29 changed files with 3042 additions and 531 deletions
--- a/.freeradius.metadata
+++ b/.freeradius.metadata
@ -1 +1 @@
-a0d4372ee124cbee6b90a4463ff068afe70e06ca SOURCES/freeradius-server-3.0.17.tar.bz2
+3dd0e18fa04aff410876309e4322313b700db2b7 SOURCES/freeradius-server-3.0.20.tar.bz2
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/freeradius-server-3.0.17.tar.bz2
+SOURCES/freeradius-server-3.0.20.tar.bz2
--- a/SOURCES/freeradius-Add-missing-option-descriptions.patch
+++ b/SOURCES/freeradius-Add-missing-option-descriptions.patch
@ -1,97 +0,0 @@
-From afb196b29606aafb5030e8c7ea414a4bd494cbc0 Mon Sep 17 00:00:00 2001
-From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
-Date: Fri, 14 Sep 2018 12:20:11 +0300
-Subject: [PATCH] man: Add missing option descriptions
-
---
- man/man8/raddebug.8 | 4 ++++
- man/man8/radiusd.8  | 7 +++++++
- man/man8/radmin.8   | 4 ++++
- 3 files changed, 15 insertions(+)
-
-diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8
-index 66e80e64fa..6e27e2453c 100644
--- a/man/man8/raddebug.8
-+++ b/man/man8/raddebug.8
-@@ -7,6 +7,8 @@ raddebug - Display debugging output from a running server.
- .IR condition ]
- .RB [ \-d
- .IR config_directory ]
-+.RB [ \-D
-+.IR dictionary_directory ]
- .RB [ \-n
- .IR name ]
- .RB [ \-i
-@@ -73,6 +75,8 @@ option is equivalent to using:
- .IP "\-d \fIconfig directory\fP"
- The radius configuration directory, usually /etc/raddb.  See the
- \fIradmin\fP manual page for more description of this option.
-+.IP "\-D \fIdictionary directory\fP"
-+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
- .IP "\-n \fImname\fP"
- Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
- .IP \-I\ \fIipv6-address\fP
-diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
-index c825f22d0d..98aef5e1be 100644
--- a/man/man8/radiusd.8
-+++ b/man/man8/radiusd.8
-@@ -6,6 +6,8 @@ radiusd - Authentication, Authorization and Accounting server
- .RB [ \-C ]
- .RB [ \-d
- .IR config_directory ]
-+.RB [ \-D
-+.IR dictionary_directory ]
- .RB [ \-f ]
- .RB [ \-h ]
- .RB [ \-i
-@@ -17,6 +19,7 @@ radiusd - Authentication, Authorization and Accounting server
- .IR name ]
- .RB [ \-p
- .IR port ]
-+.RB [ \-P ]
- .RB [ \-s ]
- .RB [ \-t ]
- .RB [ \-v ]
-@@ -55,6 +58,8 @@ configuration, and which modules are skipped, and therefore not checked.
- .IP "\-d \fIconfig directory\fP"
- Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
- files such as the \fIdictionary\fP and the \fIusers\fP files.
-+.IP "\-D \fIdictionary directory\fP"
-+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
- .IP \-f
- Do not fork, stay running as a foreground process.
- .IP \-h
-@@ -84,6 +89,8 @@ When this command-line option is given, all "listen" sections in
- \fIradiusd.conf\fP are ignored.
- 
- This option MUST be used in conjunction with "-i".
-+.IP "\-P
-+Always write out PID, even with -f.
- .IP \-s
- Run in "single server" mode.  The server normally runs with multiple
- threads and/or processes, which can lower its response time to
-diff --git a/man/man8/radmin.8 b/man/man8/radmin.8
-index 5ecc963d81..5bf661fa71 100644
--- a/man/man8/radmin.8
-+++ b/man/man8/radmin.8
-@@ -5,6 +5,8 @@ radmin - FreeRADIUS Administration tool
- .B radmin
- .RB [ \-d
- .IR config_directory ]
-+.RB [ \-D
-+.IR dictionary_directory ]
- .RB [ \-e
- .IR command ]
- .RB [ \-E ]
-@@ -34,6 +36,8 @@ The following command-line options are accepted by the program.
- Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server
- configuration files to find the "listen" section that defines the
- control socket filename.
-+.IP "\-D \fIdictionary directory\fP"
-+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
- .IP "\-e \fIcommand\fP"
- Run \fIcommand\fP and exit.
- .IP \-E
-- 
-2.18.0
-
--- a/SOURCES/freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
+++ b/SOURCES/freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
@ -12,24 +12,24 @@ diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
 index 2621e183c..94494b2c6 100644
 --- a/raddb/mods-available/eap
 +++ b/raddb/mods-available/eap
-@@ -472,7 +472,7 @@ eap {
- 			#
+@@ -533,7 +533,7 @@
 			#  You should also delete all of the files
 			#  in the directory when the server starts.
-	#		tmpdir = /tmp/radiusd
-+	#		tmpdir = /var/run/radiusd/tmp
+ 			#
+-		#	tmpdir = /tmp/radiusd
+		#	tmpdir = /var/run/radiusd/tmp
 
 			#  The command used to verify the client cert.
 			#  We recommend using the OpenSSL command-line
-@@ -486,7 +486,7 @@ eap {
- 			#  in PEM format.  This file is automatically
+@@ -548,7 +548,7 @@
 			#  deleted by the server when the command
 			#  returns.
-	#		client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
-+	#		client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+ 			#
+-		#	client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+		#	client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
 		}
 
