From 42d0ad4c00afbbcecfa9e32f387f7d51d25a5590 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 27 2020 18:51:24 +0000 Subject: import freeradius-3.0.20-3.module+el8.3.0+7597+67902674 --- diff --git a/SOURCES/freeradius-bootstrap-create-only.patch b/SOURCES/freeradius-bootstrap-create-only.patch index 7af7c94..5b788d9 100644 --- a/SOURCES/freeradius-bootstrap-create-only.patch +++ b/SOURCES/freeradius-bootstrap-create-only.patch @@ -1,36 +1,20 @@ -From d38836ca4158b42c27f4d7f474e64f4f10aed16d Mon Sep 17 00:00:00 2001 +From 3f40655ad0708b74a4a41b13c2b21995b157c14d Mon Sep 17 00:00:00 2001 From: Alexander Scheel -Date: Wed, 8 May 2019 10:29:08 -0400 +Date: Wed, 5 Aug 2020 15:53:45 -0400 Subject: [PATCH] Don't clobber existing files on bootstrap +Rebased: v3.0.20 + Signed-off-by: Alexander Scheel --- - raddb/certs/bootstrap | 39 ++++++++++++--------------------------- - 1 file changed, 12 insertions(+), 27 deletions(-) + raddb/certs/bootstrap | 35 +++++++++++++++++++---------------- + 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap -index 0f719aafd4..be81a2d697 100755 +index 0f719aa..336a2bd 100755 --- a/raddb/certs/bootstrap +++ b/raddb/certs/bootstrap -@@ -13,17 +13,6 @@ - umask 027 - cd `dirname $0` - --make -h > /dev/null 2>&1 -- --# --# If we have a working "make", then use it. Otherwise, run the commands --# manually. --# --if [ "$?" = "0" ]; then -- make all -- exit $? --fi -- - # - # The following commands were created by running "make -n", and edited - # to remove the trailing backslash, and to add "exit 1" after the commands. -@@ -31,52 +20,51 @@ fi +@@ -31,52 +31,55 @@ fi # Don't edit the following text. Instead, edit the Makefile, and # re-generate these commands. # 
@@ -44,60 +28,64 @@ index 0f719aafd4..be81a2d697 100755 - fi + ln -sf /dev/urandom random fi - + -if [ ! -f server.key ]; then +if [ ! -e server.key ]; then openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1 ++ chmod g+r server.key fi - + -if [ ! -f ca.key ]; then +if [ ! -e ca.key ]; then openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1 fi - + -if [ ! -f index.txt ]; then +if [ ! -e index.txt ]; then touch index.txt fi - + -if [ ! -f serial ]; then +if [ ! -e serial ]; then echo '01' > serial fi - + -if [ ! -f server.crt ]; then +if [ ! -e server.crt ]; then openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1 fi - + -if [ ! -f server.p12 ]; then +if [ ! -e server.p12 ]; then openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 ++ chmod g+r server.p12 fi - + -if [ ! -f server.pem ]; then +if [ ! -e server.pem ]; then openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 openssl verify -CAfile ca.pem server.pem || exit 1 ++ chmod g+r server.pem fi - + -if [ ! -f ca.der ]; then +if [ ! -e ca.der ]; then openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1 fi - + -if [ ! -f client.key ]; then +if [ ! -e client.key ]; then openssl req -new -out client.csr -keyout client.key -config ./client.cnf ++ chmod g+r client.key fi - + -if [ ! -f client.crt ]; then +if [ ! 
-e client.crt ]; then openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf fi + +chown root:radiusd dh ca.* client.* server.* -+chmod 644 dh ca.* client.* server.* --- -2.21.0 ++chmod 640 dh ca.* client.* server.* +-- +2.26.2
diff --git a/SOURCES/freeradius-bootstrap-fixed-dhparam.patch b/SOURCES/freeradius-bootstrap-fixed-dhparam.patch
new file mode 100644
index 0000000..6121f4b
--- /dev/null
+++ b/SOURCES/freeradius-bootstrap-fixed-dhparam.patch
@@ -0,0 +1,52 @@
+From b31f1ab9a0e1c010037d2d660e3ce4ea7eb07d6c Mon Sep 17 00:00:00 2001
+From: Alexander Scheel
+Date: Wed, 5 Aug 2020 16:10:52 -0400
+Subject: [PATCH] Use fixed FIPS-approved dhparam by default
+
+Signed-off-by: Alexander Scheel
+---
+ raddb/certs/Makefile | 2 +-
+ raddb/certs/bootstrap | 7 +++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
+index 5cbfd46..41b7aea 100644
+--- a/raddb/certs/Makefile
++++ b/raddb/certs/Makefile
+@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
+ #
+ ######################################################################
+ dh:
+- $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
++ cp rfc3526-group-18-8192.dhparam dh
+
+ ######################################################################
+ #
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 9920ecf..59b3310 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -13,6 +13,10 @@
+ umask 027
+ cd `dirname $0`
+
++if [ ! -e random ]; then
++ ln -sf /dev/urandom random
++fi
++
+ make -h > /dev/null 2>&1
+
+ #
+@@ -35,8 +39,7 @@ fi
+ # re-generate these commands.
+ #
+ if [ ! -e dh ]; then
+- openssl dhparam -out dh 2048 || exit 1
+- ln -sf /dev/urandom random
++ cp rfc3526-group-18-8192.dhparam dh
+ fi
+
+ if [ ! -e server.key ]; then
+--
+2.26.2
+
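Review bot: The trailing `chmod 640 dh ca.* client.* server.*` (together with the per-file `chmod g+r` lines added above it) makes ca.key and client.key readable by the radiusd group alongside the server material; presumably the daemon only needs ca.pem/ca.der, server.key/server.pem/server.p12 and dh — confirm against mods-available/eap — in which case the CA signing key can be tightened again right after the blanket chmod with `chmod 600 ca.key client.key`. The same glob is used by the chmod added in freeradius-bootstrap-make-permissions.patch. The new chown and chmod are also the only steps in this script without an `|| exit 1`, so a failed ownership change (for instance when the script is not run as root) goes unnoticed. The bootstrap script starts before this hunk.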
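Review bot: In the bootstrap hunk, `cp rfc3526-group-18-8192.dhparam dh` drops the `|| exit 1` that the replaced `openssl dhparam` line carried, so a missing or unreadable .dhparam file leaves the script running without a `dh` file, and the later chown/chmod globs then fail on a literal `dh`. Restoring the guard as `cp rfc3526-group-18-8192.dhparam dh || exit 1` keeps the script's existing fail-fast convention. The Makefile rule has the same shape but make already stops on a failing recipe, so only the shell side needs the change. Both patched files continue outside the hunk.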
diff --git a/SOURCES/freeradius-bootstrap-make-permissions.patch b/SOURCES/freeradius-bootstrap-make-permissions.patch
new file mode 100644
index 0000000..3548fa6
--- /dev/null
+++ b/SOURCES/freeradius-bootstrap-make-permissions.patch
@@ -0,0 +1,29 @@
+From ea164ceafa05f96079204a3f0ae379e46e64a455 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel
+Date: Tue, 4 Aug 2020 10:08:15 -0400
+Subject: [PATCH] Fix permissions after generating certificates with make
+
+Signed-off-by: Alexander Scheel
+---
+ raddb/certs/bootstrap | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 336a2bd..9920ecf 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -21,7 +21,10 @@ make -h > /dev/null 2>&1
+ #
+ if [ "$?" = "0" ]; then
+ make all
+- exit $?
++ ret=$?
++ chown root:radiusd dh ca.* client.* server.*
++ chmod 640 dh ca.* client.* server.*
++ exit $ret
+ fi
+
+ #
+--
+2.26.2
+
diff --git a/SOURCES/freeradius-no-dh-param-load-FIPS.patch b/SOURCES/freeradius-no-dh-param-load-FIPS.patch
new file mode 100644
index 0000000..b727a26
--- /dev/null
+++ b/SOURCES/freeradius-no-dh-param-load-FIPS.patch
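Review bot: In the `make all` branch the new `chown` and `chmod` run even when make has failed, and their own exit status is discarded by `exit $ret`, so a partially generated certificate set is re-permissioned while a failed chown (for example when the script is not run as root) is never reported. Stopping at the first failure keeps the script's existing convention: replace the `ret=$?` capture with `make all || exit $?`, append `|| exit 1` to the chown and chmod lines, and end the branch with `exit 0`. The `if [ "$?" = "0" ]` block is shown in full, but the bootstrap script continues outside the hunk.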
@@ -0,0 +1,45 @@
+From 42693cba452efa00a4848beb1514229149520cc1 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel
+Date: Wed, 5 Aug 2020 11:39:45 -0400
+Subject: [PATCH] Ignore user-provided dhparams in FIPS mode (#3554)
+
+OpenSSL in RHEL 8.3 introduces a breaking change in FIPS mode:
+user-provided dhparams will be ignored (and dhparam generation
+may fail as well), unless they are on the FIPS approved list of
+parameters. However, OpenSSL since v1.1.1 will automatically select
+an appropriate DH parameter set anyways, if the user did not provide
+any. These will be FIPS approved.
+
+Signed-off-by: Alexander Scheel
+---
+ src/main/tls.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 5809a1bd7d..5e6493333c 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -1352,6 +1352,23 @@ static int load_dh_params(SSL_CTX *ctx, char *file)
+
+ if (!file) return 0;
+
++ /*
++ * Prior to trying to load the file, check what OpenSSL will do with it.
++ *
++ * Certain downstreams (such as RHEL) will ignore user-provided dhparams
++ * in FIPS mode, unless the specified parameters are FIPS-approved.
++ * However, since OpenSSL >= 1.1.1 will automatically select parameters
++ * anyways, there's no point in attempting to load them.
++ *
++ * Change suggested by @t8m
++ */
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++ if (FIPS_mode() > 0) {
++ WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
++ return 0;
++ }
++#endif
++
+ if ((bio = BIO_new_file(file, "r")) == NULL) {
+ ERROR(LOG_PREFIX ": Unable to open DH file - %s", file);
+ return -1;
diff --git a/SOURCES/radiusd.service b/SOURCES/radiusd.service
index f545280..d073530 100644
--- a/SOURCES/radiusd.service
+++ b/SOURCES/radiusd.service
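Review bot: The early `return 0` leaves the SSL_CTX without explicit DH parameters while the warning promises "Using defaults"; in OpenSSL 1.1.1 automatic DH parameter selection only takes effect when it is enabled on the context (SSL_CTX_set_dh_auto), so whether DHE suites stay available in FIPS mode depends on context setup outside this hunk and should be confirmed, or enabled here before returning. The `#if` guard has only a lower bound, and FIPS_mode() is deprecated from OpenSSL 3.0 in favour of EVP_default_properties_is_fips_enabled(); a comment such as `/* FIPS_mode() is deprecated in OpenSSL 3.0; revisit this check when moving past 1.1.1 */` would make the intended range explicit for the next rebase. load_dh_params starts and continues outside the hunk.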
@@ -6,6 +6,7 @@ After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.serv
 Type=forking
 PIDFile=/var/run/radiusd/radiusd.pid
 ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
+ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap
 ExecStartPre=/usr/sbin/radiusd -C
 ExecStart=/usr/sbin/radiusd -d /etc/raddb
 ExecReload=/usr/sbin/radiusd -C
diff --git a/SOURCES/rfc3526-group-18-8192.pem b/SOURCES/rfc3526-group-18-8192.pem
new file mode 100644
index 0000000..af54dd6
--- /dev/null
+++ b/SOURCES/rfc3526-group-18-8192.pem
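Review bot: The new `ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap` runs the bootstrap script with the unit's privileges at every start (no `User=` is visible here, so presumably root, which the script's `chown root:radiusd` needs), and unlike the chown line above it carries no `-` prefix, so any non-zero exit from the script now blocks radiusd from starting; that seems intended, since a missing server.pem would fail `radiusd -C` anyway, but a short comment in the unit would record it. Because the script runs `make all` inside /etc/raddb/certs, the Makefile, *.cnf and xpextensions inputs there must stay root-owned and not group-writable; the spec's `%attr` lines cover *.cnf and bootstrap, so confirm the Makefile is packaged the same way. The unit file continues outside the hunk.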
@@ -0,0 +1,24 @@
+-----BEGIN DH PARAMETERS-----
+MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
+IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
+awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
+mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
+fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
+5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
+fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
+ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
+ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
+HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG
+3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU
+7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId
+A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha
+xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/
+8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R
+WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk
+ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw
+xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4
+Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i
+aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU
+38gfVuiAuW5xYMmA3Zjt09///////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/SPECS/freeradius.spec b/SPECS/freeradius.spec
index 4555d6a..040a696 100644
--- a/SPECS/freeradius.spec
+++ b/SPECS/freeradius.spec
@@ -9,7 +9,7 @@ Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.20
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@@ -28,12 +28,16 @@ Source100: radiusd.service
 Source102: freeradius-logrotate
 Source103: freeradius-pam-conf
 Source104: freeradius-tmpfiles.conf
+Source105: rfc3526-group-18-8192.pem
 Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
 Patch2: freeradius-Use-system-crypto-policy-by-default.patch
 Patch3: freeradius-bootstrap-create-only.patch
 Patch4: freeradius-no-buildtime-cert-gen.patch
 Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
+Patch6: freeradius-bootstrap-make-permissions.patch
+Patch7: freeradius-no-dh-param-load-FIPS.patch
+Patch8: freeradius-bootstrap-fixed-dhparam.patch
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@@ -65,7 +69,7 @@ Requires(pre): shadow-utils glibc-common
 Requires(post): systemd-sysv
 Requires(post): systemd-units
 # Needed for certificate generation
-Requires(post): make
+Requires: make
 Requires(preun): systemd-units
 Requires(postun): systemd-units
@@ -227,6 +231,12 @@ This plugin provides the REST support for the FreeRADIUS server project.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+
+# Add fixed dhparam file to the source to ensure `make tests` can run.
+cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
 %build
 # Force compile/link options, extra security for network facing daemon
@@ -292,6 +302,9 @@ install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
 install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf
+# Add fixed dhparam file
+install -m 0644 %{SOURCE105} %{buildroot}/%{_sysconfdir}/raddb/certs/rfc3526-group-18-8192.dhparam
+
 # install SNMP MIB files
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
 install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
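Review bot: The new `install -m 0644 %{SOURCE105} %{buildroot}/%{_sysconfdir}/...` line in the %install hunk puts a doubled slash between %{buildroot} and %{_sysconfdir}; the neighbouring install lines write `%{buildroot}%{_tmpfilesdir}`, so `install -m 0640 %{SOURCE105} %{buildroot}%{_sysconfdir}/raddb/certs/rfc3526-group-18-8192.dhparam` matches them and also keeps the mode in step with the 640 that the %files entry applies (which works today only because %attr wins over the install mode). Changing `Requires(post): make` to a plain `Requires: make` is consistent with the bootstrap now running from the unit file rather than from %post, and the comment above it (`# Needed for certificate generation`) still fits. The %install section continues outside the hunk.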
@@ -376,12 +389,6 @@ exit 0
 %post
 %systemd_post radiusd.service
-if [ $1 -eq 1 ]; then # install
- # Initial installation
- if [ ! -e /etc/raddb/certs/server.pem ]; then
- /sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1
- fi
-fi
 exit 0
 %preun
@@ -447,6 +454,7 @@ exit 0
 /etc/raddb/certs/README
 %config(noreplace) /etc/raddb/certs/xpextensions
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam
 %attr(750,root,radiusd) /etc/raddb/certs/bootstrap
 # mods-config
@@ -876,6 +884,16 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 %changelog
+* Thu Aug 06 2020 Alexander Scheel - 3.0.20-3
+- Require make for proper bootstrap execution, removes post script
+ Resolves: bz#1672285
+
+* Wed Aug 05 2020 Alexander Scheel - 3.0.20-2
+- Fix breakage caused by OpenSSL FIPS regression
+ Related: bz#1855822
+ Related: bz#1810911
+ Resolves: bz#1672285
+
 * Mon Jun 08 2020 Alexander Scheel - 3.0.20-1
 - Update to FreeRADIUS server version 3.0.20
 - Introduce Python 3 support; resolves: bz#1623069
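Review bot: The new %files entry marks rfc3526-group-18-8192.dhparam as `%config(noreplace)`, but the file is a fixed RFC 3526 parameter set shipped by the package rather than site configuration; with noreplace, a later update that corrects the file leaves the old copy in place and drops an .rpmnew beside it, which the `if [ ! -e dh ]` copy in bootstrap would never notice. Plain `%attr(640,root,radiusd) /etc/raddb/certs/rfc3526-group-18-8192.dhparam` lets updates replace it; if an administrator-supplied override is the intent, a comment on the line saying so would help. The %files section continues outside the hunk.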