Compare commits

...

No commits in common. "imports/c8-beta-stream-3.0/freeradius-3.0.17-6.module+el8.1.0+3392+9bd8939b" and "c8-stream-3.0" have entirely different histories.

29 changed files with 3042 additions and 531 deletions

View File

@ -1 +1 @@
a0d4372ee124cbee6b90a4463ff068afe70e06ca SOURCES/freeradius-server-3.0.17.tar.bz2
3dd0e18fa04aff410876309e4322313b700db2b7 SOURCES/freeradius-server-3.0.20.tar.bz2

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/freeradius-server-3.0.17.tar.bz2
SOURCES/freeradius-server-3.0.20.tar.bz2

View File

@ -1,97 +0,0 @@
From afb196b29606aafb5030e8c7ea414a4bd494cbc0 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 14 Sep 2018 12:20:11 +0300
Subject: [PATCH] man: Add missing option descriptions
---
man/man8/raddebug.8 | 4 ++++
man/man8/radiusd.8 | 7 +++++++
man/man8/radmin.8 | 4 ++++
3 files changed, 15 insertions(+)
diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8
index 66e80e64fa..6e27e2453c 100644
--- a/man/man8/raddebug.8
+++ b/man/man8/raddebug.8
@@ -7,6 +7,8 @@ raddebug - Display debugging output from a running server.
.IR condition ]
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-n
.IR name ]
.RB [ \-i
@@ -73,6 +75,8 @@ option is equivalent to using:
.IP "\-d \fIconfig directory\fP"
The radius configuration directory, usually /etc/raddb. See the
\fIradmin\fP manual page for more description of this option.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP "\-n \fImname\fP"
Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
.IP \-I\ \fIipv6-address\fP
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
index c825f22d0d..98aef5e1be 100644
--- a/man/man8/radiusd.8
+++ b/man/man8/radiusd.8
@@ -6,6 +6,8 @@ radiusd - Authentication, Authorization and Accounting server
.RB [ \-C ]
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-f ]
.RB [ \-h ]
.RB [ \-i
@@ -17,6 +19,7 @@ radiusd - Authentication, Authorization and Accounting server
.IR name ]
.RB [ \-p
.IR port ]
+.RB [ \-P ]
.RB [ \-s ]
.RB [ \-t ]
.RB [ \-v ]
@@ -55,6 +58,8 @@ configuration, and which modules are skipped, and therefore not checked.
.IP "\-d \fIconfig directory\fP"
Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
files such as the \fIdictionary\fP and the \fIusers\fP files.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP \-f
Do not fork, stay running as a foreground process.
.IP \-h
@@ -84,6 +89,8 @@ When this command-line option is given, all "listen" sections in
\fIradiusd.conf\fP are ignored.
This option MUST be used in conjunction with "-i".
+.IP "\-P
+Always write out PID, even with -f.
.IP \-s
Run in "single server" mode. The server normally runs with multiple
threads and/or processes, which can lower its response time to
diff --git a/man/man8/radmin.8 b/man/man8/radmin.8
index 5ecc963d81..5bf661fa71 100644
--- a/man/man8/radmin.8
+++ b/man/man8/radmin.8
@@ -5,6 +5,8 @@ radmin - FreeRADIUS Administration tool
.B radmin
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-e
.IR command ]
.RB [ \-E ]
@@ -34,6 +36,8 @@ The following command-line options are accepted by the program.
Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server
configuration files to find the "listen" section that defines the
control socket filename.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP "\-e \fIcommand\fP"
Run \fIcommand\fP and exit.
.IP \-E
--
2.18.0

View File

@ -12,24 +12,24 @@ diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 2621e183c..94494b2c6 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -472,7 +472,7 @@ eap {
#
@@ -533,7 +533,7 @@
# You should also delete all of the files
# in the directory when the server starts.
- # tmpdir = /tmp/radiusd
+ # tmpdir = /var/run/radiusd/tmp
#
- # tmpdir = /tmp/radiusd
+ # tmpdir = /var/run/radiusd/tmp
# The command used to verify the client cert.
# We recommend using the OpenSSL command-line
@@ -486,7 +486,7 @@ eap {
# in PEM format. This file is automatically
@@ -548,7 +548,7 @@
# deleted by the server when the command
# returns.
- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
#
- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
}
#
# OCSP Configuration
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index a83c1f687..e500cf97b 100644
--- a/raddb/radiusd.conf.in

View File

@ -1,45 +0,0 @@
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index 7f91e4b230..848ca2055e 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
data_len = BN_num_bytes(session->order);
BN_bin2bn(ptr, data_len, session->peer_scalar);
+ /* validate received scalar */
+ if (BN_is_zero(session->peer_scalar) ||
+ BN_is_one(session->peer_scalar) ||
+ BN_cmp(session->peer_scalar, session->order) >= 0) {
+ ERROR("Peer's scalar is not within the allowed range");
+ goto finish;
+ }
+
if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
DEBUG2("pwd: unable to get coordinates of peer's element");
goto finish;
}
+ /* validate received element */
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
+ EC_POINT_is_at_infinity(session->group, session->peer_element)) {
+ ERROR("Peer's element is not a point on the elliptic curve");
+ goto finish;
+ }
+
/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
}
}
+ /* detect reflection attacks */
+ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
+ ERROR("Reflection attack detected");
+ goto finish;
+ }
+
/* compute the shared key, k */
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
(!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||

View File

@ -0,0 +1,39 @@
Author: Antonio Torres <antorres@redhat.com>
Date: Fri Jul 2 07:12:48 2021 -0400
Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
variable to 1 or else FR should exit at start.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
Signed-off-by: Antonio Torres antorres@redhat.com
---
src/main/radiusd.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
index 9739514509..58a48895e6 100644
--- a/src/main/radiusd.c
+++ b/src/main/radiusd.c
@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
exit(EXIT_FAILURE);
}
+ /*
+ * If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
+ */
+ char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
+ FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (fips_file != NULL) {
+ int fips_enabled = fgetc(fips_file) - '0';
+ fclose(fips_file);
+ if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
+ fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
+ exit(EXIT_FAILURE);
+ }
+ }
+
/*
* According to the talloc peeps, no two threads may modify any part of
* a ctx tree with a common root without synchronisation.