- 		#
+ 		#  OCSP Configuration
 diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
 index a83c1f687..e500cf97b 100644
 --- a/raddb/radiusd.conf.in
--- a/SOURCES/freeradius-EAP-PWD-curve-handling.patch
+++ b/SOURCES/freeradius-EAP-PWD-curve-handling.patch
@ -1,45 +0,0 @@
-diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
-index 7f91e4b230..848ca2055e 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
-+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
-@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
- 	data_len = BN_num_bytes(session->order);
- 	BN_bin2bn(ptr, data_len, session->peer_scalar);
-
-+	/* validate received scalar */
-+	if (BN_is_zero(session->peer_scalar) ||
-+	    BN_is_one(session->peer_scalar) ||
-+	    BN_cmp(session->peer_scalar, session->order) >= 0) {
-+		ERROR("Peer's scalar is not within the allowed range");
-+		goto finish;
-+	}
-+
- 	if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
- 		DEBUG2("pwd: unable to get coordinates of peer's element");
- 		goto finish;
- 	}
-
-+	/* validate received element */
-+	if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
-+	    EC_POINT_is_at_infinity(session->group, session->peer_element)) {
-+		ERROR("Peer's element is not a point on the elliptic curve");
-+		goto finish;
-+	}
-+
- 	/* check to ensure peer's element is not in a small sub-group */
- 	if (BN_cmp(cofactor, BN_value_one())) {
- 		if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
-@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
- 		}
- 	}
-
-+	/* detect reflection attacks */
-+	if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
-+	    EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
-+		ERROR("Reflection attack detected");
-+		goto finish;
-+	}
-+
- 	/* compute the shared key, k */
- 	if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
- 	    (!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||
--- a/SOURCES/freeradius-FIPS-exit-if-md5-not-allowed.patch
+++ b/SOURCES/freeradius-FIPS-exit-if-md5-not-allowed.patch
@ -0,0 +1,39 @@
+Author: Antonio Torres <antorres@redhat.com>
+Date:   Fri Jul 2 07:12:48 2021 -0400
+Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
+
+	FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
+	explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
+	variable to 1 or else FR should exit at start.
+	
+	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
+	Signed-off-by: Antonio Torres antorres@redhat.com
+---
+ src/main/radiusd.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/main/radiusd.c b/src/main/radiusd.c
+index 9739514509..58a48895e6 100644
+--- a/src/main/radiusd.c
+++ b/src/main/radiusd.c
+@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
+ 		exit(EXIT_FAILURE);
+ 	}
+ 
+	/*
+	 *  If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
+	 */
+	char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
+	FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
+	if (fips_file != NULL) {
+		int fips_enabled = fgetc(fips_file) - '0';
+		fclose(fips_file);
+		if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
+			fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
+			exit(EXIT_FAILURE);
+		}
+	}
+
+ 	/*
+ 	 *  According to the talloc peeps, no two threads may modify any part of
+ 	 *  a ctx tree with a common root without synchronisation.
--- a/SOURCES/freeradius-Fix-resource-hard-limit-error.patch
+++ b/SOURCES/freeradius-Fix-resource-hard-limit-error.patch
@ -0,0 +1,32 @@
+commit 1ce4508c92493cf03ea1b3c42e83540b387884fa
+Author: Antonio Torres <antorres@redhat.com>
+Date:   Fri Jul 2 07:12:48 2021 -0400
+Subject: [PATCH] debug: don't set resource hard limit to zero
+
+    Setting the resource hard limit to zero is irreversible, meaning if it
+    is set to zero then there is no way to set it higher. This means
+    enabling core dump is not possible, since setting a new resource limit
+    for RLIMIT_CORE would fail. By only setting the soft limit to zero, we
+    can disable and enable core dumps without failures.
+
+    This fix is present in both main and 3.0.x upstream branches.
+    
+    Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572
+    Signed-off-by: Antonio Torres antorres@redhat.com
+---
+ src/lib/debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/debug.c b/src/lib/debug.c
+index 576bcb2a65..6330c9cb66 100644
+--- a/src/lib/debug.c
+++ b/src/lib/debug.c
+@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps)
+ 		struct rlimit no_core;
+ 
+ 		no_core.rlim_cur = 0;
+-		no_core.rlim_max = 0;
+		no_core.rlim_max = core_limits.rlim_max;
+ 
+ 		if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
+ 			fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));
--- a/SOURCES/freeradius-Fix-segfault-when-home_server-is-null.patch
+++ b/SOURCES/freeradius-Fix-segfault-when-home_server-is-null.patch
@ -0,0 +1,51 @@
+From e2de6fab148e800380f1929fe4ea88a38de42053 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Wed, 20 Nov 2019 13:59:54 -0500
+Subject: [PATCH] a better fix for commit 30ffd21
+
+Which still runs post-proxy-type fail if all of the home servers
+are dead
+
+[antorres@redhat.com: solved in FR 3.0.21, resolves bz#2030173]
+[antorres@redhat.com: removed first hunk of commit, already present]
+---
+ src/main/process.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/src/main/process.c b/src/main/process.c
+index c8b3af24e2..1a48517d43 100644
+--- a/src/main/process.c
+++ b/src/main/process.c
+@@ -2475,13 +2474,12 @@ static int process_proxy_reply(REQUEST *request, RADIUS_PACKET *reply)
+ 	}
+ 
+ 	old_server = request->server;
+-	rad_assert(request->home_server != NULL);
+ 
+ 	/*
+ 	 *	If the home server is virtual, just run pre_proxy from
+ 	 *	that section.
+ 	 */
+-	if (request->home_server->server) {
+	if (request->home_server && request->home_server->server) {
+ 		request->server = request->home_server->server;
+ 
+ 	} else {
+@@ -3182,13 +3180,12 @@ do_home:
+ 	}
+ 
+ 	old_server = request->server;
+-	rad_assert(request->home_server != NULL);
+ 
+ 	/*
+ 	 *	If the home server is virtual, just run pre_proxy from
+ 	 *	that section.
+ 	 */
+-	if (request->home_server->server) {
+	if (request->home_server && request->home_server->server) {
+ 		request->server = request->home_server->server;
+ 
+ 	} else {
+-- 
+2.31.1
+
--- a/SOURCES/freeradius-Fix-unterminated-strings-in-SQL-queries.patch
+++ b/SOURCES/freeradius-Fix-unterminated-strings-in-SQL-queries.patch
@ -0,0 +1,41 @@
+From 3fd832baf898fe6d6f974cd2d36d1c5206bc2209 Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 12 Nov 2021 16:23:05 +0100
+Subject: [PATCH] Fix unterminated strings in SQL queries
+
+Resolves: bz#2021247
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ raddb/mods-config/sql/ippool/mysql/queries.conf  | 2 +-
+ raddb/mods-config/sql/ippool/sqlite/queries.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/raddb/mods-config/sql/ippool/mysql/queries.conf b/raddb/mods-config/sql/ippool/mysql/queries.conf
+index 2dfc6574dd..444812a047 100644
+--- a/raddb/mods-config/sql/ippool/mysql/queries.conf
+++ b/raddb/mods-config/sql/ippool/mysql/queries.conf
+@@ -114,7 +114,7 @@ allocate_update = "\
+ 		nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool_key}', \
+ 		callingstationid = '%{Calling-Station-Id}', \
+ 		username = '%{User-Name}', expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \
+-	WHERE framedipaddress = '%I'
+	WHERE framedipaddress = '%I'"
+ 
+ #
+ #  Use a stored procedure to find AND allocate the address. Read and customise
+diff --git a/raddb/mods-config/sql/ippool/sqlite/queries.conf b/raddb/mods-config/sql/ippool/sqlite/queries.conf
+index 31a5df3659..e92466108b 100644
+--- a/raddb/mods-config/sql/ippool/sqlite/queries.conf
+++ b/raddb/mods-config/sql/ippool/sqlite/queries.conf
+@@ -89,7 +89,7 @@ allocate_update = "\
+ 		callingstationid = '%{Calling-Station-Id}', \
+ 		username = '%{User-Name}', \
+ 		expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \
+-	WHERE framedipaddress = '%I'
+	WHERE framedipaddress = '%I'"
+ 
+ #
+ #  This series of queries frees an IP number when an accounting START record arrives
+-- 
+2.31.1
+
--- a/SOURCES/freeradius-OpenSSL-HMAC-MD5.patch
+++ b/SOURCES/freeradius-OpenSSL-HMAC-MD5.patch
@ -1,68 +0,0 @@
-From b93796b1890b35a0922bfba9cd08e8a1a5f956cf Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Fri, 28 Sep 2018 09:54:46 -0400
-Subject: [PATCH 1/2] Replace HMAC-MD5 implementation with OpenSSL's
-
-If OpenSSL EVP is not found, fallback to internal implementation of
-HMAC-MD5.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
- src/lib/hmacmd5.c | 34 +++++++++++++++++++++++++++++++++-
- 1 file changed, 33 insertions(+), 1 deletion(-)
-
-diff --git a/src/lib/hmacmd5.c b/src/lib/hmacmd5.c
-index 2c662ff368..1cca00fa2a 100644
--- a/src/lib/hmacmd5.c
-+++ b/src/lib/hmacmd5.c
-@@ -27,10 +27,41 @@
-
- RCSID("$Id: 2c662ff368e46556edd2cfdf408bd0fca0ab5f18 $")
-
-+#ifdef HAVE_OPENSSL_EVP_H
-+#include <openssl/hmac.h>
-+#include <openssl/evp.h>
-+#endif
-+
- #include <freeradius-devel/libradius.h>
- #include <freeradius-devel/md5.h>
-
-/** Calculate HMAC using MD5
-+#ifdef HAVE_OPENSSL_EVP_H
-+/** Calculate HMAC using OpenSSL's MD5 implementation
-+ *
-+ * @param digest Caller digest to be filled in.
-+ * @param text Pointer to data stream.
-+ * @param text_len length of data stream.
-+ * @param key Pointer to authentication key.
-+ * @param key_len Length of authentication key.
-+ *
-+ */
-+void fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
-+		 uint8_t const *key, size_t key_len)
-+{
-+	HMAC_CTX *ctx  = HMAC_CTX_new();
-+
-+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
-+	/* Since MD5 is not allowed by FIPS, explicitly allow it. */
-+	HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-+#endif /* EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */
-+
-+	HMAC_Init_ex(ctx, key, key_len, EVP_md5(), NULL);
-+	HMAC_Update(ctx, text, text_len);
-+	HMAC_Final(ctx, digest, NULL);
-+	HMAC_CTX_free(ctx);
-+}
-+#else
-+/** Calculate HMAC using internal MD5 implementation
-  *
-  * @param digest Caller digest to be filled in.
-  * @param text Pointer to data stream.
-@@ -101,6 +132,7 @@
- 					      * hash */
- 	fr_md5_final(digest, &context);	  /* finish up 2nd pass */
- }
-+#endif /* HAVE_OPENSSL_EVP_H */
-
- /*
- Test Vectors (Trailing '\0' of a character string not included in test):
--- a/SOURCES/freeradius-OpenSSL-HMAC-SHA1.patch
+++ b/SOURCES/freeradius-OpenSSL-HMAC-SHA1.patch
@ -1,73 +0,0 @@
-From 91f663ce1b46ecd99399023ad539f158419272e7 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Fri, 28 Sep 2018 11:03:52 -0400
-Subject: [PATCH 2/2] Replace HMAC-SHA1 implementation with OpenSSL's
-
-If OpenSSL EVP is not found, fallback to internal implementation of
-HMAC-SHA1.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
- src/lib/hmacsha1.c | 29 ++++++++++++++++++++++++++++-
- 1 file changed, 28 insertions(+), 1 deletion(-)
-
-diff --git a/src/lib/hmacsha1.c b/src/lib/hmacsha1.c
-index c3cbd87a2c..211470ea35 100644
--- a/src/lib/hmacsha1.c
-+++ b/src/lib/hmacsha1.c
-@@ -10,13 +10,19 @@
-
- RCSID("$Id: c3cbd87a2c13c47da93fdb1bdfbf6da4c22aaac5 $")
-
-+#ifdef HAVE_OPENSSL_EVP_H
-+#include <openssl/hmac.h>
-+#include <openssl/evp.h>
-+#endif
-+
- #include <freeradius-devel/libradius.h>
-
- #ifdef HMAC_SHA1_DATA_PROBLEMS
- unsigned int sha1_data_problems = 0;
- #endif
-
-/** Calculate HMAC using SHA1
-+#ifdef HAVE_OPENSSL_EVP_H
-+/** Calculate HMAC using OpenSSL's SHA1 implementation
-  *
-  * @param digest Caller digest to be filled in.
-  * @param text Pointer to data stream.
-@@ -28,6 +34,26 @@
- void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
- 		  uint8_t const *key, size_t key_len)
- {
-+	HMAC_CTX *ctx  = HMAC_CTX_new();
-+	HMAC_Init_ex(ctx, key, key_len, EVP_sha1(), NULL);
-+	HMAC_Update(ctx, text, text_len);
-+	HMAC_Final(ctx, digest, NULL);
-+	HMAC_CTX_free(ctx);
-+}
-+
-+#else
-+
-+/** Calculate HMAC using internal SHA1 implementation
-+ *
-+ * @param digest Caller digest to be filled in.
-+ * @param text Pointer to data stream.
-+ * @param text_len length of data stream.
-+ * @param key Pointer to authentication key.
-+ * @param key_len Length of authentication key.
-+ */
-+void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
-+		  uint8_t const *key, size_t key_len)
-+{
- 	fr_sha1_ctx context;
- 	uint8_t k_ipad[65];    /* inner padding - key XORd with ipad */
- 	uint8_t k_opad[65];    /* outer padding - key XORd with opad */
-@@ -142,6 +168,7 @@
- 	}
- #endif
- }
-+#endif /* HAVE_OPENSSL_EVP_H */
-
- /*
- Test Vectors (Trailing '\0' of a character string not included in test):
--- a/SOURCES/freeradius-Use-system-crypto-policy-by-default.patch
+++ b/SOURCES/freeradius-Use-system-crypto-policy-by-default.patch
@ -1,33 +1,43 @@
-From d78bf5ab1f5c8102b2b6051cfb1198488be9597d Mon Sep 17 00:00:00 2001
-From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
-Date: Mon, 26 Sep 2016 19:48:36 +0300
-Subject: [PATCH] Use system crypto policy by default
+From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 8 May 2019 10:16:31 -0400
+Subject: [PATCH] Use system-provided crypto-policies by default

