Compare commits
No commits in common. "imports/c8-beta-stream-3.0/freeradius-3.0.17-6.module+el8.1.0+3392+9bd8939b" and "c8-stream-3.0" have entirely different histories.
@ -1 +1 @@
|
||||
a0d4372ee124cbee6b90a4463ff068afe70e06ca SOURCES/freeradius-server-3.0.17.tar.bz2
|
||||
3dd0e18fa04aff410876309e4322313b700db2b7 SOURCES/freeradius-server-3.0.20.tar.bz2
|
||||
|
.gitignore
@ -1 +1 @@
|
||||
SOURCES/freeradius-server-3.0.17.tar.bz2
|
||||
SOURCES/freeradius-server-3.0.20.tar.bz2
|
||||
|
@ -1,97 +0,0 @@
|
||||
From afb196b29606aafb5030e8c7ea414a4bd494cbc0 Mon Sep 17 00:00:00 2001
|
||||
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||||
Date: Fri, 14 Sep 2018 12:20:11 +0300
|
||||
Subject: [PATCH] man: Add missing option descriptions
|
||||
|
||||
---
|
||||
man/man8/raddebug.8 | 4 ++++
|
||||
man/man8/radiusd.8 | 7 +++++++
|
||||
man/man8/radmin.8 | 4 ++++
|
||||
3 files changed, 15 insertions(+)
|
||||
|
||||
diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8
|
||||
index 66e80e64fa..6e27e2453c 100644
|
||||
--- a/man/man8/raddebug.8
|
||||
+++ b/man/man8/raddebug.8
|
||||
@@ -7,6 +7,8 @@ raddebug - Display debugging output from a running server.
|
||||
.IR condition ]
|
||||
.RB [ \-d
|
||||
.IR config_directory ]
|
||||
+.RB [ \-D
|
||||
+.IR dictionary_directory ]
|
||||
.RB [ \-n
|
||||
.IR name ]
|
||||
.RB [ \-i
|
||||
@@ -73,6 +75,8 @@ option is equivalent to using:
|
||||
.IP "\-d \fIconfig directory\fP"
|
||||
The radius configuration directory, usually /etc/raddb. See the
|
||||
\fIradmin\fP manual page for more description of this option.
|
||||
+.IP "\-D \fIdictionary directory\fP"
|
||||
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
|
||||
.IP "\-n \fImname\fP"
|
||||
Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
|
||||
.IP \-I\ \fIipv6-address\fP
|
||||
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
|
||||
index c825f22d0d..98aef5e1be 100644
|
||||
--- a/man/man8/radiusd.8
|
||||
+++ b/man/man8/radiusd.8
|
||||
@@ -6,6 +6,8 @@ radiusd - Authentication, Authorization and Accounting server
|
||||
.RB [ \-C ]
|
||||
.RB [ \-d
|
||||
.IR config_directory ]
|
||||
+.RB [ \-D
|
||||
+.IR dictionary_directory ]
|
||||
.RB [ \-f ]
|
||||
.RB [ \-h ]
|
||||
.RB [ \-i
|
||||
@@ -17,6 +19,7 @@ radiusd - Authentication, Authorization and Accounting server
|
||||
.IR name ]
|
||||
.RB [ \-p
|
||||
.IR port ]
|
||||
+.RB [ \-P ]
|
||||
.RB [ \-s ]
|
||||
.RB [ \-t ]
|
||||
.RB [ \-v ]
|
||||
@@ -55,6 +58,8 @@ configuration, and which modules are skipped, and therefore not checked.
|
||||
.IP "\-d \fIconfig directory\fP"
|
||||
Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
|
||||
files such as the \fIdictionary\fP and the \fIusers\fP files.
|
||||
+.IP "\-D \fIdictionary directory\fP"
|
||||
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
|
||||
.IP \-f
|
||||
Do not fork, stay running as a foreground process.
|
||||
.IP \-h
|
||||
@@ -84,6 +89,8 @@ When this command-line option is given, all "listen" sections in
|
||||
\fIradiusd.conf\fP are ignored.
|
||||
|
||||
This option MUST be used in conjunction with "-i".
|
||||
+.IP "\-P
|
||||
+Always write out PID, even with -f.
|
||||
.IP \-s
|
||||
Run in "single server" mode. The server normally runs with multiple
|
||||
threads and/or processes, which can lower its response time to
|
||||
diff --git a/man/man8/radmin.8 b/man/man8/radmin.8
|
||||
index 5ecc963d81..5bf661fa71 100644
|
||||
--- a/man/man8/radmin.8
|
||||
+++ b/man/man8/radmin.8
|
||||
@@ -5,6 +5,8 @@ radmin - FreeRADIUS Administration tool
|
||||
.B radmin
|
||||
.RB [ \-d
|
||||
.IR config_directory ]
|
||||
+.RB [ \-D
|
||||
+.IR dictionary_directory ]
|
||||
.RB [ \-e
|
||||
.IR command ]
|
||||
.RB [ \-E ]
|
||||
@@ -34,6 +36,8 @@ The following command-line options are accepted by the program.
|
||||
Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server
|
||||
configuration files to find the "listen" section that defines the
|
||||
control socket filename.
|
||||
+.IP "\-D \fIdictionary directory\fP"
|
||||
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
|
||||
.IP "\-e \fIcommand\fP"
|
||||
Run \fIcommand\fP and exit.
|
||||
.IP \-E
|
||||
--
|
||||
2.18.0
|
||||
|
@ -12,24 +12,24 @@ diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
|
||||
index 2621e183c..94494b2c6 100644
|
||||
--- a/raddb/mods-available/eap
|
||||
+++ b/raddb/mods-available/eap
|
||||
@@ -472,7 +472,7 @@ eap {
|
||||
#
|
||||
@@ -533,7 +533,7 @@
|
||||
# You should also delete all of the files
|
||||
# in the directory when the server starts.
|
||||
#
|
||||
- # tmpdir = /tmp/radiusd
|
||||
+ # tmpdir = /var/run/radiusd/tmp
|
||||
|
||||
# The command used to verify the client cert.
|
||||
# We recommend using the OpenSSL command-line
|
||||
@@ -486,7 +486,7 @@ eap {
|
||||
# in PEM format. This file is automatically
|
||||
@@ -548,7 +548,7 @@
|
||||
# deleted by the server when the command
|
||||
# returns.
|
||||
#
|
||||
- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
|
||||
+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
|
||||
}
|
||||
|
||||
#
|
||||
# OCSP Configuration
|
||||
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
|
||||
index a83c1f687..e500cf97b 100644
|
||||
--- a/raddb/radiusd.conf.in
|
||||
|
@ -1,45 +0,0 @@
|
||||
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
index 7f91e4b230..848ca2055e 100644
|
||||
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
|
||||
data_len = BN_num_bytes(session->order);
|
||||
BN_bin2bn(ptr, data_len, session->peer_scalar);
|
||||
|
||||
+ /* validate received scalar */
|
||||
+ if (BN_is_zero(session->peer_scalar) ||
|
||||
+ BN_is_one(session->peer_scalar) ||
|
||||
+ BN_cmp(session->peer_scalar, session->order) >= 0) {
|
||||
+ ERROR("Peer's scalar is not within the allowed range");
|
||||
+ goto finish;
|
||||
+ }
|
||||
+
|
||||
if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
|
||||
DEBUG2("pwd: unable to get coordinates of peer's element");
|
||||
goto finish;
|
||||
}
|
||||
|
||||
+ /* validate received element */
|
||||
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
|
||||
+ EC_POINT_is_at_infinity(session->group, session->peer_element)) {
|
||||
+ ERROR("Peer's element is not a point on the elliptic curve");
|
||||
+ goto finish;
|
||||
+ }
|
||||
+
|
||||
/* check to ensure peer's element is not in a small sub-group */
|
||||
if (BN_cmp(cofactor, BN_value_one())) {
|
||||
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
|
||||
@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
|
||||
}
|
||||
}
|
||||
|
||||
+ /* detect reflection attacks */
|
||||
+ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
|
||||
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
|
||||
+ ERROR("Reflection attack detected");
|
||||
+ goto finish;
|
||||
+ }
|
||||
+
|
||||
/* compute the shared key, k */
|
||||
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
|
||||
(!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||
|
SOURCES/freeradius-FIPS-exit-if-md5-not-allowed.patch
@ -0,0 +1,39 @@
|
||||
Author: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri Jul 2 07:12:48 2021 -0400
|
||||
Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
|
||||
|
||||
FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
|
||||
explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
|
||||
variable to 1 or else FR should exit at start.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
|
||||
Signed-off-by: Antonio Torres antorres@redhat.com
|
||||
---
|
||||
src/main/radiusd.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
|
||||
index 9739514509..58a48895e6 100644
|
||||
--- a/src/main/radiusd.c
|
||||
+++ b/src/main/radiusd.c
|
||||
@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
|
||||
+ */
|
||||
+ char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
|
||||
+ FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
|
||||
+ if (fips_file != NULL) {
|
||||
+ int fips_enabled = fgetc(fips_file) - '0';
|
||||
+ fclose(fips_file);
|
||||
+ if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
|
||||
+ fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* According to the talloc peeps, no two threads may modify any part of
|
||||
* a ctx tree with a common root without synchronisation.
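Review bot: The override test `atoi(fips_md5_override) != 1` on the new line accepts any string whose leading digits parse to 1 (`1x`, ` 1`) and `atoi` reports no errors; the commit message describes an exact value, so test it exactly, `strcmp(fips_md5_override, "1") != 0`. The refusal is written with `fprintf(stderr, ...)` rather than the server's logger, so when radiusd is started without `-f` the reason may only survive in whatever captures stderr; presumably the logger is not yet initialised at this point in main(), and a comment saying so would spare the next reader the question. The environment variable is the only gate and is documented nowhere in-tree; radiusd(8) and the service unit should mention `RADIUS_MD5_FIPS_OVERRIDE` and state that setting it makes the process use MD5 in violation of the host's FIPS policy. main() continues outside the hunk.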
|
SOURCES/freeradius-Fix-resource-hard-limit-error.patch
@ -0,0 +1,32 @@
|
||||
commit 1ce4508c92493cf03ea1b3c42e83540b387884fa
|
||||
Author: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri Jul 2 07:12:48 2021 -0400
|
||||
Subject: [PATCH] debug: don't set resource hard limit to zero
|
||||
|
||||
Setting the resource hard limit to zero is irreversible, meaning if it
|
||||
is set to zero then there is no way to set it higher. This means
|
||||
enabling core dump is not possible, since setting a new resource limit
|
||||
for RLIMIT_CORE would fail. By only setting the soft limit to zero, we
|
||||
can disable and enable core dumps without failures.
|
||||
|
||||
This fix is present in both main and 3.0.x upstream branches.
|
||||
|
||||
Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572
|
||||
Signed-off-by: Antonio Torres antorres@redhat.com
|
||||
---
|
||||
src/lib/debug.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/debug.c b/src/lib/debug.c
|
||||
index 576bcb2a65..6330c9cb66 100644
|
||||
--- a/src/lib/debug.c
|
||||
+++ b/src/lib/debug.c
|
||||
@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps)
|
||||
struct rlimit no_core;
|
||||
|
||||
no_core.rlim_cur = 0;
|
||||
- no_core.rlim_max = 0;
|
||||
+ no_core.rlim_max = core_limits.rlim_max;
|
||||
|
||||
if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
|
||||
fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));
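Review bot: Keeping the inherited hard limit on the new line makes the "disabled" state soft-only: code running in the radiusd process, including an attacker who gains execution in it, can raise RLIMIT_CORE again and obtain a core containing shared secrets and cleartext credentials, whereas hard=0 was irreversible for an unprivileged process. The trade-off is deliberate per the commit message, but it belongs at the assignment as a comment, e.g. `/* Keep the inherited hard limit: hard=0 cannot be undone by an unprivileged process and would make a later allow_core_dumps=yes fail. */`, and the `allow_core_dumps` documentation should say that disabling now acts on the soft limit only. `core_limits` is presumably filled by a `getrlimit()` earlier in fr_set_dumpable(), outside the hunk; if that call can fail, its `rlim_max` is used uninitialised here. The function's body starts outside the hunk.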
|
@ -0,0 +1,51 @@
|
||||
From e2de6fab148e800380f1929fe4ea88a38de42053 Mon Sep 17 00:00:00 2001
|
||||
From: "Alan T. DeKok" <aland@freeradius.org>
|
||||
Date: Wed, 20 Nov 2019 13:59:54 -0500
|
||||
Subject: [PATCH] a better fix for commit 30ffd21
|
||||
|
||||
Which still runs post-proxy-type fail if all of the home servers
|
||||
are dead
|
||||
|
||||
[antorres@redhat.com: solved in FR 3.0.21, resolves bz#2030173]
|
||||
[antorres@redhat.com: removed first hunk of commit, already present]
|
||||
---
|
||||
src/main/process.c | 9 +++------
|
||||
1 file changed, 3 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/main/process.c b/src/main/process.c
|
||||
index c8b3af24e2..1a48517d43 100644
|
||||
--- a/src/main/process.c
|
||||
+++ b/src/main/process.c
|
||||
@@ -2475,13 +2474,12 @@ static int process_proxy_reply(REQUEST *request, RADIUS_PACKET *reply)
|
||||
}
|
||||
|
||||
old_server = request->server;
|
||||
- rad_assert(request->home_server != NULL);
|
||||
|
||||
/*
|
||||
* If the home server is virtual, just run pre_proxy from
|
||||
* that section.
|
||||
*/
|
||||
- if (request->home_server->server) {
|
||||
+ if (request->home_server && request->home_server->server) {
|
||||
request->server = request->home_server->server;
|
||||
|
||||
} else {
|
||||
@@ -3182,13 +3180,12 @@ do_home:
|
||||
}
|
||||
|
||||
old_server = request->server;
|
||||
- rad_assert(request->home_server != NULL);
|
||||
|
||||
/*
|
||||
* If the home server is virtual, just run pre_proxy from
|
||||
* that section.
|
||||
*/
|
||||
- if (request->home_server->server) {
|
||||
+ if (request->home_server && request->home_server->server) {
|
||||
request->server = request->home_server->server;
|
||||
|
||||
} else {
|
||||
--
|
||||
2.31.1
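Review bot: The new NULL check only guards the virtual-server branch; when `request->home_server` is NULL control falls into the `else` branch, which continues outside the hunk, so every later dereference of `request->home_server` in process_proxy_reply() and on the `do_home:` path needs the same guard or an early return, otherwise the removed `rad_assert` has been traded for a possible NULL dereference when all home servers are dead. The condition is not self-explanatory on the line, so a comment would help, `/* home_server is NULL when every server in the pool is dead; Post-Proxy-Type Fail still runs from the request's own server. */`. Both enclosing functions start and end outside the hunks.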
|
||||
|
@ -0,0 +1,41 @@
|
||||
From 3fd832baf898fe6d6f974cd2d36d1c5206bc2209 Mon Sep 17 00:00:00 2001
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 12 Nov 2021 16:23:05 +0100
|
||||
Subject: [PATCH] Fix unterminated strings in SQL queries
|
||||
|
||||
Resolves: bz#2021247
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
raddb/mods-config/sql/ippool/mysql/queries.conf | 2 +-
|
||||
raddb/mods-config/sql/ippool/sqlite/queries.conf | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/raddb/mods-config/sql/ippool/mysql/queries.conf b/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||
index 2dfc6574dd..444812a047 100644
|
||||
--- a/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||
+++ b/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||
@@ -114,7 +114,7 @@ allocate_update = "\
|
||||
nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool_key}', \
|
||||
callingstationid = '%{Calling-Station-Id}', \
|
||||
username = '%{User-Name}', expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \
|
||||
- WHERE framedipaddress = '%I'
|
||||
+ WHERE framedipaddress = '%I'"
|
||||
|
||||
#
|
||||
# Use a stored procedure to find AND allocate the address. Read and customise
|
||||
diff --git a/raddb/mods-config/sql/ippool/sqlite/queries.conf b/raddb/mods-config/sql/ippool/sqlite/queries.conf
|
||||
index 31a5df3659..e92466108b 100644
|
||||
--- a/raddb/mods-config/sql/ippool/sqlite/queries.conf
|
||||
+++ b/raddb/mods-config/sql/ippool/sqlite/queries.conf
|
||||
@@ -89,7 +89,7 @@ allocate_update = "\
|
||||
callingstationid = '%{Calling-Station-Id}', \
|
||||
username = '%{User-Name}', \
|
||||
expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \
|
||||
- WHERE framedipaddress = '%I'
|
||||
+ WHERE framedipaddress = '%I'"
|
||||
|
||||
#
|
||||
# This series of queries frees an IP number when an accounting START record arrives
|
||||
--
|
||||
2.31.1
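Review bot: Only the mysql and sqlite ippool dialects are corrected here; the same `allocate_update` query exists in the other ippool dialect files (postgresql, oracle, mssql) and, if they were edited by the same earlier change, may carry the same missing closing quote — worth checking before the build. The opening quote on the `allocate_update = "\` context line pairs with the added one, so these two strings now balance.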
|
||||
|
@ -1,68 +0,0 @@
|
||||
From b93796b1890b35a0922bfba9cd08e8a1a5f956cf Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Fri, 28 Sep 2018 09:54:46 -0400
|
||||
Subject: [PATCH 1/2] Replace HMAC-MD5 implementation with OpenSSL's
|
||||
|
||||
If OpenSSL EVP is not found, fallback to internal implementation of
|
||||
HMAC-MD5.
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
src/lib/hmacmd5.c | 34 +++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 33 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/hmacmd5.c b/src/lib/hmacmd5.c
|
||||
index 2c662ff368..1cca00fa2a 100644
|
||||
--- a/src/lib/hmacmd5.c
|
||||
+++ b/src/lib/hmacmd5.c
|
||||
@@ -27,10 +27,41 @@
|
||||
|
||||
RCSID("$Id: 2c662ff368e46556edd2cfdf408bd0fca0ab5f18 $")
|
||||
|
||||
+#ifdef HAVE_OPENSSL_EVP_H
|
||||
+#include <openssl/hmac.h>
|
||||
+#include <openssl/evp.h>
|
||||
+#endif
|
||||
+
|
||||
#include <freeradius-devel/libradius.h>
|
||||
#include <freeradius-devel/md5.h>
|
||||
|
||||
-/** Calculate HMAC using MD5
|
||||
+#ifdef HAVE_OPENSSL_EVP_H
|
||||
+/** Calculate HMAC using OpenSSL's MD5 implementation
|
||||
+ *
|
||||
+ * @param digest Caller digest to be filled in.
|
||||
+ * @param text Pointer to data stream.
|
||||
+ * @param text_len length of data stream.
|
||||
+ * @param key Pointer to authentication key.
|
||||
+ * @param key_len Length of authentication key.
|
||||
+ *
|
||||
+ */
|
||||
+void fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
|
||||
+ uint8_t const *key, size_t key_len)
|
||||
+{
|
||||
+ HMAC_CTX *ctx = HMAC_CTX_new();
|
||||
+
|
||||
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
|
||||
+ /* Since MD5 is not allowed by FIPS, explicitly allow it. */
|
||||
+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
+#endif /* EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */
|
||||
+
|
||||
+ HMAC_Init_ex(ctx, key, key_len, EVP_md5(), NULL);
|
||||
+ HMAC_Update(ctx, text, text_len);
|
||||
+ HMAC_Final(ctx, digest, NULL);
|
||||
+ HMAC_CTX_free(ctx);
|
||||
+}
|
||||
+#else
|
||||
+/** Calculate HMAC using internal MD5 implementation
|
||||
*
|
||||
* @param digest Caller digest to be filled in.
|
||||
* @param text Pointer to data stream.
|
||||
@@ -101,6 +132,7 @@
|
||||
* hash */
|
||||
fr_md5_final(digest, &context); /* finish up 2nd pass */
|
||||
}
|
||||
+#endif /* HAVE_OPENSSL_EVP_H */
|
||||
|
||||
/*
|
||||
Test Vectors (Trailing '\0' of a character string not included in test):
|
@ -1,73 +0,0 @@
|
||||
From 91f663ce1b46ecd99399023ad539f158419272e7 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Fri, 28 Sep 2018 11:03:52 -0400
|
||||
Subject: [PATCH 2/2] Replace HMAC-SHA1 implementation with OpenSSL's
|
||||
|
||||
If OpenSSL EVP is not found, fallback to internal implementation of
|
||||
HMAC-SHA1.
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
src/lib/hmacsha1.c | 29 ++++++++++++++++++++++++++++-
|
||||
1 file changed, 28 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/hmacsha1.c b/src/lib/hmacsha1.c
|
||||
index c3cbd87a2c..211470ea35 100644
|
||||
--- a/src/lib/hmacsha1.c
|
||||
+++ b/src/lib/hmacsha1.c
|
||||
@@ -10,13 +10,19 @@
|
||||
|
||||
RCSID("$Id: c3cbd87a2c13c47da93fdb1bdfbf6da4c22aaac5 $")
|
||||
|
||||
+#ifdef HAVE_OPENSSL_EVP_H
|
||||
+#include <openssl/hmac.h>
|
||||
+#include <openssl/evp.h>
|
||||
+#endif
|
||||
+
|
||||
#include <freeradius-devel/libradius.h>
|
||||
|
||||
#ifdef HMAC_SHA1_DATA_PROBLEMS
|
||||
unsigned int sha1_data_problems = 0;
|
||||
#endif
|
||||
|
||||
-/** Calculate HMAC using SHA1
|
||||
+#ifdef HAVE_OPENSSL_EVP_H
|
||||
+/** Calculate HMAC using OpenSSL's SHA1 implementation
|
||||
*
|
||||
* @param digest Caller digest to be filled in.
|
||||
* @param text Pointer to data stream.
|
||||
@@ -28,6 +34,26 @@
|
||||
void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
|
||||
uint8_t const *key, size_t key_len)
|
||||
{
|
||||
+ HMAC_CTX *ctx = HMAC_CTX_new();
|
||||
+ HMAC_Init_ex(ctx, key, key_len, EVP_sha1(), NULL);
|
||||
+ HMAC_Update(ctx, text, text_len);
|
||||
+ HMAC_Final(ctx, digest, NULL);
|
||||
+ HMAC_CTX_free(ctx);
|
||||
+}
|
||||
+
|
||||
+#else
|
||||
+
|
||||
+/** Calculate HMAC using internal SHA1 implementation
|
||||
+ *
|
||||
+ * @param digest Caller digest to be filled in.
|
||||
+ * @param text Pointer to data stream.
|
||||
+ * @param text_len length of data stream.
|
||||
+ * @param key Pointer to authentication key.
|
||||
+ * @param key_len Length of authentication key.
|
||||
+ */
|
||||
+void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
|
||||
+ uint8_t const *key, size_t key_len)
|
||||
+{
|
||||
fr_sha1_ctx context;
|
||||
uint8_t k_ipad[65]; /* inner padding - key XORd with ipad */
|
||||
uint8_t k_opad[65]; /* outer padding - key XORd with opad */
|
||||
@@ -142,6 +168,7 @@
|
||||
}
|
||||
#endif
|
||||
}
|
||||
+#endif /* HAVE_OPENSSL_EVP_H */
|
||||
|
||||
/*
|
||||
Test Vectors (Trailing '\0' of a character string not included in test):
|
@ -1,20 +1,21 @@
|
||||
From d78bf5ab1f5c8102b2b6051cfb1198488be9597d Mon Sep 17 00:00:00 2001
|
||||
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||||
Date: Mon, 26 Sep 2016 19:48:36 +0300
|
||||
Subject: [PATCH] Use system crypto policy by default
|
||||
From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 8 May 2019 10:16:31 -0400
|
||||
Subject: [PATCH] Use system-provided crypto-policies by default
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
raddb/mods-available/eap | 2 +-
|
||||
raddb/mods-available/eap | 4 ++--
|
||||
raddb/mods-available/inner-eap | 2 +-
|
||||
raddb/sites-available/abfab-tls | 2 +-
|
||||
raddb/sites-available/tls | 4 ++--
|
||||
4 files changed, 5 insertions(+), 5 deletions(-)
|
||||
4 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
|
||||
index 94494b2c6..9a8dc9327 100644
|
||||
index 36849e10f2..b28c0f19c6 100644
|
||||
--- a/raddb/mods-available/eap
|
||||
+++ b/raddb/mods-available/eap
|
||||
@@ -323,7 +323,7 @@ eap {
|
||||
@@ -368,7 +368,7 @@ eap {
|
||||
#
|
||||
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
|
||||
#
|
||||
@ -23,11 +24,20 @@ index 94494b2c6..9a8dc9327 100644
|
||||
|
||||
# If enabled, OpenSSL will use server cipher list
|
||||
# (possibly defined by cipher_list option above)
|
||||
@@ -912,7 +912,7 @@ eap {
|
||||
# Note - for OpenSSL 1.1.0 and above you may need
|
||||
# to add ":@SECLEVEL=0"
|
||||
#
|
||||
- # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
|
||||
+ # cipher_list = "PROFILE=SYSTEM"
|
||||
|
||||
# PAC lifetime in seconds (default: seven days)
|
||||
#
|
||||
diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
|
||||
index 2b4df6267..af9aa88cd 100644
|
||||
index 576eb7739e..ffa07188e2 100644
|
||||
--- a/raddb/mods-available/inner-eap
|
||||
+++ b/raddb/mods-available/inner-eap
|
||||
@@ -68,7 +68,7 @@ eap inner-eap {
|
||||
@@ -77,7 +77,7 @@ eap inner-eap {
|
||||
# certificates. If so, edit this file.
|
||||
ca_file = ${cadir}/ca.pem
|
||||
|
||||
@ -37,7 +47,7 @@ index 2b4df6267..af9aa88cd 100644
|
||||
# You may want to set a very small fragment size.
|
||||
# The TLS data here needs to go inside of the
|
||||
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
|
||||
index 5dbe143da..46b5fea78 100644
|
||||
index 92f1d6330e..cd69b3905a 100644
|
||||
--- a/raddb/sites-available/abfab-tls
|
||||
+++ b/raddb/sites-available/abfab-tls
|
||||
@@ -19,7 +19,7 @@ listen {
|
||||
@ -50,10 +60,10 @@ index 5dbe143da..46b5fea78 100644
|
||||
cache {
|
||||
enable = no
|
||||
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
|
||||
index cf1cd7a8a..7dd59cb6f 100644
|
||||
index bbc761b1c5..83cd35b851 100644
|
||||
--- a/raddb/sites-available/tls
|
||||
+++ b/raddb/sites-available/tls
|
||||
@@ -197,7 +197,7 @@ listen {
|
||||
@@ -215,7 +215,7 @@ listen {
|
||||
# Set this option to specify the allowed
|
||||
# TLS cipher suites. The format is listed
|
||||
# in "man 1 ciphers".
|
||||
@ -62,7 +72,7 @@ index cf1cd7a8a..7dd59cb6f 100644
|
||||
|
||||
# If enabled, OpenSSL will use server cipher list
|
||||
# (possibly defined by cipher_list option above)
|
||||
@@ -499,7 +499,7 @@ home_server tls {
|
||||
@@ -517,7 +517,7 @@ home_server tls {
|
||||
# Set this option to specify the allowed
|
||||
# TLS cipher suites. The format is listed
|
||||
# in "man 1 ciphers".
|
||||
@ -72,5 +82,5 @@ index cf1cd7a8a..7dd59cb6f 100644
|
||||
|
||||
}
|
||||
--
|
||||
2.13.2
|
||||
2.21.0
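Review bot: The EAP-FAST line `cipher_list = "PROFILE=SYSTEM"` is still commented out, so this hunk changes only the example text and the module keeps whatever compiled-in default applies when `cipher_list` is unset — presumably the OpenSSL cipher string named in the comment above, not the system policy; if the intent is that EAP-FAST follows crypto-policies by default, the line must be uncommented or the module default changed. The kept context lines `# Note - for OpenSSL 1.1.0 and above you may need` / `# to add ":@SECLEVEL=0"` describe appending a security level to a cipher list, which no longer matches a `PROFILE=SYSTEM` value whose level comes from the policy; reword them, e.g. `# With PROFILE=SYSTEM the cipher list and security level come from update-crypto-policies(8); override only if a legacy policy is required.`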
|
||||
|
||||
|
SOURCES/freeradius-blastradius-fix.patch
SOURCES/freeradius-bootstrap-create-only.patch
@ -0,0 +1,91 @@
|
||||
From 3f40655ad0708b74a4a41b13c2b21995b157c14d Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 5 Aug 2020 15:53:45 -0400
|
||||
Subject: [PATCH] Don't clobber existing files on bootstrap
|
||||
|
||||
Rebased: v3.0.20
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
raddb/certs/bootstrap | 35 +++++++++++++++++++----------------
|
||||
1 file changed, 19 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 0f719aa..336a2bd 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -31,52 +31,55 @@ fi
|
||||
# Don't edit the following text. Instead, edit the Makefile, and
|
||||
# re-generate these commands.
|
||||
#
|
||||
-if [ ! -f dh ]; then
|
||||
+if [ ! -e dh ]; then
|
||||
openssl dhparam -out dh 2048 || exit 1
|
||||
- if [ -e /dev/urandom ] ; then
|
||||
- ln -sf /dev/urandom random
|
||||
- else
|
||||
- date > ./random;
|
||||
- fi
|
||||
+ ln -sf /dev/urandom random
|
||||
fi
|
||||
|
||||
-if [ ! -f server.key ]; then
|
||||
+if [ ! -e server.key ]; then
|
||||
openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
|
||||
+ chmod g+r server.key
|
||||
fi
|
||||
|
||||
-if [ ! -f ca.key ]; then
|
||||
+if [ ! -e ca.key ]; then
|
||||
openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
|
||||
fi
|
||||
|
||||
-if [ ! -f index.txt ]; then
|
||||
+if [ ! -e index.txt ]; then
|
||||
touch index.txt
|
||||
fi
|
||||
|
||||
-if [ ! -f serial ]; then
|
||||
+if [ ! -e serial ]; then
|
||||
echo '01' > serial
|
||||
fi
|
||||
|
||||
-if [ ! -f server.crt ]; then
|
||||
+if [ ! -e server.crt ]; then
|
||||
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
|
||||
fi
|
||||
|
||||
-if [ ! -f server.p12 ]; then
|
||||
+if [ ! -e server.p12 ]; then
|
||||
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
|
||||
+ chmod g+r server.p12
|
||||
fi
|
||||
|
||||
-if [ ! -f server.pem ]; then
|
||||
+if [ ! -e server.pem ]; then
|
||||
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
|
||||
openssl verify -CAfile ca.pem server.pem || exit 1
|
||||
+ chmod g+r server.pem
|
||||
fi
|
||||
|
||||
-if [ ! -f ca.der ]; then
|
||||
+if [ ! -e ca.der ]; then
|
||||
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
|
||||
fi
|
||||
|
||||
-if [ ! -f client.key ]; then
|
||||
+if [ ! -e client.key ]; then
|
||||
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
|
||||
+ chmod g+r client.key
|
||||
fi
|
||||
|
||||
-if [ ! -f client.crt ]; then
|
||||
+if [ ! -e client.crt ]; then
|
||||
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
|
||||
fi
|
||||
+
|
||||
+chown root:radiusd dh ca.* client.* server.*
|
||||
+chmod 640 dh ca.* client.* server.*
|
||||
--
|
||||
2.26.2
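Review bot: `chmod 640 dh ca.* client.* server.*` on the final added lines makes `ca.key` and `client.key` readable by the `radiusd` group, but the server only needs `server.key`/`server.pem`, `dh` and the CA certificate; a compromised radiusd process could read the CA private key and mint client certificates the server trusts for EAP-TLS. Tighten the two private keys after the bulk chmod: `chmod 600 ca.key client.key`. The `chmod g+r server.key`, `server.p12` and `server.pem` lines added earlier in the script are superseded by the trailing `chmod 640` and can go. The `radiusd` group is hard-coded and the `chown`/`chmod` results are ignored, so a missing group silently leaves the files with umask permissions; consider `|| exit 1` on both lines.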
|
||||
|
SOURCES/freeradius-bootstrap-fixed-dhparam.patch
@ -0,0 +1,52 @@
|
||||
From b31f1ab9a0e1c010037d2d660e3ce4ea7eb07d6c Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 5 Aug 2020 16:10:52 -0400
|
||||
Subject: [PATCH] Use fixed FIPS-approved dhparam by default
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
raddb/certs/Makefile | 2 +-
|
||||
raddb/certs/bootstrap | 7 +++++--
|
||||
2 files changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
|
||||
index 5cbfd46..41b7aea 100644
|
||||
--- a/raddb/certs/Makefile
|
||||
+++ b/raddb/certs/Makefile
|
||||
@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
|
||||
#
|
||||
######################################################################
|
||||
dh:
|
||||
- $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
|
||||
+ cp rfc3526-group-18-8192.dhparam dh
|
||||
|
||||
######################################################################
|
||||
#
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 9920ecf..59b3310 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -13,6 +13,10 @@
|
||||
umask 027
|
||||
cd `dirname $0`
|
||||
|
||||
+if [ ! -e random ]; then
|
||||
+ ln -sf /dev/urandom random
|
||||
+fi
|
||||
+
|
||||
make -h > /dev/null 2>&1
|
||||
|
||||
#
|
||||
@@ -35,8 +39,7 @@ fi
|
||||
# re-generate these commands.
|
||||
#
|
||||
if [ ! -e dh ]; then
|
||||
- openssl dhparam -out dh 2048 || exit 1
|
||||
- ln -sf /dev/urandom random
|
||||
+ cp rfc3526-group-18-8192.dhparam dh
|
||||
fi
|
||||
|
||||
if [ ! -e server.key ]; then
|
||||
--
|
||||
2.26.2
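Review bot: The replacement `cp rfc3526-group-18-8192.dhparam dh` drops the `|| exit 1` that the `openssl dhparam` line had, so if the parameter file is missing (this patch does not create it; it must be shipped by the package) bootstrap continues and the server later starts without `dh`; restore the check, `cp rfc3526-group-18-8192.dhparam dh || exit 1`. A comment above it would record why generation was replaced, e.g. `# Use the fixed RFC 3526 MODP group 18 (8192-bit) parameters instead of locally generated ones for FIPS compliance.` — confirm the wording against the FIPS guidance being relied on. `DH_KEY_SIZE` in the Makefile is no longer used by the `dh` target; its definition is outside the hunk.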
|
||||
|
SOURCES/freeradius-bootstrap-make-permissions.patch
@ -0,0 +1,29 @@
|
||||
From ea164ceafa05f96079204a3f0ae379e46e64a455 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Tue, 4 Aug 2020 10:08:15 -0400
|
||||
Subject: [PATCH] Fix permissions after generating certificates with make
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
raddb/certs/bootstrap | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 336a2bd..9920ecf 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -21,7 +21,10 @@ make -h > /dev/null 2>&1
|
||||
#
|
||||
if [ "$?" = "0" ]; then
|
||||
make all
|
||||
- exit $?
|
||||
+ ret=$?
|
||||
+ chown root:radiusd dh ca.* client.* server.*
|
||||
+ chmod 640 dh ca.* client.* server.*
|
||||
+ exit $ret
|
||||
fi
|
||||
|
||||
#
|
||||
--
|
||||
2.26.2
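Review bot: The added `chown`/`chmod` run even when `make all` has failed, and their own exit status is discarded, so a partially generated certs directory or a missing `radiusd` group leaves files with umask permissions while the script still reports make's status. Run them only on success and fail loudly otherwise: `if [ "$ret" = "0" ]; then chown root:radiusd dh ca.* client.* server.* && chmod 640 dh ca.* client.* server.* || exit 1; fi`. As in the non-make path, `ca.key` and `client.key` do not need to be readable by the radiusd group; a trailing `chmod 600 ca.key client.key` keeps the CA key away from the server process.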
|
||||
|
SOURCES/freeradius-bootstrap-run-only-once.patch
@ -0,0 +1,72 @@
|
||||
Author: Antonio Torres <antorres@redhat.com>
|
||||
Date: Wed Jul 20 2021
|
||||
Subject: [PATCH] ensure bootstrap script is run only once
|
||||
|
||||
The bootstrap script should only run once. By checking if there are
|
||||
certificates in the directory, we can exit early if certificates were
|
||||
already generated.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
|
||||
Signed-off-by: Antonio Torres antorres@redhat.com
|
||||
---
|
||||
raddb/certs/README | 16 ++++++----------
|
||||
raddb/certs/bootstrap | 18 ++++++++++++------
|
||||
2 files changed, 18 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/raddb/certs/README b/raddb/certs/README
|
||||
index 6288921da1..32413964dd 100644
|
||||
--- a/raddb/certs/README
|
||||
+++ b/raddb/certs/README
|
||||
@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
|
||||
your users, and to issue client certificates for EAP-TLS.
|
||||
|
||||
If FreeRADIUS was configured to use OpenSSL, then simply starting
|
||||
-the server in root in debugging mode should also create test
|
||||
-certificates, i.e.:
|
||||
+the server in root mode should also create test certificates.
|
||||
|
||||
-$ radiusd -X
|
||||
-
|
||||
- That will cause the EAP-TLS module to run the "bootstrap" script in
|
||||
-this directory. The script will be executed only once, the first time
|
||||
-the server has been installed on a particular machine. This bootstrap
|
||||
-script SHOULD be run on installation of any pre-built binary package
|
||||
-for your OS. In any case, the script will ensure that it is not run
|
||||
-twice, and that it does not over-write any existing certificates.
|
||||
+ The start of FreeRADIUS will cause to run the "bootstrap" script.
|
||||
+The script will be executed during every start of FreeRADIUS via systemd but
|
||||
+the script will ensure that it does not overwrite any existing certificates.
|
||||
+Ideally, the bootstrap script file should be deleted after new testing certificates
|
||||
+have been generated.
|
||||
|
||||
If you already have CA and server certificates, rename (or delete)
|
||||
this directory, and create a new "certs" directory containing your
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 0f719aafd4..92254dc936 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -1,12 +1,18 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
-# This is a wrapper script to create default certificates when the
|
||||
-# server first starts in debugging mode. Once the certificates have been
|
||||
-# created, this file should be deleted.
|
||||
+# Bootstrap script should be run only once. If there are already certificates
|
||||
+# generated, skip the execution.
|
||||
+#
|
||||
+cd `dirname $0`
|
||||
+if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
|
||||
+ exit 0
|
||||
+fi
|
||||
+
|
||||
#
|
||||
-# Ideally, this program should be run as part of the installation of any
|
||||
-# binary package. The installation should also ensure that the permissions
|
||||
-# and owners are correct for the files generated by this script.
|
||||
+# This is a wrapper script to create default certificates when the
|
||||
+# server starts via systemd. It should also ensure that the
|
||||
+# permissions and owners are correct for the generated files. Once
|
||||
+# the certificates have been created, this file should be deleted.
|
||||
#
|
||||
# $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
|
||||
#
|
SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch
@ -0,0 +1,47 @@
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 09 Dec 2022
|
||||
Subject: Fix crash on invalid abinary data
|
||||
|
||||
A malicious RADIUS client or home server can send a malformed abinary
|
||||
attribute which can cause the server to crash.
|
||||
|
||||
Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151706
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
diff --git a/src/lib/filters.c b/src/lib/filters.c
|
||||
index 4868cd385d9f..3f3b63daeef3 100644
|
||||
--- a/src/lib/filters.c
|
||||
+++ b/src/lib/filters.c
|
||||
@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
|
||||
}
|
||||
}
|
||||
} else if (filter->type == RAD_FILTER_GENERIC) {
|
||||
- int count;
|
||||
+ size_t count, masklen;
|
||||
+
|
||||
+ masklen = ntohs(filter->u.generic.len);
|
||||
+ if (masklen >= sizeof(filter->u.generic.mask)) {
|
||||
+ *p = '\0';
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
|
||||
p += i;
|
||||
|
||||
/* show the mask */
|
||||
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
|
||||
+ for (count = 0; count < masklen; count++) {
|
||||
i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
|
||||
p += i;
|
||||
outlen -= i;
|
||||
@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
|
||||
outlen--;
|
||||
|
||||
/* show the value */
|
||||
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
|
||||
+ for (count = 0; count < masklen; count++) {
|
||||
i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
|
||||
p += i;
|
||||
outlen -= i;
|
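Review bot: The new `masklen` bound protects the mask and value indexing, but the `snprintf` results on the lines that follow are still applied unchecked: `snprintf` returns the length it would have written, so once `out` is full `i` exceeds `outlen`, `p += i` moves past the end of the buffer and the `size_t` `outlen -= i` wraps, and the next iteration writes out of bounds. Each call should be followed by `if (i < 0 || (size_t)i >= outlen) return;` before `p` and `outlen` are updated (the buffer is already NUL-terminated at that point). The same `sizeof(filter->u.generic.mask)` bound is also used to index `filter->u.generic.value` in the second loop, which is only safe if both arrays are the same size — a `_Static_assert` on the two sizes would document that assumption. `print_abinary` begins and ends outside the hunks.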
SOURCES/freeradius-fix-crash-unknown-eap-sim.patch
@ -0,0 +1,115 @@
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 09 Dec 2022
|
||||
Subject: Fix crash on unknown option in EAP-SIM
|
||||
|
||||
When an EAP-SIM supplicant sends an unknown SIM option, the server will try to
|
||||
look that option up in the internal dictionaries. This lookup will fail, but the
|
||||
SIM code will not check for that failure. Instead, it will dereference a NULL
|
||||
pointer, and cause the server to crash.
|
||||
|
||||
Backport of:
|
||||
https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
|
||||
https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151704
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
|
||||
index cf1e8a7dd92..e438a844eab 100644
|
||||
--- a/src/modules/rlm_eap/libeap/eapsimlib.c
|
||||
+++ b/src/modules/rlm_eap/libeap/eapsimlib.c
|
||||
@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
|
||||
newvp->vp_length = 1;
|
||||
fr_pair_add(&(r->vps), newvp);
|
||||
|
||||
+ /*
|
||||
+ * EAP-SIM has a 1 octet of subtype, and 2 octets
|
||||
+ * reserved.
|
||||
+ */
|
||||
attr += 3;
|
||||
attrlen -= 3;
|
||||
|
||||
- /* now, loop processing each attribute that we find */
|
||||
- while(attrlen > 0) {
|
||||
+ /*
|
||||
+ * Loop over each attribute. The format is:
|
||||
+ *
|
||||
+ * 1 octet of type
|
||||
+ * 1 octet of length (value 1..255)
|
||||
+ * ((4 * length) - 2) octets of data.
|
||||
+ */
|
||||
+ while (attrlen > 0) {
|
||||
uint8_t *p;
|
||||
|
||||
- if(attrlen < 2) {
|
||||
+ if (attrlen < 2) {
|
||||
fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (!attr[1]) {
|
||||
+ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", attr[0],
|
||||
+ es_attribute_count);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
eapsim_attribute = attr[0];
|
||||
eapsim_len = attr[1] * 4;
|
||||
|
||||
+ /*
|
||||
+ * The length includes the 2-byte header.
|
||||
+ */
|
||||
if (eapsim_len > attrlen) {
|
||||
fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
|
||||
eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
|
||||
return 0;
|
||||
}
|
||||
|
||||
- if(eapsim_len > MAX_STRING_LEN) {
|
||||
- eapsim_len = MAX_STRING_LEN;
|
||||
- }
|
||||
- if (eapsim_len < 2) {
|
||||
- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
|
||||
- es_attribute_count);
|
||||
- return 0;
|
||||
- }
|
||||
+ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
|
||||
+ if (!newvp) {
|
||||
+ /*
|
||||
+ * RFC 4186 Section 8.1 says 0..127 are
|
||||
+ * "non-skippable". If one such
|
||||
+ * attribute is found and we don't
|
||||
+ * understand it, the server has to send:
|
||||
+ *
|
||||
+ * EAP-Request/SIM/Notification packet with an
|
||||
+ * (AT_NOTIFICATION code, which implies general failure ("General
|
||||
+ * failure after authentication" (0), or "General failure" (16384),
|
||||
+ * depending on the phase of the exchange), which terminates the
|
||||
+ * authentication exchange.
|
||||
+ */
|
||||
+ if (eapsim_attribute <= 127) {
|
||||
+ fr_strerror_printf("Unknown mandatory attribute %d, failing",
|
||||
+ eapsim_attribute);
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
|
||||
- newvp->vp_length = eapsim_len-2;
|
||||
- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
|
||||
- memcpy(p, &attr[2], eapsim_len-2);
|
||||
- fr_pair_add(&(r->vps), newvp);
|
||||
- newvp = NULL;
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * It's known, ccount for header, and
|
||||
+ * copy the value over.
|
||||
+ */
|
||||
+ newvp->vp_length = eapsim_len - 2;
|
||||
+
|
||||
+ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
|
||||
+ memcpy(p, &attr[2], newvp->vp_length);
|
||||
+ fr_pair_add(&(r->vps), newvp);
|
||||
+ }
|
||||
|
||||
/* advance pointers, decrement length */
|
||||
attr += eapsim_len;
|
SOURCES/freeradius-fix-info-leakage-eap-pwd.patch
@ -0,0 +1,76 @@
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 09 Dec 2022
|
||||
Subject: Fix information leakage in EAP-PWD
|
||||
|
||||
The EAP-PWD function compute_password_element() leaks information about the
|
||||
password which allows an attacker to substantially reduce the size of an
|
||||
offline dictionary attack.
|
||||
|
||||
Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
index d94851c3aa..9f86b62114 100644
|
||||
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
|
||||
#include <freeradius-devel/radiusd.h>
|
||||
#include <freeradius-devel/modules.h>
|
||||
|
||||
+static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
|
||||
+
|
||||
/* The random function H(x) = HMAC-SHA256(0^32, x) */
|
||||
static void H_Init(HMAC_CTX *ctx)
|
||||
{
|
||||
@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||
uint32_t *token)
|
||||
{
|
||||
BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
|
||||
- HMAC_CTX *ctx = NULL;
|
||||
+ EVP_MD_CTX *hmac_ctx;
|
||||
+ EVP_PKEY *hmac_pkey;
|
||||
uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
|
||||
int nid, is_odd, primebitlen, primebytelen, ret = 0;
|
||||
|
||||
- ctx = HMAC_CTX_new();
|
||||
- if (ctx == NULL) {
|
||||
- DEBUG("failed allocating HMAC context");
|
||||
- goto fail;
|
||||
- }
|
||||
+ MEM(hmac_ctx = EVP_MD_CTX_new());
|
||||
+ MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
|
||||
|
||||
switch (grp_num) { /* from IANA registry for IKE D-H groups */
|
||||
case 19:
|
||||
@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||
* pwd-seed = H(token | peer-id | server-id | password |
|
||||
* counter)
|
||||
*/
|
||||
- H_Init(ctx);
|
||||
- H_Update(ctx, (uint8_t *)token, sizeof(*token));
|
||||
- H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
|
||||
- H_Update(ctx, (uint8_t const *)id_server, id_server_len);
|
||||
- H_Update(ctx, (uint8_t const *)password, password_len);
|
||||
- H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
|
||||
- H_Final(ctx, pwe_digest);
|
||||
+ EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
|
||||
|
||||
BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
|
||||
if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
|
||||
@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||
BN_clear_free(x_candidate);
|
||||
BN_clear_free(rnd);
|
||||
talloc_free(prfbuf);
|
||||
- HMAC_CTX_free(ctx);
|
||||
+ EVP_MD_CTX_free(hmac_ctx);
|
||||
+ EVP_PKEY_free(hmac_pkey);
|
||||
|
||||
return ret;
|
||||
}
|
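Review bot: Nothing finalises the HMAC after the five `EVP_DigestSignUpdate()` calls: the removed `H_Final(ctx, pwe_digest)` has no counterpart in the hunk (the header's 13 → 12 line count confirms none was added), so the `BN_bin2bn(pwe_digest, ...)` on the following context line reads `pwe_digest` before anything has written it — unless an `EVP_DigestSignFinal()` sits elsewhere in the function, which this patch does not show. The loop needs `size_t mdlen = SHA256_DIGEST_LENGTH;` and `if (EVP_DigestSignFinal(hmac_ctx, pwe_digest, &mdlen) != 1) goto fail;` between the last update and `BN_bin2bn`, and the `EVP_DigestSignInit()` return value deserves the same check. `allzero` is never written and can be `static uint8_t const`. `compute_password_element` begins and ends outside the hunks.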
SOURCES/freeradius-fixes-to-python3-module-since-v3.0.20.patch
@ -1,42 +0,0 @@
|
||||
From 98510efd0e2930d8924b47009945a0fb1bd75a29 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Mon, 22 Apr 2019 14:38:19 -0400
|
||||
Subject: [PATCH] Allow listen.ipaddr to reference an IPv6-only host
|
||||
|
||||
In 5452b13cefa3b30f1da467ff5d68b3c1aa471188, these lines were added
|
||||
which effectively result in a listen.ipaddr only allowing hostnames to
|
||||
resolve to IPv4 addresses. With a hostname with only a IPv6 address,
|
||||
it'll bail with the error message:
|
||||
|
||||
radiusd: #### Opening IP addresses and Ports ####
|
||||
listen {
|
||||
type = "auth"
|
||||
Failed resolving "ipv6.cipherboy.com" to IPv4 address:
|
||||
Name or service not known
|
||||
|
||||
This directly contradicts the language in the default configuration
|
||||
file, so support resolving both IPv4-only and IPv6-only hostnames.
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
src/lib/misc.c | 7 -------
|
||||
1 file changed, 7 deletions(-)
|
||||
|
||||
diff --git a/src/lib/misc.c b/src/lib/misc.c
|
||||
index dff21e33f7..5520d8a0a4 100644
|
||||
--- a/src/lib/misc.c
|
||||
+++ b/src/lib/misc.c
|
||||
@@ -607,13 +607,6 @@ int fr_pton(fr_ipaddr_t *out, char const *value, ssize_t inlen, int af, bool res
|
||||
fr_strerror_printf("Invalid address");
|
||||
return -1;
|
||||
}
|
||||
-
|
||||
- /*
|
||||
- * Fall through to resolving the address, using
|
||||
- * whatever address family they prefer. If they
|
||||
- * don't specify an address family, force IPv4.
|
||||
- */
|
||||
- if (af == AF_UNSPEC) af = AF_INET;
|
||||
}
|
||||
|
||||
/*
|
@ -4,91 +4,90 @@ Date: Fri, 14 Sep 2018 11:53:28 +0300
|
||||
Subject: [PATCH] man: Fix some typos
|
||||
|
||||
---
|
||||
man/man5/radrelay.conf.5 | 2 +-
|
||||
man/man5/rlm_files.5 | 2 +-
|
||||
man/man5/unlang.5 | 8 ++++----
|
||||
man/man8/radrelay.8 | 2 +-
|
||||
4 files changed, 7 insertions(+), 7 deletions(-)
|
||||
man/man1/radzap.1 | 4 ++--
|
||||
man/man5/unlang.5 | 6 +++---
|
||||
man/man8/radcrypt.8 | 2 +-
|
||||
man/man8/radiusd.8 | 4 ++--
|
||||
4 files changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/man/man5/radrelay.conf.5 b/man/man5/radrelay.conf.5
|
||||
index 5fb38bfc4e..e3e665024b 100644
|
||||
--- a/man/man5/radrelay.conf.5
|
||||
+++ b/man/man5/radrelay.conf.5
|
||||
@@ -26,7 +26,7 @@ Many sites run multiple radius servers; at least one primary and one
|
||||
backup server. When the primary goes down, most NASes detect that and
|
||||
switch to the backup server.
|
||||
|
||||
-That will cause your accounting packets to go the the backup server -
|
||||
+That will cause your accounting packets to go to the backup server -
|
||||
and some NASes don't even switch back to the primary server when it
|
||||
comes back up.
|
||||
|
||||
diff --git a/man/man5/rlm_files.5 b/man/man5/rlm_files.5
|
||||
index bfee5030ff..52f4734ae3 100644
|
||||
--- a/man/man5/rlm_files.5
|
||||
+++ b/man/man5/rlm_files.5
|
||||
@@ -48,7 +48,7 @@ This configuration entry enables you to have configurations that
|
||||
perform per-group checks, and return per-group attributes, where the
|
||||
group membership is dynamically defined by a previous module. It also
|
||||
lets you do things like key off of attributes in the reply, and
|
||||
-express policies like like "when I send replies containing attribute
|
||||
+express policies like "when I send replies containing attribute
|
||||
FOO with value BAR, do more checks, and maybe send additional
|
||||
attributes".
|
||||
.SH CONFIGURATION
|
||||
diff --git a/man/man1/radzap.1 b/man/man1/radzap.1
|
||||
index a2d529d064..03b9a43a54 100644
|
||||
--- a/man/man1/radzap.1
|
||||
+++ b/man/man1/radzap.1
|
||||
@@ -1,4 +1,4 @@
|
||||
-.TH RADZAP 1 "8 April 2005" "" "FreeRadius Daemon"
|
||||
+.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon"
|
||||
.SH NAME
|
||||
radzap - remove rogue entries from the active sessions database
|
||||
.SH SYNOPSIS
|
||||
@@ -17,7 +17,7 @@ radzap - remove rogue entries from the active sessions database
|
||||
.RB [ \-x ]
|
||||
\fIserver[:port] secret\fP
|
||||
.SH DESCRIPTION
|
||||
-The FreeRadius server can be configured to maintain an active session
|
||||
+The FreeRADIUS server can be configured to maintain an active session
|
||||
database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1)
|
||||
use this database. Sometimes that database can get out of sync, and
|
||||
then it might contain rogue entries. \fBradzap\fP can clean up this
|
||||
diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
|
||||
index 76db8f2d1c..12fe7855b2 100644
|
||||
index 40db5fa6e7..5f765f1787 100644
|
||||
--- a/man/man5/unlang.5
|
||||
+++ b/man/man5/unlang.5
|
||||
@@ -36,7 +36,7 @@ the pre-defined keywords here.
|
||||
@@ -195,7 +195,7 @@ The <list> can be one of "request", "reply", "proxy-request",
|
||||
of Version 3, the <list> can be omitted, in which case "request" is
|
||||
assumed.
|
||||
|
||||
Subject to a few limitations described below, any keyword can appear
|
||||
in any context. The language consists of a series of entries, each
|
||||
-one one line. Each entry begins with a keyword. Entries are
|
||||
+one line. Each entry begins with a keyword. Entries are
|
||||
organized into lists. Processing of the language is line by line,
|
||||
from the start of the list to the end. Actions are executed
|
||||
per-keyword.
|
||||
@@ -131,7 +131,7 @@ expanded as described in the DATA TYPES section, below. The match is
|
||||
then performed on the string returned from the expansion. If the
|
||||
argument is an attribute reference (e.g. &User-Name), then the match
|
||||
is performed on the value of that attribute. Otherwise, the argument
|
||||
-is taken to be a literal string, and and matching is done via simple
|
||||
+is taken to be a literal string, and matching is done via simple
|
||||
comparison.
|
||||
-The "control" list is the list of attributes maintainted internally by
|
||||
+The "control" list is the list of attributes maintained internally by
|
||||
the server that controls how the server processes the request. Any
|
||||
attribute that does not go in a packet on the network will generally
|
||||
be placed in the "control" list.
|
||||
@@ -397,7 +397,7 @@ Evaluates to true if 'foo' is a non-empty string (single quotes, double
|
||||
quotes, or back-quoted). Also evaluates to true if 'foo' is a
|
||||
non-zero number. Note that the language is poorly typed, so the
|
||||
string "0000" can be interpreted as a numerical zero. This issue can
|
||||
-be avoided by comparings strings to an empty string, rather than by
|
||||
+be avoided by comparing strings to an empty string, rather than by
|
||||
evaluating the string by itself.
|
||||
|
||||
No statement other than "case" can appear in a "switch" block.
|
||||
@@ -155,7 +155,7 @@ expanded as described in the DATA TYPES section, below. The match is
|
||||
then performed on the string returned from the expansion. If the
|
||||
argument is an attribute reference (e.g. &User-Name), then the match
|
||||
is performed on the value of that attribute. Otherwise, the argument
|
||||
-is taken to be a literal string, and and matching is done via simple
|
||||
+is taken to be a literal string, and matching is done via simple
|
||||
comparison.
|
||||
|
||||
.DS
|
||||
@@ -799,7 +799,7 @@ regular expression. If no attribute matches, nothing else is done.
|
||||
The value can be an attribute reference, or an attribute-specific
|
||||
string.
|
||||
|
||||
-When the value is an an attribute reference, it must take the form of
|
||||
+When the value is an attribute reference, it must take the form of
|
||||
"&Attribute-Name". The leading "&" signifies that the value is a
|
||||
reference. The "Attribute-Name" is an attribute name, such as
|
||||
"User-Name" or "request:User-Name". When an attribute reference is
|
||||
diff --git a/man/man8/radrelay.8 b/man/man8/radrelay.8
|
||||
index fdba6995d5..99e65732a2 100644
|
||||
--- a/man/man8/radrelay.8
|
||||
+++ b/man/man8/radrelay.8
|
||||
@@ -13,7 +13,7 @@ Many sites run multiple radius servers; at least one primary and one
|
||||
backup server. When the primary goes down, most NASes detect that and
|
||||
switch to the backup server.
|
||||
|
||||
-That will cause your accounting packets to go the the backup server -
|
||||
+That will cause your accounting packets to go to the backup server -
|
||||
and some NASes don't even switch back to the primary server when it
|
||||
comes back up.
|
||||
|
||||
--
|
||||
2.18.0
|
||||
If the word 'foo' is not a quoted string, then it can be taken as a
|
||||
@@ -854,7 +854,7 @@ failover tracking that nothing was done in the current section.
|
||||
.IP ok
|
||||
Instructs the server that the request was processed properly. This
|
||||
keyword can be used to over-ride earlier failures, if the local
|
||||
-administrator determines that the faiures are not catastrophic.
|
||||
+administrator determines that the failures are not catastrophic.
|
||||
.IP reject
|
||||
Causes the request to be immediately rejected
|
||||
.SH MODULE RETURN CODES
|
||||
diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
|
||||
index 08336c66f2..2917f60c46 100644
|
||||
--- a/man/man8/radcrypt.8
|
||||
+++ b/man/man8/radcrypt.8
|
||||
@@ -30,7 +30,7 @@ Use a MD5 (Message Digest 5) hash.
|
||||
Ignored if performing a password check.
|
||||
.IP "\-c --check"
|
||||
Perform a validation check on a password hash to verify if it matches
|
||||
-the plantext password.
|
||||
+the plaintext password.
|
||||
|
||||
.SH EXAMPLES
|
||||
.nf
|
||||
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
|
||||
index 98aef5e1be..2ef5ccf789 100644
|
||||
--- a/man/man8/radiusd.8
|
||||
+++ b/man/man8/radiusd.8
|
||||
@@ -211,11 +211,11 @@ This file is usually static. It defines all the possible RADIUS attributes
|
||||
used in the other configuration files. You don't have to modify it.
|
||||
It includes other dictionary files in the same directory.
|
||||
.IP hints
|
||||
-Defines certain hints to the radius server based on the users's loginname
|
||||
+Defines certain hints to the radius server based on the users' loginname
|
||||
or other attributes sent by the access server. It also provides for
|
||||
mapping user names (such as Pusername -> username). This provides the
|
||||
functionality that the \fILivingston 2.0\fP server has as "Prefix" and
|
||||
-"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
|
||||
+"Suffix" support in the \fIusers\fP file, but is more general. Of course
|
||||
the Livingston way of doing things is also supported, and you can even use
|
||||
both at the same time (within certain limits).
|
||||
.IP huntgroups
|
||||
|
SOURCES/freeradius-no-buildtime-cert-gen.patch
@ -0,0 +1,104 @@
|
||||
From e6f7c9d4c2af1cda7760ca8155166bb5d4d541d0 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 8 May 2019 12:58:02 -0400
|
||||
Subject: [PATCH] Don't generate certificates in reproducible builds
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
Make.inc.in | 5 +++++
|
||||
configure | 4 ++++
|
||||
configure.ac | 3 +++
|
||||
raddb/all.mk | 4 ++++
|
||||
4 files changed, 16 insertions(+)
|
||||
|
||||
diff --git a/Make.inc.in b/Make.inc.in
|
||||
index 0b2cd74de8..8c623cf95c 100644
|
||||
--- a/Make.inc.in
|
||||
+++ b/Make.inc.in
|
||||
@@ -173,3 +173,8 @@ else
|
||||
TESTBINDIR = ./$(BUILD_DIR)/bin
|
||||
TESTBIN = ./$(BUILD_DIR)/bin
|
||||
endif
|
||||
+
|
||||
+#
|
||||
+# With reproducible builds, do not generate certificates during installation
|
||||
+#
|
||||
+ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
|
||||
diff --git a/configure b/configure
|
||||
index c2c599c92b..3d4403a844 100755
|
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -655,6 +655,7 @@ RUSERS
|
||||
SNMPWALK
|
||||
SNMPGET
|
||||
PERL
|
||||
+ENABLE_REPRODUCIBLE_BUILDS
|
||||
openssl_version_check_config
|
||||
WITH_DHCP
|
||||
modconfdir
|
||||
@@ -5586,6 +5587,7 @@ else
|
||||
fi
|
||||
|
||||
|
||||
+ENABLE_REPRODUCIBLE_BUILDS=yes
|
||||
# Check whether --enable-reproducible-builds was given.
|
||||
if test "${enable_reproducible_builds+set}" = set; then :
|
||||
enableval=$enable_reproducible_builds; case "$enableval" in
|
||||
@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
|
||||
;;
|
||||
*)
|
||||
reproducible_builds=no
|
||||
+ ENABLE_REPRODUCIBLE_BUILDS=no
|
||||
esac
|
||||
|
||||
fi
|
||||
@@ -5604,6 +5607,7 @@ fi
|
||||
|
||||
|
||||
|
||||
+
|
||||
CHECKRAD=checkrad
|
||||
# Extract the first word of "perl", so it can be a program name with args.
|
||||
set dummy perl; ac_word=$2
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index a7abf0025a..35b013f4af 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config])
|
||||
dnl #
|
||||
dnl # extra argument: --enable-reproducible-builds
|
||||
dnl #
|
||||
+ENABLE_REPRODUCIBLE_BUILDS=yes
|
||||
AC_ARG_ENABLE(reproducible-builds,
|
||||
[AS_HELP_STRING([--enable-reproducible-builds],
|
||||
[ensure the build does not change each time])],
|
||||
@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds,
|
||||
;;
|
||||
*)
|
||||
reproducible_builds=no
|
||||
+ ENABLE_REPRODUCIBLE_BUILDS=no
|
||||
esac ]
|
||||
)
|
||||
+AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
|
||||
|
||||
|
||||
dnl #############################################################
|
||||
diff --git a/raddb/all.mk b/raddb/all.mk
|
||||
index c966edd657..c8e976a499 100644
|
||||
--- a/raddb/all.mk
|
||||
+++ b/raddb/all.mk
|
||||
@@ -124,7 +124,11 @@ $(R)$(raddbdir)/users: $(R)$(modconfdir)/files/authorize
|
||||
ifneq "$(LOCAL_CERT_PRODUCTS)" ""
|
||||
$(LOCAL_CERT_PRODUCTS):
|
||||
@echo BOOTSTRAP raddb/certs/
|
||||
+ifeq "$(ENABLE_REPRODUCIBLE_BUILDS)" "yes"
|
||||
+ @$(MAKE) -C $(R)$(raddbdir)/certs/ passwords.mk
|
||||
+else
|
||||
@$(MAKE) -C $(R)$(raddbdir)/certs/
|
||||
+endif
|
||||
|
||||
# Bootstrap is special
|
||||
$(R)$(raddbdir)/certs/bootstrap: | raddb/certs/bootstrap $(LOCAL_CERT_PRODUCTS)
|
||||
--
|
||||
2.21.0
|
||||
|
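Review bot: `ENABLE_REPRODUCIBLE_BUILDS=yes` is assigned unconditionally ahead of `AC_ARG_ENABLE` in configure.ac, and in the regenerated configure ahead of the `if test "${enable_reproducible_builds+set}" = set` block, while the only place it is set to `no` is the `*)` case that runs solely when the option is passed; a plain `./configure` therefore skips certificate generation, and `ENABLE_REPRODUCIBLE_BUILDS` diverges from `reproducible_builds` whenever the flag is absent. If the variable is meant to follow the option, initialise it with `ENABLE_REPRODUCIBLE_BUILDS=no` and set `ENABLE_REPRODUCIBLE_BUILDS=yes` in the `yes` case next to the `#define ENABLE_REPRODUCIBLE_BUILDS 1`; if the inverted default is intended for the distribution build, a one-line comment at the assignment saying so would spare the next reader this analysis. The configure hunks are regenerated output and will be overwritten by the next autoconf run, which is fine as long as configure.ac carries the same change.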
SOURCES/freeradius-no-dh-param-load-FIPS.patch
@ -0,0 +1,45 @@
|
||||
From 42693cba452efa00a4848beb1514229149520cc1 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 5 Aug 2020 11:39:45 -0400
|
||||
Subject: [PATCH] Ignore user-provided dhparams in FIPS mode (#3554)
|
||||
|
||||
OpenSSL in RHEL 8.3 introduces a breaking change in FIPS mode:
|
||||
user-provided dhparams will be ignored (and dhparam generation
|
||||
may fail as well), unless they are on the FIPS approved list of
|
||||
parameters. However, OpenSSL since v1.1.1 will automatically select
|
||||
an appropriate DH parameter set anyways, if the user did not provide
|
||||
any. These will be FIPS approved.
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
src/main/tls.c | 17 +++++++++++++++++
|
||||
1 file changed, 17 insertions(+)
|
||||
|
||||
diff --git a/src/main/tls.c b/src/main/tls.c
|
||||
index 5809a1bd7d..5e6493333c 100644
|
||||
--- a/src/main/tls.c
|
||||
+++ b/src/main/tls.c
|
||||
@@ -1352,6 +1352,23 @@ static int load_dh_params(SSL_CTX *ctx, char *file)
|
||||
|
||||
if (!file) return 0;
|
||||
|
||||
+ /*
|
||||
+ * Prior to trying to load the file, check what OpenSSL will do with it.
|
||||
+ *
|
||||
+ * Certain downstreams (such as RHEL) will ignore user-provided dhparams
|
||||
+ * in FIPS mode, unless the specified parameters are FIPS-approved.
|
||||
+ * However, since OpenSSL >= 1.1.1 will automatically select parameters
|
||||
+ * anyways, there's no point in attempting to load them.
|
||||
+ *
|
||||
+ * Change suggested by @t8m
|
||||
+ */
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
|
||||
+ if (FIPS_mode() > 0) {
|
||||
+ WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if ((bio = BIO_new_file(file, "r")) == NULL) {
|
||||
ERROR(LOG_PREFIX ": Unable to open DH file - %s", file);
|
||||
return -1;
|
@ -1,64 +0,0 @@
|
||||
From b8a6ac05977845851f02151ca35c3a51e88bd534 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Thu, 18 Oct 2018 12:40:53 -0400
|
||||
Subject: [PATCH] Clarify shebangs to be python2
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
scripts/radtee | 2 +-
|
||||
src/modules/rlm_python/example.py | 2 +-
|
||||
src/modules/rlm_python/prepaid.py | 2 +-
|
||||
src/modules/rlm_python/radiusd.py | 2 +-
|
||||
src/modules/rlm_python/radiusd_test.py | 2 +-
|
||||
5 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/scripts/radtee b/scripts/radtee
|
||||
index 123769d244..78b4bcbe0b 100755
|
||||
--- a/scripts/radtee
|
||||
+++ b/scripts/radtee
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/usr/bin/env python
|
||||
+#!/usr/bin/env python2
|
||||
from __future__ import with_statement
|
||||
|
||||
# RADIUS comparison tee v1.0
|
||||
diff --git a/src/modules/rlm_python/example.py b/src/modules/rlm_python/example.py
|
||||
index 5950a07678..eaf456e349 100644
|
||||
--- a/src/modules/rlm_python/example.py
|
||||
+++ b/src/modules/rlm_python/example.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#! /usr/bin/env python
|
||||
+#! /usr/bin/env python2
|
||||
#
|
||||
# Python module example file
|
||||
# Miguel A.L. Paraz <mparaz@mparaz.com>
|
||||
diff --git a/src/modules/rlm_python/prepaid.py b/src/modules/rlm_python/prepaid.py
|
||||
index c3cbf57b8f..3b1dc2e2e8 100644
|
||||
--- a/src/modules/rlm_python/prepaid.py
|
||||
+++ b/src/modules/rlm_python/prepaid.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#! /usr/bin/env python
|
||||
+#! /usr/bin/env python2
|
||||
#
|
||||
# Example Python module for prepaid usage using MySQL
|
||||
|
||||
diff --git a/src/modules/rlm_python/radiusd.py b/src/modules/rlm_python/radiusd.py
|
||||
index c535bb3caf..7129923994 100644
|
||||
--- a/src/modules/rlm_python/radiusd.py
|
||||
+++ b/src/modules/rlm_python/radiusd.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#! /usr/bin/env python
|
||||
+#! /usr/bin/env python2
|
||||
#
|
||||
# Definitions for RADIUS programs
|
||||
#
|
||||
diff --git a/src/modules/rlm_python/radiusd_test.py b/src/modules/rlm_python/radiusd_test.py
|
||||
index 13b7128b29..97b5b64f08 100644
|
||||
--- a/src/modules/rlm_python/radiusd_test.py
|
||||
+++ b/src/modules/rlm_python/radiusd_test.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#! /usr/bin/env python
|
||||
+#! /usr/bin/env python2
|
||||
#
|
||||
# Python module test
|
||||
# Miguel A.L. Paraz <mparaz@mparaz.com>
|
@ -1 +1 @@
|
||||
D /var/run/radiusd 0710 radiusd radiusd -
|
||||
D /run/radiusd 0710 radiusd radiusd -
|
||||
|
@ -1,11 +1,12 @@
|
||||
[Unit]
|
||||
Description=FreeRADIUS high performance RADIUS server.
|
||||
After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service
|
||||
After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service mysql.service mariadb.service postgresql.service
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
PIDFile=/var/run/radiusd/radiusd.pid
|
||||
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
|
||||
ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap
|
||||
ExecStartPre=/usr/sbin/radiusd -C
|
||||
ExecStart=/usr/sbin/radiusd -d /etc/raddb
|
||||
ExecReload=/usr/sbin/radiusd -C
|
||||
|
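Review bot: The `ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap` line, which appears to be the addition in this hunk, runs the certificate bootstrap on every service start with the unit's own privileges — no `User=` is visible and the neighbouring `chown` needs root — whereas the spec's removed `%post` ran it once under `runuser -g radiusd` with `umask 007`; nothing in the unit now constrains the ownership or mode of the keys the script writes, so that depends wholly on the bootstrap script and the permission/run-once patches the spec lists, which are not shown on this page. Because of the leading `-` a failed or partial bootstrap is ignored and the only symptom is the `radiusd -C` line after it failing on missing files, which deserves a comment above the line such as `# Generate the default EAP certificates once; failure is tolerated so that radiusd -C below reports the actual error.` Separately, `PIDFile=/var/run/radiusd/radiusd.pid` and the `chown -R radiusd.radiusd /var/run/radiusd` line keep the old path while this commit's tmpfiles entry moves to `/run/radiusd`; the two resolve to the same directory on systemd hosts, but the unit should use `/run/radiusd` in both places for consistency.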
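--- /dev/null
+++ b/SOURCES/rfc3526-group-18-8192.pem
@@ -0,0 +1,24 @@
+-----BEGIN DH PARAMETERS-----
+MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
+IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
+awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
+mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
+fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
+5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
+fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
+ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
+ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
+HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG
+3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU
+7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId
+A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha
+xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/
+8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R
+WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk
+ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw
+xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4
+Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i
+aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU
+38gfVuiAuW5xYMmA3Zjt09///////////wIBAg==
+-----END DH PARAMETERS-----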
@ -8,8 +8,8 @@
|
||||
|
||||
Summary: High-performance and highly configurable free RADIUS server
|
||||
Name: freeradius
|
||||
Version: 3.0.17
|
||||
Release: 6%{?dist}
|
||||
Version: 3.0.20
|
||||
Release: 15%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
Group: System Environment/Daemons
|
||||
URL: http://www.freeradius.org/
|
||||
@ -28,16 +28,26 @@ Source100: radiusd.service
|
||||
Source102: freeradius-logrotate
|
||||
Source103: freeradius-pam-conf
|
||||
Source104: freeradius-tmpfiles.conf
|
||||
Source105: rfc3526-group-18-8192.pem
|
||||
|
||||
Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
|
||||
Patch2: freeradius-Use-system-crypto-policy-by-default.patch
|
||||
Patch3: freeradius-man-Fix-some-typos.patch
|
||||
Patch4: freeradius-Add-missing-option-descriptions.patch
|
||||
Patch5: freeradius-OpenSSL-HMAC-MD5.patch
|
||||
Patch6: freeradius-OpenSSL-HMAC-SHA1.patch
|
||||
Patch7: freeradius-python2-shebangs.patch
|
||||
Patch8: freeradius-EAP-PWD-curve-handling.patch
|
||||
Patch9: freeradius-listen-ipv6-fix.patch
|
||||
Patch3: freeradius-bootstrap-create-only.patch
|
||||
Patch4: freeradius-no-buildtime-cert-gen.patch
|
||||
Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
|
||||
Patch6: freeradius-bootstrap-make-permissions.patch
|
||||
Patch7: freeradius-no-dh-param-load-FIPS.patch
|
||||
Patch8: freeradius-bootstrap-fixed-dhparam.patch
|
||||
Patch9: freeradius-man-Fix-some-typos.patch
|
||||
Patch10: freeradius-Fix-resource-hard-limit-error.patch
|
||||
Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
|
||||
Patch12: freeradius-bootstrap-run-only-once.patch
|
||||
Patch13: freeradius-Fix-unterminated-strings-in-SQL-queries.patch
|
||||
Patch14: freeradius-Fix-segfault-when-home_server-is-null.patch
|
||||
Patch15: freeradius-fix-crash-on-invalid-abinary-data.patch
|
||||
Patch16: freeradius-fix-crash-unknown-eap-sim.patch
|
||||
Patch17: freeradius-fix-info-leakage-eap-pwd.patch
|
||||
Patch18: freeradius-blastradius-fix.patch
|
||||
|
||||
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
|
||||
|
||||
@ -69,7 +79,7 @@ Requires(pre): shadow-utils glibc-common
|
||||
Requires(post): systemd-sysv
|
||||
Requires(post): systemd-units
|
||||
# Needed for certificate generation
|
||||
Requires(post): make
|
||||
Requires: make
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
|
||||
@ -152,7 +162,7 @@ This plugin provides the Perl support for the FreeRADIUS server project.
|
||||
|
||||
%if %{with python2}
|
||||
%package -n python2-freeradius
|
||||
Summary: Python support for freeradius
|
||||
Summary: Python 2 support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: python2-devel
|
||||
@ -163,8 +173,18 @@ Provides: %{name}-python%{?_isa} = %{version}-%{release}
|
||||
Obsoletes: %{name}-python < %{version}-%{release}
|
||||
|
||||
%description -n python2-freeradius
|
||||
This plugin provides the Python support for the FreeRADIUS server project.
|
||||
%endif # with python2
|
||||
This plugin provides the Python 2 support for the FreeRADIUS server project.
|
||||
# endif: with python2
|
||||
%endif
|
||||
|
||||
%package -n python3-freeradius
|
||||
Summary: Python 3 support for freeradius
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: python3-devel
|
||||
%{?python_provide:%python_provide python3-freeradius}
|
||||
|
||||
%description -n python3-freeradius
|
||||
This plugin provides the Python 3 support for the FreeRADIUS server project.
|
||||
|
||||
%package mysql
|
||||
Summary: MySQL support for freeradius
|
||||
@ -225,11 +245,31 @@ This plugin provides the REST support for the FreeRADIUS server project.
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
|
||||
# Add fixed dhparam file to the source to ensure `make tests` can run.
|
||||
cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
|
||||
|
||||
%build
|
||||
# Force compile/link options, extra security for network facing daemon
|
||||
%global _hardened_build 1
|
||||
|
||||
# Hack: rlm_python3 as stable; prevents building other unstable modules.
|
||||
sed 's/rlm_python.*/rlm_python3/g' src/modules/stable -i
|
||||
|
||||
# python3-config is broken:
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1772988
|
||||
export PY3_LIB_DIR=%{_libdir}/"$(python3-config --configdir | sed 's#/usr/lib/##g')"
|
||||
export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"
|
||||
|
||||
%configure \
|
||||
--libdir=%{_libdir}/freeradius \
|
||||
--enable-reproducible-builds \
|
||||
@ -245,6 +285,12 @@ This plugin provides the REST support for the FreeRADIUS server project.
|
||||
--with-unixodbc-lib-dir=%{_libdir} \
|
||||
--with-rlm-dbm-lib-dir=%{_libdir} \
|
||||
--with-rlm-krb5-include-dir=/usr/kerberos/include \
|
||||
--with-rlm_python3 \
|
||||
--with-rlm-python3-lib-dir=$PY3_LIB_DIR \
|
||||
--with-rlm-python3-include-dir=$PY3_INC_DIR \
|
||||
%if %{without python2}
|
||||
--without-rlm-python2 \
|
||||
%endif
|
||||
--without-rlm_eap_ikev2 \
|
||||
--without-rlm_eap_tnc \
|
||||
--without-rlm_sql_iodbc \
|
||||
@ -252,11 +298,6 @@ This plugin provides the REST support for the FreeRADIUS server project.
|
||||
--without-rlm_sql_db2 \
|
||||
--without-rlm_sql_oracle \
|
||||
--without-rlm_unbound \
|
||||
%if %{without python2}
|
||||
--without-rlm_python \
|
||||
--without-python \
|
||||
--disable-python \
|
||||
%endif
|
||||
--without-rlm_redis \
|
||||
--without-rlm_rediswho \
|
||||
--without-rlm_cache_memcached
|
||||
@ -281,12 +322,16 @@ install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
|
||||
install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf
|
||||
|
||||
# Add fixed dhparam file
|
||||
install -m 0644 %{SOURCE105} %{buildroot}/%{_sysconfdir}/raddb/certs/rfc3526-group-18-8192.dhparam
|
||||
|
||||
# install SNMP MIB files
|
||||
mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
|
||||
install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
|
||||
|
||||
# remove unneeded stuff
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crl
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.csr
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.der
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.key
|
||||
@ -320,11 +365,6 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab*
|
||||
|
||||
rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so
|
||||
|
||||
# conditionally remove python due to it being python2-only
|
||||
%if %{without python2}
|
||||
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/python
|
||||
%endif
|
||||
|
||||
# Remove yubikey on RHEL
|
||||
%if 0%{?rhel}
|
||||
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/yubikey
|
||||
@ -334,6 +374,10 @@ rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_yubikey.so
|
||||
# remove unsupported config files
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf
|
||||
|
||||
# Mongo will never be supported on Fedora or RHEL
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/ippool/mongo/queries.conf
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/main/mongo/queries.conf
|
||||
|
||||
# install doc files omitted by standard install
|
||||
for f in COPYRIGHT CREDITS INSTALL.rst README.rst VERSION; do
|
||||
cp $f $RPM_BUILD_ROOT/%{docdir}
|
||||
@ -365,12 +409,6 @@ exit 0
|
||||
|
||||
%post
|
||||
%systemd_post radiusd.service
|
||||
if [ $1 -eq 1 ]; then # install
|
||||
# Initial installation
|
||||
if [ ! -e /etc/raddb/certs/server.pem ]; then
|
||||
/sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1
|
||||
fi
|
||||
fi
|
||||
exit 0
|
||||
|
||||
%preun
|
||||
@ -436,6 +474,7 @@ exit 0
|
||||
/etc/raddb/certs/README
|
||||
%config(noreplace) /etc/raddb/certs/xpextensions
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam
|
||||
%attr(750,root,radiusd) /etc/raddb/certs/bootstrap
|
||||
|
||||
# mods-config
|
||||
@ -463,6 +502,7 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/robust-proxy-accounting
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/soh
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/coa
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/coa-relay
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/example
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/inner-tunnel
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/dhcp
|
||||
@ -527,6 +567,8 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pap
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/passwd
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/preprocess
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/python
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/python3
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/radutmp
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/realm
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/redis
|
||||
@ -594,6 +636,7 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/eap
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/filter
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/operator-name
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/rfc7542
|
||||
|
||||
|
||||
# binaries
|
||||
@ -751,7 +794,14 @@ exit 0
|
||||
/etc/raddb/mods-config/python/example.py*
|
||||
/etc/raddb/mods-config/python/radiusd.py*
|
||||
%{_libdir}/freeradius/rlm_python.so
|
||||
%endif # with python2
|
||||
# endif: with python2
|
||||
%endif
|
||||
|
||||
%files -n python3-freeradius
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/python3
|
||||
/etc/raddb/mods-config/python3/example.py*
|
||||
/etc/raddb/mods-config/python3/radiusd.py*
|
||||
%{_libdir}/freeradius/rlm_python3.so
|
||||
|
||||
%files mysql
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/mysql
|
||||
@ -767,6 +817,7 @@ exit 0
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/schema.sql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure.sql
|
||||
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
|
||||
@ -803,6 +854,7 @@ exit 0
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/postgresql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/queries.conf
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/schema.sql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/procedure.sql
|
||||
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/setup.sql
|
||||
@ -852,6 +904,77 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
||||
|
||||
%changelog
|
||||
* Thu Jul 11 2023 Antonio Torres <antorres@redhat.com> - 3.0.20-15
|
||||
- Backport BlastRADIUS CVE fix
|
||||
Resolves: RHEL-46572
|
||||
|
||||
* Fri Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-14
|
||||
- Fix defect found by Covscan
|
||||
Resolves: #2151704
|
||||
|
||||
* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-13
|
||||
- Fix multiple CVEs
|
||||
- Add rpminspect configuration
|
||||
Resolves: #2151702
|
||||
Resolves: #2151704
|
||||
Resolves: #2151706
|
||||
|
||||
* Thu Dec 9 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-12
|
||||
- Fix segfault when home_server is null
|
||||
Resolves: bz#2030173
|
||||
|
||||
* Thu Nov 18 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-11
|
||||
- Fix unterminated strings in SQL queries
|
||||
Resolves: bz#2021247
|
||||
|
||||
* Fri Nov 12 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-10
|
||||
- Rebuild to pick up latest json-c
|
||||
Resolves: bz#2021818
|
||||
|
||||
* Tue Aug 03 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-9
|
||||
- radiusd.service: don't fail if bootstrap script is not present
|
||||
Resolves: bz#1954521
|
||||
|
||||
* Fri Jul 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-8
|
||||
- Extend info about boostrap script in README and comments
|
||||
Resolves: bz#1954521
|
||||
|
||||
* Wed Jul 21 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-7
|
||||
- Ensure bootstrap script is run only once
|
||||
Resolves: bz#1954521
|
||||
|
||||
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-6
|
||||
- Exit if host in FIPS mode and MD5 usage not explicitly allowed
|
||||
Resolves: bz#1958979
|
||||
|
||||
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-5
|
||||
- Fix coredump not being able to be enabled
|
||||
Resolves: bz#1977572
|
||||
|
||||
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-4
|
||||
- Fix some manpage typos
|
||||
Resolves: bz#1843807
|
||||
|
||||
* Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
|
||||
- Require make for proper bootstrap execution, removes post script
|
||||
Resolves: bz#1672285
|
||||
|
||||
* Wed Aug 05 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-2
|
||||
- Fix breakage caused by OpenSSL FIPS regression
|
||||
Related: bz#1855822
|
||||
Related: bz#1810911
|
||||
Resolves: bz#1672285
|
||||
|
||||
* Mon Jun 08 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-1
|
||||
- Update to FreeRADIUS server version 3.0.20
|
||||
- Introduce Python 3 support; resolves: bz#1623069
|
||||
- DoS issues due to multithreaded BN_CTX access; resolves: bz#1818809
|
||||
- Create tmp files in /run; resolves: bz#1805975
|
||||
|
||||
* Fri Nov 22 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-7
|
||||
- Fix information leak due to aborting when needing more than 10 iterations
|
||||
Resolves: bz#1751797
|
||||
|
||||
* Fri Jun 14 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-6
|
||||
- Fix handling of IPv6-only hostnames with listen.ipaddr
|
||||
Resolves: bz#1685546
|
||||
|
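Review bot: The `%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam` entry in the %files hunk treats the parameters of a fixed, standard DH group (RFC 3526 group 18, going by the file name) as site configuration, so once the copy on a host differs from the packaged one — an edit, an accidental `openssl dhparam` regeneration, a truncated write — every later upgrade keeps the local file and a corrected package can never repair it. Standard group parameters are data rather than configuration: `%attr(640,root,radiusd) /etc/raddb/certs/rfc3526-group-18-8192.dhparam` (plain `%config` at most) lets the package own the file, and an operator who wants different parameters can point the server at another file. Nothing in the commit records where Source105 came from or that it decodes to the group 18 prime with generator 2; a comment next to the `cp %{SOURCE105}` line in %prep, e.g. `# Source105 is the RFC 3526 MODP group 18 (8192-bit, g=2) prime; check with: openssl dhparam -in %{SOURCE105} -noout -text`, would make that reviewable. In the %changelog hunk, `Thu Jul 11 2023` for 3.0.20-15 is not a valid date (11 July 2023 was a Tuesday; 11 July 2024 is the Thursday) and `Fri Dec 14 2022` for 3.0.20-14 has the same problem (a Wednesday); rpmbuild warns on both, and the BlastRADIUS entry should also cite the CVE identifier alongside `RHEL-46572`.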