View File

@ -0,0 +1,32 @@
commit 1ce4508c92493cf03ea1b3c42e83540b387884fa
Author: Antonio Torres <antorres@redhat.com>
Date: Fri Jul 2 07:12:48 2021 -0400
Subject: [PATCH] debug: don't set resource hard limit to zero
Setting the resource hard limit to zero is irreversible, meaning if it
is set to zero then there is no way to set it higher. This means
enabling core dump is not possible, since setting a new resource limit
for RLIMIT_CORE would fail. By only setting the soft limit to zero, we
can disable and enable core dumps without failures.
This fix is present in both main and 3.0.x upstream branches.
Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572
Signed-off-by: Antonio Torres antorres@redhat.com
---
src/lib/debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/debug.c b/src/lib/debug.c
index 576bcb2a65..6330c9cb66 100644
--- a/src/lib/debug.c
+++ b/src/lib/debug.c
@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps)
struct rlimit no_core;
no_core.rlim_cur = 0;
- no_core.rlim_max = 0;
+ no_core.rlim_max = core_limits.rlim_max;
if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));

View File

@ -0,0 +1,51 @@
From e2de6fab148e800380f1929fe4ea88a38de42053 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Wed, 20 Nov 2019 13:59:54 -0500
Subject: [PATCH] a better fix for commit 30ffd21
Which still runs post-proxy-type fail if all of the home servers
are dead
[antorres@redhat.com: solved in FR 3.0.21, resolves bz#2030173]
[antorres@redhat.com: removed first hunk of commit, already present]
---
src/main/process.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/main/process.c b/src/main/process.c
index c8b3af24e2..1a48517d43 100644
--- a/src/main/process.c
+++ b/src/main/process.c
@@ -2475,13 +2474,12 @@ static int process_proxy_reply(REQUEST *request, RADIUS_PACKET *reply)
}
old_server = request->server;
- rad_assert(request->home_server != NULL);
/*
* If the home server is virtual, just run pre_proxy from
* that section.
*/
- if (request->home_server->server) {
+ if (request->home_server && request->home_server->server) {
request->server = request->home_server->server;
} else {
@@ -3182,13 +3180,12 @@ do_home:
}
old_server = request->server;
- rad_assert(request->home_server != NULL);
/*
* If the home server is virtual, just run pre_proxy from
* that section.
*/
- if (request->home_server->server) {
+ if (request->home_server && request->home_server->server) {
request->server = request->home_server->server;
} else {
--
2.31.1

View File

@ -0,0 +1,41 @@
From 3fd832baf898fe6d6f974cd2d36d1c5206bc2209 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 12 Nov 2021 16:23:05 +0100
Subject: [PATCH] Fix unterminated strings in SQL queries
Resolves: bz#2021247
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
raddb/mods-config/sql/ippool/mysql/queries.conf | 2 +-
raddb/mods-config/sql/ippool/sqlite/queries.conf | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/raddb/mods-config/sql/ippool/mysql/queries.conf b/raddb/mods-config/sql/ippool/mysql/queries.conf
index 2dfc6574dd..444812a047 100644
--- a/raddb/mods-config/sql/ippool/mysql/queries.conf
+++ b/raddb/mods-config/sql/ippool/mysql/queries.conf
@@ -114,7 +114,7 @@ allocate_update = "\
nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool_key}', \
callingstationid = '%{Calling-Station-Id}', \
username = '%{User-Name}', expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \
- WHERE framedipaddress = '%I'
+ WHERE framedipaddress = '%I'"
#
# Use a stored procedure to find AND allocate the address. Read and customise
diff --git a/raddb/mods-config/sql/ippool/sqlite/queries.conf b/raddb/mods-config/sql/ippool/sqlite/queries.conf
index 31a5df3659..e92466108b 100644
--- a/raddb/mods-config/sql/ippool/sqlite/queries.conf
+++ b/raddb/mods-config/sql/ippool/sqlite/queries.conf
@@ -89,7 +89,7 @@ allocate_update = "\
callingstationid = '%{Calling-Station-Id}', \
username = '%{User-Name}', \
expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \
- WHERE framedipaddress = '%I'
+ WHERE framedipaddress = '%I'"
#
# This series of queries frees an IP number when an accounting START record arrives
--
2.31.1

View File

@ -1,68 +0,0 @@
From b93796b1890b35a0922bfba9cd08e8a1a5f956cf Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Sep 2018 09:54:46 -0400
Subject: [PATCH 1/2] Replace HMAC-MD5 implementation with OpenSSL's
If OpenSSL EVP is not found, fallback to internal implementation of
HMAC-MD5.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/hmacmd5.c | 34 +++++++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/lib/hmacmd5.c b/src/lib/hmacmd5.c
index 2c662ff368..1cca00fa2a 100644
--- a/src/lib/hmacmd5.c
+++ b/src/lib/hmacmd5.c
@@ -27,10 +27,41 @@
RCSID("$Id: 2c662ff368e46556edd2cfdf408bd0fca0ab5f18 $")
+#ifdef HAVE_OPENSSL_EVP_H
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#endif
+
#include <freeradius-devel/libradius.h>
#include <freeradius-devel/md5.h>
-/** Calculate HMAC using MD5
+#ifdef HAVE_OPENSSL_EVP_H
+/** Calculate HMAC using OpenSSL's MD5 implementation
+ *
+ * @param digest Caller digest to be filled in.
+ * @param text Pointer to data stream.
+ * @param text_len length of data stream.
+ * @param key Pointer to authentication key.
+ * @param key_len Length of authentication key.
+ *
+ */
+void fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
+ uint8_t const *key, size_t key_len)
+{
+ HMAC_CTX *ctx = HMAC_CTX_new();
+
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* Since MD5 is not allowed by FIPS, explicitly allow it. */
+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif /* EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */
+
+ HMAC_Init_ex(ctx, key, key_len, EVP_md5(), NULL);
+ HMAC_Update(ctx, text, text_len);
+ HMAC_Final(ctx, digest, NULL);
+ HMAC_CTX_free(ctx);
+}
+#else
+/** Calculate HMAC using internal MD5 implementation
*
* @param digest Caller digest to be filled in.
* @param text Pointer to data stream.
@@ -101,6 +132,7 @@
* hash */
fr_md5_final(digest, &context); /* finish up 2nd pass */
}
+#endif /* HAVE_OPENSSL_EVP_H */
/*
Test Vectors (Trailing '\0' of a character string not included in test):

View File

@ -1,73 +0,0 @@
From 91f663ce1b46ecd99399023ad539f158419272e7 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Sep 2018 11:03:52 -0400
Subject: [PATCH 2/2] Replace HMAC-SHA1 implementation with OpenSSL's
If OpenSSL EVP is not found, fallback to internal implementation of
HMAC-SHA1.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/hmacsha1.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/src/lib/hmacsha1.c b/src/lib/hmacsha1.c
index c3cbd87a2c..211470ea35 100644
--- a/src/lib/hmacsha1.c
+++ b/src/lib/hmacsha1.c
@@ -10,13 +10,19 @@
RCSID("$Id: c3cbd87a2c13c47da93fdb1bdfbf6da4c22aaac5 $")
+#ifdef HAVE_OPENSSL_EVP_H
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#endif
+
#include <freeradius-devel/libradius.h>
#ifdef HMAC_SHA1_DATA_PROBLEMS
unsigned int sha1_data_problems = 0;
#endif
-/** Calculate HMAC using SHA1
+#ifdef HAVE_OPENSSL_EVP_H
+/** Calculate HMAC using OpenSSL's SHA1 implementation
*
* @param digest Caller digest to be filled in.
* @param text Pointer to data stream.
@@ -28,6 +34,26 @@
void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
uint8_t const *key, size_t key_len)
{
+ HMAC_CTX *ctx = HMAC_CTX_new();
+ HMAC_Init_ex(ctx, key, key_len, EVP_sha1(), NULL);
+ HMAC_Update(ctx, text, text_len);
+ HMAC_Final(ctx, digest, NULL);
+ HMAC_CTX_free(ctx);
+}
+
+#else
+
+/** Calculate HMAC using internal SHA1 implementation
+ *
+ * @param digest Caller digest to be filled in.
+ * @param text Pointer to data stream.
+ * @param text_len length of data stream.
+ * @param key Pointer to authentication key.
+ * @param key_len Length of authentication key.
+ */
+void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
+ uint8_t const *key, size_t key_len)
+{
fr_sha1_ctx context;
uint8_t k_ipad[65]; /* inner padding - key XORd with ipad */
uint8_t k_opad[65]; /* outer padding - key XORd with opad */
@@ -142,6 +168,7 @@
}
#endif
}
+#endif /* HAVE_OPENSSL_EVP_H */
/*
Test Vectors (Trailing '\0' of a character string not included in test):

