From 653d328be726289253070525fdd02ffd60b33aaa Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 14 2018 13:02:32 +0000 Subject: import freeradius-3.0.13-9.el7_5 --- diff --git a/.freeradius.metadata b/.freeradius.metadata new file mode 100644 index 0000000..1dcc6e9 --- /dev/null +++ b/.freeradius.metadata @@ -0,0 +1 @@ +29d4e4c21db4d17a60eab034c15927c83177c786 SOURCES/freeradius-server-3.0.13.tar.bz2 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8ce4c4b --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/freeradius-server-3.0.13.tar.bz2 diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/freeradius-FR-GV-201-check-input-output-length-in-make_secret.patch b/SOURCES/freeradius-FR-GV-201-check-input-output-length-in-make_secret.patch new file mode 100644 index 0000000..04a8bea --- /dev/null +++ b/SOURCES/freeradius-FR-GV-201-check-input-output-length-in-make_secret.patch @@ -0,0 +1,64 @@ +From 8af41abbd3c0b078425963d88494cfa4e22627e5 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Tue, 4 Jul 2017 10:12:09 -0400 +Subject: [PATCH] FR-GV-201 - check input / output length in make_secret() + +--- + src/lib/radius.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/src/lib/radius.c b/src/lib/radius.c +index b9f0f59c9..62ec11c7a 100644 +--- a/src/lib/radius.c ++++ b/src/lib/radius.c +@@ -542,17 +542,17 @@ static ssize_t rad_recvfrom(int sockfd, RADIUS_PACKET *packet, int flags, + * encrypting passwords to RADIUS. + */ + static void make_secret(uint8_t *digest, uint8_t const *vector, +- char const *secret, uint8_t const *value) ++ char const *secret, uint8_t const *value, size_t length) + { + FR_MD5_CTX context; +- int i; ++ size_t i; + + fr_md5_init(&context); + fr_md5_update(&context, vector, AUTH_VECTOR_LEN); + fr_md5_update(&context, (uint8_t const *) secret, strlen(secret)); + fr_md5_final(digest, &context); + +- for ( i = 0; i < AUTH_VECTOR_LEN; i++ ) { ++ for ( i = 0; i < length; i++ ) { + digest[i] ^= value[i]; + } + } +@@ -1010,8 +1010,8 @@ static ssize_t vp2data_any(RADIUS_PACKET const *packet, + * always fits. + */ + case FLAG_ENCRYPT_ASCEND_SECRET: +- if (len != 16) return 0; +- make_secret(ptr, packet->vector, secret, data); ++ if (len > AUTH_VECTOR_LEN) len = AUTH_VECTOR_LEN; ++ make_secret(ptr, packet->vector, secret, data, len); + len = AUTH_VECTOR_LEN; + break; + +@@ -3769,9 +3769,14 @@ ssize_t data2vp(TALLOC_CTX *ctx, + goto raw; + } else { + uint8_t my_digest[AUTH_VECTOR_LEN]; ++ size_t secret_len; ++ ++ secret_len = datalen; ++ if (secret_len > AUTH_VECTOR_LEN) secret_len = AUTH_VECTOR_LEN; ++ + make_secret(my_digest, + original->vector, +- secret, data); ++ secret, data, secret_len); + memcpy(buffer, my_digest, + AUTH_VECTOR_LEN ); + buffer[AUTH_VECTOR_LEN] = '\0'; +-- +2.13.2 + diff --git a/SOURCES/freeradius-FR-GV-206-decode-option-60-string-not-63-octets-and-.patch b/SOURCES/freeradius-FR-GV-206-decode-option-60-string-not-63-octets-and-.patch new file mode 100644 index 0000000..186b156 --- /dev/null +++ b/SOURCES/freeradius-FR-GV-206-decode-option-60-string-not-63-octets-and-.patch @@ -0,0 +1,28 @@ +From 46aa2d51f137ca34842dd744d17321ed7c11b386 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Mon, 3 Jul 2017 11:36:13 -0400 +Subject: [PATCH] FR-GV-206 - decode option 60 (string) not 63 (octets), and + check length + +--- + src/modules/proto_dhcp/dhcp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/modules/proto_dhcp/dhcp.c b/src/modules/proto_dhcp/dhcp.c +index 98d87509d..a66a931cb 100644 +--- a/src/modules/proto_dhcp/dhcp.c ++++ b/src/modules/proto_dhcp/dhcp.c +@@ -1097,8 +1097,8 @@ int fr_dhcp_decode(RADIUS_PACKET *packet) + /* + * Vendor is "MSFT 98" + */ +- vp = fr_pair_find_by_num(head, 63, DHCP_MAGIC_VENDOR, TAG_ANY); +- if (vp && (strcmp(vp->vp_strvalue, "MSFT 98") == 0)) { ++ vp = fr_pair_find_by_num(head, 60, DHCP_MAGIC_VENDOR, TAG_ANY); ++ if (vp && (vp->vp_length >= 7) && (memcmp(vp->vp_octets, "MSFT 98", 7) == 0)) { + vp = fr_pair_find_by_num(head, 262, DHCP_MAGIC_VENDOR, TAG_ANY); + + /* +-- +2.13.2 + diff --git a/SOURCES/freeradius-FR-GV-301-handle-malformed-WiMAX-attributes.patch b/SOURCES/freeradius-FR-GV-301-handle-malformed-WiMAX-attributes.patch new file mode 100644 index 0000000..a427291 --- /dev/null +++ b/SOURCES/freeradius-FR-GV-301-handle-malformed-WiMAX-attributes.patch @@ -0,0 +1,270 @@ +From c4685b85f61f28ea0d5cf4e41cb8feaa5193d9dd Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Tue, 27 Jun 2017 21:49:20 -0400 +Subject: [PATCH] FR-GV-301 - handle malformed WiMAX attributes + +--- + src/lib/radius.c | 177 ++++++++++++++++++++++++++++++++++------------- + src/tests/unit/wimax.txt | 12 ++++ + 2 files changed, 142 insertions(+), 47 deletions(-) + +diff --git a/src/lib/radius.c b/src/lib/radius.c +index 7114e1650..ea4cbf06b 100644 +--- a/src/lib/radius.c ++++ b/src/lib/radius.c +@@ -3229,7 +3229,7 @@ static ssize_t data2vp_extended(TALLOC_CTX *ctx, RADIUS_PACKET *packet, + return end - data; + } + +-/** Convert a Vendor-Specific WIMAX to vps ++/** Convert a Vendor-Specific WIMAX to VPs + * + * @note Called ONLY for Vendor-Specific + */ +@@ -3241,25 +3241,54 @@ static ssize_t data2vp_wimax(TALLOC_CTX *ctx, + VALUE_PAIR **pvp) + { + ssize_t rcode; +- size_t fraglen; +- bool last_frag; ++ size_t wimax_len; ++ bool more; + uint8_t *head, *tail; +- uint8_t const *frag, *end; ++ uint8_t const *attr, *end; + DICT_ATTR const *child; + +- if (attrlen < 8) return -1; ++ /* ++ * data = VID VID VID VID WiMAX-Attr WimAX-Len Continuation ... ++ */ ++ ++ /* ++ * Not enough room for WiMAX Vendor + Wimax attr + length ++ * + continuation, it's a bad attribute. ++ */ ++ if (attrlen < 8) { ++ raw: ++ /* ++ * It's not a Vendor-Specific, it's unknown... ++ */ ++ child = dict_unknown_afrom_fields(ctx, PW_VENDOR_SPECIFIC, 0); ++ if (!child) { ++ fr_strerror_printf("Internal sanity check %d", __LINE__); ++ return -1; ++ } ++ ++ rcode = data2vp(ctx, packet, original, secret, child, ++ data, attrlen, attrlen, pvp); ++ if (rcode < 0) return rcode; ++ return attrlen; ++ } + +- if (((size_t) (data[5] + 4)) != attrlen) return -1; ++ if (data[5] < 3) goto raw; /* WiMAX-Length is too small */ + + child = dict_attrbyvalue(data[4], vendor); +- if (!child) return -1; ++ if (!child) goto raw; + ++ /* ++ * No continued data, just decode the attribute in place. ++ */ + if ((data[6] & 0x80) == 0) { ++ if ((data[5] + 4) != attrlen) goto raw; /* WiMAX attribute doesn't fill Vendor-Specific */ ++ + rcode = data2vp(ctx, packet, original, secret, child, + data + 7, data[5] - 3, data[5] - 3, + pvp); +- if (rcode < 0) return -1; +- return 7 + rcode; ++ ++ if ((rcode < 0) || (((size_t) rcode + 7) != attrlen)) goto raw; /* didn't decode all of the data */ ++ return attrlen; + } + + /* +@@ -3268,61 +3297,115 @@ static ssize_t data2vp_wimax(TALLOC_CTX *ctx, + * MUST be all of the same VSA, WiMAX, and WiMAX-attr. + * + * The first fragment doesn't have a RADIUS attribute +- * header, so it needs to be treated a little special. ++ * header. + */ +- fraglen = data[5] - 3; +- frag = data + attrlen; ++ wimax_len = 0; ++ attr = data + 4; + end = data + packetlen; +- last_frag = false; + +- while (frag < end) { +- if (last_frag || +- (frag[0] != PW_VENDOR_SPECIFIC) || +- (frag[1] < 9) || /* too short for wimax */ +- ((frag + frag[1]) > end) || /* overflow */ +- (memcmp(frag + 2, data, 4) != 0) || /* not wimax */ +- (frag[6] != data[4]) || /* not the same wimax attr */ +- ((frag[7] + 6) != frag[1])) { /* doesn't fill the attr */ +- end = frag; +- break; +- } ++ while (attr < end) { ++ /* ++ * Not enough room for Attribute + length + ++ * continuation, it's bad. ++ */ ++ if ((end - attr) < 3) goto raw; + +- last_frag = ((frag[8] & 0x80) == 0); ++ /* ++ * Must have non-zero data in the attribute. ++ */ ++ if (attr[1] <= 3) goto raw; + +- fraglen += frag[7] - 3; +- frag += frag[1]; +- } ++ /* ++ * If the WiMAX attribute overflows the packet, ++ * it's bad. ++ */ ++ if ((attr + attr[1]) > end) goto raw; + +- head = tail = malloc(fraglen); +- if (!head) return -1; ++ /* ++ * Check the continuation flag. ++ */ ++ more = ((attr[2] & 0x80) != 0); ++ ++ /* ++ * Or, there's no more data, in which case we ++ * shorten "end" to finish at this attribute. ++ */ ++ if (!more) end = attr + attr[1]; ++ ++ /* ++ * There's more data, but we're at the end of the ++ * packet. The attribute is malformed! ++ */ ++ if (more && ((attr + attr[1]) == end)) goto raw; ++ ++ /* ++ * Add in the length of the data we need to ++ * concatenate together. ++ */ ++ wimax_len += attr[1] - 3; ++ ++ /* ++ * Go to the next attribute, and stop if there's ++ * no more. ++ */ ++ attr += attr[1]; ++ if (!more) break; ++ ++ /* ++ * data = VID VID VID VID WiMAX-Attr WimAX-Len Continuation ... ++ * ++ * attr = Vendor-Specific VSA-Length VID VID VID VID WiMAX-Attr WimAX-Len Continuation ... ++ * ++ */ ++ ++ /* ++ * No room for Vendor-Specific + length + ++ * Vendor(4) + attr + length + continuation + data ++ */ ++ if ((end - attr) < 9) goto raw; ++ ++ if (attr[0] != PW_VENDOR_SPECIFIC) goto raw; ++ if (attr[1] < 9) goto raw; ++ if ((attr + attr[1]) > end) goto raw; ++ if (memcmp(data, attr + 2, 4) != 0) goto raw; /* not WiMAX Vendor ID */ ++ ++ if (attr[1] != (attr[7] + 6)) goto raw; /* WiMAX attr doesn't exactly fill the VSA */ ++ ++ if (data[4] != attr[6]) goto raw; /* different WiMAX attribute */ ++ ++ /* ++ * Skip over the Vendor-Specific header, and ++ * continue with the WiMAX attributes. ++ */ ++ attr += 6; ++ } + + /* +- * And again, but faster and looser. +- * +- * We copy the first fragment, followed by the rest of +- * the fragments. ++ * No data in the WiMAX attribute, make a "raw" one. + */ +- frag = data; ++ if (!wimax_len) goto raw; + +- memcpy(tail, frag + 4 + 3, frag[4 + 1] - 3); +- tail += frag[4 + 1] - 3; +- frag += attrlen; /* should be frag[1] - 7 */ ++ head = tail = malloc(wimax_len); ++ if (!head) return -1; + + /* +- * frag now points to RADIUS attributes ++ * Copy the data over, this time trusting the attribute ++ * contents. + */ +- do { +- memcpy(tail, frag + 2 + 4 + 3, frag[2 + 4 + 1] - 3); +- tail += frag[2 + 4 + 1] - 3; +- frag += frag[1]; +- } while (frag < end); ++ attr = data; ++ while (attr < end) { ++ memcpy(tail, attr + 4 + 3, attr[4 + 1] - 3); ++ tail += attr[4 + 1] - 3; ++ attr += 4 + attr[4 + 1]; /* skip VID+WiMax header */ ++ attr += 2; /* skip Vendor-Specific header */ ++ } + +- VP_HEXDUMP("wimax fragments", head, fraglen); ++ VP_HEXDUMP("wimax fragments", head, wimax_len); + + rcode = data2vp(ctx, packet, original, secret, child, +- head, fraglen, fraglen, pvp); ++ head, wimax_len, wimax_len, pvp); + free(head); +- if (rcode < 0) return rcode; ++ if (rcode < 0) goto raw; + + return end - data; + } +diff --git a/src/tests/unit/wimax.txt b/src/tests/unit/wimax.txt +index 191b37e25..6e373d59a 100644 +--- a/src/tests/unit/wimax.txt ++++ b/src/tests/unit/wimax.txt +@@ -7,6 +7,12 @@ data 1a 0e 00 00 60 b5 01 08 00 01 05 31 2e 30 + decode - + data WiMAX-Release = "1.0" + ++decode 1a 08 00 00 60 b5 01 02 ++data Attr-26 = 0x000060b50102 ++ ++decode 1a 0a 00 00 60 b5 01 04 00 01 ++data Attr-26.24757.1 = 0x01 ++ + encode WiMAX-Accounting-Capabilities = 1 + data 1a 0c 00 00 60 b5 01 06 00 02 03 01 + +@@ -143,3 +149,9 @@ data 1a ff 00 00 60 b5 01 f9 80 01 ff 45 45 45 45 45 45 45 45 45 45 45 45 45 45 + + decode - + data WiMAX-Release = "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE", WiMAX-Idle-Mode-Notification-Cap = Supported ++ ++# ++# Continuation is set, but there's no continued data. ++decode 1a 0b 00 00 60 b5 31 05 80 00 00 ++data Attr-26 = 0x000060b53105800000 ++ +-- +2.13.2 + diff --git a/SOURCES/freeradius-FR-GV-302-do-checks-based-on-pointers-not-on-decoded.patch b/SOURCES/freeradius-FR-GV-302-do-checks-based-on-pointers-not-on-decoded.patch new file mode 100644 index 0000000..2c3c77b --- /dev/null +++ b/SOURCES/freeradius-FR-GV-302-do-checks-based-on-pointers-not-on-decoded.patch @@ -0,0 +1,82 @@ +From 019e35431db17661aa1d74d995fd0315af9a8dbf Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Tue, 27 Jun 2017 21:54:10 -0400 +Subject: [PATCH] FR-GV-302 - do checks based on pointers, not on decoded data + +because decoded data may be empty +--- + src/lib/radius.c | 10 +++++++++- + src/tests/unit/rfc.txt | 12 ++++++++++++ + 2 files changed, 21 insertions(+), 1 deletion(-) + +diff --git a/src/lib/radius.c b/src/lib/radius.c +index ad6b15b46..7114e1650 100644 +--- a/src/lib/radius.c ++++ b/src/lib/radius.c +@@ -2952,16 +2952,23 @@ static ssize_t data2vp_concat(TALLOC_CTX *ctx, + * don't care about walking off of the end of it. + */ + while (ptr < end) { ++ if (ptr[1] < 2) return -1; ++ if ((ptr + ptr[1]) > end) return -1; ++ + total += ptr[1] - 2; + + ptr += ptr[1]; + ++ if (ptr == end) break; ++ + /* + * Attributes MUST be consecutive. + */ + if (ptr[0] != attr) break; + } + ++ end = ptr; ++ + vp = fr_pair_afrom_da(ctx, da); + if (!vp) return -1; + +@@ -2974,7 +2981,7 @@ static ssize_t data2vp_concat(TALLOC_CTX *ctx, + + total = 0; + ptr = start; +- while (total < vp->vp_length) { ++ while (ptr < end) { + memcpy(p, ptr + 2, ptr[1] - 2); + p += ptr[1] - 2; + total += ptr[1] - 2; +@@ -2982,6 +2989,7 @@ static ssize_t data2vp_concat(TALLOC_CTX *ctx, + } + + *pvp = vp; ++ + return ptr - start; + } + +diff --git a/src/tests/unit/rfc.txt b/src/tests/unit/rfc.txt +index 00247940b..d870975e3 100644 +--- a/src/tests/unit/rfc.txt ++++ b/src/tests/unit/rfc.txt +@@ -178,6 +178,18 @@ data Failed to parse IPv4 address string "256/8" + attribute PMIP6-Home-IPv4-HoA = bob/8 + data Failed to parse IPv4 address string "bob/8" + ++# ++# A "concat" attribute, with no data ++# ++decode 89 02 ++data PKM-SS-Cert = 0x ++ ++# ++# Or with weirdly formatted data ++# ++decode 89 03 ff 89 02 89 03 fe ++data PKM-SS-Cert = 0xfffe ++ + $INCLUDE tunnel.txt + $INCLUDE errors.txt + $INCLUDE extended.txt +-- +2.13.2 + diff --git a/SOURCES/freeradius-FR-GV-303-do-memchr-of-end-p-not-q-p.patch b/SOURCES/freeradius-FR-GV-303-do-memchr-of-end-p-not-q-p.patch new file mode 100644 index 0000000..c0e0613 --- /dev/null +++ b/SOURCES/freeradius-FR-GV-303-do-memchr-of-end-p-not-q-p.patch @@ -0,0 +1,51 @@ +From af6d64cfa4f8ff64da1b5cd6cacd06ae3c095c37 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Mon, 3 Jul 2017 15:37:44 -0400 +Subject: [PATCH] FR-GV-303 - do memchr() of end-p, not q-p + +--- + src/modules/proto_dhcp/dhcp.c | 20 +++++++++----------- + 1 file changed, 9 insertions(+), 11 deletions(-) + +diff --git a/src/modules/proto_dhcp/dhcp.c b/src/modules/proto_dhcp/dhcp.c +index a66a931cb..dbfe81747 100644 +--- a/src/modules/proto_dhcp/dhcp.c ++++ b/src/modules/proto_dhcp/dhcp.c +@@ -774,25 +774,23 @@ static int fr_dhcp_attr2vp(TALLOC_CTX *ctx, VALUE_PAIR **vp_p, uint8_t const *da + * multiple additional VPs + */ + fr_cursor_init(&cursor, vp_p); +- for (;;) { +- q = memchr(p, '\0', q - p); ++ while (p < end) { ++ q = memchr(p, '\0', end - p); + /* Malformed but recoverable */ + if (!q) q = end; + + fr_pair_value_bstrncpy(vp, (char const *)p, q - p); + p = q + 1; + ++ if (p >= end) break; ++ + /* Need another VP for the next round */ +- if (p < end) { +- vp = fr_pair_afrom_da(ctx, vp->da); +- if (!vp) { +- fr_pair_list_free(vp_p); +- return -1; +- } +- fr_cursor_insert(&cursor, vp); +- continue; ++ vp = fr_pair_afrom_da(ctx, vp->da); ++ if (!vp) { ++ fr_pair_list_free(vp_p); ++ return -1; + } +- break; ++ fr_cursor_insert(&cursor, vp); + } + } + break; +-- +2.13.2 + diff --git a/SOURCES/freeradius-FR-GV-304-check-for-option-overflowing-the-packet.patch b/SOURCES/freeradius-FR-GV-304-check-for-option-overflowing-the-packet.patch new file mode 100644 index 0000000..64b68c5 --- /dev/null +++ b/SOURCES/freeradius-FR-GV-304-check-for-option-overflowing-the-packet.patch @@ -0,0 +1,41 @@ +From 4929ae5d13a2750f83cd1a7fd0191b8fca4d32d0 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Mon, 3 Jul 2017 15:42:35 -0400 +Subject: [PATCH] FR-GV-304 - check for option overflowing the packet + +--- + src/modules/proto_dhcp/dhcp.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/src/modules/proto_dhcp/dhcp.c b/src/modules/proto_dhcp/dhcp.c +index dbfe81747..5fd922d03 100644 +--- a/src/modules/proto_dhcp/dhcp.c ++++ b/src/modules/proto_dhcp/dhcp.c +@@ -629,6 +629,24 @@ static int fr_dhcp_decode_suboption(TALLOC_CTX *ctx, VALUE_PAIR **tlv, uint8_t c + uint32_t attr; + + /* ++ * Not enough room for the option header, it's a ++ * bad packet. ++ */ ++ if ((p + 2) > (data + len)) { ++ fr_pair_list_free(&head); ++ return -1; ++ } ++ ++ /* ++ * Not enough room for the option header + data, ++ * it's a bad packet. ++ */ ++ if ((p + 2 + p[1]) > (data + len)) { ++ fr_pair_list_free(&head); ++ return -1; ++ } ++ ++ /* + * The initial OID string looks like: + * .0 + * +-- +2.13.2 + diff --git a/SOURCES/freeradius-Fix-double-free-in-rlm_sql-acct_redundant.patch b/SOURCES/freeradius-Fix-double-free-in-rlm_sql-acct_redundant.patch new file mode 100644 index 0000000..4d05b59 --- /dev/null +++ b/SOURCES/freeradius-Fix-double-free-in-rlm_sql-acct_redundant.patch @@ -0,0 +1,31 @@ +From 7a1085292deb832d7cbf6b0e8f64b8253c3f2a78 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Tue, 13 Feb 2018 16:56:10 +0200 +Subject: [PATCH] Fix double free in rlm_sql acct_redundant + +Do not free "expanded" buffer twice in "acct_redundant" in rlm_sql.c. +This fixes a crash in the case of an accounting packet not matching a +Start entry in the database. + +See also https://bugzilla.redhat.com/show_bug.cgi?id=1540580 + +Found and fixed by Benoit Welterlen. +--- + src/modules/rlm_sql/rlm_sql.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/modules/rlm_sql/rlm_sql.c b/src/modules/rlm_sql/rlm_sql.c +index 3a032d32e..11f6c5d4c 100644 +--- a/src/modules/rlm_sql/rlm_sql.c ++++ b/src/modules/rlm_sql/rlm_sql.c +@@ -1439,7 +1439,6 @@ static int acct_redundant(rlm_sql_t *inst, REQUEST *request, sql_acct_section_t + if (!