5
+$as_echo "$am_cv_python_version" >&6; }
+ PYTHON_VERSION=$am_cv_python_version
+
+
+
+ PYTHON_PREFIX='${prefix}'
+
+ PYTHON_EXEC_PREFIX='${exec_prefix}'
+
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON platform" >&5
+$as_echo_n "checking for $am_display_PYTHON platform... " >&6; }
+if ${am_cv_python_platform+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ am_cv_python_platform=`$PYTHON -c "import sys; sys.stdout.write(sys.platform)"`
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_platform" >&5
+$as_echo "$am_cv_python_platform" >&6; }
+ PYTHON_PLATFORM=$am_cv_python_platform
+
+
+ # Just factor out some code duplication.
+ am_python_setup_sysconfig="\
+import sys
+# Prefer sysconfig over distutils.sysconfig, for better compatibility
+# with python 3.x. See automake bug#10227.
+try:
+ import sysconfig
+except ImportError:
+ can_use_sysconfig = 0
+else:
+ can_use_sysconfig = 1
+# Can't use sysconfig in CPython 2.7, since it's broken in virtualenvs:
+# <https://github.com/pypa/virtualenv/issues/118>
+try:
+ from platform import python_implementation
+ if python_implementation() == 'CPython' and sys.version[:3] == '2.7':
+ can_use_sysconfig = 0
+except ImportError:
+ pass"
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON script directory" >&5
+$as_echo_n "checking for $am_display_PYTHON script directory... " >&6; }
+if ${am_cv_python_pythondir+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test "x$prefix" = xNONE
+ then
+ am_py_prefix=$ac_default_prefix
+ else
+ am_py_prefix=$prefix
+ fi
+ am_cv_python_pythondir=`$PYTHON -c "
+$am_python_setup_sysconfig
+if can_use_sysconfig:
+ sitedir = sysconfig.get_path('purelib', vars={'base':'$am_py_prefix'})
+else:
+ from distutils import sysconfig
+ sitedir = sysconfig.get_python_lib(0, 0, prefix='$am_py_prefix')
+sys.stdout.write(sitedir)"`
+ case $am_cv_python_pythondir in
+ $am_py_prefix*)
+ am__strip_prefix=`echo "$am_py_prefix" | sed 's|.|.|g'`
+ am_cv_python_pythondir=`echo "$am_cv_python_pythondir" | sed "s,^$am__strip_prefix,$PYTHON_PREFIX,"`
+ ;;
+ *)
+ case $am_py_prefix in
+ /usr|/System*) ;;
+ *)
+ am_cv_python_pythondir=$PYTHON_PREFIX/lib/python$PYTHON_VERSION/site-packages
+ ;;
+ esac
+ ;;
+ esac
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pythondir" >&5
+$as_echo "$am_cv_python_pythondir" >&6; }
+ pythondir=$am_cv_python_pythondir
+
+
+
+ pkgpythondir=\${pythondir}/$PACKAGE
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON extension module directory" >&5
+$as_echo_n "checking for $am_display_PYTHON extension module directory... " >&6; }
+if ${am_cv_python_pyexecdir+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test "x$exec_prefix" = xNONE
+ then
+ am_py_exec_prefix=$am_py_prefix
+ else
+ am_py_exec_prefix=$exec_prefix
+ fi
+ am_cv_python_pyexecdir=`$PYTHON -c "
+$am_python_setup_sysconfig
+if can_use_sysconfig:
+ sitedir = sysconfig.get_path('platlib', vars={'platbase':'$am_py_prefix'})
+else:
+ from distutils import sysconfig
+ sitedir = sysconfig.get_python_lib(1, 0, prefix='$am_py_prefix')
+sys.stdout.write(sitedir)"`
+ case $am_cv_python_pyexecdir in
+ $am_py_exec_prefix*)
+ am__strip_prefix=`echo "$am_py_exec_prefix" | sed 's|.|.|g'`
+ am_cv_python_pyexecdir=`echo "$am_cv_python_pyexecdir" | sed "s,^$am__strip_prefix,$PYTHON_EXEC_PREFIX,"`
+ ;;
+ *)
+ case $am_py_exec_prefix in
+ /usr|/System*) ;;
+ *)
+ am_cv_python_pyexecdir=$PYTHON_EXEC_PREFIX/lib/python$PYTHON_VERSION/site-packages
+ ;;
+ esac
+ ;;
+ esac
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pyexecdir" >&5
+$as_echo "$am_cv_python_pyexecdir" >&6; }
+ pyexecdir=$am_cv_python_pyexecdir
+
+
+
+ pkgpyexecdir=\${pyexecdir}/$PACKAGE
+
+
+
+ fi
+
+
+
PYTHON3_CONFIG_BIN=
# Check whether --with-rlm-python3-config-bin was given.
@@ -2771,8 +3157,6 @@ test -n "$PYTHON3_CONFIG_BIN" || PYTHON3_CONFIG_BIN="not-found"
fi
if test "x$PYTHON3_CONFIG_BIN" = xnot-found; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: python3-config not found" >&5
-$as_echo "$as_me: WARNING: python3-config not found" >&2;}
fail="$fail python3-config"
else
old_CFLAGS="$CFLAGS"
@@ -2794,7 +3178,85 @@ $as_echo "$as_me: ${PYTHON3_CONFIG_BIN}'s cflags were \"${python3_cflags}\"" >&6
{ $as_echo "$as_me:${as_lineno-$LINENO}: Sanitized cflags were \"${mod_cflags}\"" >&5
$as_echo "$as_me: Sanitized cflags were \"${mod_cflags}\"" >&6;}
- python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags`
+ for ac_prog in gawk mawk nawk awk
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_AWK+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$AWK"; then