View File

@ -1,33 +1,43 @@
From d78bf5ab1f5c8102b2b6051cfb1198488be9597d Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 26 Sep 2016 19:48:36 +0300
Subject: [PATCH] Use system crypto policy by default
From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 8 May 2019 10:16:31 -0400
Subject: [PATCH] Use system-provided crypto-policies by default
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/mods-available/eap | 2 +-
raddb/mods-available/eap | 4 ++--
raddb/mods-available/inner-eap | 2 +-
raddb/sites-available/abfab-tls | 2 +-
raddb/sites-available/tls | 4 ++--
4 files changed, 5 insertions(+), 5 deletions(-)
4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 94494b2c6..9a8dc9327 100644
index 36849e10f2..b28c0f19c6 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -323,7 +323,7 @@ eap {
@@ -368,7 +368,7 @@ eap {
#
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
#
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
@@ -912,7 +912,7 @@ eap {
# Note - for OpenSSL 1.1.0 and above you may need
# to add ":@SECLEVEL=0"
#
- # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
+ # cipher_list = "PROFILE=SYSTEM"
# PAC lifetime in seconds (default: seven days)
#
diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
index 2b4df6267..af9aa88cd 100644
index 576eb7739e..ffa07188e2 100644
--- a/raddb/mods-available/inner-eap
+++ b/raddb/mods-available/inner-eap
@@ -68,7 +68,7 @@ eap inner-eap {
@@ -77,7 +77,7 @@ eap inner-eap {
# certificates. If so, edit this file.
ca_file = ${cadir}/ca.pem
@ -37,7 +47,7 @@ index 2b4df6267..af9aa88cd 100644
# You may want to set a very small fragment size.
# The TLS data here needs to go inside of the
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
index 5dbe143da..46b5fea78 100644
index 92f1d6330e..cd69b3905a 100644
--- a/raddb/sites-available/abfab-tls
+++ b/raddb/sites-available/abfab-tls
@@ -19,7 +19,7 @@ listen {
@ -50,10 +60,10 @@ index 5dbe143da..46b5fea78 100644
cache {
enable = no
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index cf1cd7a8a..7dd59cb6f 100644
index bbc761b1c5..83cd35b851 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -197,7 +197,7 @@ listen {
@@ -215,7 +215,7 @@ listen {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
@ -62,7 +72,7 @@ index cf1cd7a8a..7dd59cb6f 100644
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
@@ -499,7 +499,7 @@ home_server tls {
@@ -517,7 +517,7 @@ home_server tls {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
@ -72,5 +82,5 @@ index cf1cd7a8a..7dd59cb6f 100644
}
--
2.13.2
2.21.0

View File

@ -0,0 +1,91 @@
From 3f40655ad0708b74a4a41b13c2b21995b157c14d Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 5 Aug 2020 15:53:45 -0400
Subject: [PATCH] Don't clobber existing files on bootstrap
Rebased: v3.0.20
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/certs/bootstrap | 35 +++++++++++++++++++----------------
1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 0f719aa..336a2bd 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -31,52 +31,55 @@ fi
# Don't edit the following text. Instead, edit the Makefile, and
# re-generate these commands.
#
-if [ ! -f dh ]; then
+if [ ! -e dh ]; then
openssl dhparam -out dh 2048 || exit 1
- if [ -e /dev/urandom ] ; then
- ln -sf /dev/urandom random
- else
- date > ./random;
- fi
+ ln -sf /dev/urandom random
fi
-if [ ! -f server.key ]; then
+if [ ! -e server.key ]; then
openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
+ chmod g+r server.key
fi
-if [ ! -f ca.key ]; then
+if [ ! -e ca.key ]; then
openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
fi
-if [ ! -f index.txt ]; then
+if [ ! -e index.txt ]; then
touch index.txt
fi
-if [ ! -f serial ]; then
+if [ ! -e serial ]; then
echo '01' > serial
fi
-if [ ! -f server.crt ]; then
+if [ ! -e server.crt ]; then
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
fi
-if [ ! -f server.p12 ]; then
+if [ ! -e server.p12 ]; then
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+ chmod g+r server.p12
fi
-if [ ! -f server.pem ]; then
+if [ ! -e server.pem ]; then
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
openssl verify -CAfile ca.pem server.pem || exit 1
+ chmod g+r server.pem
fi
-if [ ! -f ca.der ]; then
+if [ ! -e ca.der ]; then
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
fi
-if [ ! -f client.key ]; then
+if [ ! -e client.key ]; then
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
+ chmod g+r client.key
fi
-if [ ! -f client.crt ]; then
+if [ ! -e client.crt ]; then
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
fi
+
+chown root:radiusd dh ca.* client.* server.*
+chmod 640 dh ca.* client.* server.*
--
2.26.2

View File

@ -0,0 +1,52 @@
From b31f1ab9a0e1c010037d2d660e3ce4ea7eb07d6c Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 5 Aug 2020 16:10:52 -0400
Subject: [PATCH] Use fixed FIPS-approved dhparam by default
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/certs/Makefile | 2 +-
raddb/certs/bootstrap | 7 +++++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
index 5cbfd46..41b7aea 100644
--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
#
######################################################################
dh:
- $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
+ cp rfc3526-group-18-8192.dhparam dh
######################################################################
#
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 9920ecf..59b3310 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -13,6 +13,10 @@
umask 027
cd `dirname $0`
+if [ ! -e random ]; then
+ ln -sf /dev/urandom random
+fi
+
make -h > /dev/null 2>&1
#
@@ -35,8 +39,7 @@ fi
# re-generate these commands.
#
if [ ! -e dh ]; then
- openssl dhparam -out dh 2048 || exit 1
- ln -sf /dev/urandom random
+ cp rfc3526-group-18-8192.dhparam dh
fi
if [ ! -e server.key ]; then
--
2.26.2