+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
 ---
- raddb/mods-available/eap        | 2 +-
+ raddb/mods-available/eap        | 4 ++--
 raddb/mods-available/inner-eap  | 2 +-
 raddb/sites-available/abfab-tls | 2 +-
 raddb/sites-available/tls       | 4 ++--
- 4 files changed, 5 insertions(+), 5 deletions(-)
+ 4 files changed, 6 insertions(+), 6 deletions(-)

 diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
-index 94494b2c6..9a8dc9327 100644
+index 36849e10f2..b28c0f19c6 100644
 --- a/raddb/mods-available/eap
 +++ b/raddb/mods-available/eap
-@@ -323,7 +323,7 @@ eap {
+@@ -368,7 +368,7 @@ eap {
 		#
- 		# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
+ 		#  For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
 		#
 -		cipher_list = "DEFAULT"
 +		cipher_list = "PROFILE=SYSTEM"
 
- 		# If enabled, OpenSSL will use server cipher list
- 		# (possibly defined by cipher_list option above)
+ 		#  If enabled, OpenSSL will use server cipher list
+ 		#  (possibly defined by cipher_list option above)
+@@ -912,7 +912,7 @@ eap {
+ 		#  Note - for OpenSSL 1.1.0 and above you may need
+ 		#  to add ":@SECLEVEL=0"
+ 		#
+-	#	cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
+	#	cipher_list = "PROFILE=SYSTEM"
+ 
+ 		#  PAC lifetime in seconds (default: seven days)
+ 		#
 diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
-index 2b4df6267..af9aa88cd 100644
+index 576eb7739e..ffa07188e2 100644
 --- a/raddb/mods-available/inner-eap
 +++ b/raddb/mods-available/inner-eap
-@@ -68,7 +68,7 @@ eap inner-eap {
+@@ -77,7 +77,7 @@ eap inner-eap {
 		#  certificates.  If so, edit this file.
 		ca_file = ${cadir}/ca.pem
 
@ -37,7 +47,7 @@ index 2b4df6267..af9aa88cd 100644
 		#  You may want to set a very small fragment size.
 		#  The TLS data here needs to go inside of the
 diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
-index 5dbe143da..46b5fea78 100644
+index 92f1d6330e..cd69b3905a 100644
 --- a/raddb/sites-available/abfab-tls
 +++ b/raddb/sites-available/abfab-tls
@@ -19,7 +19,7 @@ listen {
@ -50,10 +60,10 @@ index 5dbe143da..46b5fea78 100644
 		cache {
 			enable = no
 diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
-index cf1cd7a8a..7dd59cb6f 100644
+index bbc761b1c5..83cd35b851 100644
 --- a/raddb/sites-available/tls
 +++ b/raddb/sites-available/tls
-@@ -197,7 +197,7 @@ listen {
+@@ -215,7 +215,7 @@ listen {
 		# Set this option to specify the allowed
 		# TLS cipher suites.  The format is listed
 		# in "man 1 ciphers".
@ -62,7 +72,7 @@ index cf1cd7a8a..7dd59cb6f 100644
 
 		# If enabled, OpenSSL will use server cipher list
 		# (possibly defined by cipher_list option above)
-@@ -499,7 +499,7 @@ home_server tls {
+@@ -517,7 +517,7 @@ home_server tls {
 		# Set this option to specify the allowed
 		# TLS cipher suites.  The format is listed
 		# in "man 1 ciphers".
@ -72,5 +82,5 @@ index cf1cd7a8a..7dd59cb6f 100644
 