+ ac_cv_prog_AWK="$AWK" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_AWK="$ac_prog"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+fi
+fi
+AWK=$ac_cv_prog_AWK
+if test -n "$AWK"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5
+$as_echo "$AWK" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ test -n "$AWK" && break
+done
+
+
+
+
+ # Used to indicate true or false condition
+ ax_compare_version=false
+
+ # Convert the two version strings to be compared into a format that
+ # allows a simple string comparison. The end result is that a version
+ # string of the form 1.12.5-r617 will be converted to the form
+ # 0001001200050617. In other words, each number is zero padded to four
+ # digits, and non digits are removed.
+
+ ax_compare_version_A=`echo "${PYTHON_VERSION}" | sed -e 's/\([0-9]*\)/Z\1Z/g' \
+ -e 's/Z\([0-9]\)Z/Z0\1Z/g' \
+ -e 's/Z\([0-9][0-9]\)Z/Z0\1Z/g' \
+ -e 's/Z\([0-9][0-9][0-9]\)Z/Z0\1Z/g' \
+ -e 's/[^0-9]//g'`
+
+
+ ax_compare_version_B=`echo "3.8" | sed -e 's/\([0-9]*\)/Z\1Z/g' \
+ -e 's/Z\([0-9]\)Z/Z0\1Z/g' \
+ -e 's/Z\([0-9][0-9]\)Z/Z0\1Z/g' \
+ -e 's/Z\([0-9][0-9][0-9]\)Z/Z0\1Z/g' \
+ -e 's/[^0-9]//g'`
+
+
+ ax_compare_version=`echo "x$ax_compare_version_A
+x$ax_compare_version_B" | sed 's/^ *//' | sort -r | sed "s/x${ax_compare_version_A}/true/;s/x${ax_compare_version_B}/false/;1q"`
+
+
+
+ if test "$ax_compare_version" = "true" ; then
+ EMBED="--embed"
+ fi
+
+
+ python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags $EMBED`
{ $as_echo "$as_me:${as_lineno-$LINENO}: ${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"" >&5
$as_echo "$as_me: ${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"" >&6;}
@@ -2811,6 +3273,18 @@ $as_echo "$as_me: Sanitized ldflags were \"${mod_ldflags}\"" >&6;}
targetname="rlm_python3"
fi
+
+for ac_func in dl_iterate_phdr
+do :
+ ac_fn_c_check_func "$LINENO" "dl_iterate_phdr" "ac_cv_func_dl_iterate_phdr"
+if test "x$ac_cv_func_dl_iterate_phdr" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_DL_ITERATE_PHDR 1
+_ACEOF
+
+fi
+done
+
else
targetname=
echo \*\*\* module rlm_python3 is disabled.
@@ -2833,11 +3307,7 @@ ac_config_headers="$ac_config_headers config.h"
-
- unset ac_cv_env_LIBS_set
- unset ac_cv_env_LIBS_value
-
- ac_config_files="$ac_config_files all.mk"
+ac_config_files="$ac_config_files all.mk"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
@@ -3417,6 +3887,7 @@ gives unlimited permission to copy, distribute and modify it."
ac_pwd='$ac_pwd'
srcdir='$srcdir'
+AWK='$AWK'
test -n "\$AWK" || AWK=awk
_ACEOF
@@ -4111,4 +4582,3 @@ if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
fi
-
diff --git a/src/modules/rlm_python3/configure.ac b/src/modules/rlm_python3/configure.ac
index 295a2486d2ac..698a8c1d1874 100644
--- a/src/modules/rlm_python3/configure.ac
+++ b/src/modules/rlm_python3/configure.ac
@@ -7,6 +7,7 @@ if test x$with_[]modname != xno; then
AC_PROG_CC
AC_PROG_CPP
+ AM_PATH_PYTHON([3.0],, [:])
dnl extra argument: --with-rlm-python3-config-bin
PYTHON3_CONFIG_BIN=
@@ -58,7 +59,11 @@ if test x$with_[]modname != xno; then
'`
AC_MSG_NOTICE([Sanitized cflags were \"${mod_cflags}\"])
- python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags`
+ dnl # From python 3.8, --embed is required
+ dnl # https://bugs.python.org/issue36721
+ AX_COMPARE_VERSION(${PYTHON_VERSION}, [ge], [3.8], [EMBED="--embed"], [])
+
+ python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags $EMBED`
AC_MSG_NOTICE([${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"])
dnl # Strip -Wl,-O1... Is -O even a valid linker flag??
@@ -77,6 +82,7 @@ if test x$with_[]modname != xno; then
targetname="rlm_python3"
fi
+ AC_CHECK_FUNCS([dl_iterate_phdr])
else
targetname=
echo \*\*\* module modname is disabled.
diff --git a/src/modules/rlm_python3/rlm_python3.c b/src/modules/rlm_python3/rlm_python3.c
index df223f0f401b..5da23f4d7116 100644
--- a/src/modules/rlm_python3/rlm_python3.c
+++ b/src/modules/rlm_python3/rlm_python3.c
@@ -41,8 +41,17 @@ RCSID("$Id$")
#include <link.h>
#endif
+/*
+ * Since version 3.8, the "m" suffix is no longer available.
+ * https://bugs.python.org/issue36707
+ */
+#if PY_MINOR_VERSION >= 8
+#define LIBPYTHON_LINKER_NAME \
+ "libpython" STRINGIFY(PY_MAJOR_VERSION) "." STRINGIFY(PY_MINOR_VERSION) LT_SHREXT
+#else
#define LIBPYTHON_LINKER_NAME \
"libpython" STRINGIFY(PY_MAJOR_VERSION) "." STRINGIFY(PY_MINOR_VERSION) "m" LT_SHREXT
+#endif
static uint32_t python_instances = 0;
static void *python_dlhandle;