View File

@ -0,0 +1,29 @@
From ea164ceafa05f96079204a3f0ae379e46e64a455 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 4 Aug 2020 10:08:15 -0400
Subject: [PATCH] Fix permissions after generating certificates with make
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/certs/bootstrap | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 336a2bd..9920ecf 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -21,7 +21,10 @@ make -h > /dev/null 2>&1
#
if [ "$?" = "0" ]; then
make all
- exit $?
+ ret=$?
+ chown root:radiusd dh ca.* client.* server.*
+ chmod 640 dh ca.* client.* server.*
+ exit $ret
fi
#
--
2.26.2

View File

@ -0,0 +1,72 @@
Author: Antonio Torres <antorres@redhat.com>
Date: Wed Jul 20 2021
Subject: [PATCH] ensure bootstrap script is run only once
The bootstrap script should only run once. By checking if there are
certificates in the directory, we can exit early if certificates were
already generated.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
Signed-off-by: Antonio Torres antorres@redhat.com
---
raddb/certs/README | 16 ++++++----------
raddb/certs/bootstrap | 18 ++++++++++++------
2 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/raddb/certs/README b/raddb/certs/README
index 6288921da1..32413964dd 100644
--- a/raddb/certs/README
+++ b/raddb/certs/README
@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
your users, and to issue client certificates for EAP-TLS.
If FreeRADIUS was configured to use OpenSSL, then simply starting
-the server in root in debugging mode should also create test
-certificates, i.e.:
+the server in root mode should also create test certificates.
-$ radiusd -X
-
- That will cause the EAP-TLS module to run the "bootstrap" script in
-this directory. The script will be executed only once, the first time
-the server has been installed on a particular machine. This bootstrap
-script SHOULD be run on installation of any pre-built binary package
-for your OS. In any case, the script will ensure that it is not run
-twice, and that it does not over-write any existing certificates.
+ The start of FreeRADIUS will cause to run the "bootstrap" script.
+The script will be executed during every start of FreeRADIUS via systemd but
+the script will ensure that it does not overwrite any existing certificates.
+Ideally, the bootstrap script file should be deleted after new testing certificates
+have been generated.
If you already have CA and server certificates, rename (or delete)
this directory, and create a new "certs" directory containing your
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 0f719aafd4..92254dc936 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -1,12 +1,18 @@
#!/bin/sh
#
-# This is a wrapper script to create default certificates when the
-# server first starts in debugging mode. Once the certificates have been
-# created, this file should be deleted.
+# Bootstrap script should be run only once. If there are already certificates
+# generated, skip the execution.
+#
+cd `dirname $0`
+if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
+ exit 0
+fi
+
#
-# Ideally, this program should be run as part of the installation of any
-# binary package. The installation should also ensure that the permissions
-# and owners are correct for the files generated by this script.
+# This is a wrapper script to create default certificates when the
+# server starts via systemd. It should also ensure that the
+# permissions and owners are correct for the generated files. Once
+# the certificates have been created, this file should be deleted.
#
# $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
#

View File

@ -0,0 +1,47 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 09 Dec 2022
Subject: Fix crash on invalid abinary data
A malicious RADIUS client or home server can send a malformed abinary
attribute which can cause the server to crash.
Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151706
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/lib/filters.c b/src/lib/filters.c
index 4868cd385d9f..3f3b63daeef3 100644
--- a/src/lib/filters.c
+++ b/src/lib/filters.c
@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
}
}
} else if (filter->type == RAD_FILTER_GENERIC) {
- int count;
+ size_t count, masklen;
+
+ masklen = ntohs(filter->u.generic.len);
+ if (masklen >= sizeof(filter->u.generic.mask)) {
+ *p = '\0';
+ return;
+ }
i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
p += i;
/* show the mask */
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
+ for (count = 0; count < masklen; count++) {
i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
p += i;
outlen -= i;
@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
outlen--;
/* show the value */
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
+ for (count = 0; count < masklen; count++) {
i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
p += i;
outlen -= i;

View File

@ -0,0 +1,115 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 09 Dec 2022
Subject: Fix crash on unknown option in EAP-SIM
When an EAP-SIM supplicant sends an unknown SIM option, the server will try to
look that option up in the internal dictionaries. This lookup will fail, but the
SIM code will not check for that failure. Instead, it will dereference a NULL
pointer, and cause the server to crash.
Backport of:
https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151704
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
index cf1e8a7dd92..e438a844eab 100644
--- a/src/modules/rlm_eap/libeap/eapsimlib.c
+++ b/src/modules/rlm_eap/libeap/eapsimlib.c
@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
newvp->vp_length = 1;
fr_pair_add(&(r->vps), newvp);
+ /*
+ * EAP-SIM has a 1 octet of subtype, and 2 octets
+ * reserved.
+ */
attr += 3;
attrlen -= 3;
- /* now, loop processing each attribute that we find */
- while(attrlen > 0) {
+ /*
+ * Loop over each attribute. The format is:
+ *
+ * 1 octet of type
+ * 1 octet of length (value 1..255)
+ * ((4 * length) - 2) octets of data.
+ */
+ while (attrlen > 0) {
uint8_t *p;
- if(attrlen < 2) {
+ if (attrlen < 2) {
fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
return 0;
}
+ if (!attr[1]) {
+ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", attr[0],
+ es_attribute_count);
+ return 0;
+ }
+
eapsim_attribute = attr[0];
eapsim_len = attr[1] * 4;
+ /*
+ * The length includes the 2-byte header.
+ */
if (eapsim_len > attrlen) {
fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
return 0;
}
- if(eapsim_len > MAX_STRING_LEN) {
- eapsim_len = MAX_STRING_LEN;
- }
- if (eapsim_len < 2) {
- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
- es_attribute_count);
- return 0;
- }
+ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
+ if (!newvp) {
+ /*
+ * RFC 4186 Section 8.1 says 0..127 are
+ * "non-skippable". If one such
+ * attribute is found and we don't
+ * understand it, the server has to send:
+ *
+ * EAP-Request/SIM/Notification packet with an
+ * (AT_NOTIFICATION code, which implies general failure ("General
+ * failure after authentication" (0), or "General failure" (16384),
+ * depending on the phase of the exchange), which terminates the
+ * authentication exchange.
+ */
+ if (eapsim_attribute <= 127) {
+ fr_strerror_printf("Unknown mandatory attribute %d, failing",
+ eapsim_attribute);
+ return 0;
+ }
- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
- newvp->vp_length = eapsim_len-2;
- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
- memcpy(p, &attr[2], eapsim_len-2);
- fr_pair_add(&(r->vps), newvp);
- newvp = NULL;
+ } else {
+ /*
+ * It's known, ccount for header, and
+ * copy the value over.
+ */
+ newvp->vp_length = eapsim_len - 2;
+
+ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+ memcpy(p, &attr[2], newvp->vp_length);
+ fr_pair_add(&(r->vps), newvp);
+ }
/* advance pointers, decrement length */
attr += eapsim_len;