 }
 -- 
-2.13.2
+2.21.0

--- a/SOURCES/freeradius-bootstrap-create-only.patch
+++ b/SOURCES/freeradius-bootstrap-create-only.patch
@ -0,0 +1,91 @@
+From 3f40655ad0708b74a4a41b13c2b21995b157c14d Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 5 Aug 2020 15:53:45 -0400
+Subject: [PATCH] Don't clobber existing files on bootstrap
+
+Rebased: v3.0.20
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ raddb/certs/bootstrap | 35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 0f719aa..336a2bd 100755
+--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
+@@ -31,52 +31,55 @@ fi
+ #  Don't edit the following text.  Instead, edit the Makefile, and
+ #  re-generate these commands.
+ #
+-if [ ! -f dh ]; then
+if [ ! -e dh ]; then
+   openssl dhparam -out dh 2048 || exit 1
+-  if [ -e /dev/urandom ] ; then
+-	ln -sf /dev/urandom random
+-  else
+-	date > ./random;
+-  fi
+  ln -sf /dev/urandom random
+ fi
+ 
+-if [ ! -f server.key ]; then
+if [ ! -e server.key ]; then
+   openssl req -new  -out server.csr -keyout server.key -config ./server.cnf || exit 1
+  chmod g+r server.key
+ fi
+ 
+-if [ ! -f ca.key ]; then
+if [ ! -e ca.key ]; then
+   openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
+ fi
+ 
+-if [ ! -f index.txt ]; then
+if [ ! -e index.txt ]; then
+   touch index.txt
+ fi
+ 
+-if [ ! -f serial ]; then
+if [ ! -e serial ]; then
+   echo '01' > serial
+ fi
+ 
+-if [ ! -f server.crt ]; then
+if [ ! -e server.crt ]; then
+   openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
+ fi
+ 
+-if [ ! -f server.p12 ]; then
+if [ ! -e server.p12 ]; then
+   openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+  chmod g+r server.p12
+ fi
+ 
+-if [ ! -f server.pem ]; then
+if [ ! -e server.pem ]; then
+   openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+   openssl verify -CAfile ca.pem server.pem || exit 1
+  chmod g+r server.pem
+ fi
+ 
+-if [ ! -f ca.der ]; then
+if [ ! -e ca.der ]; then
+   openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
+ fi
+ 
+-if [ ! -f client.key ]; then
+if [ ! -e client.key ]; then
+   openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
+  chmod g+r client.key
+ fi
+ 
+-if [ ! -f client.crt ]; then
+if [ ! -e client.crt ]; then
+   openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
+ fi
+
+chown root:radiusd dh ca.* client.* server.*
+chmod 640 dh ca.* client.* server.*
+-- 
+2.26.2
+
--- a/SOURCES/freeradius-bootstrap-fixed-dhparam.patch
+++ b/SOURCES/freeradius-bootstrap-fixed-dhparam.patch
@ -0,0 +1,52 @@
+From b31f1ab9a0e1c010037d2d660e3ce4ea7eb07d6c Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 5 Aug 2020 16:10:52 -0400
+Subject: [PATCH] Use fixed FIPS-approved dhparam by default
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ raddb/certs/Makefile  | 2 +-
+ raddb/certs/bootstrap | 7 +++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
+index 5cbfd46..41b7aea 100644
+--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
+@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
+ #
+ ######################################################################
+ dh:
+-	$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
+	cp rfc3526-group-18-8192.dhparam dh
+ 
+ ######################################################################
+ #
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 9920ecf..59b3310 100755
+--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
+@@ -13,6 +13,10 @@
+ umask 027
+ cd `dirname $0`
+ 
+if [ ! -e random ]; then
+  ln -sf /dev/urandom random
+fi
+
+ make -h > /dev/null 2>&1
+ 
+ #
+@@ -35,8 +39,7 @@ fi
+ #  re-generate these commands.
+ #
+ if [ ! -e dh ]; then
+-  openssl dhparam -out dh 2048 || exit 1
+-  ln -sf /dev/urandom random
+  cp rfc3526-group-18-8192.dhparam dh
+ fi
+ 
+ if [ ! -e server.key ]; then
+-- 
+2.26.2
+
--- a/SOURCES/freeradius-bootstrap-make-permissions.patch
+++ b/SOURCES/freeradius-bootstrap-make-permissions.patch
@ -0,0 +1,29 @@
+From ea164ceafa05f96079204a3f0ae379e46e64a455 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Tue, 4 Aug 2020 10:08:15 -0400
+Subject: [PATCH] Fix permissions after generating certificates with make
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ raddb/certs/bootstrap | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 336a2bd..9920ecf 100755
+--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
+@@ -21,7 +21,10 @@ make -h > /dev/null 2>&1
+ #
+ if [ "$?" = "0" ]; then
+   make all
+-  exit $?
+  ret=$?
+  chown root:radiusd dh ca.* client.* server.*
+  chmod 640 dh ca.* client.* server.*
+  exit $ret
+ fi
+ 
+ #
+-- 
+2.26.2
+
--- a/SOURCES/freeradius-bootstrap-run-only-once.patch
+++ b/SOURCES/freeradius-bootstrap-run-only-once.patch
@ -0,0 +1,72 @@
+Author: Antonio Torres <antorres@redhat.com>
+Date:   Wed Jul 20 2021
+Subject: [PATCH] ensure bootstrap script is run only once
+
+	The bootstrap script should only run once. By checking if there are
+	certificates in the directory, we can exit early if certificates were
+	already generated.
+
+	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
+	Signed-off-by: Antonio Torres antorres@redhat.com
+---
+ raddb/certs/README    | 16 ++++++----------
+ raddb/certs/bootstrap | 18 ++++++++++++------
+ 2 files changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/raddb/certs/README b/raddb/certs/README
+index 6288921da1..32413964dd 100644
+--- a/raddb/certs/README
+++ b/raddb/certs/README
+@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
+ your users, and to issue client certificates for EAP-TLS.
+ 
+   If FreeRADIUS was configured to use OpenSSL, then simply starting
+-the server in root in debugging mode should also create test
+-certificates, i.e.:
+the server in root mode should also create test certificates.
+ 
+-$ radiusd -X
+-
+-  That will cause the EAP-TLS module to run the "bootstrap" script in
+-this directory.  The script will be executed only once, the first time
+-the server has been installed on a particular machine.  This bootstrap
+-script SHOULD be run on installation of any pre-built binary package
+-for your OS.  In any case, the script will ensure that it is not run
+-twice, and that it does not over-write any existing certificates.
+  The start of FreeRADIUS will cause to run the "bootstrap" script.
+The script will be executed during every start of FreeRADIUS via systemd but
+the script will ensure that it does not overwrite any existing certificates.
+Ideally, the bootstrap script file should be deleted after new testing certificates
+have been generated.
+ 
+   If you already have CA and server certificates, rename (or delete)
+ this directory, and create a new "certs" directory containing your
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 0f719aafd4..92254dc936 100755
+--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
+@@ -1,12 +1,18 @@
+ #!/bin/sh
+ #
+-#  This is a wrapper script to create default certificates when the
+-#  server first starts in debugging mode.  Once the certificates have been
+-#  created, this file should be deleted.
+# Bootstrap script should be run only once. If there are already certificates
+# generated, skip the execution.
+#
+cd `dirname $0`
+if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
+  exit 0
+fi
+
+ #
+-#  Ideally, this program should be run as part of the installation of any
+-#  binary package.  The installation should also ensure that the permissions
+-#  and owners are correct for the files generated by this script.
+#  This is a wrapper script to create default certificates when the
+#  server starts via systemd. It should also ensure that the
+#  permissions and owners are correct for the generated files. Once
+# the certificates have been created, this file should be deleted.
+ #
+ #  $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
+ #
--- a/SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch
+++ b/SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch
@ -0,0 +1,47 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 09 Dec 2022
+Subject: Fix crash on invalid abinary data
+
+A malicious RADIUS client or home server can send a malformed abinary
+attribute which can cause the server to crash.
+
+Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151706
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+diff --git a/src/lib/filters.c b/src/lib/filters.c
+index 4868cd385d9f..3f3b63daeef3 100644
+--- a/src/lib/filters.c
+++ b/src/lib/filters.c
+@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+ 			}
+ 		}
+ 	} else if (filter->type == RAD_FILTER_GENERIC) {
+-		int count;
+		size_t count, masklen;
+
+		masklen = ntohs(filter->u.generic.len);
+		if (masklen >= sizeof(filter->u.generic.mask)) {
+			*p = '\0';
+			return;
+		}
+ 
+ 		i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
+ 		p += i;
+ 
+ 		/* show the mask */
+-		for (count = 0; count < ntohs(filter->u.generic.len); count++) {
+		for (count = 0; count < masklen; count++) {
+ 			i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
+ 			p += i;
+ 			outlen -= i;
+@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+ 		outlen--;
+ 
+ 		/* show the value */
+-		for (count = 0; count < ntohs(filter->u.generic.len); count++) {
+		for (count = 0; count < masklen; count++) {
+ 			i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
+ 			p += i;
+ 			outlen -= i;
--- a/SOURCES/freeradius-fix-crash-unknown-eap-sim.patch
+++ b/SOURCES/freeradius-fix-crash-unknown-eap-sim.patch
@ -0,0 +1,115 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 09 Dec 2022
+Subject: Fix crash on unknown option in EAP-SIM
+
+When an EAP-SIM supplicant sends an unknown SIM option, the server will try to
+look that option up in the internal dictionaries. This lookup will fail, but the
+SIM code will not check for that failure. Instead, it will dereference a NULL
+pointer, and cause the server to crash.
+
+Backport of:
+https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
+https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151704
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
+index cf1e8a7dd92..e438a844eab 100644
+--- a/src/modules/rlm_eap/libeap/eapsimlib.c
+++ b/src/modules/rlm_eap/libeap/eapsimlib.c
+@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
+ 	newvp->vp_length = 1;
+ 	fr_pair_add(&(r->vps), newvp);
+ 
+	/*
+	 *	EAP-SIM has a 1 octet of subtype, and 2 octets
+	 *	reserved.
+	 */
+ 	attr     += 3;
+ 	attrlen  -= 3;
+ 
+-	/* now, loop processing each attribute that we find */
+-	while(attrlen > 0) {
+	/*
+	 *	Loop over each attribute.  The format is:
+	 *
+	 *	1 octet of type
+	 *	1 octet of length (value 1..255)
+	 *	((4 * length) - 2) octets of data.
+	 */
+	while (attrlen > 0) {
+ 		uint8_t *p;
+ 
+-		if(attrlen < 2) {
+		if (attrlen < 2) {
+ 			fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
+ 			return 0;
+ 		}
+ 
+		if (!attr[1]) {
+			fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", attr[0],
+					   es_attribute_count);
+			return 0;
+		}
+
+ 		eapsim_attribute = attr[0];
+ 		eapsim_len = attr[1] * 4;
+ 
+		/*
+		 *	The length includes the 2-byte header.
+		 */
+ 		if (eapsim_len > attrlen) {
+ 			fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
+ 					   eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
+ 			return 0;
+ 		}
+ 
+-		if(eapsim_len > MAX_STRING_LEN) {
+-			eapsim_len = MAX_STRING_LEN;
+-		}
+-		if (eapsim_len < 2) {
+-			fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
+-					   es_attribute_count);
+-			return 0;
+-		}
+		newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
+		if (!newvp) {
+			/*
+			 *	RFC 4186 Section 8.1 says 0..127 are
+			 *	"non-skippable".  If one such
+			 *	attribute is found and we don't
+			 *	understand it, the server has to send:
+			 *
+			 *	EAP-Request/SIM/Notification packet with an
+			 *	(AT_NOTIFICATION code, which implies general failure ("General
+			 *	failure after authentication" (0), or "General failure" (16384),
+			 *	depending on the phase of the exchange), which terminates the
+			 *	authentication exchange.
+			 */
+			if (eapsim_attribute <= 127) {
+				fr_strerror_printf("Unknown mandatory attribute %d, failing",
+						   eapsim_attribute);
+				return 0;
+			}
+ 
+-		newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
+-		newvp->vp_length = eapsim_len-2;
+-		newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+-		memcpy(p, &attr[2], eapsim_len-2);
+-		fr_pair_add(&(r->vps), newvp);
+-		newvp = NULL;
+		} else {
+			/*
+			 *	It's known, ccount for header, and
+			 *	copy the value over.
+			 */
+			newvp->vp_length = eapsim_len - 2;
+
+			newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+			memcpy(p, &attr[2], newvp->vp_length);
+			fr_pair_add(&(r->vps), newvp);
+		}
+ 
+ 		/* advance pointers, decrement length */
+ 		attr += eapsim_len;
--- a/SOURCES/freeradius-fix-info-leakage-eap-pwd.patch
+++ b/SOURCES/freeradius-fix-info-leakage-eap-pwd.patch
@ -0,0 +1,76 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 09 Dec 2022
+Subject: Fix information leakage in EAP-PWD
+
+The EAP-PWD function compute_password_element() leaks information about the 
+password which allows an attacker to substantially reduce the size of an 
+offline dictionary attack.
+
+Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+index d94851c3aa..9f86b62114 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API	/* OpenSSL API has been deprecated by Apple */
+ #include <freeradius-devel/radiusd.h>
+ #include <freeradius-devel/modules.h>
+ 
+static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
+
+ /* The random function H(x) = HMAC-SHA256(0^32, x) */
+ static void H_Init(HMAC_CTX *ctx)
+ {
+@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
+ 			      uint32_t *token)
+ {
+ 	BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
+-	HMAC_CTX *ctx = NULL;
+	EVP_MD_CTX *hmac_ctx;
+	EVP_PKEY *hmac_pkey;
+ 	uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
+ 	int nid, is_odd, primebitlen, primebytelen, ret = 0;
+ 
+-	ctx = HMAC_CTX_new();
+-	if (ctx == NULL) {
+-		DEBUG("failed allocating HMAC context");
+-		goto fail;
+-	}
+	MEM(hmac_ctx = EVP_MD_CTX_new());
+	MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
+ 
+ 	switch (grp_num) { /* from IANA registry for IKE D-H groups */
+ 	case 19:
+@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
+ 		 *    pwd-seed = H(token | peer-id | server-id | password |
+ 		 *		   counter)
+ 		 */
+-		H_Init(ctx);
+-		H_Update(ctx, (uint8_t *)token, sizeof(*token));
+-		H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
+-		H_Update(ctx, (uint8_t const *)id_server, id_server_len);
+-		H_Update(ctx, (uint8_t const *)password, password_len);
+-		H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
+-		H_Final(ctx, pwe_digest);
+		EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
+		EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
+		EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
+		EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
+		EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
+		EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
+ 
+ 		BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
+ 		if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
+@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
+ 	BN_clear_free(x_candidate);
+ 	BN_clear_free(rnd);
+ 	talloc_free(prfbuf);
+-	HMAC_CTX_free(ctx);
+	EVP_MD_CTX_free(hmac_ctx);
+	EVP_PKEY_free(hmac_pkey);
+ 
+ 	return ret;
+ }
--- a/SOURCES/freeradius-fixes-to-python3-module-since-v3.0.20.patch
+++ b/SOURCES/freeradius-fixes-to-python3-module-since-v3.0.20.patch
--- a/SOURCES/freeradius-listen-ipv6-fix.patch
+++ b/SOURCES/freeradius-listen-ipv6-fix.patch
@ -1,42 +0,0 @@
-From 98510efd0e2930d8924b47009945a0fb1bd75a29 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Mon, 22 Apr 2019 14:38:19 -0400
-Subject: [PATCH] Allow listen.ipaddr to reference an IPv6-only host
-
-In 5452b13cefa3b30f1da467ff5d68b3c1aa471188, these lines were added
-which effectively result in a listen.ipaddr only allowing hostnames to
-resolve to IPv4 addresses. With a hostname with only a IPv6 address,
-it'll bail with the error message:
-
-radiusd: #### Opening IP addresses and Ports ####
-listen {
-        type = "auth"
-Failed resolving "ipv6.cipherboy.com" to IPv4 address:
-    Name or service not known
-
-This directly contradicts the language in the default configuration
-file, so support resolving both IPv4-only and IPv6-only hostnames.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
- src/lib/misc.c | 7 -------
- 1 file changed, 7 deletions(-)
-
-diff --git a/src/lib/misc.c b/src/lib/misc.c
-index dff21e33f7..5520d8a0a4 100644
--- a/src/lib/misc.c
-+++ b/src/lib/misc.c
-@@ -607,13 +607,6 @@ int fr_pton(fr_ipaddr_t *out, char const *value, ssize_t inlen, int af, bool res
- 			fr_strerror_printf("Invalid address");
- 			return -1;
- 		}
-
-		/*
-		 *	Fall through to resolving the address, using
-		 *	whatever address family they prefer.  If they
-		 *	don't specify an address family, force IPv4.
-		 */
-		if (af == AF_UNSPEC) af = AF_INET;
- 	}
- 
- 	/*
--- a/SOURCES/freeradius-man-Fix-some-typos.patch
+++ b/SOURCES/freeradius-man-Fix-some-typos.patch
@ -4,91 +4,90 @@ Date: Fri, 14 Sep 2018 11:53:28 +0300
 Subject: [PATCH] man: Fix some typos