1955
SOURCES/freeradius-fixes-to-python3-module-since-v3.0.20.patch Normal file
View File

File diff suppressed because it is too large Load Diff

31
SOURCES/freeradius-ldap-infinite-timeout-on-starttls.patch
View File

@ -1,31 +0,0 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 28 Jan 2022
Subject: Use infinite timeout when using LDAP+start-TLS
This will ensure that the TLS connection to the LDAP server will complete
before starting FreeRADIUS, as it forces libldap to use a blocking socket during
the process. Infinite timeout is the OpenLDAP default.
Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
src/modules/rlm_ldap/ldap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
index cf7a84e069..841bf888a1 100644
--- a/src/modules/rlm_ldap/ldap.c
+++ b/src/modules/rlm_ldap/ldap.c
@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
}
#ifdef LDAP_OPT_NETWORK_TIMEOUT
- if (inst->net_timeout) {
+ bool using_tls = inst->start_tls ||
+ inst->port == 636 ||
+ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
+ if (inst->net_timeout && !using_tls) {
memset(&tv, 0, sizeof(tv));
tv.tv_sec = inst->net_timeout;

1
SOURCES/freeradius-logrotate
View File

@ -26,6 +26,7 @@
su radiusd radiusd
}
/var/log/radius/radius.log {
monthly
rotate 4

93
SOURCES/freeradius-man-Fix-some-typos.patch Normal file
View File

@ -0,0 +1,93 @@
From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 14 Sep 2018 11:53:28 +0300
Subject: [PATCH] man: Fix some typos
---
man/man1/radzap.1 | 4 ++--
man/man5/unlang.5 | 6 +++---
man/man8/radcrypt.8 | 2 +-
man/man8/radiusd.8 | 4 ++--
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/man/man1/radzap.1 b/man/man1/radzap.1
index a2d529d064..03b9a43a54 100644
--- a/man/man1/radzap.1
+++ b/man/man1/radzap.1
@@ -1,4 +1,4 @@
-.TH RADZAP 1 "8 April 2005" "" "FreeRadius Daemon"
+.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon"
.SH NAME
radzap - remove rogue entries from the active sessions database
.SH SYNOPSIS
@@ -17,7 +17,7 @@ radzap - remove rogue entries from the active sessions database
.RB [ \-x ]
\fIserver[:port] secret\fP
.SH DESCRIPTION
-The FreeRadius server can be configured to maintain an active session
+The FreeRADIUS server can be configured to maintain an active session
database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1)
use this database. Sometimes that database can get out of sync, and
then it might contain rogue entries. \fBradzap\fP can clean up this
diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
index 40db5fa6e7..5f765f1787 100644
--- a/man/man5/unlang.5
+++ b/man/man5/unlang.5
@@ -195,7 +195,7 @@ The <list> can be one of "request", "reply", "proxy-request",
of Version 3, the <list> can be omitted, in which case "request" is
assumed.
-The "control" list is the list of attributes maintainted internally by
+The "control" list is the list of attributes maintained internally by
the server that controls how the server processes the request. Any
attribute that does not go in a packet on the network will generally
be placed in the "control" list.
@@ -397,7 +397,7 @@ Evaluates to true if 'foo' is a non-empty string (single quotes, double
quotes, or back-quoted). Also evaluates to true if 'foo' is a
non-zero number. Note that the language is poorly typed, so the
string "0000" can be interpreted as a numerical zero. This issue can
-be avoided by comparings strings to an empty string, rather than by
+be avoided by comparing strings to an empty string, rather than by
evaluating the string by itself.
If the word 'foo' is not a quoted string, then it can be taken as a
@@ -854,7 +854,7 @@ failover tracking that nothing was done in the current section.
.IP ok
Instructs the server that the request was processed properly. This
keyword can be used to over-ride earlier failures, if the local
-administrator determines that the faiures are not catastrophic.
+administrator determines that the failures are not catastrophic.
.IP reject
Causes the request to be immediately rejected
.SH MODULE RETURN CODES
diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
index 08336c66f2..2917f60c46 100644
--- a/man/man8/radcrypt.8
+++ b/man/man8/radcrypt.8
@@ -30,7 +30,7 @@ Use a MD5 (Message Digest 5) hash.
Ignored if performing a password check.
.IP "\-c --check"
Perform a validation check on a password hash to verify if it matches
-the plantext password.
+the plaintext password.
.SH EXAMPLES
.nf
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
index 98aef5e1be..2ef5ccf789 100644
--- a/man/man8/radiusd.8
+++ b/man/man8/radiusd.8
@@ -211,11 +211,11 @@ This file is usually static. It defines all the possible RADIUS attributes
used in the other configuration files. You don't have to modify it.
It includes other dictionary files in the same directory.
.IP hints
-Defines certain hints to the radius server based on the users's loginname
+Defines certain hints to the radius server based on the users' loginname
or other attributes sent by the access server. It also provides for
mapping user names (such as Pusername -> username). This provides the
functionality that the \fILivingston 2.0\fP server has as "Prefix" and
-"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
+"Suffix" support in the \fIusers\fP file, but is more general. Of course
the Livingston way of doing things is also supported, and you can even use
both at the same time (within certain limits).
.IP huntgroups