View File

@ -0,0 +1,76 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 09 Dec 2022
Subject: Fix information leakage in EAP-PWD
The EAP-PWD function compute_password_element() leaks information about the
password which allows an attacker to substantially reduce the size of an
offline dictionary attack.
Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index d94851c3aa..9f86b62114 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
#include <freeradius-devel/radiusd.h>
#include <freeradius-devel/modules.h>
+static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
+
/* The random function H(x) = HMAC-SHA256(0^32, x) */
static void H_Init(HMAC_CTX *ctx)
{
@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
uint32_t *token)
{
BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
- HMAC_CTX *ctx = NULL;
+ EVP_MD_CTX *hmac_ctx;
+ EVP_PKEY *hmac_pkey;
uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
int nid, is_odd, primebitlen, primebytelen, ret = 0;
- ctx = HMAC_CTX_new();
- if (ctx == NULL) {
- DEBUG("failed allocating HMAC context");
- goto fail;
- }
+ MEM(hmac_ctx = EVP_MD_CTX_new());
+ MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
switch (grp_num) { /* from IANA registry for IKE D-H groups */
case 19:
@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
* pwd-seed = H(token | peer-id | server-id | password |
* counter)
*/
- H_Init(ctx);
- H_Update(ctx, (uint8_t *)token, sizeof(*token));
- H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
- H_Update(ctx, (uint8_t const *)id_server, id_server_len);
- H_Update(ctx, (uint8_t const *)password, password_len);
- H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
- H_Final(ctx, pwe_digest);
+ EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
BN_clear_free(x_candidate);
BN_clear_free(rnd);
talloc_free(prfbuf);
- HMAC_CTX_free(ctx);
+ EVP_MD_CTX_free(hmac_ctx);
+ EVP_PKEY_free(hmac_pkey);
return ret;
}

File diff suppressed because it is too large Load Diff

View File

@ -1,42 +0,0 @@
From 98510efd0e2930d8924b47009945a0fb1bd75a29 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Mon, 22 Apr 2019 14:38:19 -0400
Subject: [PATCH] Allow listen.ipaddr to reference an IPv6-only host
In 5452b13cefa3b30f1da467ff5d68b3c1aa471188, these lines were added
which effectively result in a listen.ipaddr only allowing hostnames to
resolve to IPv4 addresses. With a hostname with only a IPv6 address,
it'll bail with the error message:
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
Failed resolving "ipv6.cipherboy.com" to IPv4 address:
Name or service not known
This directly contradicts the language in the default configuration
file, so support resolving both IPv4-only and IPv6-only hostnames.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/misc.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/src/lib/misc.c b/src/lib/misc.c
index dff21e33f7..5520d8a0a4 100644
--- a/src/lib/misc.c
+++ b/src/lib/misc.c
@@ -607,13 +607,6 @@ int fr_pton(fr_ipaddr_t *out, char const *value, ssize_t inlen, int af, bool res
fr_strerror_printf("Invalid address");
return -1;
}
-
- /*
- * Fall through to resolving the address, using
- * whatever address family they prefer. If they
- * don't specify an address family, force IPv4.
- */
- if (af == AF_UNSPEC) af = AF_INET;
}
/*

View File

@ -4,91 +4,90 @@ Date: Fri, 14 Sep 2018 11:53:28 +0300
Subject: [PATCH] man: Fix some typos
---
man/man5/radrelay.conf.5 | 2 +-
man/man5/rlm_files.5 | 2 +-
man/man5/unlang.5 | 8 ++++----
man/man8/radrelay.8 | 2 +-
4 files changed, 7 insertions(+), 7 deletions(-)
man/man1/radzap.1 | 4 ++--
man/man5/unlang.5 | 6 +++---
man/man8/radcrypt.8 | 2 +-
man/man8/radiusd.8 | 4 ++--
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/man/man5/radrelay.conf.5 b/man/man5/radrelay.conf.5
index 5fb38bfc4e..e3e665024b 100644
--- a/man/man5/radrelay.conf.5
+++ b/man/man5/radrelay.conf.5
@@ -26,7 +26,7 @@ Many sites run multiple radius servers; at least one primary and one
backup server. When the primary goes down, most NASes detect that and
switch to the backup server.
-That will cause your accounting packets to go the the backup server -
+That will cause your accounting packets to go to the backup server -
and some NASes don't even switch back to the primary server when it
comes back up.
diff --git a/man/man5/rlm_files.5 b/man/man5/rlm_files.5
index bfee5030ff..52f4734ae3 100644
--- a/man/man5/rlm_files.5
+++ b/man/man5/rlm_files.5
@@ -48,7 +48,7 @@ This configuration entry enables you to have configurations that
perform per-group checks, and return per-group attributes, where the
group membership is dynamically defined by a previous module. It also
lets you do things like key off of attributes in the reply, and
-express policies like like "when I send replies containing attribute
+express policies like "when I send replies containing attribute
FOO with value BAR, do more checks, and maybe send additional
attributes".
.SH CONFIGURATION
diff --git a/man/man1/radzap.1 b/man/man1/radzap.1
index a2d529d064..03b9a43a54 100644
--- a/man/man1/radzap.1
+++ b/man/man1/radzap.1
@@ -1,4 +1,4 @@
-.TH RADZAP 1 "8 April 2005" "" "FreeRadius Daemon"
+.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon"
.SH NAME
radzap - remove rogue entries from the active sessions database
.SH SYNOPSIS
@@ -17,7 +17,7 @@ radzap - remove rogue entries from the active sessions database
.RB [ \-x ]
\fIserver[:port] secret\fP
.SH DESCRIPTION
-The FreeRadius server can be configured to maintain an active session
+The FreeRADIUS server can be configured to maintain an active session
database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1)
use this database. Sometimes that database can get out of sync, and
then it might contain rogue entries. \fBradzap\fP can clean up this
diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
index 76db8f2d1c..12fe7855b2 100644
index 40db5fa6e7..5f765f1787 100644
--- a/man/man5/unlang.5
+++ b/man/man5/unlang.5
@@ -36,7 +36,7 @@ the pre-defined keywords here.
@@ -195,7 +195,7 @@ The <list> can be one of "request", "reply", "proxy-request",
of Version 3, the <list> can be omitted, in which case "request" is
assumed.
Subject to a few limitations described below, any keyword can appear
in any context. The language consists of a series of entries, each
-one one line. Each entry begins with a keyword. Entries are
+one line. Each entry begins with a keyword. Entries are
organized into lists. Processing of the language is line by line,
from the start of the list to the end. Actions are executed
per-keyword.
@@ -131,7 +131,7 @@ expanded as described in the DATA TYPES section, below. The match is
then performed on the string returned from the expansion. If the
argument is an attribute reference (e.g. &User-Name), then the match
is performed on the value of that attribute. Otherwise, the argument
-is taken to be a literal string, and and matching is done via simple
+is taken to be a literal string, and matching is done via simple
comparison.
-The "control" list is the list of attributes maintainted internally by
+The "control" list is the list of attributes maintained internally by
the server that controls how the server processes the request. Any
attribute that does not go in a packet on the network will generally
be placed in the "control" list.
@@ -397,7 +397,7 @@ Evaluates to true if 'foo' is a non-empty string (single quotes, double
quotes, or back-quoted). Also evaluates to true if 'foo' is a
non-zero number. Note that the language is poorly typed, so the
string "0000" can be interpreted as a numerical zero. This issue can
-be avoided by comparings strings to an empty string, rather than by
+be avoided by comparing strings to an empty string, rather than by
evaluating the string by itself.
No statement other than "case" can appear in a "switch" block.
@@ -155,7 +155,7 @@ expanded as described in the DATA TYPES section, below. The match is
then performed on the string returned from the expansion. If the
argument is an attribute reference (e.g. &User-Name), then the match
is performed on the value of that attribute. Otherwise, the argument
-is taken to be a literal string, and and matching is done via simple
+is taken to be a literal string, and matching is done via simple
comparison.
If the word 'foo' is not a quoted string, then it can be taken as a
@@ -854,7 +854,7 @@ failover tracking that nothing was done in the current section.
.IP ok
Instructs the server that the request was processed properly. This
keyword can be used to over-ride earlier failures, if the local
-administrator determines that the faiures are not catastrophic.
+administrator determines that the failures are not catastrophic.
.IP reject
Causes the request to be immediately rejected
.SH MODULE RETURN CODES
diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
index 08336c66f2..2917f60c46 100644
--- a/man/man8/radcrypt.8
+++ b/man/man8/radcrypt.8
@@ -30,7 +30,7 @@ Use a MD5 (Message Digest 5) hash.
Ignored if performing a password check.
.IP "\-c --check"
Perform a validation check on a password hash to verify if it matches
-the plantext password.
+the plaintext password.
.DS
@@ -799,7 +799,7 @@ regular expression. If no attribute matches, nothing else is done.
The value can be an attribute reference, or an attribute-specific
string.
-When the value is an an attribute reference, it must take the form of
+When the value is an attribute reference, it must take the form of
"&Attribute-Name". The leading "&" signifies that the value is a
reference. The "Attribute-Name" is an attribute name, such as
"User-Name" or "request:User-Name". When an attribute reference is
diff --git a/man/man8/radrelay.8 b/man/man8/radrelay.8
index fdba6995d5..99e65732a2 100644
--- a/man/man8/radrelay.8
+++ b/man/man8/radrelay.8
@@ -13,7 +13,7 @@ Many sites run multiple radius servers; at least one primary and one
backup server. When the primary goes down, most NASes detect that and
switch to the backup server.
-That will cause your accounting packets to go the the backup server -
+That will cause your accounting packets to go to the backup server -
and some NASes don't even switch back to the primary server when it
comes back up.
--
2.18.0
.SH EXAMPLES
.nf
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
index 98aef5e1be..2ef5ccf789 100644
--- a/man/man8/radiusd.8
+++ b/man/man8/radiusd.8
@@ -211,11 +211,11 @@ This file is usually static. It defines all the possible RADIUS attributes
used in the other configuration files. You don't have to modify it.
It includes other dictionary files in the same directory.
.IP hints
-Defines certain hints to the radius server based on the users's loginname
+Defines certain hints to the radius server based on the users' loginname
or other attributes sent by the access server. It also provides for
mapping user names (such as Pusername -> username). This provides the
functionality that the \fILivingston 2.0\fP server has as "Prefix" and
-"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
+"Suffix" support in the \fIusers\fP file, but is more general. Of course
the Livingston way of doing things is also supported, and you can even use
both at the same time (within certain limits).
.IP huntgroups