 ---
- man/man5/radrelay.conf.5 | 2 +-
- man/man5/rlm_files.5     | 2 +-
- man/man5/unlang.5        | 8 ++++----
- man/man8/radrelay.8      | 2 +-
- 4 files changed, 7 insertions(+), 7 deletions(-)
+ man/man1/radzap.1   | 4 ++--
+ man/man5/unlang.5   | 6 +++---
+ man/man8/radcrypt.8 | 2 +-
+ man/man8/radiusd.8  | 4 ++--
+ 4 files changed, 8 insertions(+), 8 deletions(-)

-diff --git a/man/man5/radrelay.conf.5 b/man/man5/radrelay.conf.5
-index 5fb38bfc4e..e3e665024b 100644
--- a/man/man5/radrelay.conf.5
-+++ b/man/man5/radrelay.conf.5
-@@ -26,7 +26,7 @@ Many sites run multiple radius servers; at least one primary and one
- backup server. When the primary goes down, most NASes detect that and
- switch to the backup server.
- 
-That will cause your accounting packets to go the the backup server -
-+That will cause your accounting packets to go to the backup server -
- and some NASes don't even switch back to the primary server when it
- comes back up.
- 
-diff --git a/man/man5/rlm_files.5 b/man/man5/rlm_files.5
-index bfee5030ff..52f4734ae3 100644
--- a/man/man5/rlm_files.5
-+++ b/man/man5/rlm_files.5
-@@ -48,7 +48,7 @@ This configuration entry enables you to have configurations that
- perform per-group checks, and return per-group attributes, where the
- group membership is dynamically defined by a previous module.  It also
- lets you do things like key off of attributes in the reply, and
-express policies like like "when I send replies containing attribute
-+express policies like "when I send replies containing attribute
- FOO with value BAR, do more checks, and maybe send additional
- attributes".
- .SH CONFIGURATION
+diff --git a/man/man1/radzap.1 b/man/man1/radzap.1
+index a2d529d064..03b9a43a54 100644
+--- a/man/man1/radzap.1
+++ b/man/man1/radzap.1
+@@ -1,4 +1,4 @@
+-.TH RADZAP 1 "8 April 2005" "" "FreeRadius Daemon"
+.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon"
+ .SH NAME
+ radzap - remove rogue entries from the active sessions database
+ .SH SYNOPSIS
+@@ -17,7 +17,7 @@ radzap - remove rogue entries from the active sessions database
+ .RB [ \-x ]
+ \fIserver[:port] secret\fP
+ .SH DESCRIPTION
+-The FreeRadius server can be configured to maintain an active session
+The FreeRADIUS server can be configured to maintain an active session
+ database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1)
+ use this database. Sometimes that database can get out of sync, and
+ then it might contain rogue entries. \fBradzap\fP can clean up this
 diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
-index 76db8f2d1c..12fe7855b2 100644
+index 40db5fa6e7..5f765f1787 100644
 --- a/man/man5/unlang.5
 +++ b/man/man5/unlang.5
-@@ -36,7 +36,7 @@ the pre-defined keywords here.
+@@ -195,7 +195,7 @@ The <list> can be one of "request", "reply", "proxy-request",
+ of Version 3, the <list> can be omitted, in which case "request" is
+ assumed.
 