45
SOURCES/freeradius-no-dh-param-load-FIPS.patch Normal file
View File

@ -0,0 +1,45 @@
From 42693cba452efa00a4848beb1514229149520cc1 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 5 Aug 2020 11:39:45 -0400
Subject: [PATCH] Ignore user-provided dhparams in FIPS mode (#3554)
OpenSSL in RHEL 8.3 introduces a breaking change in FIPS mode:
user-provided dhparams will be ignored (and dhparam generation
may fail as well), unless they are on the FIPS approved list of
parameters. However, OpenSSL since v1.1.1 will automatically select
an appropriate DH parameter set anyways, if the user did not provide
any. These will be FIPS approved.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/main/tls.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/main/tls.c b/src/main/tls.c
index 5809a1bd7d..5e6493333c 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1352,6 +1352,23 @@ static int load_dh_params(SSL_CTX *ctx, char *file)
if (!file) return 0;
+ /*
+ * Prior to trying to load the file, check what OpenSSL will do with it.
+ *
+ * Certain downstreams (such as RHEL) will ignore user-provided dhparams
+ * in FIPS mode, unless the specified parameters are FIPS-approved.
+ * However, since OpenSSL >= 1.1.1 will automatically select parameters
+ * anyways, there's no point in attempting to load them.
+ *
+ * Change suggested by @t8m
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ if (FIPS_mode() > 0) {
+ WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
+ return 0;
+ }
+#endif
+
if ((bio = BIO_new_file(file, "r")) == NULL) {
ERROR(LOG_PREFIX ": Unable to open DH file - %s", file);
return -1;

1
SOURCES/freeradius-tmpfiles.conf
View File

@ -1,2 +1 @@
D /run/radiusd 0710 radiusd radiusd -
D /run/radiusd/tmp 0700 radiusd radiusd -

3
SOURCES/freeradius.sysusers
View File

@ -1,3 +0,0 @@
#Type Name ID GECOS Home directory Shell
u radiusd 95 "radiusd user" /var/lib/radiusd /sbin/nologin
g radiusd 95 - - -

3
SOURCES/radiusd.service
View File

@ -4,8 +4,9 @@ After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.serv
[Service]
Type=forking
PIDFile=/run/radiusd/radiusd.pid
PIDFile=/var/run/radiusd/radiusd.pid
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap
ExecStartPre=/usr/sbin/radiusd -C
ExecStart=/usr/sbin/radiusd -d /etc/raddb
ExecReload=/usr/sbin/radiusd -C

24
SOURCES/rfc3526-group-18-8192.pem Normal file
View File

@ -0,0 +1,24 @@
-----BEGIN DH PARAMETERS-----
MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG
3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU
7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId
A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha
xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/
8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R
WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk
ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw
xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4
Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i
aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU
38gfVuiAuW5xYMmA3Zjt09///////////wIBAg==
-----END DH PARAMETERS-----