View File

@ -0,0 +1,104 @@
From e6f7c9d4c2af1cda7760ca8155166bb5d4d541d0 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 8 May 2019 12:58:02 -0400
Subject: [PATCH] Don't generate certificates in reproducible builds
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
Make.inc.in | 5 +++++
configure | 4 ++++
configure.ac | 3 +++
raddb/all.mk | 4 ++++
4 files changed, 16 insertions(+)
diff --git a/Make.inc.in b/Make.inc.in
index 0b2cd74de8..8c623cf95c 100644
--- a/Make.inc.in
+++ b/Make.inc.in
@@ -173,3 +173,8 @@ else
TESTBINDIR = ./$(BUILD_DIR)/bin
TESTBIN = ./$(BUILD_DIR)/bin
endif
+
+#
+# With reproducible builds, do not generate certificates during installation
+#
+ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
diff --git a/configure b/configure
index c2c599c92b..3d4403a844 100755
--- a/configure
+++ b/configure
@@ -655,6 +655,7 @@ RUSERS
SNMPWALK
SNMPGET
PERL
+ENABLE_REPRODUCIBLE_BUILDS
openssl_version_check_config
WITH_DHCP
modconfdir
@@ -5586,6 +5587,7 @@ else
fi
+ENABLE_REPRODUCIBLE_BUILDS=yes
# Check whether --enable-reproducible-builds was given.
if test "${enable_reproducible_builds+set}" = set; then :
enableval=$enable_reproducible_builds; case "$enableval" in
@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
;;
*)
reproducible_builds=no
+ ENABLE_REPRODUCIBLE_BUILDS=no
esac
fi
@@ -5604,6 +5607,7 @@ fi
+
CHECKRAD=checkrad
# Extract the first word of "perl", so it can be a program name with args.
set dummy perl; ac_word=$2
diff --git a/configure.ac b/configure.ac
index a7abf0025a..35b013f4af 100644
--- a/configure.ac
+++ b/configure.ac
@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config])
dnl #
dnl # extra argument: --enable-reproducible-builds
dnl #
+ENABLE_REPRODUCIBLE_BUILDS=yes
AC_ARG_ENABLE(reproducible-builds,
[AS_HELP_STRING([--enable-reproducible-builds],
[ensure the build does not change each time])],
@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds,
;;
*)
reproducible_builds=no
+ ENABLE_REPRODUCIBLE_BUILDS=no
esac ]
)
+AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
dnl #############################################################
diff --git a/raddb/all.mk b/raddb/all.mk
index c966edd657..c8e976a499 100644
--- a/raddb/all.mk
+++ b/raddb/all.mk
@@ -124,7 +124,11 @@ $(R)$(raddbdir)/users: $(R)$(modconfdir)/files/authorize
ifneq "$(LOCAL_CERT_PRODUCTS)" ""
$(LOCAL_CERT_PRODUCTS):
@echo BOOTSTRAP raddb/certs/
+ifeq "$(ENABLE_REPRODUCIBLE_BUILDS)" "yes"
+ @$(MAKE) -C $(R)$(raddbdir)/certs/ passwords.mk
+else
@$(MAKE) -C $(R)$(raddbdir)/certs/
+endif
# Bootstrap is special
$(R)$(raddbdir)/certs/bootstrap: | raddb/certs/bootstrap $(LOCAL_CERT_PRODUCTS)
--
2.21.0