- Subject to a few limitations described below, any keyword can appear
- in any context.  The language consists of a series of entries, each
-one one line.  Each entry begins with a keyword.  Entries are
-+one line.  Each entry begins with a keyword.  Entries are
- organized into lists.  Processing of the language is line by line,
- from the start of the list to the end.  Actions are executed
- per-keyword.
-@@ -131,7 +131,7 @@ expanded as described in the DATA TYPES section, below.  The match is
- then performed on the string returned from the expansion.  If the
- argument is an attribute reference (e.g. &User-Name), then the match
- is performed on the value of that attribute.  Otherwise, the argument
-is taken to be a literal string, and and matching is done via simple
-+is taken to be a literal string, and matching is done via simple
- comparison.
+-The "control" list is the list of attributes maintainted internally by
+The "control" list is the list of attributes maintained internally by
+ the server that controls how the server processes the request.  Any
+ attribute that does not go in a packet on the network will generally
+ be placed in the "control" list.
+@@ -397,7 +397,7 @@ Evaluates to true if 'foo' is a non-empty string (single quotes, double
+ quotes, or back-quoted).  Also evaluates to true if 'foo' is a
+ non-zero number.  Note that the language is poorly typed, so the
+ string "0000" can be interpreted as a numerical zero.  This issue can
+-be avoided by comparings strings to an empty string, rather than by
+be avoided by comparing strings to an empty string, rather than by
+ evaluating the string by itself.
 
- No statement other than "case" can appear in a "switch" block.
-@@ -155,7 +155,7 @@ expanded as described in the DATA TYPES section, below.  The match is
- then performed on the string returned from the expansion.  If the
- argument is an attribute reference (e.g. &User-Name), then the match
- is performed on the value of that attribute.  Otherwise, the argument
-is taken to be a literal string, and and matching is done via simple
-+is taken to be a literal string, and matching is done via simple
- comparison.
+ If the word 'foo' is not a quoted string, then it can be taken as a
+@@ -854,7 +854,7 @@ failover tracking that nothing was done in the current section.
+ .IP ok
+ Instructs the server that the request was processed properly.  This
+ keyword can be used to over-ride earlier failures, if the local
+-administrator determines that the faiures are not catastrophic.
+administrator determines that the failures are not catastrophic.
+ .IP reject
+ Causes the request to be immediately rejected
+ .SH MODULE RETURN CODES
+diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
+index 08336c66f2..2917f60c46 100644
+--- a/man/man8/radcrypt.8
+++ b/man/man8/radcrypt.8
+@@ -30,7 +30,7 @@ Use a MD5 (Message Digest 5) hash.
+ Ignored if performing a password check.
+ .IP "\-c --check"
+ Perform a validation check on a password hash to verify if it matches
+-the plantext password.
+the plaintext password.
 