415
SPECS/freeradius.spec
View File

@ -1,8 +1,17 @@
%if 0%{?rhel} > 7
# Disable python2 build by default
%bcond_with python2
%else
%bcond_without python2
%endif
Summary: High-performance and highly configurable free RADIUS server
Name: freeradius
Version: 3.0.21
Release: 40%{?dist}
Version: 3.0.20
Release: 15%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons
URL: http://www.freeradius.org/
# Is elliptic curve cryptography supported?
@ -19,20 +28,26 @@ Source100: radiusd.service
Source102: freeradius-logrotate
Source103: freeradius-pam-conf
Source104: freeradius-tmpfiles.conf
Source105: freeradius.sysusers
Source105: rfc3526-group-18-8192.pem
Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
Patch2: freeradius-Use-system-crypto-policy-by-default.patch
Patch3: freeradius-bootstrap-create-only.patch
Patch4: freeradius-no-buildtime-cert-gen.patch
Patch5: freeradius-bootstrap-make-permissions.patch
Patch6: freeradius-Fix-resource-hard-limit-error.patch
Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch
Patch8: freeradius-Backport-OpenSSL3-fixes.patch
Patch9: freeradius-bootstrap-pass-noenc-to-certificate-generation.patch
Patch10: freeradius-fix-crash-unknown-eap-sim.patch
Patch11: freeradius-fix-crash-on-invalid-abinary-data.patch
Patch12: freeradius-fix-python3-library-suffix.patch
Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
Patch6: freeradius-bootstrap-make-permissions.patch
Patch7: freeradius-no-dh-param-load-FIPS.patch
Patch8: freeradius-bootstrap-fixed-dhparam.patch
Patch9: freeradius-man-Fix-some-typos.patch
Patch10: freeradius-Fix-resource-hard-limit-error.patch
Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
Patch12: freeradius-bootstrap-run-only-once.patch
Patch13: freeradius-Fix-unterminated-strings-in-SQL-queries.patch
Patch14: freeradius-Fix-segfault-when-home_server-is-null.patch
Patch15: freeradius-fix-crash-on-invalid-abinary-data.patch
Patch16: freeradius-fix-crash-unknown-eap-sim.patch
Patch17: freeradius-fix-info-leakage-eap-pwd.patch
Patch18: freeradius-blastradius-fix.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -51,8 +66,6 @@ BuildRequires: libpcap-devel
BuildRequires: systemd-units
BuildRequires: libtalloc-devel
BuildRequires: pcre-devel
BuildRequires: chrpath
BuildRequires: systemd-rpm-macros
%if ! 0%{?rhel}
BuildRequires: libyubikey-devel
@ -61,13 +74,11 @@ BuildRequires: ykclient-devel
# Require OpenSSL version we built with, or newer, to avoid startup failures
# due to runtime OpenSSL version checks.
Requires: openssl >= %(rpm -q --queryformat '%%{VERSION}' openssl)
Requires: openssl-perl
Requires: openssl >= %(rpm -q --queryformat '%%{EPOCH}:%%{VERSION}' openssl)
Requires(pre): shadow-utils glibc-common
Requires(post): systemd-sysv
Requires(post): systemd-units
# Needed for certificate generation as upstream bootstrap script isn't
# compatible with Makefile equivalent.
# Needed for certificate generation
Requires: make
Requires(preun): systemd-units
Requires(postun): systemd-units
@ -88,6 +99,7 @@ be centralized, and minimizes the amount of re-configuration which has to be
done when adding or deleting new users.
%package doc
Group: Documentation
Summary: FreeRADIUS documentation
%description doc
@ -95,6 +107,7 @@ All documentation supplied by the FreeRADIUS project is included
in this package.
%package utils
Group: System Environment/Daemons
Summary: FreeRADIUS utilities
Requires: %{name} = %{version}-%{release}
Requires: libpcap >= 0.9.4
@ -109,6 +122,7 @@ Support for RFC and VSA Attributes Additional server configuration
attributes Selecting a particular configuration Authentication methods
%package devel
Group: System Environment/Daemons
Summary: FreeRADIUS development files
Requires: %{name} = %{version}-%{release}
@ -117,6 +131,7 @@ Development headers and libraries for FreeRADIUS.
%package ldap
Summary: LDAP support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
BuildRequires: openldap-devel
@ -125,6 +140,7 @@ This plugin provides the LDAP support for the FreeRADIUS server project.
%package krb5
Summary: Kerberos 5 support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
BuildRequires: krb5-devel
@ -133,6 +149,7 @@ This plugin provides the Kerberos 5 support for the FreeRADIUS server project.
%package perl
Summary: Perl support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
%{?fedora:BuildRequires: perl-devel}
@ -143,9 +160,10 @@ BuildRequires: perl(ExtUtils::Embed)
%description perl
This plugin provides the Perl support for the FreeRADIUS server project.
%if 0%{?fedora} <= 30 && 0%{?rhel} < 8
%if %{with python2}
%package -n python2-freeradius
Summary: Python 2 support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
BuildRequires: python2-devel
%{?python_provide:%python_provide python2-freeradius}
@ -156,6 +174,7 @@ Obsoletes: %{name}-python < %{version}-%{release}
%description -n python2-freeradius
This plugin provides the Python 2 support for the FreeRADIUS server project.
# endif: with python2
%endif
%package -n python3-freeradius
@ -169,6 +188,7 @@ This plugin provides the Python 3 support for the FreeRADIUS server project.
%package mysql
Summary: MySQL support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
BuildRequires: mariadb-connector-c-devel
@ -177,14 +197,16 @@ This plugin provides the MySQL support for the FreeRADIUS server project.
%package postgresql
Summary: Postgresql support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
BuildRequires: libpq-devel
BuildRequires: postgresql-devel
%description postgresql
This plugin provides the postgresql support for the FreeRADIUS server project.
%package sqlite
Summary: SQLite support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
BuildRequires: sqlite-devel
@ -193,6 +215,7 @@ This plugin provides the SQLite support for the FreeRADIUS server project.
%package unixODBC
Summary: Unix ODBC support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
BuildRequires: unixODBC-devel
@ -201,6 +224,7 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
%package rest
Summary: REST support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
BuildRequires: libcurl-devel
BuildRequires: json-c-devel
@ -224,26 +248,28 @@ This plugin provides the REST support for the FreeRADIUS server project.
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