View File

@ -0,0 +1,45 @@
From 42693cba452efa00a4848beb1514229149520cc1 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 5 Aug 2020 11:39:45 -0400
Subject: [PATCH] Ignore user-provided dhparams in FIPS mode (#3554)
OpenSSL in RHEL 8.3 introduces a breaking change in FIPS mode:
user-provided dhparams will be ignored (and dhparam generation
may fail as well), unless they are on the FIPS approved list of
parameters. However, OpenSSL since v1.1.1 will automatically select
an appropriate DH parameter set anyways, if the user did not provide
any. These will be FIPS approved.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/main/tls.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/main/tls.c b/src/main/tls.c
index 5809a1bd7d..5e6493333c 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1352,6 +1352,23 @@ static int load_dh_params(SSL_CTX *ctx, char *file)
if (!file) return 0;
+ /*
+ * Prior to trying to load the file, check what OpenSSL will do with it.
+ *
+ * Certain downstreams (such as RHEL) will ignore user-provided dhparams
+ * in FIPS mode, unless the specified parameters are FIPS-approved.
+ * However, since OpenSSL >= 1.1.1 will automatically select parameters
+ * anyways, there's no point in attempting to load them.
+ *
+ * Change suggested by @t8m
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ if (FIPS_mode() > 0) {
+ WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
+ return 0;
+ }
+#endif
+
if ((bio = BIO_new_file(file, "r")) == NULL) {
ERROR(LOG_PREFIX ": Unable to open DH file - %s", file);
return -1;

View File

@ -1,64 +0,0 @@
From b8a6ac05977845851f02151ca35c3a51e88bd534 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Thu, 18 Oct 2018 12:40:53 -0400
Subject: [PATCH] Clarify shebangs to be python2
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
scripts/radtee | 2 +-
src/modules/rlm_python/example.py | 2 +-
src/modules/rlm_python/prepaid.py | 2 +-
src/modules/rlm_python/radiusd.py | 2 +-
src/modules/rlm_python/radiusd_test.py | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/scripts/radtee b/scripts/radtee
index 123769d244..78b4bcbe0b 100755
--- a/scripts/radtee
+++ b/scripts/radtee
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python2
from __future__ import with_statement
# RADIUS comparison tee v1.0
diff --git a/src/modules/rlm_python/example.py b/src/modules/rlm_python/example.py
index 5950a07678..eaf456e349 100644
--- a/src/modules/rlm_python/example.py
+++ b/src/modules/rlm_python/example.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Python module example file
# Miguel A.L. Paraz <mparaz@mparaz.com>
diff --git a/src/modules/rlm_python/prepaid.py b/src/modules/rlm_python/prepaid.py
index c3cbf57b8f..3b1dc2e2e8 100644
--- a/src/modules/rlm_python/prepaid.py
+++ b/src/modules/rlm_python/prepaid.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Example Python module for prepaid usage using MySQL
diff --git a/src/modules/rlm_python/radiusd.py b/src/modules/rlm_python/radiusd.py
index c535bb3caf..7129923994 100644
--- a/src/modules/rlm_python/radiusd.py
+++ b/src/modules/rlm_python/radiusd.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Definitions for RADIUS programs
#
diff --git a/src/modules/rlm_python/radiusd_test.py b/src/modules/rlm_python/radiusd_test.py
index 13b7128b29..97b5b64f08 100644
--- a/src/modules/rlm_python/radiusd_test.py
+++ b/src/modules/rlm_python/radiusd_test.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Python module test
# Miguel A.L. Paraz <mparaz@mparaz.com>

View File

@ -1 +1 @@
D /var/run/radiusd 0710 radiusd radiusd -
D /run/radiusd 0710 radiusd radiusd -

View File

@ -1,11 +1,12 @@
[Unit]
Description=FreeRADIUS high performance RADIUS server.
After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service
After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service mysql.service mariadb.service postgresql.service
[Service]
Type=forking
PIDFile=/var/run/radiusd/radiusd.pid
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap
ExecStartPre=/usr/sbin/radiusd -C
ExecStart=/usr/sbin/radiusd -d /etc/raddb
ExecReload=/usr/sbin/radiusd -C

View File

@ -0,0 +1,24 @@
-----BEGIN DH PARAMETERS-----
MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG
3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU
7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId
A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha
xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/
8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R
WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk
ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw
xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4
Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i
aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU
38gfVuiAuW5xYMmA3Zjt09///////////wIBAg==
-----END DH PARAMETERS-----