*expanded) { + RDEBUG("Ignoring null query"); + rcode = RLM_MODULE_NOOP; +- talloc_free(expanded); + + goto finish; + } +-- +2.16.1 + diff --git a/SOURCES/freeradius-Fix-some-issues-found-with-static-analyzers.patch b/SOURCES/freeradius-Fix-some-issues-found-with-static-analyzers.patch new file mode 100644 index 0000000..759d9d3 --- /dev/null +++ b/SOURCES/freeradius-Fix-some-issues-found-with-static-analyzers.patch @@ -0,0 +1,262 @@ +From 7024d6ce061d57af65fe3a068803212581552f96 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Fri, 10 Mar 2017 09:11:03 -0500 +Subject: [PATCH] Fix some issues found with static analyzers + +Fix some issues found with static analyzers. Includes the following. + +Coverity. Closes #1937 + +(cherry picked from commit 521e2a9bd3b1b49555bcd9fb90b03c456f616070) + +Allo session resumption for RadSec connectins. Closes #1936 + +(cherry picked from commit 43efa4321d7cd9fca1184f999e1cadeff3afda02) + +request->packet cannot be NULL. Helps with #1935 + +(cherry picked from commit 7f22c30476be495438d5bc4dbec2f618f09c0b15) + +remove unused variable + +(cherry picked from commit d9bfc70efbf575258425d2ca86160490e0c36a45) + +close open FDs on error, and use error path in more situations + +(cherry picked from commit e51af914bc5fdf879f821e6a1ecfe700bff937ca) + +return RLM_MODULE_FAIL for default switch statement + +(cherry picked from commit cdfa6e15065a4a616c96af516936117124a1c293) + +Remove always-false condition in rlm_eap_fast + +(cherry picked from commit 96d7a5e2bb393b4fd1b6cb6e0a6858e6c18eb96a) + +Remove always-false condition from cf_item_parse + +(cherry picked from commit 92624adf8170fb133b330fe02d8940a8bac86189) + +Ensure that error is always initialized + +(cherry picked from commit c483d8456e44747621334b318483c3a33752aaac) +--- + src/main/command.c | 15 ++++++++------- + src/main/conffile.c | 2 -- + src/main/process.c | 5 +++-- + src/main/tls.c | 12 ++++++------ + src/main/xlat.c | 6 +++++- + src/modules/rlm_cache/rlm_cache.c | 3 ++- + src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c | 3 --- + src/modules/rlm_mschap/rlm_mschap.c | 2 +- + 8 files changed, 25 insertions(+), 23 deletions(-) + +diff --git a/src/main/command.c b/src/main/command.c +index d3b729f9a..34c5268d7 100644 +--- a/src/main/command.c ++++ b/src/main/command.c +@@ -345,7 +345,7 @@ static int fr_server_domain_socket_perm(UNUSED char const *path, UNUSED uid_t ui + */ + static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid) + { +- int dir_fd = -1, path_fd = -1, sock_fd = -1, parent_fd = -1; ++ int dir_fd = -1, sock_fd = -1, parent_fd = -1; + char const *name; + char *buff = NULL, *dir = NULL, *p; + +@@ -392,8 +392,9 @@ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid) + fr_strerror_printf("Failed determining parent directory"); + error: + talloc_free(dir); +- close(dir_fd); +- close(path_fd); ++ if (sock_fd >= 0) close(sock_fd); ++ if (dir_fd >= 0) close(dir_fd); ++ if (parent_fd >= 0) close(parent_fd); + return -1; + } + +@@ -459,7 +460,7 @@ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid) + if (ret < 0) { + fr_strerror_printf("Failed changing ownership of control socket directory: %s", + fr_syserror(errno)); +- return -1; ++ goto error; + } + /* + * Control socket dir already exists, but we still need to +@@ -527,7 +528,7 @@ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid) + if (client_fd >= 0) { + fr_strerror_printf("Control socket '%s' is already in use", path); + close(client_fd); +- return -1; ++ goto error; + } + } + +@@ -676,8 +677,8 @@ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid) + if (uid != (uid_t)-1) rad_seuid(euid); + if (gid != (gid_t)-1) rad_segid(egid); + +- close(dir_fd); +- close(path_fd); ++ if (dir_fd >= 0) close(dir_fd); ++ if (parent_fd >= 0) close(parent_fd); + + return sock_fd; + } +diff --git a/src/main/conffile.c b/src/main/conffile.c +index df78184bd..10c029a0e 100644 +--- a/src/main/conffile.c ++++ b/src/main/conffile.c +@@ -1474,7 +1474,6 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d + + if (!value) { + if (required) { +- is_required: + cf_log_err(c_item, "Configuration item \"%s\" must have a value", name); + + return -1; +@@ -1620,7 +1619,6 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d + } + } + +- if (required && !value) goto is_required; + if (cant_be_empty && (value[0] == '\0')) goto cant_be_empty; + + if (attribute) { +diff --git a/src/main/process.c b/src/main/process.c +index c5a690672..c3856c7a1 100644 +--- a/src/main/process.c ++++ b/src/main/process.c +@@ -2122,8 +2122,9 @@ static void remove_from_proxy_hash_nl(REQUEST *request, bool yank) + } + + #ifdef WITH_TCP +- rad_assert(request->proxy_listener != NULL); +- request->proxy_listener->count--; ++ if (request->proxy_listener) { ++ request->proxy_listener->count--; ++ } + #endif + request->proxy_listener = NULL; + +diff --git a/src/main/tls.c b/src/main/tls.c +index caa7e62ed..a72be2b63 100644 +--- a/src/main/tls.c ++++ b/src/main/tls.c +@@ -1360,7 +1360,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess) + blob_len = i2d_SSL_SESSION(sess, NULL); + if (blob_len < 1) { + /* something went wrong */ +- RWDEBUG("Session serialisation failed, couldn't determine required buffer length"); ++ if (request) RWDEBUG("Session serialisation failed, couldn't determine required buffer length"); + return 0; + } + +@@ -1375,7 +1375,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess) + p = sess_blob; + rv = i2d_SSL_SESSION(sess, &p); + if (rv != blob_len) { +- RWDEBUG("Session serialisation failed"); ++ if (request) RWDEBUG("Session serialisation failed"); + goto error; + } + +@@ -1384,8 +1384,8 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess) + conf->session_cache_path, FR_DIR_SEP, buffer); + fd = open(filename, O_RDWR|O_CREAT|O_EXCL, 0600); + if (fd < 0) { +- RERROR("Session serialisation failed, failed opening session file %s: %s", +- filename, fr_syserror(errno)); ++ if (request) RERROR("Session serialisation failed, failed opening session file %s: %s", ++ filename, fr_syserror(errno)); + goto error; + } + +@@ -1409,7 +1409,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess) + while (todo > 0) { + rv = write(fd, p, todo); + if (rv < 1) { +- RWDEBUG("Failed writing session: %s", fr_syserror(errno)); ++ if (request) RWDEBUG("Failed writing session: %s", fr_syserror(errno)); + close(fd); + goto error; + } +@@ -1417,7 +1417,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess) + todo -= rv; + } + close(fd); +- RWDEBUG("Wrote session %s to %s (%d bytes)", buffer, filename, blob_len); ++ if (request) RWDEBUG("Wrote session %s to %s (%d bytes)", buffer, filename, blob_len); + } + + error: +diff --git a/src/main/xlat.c b/src/main/xlat.c +index 31987289c..aeac3a4c3 100644 +--- a/src/main/xlat.c ++++ b/src/main/xlat.c +@@ -1787,7 +1787,10 @@ static ssize_t xlat_tokenize_request(REQUEST *request, char const *fmt, xlat_exp + * much faster. + */ + tokens = talloc_typed_strdup(request, fmt); +- if (!tokens) return -1; ++ if (!tokens) { ++ error = "Out of memory"; ++ return -1; ++ } + + slen = xlat_tokenize_literal(request, tokens, head, false, &error); + +@@ -1806,6 +1809,7 @@ static ssize_t xlat_tokenize_request(REQUEST *request, char const *fmt, xlat_exp + */ + if (slen < 0) { + talloc_free(tokens); ++ + rad_assert(error != NULL); + + REMARKER(fmt, -slen, error); +diff --git a/src/modules/rlm_cache/rlm_cache.c b/src/modules/rlm_cache/rlm_cache.c +index 248de8bf9..54449747f 100644 +--- a/src/modules/rlm_cache/rlm_cache.c ++++ b/src/modules/rlm_cache/rlm_cache.c +@@ -126,7 +126,8 @@ static void CC_HINT(nonnull) cache_merge(rlm_cache_t *inst, REQUEST *request, rl + + RDEBUG2("Merging cache entry into request"); + +- if (c->packet && request->packet) { ++ if (c->packet) { ++ rad_assert(request->packet != NULL); + rdebug_pair_list(L_DBG_LVL_2, request, c->packet, "&request:"); + radius_pairmove(request, &request->packet->vps, fr_pair_list_copy(request->packet, c->packet), false); + } +diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c +index dba2c1462..95e521718 100644 +--- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c ++++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c +@@ -1235,9 +1235,6 @@ PW_CODE eap_fast_process(eap_handler_t *eap_session, tls_session_t *tls_session) + + eap_fast_append_result(tls_session, code); + +- if (code == PW_CODE_ACCESS_REJECT) +- break; +- + if (t->pac.send) { + RDEBUG("Peer requires new PAC"); + eap_fast_send_pac_tunnel(request, tls_session); +diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c +index aba15f826..c702f1b45 100644 +--- a/src/modules/rlm_mschap/rlm_mschap.c ++++ b/src/modules/rlm_mschap/rlm_mschap.c +@@ -1471,7 +1471,7 @@ static rlm_rcode_t mschap_error(rlm_mschap_t *inst, REQUEST *request, unsigned c + break; + + default: +- rad_assert(0); ++ return RLM_MODULE_FAIL; + } + mschap_add_reply(request, ident, "MS-CHAP-Error", buffer, strlen(buffer)); + +-- +2.11.0 + diff --git a/SOURCES/freeradius-Handle-connection-error-in-rlm_ldap_cacheable_groupo.patch b/SOURCES/freeradius-Handle-connection-error-in-rlm_ldap_cacheable_groupo.patch new file mode 100644 index 0000000..8dac6ed --- /dev/null +++ b/SOURCES/freeradius-Handle-connection-error-in-rlm_ldap_cacheable_groupo.patch @@ -0,0 +1,30 @@ +From bd67f9fc09690f0b3ac195cb9c57d51bd7a7dc23 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Wed, 29 Mar 2017 10:43:14 +0300 +Subject: [PATCH] Handle connection error in rlm_ldap_cacheable_groupobj + +Closes #1951 + +(cherry picked from commit 208681c80e1149de888affdb87f34de0c371db50) +--- + src/modules/rlm_ldap/groups.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/modules/rlm_ldap/groups.c b/src/modules/rlm_ldap/groups.c +index 12f34da2a..5e0a1819e 100644 +--- a/src/modules/rlm_ldap/groups.c ++++ b/src/modules/rlm_ldap/groups.c +@@ -461,8 +461,10 @@ rlm_rcode_t rlm_ldap_cacheable_groupobj(rlm_ldap_t const *inst, REQUEST *request + + case LDAP_PROC_NO_RESULT: + RDEBUG2("No cacheable group memberships found in group objects"); ++ goto finish; + + default: ++ rcode = RLM_MODULE_FAIL; + goto finish; + } + +-- +2.11.0 + diff --git a/SOURCES/freeradius-check-sizeof-packet-.-Found-by-PVS-Studio.patch b/SOURCES/freeradius-check-sizeof-packet-.-Found-by-PVS-Studio.patch new file mode 100644 index 0000000..fe9348b --- /dev/null +++ b/SOURCES/freeradius-check-sizeof-packet-.-Found-by-PVS-Studio.patch @@ -0,0 +1,28 @@ +From 815387fe1f5caa6fe517364ac0995df60695f339 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Wed, 17 May 2017 12:03:46 -0400 +Subject: [PATCH] check sizeof(*packet). Found by PVS-Studio + +(cherry picked from commit ffa424d138611d2e7ed57b217a899d0c2009ae74) +--- + src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c +index 9abae5c80..3c043f728 100644 +--- a/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c ++++ b/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c +@@ -386,8 +386,8 @@ static int mod_process(void *arg, eap_handler_t *handler) + } + + packet = (pwd_id_packet_t *) in; +- if (in_len < sizeof(packet)) { +- RDEBUG("Packet is too small (%zd < %zd).", in_len, sizeof(packet)); ++ if (in_len < sizeof(*packet)) { ++ RDEBUG("Packet is too small (%zd < %zd).", in_len, sizeof(*packet)); + return 0; + } + +-- +2.11.0 + diff --git a/SOURCES/freeradius-disable-internal-OpenSSL-cache.patch b/SOURCES/freeradius-disable-internal-OpenSSL-cache.patch new file mode 100644 index 0000000..ab3cd83 --- /dev/null +++ b/SOURCES/freeradius-disable-internal-OpenSSL-cache.patch @@ -0,0 +1,124 @@ +From 4dd1bad726e993bcd43f16312acaf95596d35680 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Mon, 8 May 2017 16:38:56 -0400 +Subject: [PATCH] disable internal OpenSSL cache + +(cherry picked from commit af030bd4e19c9149e2ffd898ad0c4dfde78c29be) +--- + raddb/mods-available/eap | 18 ++++++++---------- + raddb/sites-available/abfab-tls | 3 ++- + raddb/sites-available/tls | 17 ++++++++--------- + src/main/tls.c | 4 ++-- + 4 files changed, 20 insertions(+), 22 deletions(-) + +diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap +index 9659db1cd..bfbfe710e 100644 +--- a/raddb/mods-available/eap ++++ b/raddb/mods-available/eap +@@ -382,6 +382,13 @@ eap { + # Enable it. The default is "no". Deleting the entire "cache" + # subsection also disables caching. + # ++ # As of version 3.0.13-4 (upstream 3.0.14), the ++ # session cache requires the use of the "name" and ++ # "persist_dir" configuration items, below. ++ # ++ # The internal OpenSSL session cache has been permanently ++ # disabled. ++ # + # You can disallow resumption for a particular user by adding the + # following attribute to the control item list: + # +@@ -390,7 +397,7 @@ eap { + # If "enable = no" below, you CANNOT enable resumption for just one + # user by setting the above attribute to "yes". + # +- enable = yes ++ enable = no + + # + # Lifetime of the cached entries, in hours. The sessions will be +@@ -399,15 +406,6 @@ eap { + lifetime = 24 # hours + + # +- # The maximum number of entries in the +- # cache. Set to "0" for "infinite". +- # +- # This could be set to the number of users +- # who are logged in... which can be a LOT. +- # +- max_entries = 255 +- +- # + # Internal "name" of the session cache. Used to + # distinguish which TLS context sessions belong to. + # +diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls +index 79d74e6fc..5dbe143da 100644 +--- a/raddb/sites-available/abfab-tls ++++ b/raddb/sites-available/abfab-tls +@@ -24,7 +24,8 @@ listen { + cache { + enable = no + lifetime = 24 # hours +- max_entries = 255 ++ name = "abfab-tls" ++# persist_dir = ${logdir}/abfab-tls + } + + require_client_cert = yes +diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls +index c9555e1c7..eb39c659e 100644 +--- a/raddb/sites-available/tls ++++ b/raddb/sites-available/tls +@@ -239,6 +239,14 @@ listen { + # Deleting the entire "cache" subsection + # Also disables caching. + # ++ # ++ # As of version 3.0.13-4 (upstream 3.0.14), the session ++ # cache requires the use of the "name" and ++ # "persist_dir" configuration items, below. ++ # ++ # The internal OpenSSL session cache has been permanently ++ # disabled. ++ # + # You can disallow resumption for a + # particular user by adding the following + # attribute to the control item list: +@@ -259,15 +267,6 @@ listen { + lifetime = 24 # hours + + # +- # The maximum number of entries in the +- # cache. Set to "0" for "infinite". +- # +- # This could be set to the number of users +- # who are logged in... which can be a LOT. +- # +- max_entries = 255 +- +- # + # Internal "name" of the session cache. + # Used to distinguish which TLS context + # sessions belong to. +diff --git a/src/main/tls.c b/src/main/tls.c +index a72be2b63..e992062dc 100644 +--- a/src/main/tls.c ++++ b/src/main/tls.c +@@ -2937,9 +2937,9 @@ post_ca: + } + + /* +- * Cache it, and DON'T auto-clear it. ++ * Cache it, DON'T auto-clear it, and disable the internal OpenSSL session cache. + */ +- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR); ++ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR | SSL_SESS_CACHE_NO_INTERNAL); + + SSL_CTX_set_session_id_context(ctx, + (unsigned char *) conf->session_context_id, +-- +2.11.0 + diff --git a/SOURCES/freeradius-logrotate b/SOURCES/freeradius-logrotate new file mode 100644 index 0000000..1c3c5b9 --- /dev/null +++ b/SOURCES/freeradius-logrotate @@ -0,0 +1,51 @@ +# You can use this to rotate the /var/log/radius/* files, simply copy +# it to /etc/logrotate.d/radiusd + +# There are different detail-rotating strategies you can use. One is +# to write to a single detail file per IP and use the rotate config +# below. Another is to write to a daily detail file per IP with: +# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail +# (or similar) in radiusd.conf, without rotation. If you go with the +# second technique, you will need another cron job that removes old +# detail files. You do not need to comment out the below for method #2. +/var/log/radius/radacct/*/detail { + monthly + rotate 4 + nocreate + missingok + compress +} + +/var/log/radius/checkrad.log { + monthly + rotate 4 + create + missingok + compress +} + +/var/log/radius/radius.log { + monthly + rotate 4 + create + missingok + compress + postrotate + /usr/bin/systemctl reload-or-try-restart radiusd + endscript +} + +/var/log/radius/radwtmp { + monthly + rotate 4 + create + compress + missingok +} +/var/log/radius/sqltrace.sql { + monthly + rotate 4 + create + compress + missingok +} diff --git a/SOURCES/freeradius-make-data2vp_extended-be-more-like-data2vp_wimax.patch b/SOURCES/freeradius-make-data2vp_extended-be-more-like-data2vp_wimax.patch new file mode 100644 index 0000000..b6e4a37 --- /dev/null +++ b/SOURCES/freeradius-make-data2vp_extended-be-more-like-data2vp_wimax.patch @@ -0,0 +1,237 @@ +From 87390bfe6d266ab81312e072759203ccbb261906 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Wed, 28 Jun 2017 12:13:03 -0400 +Subject: [PATCH] make data2vp_extended() be more like data2vp_wimax() + +There is no exploit, but making the code simpler is good. +--- + src/lib/radius.c | 170 ++++++++++++++++++++++++++++++-------------- + src/tests/unit/extended.txt | 2 +- + 2 files changed, 116 insertions(+), 56 deletions(-) + +diff --git a/src/lib/radius.c b/src/lib/radius.c +index ea4cbf06b..b9f0f59c9 100644 +--- a/src/lib/radius.c ++++ b/src/lib/radius.c +@@ -3161,70 +3161,143 @@ static ssize_t data2vp_extended(TALLOC_CTX *ctx, RADIUS_PACKET *packet, + VALUE_PAIR **pvp) + { + ssize_t rcode; +- size_t fraglen; ++ size_t ext_len; ++ bool more; + uint8_t *head, *tail; +- uint8_t const *frag, *end; +- uint8_t const *attr; +- int fragments; +- bool last_frag; ++ uint8_t const *attr, *end; ++ DICT_ATTR const *child; ++ ++ /* ++ * data = Ext-Attr Flag ... ++ */ ++ ++ /* ++ * Not enough room for Ext-Attr + Flag + data, it's a bad ++ * attribute. ++ */ ++ if (attrlen < 3) { ++ raw: ++ /* ++ * It's not an Extended attribute, it's unknown... ++ */ ++ child = dict_unknown_afrom_fields(ctx, (da->vendor/ FR_MAX_VENDOR) & 0xff, 0); ++ if (!child) { ++ fr_strerror_printf("Internal sanity check %d", __LINE__); ++ return -1; ++ } ++ ++ rcode = data2vp(ctx, packet, original, secret, child, ++ data, attrlen, attrlen, pvp); ++ if (rcode < 0) return rcode; ++ return attrlen; ++ } ++ ++ /* ++ * No continued data, just decode the attribute in place. ++ */ ++ if ((data[1] & 0x80) == 0) { ++ rcode = data2vp(ctx, packet, original, secret, da, ++ data + 2, attrlen - 2, attrlen - 2, ++ pvp); + +- if (attrlen < 3) return -1; ++ if ((rcode < 0) || (((size_t) rcode + 2) != attrlen)) goto raw; /* didn't decode all of the data */ ++ return attrlen; ++ } ++ ++ /* ++ * It's continued, but there are no subsequent fragments, ++ * it's bad. ++ */ ++ if (attrlen >= packetlen) goto raw; + + /* + * Calculate the length of all of the fragments. For + * now, they MUST be contiguous in the packet, and they +- * MUST be all of the same TYPE and EXTENDED-TYPE ++ * MUST be all of the same Type and Ext-Type ++ * ++ * We skip the first fragment, which doesn't have a ++ * RADIUS attribute header. + */ +- attr = data - 2; +- fraglen = attrlen - 2; +- frag = data + attrlen; ++ ext_len = attrlen - 2; ++ attr = data + attrlen; + end = data + packetlen; +- fragments = 1; +- last_frag = false; +- +- while (frag < end) { +- if (last_frag || +- (frag[0] != attr[0]) || +- (frag[1] < 4) || /* too short for long-extended */ +- (frag[2] != attr[2]) || +- ((frag + frag[1]) > end)) { /* overflow */ +- end = frag; +- break; +- } + +- last_frag = ((frag[3] & 0x80) == 0); ++ while (attr < end) { ++ /* ++ * Not enough room for Attr + length + Ext-Attr ++ * continuation, it's bad. ++ */ ++ if ((end - attr) < 4) goto raw; ++ ++ if (attr[1] < 4) goto raw; ++ ++ /* ++ * If the attribute overflows the packet, it's ++ * bad. ++ */ ++ if ((attr + attr[1]) > end) goto raw; ++ ++ if (attr[0] != ((da->vendor / FR_MAX_VENDOR) & 0xff)) goto raw; /* not the same Extended-Attribute-X */ ++ ++ if (attr[2] != data[0]) goto raw; /* Not the same Ext-Attr */ ++ ++ /* ++ * Check the continuation flag. ++ */ ++ more = ((attr[2] & 0x80) != 0); ++ ++ /* ++ * Or, there's no more data, in which case we ++ * shorten "end" to finish at this attribute. ++ */ ++ if (!more) end = attr + attr[1]; ++ ++ /* ++ * There's more data, but we're at the end of the ++ * packet. The attribute is malformed! ++ */ ++ if (more && ((attr + attr[1]) == end)) goto raw; ++ ++ /* ++ * Add in the length of the data we need to ++ * concatenate together. ++ */ ++ ext_len += attr[1] - 4; + +- fraglen += frag[1] - 4; +- frag += frag[1]; +- fragments++; ++ /* ++ * Go to the next attribute, and stop if there's ++ * no more. ++ */ ++ attr += attr[1]; ++ if (!more) break; + } + +- head = tail = malloc(fraglen); +- if (!head) return -1; ++ if (!ext_len) goto raw; + +- VP_TRACE("Fragments %d, total length %d\n", fragments, (int) fraglen); ++ head = tail = malloc(ext_len); ++ if (!head) goto raw; + + /* +- * And again, but faster and looser. +- * +- * We copy the first fragment, followed by the rest of +- * the fragments. ++ * Copy the data over, this time trusting the attribute ++ * contents. + */ +- frag = attr; ++ attr = data; ++ memcpy(tail, attr + 2, attrlen - 2); ++ tail += attrlen - 2; ++ attr += attrlen; + +- while (fragments > 0) { +- memcpy(tail, frag + 4, frag[1] - 4); +- tail += frag[1] - 4; +- frag += frag[1]; +- fragments--; ++ while (attr < end) { ++ memcpy(tail, attr + 4, attr[1] - 4); ++ tail += attr[1] - 4; ++ attr += attr[1]; /* skip VID+WiMax header */ + } + +- VP_HEXDUMP("long-extended fragments", head, fraglen); ++ VP_HEXDUMP("long-extended fragments", head, ext_len); + + rcode = data2vp(ctx, packet, original, secret, da, +- head, fraglen, fraglen, pvp); ++ head, ext_len, ext_len, pvp); + free(head); +- if (rcode < 0) return rcode; ++ if (rcode < 0) goto raw; + + return end - data; + } +@@ -3827,19 +3900,6 @@ ssize_t data2vp(TALLOC_CTX *ctx, + } + + /* +- * If there no more fragments, then the contents +- * have to be a well-known data type. +- * +- */ +- if ((data[1] & 0x80) == 0) { +- rcode = data2vp(ctx, packet, original, secret, child, +- data + 2, attrlen - 2, attrlen - 2, +- pvp); +- if (rcode < 0) goto raw; +- return 2 + rcode; +- } +- +- /* + * This requires a whole lot more work. + */ + return data2vp_extended(ctx, packet, original, secret, child, +diff --git a/src/tests/unit/extended.txt b/src/tests/unit/extended.txt +index 8b0e3a2c4..9810b194c 100644 +--- a/src/tests/unit/extended.txt ++++ b/src/tests/unit/extended.txt +@@ -80,7 +80,7 @@ data Attr-245.26.1.6 = 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa + + # again, but the second one attr is not an extended attr + decode f5 ff 1a 80 00 00 00 01 06 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ab bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb 01 05 62 6f 62 +-data Attr-245.26.1.6 = 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb, User-Name = "bob" ++data Attr-245 = 0x1a800000000106aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb, User-Name = "bob" + + # No data means that the attribute is an "invalid attribute" + decode f5 04 01 00 +-- +2.13.2 + diff --git a/SOURCES/freeradius-pam-conf b/SOURCES/freeradius-pam-conf new file mode 100644 index 0000000..090c4a5 --- /dev/null +++ b/SOURCES/freeradius-pam-conf @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include password-auth +account required pam_nologin.so +account include password-auth +password include password-auth +session include password-auth diff --git a/SOURCES/freeradius-parse-port.-Closes-2000.patch b/SOURCES/freeradius-parse-port.-Closes-2000.patch new file mode 100644 index 0000000..4d496c6 --- /dev/null +++ b/SOURCES/freeradius-parse-port.-Closes-2000.patch @@ -0,0 +1,32 @@ +From 66e6706039677c364f1181ed3c5620fee59a38e1 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Fri, 2 Jun 2017 09:10:05 -0400 +Subject: [PATCH] parse port. Closes #2000 + +(cherry picked from commit 66c109361ef67906f52fe2d441f6b61ec2492f32) +--- + src/modules/proto_dhcp/dhcpclient.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/modules/proto_dhcp/dhcpclient.c b/src/modules/proto_dhcp/dhcpclient.c +index 5c923f136..adbcb8c9d 100644 +--- a/src/modules/proto_dhcp/dhcpclient.c ++++ b/src/modules/proto_dhcp/dhcpclient.c +@@ -413,10 +413,11 @@ int main(int argc, char **argv) + */ + server_ipaddr.af = AF_INET; + if (strcmp(argv[1], "-") != 0) { +- if (ip_hton(&server_ipaddr, AF_INET, argv[1], false) < 0) { +- fr_perror("dhcpclient"); +- fr_exit_now(1); ++ if (fr_pton_port(&server_ipaddr, &server_port, argv[1], -1, AF_INET, true) < 0) { ++ fprintf(stderr, "dhcpclient: Failed parsing IP:port - %s", fr_strerror()); ++ exit(1); + } ++ + client_ipaddr.af = server_ipaddr.af; + } + +-- +2.11.0 + diff --git a/SOURCES/freeradius-radtest-should-use-Cleartext-Password-for-EAP.patch b/SOURCES/freeradius-radtest-should-use-Cleartext-Password-for-EAP.patch new file mode 100644 index 0000000..3787926 --- /dev/null +++ b/SOURCES/freeradius-radtest-should-use-Cleartext-Password-for-EAP.patch @@ -0,0 +1,39 @@ +From 362533a64646cce89799ba0759d4304b8de1e917 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Tue, 7 Mar 2017 09:22:10 -0500 +Subject: [PATCH] radtest should use Cleartext-Password for EAP + +(cherry picked from commit 0251c6c9d049f06c8f10974f9e67ef8142b17047) +--- + src/main/radtest.in | 2 +- + src/modules/rlm_eap/radeapclient.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/main/radtest.in b/src/main/radtest.in +index 7f009ae68..38b1ba9a0 100644 +--- a/src/main/radtest.in ++++ b/src/main/radtest.in +@@ -81,7 +81,7 @@ do + PASSWORD="MS-CHAP-Password" + ;; + eap-md5) +- PASSWORD="User-Password" ++ PASSWORD="Cleartext-Password" + if [ ! -x "$radeapclient" ] + then + echo "radtest: No 'radeapclient' program was found. Cannot perform EAP-MD5." >&1 +diff --git a/src/modules/rlm_eap/radeapclient.c b/src/modules/rlm_eap/radeapclient.c +index 020d252f1..ff69361e4 100644 +--- a/src/modules/rlm_eap/radeapclient.c ++++ b/src/modules/rlm_eap/radeapclient.c +@@ -468,6 +468,7 @@ static int rc_init_packet(rc_transaction_t *trans) + /* + * Keep a copy of the the password attribute. + */ ++ case PW_CLEARTEXT_PASSWORD: + case PW_USER_PASSWORD: + case PW_CHAP_PASSWORD: + case PW_MS_CHAP_PASSWORD: +-- +2.11.0 + diff --git a/SOURCES/freeradius-redhat-config.patch b/SOURCES/freeradius-redhat-config.patch new file mode 100644 index 0000000..a120128 --- /dev/null +++ b/SOURCES/freeradius-redhat-config.patch @@ -0,0 +1,60 @@ +From 0d05cf9318ff5861d9833007d46a4a7ed78cbafd Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Mon, 8 Sep 2014 12:32:13 +0300 +Subject: [PATCH] Adjust configuration to fit Red Hat specifics + +--- + raddb/mods-available/eap | 4 ++-- + raddb/radiusd.conf.in | 7 +++---- + 2 files changed, 5 insertions(+), 6 deletions(-) + +diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap +index 427016c66..9659db1cd 100644 +--- a/raddb/mods-available/eap ++++ b/raddb/mods-available/eap +@@ -470,7 +470,7 @@ eap { + # + # You should also delete all of the files + # in the directory when the server starts. +- # tmpdir = /tmp/radiusd ++ # tmpdir = /var/run/radiusd/tmp + + # The command used to verify the client cert. + # We recommend using the OpenSSL command-line +@@ -484,7 +484,7 @@ eap { + # in PEM format. This file is automatically + # deleted by the server when the command + # returns. +- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" ++ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" + } + + # +diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in +index c62f4ffed..625f43447 100644 +--- a/raddb/radiusd.conf.in ++++ b/raddb/radiusd.conf.in +@@ -70,8 +70,7 @@ certdir = ${confdir}/certs + cadir = ${confdir}/certs + run_dir = ${localstatedir}/run/${name} + +-# Should likely be ${localstatedir}/lib/radiusd +-db_dir = ${raddbdir} ++db_dir = ${localstatedir}/lib/radiusd + + # + # libdir: Where to find the rlm_* modules. +@@ -436,8 +435,8 @@ security { + # member. This can allow for some finer-grained access + # controls. + # +-# user = radius +-# group = radius ++ user = radiusd ++ group = radiusd + + # Core dumps are a bad thing. This should only be set to + # 'yes' if you're debugging a problem with the server. +-- +2.11.0 + diff --git a/SOURCES/freeradius-set-S_IWUSER-when-creating-the-file-not-later.patch b/SOURCES/freeradius-set-S_IWUSER-when-creating-the-file-not-later.patch new file mode 100644 index 0000000..3edff67 --- /dev/null +++ b/SOURCES/freeradius-set-S_IWUSER-when-creating-the-file-not-later.patch @@ -0,0 +1,35 @@ +From 1a39666a0dc41d76524001461cd47a19600deaba Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Mon, 8 May 2017 16:00:01 -0400 +Subject: [PATCH] set S_IWUSER when creating the file, not later + +(cherry picked from commit 8f53382c64114936a0433d68101a24570783e13a) +--- + src/main/tls.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/src/main/tls.c b/src/main/tls.c +index e992062dc..1008e8a51 100644 +--- a/src/main/tls.c ++++ b/src/main/tls.c +@@ -1382,7 +1382,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess) + /* open output file */ + snprintf(filename, sizeof(filename), "%s%c%s.asn1", + conf->session_cache_path, FR_DIR_SEP, buffer); +- fd = open(filename, O_RDWR|O_CREAT|O_EXCL, 0600); ++ fd = open(filename, O_RDWR|O_CREAT|O_EXCL, S_IWUSR); + if (fd < 0) { + if (request) RERROR("Session serialisation failed, failed opening session file %s: %s", + filename, fr_syserror(errno)); +@@ -1400,8 +1400,6 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess) + fr_pair_value_strcpy(vp, filename); + fr_pair_add(&request->state, vp); + } +- +- (void) fchmod(fd, S_IWUSR); + } + + todo = blob_len; +-- +2.11.0 + diff --git a/SOURCES/freeradius-tmpfiles.conf b/SOURCES/freeradius-tmpfiles.conf new file mode 100644 index 0000000..ead7a2f --- /dev/null +++ b/SOURCES/freeradius-tmpfiles.conf @@ -0,0 +1 @@ +D /var/run/radiusd 0710 radiusd radiusd - diff --git a/SOURCES/radiusd.service b/SOURCES/radiusd.service new file mode 100644 index 0000000..67696ad --- /dev/null +++ b/SOURCES/radiusd.service @@ -0,0 +1,15 @@ +[Unit] +Description=FreeRADIUS high performance RADIUS server. +After=syslog.target network.target ipa.service dirsrv.target krb5kdc.service + +[Service] +Type=forking +PIDFile=/var/run/radiusd/radiusd.pid +ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd +ExecStartPre=/usr/sbin/radiusd -C +ExecStart=/usr/sbin/radiusd -d /etc/raddb +ExecReload=/usr/sbin/radiusd -C +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target diff --git a/SPECS/freeradius.spec b/SPECS/freeradius.spec new file mode 100644 index 0000000..da5e9ac --- /dev/null +++ b/SPECS/freeradius.spec @@ -0,0 +1,2298 @@ +Summary: High-performance and highly configurable free RADIUS server +Name: freeradius +Version: 3.0.13 +Release: 9%{?dist} +License: GPLv2+ and LGPLv2+ +Group: System Environment/Daemons +URL: http://www.freeradius.org/ + +# Is elliptic curve cryptography supported? +%if 0%{?rhel} >= 7 || 0%{?fedora} >= 20 +%global HAVE_EC_CRYPTO 1 +%else +%global HAVE_EC_CRYPTO 0 +%endif + +%global dist_base freeradius-server-%{version} + +Source0: ftp://ftp.freeradius.org/pub/radius/%{dist_base}.tar.bz2 +Source100: radiusd.service +Source102: freeradius-logrotate +Source103: freeradius-pam-conf +Source104: freeradius-tmpfiles.conf + +Patch1: freeradius-redhat-config.patch +Patch2: freeradius-Fix-some-issues-found-with-static-analyzers.patch +Patch3: freeradius-Handle-connection-error-in-rlm_ldap_cacheable_groupo.patch +Patch4: freeradius-radtest-should-use-Cleartext-Password-for-EAP.patch +Patch5: freeradius-disable-internal-OpenSSL-cache.patch +Patch6: freeradius-check-sizeof-packet-.-Found-by-PVS-Studio.patch +Patch7: freeradius-parse-port.-Closes-2000.patch +Patch8: freeradius-set-S_IWUSER-when-creating-the-file-not-later.patch +Patch9: freeradius-FR-GV-302-do-checks-based-on-pointers-not-on-decoded.patch +Patch10: freeradius-FR-GV-301-handle-malformed-WiMAX-attributes.patch +Patch11: freeradius-make-data2vp_extended-be-more-like-data2vp_wimax.patch +Patch12: freeradius-FR-GV-206-decode-option-60-string-not-63-octets-and-.patch +Patch13: freeradius-FR-GV-303-do-memchr-of-end-p-not-q-p.patch +Patch14: freeradius-FR-GV-304-check-for-option-overflowing-the-packet.patch +Patch15: freeradius-FR-GV-201-check-input-output-length-in-make_secret.patch +Patch16: freeradius-Fix-double-free-in-rlm_sql-acct_redundant.patch + +%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} + +BuildRequires: autoconf +BuildRequires: gdbm-devel +BuildRequires: openssl +BuildRequires: openssl-devel +BuildRequires: pam-devel +BuildRequires: zlib-devel +BuildRequires: net-snmp-devel +BuildRequires: net-snmp-utils +BuildRequires: readline-devel +BuildRequires: libpcap-devel +BuildRequires: systemd-units +BuildRequires: libtalloc-devel +BuildRequires: pcre-devel +BuildRequires: tncfhh-devel + +%if ! 0%{?rhel} +BuildRequires: libyubikey-devel +BuildRequires: ykclient-devel +%endif + +Requires: openssl >= 1.0.1e-34 +Requires(pre): shadow-utils glibc-common +Requires(post): systemd-sysv +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units + +%description +The FreeRADIUS Server Project is a high performance and highly configurable +GPL'd free RADIUS server. The server is similar in some respects to +Livingston's 2.0 server. While FreeRADIUS started as a variant of the +Cistron RADIUS server, they don't share a lot in common any more. It now has +many more features than Cistron or Livingston, and is much more configurable. + +FreeRADIUS is an Internet authentication daemon, which implements the RADIUS +protocol, as defined in RFC 2865 (and others). It allows Network Access +Servers (NAS boxes) to perform authentication for dial-up users. There are +also RADIUS clients available for Web servers, firewalls, Unix logins, and +more. Using RADIUS allows authentication and authorization for a network to +be centralized, and minimizes the amount of re-configuration which has to be +done when adding or deleting new users. + +%package doc +Group: Documentation +Summary: FreeRADIUS documentation + +%description doc +All documentation supplied by the FreeRADIUS project is included +in this package. + +%package utils +Group: System Environment/Daemons +Summary: FreeRADIUS utilities +Requires: %{name} = %{version}-%{release} +Requires: libpcap >= 0.9.4 + +%description utils +The FreeRADIUS server has a number of features found in other servers, +and additional features not found in any other server. Rather than +doing a feature by feature comparison, we will simply list the features +of the server, and let you decide if they satisfy your needs. + +Support for RFC and VSA Attributes Additional server configuration +attributes Selecting a particular configuration Authentication methods + +%package devel +Group: System Environment/Daemons +Summary: FreeRADIUS development files +Requires: %{name} = %{version}-%{release} + +%description devel +Development headers and libraries for FreeRADIUS. + +%package ldap +Summary: LDAP support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +BuildRequires: openldap-devel + +%description ldap +This plugin provides the LDAP support for the FreeRADIUS server project. + +%package krb5 +Summary: Kerberos 5 support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +BuildRequires: krb5-devel + +%description krb5 +This plugin provides the Kerberos 5 support for the FreeRADIUS server project. + +%package perl +Summary: Perl support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) +%{?fedora:BuildRequires: perl-devel} +BuildRequires: perl-devel +BuildRequires: perl(ExtUtils::Embed) + +%description perl +This plugin provides the Perl support for the FreeRADIUS server project. + +%package python +Summary: Python support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +BuildRequires: python-devel + +%description python +This plugin provides the Python support for the FreeRADIUS server project. + +%package mysql +Summary: MySQL support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +BuildRequires: mysql-devel + +%description mysql +This plugin provides the MySQL support for the FreeRADIUS server project. + +%package postgresql +Summary: Postgresql support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +BuildRequires: postgresql-devel + +%description