# Add fixed dhparam file to the source to ensure `make tests` can run.
cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
%build
# Force compile/link options, extra security for network facing daemon
%global _hardened_build 1
# Hack: rlm_python3 as stable; prevents building other unstable modules.
sed 's/rlm_python/rlm_python3/g' src/modules/stable -i
sed 's/rlm_python.*/rlm_python3/g' src/modules/stable -i
%global build_ldflags %{build_ldflags} $(python3-config --embed --libs)
export PY3_LIB_DIR="$(python3-config --configdir)"
# python3-config is broken:
# https://bugzilla.redhat.com/show_bug.cgi?id=1772988
export PY3_LIB_DIR=%{_libdir}/"$(python3-config --configdir | sed 's#/usr/lib/##g')"
export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"
# Enable FIPS support
%global build_cflags %{build_cflags} -DWITH_FIPS
# In order for the above hack to stick, do a fake configure so
# we can run reconfig before cleaning up after ourselves and running
# configure for real.
./configure && make reconfig && (make clean distclean || true)
%configure \
--libdir=%{_libdir}/freeradius \
--enable-reproducible-builds \
@ -262,6 +288,9 @@ export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_v
--with-rlm_python3 \
--with-rlm-python3-lib-dir=$PY3_LIB_DIR \
--with-rlm-python3-include-dir=$PY3_INC_DIR \
%if %{without python2}
--without-rlm-python2 \
%endif
--without-rlm_eap_ikev2 \
--without-rlm_eap_tnc \
--without-rlm_sql_iodbc \
@ -273,8 +302,7 @@ export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_v
--without-rlm_rediswho \
--without-rlm_cache_memcached
# Build fast, but get better errors if we fail
make %{?_smp_mflags} || make -j1
make
%install
mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/radiusd
@ -293,21 +321,14 @@ mkdir -p %{buildroot}%{_localstatedir}/run/
install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf
install -p -D -m 0644 %{SOURCE105} %{buildroot}%{_sysusersdir}/freeradius.conf
# Add fixed dhparam file
install -m 0644 %{SOURCE105} %{buildroot}/%{_sysconfdir}/raddb/certs/rfc3526-group-18-8192.dhparam
# install SNMP MIB files
mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
# remove rpath where needed
chrpath --delete $RPM_BUILD_ROOT%{_libdir}/freeradius/*.so
for f in $RPM_BUILD_ROOT/usr/sbin/*; do chrpath --delete $f || true; done
for f in $RPM_BUILD_ROOT/usr/bin/*; do chrpath --delete $f || true; done
# update ld with freeradius libs
mkdir -p %{buildroot}/%{_sysconfdir}/ld.so.conf.d
echo "%{_libdir}/freeradius" > %{buildroot}/%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
# remove unneeded stuff
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crl
@ -329,7 +350,6 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.la
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/mssql
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/oracle
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/mssql
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool-dhcp/oracle
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/oracle
rm -r $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/moonshot-targeted-ids
@ -345,6 +365,12 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab*
rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so
# Remove yubikey on RHEL
%if 0%{?rhel}
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/yubikey
rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_yubikey.so
%endif
# remove unsupported config files
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf
@ -377,18 +403,30 @@ EOF
# Make sure our user/group is present prior to any package or subpackage installation
%pre
%sysusers_create_compat %{SOURCE105}
getent group radiusd >/dev/null || /usr/sbin/groupadd -r -g 95 radiusd > /dev/null 2>&1
getent passwd radiusd >/dev/null || /usr/sbin/useradd -r -g radiusd -u 95 -c "radiusd user" -d %{_localstatedir}/lib/radiusd -s /sbin/nologin radiusd > /dev/null 2>&1
exit 0
%post
%systemd_post radiusd.service
exit 0
%preun
%systemd_preun radiusd.service
%postun
%systemd_postun_with_restart radiusd.service
if [ $1 -eq 0 ]; then # uninstall
getent passwd radiusd >/dev/null && /usr/sbin/userdel radiusd > /dev/null 2>&1
getent group radiusd >/dev/null && /usr/sbin/groupdel radiusd > /dev/null 2>&1
fi
exit 0
/bin/systemctl try-restart radiusd.service >/dev/null 2>&1 || :
%files
%defattr(-,root,root)
# doc
%license %{docdir}/LICENSE.gpl
@ -399,10 +437,8 @@ EOF
# system
%config(noreplace) %{_sysconfdir}/pam.d/radiusd
%config(noreplace) %{_sysconfdir}/logrotate.d/radiusd
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%{_unitdir}/radiusd.service
%{_tmpfilesdir}/radiusd.conf
%{_sysusersdir}/freeradius.conf
%dir %attr(710,radiusd,radiusd) %{_localstatedir}/run/radiusd
%dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp
%dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd
@ -438,6 +474,7 @@ EOF
/etc/raddb/certs/README
%config(noreplace) /etc/raddb/certs/xpextensions
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam
%attr(750,root,radiusd) /etc/raddb/certs/bootstrap
# mods-config
@ -549,7 +586,10 @@ EOF
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unpack
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/utf8
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/wimax
%if ! 0%{?rhel}
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/yubikey
%endif
# mods-enabled
# symlink: /etc/raddb/mods-enabled/xxx -> ../mods-available/xxx
@ -674,7 +714,10 @@ EOF
%{_libdir}/freeradius/rlm_unpack.so
%{_libdir}/freeradius/rlm_utf8.so
%{_libdir}/freeradius/rlm_wimax.so
%if ! 0%{?rhel}
%{_libdir}/freeradius/rlm_yubikey.so
%endif
# main man pages
%doc %{_mandir}/man5/clients.conf.5.gz
@ -745,12 +788,13 @@ EOF
%{_libdir}/freeradius/rlm_perl.so
%if 0%{?fedora} <= 30 && 0%{?rhel} < 8
%if %{with python2}
%files -n python2-freeradius
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/python
/etc/raddb/mods-config/python/example.py*
/etc/raddb/mods-config/python/radiusd.py*
%{_libdir}/freeradius/rlm_python.so
# endif: with python2
%endif
%files -n python3-freeradius
@ -783,7 +827,6 @@ EOF
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/setup.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/queries.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/schema.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/process-radacct.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras/wimax