- .DS
-@@ -799,7 +799,7 @@ regular expression.  If no attribute matches, nothing else is done.
- The value can be an attribute reference, or an attribute-specific
- string.
- 
-When the value is an an attribute reference, it must take the form of
-+When the value is an attribute reference, it must take the form of
- "&Attribute-Name".  The leading "&" signifies that the value is a
- reference.  The "Attribute-Name" is an attribute name, such as
- "User-Name" or "request:User-Name".  When an attribute reference is
-diff --git a/man/man8/radrelay.8 b/man/man8/radrelay.8
-index fdba6995d5..99e65732a2 100644
--- a/man/man8/radrelay.8
-+++ b/man/man8/radrelay.8
-@@ -13,7 +13,7 @@ Many sites run multiple radius servers; at least one primary and one
- backup server. When the primary goes down, most NASes detect that and
- switch to the backup server.
- 
-That will cause your accounting packets to go the the backup server -
-+That will cause your accounting packets to go to the backup server -
- and some NASes don't even switch back to the primary server when it
- comes back up.
- 
-- 
-2.18.0
-
+ .SH EXAMPLES
+ .nf
+diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
+index 98aef5e1be..2ef5ccf789 100644
+--- a/man/man8/radiusd.8
+++ b/man/man8/radiusd.8
+@@ -211,11 +211,11 @@ This file is usually static. It defines all the possible RADIUS attributes
+ used in the other configuration files.  You don't have to modify it.
+ It includes other dictionary files in the same directory.
+ .IP hints
+-Defines certain hints to the radius server based on the users's loginname
+Defines certain hints to the radius server based on the users' loginname
+ or other attributes sent by the access server. It also provides for
+ mapping user names (such as Pusername -> username). This provides the
+ functionality that the \fILivingston 2.0\fP server has as "Prefix" and
+-"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
+"Suffix" support in the \fIusers\fP file, but is more general. Of course
+ the Livingston way of doing things is also supported, and you can even use
+ both at the same time (within certain limits).
+ .IP huntgroups
--- a/SOURCES/freeradius-no-buildtime-cert-gen.patch
+++ b/SOURCES/freeradius-no-buildtime-cert-gen.patch
@ -0,0 +1,104 @@
+From e6f7c9d4c2af1cda7760ca8155166bb5d4d541d0 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 8 May 2019 12:58:02 -0400
+Subject: [PATCH] Don't generate certificates in reproducible builds
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ Make.inc.in  | 5 +++++
+ configure    | 4 ++++
+ configure.ac | 3 +++
+ raddb/all.mk | 4 ++++
+ 4 files changed, 16 insertions(+)
+
+diff --git a/Make.inc.in b/Make.inc.in
+index 0b2cd74de8..8c623cf95c 100644
+--- a/Make.inc.in
+++ b/Make.inc.in
+@@ -173,3 +173,8 @@ else
+ 	TESTBINDIR = ./$(BUILD_DIR)/bin
+ 	TESTBIN    = ./$(BUILD_DIR)/bin
+ endif
+
+#
+#  With reproducible builds, do not generate certificates during installation
+#
+ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
+diff --git a/configure b/configure
+index c2c599c92b..3d4403a844 100755
+--- a/configure
+++ b/configure
+@@ -655,6 +655,7 @@ RUSERS
+ SNMPWALK
+ SNMPGET
+ PERL
+ENABLE_REPRODUCIBLE_BUILDS
+ openssl_version_check_config
+ WITH_DHCP
+ modconfdir
+@@ -5586,6 +5587,7 @@ else
+ fi
+ 
+ 
+ENABLE_REPRODUCIBLE_BUILDS=yes
+ # Check whether --enable-reproducible-builds was given.
+ if test "${enable_reproducible_builds+set}" = set; then :
+   enableval=$enable_reproducible_builds;  case "$enableval" in
+@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
+     ;;
+   *)
+     reproducible_builds=no
+    ENABLE_REPRODUCIBLE_BUILDS=no
+   esac
+ 
+ fi
+@@ -5604,6 +5607,7 @@ fi
+ 
+ 
+ 
+
+ CHECKRAD=checkrad
+ # Extract the first word of "perl", so it can be a program name with args.
+ set dummy perl; ac_word=$2
+diff --git a/configure.ac b/configure.ac
+index a7abf0025a..35b013f4af 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config])
+ dnl #
+ dnl #  extra argument: --enable-reproducible-builds
+ dnl #
+ENABLE_REPRODUCIBLE_BUILDS=yes
+ AC_ARG_ENABLE(reproducible-builds,
+ [AS_HELP_STRING([--enable-reproducible-builds],
+                 [ensure the build does not change each time])],
+@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds,
+     ;;
+   *)
+     reproducible_builds=no
+    ENABLE_REPRODUCIBLE_BUILDS=no
+   esac ]
+ )
+AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
+ 
+ 
+ dnl #############################################################
+diff --git a/raddb/all.mk b/raddb/all.mk
+index c966edd657..c8e976a499 100644
+--- a/raddb/all.mk
+++ b/raddb/all.mk
+@@ -124,7 +124,11 @@ $(R)$(raddbdir)/users: $(R)$(modconfdir)/files/authorize
+ ifneq "$(LOCAL_CERT_PRODUCTS)" ""
+ $(LOCAL_CERT_PRODUCTS):
+ 	@echo BOOTSTRAP raddb/certs/
+ifeq "$(ENABLE_REPRODUCIBLE_BUILDS)" "yes"
+	@$(MAKE) -C $(R)$(raddbdir)/certs/ passwords.mk
+else
+ 	@$(MAKE) -C $(R)$(raddbdir)/certs/
+endif
+ 
+ # Bootstrap is special
+ $(R)$(raddbdir)/certs/bootstrap: | raddb/certs/bootstrap $(LOCAL_CERT_PRODUCTS)
+-- 
+2.21.0
+
--- a/SOURCES/freeradius-no-dh-param-load-FIPS.patch
+++ b/SOURCES/freeradius-no-dh-param-load-FIPS.patch
@ -0,0 +1,45 @@
+From 42693cba452efa00a4848beb1514229149520cc1 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 5 Aug 2020 11:39:45 -0400
+Subject: [PATCH] Ignore user-provided dhparams in FIPS mode (#3554)
+
+OpenSSL in RHEL 8.3 introduces a breaking change in FIPS mode:
+user-provided dhparams will be ignored (and dhparam generation
+may fail as well), unless they are on the FIPS approved list of
+parameters. However, OpenSSL since v1.1.1 will automatically select
+an appropriate DH parameter set anyways, if the user did not provide
+any. These will be FIPS approved.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ src/main/tls.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 5809a1bd7d..5e6493333c 100644
+--- a/src/main/tls.c
+++ b/src/main/tls.c
+@@ -1352,6 +1352,23 @@ static int load_dh_params(SSL_CTX *ctx, char *file)
+
+ 	if (!file) return 0;
+
+	/*
+	 * Prior to trying to load the file, check what OpenSSL will do with it.
+	 *
+	 * Certain downstreams (such as RHEL) will ignore user-provided dhparams
+	 * in FIPS mode, unless the specified parameters are FIPS-approved.
+	 * However, since OpenSSL >= 1.1.1 will automatically select parameters
+	 * anyways, there's no point in attempting to load them.
+	 *
+	 * Change suggested by @t8m
+	 */
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+	if (FIPS_mode() > 0) {
+		WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
+		return 0;
+	}
+#endif
+
+ 	if ((bio = BIO_new_file(file, "r")) == NULL) {
+ 		ERROR(LOG_PREFIX ": Unable to open DH file - %s", file);
+ 		return -1;
--- a/SOURCES/freeradius-python2-shebangs.patch
+++ b/SOURCES/freeradius-python2-shebangs.patch
@ -1,64 +0,0 @@
-From b8a6ac05977845851f02151ca35c3a51e88bd534 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Thu, 18 Oct 2018 12:40:53 -0400
-Subject: [PATCH] Clarify shebangs to be python2
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
- scripts/radtee                         | 2 +-
- src/modules/rlm_python/example.py      | 2 +-
- src/modules/rlm_python/prepaid.py      | 2 +-
- src/modules/rlm_python/radiusd.py      | 2 +-
- src/modules/rlm_python/radiusd_test.py | 2 +-
- 5 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/scripts/radtee b/scripts/radtee
-index 123769d244..78b4bcbe0b 100755
--- a/scripts/radtee
-+++ b/scripts/radtee
-@@ -1,4 +1,4 @@
-#!/usr/bin/env python
-+#!/usr/bin/env python2
- from __future__ import with_statement 
- 
- # RADIUS comparison tee v1.0
-diff --git a/src/modules/rlm_python/example.py b/src/modules/rlm_python/example.py
-index 5950a07678..eaf456e349 100644
--- a/src/modules/rlm_python/example.py
-+++ b/src/modules/rlm_python/example.py
-@@ -1,4 +1,4 @@
-#! /usr/bin/env python
-+#! /usr/bin/env python2
- #
- # Python module example file
- # Miguel A.L. Paraz <mparaz@mparaz.com>
-diff --git a/src/modules/rlm_python/prepaid.py b/src/modules/rlm_python/prepaid.py
-index c3cbf57b8f..3b1dc2e2e8 100644
--- a/src/modules/rlm_python/prepaid.py
-+++ b/src/modules/rlm_python/prepaid.py
-@@ -1,4 +1,4 @@
-#! /usr/bin/env python
-+#! /usr/bin/env python2
- #
- # Example Python module for prepaid usage using MySQL
- 
-diff --git a/src/modules/rlm_python/radiusd.py b/src/modules/rlm_python/radiusd.py
-index c535bb3caf..7129923994 100644
--- a/src/modules/rlm_python/radiusd.py
-+++ b/src/modules/rlm_python/radiusd.py
-@@ -1,4 +1,4 @@
-#! /usr/bin/env python
-+#! /usr/bin/env python2
- #
- # Definitions for RADIUS programs
- #
-diff --git a/src/modules/rlm_python/radiusd_test.py b/src/modules/rlm_python/radiusd_test.py
-index 13b7128b29..97b5b64f08 100644
--- a/src/modules/rlm_python/radiusd_test.py
-+++ b/src/modules/rlm_python/radiusd_test.py
-@@ -1,4 +1,4 @@
-#! /usr/bin/env python
-+#! /usr/bin/env python2
- #
- # Python module test
- # Miguel A.L. Paraz <mparaz@mparaz.com>
--- a/SOURCES/freeradius-tmpfiles.conf
+++ b/SOURCES/freeradius-tmpfiles.conf
@ -1 +1 @@
-D /var/run/radiusd 0710 radiusd radiusd -
+D /run/radiusd 0710 radiusd radiusd -
--- a/SOURCES/radiusd.service
+++ b/SOURCES/radiusd.service
@ -1,11 +1,12 @@
 [Unit]
 Description=FreeRADIUS high performance RADIUS server.
-After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service
+After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service mysql.service mariadb.service postgresql.service

 [Service]
 Type=forking
 PIDFile=/var/run/radiusd/radiusd.pid
 ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
+ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap
 ExecStartPre=/usr/sbin/radiusd -C
 ExecStart=/usr/sbin/radiusd -d /etc/raddb
 ExecReload=/usr/sbin/radiusd -C
--- a/SOURCES/rfc3526-group-18-8192.pem
+++ b/SOURCES/rfc3526-group-18-8192.pem
@ -0,0 +1,24 @@
+-----BEGIN DH PARAMETERS-----
+MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
+IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
+awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
+mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
+fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
+5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
+fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
+ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
+ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
+HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG
+3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU
+7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId
+A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha
+xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/
+8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R
+WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk
+ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw
+xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4
+Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i
+aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU
+38gfVuiAuW5xYMmA3Zjt09///////////wIBAg==
+-----END DH PARAMETERS-----
--- a/SPECS/freeradius.spec
+++ b/SPECS/freeradius.spec
@ -8,8 +8,8 @@

 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
-Version: 3.0.17
-Release: 6%{?dist}
+Version: 3.0.20
+Release: 14%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@ -28,16 +28,25 @@ Source100: radiusd.service
 Source102: freeradius-logrotate
 Source103: freeradius-pam-conf
 Source104: freeradius-tmpfiles.conf
+Source105: rfc3526-group-18-8192.pem

 Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
 Patch2: freeradius-Use-system-crypto-policy-by-default.patch
-Patch3: freeradius-man-Fix-some-typos.patch
-Patch4: freeradius-Add-missing-option-descriptions.patch
-Patch5: freeradius-OpenSSL-HMAC-MD5.patch
-Patch6: freeradius-OpenSSL-HMAC-SHA1.patch
-Patch7: freeradius-python2-shebangs.patch
-Patch8: freeradius-EAP-PWD-curve-handling.patch
-Patch9: freeradius-listen-ipv6-fix.patch
+Patch3: freeradius-bootstrap-create-only.patch
+Patch4: freeradius-no-buildtime-cert-gen.patch
+Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
+Patch6: freeradius-bootstrap-make-permissions.patch
+Patch7: freeradius-no-dh-param-load-FIPS.patch
+Patch8: freeradius-bootstrap-fixed-dhparam.patch
+Patch9: freeradius-man-Fix-some-typos.patch
+Patch10: freeradius-Fix-resource-hard-limit-error.patch
+Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
+Patch12: freeradius-bootstrap-run-only-once.patch
+Patch13: freeradius-Fix-unterminated-strings-in-SQL-queries.patch
+Patch14: freeradius-Fix-segfault-when-home_server-is-null.patch
+Patch15: freeradius-fix-crash-on-invalid-abinary-data.patch
+Patch16: freeradius-fix-crash-unknown-eap-sim.patch
+Patch17: freeradius-fix-info-leakage-eap-pwd.patch

 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}

@ -69,7 +78,7 @@ Requires(pre): shadow-utils glibc-common
 Requires(post): systemd-sysv
 Requires(post): systemd-units
 # Needed for certificate generation
-Requires(post): make
+Requires: make
 Requires(preun): systemd-units
 Requires(postun): systemd-units

@ -152,7 +161,7 @@ This plugin provides the Perl support for the FreeRADIUS server project.