postgresql +This plugin provides the postgresql support for the FreeRADIUS server project. + +%package sqlite +Summary: SQLite support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +BuildRequires: sqlite-devel + +%description sqlite +This plugin provides the SQLite support for the FreeRADIUS server project. + +%package unixODBC +Summary: Unix ODBC support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +BuildRequires: unixODBC-devel + +%description unixODBC +This plugin provides the unixODBC support for the FreeRADIUS server project. + + +%prep +%setup -q -n %{dist_base} +# Note: We explicitly do not make patch backup files because 'make install' +# mistakenly includes the backup files, especially problematic for raddb config files. +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 + +%build +# Force compile/link options, extra security for network facing daemon +%global _hardened_build 1 + +%configure \ + --libdir=%{_libdir}/freeradius \ + --disable-openssl-version-check \ + --with-udpfromto \ + --with-threads \ + --with-docdir=%{docdir} \ + --with-rlm-sql_postgresql-include-dir=/usr/include/pgsql \ + --with-rlm-sql-postgresql-lib-dir=%{_libdir} \ + --with-rlm-sql_mysql-include-dir=/usr/include/mysql \ + --with-mysql-lib-dir=%{_libdir}/mysql \ + --with-unixodbc-lib-dir=%{_libdir} \ + --with-rlm-dbm-lib-dir=%{_libdir} \ + --with-rlm-krb5-include-dir=/usr/kerberos/include \ + --without-rlm_eap_ikev2 \ + --without-rlm_sql_iodbc \ + --without-rlm_sql_firebird \ + --without-rlm_sql_db2 \ + --without-rlm_sql_oracle \ + --without-rlm_rest \ + --without-rlm_unbound \ + --without-rlm_redis \ + --without-rlm_rediswho \ + --without-rlm_cache_memcached + +make + +%install +mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/radiusd +make install R=$RPM_BUILD_ROOT + +# logs +mkdir -p $RPM_BUILD_ROOT/var/log/radius/radacct +touch $RPM_BUILD_ROOT/var/log/radius/{radutmp,radius.log} + +install -D -m 644 %{SOURCE100} $RPM_BUILD_ROOT/%{_unitdir}/radiusd.service +install -D -m 644 %{SOURCE102} $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/radiusd +install -D -m 644 %{SOURCE103} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/radiusd + +install -d -m 0755 %{buildroot}%{_prefix}/lib/tmpfiles.d +mkdir -p %{buildroot}%{_localstatedir}/run/ +install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/ +install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp +install -m 0644 %{SOURCE104} %{buildroot}%{_prefix}/lib/tmpfiles.d/radiusd.conf + +# install SNMP MIB files +mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/ +install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/ + +# remove unneeded stuff +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.csr +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.der +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.key +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.pem +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.p12 +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/index.* +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/serial* +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/dh +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/random + +rm -f $RPM_BUILD_ROOT/usr/sbin/rc.radiusd +rm -f $RPM_BUILD_ROOT/usr/bin/rbmonkey +rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.a +rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.la + +rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/mssql + +rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/oracle +rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool-dhcp/oracle +rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/oracle + +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/unbound +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/unbound/default.conf +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/couchbase +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/abfab* +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/policy.d/abfab* +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/policy.d/moonshot-targeted-ids +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab* + +rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so + +# remove unsupported config files +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf + +# install doc files omitted by standard install +for f in COPYRIGHT CREDITS INSTALL.rst README.rst VERSION; do + cp $f $RPM_BUILD_ROOT/%{docdir} +done +cp LICENSE $RPM_BUILD_ROOT/%{docdir}/LICENSE.gpl +cp src/lib/LICENSE $RPM_BUILD_ROOT/%{docdir}/LICENSE.lgpl +cp src/LICENSE.openssl $RPM_BUILD_ROOT/%{docdir}/LICENSE.openssl + +# add Red Hat specific documentation +cat >> $RPM_BUILD_ROOT/%{docdir}/REDHAT << EOF + +Red Hat, RHEL, Fedora, and CentOS specific information can be found on the +FreeRADIUS Wiki in the Red Hat FAQ. + +http://wiki.freeradius.org/guide/Red-Hat-FAQ + +Please reference that document. + +All documentation is in the freeradius-doc sub-package. + +EOF + + +# Make sure our user/group is present prior to any package or subpackage installation +%pre +getent group radiusd >/dev/null || /usr/sbin/groupadd -r -g 95 radiusd > /dev/null 2>&1 +getent passwd radiusd >/dev/null || /usr/sbin/useradd -r -g radiusd -u 95 -c "radiusd user" -d %{_localstatedir}/lib/radiusd -s /sbin/nologin radiusd > /dev/null 2>&1 +exit 0 + +%post +%systemd_post radiusd.service +if [ $1 -eq 1 ]; then # install + # Initial installation + if [ ! -e /etc/raddb/certs/server.pem ]; then + /sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1 + fi +fi +exit 0 + +%preun +%systemd_preun radiusd.service + +%postun +%systemd_postun_with_restart radiusd.service +if [ $1 -eq 0 ]; then # uninstall + getent passwd radiusd >/dev/null && /usr/sbin/userdel radiusd > /dev/null 2>&1 + getent group radiusd >/dev/null && /usr/sbin/groupdel radiusd > /dev/null 2>&1 +fi +exit 0 + +/bin/systemctl try-restart radiusd.service >/dev/null 2>&1 || : + + +%files +%defattr(-,root,root) + +# doc +%doc %{docdir}/LICENSE.gpl +%doc %{docdir}/LICENSE.lgpl +%doc %{docdir}/LICENSE.openssl +%doc %{docdir}/REDHAT + +# system +%config(noreplace) %{_sysconfdir}/pam.d/radiusd +%config(noreplace) %{_sysconfdir}/logrotate.d/radiusd +%{_unitdir}/radiusd.service +%{_prefix}/lib/tmpfiles.d/radiusd.conf +%dir %attr(710,radiusd,radiusd) %{_localstatedir}/run/radiusd +%dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp +%dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd + +# configs (raddb) +%dir %attr(755,root,radiusd) /etc/raddb +%defattr(-,root,radiusd) +/etc/raddb/README.rst +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/panic.gdb + +%attr(644,root,radiusd) %config(noreplace) /etc/raddb/dictionary +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/clients.conf + +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/templates.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/trigger.conf + +# symlink: /etc/raddb/hints -> ./mods-config/preprocess/hints +%config /etc/raddb/hints + +# symlink: /etc/raddb/huntgroups -> ./mods-config/preprocess/huntgroups +%config /etc/raddb/huntgroups + +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/proxy.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/radiusd.conf + +# symlink: /etc/raddb/users -> ./mods-config/files/authorize +%config(noreplace) /etc/raddb/users + +# certs +%dir %attr(770,root,radiusd) /etc/raddb/certs +%config(noreplace) /etc/raddb/certs/Makefile +%config(noreplace) /etc/raddb/certs/passwords.mk +/etc/raddb/certs/README +%config(noreplace) /etc/raddb/certs/xpextensions +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf +%attr(750,root,radiusd) /etc/raddb/certs/bootstrap + +# mods-config +%dir %attr(750,root,radiusd) /etc/raddb/mods-config +/etc/raddb/mods-config/README.rst +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/attr_filter +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/attr_filter/* +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/files +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/files/* +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/preprocess +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/preprocess/* + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/cui +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main + +# sites-available +%dir %attr(750,root,radiusd) /etc/raddb/sites-available +/etc/raddb/sites-available/README +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/control-socket +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/decoupled-accounting +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/robust-proxy-accounting +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/soh +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/coa +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/example +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/inner-tunnel +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/dhcp +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/check-eap-tls +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/status +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/dhcp.relay +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/virtual.example.com +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/originate-coa +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/vmps +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/default +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/proxy-inner-tunnel +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/dynamic-clients +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/copy-acct-to-home-server +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/buffered-sql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/tls +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/channel_bindings +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/challenge + +# sites-enabled +# symlink: /etc/raddb/sites-enabled/xxx -> ../sites-available/xxx +%dir %attr(750,root,radiusd) /etc/raddb/sites-enabled +%config(missingok) /etc/raddb/sites-enabled/inner-tunnel +%config(missingok) /etc/raddb/sites-enabled/default + +# mods-available +%dir %attr(750,root,radiusd) /etc/raddb/mods-available +/etc/raddb/mods-available/README.rst +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/always +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/attr_filter +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache_eap +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/chap +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/counter +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cui +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/date +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/detail +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/detail.example.com +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/detail.log +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_sqlippool +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/digest +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dynamic_clients +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/eap +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/echo +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/etc_group +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/exec +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/expiration +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/expr +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/files +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/idn +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/inner-eap +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ippool +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/linelog +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/logintime +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/mac2ip +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/mac2vlan +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/mschap +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ntlm_auth +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/opendirectory +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/otp +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pam +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pap +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/passwd +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/preprocess +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/python +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/radutmp +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/realm +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/redis +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rediswho +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/replicate +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/smbpasswd +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/smsotp +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/soh +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sometimes +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sqlcounter +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sqlippool +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sradutmp +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unix +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unpack +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/utf8 +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/wimax +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/yubikey + +# mods-enabled +# symlink: /etc/raddb/mods-enabled/xxx -> ../mods-available/xxx +%dir %attr(750,root,radiusd) /etc/raddb/mods-enabled +%config(missingok) /etc/raddb/mods-enabled/always +%config(missingok) /etc/raddb/mods-enabled/attr_filter +%config(missingok) /etc/raddb/mods-enabled/cache_eap +%config(missingok) /etc/raddb/mods-enabled/chap +%config(missingok) /etc/raddb/mods-enabled/date +%config(missingok) /etc/raddb/mods-enabled/detail +%config(missingok) /etc/raddb/mods-enabled/detail.log +%config(missingok) /etc/raddb/mods-enabled/dhcp +%config(missingok) /etc/raddb/mods-enabled/digest +%config(missingok) /etc/raddb/mods-enabled/dynamic_clients +%config(missingok) /etc/raddb/mods-enabled/eap +%config(missingok) /etc/raddb/mods-enabled/echo +%config(missingok) /etc/raddb/mods-enabled/exec +%config(missingok) /etc/raddb/mods-enabled/expiration +%config(missingok) /etc/raddb/mods-enabled/expr +%config(missingok) /etc/raddb/mods-enabled/files +%config(missingok) /etc/raddb/mods-enabled/linelog +%config(missingok) /etc/raddb/mods-enabled/logintime +%config(missingok) /etc/raddb/mods-enabled/mschap +%config(missingok) /etc/raddb/mods-enabled/ntlm_auth +%config(missingok) /etc/raddb/mods-enabled/pap +%config(missingok) /etc/raddb/mods-enabled/passwd +%config(missingok) /etc/raddb/mods-enabled/preprocess +%config(missingok) /etc/raddb/mods-enabled/radutmp +%config(missingok) /etc/raddb/mods-enabled/realm +%config(missingok) /etc/raddb/mods-enabled/replicate +%config(missingok) /etc/raddb/mods-enabled/soh +%config(missingok) /etc/raddb/mods-enabled/sradutmp +%config(missingok) /etc/raddb/mods-enabled/unix +%config(missingok) /etc/raddb/mods-enabled/unpack +%config(missingok) /etc/raddb/mods-enabled/utf8 + +# policy +%dir %attr(750,root,radiusd) /etc/raddb/policy.d +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/accounting +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/canonicalization +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/control +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/cui +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/debug +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/dhcp +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/eap +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/filter +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/operator-name + + +# binaries +%defattr(-,root,root) +/usr/sbin/checkrad +/usr/sbin/raddebug +/usr/sbin/radiusd +/usr/sbin/radmin + +# dictionaries +%dir %attr(755,root,root) /usr/share/freeradius +/usr/share/freeradius/* + +# logs +%dir %attr(700,radiusd,radiusd) /var/log/radius/ +%dir %attr(700,radiusd,radiusd) /var/log/radius/radacct/ +%ghost %attr(644,radiusd,radiusd) /var/log/radius/radutmp +%ghost %attr(600,radiusd,radiusd) /var/log/radius/radius.log + +# libs +%attr(755,root,root) %{_libdir}/freeradius/lib*.so* + +# loadable modules +%dir %attr(755,root,root) %{_libdir}/freeradius +%{_libdir}/freeradius/proto_dhcp.so +%{_libdir}/freeradius/proto_vmps.so +%{_libdir}/freeradius/rlm_always.so +%{_libdir}/freeradius/rlm_attr_filter.so +%{_libdir}/freeradius/rlm_cache.so +%{_libdir}/freeradius/rlm_cache_rbtree.so +%{_libdir}/freeradius/rlm_chap.so +%{_libdir}/freeradius/rlm_counter.so +%{_libdir}/freeradius/rlm_cram.so +%{_libdir}/freeradius/rlm_date.so +%{_libdir}/freeradius/rlm_detail.so +%{_libdir}/freeradius/rlm_dhcp.so +%{_libdir}/freeradius/rlm_digest.so +%{_libdir}/freeradius/rlm_dynamic_clients.so +%{_libdir}/freeradius/rlm_eap.so +%{_libdir}/freeradius/rlm_eap_fast.so +%{_libdir}/freeradius/rlm_eap_gtc.so +%{_libdir}/freeradius/rlm_eap_leap.so +%{_libdir}/freeradius/rlm_eap_md5.so +%{_libdir}/freeradius/rlm_eap_mschapv2.so +%{_libdir}/freeradius/rlm_eap_peap.so +%if %{HAVE_EC_CRYPTO} +%{_libdir}/freeradius/rlm_eap_pwd.so +%endif +%{_libdir}/freeradius/rlm_eap_sim.so +%{_libdir}/freeradius/rlm_eap_tls.so +%{_libdir}/freeradius/rlm_eap_tnc.so +%{_libdir}/freeradius/rlm_eap_ttls.so +%{_libdir}/freeradius/rlm_exec.so +%{_libdir}/freeradius/rlm_expiration.so +%{_libdir}/freeradius/rlm_expr.so +%{_libdir}/freeradius/rlm_files.so +%{_libdir}/freeradius/rlm_ippool.so +%{_libdir}/freeradius/rlm_linelog.so +%{_libdir}/freeradius/rlm_logintime.so +%{_libdir}/freeradius/rlm_mschap.so +%{_libdir}/freeradius/rlm_otp.so +%{_libdir}/freeradius/rlm_pam.so +%{_libdir}/freeradius/rlm_pap.so +%{_libdir}/freeradius/rlm_passwd.so +%{_libdir}/freeradius/rlm_preprocess.so +%{_libdir}/freeradius/rlm_radutmp.so +%{_libdir}/freeradius/rlm_realm.so +%{_libdir}/freeradius/rlm_replicate.so +%{_libdir}/freeradius/rlm_soh.so +%{_libdir}/freeradius/rlm_sometimes.so +%{_libdir}/freeradius/rlm_sql.so +%{_libdir}/freeradius/rlm_sqlcounter.so +%{_libdir}/freeradius/rlm_sqlippool.so +%{_libdir}/freeradius/rlm_sql_null.so +%{_libdir}/freeradius/rlm_unix.so +%{_libdir}/freeradius/rlm_unpack.so +%{_libdir}/freeradius/rlm_utf8.so +%{_libdir}/freeradius/rlm_wimax.so +%{_libdir}/freeradius/rlm_yubikey.so + +# main man pages +%doc %{_mandir}/man5/clients.conf.5.gz +%doc %{_mandir}/man5/dictionary.5.gz +%doc %{_mandir}/man5/radiusd.conf.5.gz +%doc %{_mandir}/man5/radrelay.conf.5.gz +%doc %{_mandir}/man5/rlm_always.5.gz +%doc %{_mandir}/man5/rlm_attr_filter.5.gz +%doc %{_mandir}/man5/rlm_chap.5.gz +%doc %{_mandir}/man5/rlm_counter.5.gz +%doc %{_mandir}/man5/rlm_detail.5.gz +%doc %{_mandir}/man5/rlm_digest.5.gz +%doc %{_mandir}/man5/rlm_expr.5.gz +%doc %{_mandir}/man5/rlm_files.5.gz +%doc %{_mandir}/man5/rlm_idn.5.gz +%doc %{_mandir}/man5/rlm_mschap.5.gz +%doc %{_mandir}/man5/rlm_pap.5.gz +%doc %{_mandir}/man5/rlm_passwd.5.gz +%doc %{_mandir}/man5/rlm_realm.5.gz +%doc %{_mandir}/man5/rlm_sql.5.gz +%doc %{_mandir}/man5/rlm_unix.5.gz +%doc %{_mandir}/man5/unlang.5.gz +%doc %{_mandir}/man5/users.5.gz +%doc %{_mandir}/man8/raddebug.8.gz +%doc %{_mandir}/man8/radiusd.8.gz +%doc %{_mandir}/man8/radmin.8.gz +%doc %{_mandir}/man8/radrelay.8.gz + +# MIB files +%{_datadir}/snmp/mibs/*RADIUS*.mib + +%files doc + +%doc %{docdir}/ + + +%files utils +/usr/bin/* + +# utils man pages +%doc %{_mandir}/man1/radclient.1.gz +%doc %{_mandir}/man1/radeapclient.1.gz +%doc %{_mandir}/man1/radlast.1.gz +%doc %{_mandir}/man1/radtest.1.gz +%doc %{_mandir}/man1/radwho.1.gz +%doc %{_mandir}/man1/radzap.1.gz +%doc %{_mandir}/man1/rad_counter.1.gz +%doc %{_mandir}/man1/smbencrypt.1.gz +%doc %{_mandir}/man1/dhcpclient.1.gz +%doc %{_mandir}/man5/checkrad.5.gz +%doc %{_mandir}/man8/radcrypt.8.gz +%doc %{_mandir}/man8/radsniff.8.gz +%doc %{_mandir}/man8/radsqlrelay.8.gz +%doc %{_mandir}/man8/rlm_ippool_tool.8.gz + +%files devel +/usr/include/freeradius + +%files krb5 +%{_libdir}/freeradius/rlm_krb5.so +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/krb5 + +%files perl +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/perl + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/perl +%attr(640,root,radiusd) /etc/raddb/mods-config/perl/example.pl + +%{_libdir}/freeradius/rlm_perl.so + +%files python +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/python +/etc/raddb/mods-config/python/example.py* +/etc/raddb/mods-config/python/radiusd.py* +%{_libdir}/freeradius/rlm_python.so + +%files mysql +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/mysql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/cui/mysql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/queries.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/schema.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/queries.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/schema.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/setup.sql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/queries.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/schema.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras/wimax +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/extras/wimax/queries.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/ndb +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/ndb/setup.sql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/ndb/schema.sql +/etc/raddb/mods-config/sql/main/ndb/README + +%{_libdir}/freeradius/rlm_sql_mysql.so + +%files postgresql +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/postgresql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/dailycounter.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/expire_on_login.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/monthlycounter.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/noresetcounter.conf + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/cui/postgresql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/postgresql/queries.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/postgresql/schema.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/postgresql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/queries.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/schema.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/setup.sql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/queries.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/schema.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql/extras +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/extras/update_radacct_group.sql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/extras/cisco_h323_db_schema.sql + +%{_libdir}/freeradius/rlm_sql_postgresql.so + +%files sqlite +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/sqlite +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/dailycounter.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/noresetcounter.conf + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/cui/sqlite +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/sqlite/queries.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/sqlite/schema.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/sqlite +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/sqlite/queries.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/sqlite/schema.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite/queries.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/sqlite +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/queries.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/schema.sql + +%{_libdir}/freeradius/rlm_sql_sqlite.so + +%files ldap +%{_libdir}/freeradius/rlm_ldap.so +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ldap + +%files unixODBC +%{_libdir}/freeradius/rlm_sql_unixodbc.so + +%changelog +* Thu Feb 22 2018 Nikolai Kondrashov - 3.0.13-9 +- Fix double free in rlm_sql acct_redundant + Resolves: Bug#1551069 Radius service crashes with "Bad talloc magic value - + unknown value" when using module sql rlm_sql + +* Mon Jul 17 2017 Nikolai Kondrashov - 3.0.13-8 +- Avoid misinterpreting zero-size malloc in data2vp_extended() fix. +- Related: Bug#1469415 CVE-2017-10984 freeradius: Out-of-bounds write in + data2vp_wimax() + +* Tue Jul 11 2017 Nikolai Kondrashov - 3.0.13-7 +- Resolves: Bug#1469408 CVE-2017-10978 freeradius: Out-of-bounds read/write due + to improper output buffer size check in make_secret() +- Resolves: Bug#1469412 CVE-2017-10983 freeradius: Out-of-bounds read in + fr_dhcp_decode() when decoding option 63 +- Resolves: Bug#1469415 CVE-2017-10984 freeradius: Out-of-bounds write in + data2vp_wimax() +- Resolves: Bug#1469416 CVE-2017-10985 freeradius: Infinite loop and memory + exhaustion with 'concat' attributes +- Resolves: Bug#1469419 CVE-2017-10986 freeradius: Infinite read in + dhcp_attr2vp() +- Resolves: Bug#1469422 CVE-2017-10987 freeradius: Buffer over-read in + fr_dhcp_decode_suboptions() + +* Thu Jun 15 2017 Nikolai Kondrashov - 3.0.13-6 +- Avoid race condition when creating session cache file + Resolves: Bug#1458746 CVE-2017-9148 freeradius: TLS resumption + authentication bypass + +* Tue Jun 06 2017 Nikolai Kondrashov - 3.0.13-5 +- Refer to correct package version in configuration comments for Bug#1458746 + (CVE-2017-9148) fix. + Related: Bug#1458746 CVE-2017-9148 freeradius: TLS resumption + authentication bypass + +* Tue Jun 06 2017 Nikolai Kondrashov - 3.0.13-4 +- Disable internal OpenSSL cache. + Resolves: Bug#1458746 CVE-2017-9148 freeradius: TLS resumption + authentication bypass +- Check sizeof(*packet), not sizeof(packet) in EAP-PWD + Resolves: Bug#1459073 Potential buffer overflow in FreeRADIUS EAP-PWD +- Parse port as well as address for dhcpclient destination + Resolves: Bug#1457825 dhcpclient does no accept IP:PORT + +* Wed Mar 29 2017 Nikolai Kondrashov - 3.0.13-3 +- Explicitly disable rlm_cache_memcached to avoid error when the module's + dependencies are installed, and it is built, but not packaged. + Related: Bug#1202751 Rebase FreeRADIUS to 3.0.12 or later minor release +- Prevent segfaults by adding a missing handling of connection errors in + rlm_ldap. + Resolves: Bug#1437409 [abrt] freeradius: radiusd killed by SIGSEGV +- Make radtest use Cleartext-Password for EAP, fixing its support for eap-md5. + Resolves: Bug#1436619 radtest does not work with eap-md5 + +* Thu Mar 23 2017 Nikolai Kondrashov - 3.0.13-2 +- Fix some issues found with static analyzers. + Resolves: Bug#1432103 FreeRADIUS fails covscan checks +- Revert rlm_eap_tnc removal, because the tncfhh package is still in RHEL. + Related: Bug#1202751 Rebase FreeRADIUS to 3.0.12 or later minor release + +* Tue Mar 07 2017 Nikolai Kondrashov - 3.0.13-1 +- Upgrade to upstream v3.0.13 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). + Related: Bug#1202751 Rebase FreeRADIUS to 3.0.12 or later minor release + Resolves: Bug#1329181 freeradius-python fix libpython2.7.so dependency at + compile time + Resolves: Bug#1425869 Radiusd does not trigger modules.sql.fail trap if it + can't connect to mysql server + Resolves: Bug#1427829 Stack overflow when passing bare IPv6 to radclient + +* Tue Feb 21 2017 Nikolai Kondrashov - 3.0.12-2 +- Do not fail logrotate if radiusd is not running. + Resolves: Bug#1365226 error running non-shared postrotate script for + /var/log/radius/radius.log of + '/var/log/radius/radius.log ' +- Fix output to log file specified with -l option. + Resolves: Bug#1421207 radiusd does not work with log file specified by -l + option +- Fix long hostnames interpreted as IP addresses. + Resolves: Bug#1420359 radclient does not detect 4. level and higher domain + name as a domain name +- Avoid clashes with libtool library symbols. + Resolves: Bug#1391960 undefined symbol: get_vtable in + /usr/lib64/libtdsodbc.so.0 with freeradius-unixODBC +- Remove mentions of Auth-Type = System from docs. + Resolves: Bug#1420293 Freeradius does not know Auth-Type = System +- Improve ip/v4/v6/addr documentation. + Resolves: Bug#1179736 add description for ipaddr = hostname from DNS with A + and AAAA entries + +* Fri Nov 25 2016 Nikolai Kondrashov - 3.0.12-1 +- Upgrade to upstream v3.0.12 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). + Related: Bug#1202751 Rebase FreeRADIUS to 3.0.7 or later minor release + Resolves: Bug#1358989 FreeRADIUS stops reading the accounting packets from the + detail file + Resolves: Bug#1269217 FreeRADIUS triggers mprotect with large radius reply + Resolves: Bug#1344183 radiusd crashed in rbtree_find() after receiving a packet + Resolves: Bug#1370431 FreeRADIUS fails to establish LDAP connections under + load + Resolves: Bug#1397981 [abrt] freeradius: radiusd killed by SIGSEGV + +* Mon Apr 18 2016 Nikolai Kondrashov - 3.0.11-1 +- Upgrade to upstream v3.0.11 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). + Resolves: Bug#1197551 + Resolves: Bug#1179745 + Resolves: Bug#1202751 Rebase FreeRADIUS to 3.0.7 or later minor release + Resolves: Bug#1289849 FreeRadius should start after ldap, ipa and krb5kdc + Resolves: Bug#1208886 Add the latest Mikrotik dictionary into Freeradius + Resolves: Bug#1198620 radutmp should not rotate + Resolves: Bug#1180979 Freeradius is installing files under /etc/tmpfiles.d/ + Resolves: Bug#1187904 radiusd logrotate config file contains old style + "/sbin/service radius reload" reload call + Resolves: Bug#1167846 radiusd fails to load clients from ldap + Resolves: Bug#1422018 /usr/lib/systemd/system/radiusd.service is marked + executable. Please remove executable permission bits + Resolves: Bug#1167843 support for older style generic attributes in + rlm_ldap doesn't work + Resolves: Bug#1354234 home servers are marked as dead by radiusd + +* Wed Dec 09 2015 Nikolai Kondrashov - 3.0.10-1 +- Upgrade to upstream v3.0.10 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). + Related: Bug#1202751 + Resolves: Bug#1340334 freeradius: Decryption of very long Tunnel-Passwords + can cause buffer overflow +- Remove rlm_eap_tnc support as the required package "tncfhh" was retired. + +* Wed Aug 19 2015 Nikolai Kondrashov - 3.0.9-1 +- Upgrade to upstream v3.0.9 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). + Related: Bug#1202751 + +* Tue Apr 28 2015 Nikolai Kondrashov - 3.0.8-1 +- Upgrade to upstream v3.0.8 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). + Related: Bug#1202751 + +* Thu Mar 19 2015 Nikolai Kondrashov - 3.0.7-1 +- Upgrade to upstream v3.0.7 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). + Related: Bug#1202751 + +* Fri Dec 26 2014 Nikolai Kondrashov - 3.0.4-6 +- Don't remove backslash from unknown escape sequences in LDAP values. + Resolves: Bug#1173526 +- Improve dhcpclient and rad_counter online help. + Resolves: Bug#1146966 +- raddb: Move trigger.conf INCLUDE before modules, making it easier to refer + to trigger variables from module configurations. + Resolves: Bug#1155961 +- Fix ipaddr option fallback onto ipv6. + Resolves: Bug#1168868 +- raddb: Comment on ipaddr/ipv4addr/ipv6addr use. + Resolves: Bug#1168247 + +* Tue Dec 09 2014 Nikolai Kondrashov - 3.0.4-5 +- Disable rlm_rest building explicitly to avoid unintended builds on some + architectures breaking RPM build. + Resolves: Bug#1162156 +- Add -D option support to dhcpclient. + Related: Bug#1146939 +- Don't install rbmonkey - a test tool only useful to developers. + Related: Bug#1146966 +- Update clients(5) man page + Resolves: Bug#1147464 + +* Thu Oct 30 2014 Nikolai Kondrashov - 3.0.4-4 +- Fix possible group info corruption/segfault in rlm_unix' fr_getgrnam. +- Fix file configuration item parsing. + +* Wed Oct 29 2014 Nikolai Kondrashov - 3.0.4-3 +- Fix a number of trigger issues. + Resolves: Bug#1110407 radiusd doesn't send snmp trap after "radmin -e 'hup + files'" + Resolves: Bug#1110414 radiusd doesn't send snmp trap when sql connection is + opened,closed or fail + Resolves: Bug#1110186 radiusd doesn't send snmp trap when ldap connection + fails/opens/closes + Resolves: Bug#1109164 snmp trap messages send by radiusd are inconsistent + and incomplete +- Fix two omissions from radtest manpage. + Resolves: Bug#1146898 'eap-md5' value is missing in -t option in SYNOPSIS + of radtest man page + Resolves: Bug#1114669 Missing -P option in radtest manpage +- Disable OpenSSL version checking to avoid the need to edit radiusd.conf to + confirm heartbleed is fixed. + Resolves: Bug#1155070 FreeRADIUS doesn't start after upgrade due to failing + OpenSSL version check + +* Mon Oct 6 2014 Nikolai Kondrashov - 3.0.4-2 +- Fix abort on home server triggers. + Resolves: Bug#1113509 radiusd aborts when it has no proxy response with active + snmp traps +- Fix segfault upon example.pl read failure. + Resolves: Bug#1146403 radiusd segfaults when file for perl module has + wrong permissions +- Fix example.pl permissions. + Resolves: Bug#1146406 /etc/raddb/mods-config/perl/example.pl has wrong + permissions and radiusd fails to start +- Fix integer handling in various cases. + Resolves: Bug#1146441 upstream test suite fails +- Fix dhcpclient's dictionary.dhcp loading. + Resolves: Bug#1146939 dhcpclient lookups dictionary.dhcp file in wrong + location + +* Mon Sep 15 2014 Nikolai Kondrashov - 3.0.4-1 +- Upgrade to upstream 3.0.4 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). + +* Mon Sep 8 2014 Nikolai Kondrashov - 3.0.4-0.1.rc2 +- Upgrade to upstream 3.0.4-rc2 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). +- Add installation of SNMP MIB files. +- Resolves: Bug#1036562 Missing doc page for kerberos module +- Resolves: Bug#1099625 Default message digest defaults to sha1 +- Resolves: Bug#1109159 missing mib files in freeradius package +- Resolves: Bug#1113010 radiusd doesn't send snmp trap when max_threads value + is reached +- Resolves: Bug#1114669 Missing -P option in radtest manpage +- Resolves: Bug#1115128 radisud can't start if proto = udp is specified +- Resolves: Bug#1115134 radiusd aborts after 'Access-Request' when listens on + TCP port +- Resolves: Bug#1115137 radiusd listens on udp port even if proto = tcp is + specified +- Resolves: Bug#1126725 radiusd silently fails when start_servers is higher + than max_servers +- Resolves: Bug#1135446 Radeapclient is not available + +* Thu Feb 27 2014 Nikolai Kondrashov - 3.0.1-6 +- Fix CVE-2014-2015 "freeradius: stack-based buffer overflow flaw in rlm_pap + module" +- resolves: bug#1066984 (fedora 1066763) + +* Thu Feb 27 2014 John Dennis - 3.0.1-5 +- resolves: bug#1068798 (fedora 1068795) + rlm_perl attribute values truncated + +* Fri Jan 24 2014 Daniel Mach - 3.0.1-4 +- Mass rebuild 2014-01-24 + +* Sun Jan 19 2014 John Dennis - 3.0.1-3 +- resolves: bug#1055073 (fedora 1055072) + rlm_ippool; bad config file attribute and fails to send reply attributes +- resolves: bug#1055567 (fedora 1056227) + bad mysql sql syntax +- change CFLAGS -imacros to -include to address gcc/gdb bug 1004526 + where gdb will not display source information, only + +* Wed Jan 15 2014 Honza Horak - 3.0.1-2 +- Rebuild for mariadb-libs + Related: #1045013 + +* Tue Jan 14 2014 John Dennis - 3.0.1-1 +- Upgrade to upstream 3.0.1 release, full config compatible with 3.0.0. + This is a roll-up of all upstream bugs fixes found in 3.0.0 + See upstream ChangeLog for details (in freeradius-doc subpackage) +- resolves: bug#1052450 (fedora 1053020) +- resolves: bug#1044748 (fedora 1044747) +- resolves: bug#1048475 (fedora 1048474) +- resolves: bug#1043037 (fedora 1043036) + +* Fri Dec 27 2013 Daniel Mach - 3.0.0-5 +- Mass rebuild 2013-12-27 + +* Tue Nov 26 2013 John Dennis - 3.0.0-4 +- resolves: bug#1031035 + remove radeapclient man page, + upstream no longer supports radeapclient, use eapol_test instead +- resolves: bug#1031061 + rlm_eap_leap memory corruption, see freeradius-rlm_leap.patch +- move man pages for utils into utils subpackage from doc subpackage +- fix HAVE_EC_CRYPTO test to include f20 +- add new directory /var/run/radiusd/tmp + update mods-available/eap so tls-common.verify.tmpdir to point to it + +* Wed Nov 13 2013 John Dennis - 3.0.0-3 +- resolves: bug#1029941 + PW_TYPE_BOOLEAN config item should be declared int, not bool + +* Mon Oct 28 2013 John Dennis - 3.0.0-2 +- resolves: bug#1024119 + tncfhh-devel is now available in RHEL-7, remove conditional BuildRequires + +* Wed Oct 9 2013 John Dennis - 3.0.0-1 +- Offical 3.0 gold release from upstream +- resolves: bug#1000455 +- resolves: bug#891305 + +* Mon Aug 26 2013 John Dennis - 3.0.0-0.3.rc0 +- add missingok config attribute to /etc/raddb/sites-enabled/* symlinks + +* Sat Aug 03 2013 Petr Pisar - 3.0.0-0.2.rc0 +- Perl 5.18 rebuild + +* Fri Jul 26 2013 Ville Skyttä - 3.0.0-0.1.rc0 +- Install docs to %%{_pkgdocdir} where available. + +* Mon Jul 22 2013 John Dennis - 3.0.0-0.rc0 +- Upgrade to new upstream major version release + +* Wed Jul 17 2013 Petr Pisar - 2.2.0-7 +- Perl 5.18 rebuild + +* Wed Feb 13 2013 Fedora Release Engineering - 2.2.