@ -817,7 +860,6 @@ EOF
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/setup.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/queries.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/schema.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/process-radacct.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql/extras
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf
@ -847,8 +889,6 @@ EOF
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/sqlite
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/queries.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/schema.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/process-radacct-refresh.sh
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/process-radacct-schema.sql
%{_libdir}/freeradius/rlm_sql_sqlite.so
@ -864,210 +904,89 @@ EOF
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog
* Wed Jul 10 2024 Antonio Torres <antorres@redhat.com> - 3.0.21-40
- Backport fixes for BlastRADIUS CVE
Resolves: RHEL-46567
* Thu Jul 11 2023 Antonio Torres <antorres@redhat.com> - 3.0.20-15
- Backport BlastRADIUS CVE fix
Resolves: RHEL-46572
* Mon Nov 06 2023 Antonio Torres <antorres@redhat.com> - 3.0.21-39
- Fix Python3.8+ library name suffix
Resolves: #15503
* Fri Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-14
- Fix defect found by Covscan
Resolves: #2151704
* Mon May 22 2023 Antonio Torres <antorres@redhat.com> - 3.0.21-38
- Fix crash when verifying client certificate
Resolves: #2183447
* Wed Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-37
- Fix defect found by covscan
Resolves: #2151705
* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-36
* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-13
- Fix multiple CVEs
Resolves: #2151705
Resolves: #2151703
Resolves: #2151707
- Add rpminspect configuration
Resolves: #2151702
Resolves: #2151704
Resolves: #2151706
* Fri Sep 16 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-35
- Rebuild to add subpackages to CRB report
Resolves: #2126380
* Thu Dec 9 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-12
- Fix segfault when home_server is null
Resolves: bz#2030173
* Wed Jun 29 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-34
- Use GID / UID 95 as it's reserved for FreeRADIUS (https://pagure.io/setup/blob/07f8debf03dfb0e5ed36051c13c86c8cd00cd241/f/uidgid#_107)
Resolves: #2095403
* Thu Nov 18 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-11
- Fix unterminated strings in SQL queries
Resolves: bz#2021247
* Fri Jun 24 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-33
- Dynamically allocate users using sysusers.d format
Resolves: #2095403
* Fri Nov 12 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-10
- Rebuild to pick up latest json-c
Resolves: bz#2021818
* Mon May 30 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-32
- Add WITH_FIPS macro to CFLAGS
Related: rhbz#2083699
* Tue Aug 03 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-9
- radiusd.service: don't fail if bootstrap script is not present
Resolves: bz#1954521
* Tue May 24 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-31
- Update OpenSSL 3.0 support backport to current v3.0.x branch state
- Add "--enable-fips-workaround" to build options
Related: rhbz#2083699
* Fri Jul 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-8
- Extend info about boostrap script in README and comments
Resolves: bz#1954521
* Tue May 10 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-30
- Add openssl-perl dependency
Related: rhbz#2078816
* Wed Jul 21 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-7
- Ensure bootstrap script is run only once
Resolves: bz#1954521
* Thu Apr 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-29
- Set correct permissions for certificates generated by bootstrap Makefile
Related: rhbz#2069224
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-6
- Exit if host in FIPS mode and MD5 usage not explicitly allowed
Resolves: bz#1958979
* Mon Apr 25 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-28
- bootstrap: pass -noenc to certificate generation, do it on script as well
Related: rhbz#2069224
* Fri Apr 22 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-27
- bootstrap: pass -noenc to certificate generation
Related: rhbz#2069224
* Mon Jan 31 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-26
- Move remaining files from /var/run to /run
Related: rhbz#2047972
* Fri Jan 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-25
- Revert "Allow to connect to partially open LDAP handle"
- Use infinite timeout (openldap default) when using LDAP+start-TLS
- Update openssl dependency to not check epoch (was causing detection issues)
Related: rhbz#1992551
* Thu Jan 13 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-24
- Avoid segfault when trying to use MD4 without legacy provider
Related: rhbz#1978216
* Wed Jan 12 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-23
- Backport OpenSSL3 fixes
Related: rhbz#1978216
* Wed Oct 13 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-22
- Allow to connect to partially open LDAP handle
Related: rhbz#1992551
* Mon Sep 27 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-21
- Move FR's systemd unit PID file from /var/run to /run
Related: rhbz#2006368
* Thu Aug 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-20
- Rebuild to pick up new build flags from redhat-rpm-config
Related: rhbz#1984652
* Thu Aug 12 2021 Filip Dvorak <fdvorak@redhat.com> - 3.0.21-19
- Install psutil module and generate def. certs during test script
Resolves: rhbz#1990392
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.21-18
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Aug 03 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-17
- Ignore badfuncs error in rpminspect
Resolves: bz#1986972
* Mon Aug 02 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-16
- Remove RPATH usage
Resolves: bz#1986968
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-15
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-5
- Fix coredump not being able to be enabled
Resolves: bz#1977722
Resolves: bz#1977572