 %if %{with python2}
 %package -n python2-freeradius
-Summary: Python support for freeradius
+Summary: Python 2 support for freeradius
 Group: System Environment/Daemons
 Requires: %{name} = %{version}-%{release}
 BuildRequires: python2-devel
@ -163,8 +172,18 @@ Provides: %{name}-python%{?_isa} = %{version}-%{release}
 Obsoletes: %{name}-python < %{version}-%{release}

 %description -n python2-freeradius
-This plugin provides the Python support for the FreeRADIUS server project.
-%endif # with python2
+This plugin provides the Python 2 support for the FreeRADIUS server project.
+# endif: with python2
+%endif
+
+%package -n python3-freeradius
+Summary: Python 3 support for freeradius
+Requires: %{name} = %{version}-%{release}
+BuildRequires: python3-devel
+%{?python_provide:%python_provide python3-freeradius}
+
+%description -n python3-freeradius
+This plugin provides the Python 3 support for the FreeRADIUS server project.

 %package mysql
 Summary: MySQL support for freeradius
@ -225,11 +244,30 @@ This plugin provides the REST support for the FreeRADIUS server project.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+
+# Add fixed dhparam file to the source to ensure `make tests` can run.
+cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam

 %build
 # Force compile/link options, extra security for network facing daemon
 %global _hardened_build 1

+# Hack: rlm_python3 as stable; prevents building other unstable modules.
+sed 's/rlm_python.*/rlm_python3/g' src/modules/stable -i
+
+# python3-config is broken:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1772988
+export PY3_LIB_DIR=%{_libdir}/"$(python3-config --configdir | sed 's#/usr/lib/##g')"
+export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"
+
 %configure \
        --libdir=%{_libdir}/freeradius \
        --enable-reproducible-builds \
@ -245,6 +283,12 @@ This plugin provides the REST support for the FreeRADIUS server project.
        --with-unixodbc-lib-dir=%{_libdir} \
        --with-rlm-dbm-lib-dir=%{_libdir} \
        --with-rlm-krb5-include-dir=/usr/kerberos/include \
+        --with-rlm_python3 \
+        --with-rlm-python3-lib-dir=$PY3_LIB_DIR \
+        --with-rlm-python3-include-dir=$PY3_INC_DIR \
+%if %{without python2}
+        --without-rlm-python2 \
+%endif
        --without-rlm_eap_ikev2 \
        --without-rlm_eap_tnc \
        --without-rlm_sql_iodbc \
@ -252,11 +296,6 @@ This plugin provides the REST support for the FreeRADIUS server project.
        --without-rlm_sql_db2 \
        --without-rlm_sql_oracle \
        --without-rlm_unbound \
-%if %{without python2}
-        --without-rlm_python \
-        --without-python \
-        --disable-python \
-%endif
        --without-rlm_redis \
        --without-rlm_rediswho \
        --without-rlm_cache_memcached
@ -281,12 +320,16 @@ install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
 install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf

+# Add fixed dhparam file
+install -m 0644 %{SOURCE105} %{buildroot}/%{_sysconfdir}/raddb/certs/rfc3526-group-18-8192.dhparam
+
 # install SNMP MIB files
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
 install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/

 # remove unneeded stuff
 rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt
+rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crl
 rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.csr
 rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.der
 rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.key
@ -320,11 +363,6 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab*

 rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so

-# conditionally remove python due to it being python2-only
-%if %{without python2}
-rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/python
-%endif
-
 # Remove yubikey on RHEL
 %if 0%{?rhel}
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/yubikey
@ -334,6 +372,10 @@ rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_yubikey.so
 # remove unsupported config files
 rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf

+# Mongo will never be supported on Fedora or RHEL
+rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/ippool/mongo/queries.conf
+rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/main/mongo/queries.conf
+
 # install doc files omitted by standard install
 for f in COPYRIGHT CREDITS INSTALL.rst README.rst VERSION; do
    cp $f $RPM_BUILD_ROOT/%{docdir}
@ -365,12 +407,6 @@ exit 0

 %post
 %systemd_post radiusd.service
-if [ $1 -eq 1 ]; then           # install
-  # Initial installation
-  if [ ! -e /etc/raddb/certs/server.pem ]; then
-    /sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1
-  fi
-fi
 exit 0

 %preun
@ -436,6 +472,7 @@ exit 0
 /etc/raddb/certs/README
 %config(noreplace) /etc/raddb/certs/xpextensions
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam
 %attr(750,root,radiusd) /etc/raddb/certs/bootstrap

 # mods-config
@ -463,6 +500,7 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/robust-proxy-accounting
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/soh
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/coa
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/coa-relay
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/example
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/inner-tunnel
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/dhcp
@ -527,6 +565,8 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pap
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/passwd
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/preprocess
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/python
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/python3
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/radutmp
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/realm
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/redis
@ -594,6 +634,7 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/eap
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/filter
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/operator-name
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/rfc7542


 # binaries
@ -751,7 +792,14 @@ exit 0
 /etc/raddb/mods-config/python/example.py*
 /etc/raddb/mods-config/python/radiusd.py*
 %{_libdir}/freeradius/rlm_python.so
-%endif # with python2
+# endif: with python2
+%endif
+
+%files -n python3-freeradius
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/python3
+/etc/raddb/mods-config/python3/example.py*
+/etc/raddb/mods-config/python3/radiusd.py*
+%{_libdir}/freeradius/rlm_python3.so

 %files mysql
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/mysql
@ -767,6 +815,7 @@ exit 0
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/queries.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/schema.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure.sql

 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
@ -803,6 +852,7 @@ exit 0
 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/postgresql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/queries.conf
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/schema.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/procedure.sql

 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/setup.sql
@ -852,6 +902,73 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest

 %changelog
+* Fri Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-14
+- Fix defect found by Covscan
+  Resolves: #2151704
+
+* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-13
+- Fix multiple CVEs
+- Add rpminspect configuration
+  Resolves: #2151702
+  Resolves: #2151704
+  Resolves: #2151706
+
+* Thu Dec 9 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-12
+- Fix segfault when home_server is null
+  Resolves: bz#2030173
+
+* Thu Nov 18 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-11
+- Fix unterminated strings in SQL queries
+  Resolves: bz#2021247
+
+* Fri Nov 12 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-10
+- Rebuild to pick up latest json-c
+  Resolves: bz#2021818
+
+* Tue Aug 03 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-9
+- radiusd.service: don't fail if bootstrap script is not present
+  Resolves: bz#1954521
+
+* Fri Jul 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-8
+- Extend info about boostrap script in README and comments
+  Resolves: bz#1954521
+
+* Wed Jul 21 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-7
+- Ensure bootstrap script is run only once
+  Resolves: bz#1954521
+
+* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-6
+- Exit if host in FIPS mode and MD5 usage not explicitly allowed
+  Resolves: bz#1958979
+
+* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-5
+- Fix coredump not being able to be enabled
+  Resolves: bz#1977572
+
+* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-4
+- Fix some manpage typos
+  Resolves: bz#1843807
+
+* Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
+- Require make for proper bootstrap execution, removes post script
+  Resolves: bz#1672285
+
+* Wed Aug 05 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-2
+- Fix breakage caused by OpenSSL FIPS regression
+  Related: bz#1855822
+  Related: bz#1810911
+  Resolves: bz#1672285
+
+* Mon Jun 08 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-1
+- Update to FreeRADIUS server version 3.0.20
+- Introduce Python 3 support; resolves: bz#1623069
+- DoS issues due to multithreaded BN_CTX access; resolves: bz#1818809
+- Create tmp files in /run; resolves: bz#1805975
+
+* Fri Nov 22 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-7
+- Fix information leak due to aborting when needing more than 10 iterations
+  Resolves: bz#1751797
+
 * Fri Jun 14 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-6
 - Fix handling of IPv6-only hostnames with listen.ipaddr
  Resolves: bz#1685546