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Dec 14 2012 John Dennis - 2.2.0-5 +- resolves: bug#850119 - Introduce new systemd-rpm macros (>= F18) + +* Thu Dec 13 2012 John Dennis - 2.2.0-4 +- add compile option -fno-strict-aliasing + +* Thu Dec 13 2012 John Dennis - 2.2.0-3 +- specify homedir (/var/lib/radiusd) for radiusd user in useradd, + do not permit useradd to default the homedir. + +* Wed Dec 12 2012 John Dennis - 2.2.0-2 +- add security options to compiler/linker + +* Mon Dec 10 2012 John Dennis - 2.2.0-1 +- resolves: bug#876564 - fails to start without freeradius-mysql +- use upstream version of freeradius-exclude-config-file.patch + +* Wed Oct 3 2012 John Dennis - 2.2.0-0 +- Add new patch to avoid reading .rpmnew, .rpmsave and other invalid + files when loading config files +- Upgrade to new 2.2.0 upstream release +- Upstream changelog for 2.1.12: + Feature improvements + * 100% configuration file compatible with 2.1.x. + The only fix needed is to disallow "hashsize=0" for rlm_passwd + * Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware, + Redback, and Mikrotik dictionaries + * Switch to using SHA1 for certificate digests instead of MD5. + See raddb/certs/*.cnf + * Added copyright statements to the dictionaries, so that we know + when people are using them. + * Better documentation for radrelay and detail file writer. + See raddb/modules/radrelay and raddb/radrelay.conf + * Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard + * Added -F to radwho + * Added query timeouts to MySQL driver. Patch from Brian De Wolf. + * Add /etc/default/freeradius to debian package. + Patch from Matthew Newton + * Finalize DHCP and DHCP relay code. It should now work everywhere. + See raddb/sites-available/dhcp, src_ipaddr and src_interface. + * DHCP capabilitiies are now compiled in by default. + It runs as a DHCP server ONLY when manually enabled. + * Added one letter expansions: %G - request minute and %I request + ID. + * Added script to convert ISC DHCP lease files to SQL pools. + See scripts/isc2ippool.pl + * Added rlm_cache to cache arbitrary attributes. + * Added max_use to rlm_ldap to force connection to be re-established + after a given number of queries. + * Added configtest option to Debian init scripts, and automatic + config test on restart. + * Added cache config item to rlm_krb5. When set to "no" ticket + caching is disabled which may increase performance. + + Bug fixes + * Fix CVE-2012-3547. All users of 2.1.10, 2.1.11, 2.1.12, + and 802.1X should upgrade immediately. + * Fix typo in detail file writer, to skip writing if the packet + was read from this detail file. + * Free cached replies when closing resumed SSL sessions. + * Fix a number of issues found by Coverity. + * Fix memory leak and race condition in the EAP-TLS session cache. + Thanks to Phil Mayers for tracking down OpenSSL APIs. + * Restrict ATTRIBUTE names to character sets that make sense. + * Fix EAP-TLS session Id length so that OpenSSL doesn't get + excited. + * Fix SQL IPPool logic for non-timer attributes. Closes bug #181 + * Change some informational messages to DEBUG rather than error. + * Portability fixes for FreeBSD. Closes bug #177 + * A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols + nonsense. + * Safely handle extremely long lines in conf file variable expansion + * Fix for Debian bug #606450 + * Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling + * The passwd module no longer permits "hashsize = 0". Setting that + is pointless for a host of reasons. It will also break the server. + * Fix proxied inner-tunnel packets sometimes having zero authentication + vector. Found by Brian Julin. + * Added $(EXEEXT) to Makefiles for portability. Closes bug #188. + * Fix minor build issue which would cause rlm_eap to be built twice. + * When using "status_check=request" for a home server, the username + and password must be specified, or the server will not start. + * EAP-SIM now calculates keys from the SIM identity, not from the + EAP-Identity. Changing the EAP type via NAK may result in + identities changing. Bug reported by Microsoft EAP team. + * Use home server src_ipaddr when sending Status-Server packets + * Decrypt encrypted ERX attributes in CoA packets. + * Fix registration of internal xlat's so %{mschap:...} doesn't + disappear after a HUP. + * Can now reference tagged attributes in expansions. + e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work. + * Correct calculation of Message-Authenticator for CoA and Disconnect + replies. Patch from Jouni Malinen + * Install rad_counter, for managing rlm_counter files. + * Add unique index constraint to all SQL flavours so that alternate + queries work correctly. + * The TTLS diameter decoder is now more lenient. It ignores + unknown attributes, instead of rejecting the TTLS session. + * Use "globfree" in detail file reader. Prevents very slow leak. + Closes bug #207. + * Operator =~ shouldn't copy the attribute, like :=. It should + instead behave more like ==. + * Build main Debian package without SQL dependencies + * Use max_queue_size in threading code + * Update permissions in raddb/sql/postgresql/admin.sql + * Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL + wouldn't use methods it knew about. + * Add more sanity checks in dynamic_clients code so the server won't + crash if it attempts to load a badly formated client definition. + +* Thu Jul 19 2012 Fedora Release Engineering - 2.1.12-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Jun 08 2012 Petr Pisar - 2.1.12-9 +- Perl 5.16 rebuild + +* Tue May 15 2012 John Dennis - 2.1.12-8 +- resolves: bug#821407 - openssl dependency + +* Sat Apr 14 2012 John Dennis - 2.1.12-7 +- resolves: bug#810605 Segfault with freeradius-perl threading + +* Tue Feb 28 2012 John Dennis - 2.1.12-6 + Fixing bugs in RHEL6 rebase, applying fixes here as well + resolves: bug#700870 freeradius not compiled with --with-udpfromto + resolves: bug#753764 shadow password expiration does not work + resolves: bug#712803 radtest script is not working with eap-md5 option + resolves: bug#690756 errors in raddb/sql/postgresql/admin.sql template + +* Tue Feb 7 2012 John Dennis - 2.1.12-5 +- resolves: bug#781877 (from RHEL5) rlm_dbm_parse man page misspelled +- resolves: bug#760193 (from RHEL5) radtest PPPhint option is not parsed properly + +* Sun Jan 15 2012 John Dennis - 2.1.12-4 +- resolves: bug#781744 + systemd service file incorrectly listed pid file as + /var/run/radiusd/radiusd which it should have been + /var/run/radiusd/radiusd.pid + +* Fri Jan 13 2012 Fedora Release Engineering - 2.1.12-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Oct 31 2011 John Dennis - 2.1.12-2 +- rename /etc/tmpfiles.d/freeradius.conf to /etc/tmpfiles.d/radiusd.conf + remove config(noreplace) because it must match files section and + permissions differ between versions. +- fixup macro usage for /var/run & /var/lib + +* Mon Oct 3 2011 John Dennis - 2.1.12-1 +- Upgrade to latest upstream release: 2.1.12 +- Upstream changelog for 2.1.12: + Feature improvements + * Updates to dictionary.erx, dictionary.siemens, dictionary.starent, + dictionary.starent.vsa1, dictionary.zyxel, added dictionary.symbol + * Added support for PCRE from Phil Mayers + * Configurable file permission in rlm_linelog + * Added "relaxed" option to rlm_attr_filter. This copies attributes + if at least one match occurred. + * Added documentation on dynamic clients. + See raddb/modules/dynamic_clients. + * Added support for elliptical curve cryptography. + See ecdh_curve in raddb/eap.conf. + * Added support for 802.1X MIBs in checkrad + * Added support for %{rand:...}, which generates a uniformly + distributed number between 0 and the number you specify. + * Created "man" pages for all installed commands, and documented + options for all commands. Patch from John Dennis. + * Allow radsniff to decode encrypted VSAs and CoA packets. + Patch from Bjorn Mork. + * Always send Message-Authenticator in radtest. Patch from John Dennis. + radclient continues to be more flexible. + * Updated Oracle schema and queries + * Added SecurID module. See src/modules/rlm_securid/README + + Bug fixes + * Fix memory leak in rlm_detail + * Fix "failed to insert event" + * Allow virtual servers to be reloaded on HUP. + It no longer complains about duplicate virtual servers. + * Fix %{string:...} expansion + * Fix "server closed socket" loop in radmin + * Set ownership of control socket when starting up + * Always allow root to connect to control socket, even if + "uid" is set. They're root. They can already do anything. + * Save all attributes in Access-Accept when proxying inner-tunnel + EAP-MSCHAPv2 + * Fixes for DHCP relaying. + * Check certificate validity when using OCSP. + * Updated Oracle "configure" script + * Fixed typos in dictionary.alvarion + * WARNING on potential proxy loop. + * Be more aggressive about clearing old requests from the + internal queue + * Don't open network sockets when using -C + +* Wed Sep 21 2011 Tom Callaway - 2.1.11-7 +- restore defattr customization in the main package + +* Fri Sep 9 2011 Tom Callaway - 2.1.11-6 +- add missing systemd scriptlets + +* Thu Sep 8 2011 Tom Callaway - 2.1.11-5 +- convert to systemd + +* Thu Jul 21 2011 Petr Sabata - 2.1.11-4 +- Perl mass rebuild + +* Wed Jul 20 2011 Petr Sabata - 2.1.11-3 +- Perl mass rebuild + +* Thu Jun 23 2011 John Dennis - 2.1.11-2 +- reload the server (i.e. HUP) after logrotate + +* Wed Jun 22 2011 John Dennis - 2.1.11-1 +- Upgrade to latest upstream release: 2.1.11 +- Remove the following two patches as upstream has incorporated them: + freeradius-radtest-ipv6.patch + freeradius-lt-dladvise.patch +- Upstream changelog for 2.1.11: + Feature improvements + * Added doc/rfc/rfc6158.txt: RADIUS Design Guidelines. + All vendors need to read it and follow its directions. + * Microsoft SoH support for PEAP from Phil Mayers. + See doc/SoH.txt + * Certificate "bootstrap" script now checks for certificate expiry. + See comments in raddb/eap.conf, and then "make_cert_command". + * Support for dynamic expansion of EAP-GTC challenges. + Patch from Alexander Clouter. + * OCSP support from Alex Bergmann. See raddb/eap.conf, "ocsp" + section. + * Updated dictionary.huawei, dictionary.3gpp, dictionary.3gpp3. + * Added dictionary.eltex, dictionary.motorola, and dictionary.ukerna. + * Experimental redis support from Gabriel Blanchard. + See raddb/modules/redis and raddb/modules/rediswho + * Add "key" to rlm_fastusers. Closes bug #126. + * Added scripts/radtee from original software at + http://horde.net/~jwm/software/misc/comparison-tee + * Updated radmin "man" page for new commands. + * radsniff now prints the hex decoding of the packet (-x -x -x) + * mschap module now reloads its configuration on HUP + * Added experimental "replicate" module. See raddb/modules/replicate + * Policy "foo" can now refer to module "foo". This lets you + over-ride the behavior of a module. + * Policy "foo.authorize" can now over-ride the behavior of module + "foo", "authorize" method. + * Produce errors in more situations when the configuration files + have invalid syntax. + + Bug fixes + * Ignore pre/post-proxy sections if proxying is disabled + * Add configure checks for pcap_fopen*. + * Fix call to otp_write in rlm_otp + * Fix issue with Access-Challenge checking from 2.1.10, when the + debug flag was set after server startup. Closes #116 and #117. + * Fix typo in zombie period start time. + * Fix leak in src/main/valuepair.c. Patch from James Ballantine. + * Allow radtest to use spaces in shared secret. + Patch from Cedric Carree. + * Remove extra calls to HMAC_CTX_init() in rlm_wimax, fixing leak. + Patch from James Ballantine. + * Remove MN-FA key generation. The NAS does this, not AAA. + Patch from Ben Weichman. + * Include dictionary.mikrotik by default. Closes bug #121. + * Add group membership query to MS-SQL examples. Closes bug #120. + * Don't cast NAS-Port to integer in Postgresql queries. + Closes bug #112. + * Fixes for libtool and autoconf from Sam Hartman. + * radsniff should read the dictionaries in more situations. + * Use fnmatch to check for detail file reader==writer. + Closes bug #128. + * Check for short writes (i.e. disk full) in rlm_detail. + Closes bug #130. Patches and testing from John Morrissey. + * Fix typo in src/lib/token.c. Closes bug #124 + * Allow workstation trust accounts to use MS-CHAP. + Closes bug #123. + * Assigning foo=`/bin/echo hello` now produces a syntax error + if it is done outside of an "update" section. + * Fix "too many open file descriptors" problem when using + "verify client" in eap.conf. + * Many fixes to dialup_admin for PHP5, by Stefan Winter. + * Allow preprocess module to have "hints = " and "huntgroups =", + which allows them to be empty or non-existent. + * Renamed "php3" files to "php" in dialup_admin/ + * Produce error when sub-TLVs are used in a dictionary. They are + supported only in the "master" branch, and not in 2.1.x. + * Minor fix in dictionary.redback. Closes bug #138. + * Fixed MySQL "NULL" issues in ippool.conf. Closes bug #129. + * Fix to Access-Challenge warning from Ken-ichirou Matsuzawa. + Closes bug #118. + * DHCP fixes to send unicast packets in more situations. + * Fix to udpfromto, to enable it to work on IPv6 networks. + * Fixes to the Oracle accounting_onoff_query. + * When using both IPv4 and IPv6 home servers, ensure that we use the + correct local socket for proxying. Closes bug #143. + * Suppress messages when thread pool is nearly full, all threads + are busy, and we can't create new threads. + * IPv6 is now enabled for udpfromto. Closes bug #141 + * Make sqlippool query buffer the same size as sql module. + Closes bug #139. + * Make Coa / Disconnect proxying work again. + * Configure scripts for rlm_caching from Nathaniel McCallum + * src/lib/dhcp.c and src/include/libradius.h are LGPL, not GPL. + * Updated password routines to use time-insensitive comparisons. + This prevents timing attacks (though none are known). + * Allow sqlite module to do normal SELECT queries. + * rlm_wimax now has a configure script + * Moved Ascend, USR, and Motorola "illegal" dictionaries to separate + files. See share/dictionary for explanations. + * Check for duplicate module definitions in the modules{} section, + and refuse to start if duplicates are found. + * Check for duplicate virtual servers, and refuse to start if + duplicates are found. + * Don't use udpfromto if source is INADDR_ANY. Closes bug #148. + * Check pre-conditions before running radmin "inject file". + * Don't over-ride "no match" with "match" for regexes. + Closes bug #152. + * Make retry and error message configurable in mschap. + See raddb/modules/mschap + * Allow EAP-MSCHAPv2 to send error message to client. This change + allows some clients to prompt the user for a new password. + See raddb/eap.conf, mschapv2 section, "send_error". + * Load the default virtual server before any others. + This matches what users expect, and reduces confusion. + * Fix configure checks for udpfromto. Fixes Debian bug #606866 + * Definitive fix for bug #35, where the server could crash under + certain loads. Changes src/lib/packet.c to use RB trees. + * Updated "configure" checks to allow IPv6 udpfromto on Linux. + * SQL module now returns NOOP if the accounting start/interim/stop + queries don't do anything. + * Allow %%{outer.control: ... } in string expansions + * home_server coa config now matches raddb/proxy.conf + * Never send a reply to a DHCP Release. + +* Thu Jun 16 2011 Marcela Mašláňová - 2.1.10-8 +- Perl mass rebuild + +* Wed Mar 23 2011 John Dennis - 2.1.10-7 +- Resolves: #689045 Using rlm_perl cause radiusd failed to start + Fix configure typo which caused lt_dladvise_* functions to be skipped. + run autogen.sh because HAVE_LT_DLADVISE_INIT isn't in src/main/autogen.h + Implemented by: freeradius-lt-dladvise.patch + +* Wed Mar 23 2011 John Dennis - 2.1.10-6 +- Resolves: #599528 - make radtest IPv6 compatible + +* Wed Mar 23 2011 Dan Horák - 2.1.10-5 +- rebuilt for mysql 5.5.10 (soname bump in libmysqlclient) + +* Tue Feb 08 2011 Fedora Release Engineering - 2.1.10-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Sat Jan 1 2011 John Dennis - 2.1.10-3 +- bug 666589 - removing freeradius from system does not delete the user "radiusd" + fix scriptlet argument testing, simplify always exiting with zero + +* Thu Dec 30 2010 John Dennis - 2.1.10-2 +- rebuild for new MySQL libs + +* Tue Oct 19 2010 John Dennis - 2.1.10-1 + Feature improvements + * Install the "radcrypt" program. + * Enable radclient to send requests containing MS-CHAPv1 + Send packets with: MS-CHAP-Password = "password". It will + be automatically converted to the correct MS-CHAP attributes. + * Added "-t" command-line option to radtest. You can use "-t pap", + "-t chap", "-t mschap", or "-t eap-md5". The default is "-t pap" + * Make the "inner-tunnel" virtual server listen on 127.0.0.1:18120 + This change and the previous one makes PEAP testing much easier. + * Added more documentation and examples for the "passwd" module. + * Added dictionaries for RFC 5607 and RFC 5904. + * Added note in proxy.conf that we recommend setting + "require_message_authenticator = yes" for all home servers. + * Added example of second "files" configuration, with documentation. + This shows how and where to use two instances of a module. + * Updated radsniff to have it write pcap files, too. See '-w'. + * Print out large WARNING message if we send an Access-Challenge + for EAP, and receive no follow-up messages from the client. + * Added Cached-Session-Policy for EAP session resumption. See + raddb/eap.conf. + * Added support for TLS-Cert-* attributes. For details, see + raddb/sites-available/default, "post-auth" section. + * Added sample raddb/modules/{opendirectory,dynamic_clients} + * Updated Cisco and Huawei, HP, Redback, and ERX dictionaries. + * Added RFCs 5607, 5904, and 5997. + * For EAP-TLS, client certificates can now be validated using an + external command. See eap.conf, "validate" subsection of "tls". + * Made rlm_pap aware of {nthash} prefix, for compatibility with + legacy RADIUS systems. + * Add Module-Failure-Message for mschap module (ntlm_auth) + * made rlm_sql_sqlite database configurable. Use "filename" + in sql{} section. + * Added %%{tolower: ...string ... }, which returns the lowercase + version of the string. Also added %%{toupper: ... } for uppercase. + + Bug fixes + * Fix endless loop when there are multiple sub-options for + DHCP option 82. + * More debug output when sending / receiving DHCP packets. + * EAP-MSCHAPv2 should return the MPPE keys when used outside + of a TLS tunnel. This is needed for IKE. + * Added SSL "no ticket" option to prevent SSL from creating sessions + without IDs. We need the IDs, so this option should be set. + * Fix proxying of packets from inside a TTLS/PEAP tunnel. + Closes bug #25. + * Allow IPv6 address attributes to be created from domain names + Closes bug #82. + * Set the string length to the correct value when parsing double + quotes. Closes bug #88. + * No longer look users up in /etc/passwd in the default configuration. + This can be reverted by enabling "unix" in the "authorize" section. + * More #ifdef's to enable building on systems without certain + features. + * Fixed SQL-Group comparison to register only if the group + query is defined. + * Fixed SQL-Group comparison to register -SQL-Group, + just like rlm_ldap. This lets you have multiple SQL group checks. + * Fix scanning of octal numbers in "unlang". Closes bug #89. + * Be less aggressive about freeing "stuck" requests. Closes bug #35. + * Fix example in "originate-coa" to refer to the correct packet. + * Change default timeout for dynamic clients to 1 hour, not 1 day. + * Allow passwd module to map IP addresses, too. + * Allow passwd module to be used for CoA packets + * Put boot filename into DHCP header when DHCP-Boot-Filename + is specified. + * raddb/certs/Makefile no longer has certs depend on index.txt and + serial. Closes bug #64. + * Ignore NULL errorcode in PostgreSQL client. Closes bug #39 + * Made Exec-Program and Exec-Program-Wait work in accounting + section again. See sites-available/default. + * Fix long-standing memory leak in esoteric conditions. Found + by Jerry Nichols. + * Added "Password-With-Header == userPassword" to raddb/ldap.attrmap + This will automatically convert more passwords. + * Updated rlm_pap to decode Password-With-Header, if it was base64 + encoded, and to treat the contents as potentially binary data. + * Fix Novell eDir code to use the right function parameters. + Closes bug #86. + * Allow spaces to be escaped when executing external programs. + Closes bug #93. + * Be less restrictive about checking permissions on control socket. + If we're root, allow connecting to a non-root socket. + * Remove control socket on normal server exit. If the server isn't + running, the control socket should not exist. + * Use MS-CHAP-User-Name as Name field from EAP-MSCHAPv2 for MS-CHAP + calculations. It *MAY* be different (upper / lower case) from + the User-Name attribute. Closes bug #17. + * If the EAP-TLS methods have problems, more SSL errors are now + available in the Module-Failure-Message attribute. + * Update Oracle configure scripts. Closes bug #57. + * Added text to DESC fields of doc/examples/openldap.schema + * Updated more documentation to use "Restructured Text" format. + Thanks to James Lockie. + * Fixed typos in raddb/sql/mssql/dialup.conf. Closes bug #11. + * Return error for potential proxy loops when using "-XC" + * Produce better error messages when slow databases block + the server. + * Added notes on DHCP broadcast packets for FreeBSD. + * Fixed crash when parsing some date strings. Closes bug #98 + * Improperly formatted Attributes are now printed as "Attr-##". + If they are not correct, they should not use the dictionary name. + * Fix rlm_digest to be check the format of the Digest attributes, + and return "noop" rather than "fail" if they're not right. + * Enable "digest" in raddb/sites-available/default. This change + enables digest authentication to work "out of the box". + * Be less aggressive about marking home servers as zombie. + If they are responding to some packets, they are still alive. + * Added Packet-Transmit-Counter, to track detail file retransmits. + Closes bug #13. + * Added configure check for lt_dladvise_init(). If it exists, then + using it solves some issues related to libraries loading libraries. + * Added indexes to the MySQL IP Pool schema. + * Print WARNING message if too many attributes are put into a packet. + * Include dhcp test client (not built by default) + * Added checks for LDAP constraint violation. Closes bug #18. + * Change default raddebug timeout to 60 seconds. + * Made error / warning messages more consistent. + * Correct back-slash handling in variable expansion. Closes bug #46. + You SHOULD check your configuration for backslash expansion! + * Fix typo in "configure" script (--enable-libltdl-install) + * Use local libltdl in more situations. This helps to avoid + compile issues complaining about lt__PROGRAM__LTX_preloaded_symbols. + * Fix hang on startup when multiple home servers were defined + with "src_ipaddr" field. + * Fix 32/64 bit issue in rlm_ldap. Closes bug #105. + * If the first "listen" section defines 127.0.0.1, don't use that + as a source IP for proxying. It won't work. + * When Proxy-To-Realm is set to a non-existent realm, the EAP module + should handle the request, rather than expecting it to be proxied. + * Fix IPv4 issues with udpfromto. Closes bug #110. + * Clean up child processes of raddebug. Closes bugs #108 and #109 + * retry OTP if the OTP daemon fails. Closes bug #58. + * Multiple calls to ber_printf seem to work better. Closes #106. + * Fix "unlang" so that "attribute not found" is treated as a "false" + comparison, rather than a syntax error in the configuration. + * Fix issue with "Group" attribute. + +* Sat Jul 31 2010 Orcan Ogetbil - 2.1.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild + +* Tue Jun 01 2010 Marcela Maslanova - 2.1.9-2 +- Mass rebuild with perl-5.12.0 + +* Mon May 24 2010 John Dennis - 2.1.9-1 +- update to latest upstream, mainly bug fix release + Feature improvements + * Add radmin command "stats detail " to see what + is going on inside of a detail file reader. + * Added documentation for CoA. See raddb/sites-available/coa + * Add sub-option support for Option 82. See dictionary.dhcp + * Add "server" field to default SQL NAS table, and documented it. + + Bug fixes + * Reset "received ping" counter for Status-Server checks. In some + corner cases it was not getting reset. + * Handle large VMPS attributes. + * Count accounting responses from a home server in SNMP / statistics + code. + * Set EAP-Session-Resumed = Yes, not "No" when session is resumed. + * radmin packet counter statistics are now unsigned, for numbers + 2^31..2^32. After that they roll over to zero. + * Be more careful about expanding data in PAP and MS-CHAP modules. + This prevents login failures when passwords contain '{'. + * Clean up zombie children if there were many "exec" modules being + run for one packet, all with "wait = no". + * re-open log file after HUP. Closes bug #63. + * Fix "no response to proxied packet" complaint for Coa / Disconnect + packets. It shouldn't ignore replies to packets it sent. + * Calculate IPv6 netmasks correctly. Closes bug #69. + * Fix SQL module to re-open sockets if they unexpectedly close. + * Track scope for IPv6 addresses. This lets us use link-local + addresses properly. Closes bug #70. + * Updated Makefiles to no longer use the shell for recursing into + subdirs. "make -j 2" should now work. + * Updated raddb/sql/mysql/ippool.conf to use "= NULL". Closes + bug #75. + * Updated Makefiles so that "make reconfig" no longer uses the shell + for recursing into subdirs, and re-builds all "configure" files. + * Used above method to regenerate all configure scripts. + Closes bug #34. + * Updated SQL module to allow "server" field of "nas" table + to be blank: "". This means the same as it being NULL. + * Fixed regex realm example. Create Realm attribute with value + of realm from User-Name, not from regex. Closes bug #40. + * If processing a DHCP Discover returns "fail / reject", ignore + the packet rather than sending a NAK. + * Allow '%%' to be escaped in sqlcounter module. + * Fix typo internal hash table. + * For PEAP and TTLS, the tunneled reply is added to the reply, + rather than integrated via the operators. This allows multiple + VSAs to be added, where they would previously be discarded. + * Make request number unsigned. This changes nothing other than + the debug output when the server receives more than 2^31 packets. + * Don't block when reading child output in 'exec wait'. This means + that blocked children get killed, instead of blocking the server. + * Enabled building without any proxy functionality + * radclient now prefers IPv4, to match the default server config. + * Print useful error when a realm regex is invalid + * relaxed rules for preprocess module "with_cisco_vsa_hack". The + attributes can now be integer, ipaddr, etc. (i.e. non-string) + * Allow rlm_ldap to build if ldap_set_rebind_proc() has only + 2 arguments. + * Update configure script for rlm_python to avoid dynamic linking + problems on some platforms. + * Work-around for bug #35 + * Do suid to "user" when running in debug mode as root + * Make "allow_core_dumps" work in more situations. + * In detail file reader, treat bad records as EOF. + This allows it to continue working when the disk is full. + * Fix Oracle default accounting queries to work when there are no + gigawords attributes. Other databases already had the fix. + * Fix rlm_sql to show when it opens and closes sockets. It already + says when it cannot connect, so it should say when it can connect. + * "chmod -x" for a few C source files. + * Pull update spec files, etc. from RedHat into the redhat/ directory. + * Allow spaces when parsing integer values. This helps people who + put "too much" into an SQL value field. + +* Thu Jan 7 2010 John Dennis - 2.1.8-2 +- resolves: bug #526559 initial install should run bootstrap to create certificates + running radiusd in debug mode to generate inital temporary certificates + is no longer necessary, the /etc/raddb/certs/bootstrap is invoked on initial + rpm install (not upgrade) if there is no existing /etc/raddb/certs/server.pem file +- resolves: bug #528493 use sha1 algorithm instead of md5 during cert generation + the certificate configuration (/etc/raddb/certs/{ca,server,client}.cnf) files + were modifed to use sha1 instead of md5 and the validity reduced from 1 year to 2 months + +* Wed Dec 30 2009 John Dennis - 2.1.8-1 +- update to latest upstream + Feature improvements + * Print more descriptive error message for too many EAP sessions. + This gives hints on what to do when "failed to store handler" + * Commands received from radmin are now printed on stdout when + in debugging mode. + * Allow accounting packets to be written to a detail file, even + if they were read from a different detail file. + * Added OpenSSL license exception (src/LICENSE.openssl) + + Bug fixes + * DHCP sockets can now set the broadcast flag before binding to a + socket. You need to set "broadcast = yes" in the DHCP listener. + * Be more restrictive on string parsing in the config files + * Fix password length in scripts/create-users.pl + * Be more flexible about parsing the detail file. This allows + it to read files where the attributes have been edited. + * Ensure that requests read from the detail file are cleaned up + (i.e. don't leak) if they are proxied without a response. + * Write the PID file after opening sockets, not before + (closes bug #29) + * Proxying large numbers of packets no longer gives error + "unable to open proxy socket". + * Avoid mutex locks in libc after fork + * Retry packet from detail file if there was no response. + * Allow old-style dictionary formats, where the vendor name is the + last field in an ATTRIBUTE definition. + * Removed all recursive use of mutexes. Some systems just don't + support this. + * Allow !* to work as documented. + * make templates work (see templates.conf) + * Enabled "allow_core_dumps" to work again + * Print better errors when reading invalid dictionaries + * Sign client certificates with CA, rather than server certs. + * Fix potential crash in rlm_passwd when file was closed + * Fixed corner cases in conditional dynamic expansion. + * Use InnoDB for MySQL IP Pools, to gain transactional support + * Apply patch to libltdl for CVE-2009-3736. + * Fixed a few issues found by LLVM's static checker + * Keep track of "bad authenticators" for accounting packets + * Keep track of "dropped packets" for auth/acct packets + * Synced the "debian" directory with upstream + * Made "unlang" use unsigned 32-bit integers, to match the + dictionaries. + +* Wed Dec 30 2009 John Dennis - 2.1.7-7 +- Remove devel subpackage. It doesn't make much sense to have a devel package since + we don't ship libraries and it produces multilib conflicts. + +* Mon Dec 21 2009 John Dennis - 2.1.7-6 +- more spec file clean up from review comments +- remove freeradius-libs subpackage, move libfreeradius-eap and + libfreeradius-radius into the main package +- fix subpackage requires, change from freeradius-libs to main package +- fix description of the devel subpackage, remove referene to non-shipped libs +- remove execute permissions on src files included in debuginfo +- remove unnecessary use of ldconfig +- since all sub-packages now require main package remove user creation for sub-packages +- also include the LGPL library license file in addition to the GPL license file +- fix BuildRequires for perl so it's compatible with both Fedora, RHEL5 and RHEL6 + +* Mon Dec 21 2009 John Dennis - 2.1.7-5 +- fix various rpmlint issues. + +* Fri Dec 4 2009 Stepan Kasal - 2.1.7-4 +- rebuild against perl 5.10.1 + +* Thu Dec 3 2009 John Dennis - 2.1.7-3 +- resolves: bug #522111 non-conformant initscript + also change permission of /var/run/radiusd from 0700 to 0755 + so that "service radiusd status" can be run as non-root + +* Wed Sep 16 2009 Tomas Mraz - 2.1.7-2 +- use password-auth common PAM configuration instead of system-auth + +* Tue Sep 15 2009 John Dennis - 2.1.7-1 +- enable building of the rlm_wimax module +- pcap wire analysis support is enabled and available in utils subpackage +- Resolves bug #523053 radtest manpage in wrong package +- update to latest upstream release, from upstream Changelog: + Feature improvements + * Full support for CoA and Disconnect packets as per RFC 3576 + and RFC 5176. Both receiving and proxying CoA is supported. + * Added "src_ipaddr" configuration to "home_server". See + proxy.conf for details. + * radsniff now accepts -I, to read from a filename instead of + a device. + * radsniff also prints matching requests and any responses to those + requests when '-r' is used. + * Added example of attr_filter for Access-Challenge packets + * Added support for udpfromto in DHCP code + * radmin can now selectively mark modules alive/dead. + See "set module state". + * Added customizable messages on login success/fail. + See msg_goodpass && msg_badpass in log{} section of radiusd.conf + * Document "chase_referrals" and "rebind" in raddb/modules/ldap + * Preliminary implementation of DHCP relay. + * Made thread pool section optional. If it doesn't exist, + the server will run single-threaded. + * Added sample radrelay.conf for people upgrading from 1.x + * Made proxying more stable by failing over, rather than + rejecting the first request. See "response_window" in proxy.conf + * Allow home_server_pools to exist without realms. + * Add dictionary.iea (closes bug #7) + * Added support for RFC 5580 + * Added experimental sql_freetds module from Gabriel Blanchard. + * Updated dictionary.foundry + * Added sample configuration for MySQL cluster in raddb/sql/ndb + See the README file for explanations. + Bug fixes + * Fixed corner case where proxied packets could have extra + character in User-Password attribute. Fix from Niko Tyni. + * Extended size of "attribute" field in SQL to 64. + * Fixes to ruby module to be more careful about when it builds. + * Updated Perl module "configure" script to check for broken + Perl installations. + * Fix "status_check = none". It would still send packets + in some cases. + * Set recursive flag on the proxy mutex, which enables safer + cleanup on some platforms. + * Copy the EAP username verbatim, rather than escaping it. + * Update handling so that robust-proxy-accounting works when + all home servers are down for extended periods of time. + * Look for DHCP option 53 anywhere in the packet, not just + at the start. + * Fix processing of proxy fail handler with virtual servers. + * DHCP code now prints out correct src/dst IP addresses + when sending packets. + * Removed requirement for DHCP to have clients + * Fixed handling of DHCP packets with message-type buried in the packet + * Fixed corner case with negation in unlang. + * Minor fixes to default MySQL & PostgreSQL schemas + * Suppress MSCHAP complaints in debugging mode. + * Fix SQL module for multiple instance, and possible crash on HUP + * Fix permissions for radius.log for sites that change user/group, + but which don't create the file before starting radiusd. + * Fix double counting of packets when proxying + * Make %%l work + * Fix pthread keys in rlm_perl + * Log reasons for EAP failure (closes bug #8) + * Load home servers and pools that aren't referenced from a realm. + * Handle return codes from virtual attributes in "unlang" + (e.g. LDAP-Group). This makes "!