* Wed Jun 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-14
- Fix Python3.8 not being linked correctly
Related: rhbz#1948622
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-4
- Fix some manpage typos
Resolves: bz#1843807
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.21-13
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
- Require make for proper bootstrap execution, removes post script
Resolves: bz#1672285
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.21-12
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Aug 05 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-2
- Fix breakage caused by OpenSSL FIPS regression
Related: bz#1855822
Related: bz#1810911
Resolves: bz#1672285
* Wed Mar 10 2021 Robbie Harwood <rharwood@redhat.com> - 3.0.21-11
- Disable automatic bootstrap
* Mon Jun 08 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-1
- Update to FreeRADIUS server version 3.0.20
- Introduce Python 3 support; resolves: bz#1623069
- DoS issues due to multithreaded BN_CTX access; resolves: bz#1818809
- Create tmp files in /run; resolves: bz#1805975
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.0.21-10
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Fri Nov 22 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-7
- Fix information leak due to aborting when needing more than 10 iterations
Resolves: bz#1751797
* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 3.0.21-9
- rebuild for libpq ABI fix rhbz#1908268
* Fri Jun 14 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-6
- Fix handling of IPv6-only hostnames with listen.ipaddr
Resolves: bz#1685546
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.21-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Jun 14 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-5
- Fix possible privilege escalation due to insecure logrotate configuration
Resolves: bz#1719369
* Tue Aug 04 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-7
- Fix certificate permissions after make-based generation
Resolves: bz#1835249
* Tue Aug 04 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-6
- Fix certificate permissions after make-based generation
Resolves: bz#1835249
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.21-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.21-4
- Perl 5.32 rebuild
* Wed May 13 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-3
- Fix certificate generation
Resolves: bz#1835249
* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 3.0.21-2
- Rebuild (json-c)
* Wed Apr 01 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.21-1
- Rebased to 3.0.21
Resolves: bz#1816745
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.20-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sat Jan 11 2020 Paul Wouters <pwouters@redhat.com> - 3.0.20-2
- fixup tmpfile to use /run instead of /var/run
* Fri Nov 15 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.20-1
- Rebased to 3.0.20
Resolves: bz#1772710
- Introduced new rlm_python3 module
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.19-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.19-4
- Perl 5.30 rebuild
* Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-3
- Update boostrap to change ownership of all certificates to root:radiusd
* Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-2
- Updated crypto-policies patch
- Updated /etc/raddb/certs/bootstrap to only create certificates if missing: bz#1705165 bz#1672284
- Updated logrotate definitions to run as radiusd:radiusd: bz#1705343
- Drop python2 package on Fedora 31+
- Add database dependencies: bz#1658697
- Don't generate certificate during build
* Wed Apr 10 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-1
- Rebased to 3.0.19
* Wed Mar 06 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.18-1
- Rebased to 3.0.18
* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 3.0.17-6
- Rebuild for readline 8.0
* Tue Feb 05 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-5
- Unit file generates certificates if not present.
Resolves: bz#1672284
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.17-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 3.0.17-3
- Rebuilt for libcrypt.so.2 (#1666033)
* Fri Dec 14 2018 Alexander Scheel <ascheel@redhat.com> - 3.0.17-4
- Fixes two EAP-PWD security issues
Resolves: bz#1699417 authentication bypass with an invalid curve attack
Resolves: bz#1699421 fake authentication using reflection
* Fri Dec 14 2018 Alexander Scheel <ascheel@redhat.com> - 3.0.17-2
- Updates radiusd.service to start after network-online.target
@ -1080,27 +999,25 @@ EOF
* Mon Sep 17 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-18
- Actually apply patches added previously.
Related: Bug#1611286 Man page scan results for freeradius
Related: Bug#1612512 Man page scan results for freeradius
* Fri Sep 14 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-17
- Fix a few minor manpage issues.
Resolves: Bug#1611286 Man page scan results for freeradius
Resolves: Bug#1612512 Man page scan results for freeradius
* Fri Sep 07 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-16
- Add make to BuildRequires and Requires(post) to fix build and certificate
generation on install.
Resolves: Bug#1574783 Installing freeradius without make results in an
unworkable default configuration
* Wed Sep 12 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-16
- Add make to Requires(post) to fix certificate generation on install.
Resolves: Bug#1628213 FreeRADIUS fails to start due to default certificate
permissions
* Tue Sep 04 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.15-15
- Add gcc to BuildRequires.
Resolves: Bug#1622470 FTBFS freeradius (rawhide)
* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 3.0.15-15
- Rebuild with fixed binutils
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.15-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jul 25 2018 Petr Kubat <pkubat@redhat.com> - 3.0.15-14
- Rebuilt for gdbm
* Fri Jun 29 2018 Jitka Plesnikova <jplesnik@redhat.com> - 3.0.15-13
- Perl 5.28 rebuild
* Mon Jun 11 2018 Charalampos Stratakis <cstratak@redhat.com> - 3.0.15-13
- Disable the python2 subpackage
* Tue Mar 06 2018 Björn Esser <besser82@fedoraproject.org> - 3.0.15-12
- Rebuilt for libjson-c.so.4 (json-c v0.13.1)