View File

@ -8,8 +8,8 @@
Summary: High-performance and highly configurable free RADIUS server
Name: freeradius
Version: 3.0.17
Release: 6%{?dist}
Version: 3.0.20
Release: 14%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons
URL: http://www.freeradius.org/
@ -28,16 +28,25 @@ Source100: radiusd.service
Source102: freeradius-logrotate
Source103: freeradius-pam-conf
Source104: freeradius-tmpfiles.conf
Source105: rfc3526-group-18-8192.pem
Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
Patch2: freeradius-Use-system-crypto-policy-by-default.patch
Patch3: freeradius-man-Fix-some-typos.patch
Patch4: freeradius-Add-missing-option-descriptions.patch
Patch5: freeradius-OpenSSL-HMAC-MD5.patch
Patch6: freeradius-OpenSSL-HMAC-SHA1.patch
Patch7: freeradius-python2-shebangs.patch
Patch8: freeradius-EAP-PWD-curve-handling.patch
Patch9: freeradius-listen-ipv6-fix.patch
Patch3: freeradius-bootstrap-create-only.patch
Patch4: freeradius-no-buildtime-cert-gen.patch
Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
Patch6: freeradius-bootstrap-make-permissions.patch
Patch7: freeradius-no-dh-param-load-FIPS.patch
Patch8: freeradius-bootstrap-fixed-dhparam.patch
Patch9: freeradius-man-Fix-some-typos.patch
Patch10: freeradius-Fix-resource-hard-limit-error.patch
Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
Patch12: freeradius-bootstrap-run-only-once.patch
Patch13: freeradius-Fix-unterminated-strings-in-SQL-queries.patch
Patch14: freeradius-Fix-segfault-when-home_server-is-null.patch
Patch15: freeradius-fix-crash-on-invalid-abinary-data.patch
Patch16: freeradius-fix-crash-unknown-eap-sim.patch
Patch17: freeradius-fix-info-leakage-eap-pwd.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -69,7 +78,7 @@ Requires(pre): shadow-utils glibc-common
Requires(post): systemd-sysv
Requires(post): systemd-units
# Needed for certificate generation
Requires(post): make
Requires: make
Requires(preun): systemd-units
Requires(postun): systemd-units
@ -152,7 +161,7 @@ This plugin provides the Perl support for the FreeRADIUS server project.
%if %{with python2}
%package -n python2-freeradius
Summary: Python support for freeradius
Summary: Python 2 support for freeradius
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
BuildRequires: python2-devel
@ -163,8 +172,18 @@ Provides: %{name}-python%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-python < %{version}-%{release}
%description -n python2-freeradius
This plugin provides the Python support for the FreeRADIUS server project.
%endif # with python2
This plugin provides the Python 2 support for the FreeRADIUS server project.
# endif: with python2
%endif
%package -n python3-freeradius
Summary: Python 3 support for freeradius
Requires: %{name} = %{version}-%{release}
BuildRequires: python3-devel
%{?python_provide:%python_provide python3-freeradius}
%description -n python3-freeradius
This plugin provides the Python 3 support for the FreeRADIUS server project.
%package mysql
Summary: MySQL support for freeradius
@ -225,11 +244,30 @@ This plugin provides the REST support for the FreeRADIUS server project.
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
# Add fixed dhparam file to the source to ensure `make tests` can run.
cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
%build
# Force compile/link options, extra security for network facing daemon
%global _hardened_build 1
# Hack: rlm_python3 as stable; prevents building other unstable modules.
sed 's/rlm_python.*/rlm_python3/g' src/modules/stable -i
# python3-config is broken:
# https://bugzilla.redhat.com/show_bug.cgi?id=1772988
export PY3_LIB_DIR=%{_libdir}/"$(python3-config --configdir | sed 's#/usr/lib/##g')"
export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"
%configure \
--libdir=%{_libdir}/freeradius \
--enable-reproducible-builds \
@ -245,6 +283,12 @@ This plugin provides the REST support for the FreeRADIUS server project.
--with-unixodbc-lib-dir=%{_libdir} \
--with-rlm-dbm-lib-dir=%{_libdir} \
--with-rlm-krb5-include-dir=/usr/kerberos/include \
--with-rlm_python3 \
--with-rlm-python3-lib-dir=$PY3_LIB_DIR \
--with-rlm-python3-include-dir=$PY3_INC_DIR \
%if %{without python2}
--without-rlm-python2 \
%endif
--without-rlm_eap_ikev2 \
--without-rlm_eap_tnc \
--without-rlm_sql_iodbc \
@ -252,11 +296,6 @@ This plugin provides the REST support for the FreeRADIUS server project.
--without-rlm_sql_db2 \
--without-rlm_sql_oracle \
--without-rlm_unbound \
%if %{without python2}
--without-rlm_python \
--without-python \
--disable-python \
%endif
--without-rlm_redis \
--without-rlm_rediswho \
--without-rlm_cache_memcached
@ -281,12 +320,16 @@ install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf
# Add fixed dhparam file
install -m 0644 %{SOURCE105} %{buildroot}/%{_sysconfdir}/raddb/certs/rfc3526-group-18-8192.dhparam
# install SNMP MIB files
mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
# remove unneeded stuff
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crl
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.csr
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.der
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.key
@ -320,11 +363,6 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab*
rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so
# conditionally remove python due to it being python2-only
%if %{without python2}
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/python
%endif
# Remove yubikey on RHEL
%if 0%{?rhel}
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/yubikey
@ -334,6 +372,10 @@ rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_yubikey.so
# remove unsupported config files
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf
# Mongo will never be supported on Fedora or RHEL
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/ippool/mongo/queries.conf
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/main/mongo/queries.conf
# install doc files omitted by standard install
for f in COPYRIGHT CREDITS INSTALL.rst README.rst VERSION; do
cp $f $RPM_BUILD_ROOT/%{docdir}
@ -365,12 +407,6 @@ exit 0
%post
%systemd_post radiusd.service
if [ $1 -eq 1 ]; then # install
# Initial installation
if [ ! -e /etc/raddb/certs/server.pem ]; then
/sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1
fi
fi
exit 0
%preun
@ -436,6 +472,7 @@ exit 0
/etc/raddb/certs/README
%config(noreplace) /etc/raddb/certs/xpextensions
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam
%attr(750,root,radiusd) /etc/raddb/certs/bootstrap
# mods-config
@ -463,6 +500,7 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/robust-proxy-accounting
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/soh
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/coa
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/coa-relay
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/example
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/inner-tunnel
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/dhcp
@ -527,6 +565,8 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pap
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/passwd
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/preprocess
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/python
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/python3
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/radutmp
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/realm
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/redis
@ -594,6 +634,7 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/eap
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/filter
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/operator-name
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/rfc7542
# binaries
@ -751,7 +792,14 @@ exit 0
/etc/raddb/mods-config/python/example.py*
/etc/raddb/mods-config/python/radiusd.py*
%{_libdir}/freeradius/rlm_python.so
%endif # with python2
# endif: with python2
%endif
%files -n python3-freeradius
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/python3
/etc/raddb/mods-config/python3/example.py*
/etc/raddb/mods-config/python3/radiusd.py*
%{_libdir}/freeradius/rlm_python3.so
%files mysql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/mysql
@ -767,6 +815,7 @@ exit 0
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/queries.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/schema.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
@ -803,6 +852,7 @@ exit 0
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/postgresql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/queries.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/schema.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/procedure.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/setup.sql
@ -852,6 +902,73 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog
* Fri Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-14
- Fix defect found by Covscan
Resolves: #2151704
* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-13
- Fix multiple CVEs
- Add rpminspect configuration
Resolves: #2151702
Resolves: #2151704
Resolves: #2151706
* Thu Dec 9 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-12
- Fix segfault when home_server is null
Resolves: bz#2030173
* Thu Nov 18 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-11
- Fix unterminated strings in SQL queries
Resolves: bz#2021247
* Fri Nov 12 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-10
- Rebuild to pick up latest json-c
Resolves: bz#2021818
* Tue Aug 03 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-9
- radiusd.service: don't fail if bootstrap script is not present
Resolves: bz#1954521
* Fri Jul 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-8
- Extend info about boostrap script in README and comments
Resolves: bz#1954521
* Wed Jul 21 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-7
- Ensure bootstrap script is run only once
Resolves: bz#1954521
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-6
- Exit if host in FIPS mode and MD5 usage not explicitly allowed
Resolves: bz#1958979
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-5
- Fix coredump not being able to be enabled
Resolves: bz#1977572
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-4
- Fix some manpage typos
Resolves: bz#1843807
* Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
- Require make for proper bootstrap execution, removes post script
Resolves: bz#1672285
* Wed Aug 05 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-2
- Fix breakage caused by OpenSSL FIPS regression
Related: bz#1855822
Related: bz#1810911
Resolves: bz#1672285
* Mon Jun 08 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-1
- Update to FreeRADIUS server version 3.0.20
- Introduce Python 3 support; resolves: bz#1623069
- DoS issues due to multithreaded BN_CTX access; resolves: bz#1818809
- Create tmp files in /run; resolves: bz#1805975
* Fri Nov 22 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-7
- Fix information leak due to aborting when needing more than 10 iterations
Resolves: bz#1751797
* Fri Jun 14 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-6
- Fix handling of IPv6-only hostnames with listen.ipaddr
Resolves: bz#1685546