(expr)" work for them. + * Enable VMPS to see contents of virtual server again + * Fix WiMAX module to be consistent with examples. (closes bug #10) + * Fixed crash with policies dependent on NAS-Port comparisons + * Allowed vendor IDs to be be higher than 32767. + * Fix crash on startup with certain regexes in "hints" file. + * Fix crash in attr_filter module when packets don't exist + * Allow detail file reader to be faster when "load_factor = 100" + * Add work-around for build failures with errors related to + lt__PROGRAM__LTX_preloaded_symbols. libltdl / libtool are horrible. + * Made ldap module "rebind" option aware of older, incompatible + versions of OpenLDAP. + * Check value of Fall-Through in attr_filter module. + +* Fri Aug 21 2009 Tomas Mraz - 2.1.6-6 +- rebuilt with new openssl + +* Fri Jul 24 2009 Fedora Release Engineering - 2.1.6-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Fri Jul 10 2009 John Dennis - 2.1.6-4 +- install COPYRIGHT CREDITS INSTALL LICENSE README into docdir + +* Tue Jun 23 2009 John Dennis - 2.1.6-3 +- resolves bug #507571 freeradius packages do not check for user/group existence + +* Tue Jun 2 2009 John Dennis - 2.1.6-2 +- make /etc/raddb/sites-available/* be config(noreplace) + +* Mon May 18 2009 John Dennis - 2.1.6-1 +- update to latest upstream release, from upstream Changelog: + Feature improvements + * radclient exits with 0 on successful (accept / ack), and 1 + otherwise (no response / reject) + * Added support for %%{sql:UPDATE ..}, and insert/delete + Patch from Arran Cudbard-Bell + * Added sample "do not respond" policy. See raddb/policy.conf + and raddb/sites-available/do_not_respond + * Cleanups to Suse spec file from Norbert Wegener + * New VSAs for Juniper from Bjorn Mork + * Include more RFC dictionaries in the default install + * More documentation for the WiMAX module + * Added "chase_referrals" and "rebind" configuration to rlm_ldap. + This helps with Active Directory. See raddb/modules/ldap + * Don't load pre/post-proxy if proxying is disabled. + * Added %%{md5:...}, which returns MD5 hash in hex. + * Added configurable "retry_interval" and "poll_interval" + for "detail" listeners. + * Added "delete_mppe_keys" configuration option to rlm_wimax. + Apparently some WiMAX clients misbehave when they see those keys. + * Added experimental rlm_ruby from + http://github.com/Antti/freeradius-server/tree/master + * Add Tunnel attributes to ldap.attrmap + * Enable virtual servers to be reloaded on HUP. For now, only + the "authorize", "authenticate", etc. processing sections are + reloaded. Clients and "listen" sections are NOT reloaded. + * Updated "radwatch" script to be more robust. See scripts/radwatch + * Added certificate compatibility notes in raddb/certs/README, + for compatibility with different operating systems. (i.e. Windows) + * Permit multiple "-e" in radmin. + * Add support for originating CoA-Request and Disconnect-Request. + See raddb/sites-available/originate-coa. + * Added "lifetime" and "max_queries" to raddb/sql.conf. + This helps address the problem of hung SQL sockets. + * Allow packets to be injected via radmin. See "inject help" + in radmin. + * Answer VMPS reconfirmation request. Patch from Hermann Lauer. + * Sample logrotate script in scripts/logrotate.freeradius + * Add configurable poll interval for "detail" listeners + * New "raddebug" command. This prints debugging information from + a running server. See "man raddebug. + * Add "require_message_authenticator" configuration to home_server + configuration. This makes the server add Message-Authenticator + to all outgoing Access-Request packets. + * Added smsotp module, as contributed by Siemens. + * Enabled the administration socket in the default install. + See raddb/sites-available/control-socket, and "man radmin" + * Handle duplicate clients, such as with replicated or + load-balanced SQL servers and "readclients = yes" + Bug fixes + * Minor changes to allow building without VQP. + * Minor fixes from John Center + * Fixed raddebug example + * Don't crash when deleting attributes via unlang + * Be friendlier to very fast clients + * Updated the "detail" listener so that it only polls once, + and not many times in a row, leaking memory each time... + * Update comparison for Packet-Src-IP-Address (etc.) so that + the operators other than '==' work. + * Did autoconf magic to work around weird libtool bug + * Make rlm_perl keep tags for tagged attributes in more situations + * Update UID checking for radmin + * Added "include_length" field for TTLS. It's needed for RFC + compliance, but not (apparently) for interoperability. + * Clean up control sockets when they are closed, so that we don't + leak memory. + * Define SUN_LEN for systems that don't have it. + * Correct some boundary conditions in the conditional checker ("if") + in "unlang". Bug noted by Arran Cudbard-Bell. + * Work around minor building issues in gmake. This should only + have affected developers. + * Change how we manage unprivileged user/group, so that we do not + create control sockets owned by root. + * Fixed more minor issues found by Coverity. + * Allow raddb/certs/bootstrap to run when there is no "make" + command installed. + * In radiusd.conf, run_dir depends on the name of the program, + and isn't hard-coded to "..../radiusd" + * Check for EOF in more places in the "detail" file reader. + * Added Freeswitch dictionary. + * Chop ethernet frames in VMPS, rather than droppping packets. + * Fix EAP-TLS bug. Patch from Arnaud Ebalard + * Don't lose string for regex-compares in the "users" file. + * Expose more functions in rlm_sql to rlm_sqlippool, which + helps on systems where RTLD_GLOBAL is off. + * Fix typos in MySQL schemas for ippools. + * Remove macro that was causing build issues on some platforms. + * Fixed issues with dead home servers. Bug noted by Chris Moules. + * Fixed "access after free" with some dynamic clients. + +- fix packaging bug, some directories missing execute permission + /etc/raddb/dictionary now readable by all. + +* Tue Feb 24 2009 John Dennis - 2.1.3-4 +- fix type usage in unixodbc to match new type usage in unixodbc API + +* Thu Feb 19 2009 John Dennis - 2.1.3-3 +- add pointer to Red Hat documentation in docdir + +* Sat Jan 24 2009 Caolán McNamara - 2.1.3-2 +- rebuild for dependencies + +* Thu Dec 4 2008 John Dennis - 2.1.3-1 +- upgrade to latest upstream release, upstream summary follows: + The focus of this release is stability. + Feature Improvements: + * Allow running with "user=radiusd" and binding to secure sockets. + * Start sending Status-Server "are you alive" messages earlier, which + helps with proxying multiple realms to a home server. + * Removed thread pool code from rlm_perl. It's not necessary. + * Added example Perl configuration to raddb/modules/perl + * Force OpenSSL to support certificates with SHA256. This seems to be + necessary for WiMAX certs. + Bug fixes: + * Fix Debian patch to allow it to build. + * Fix potential NULL dereference in debugging mode on certain + platforms for TTLS and PEAP inner tunnels. + * Fix uninitialized memory in handling of vendor definitions + * Fix parsing of quoted (but non-string) attributes in the "users" file. + * Initialize uknown NAS IP to 255.255.255.255, rather than 0.0.0.0 + * use SUN_LEN in control socket, to avoid truncation on some platforms. + * Correct internal handling of "debug condition" to prevent it from + being over-written. + * Check return code of regcomp in "unlang", so that invalid regular + expressions are caught rather than mishandled. + * Make rlm_sql use . Addresses bug #610. + * Document list "type = status" better. Closes bug #580. + * Set "default days" for certificates, because OpenSSL won't do it. + This closes bug #615. + * Reference correct list in example raddb/modules/ldap. Closes #596. + * Increase default schema size for Acct-Session-Id to 64. Closes #540. + * Fix use of temporary files in dialup-admin. Closes #605 and + addresses CVE-2008-4474. + * Addressed a number of minor issues found by Coverity. + * Added DHCP option 150 to the dictionary. Closes #618. + +* Wed Dec 3 2008 John Dennis - 2.1.1-8 +- add --with-system-libtool to configure as a workaround for +undefined reference to lt__PROGRAM__LTX_preloaded_symbols + +* Mon Dec 1 2008 John Dennis - 2.1.1-7 +- add obsoletes tag for dialupadmin subpackages which were removed + +* Mon Dec 1 2008 John Dennis - 2.1.1-7 +- add readline-devel BuildRequires + +* Sun Nov 30 2008 Ignacio Vazquez-Abrams - 2.1.1-4 +- Rebuild for Python 2.6 + +* Fri Nov 21 2008 John Dennis - 2.1.1-3 +- make spec file buildable on RHEL5.2 by making perl-devel a fedora only dependency. +- remove diaupadmin packages, it's not well supported and there are problems with it. + +* Fri Sep 26 2008 John Dennis - 2.1.1-1 +- Resolves: bug #464119 bootstrap code could not create initial certs in /etc/raddb/certs because + permissions were 750, radiusd running as euid radiusd could not write there, permissions now 770 + +* Thu Sep 25 2008 John Dennis - 2.1.1-1 +- upgrade to new upstream 2.1.1 release + +* Wed Jul 30 2008 John Dennis - 2.0.5-2 +- Resolves: bug #453761: FreeRADIUS %%post should not include chown -R + specify file attributes for /etc/raddb/ldap.attrmap + fix consistent use of tabs/spaces (rpmlint warning) + +* Mon Jun 9 2008 John Dennis - 2.0.5-1 +- upgrade to latest upstream, see Changelog for details, + upstream now has more complete fix for bug #447545, local patch removed + +* Wed May 28 2008 John Dennis - 2.0.4-1 +- upgrade to latest upstream, see Changelog for details +- resolves: bug #447545: freeradius missing /etc/raddb/sites-available/inner-tunnel + +* Fri May 16 2008 - 2.0.3-3 +- # Temporary fix for bug #446864, turn off optimization + +* Fri Apr 18 2008 John Dennis - 2.0.3-2 +- remove support for radrelay, it's different now +- turn off default inclusion of SQL config files in radiusd.conf since SQL + is an optional RPM install +- remove mssql config files + +* Thu Apr 17 2008 John Dennis - 2.0.3-1 +- Upgrade to current upstream 2.0.3 release +- Many thanks to Enrico Scholz for his spec file suggestions incorporated here +- Resolve: bug #438665: Contains files owned by buildsystem +- Add dialupadmin-mysql, dialupadmin-postgresql, dialupadmin-ldap subpackages + to further partition external dependencies. +- Clean up some unnecessary requires dependencies +- Add versioned requires between subpackages + +* Tue Mar 18 2008 Tom "spot" Callaway - 2.0.2-2 +- add Requires for versioned perl (libperl.so) + +* Thu Feb 28 2008 - 2.0.2-1 +- upgrade to new 2.0 release +- split into subpackages for more fine grained installation + +* Tue Feb 19 2008 Fedora Release Engineering - 1.1.7-4.4.ipa +- Autorebuild for GCC 4.3 + +* Thu Dec 06 2007 Release Engineering - 1.1.7-3.4.ipa +- Rebuild for deps + +* Sat Nov 10 2007 - 1.1.7-3.3.ipa +- add support in rlm_ldap for reading clients from ldap +- fix TLS parameter controling if a cert which fails to validate + will be accepted (i.e. self-signed), + rlm_ldap config parameter=tls_require_cert + ldap LDAP_OPT_X_TLS_REQUIRE_CERT parameter was being passed to + ldap_set_option() when it should have been ldap_int_tls_config() + +* Sat Nov 3 2007 - 1.1.7-3.2.ipa +- add support in rlm_ldap for SASL/GSSAPI binds to the LDAP server + +* Mon Sep 17 2007 Thomas Woerner 1.1.7-3.1 +- made init script fully lsb conform + +* Mon Sep 17 2007 Thomas Woerner 1.1.7-3 +- fixed initscript problem (rhbz#292521) + +* Tue Aug 28 2007 Thomas Woerner 1.1.7-2 +- fixed initscript for LSB (rhbz#243671, rhbz#243928) +- fixed license tag + +* Tue Aug 7 2007 Thomas Woerner 1.1.7-1 +- new versin 1.1.7 +- install snmp MIB files +- dropped LDAP_DEPRECATED flag, it is upstream +- marked config files for sub packages as config (rhbz#240400) +- moved db files to /var/lib/raddb (rhbz#199082) + +* Fri Jun 15 2007 Thomas Woerner 1.1.6-2 +- radiusd expects /etc/raddb to not be world readable or writable + /etc/raddb now belongs to radiusd, post script sets permissions + +* Fri Jun 15 2007 Thomas Woerner 1.1.6-1 +- new version 1.1.6 + +* Fri Mar 9 2007 Thomas Woerner 1.1.5-1 +- new version 1.1.5 + - no /etc/raddb/otppasswd.sample anymore + - build is pie by default, dropped pie patch +- fixed build requirement for perl (perl-devel) + +* Fri Feb 23 2007 Karsten Hopp 1.1.3-3 +- remove trailing dot from summary +- fix buildroot +- fix post/postun/preun requirements +- use rpm macros + +* Fri Dec 8 2006 Thomas Woerner 1.1.3-2.1 +- rebuild for new postgresql library version + +* Thu Nov 30 2006 Thomas Woerner 1.1.3-2 +- fixed ldap code to not use internals, added LDAP_DEPRECATED compile time flag + (#210912) + +* Tue Aug 15 2006 Thomas Woerner 1.1.3-1 +- new version 1.1.3 with lots of upstream bug fixes, some security fixes + (#205654) + +* Tue Aug 15 2006 Thomas Woerner 1.1.2-2 +- commented out include for sql.conf in radiusd.conf (#202561) + +* Wed Jul 12 2006 Jesse Keating - 1.1.2-1.1 +- rebuild + +* Thu Jun 1 2006 Thomas Woerner 1.1.2-1 +- new version 1.1.2 + +* Wed May 31 2006 Thomas Woerner 1.1.1-1 +- new version 1.1.1 +- fixed incorrect rlm_sql globbing (#189095) + Thanks to Yanko Kaneti for the fix. +- fixed chown syntax in post script (#182777) +- dropped gcc34, libdir and realloc-return patch +- spec file cleanup with additional libtool build fixes + +* Fri Feb 10 2006 Jesse Keating - 1.0.5-1.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 1.0.5-1.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Tue Dec 13 2005 Thomas Woerner 1.0.5-1 +- new version 1.0.5 + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Sat Nov 12 2005 Tom Lane - 1.0.4-5 +- Rebuild due to mysql update. + +* Wed Nov 9 2005 Tomas Mraz - 1.0.4-4 +- rebuilt with new openssl +- fixed ignored return value of realloc + +* Fri Sep 30 2005 Tomas Mraz - 1.0.4-3 +- use include instead of pam_stack in pam config + +* Wed Jul 20 2005 Thomas Woerner 1.0.4-2 +- added missing build requires for libtool-ltdl-devel (#160877) +- modified file list to get a report for missing plugins + +* Tue Jun 28 2005 Thomas Woerner 1.0.4-1 +- new version 1.0.4 +- droppend radrelay patch (fixed upstream) + +* Thu Apr 14 2005 Warren Togami 1.0.2-2 +- rebuild against new postgresql-libs + +* Mon Apr 4 2005 Thomas Woerner 1.0.2-1 +- new version 1.0.2 + +* Fri Nov 19 2004 Thomas Woerner 1.0.1-3 +- rebuild for MySQL 4 +- switched over to installed libtool + +* Fri Nov 5 2004 Thomas Woerner 1.0.1-2 +- Fixed install problem of radeapclient (#138069) + +* Wed Oct 6 2004 Thomas Woerner 1.0.1-1 +- new version 1.0.1 +- applied radrelay CVS patch from Kevin Bonner + +* Wed Aug 25 2004 Warren Togami 1.0.0-3 +- BuildRequires pam-devel and libtool +- Fix errant text in description +- Other minor cleanups + +* Wed Aug 25 2004 Thomas Woerner 1.0.0-2.1 +- renamed /etc/pam.d/radius to /etc/pam.d/radiusd to match default + configuration (#130613) + +* Wed Aug 25 2004 Thomas Woerner 1.0.0-2 +- fixed BuildRequires for openssl-devel (#130606) + +* Mon Aug 16 2004 Thomas Woerner 1.0.0-1 +- 1.0.0 final + +* Mon Jul 5 2004 Thomas Woerner 1.0.0-0.pre3.2 +- added buildrequires for zlib-devel (#127162) +- fixed libdir patch to prefer own libeap instead of installed one (#127168) +- fixed samba account maps in LDAP for samba v3 (#127173) + +* Thu Jul 1 2004 Thomas Woerner 1.0.0-0.pre3.1 +- third "pre" release of version 1.0.0 +- rlm_ldap is using SASLv2 (#126507) + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Thu Jun 3 2004 Thomas Woerner 0.9.3-4.1 +- fixed BuildRequires for gdbm-devel + +* Tue Mar 30 2004 Harald Hoyer - 0.9.3-4 +- gcc34 compilation fixes + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Tue Feb 24 2004 Thomas Woerner 0.9.3-3.2 +- added sql scripts for rlm_sql to documentation (#116435) + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Thu Feb 5 2004 Thomas Woerner 0.9.3-2.1 +- using -fPIC instead of -fpic for s390 ans s390x + +* Thu Feb 5 2004 Thomas Woerner 0.9.3-2 +- radiusd is pie, now + +* Tue Nov 25 2003 Thomas Woerner 0.9.3-1 +- new version 0.9.3 (bugfix release) + +* Fri Nov 7 2003 Thomas Woerner 0.9.2-1 +- new version 0.9.2 + +* Mon Sep 29 2003 Thomas Woerner 0.9.1-1 +- new version 0.9.1 + +* Mon Sep 22 2003 Nalin Dahyabhai 0.9.0-2.2 +- modify default PAM configuration to remove the directory part of the module + name, so that 32- and 64-bit libpam (called from 32- or 64-bit radiusd) on + multilib systems will always load the right module for the architecture +- modify default PAM configuration to use pam_stack + +* Mon Sep 1 2003 Thomas Woerner 0.9.0-2.1 +- com_err.h moved to /usr/include/et + +* Tue Jul 22 2003 Thomas Woerner 0.9.0-1 +- 0.9.0 final + +* Wed Jul 16 2003 Thomas Woerner 0.9.0-0.9.0 +- new version 0.9.0 pre3 + +* Thu May 22 2003 Thomas Woerner 0.8.1-6 +- included directory /var/log/radius/radacct for logrotate + +* Wed May 21 2003 Thomas Woerner 0.8.1-5 +- moved log and run dir to files section, cleaned up post + +* Wed May 21 2003 Thomas Woerner 0.8.1-4 +- added missing run dir in post + +* Tue May 20 2003 Thomas Woerner 0.8.1-3 +- fixed module load patch + +* Fri May 16 2003 Thomas Woerner +- removed la files, removed devel package +- split into 4 packages: freeradius, freeradius-mysql, freeradius-postgresql, + freeradius-unixODBC +- fixed requires and buildrequires +- create logging dir in post if it does not exist +- fixed module load without la files + +* Thu Apr 17 2003 Thomas Woerner +- Initial build.