diff --git a/.freeradius.metadata b/.freeradius.metadata
index 71192f0..1dcc6e9 100644
--- a/.freeradius.metadata
+++ b/.freeradius.metadata
@@ -1 +1 @@
-baa58979672f6fc57ab4f16e947b85b9a6eee969 SOURCES/freeradius-server-3.0.4.tar.bz2
+29d4e4c21db4d17a60eab034c15927c83177c786 SOURCES/freeradius-server-3.0.13.tar.bz2
diff --git a/.gitignore b/.gitignore
index 1fd3624..8ce4c4b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeradius-server-3.0.4.tar.bz2
+SOURCES/freeradius-server-3.0.13.tar.bz2
diff --git a/SOURCES/freeradius-Don-t-overwrite-ip_hton-af-prefix-in-fr_pton4-6.patch b/SOURCES/freeradius-Don-t-overwrite-ip_hton-af-prefix-in-fr_pton4-6.patch
deleted file mode 100644
index 71ac3bf..0000000
--- a/SOURCES/freeradius-Don-t-overwrite-ip_hton-af-prefix-in-fr_pton4-6.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 64ee0b30df59857bce8f0efea019d065cf48c54c Mon Sep 17 00:00:00 2001
-From: Nikolai Kondrashov
-Date: Thu, 18 Dec 2014 22:05:35 +0200
-Subject: [PATCH 2/2] Don't overwrite ip_hton af/prefix in fr_pton4/6
-
-Don't overwrite address family and prefix set by ip_hton (which can fall
-back onto other address family) with AF_INET/32 and AF_INET6/128, in
-fr_pton4 and fr_pton6 respectively.
-
-This fixes radiusd listening on wrong address data when falling back to
-another address family.
----
- src/lib/misc.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/src/lib/misc.c b/src/lib/misc.c
-index ad27057..cf49917 100644
---- a/src/lib/misc.c
-+++ b/src/lib/misc.c
-@@ -238,6 +238,9 @@ int fr_pton4(fr_ipaddr_t *out, char const *value, size_t inlen, bool resolve, bo
- * 192.0.2.2 is parsed as if it was /32
- */
- if (!p) {
-+ out->prefix = 32;
-+ out->af = AF_INET;
-+
- /*
- * Allow '*' as the wildcard address usually 0.0.0.0
- */
-@@ -258,9 +261,6 @@ int fr_pton4(fr_ipaddr_t *out, char const *value, size_t inlen, bool resolve, bo
- }
- } else if (ip_hton(out, AF_INET, value, fallback) < 0) return -1;
-
-- out->prefix = 32;
-- out->af = AF_INET;
--
- return 0;
- }
-
-@@ -338,6 +338,9 @@ int fr_pton6(fr_ipaddr_t *out, char const *value, size_t inlen, bool resolve, bo
-
- p = strchr(value, '/');
- if (!p) {
-+ out->prefix = 128;
-+ out->af = AF_INET6;
-+
- /*
- * Allow '*' as the wildcard address
- */
-@@ -350,9 +353,6 @@ int fr_pton6(fr_ipaddr_t *out, char const *value, size_t inlen, bool resolve, bo
- }
- } else if (ip_hton(out, AF_INET6, value, fallback) < 0) return -1;
-
-- out->prefix = 128;
-- out->af = AF_INET6;
--
- return 0;
- }
-
---
-2.1.3
-
diff --git a/SOURCES/freeradius-Fix-some-issues-found-with-static-analyzers.patch b/SOURCES/freeradius-Fix-some-issues-found-with-static-analyzers.patch
new file mode 100644
index 0000000..759d9d3
--- /dev/null
+++ b/SOURCES/freeradius-Fix-some-issues-found-with-static-analyzers.patch 
@@ -0,0 +1,262 @@
+From 7024d6ce061d57af65fe3a068803212581552f96 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok"
+Date: Fri, 10 Mar 2017 09:11:03 -0500
+Subject: [PATCH] Fix some issues found with static analyzers
+
+Fix some issues found with static analyzers. Includes the following.
+
+Coverity. Closes #1937
+
+(cherry picked from commit 521e2a9bd3b1b49555bcd9fb90b03c456f616070)
+
+Allo session resumption for RadSec connectins. Closes #1936
+
+(cherry picked from commit 43efa4321d7cd9fca1184f999e1cadeff3afda02)
+
+request->packet cannot be NULL. Helps with #1935
+
+(cherry picked from commit 7f22c30476be495438d5bc4dbec2f618f09c0b15)
+
+remove unused variable
+
+(cherry picked from commit d9bfc70efbf575258425d2ca86160490e0c36a45)
+
+close open FDs on error, and use error path in more situations
+
+(cherry picked from commit e51af914bc5fdf879f821e6a1ecfe700bff937ca)
+
+return RLM_MODULE_FAIL for default switch statement
+
+(cherry picked from commit cdfa6e15065a4a616c96af516936117124a1c293)
+
+Remove always-false condition in rlm_eap_fast
+
+(cherry picked from commit 96d7a5e2bb393b4fd1b6cb6e0a6858e6c18eb96a)
+
+Remove always-false condition from cf_item_parse
+
+(cherry picked from commit 92624adf8170fb133b330fe02d8940a8bac86189)
+
+Ensure that error is always initialized
+
+(cherry picked from commit c483d8456e44747621334b318483c3a33752aaac)
+---
+ src/main/command.c | 15 ++++++++-------
+ src/main/conffile.c | 2 --
+ src/main/process.c | 5 +++--
+ src/main/tls.c | 12 ++++++------
+ src/main/xlat.c | 6 +++++-
+ src/modules/rlm_cache/rlm_cache.c | 3 ++-
+ src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c | 3 ---
+ src/modules/rlm_mschap/rlm_mschap.c | 2 +-
+ 8 files changed, 25 insertions(+), 23 deletions(-)
+
+diff --git a/src/main/command.c b/src/main/command.c
+index d3b729f9a..34c5268d7 100644
+--- a/src/main/command.c
++++ b/src/main/command.c
+@@ -345,7 +345,7 @@ static int fr_server_domain_socket_perm(UNUSED char const *path, UNUSED uid_t ui
+ */
+ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid)
+ {
+- int dir_fd = -1, path_fd = -1, sock_fd = -1, parent_fd = -1;
++ int dir_fd = -1, sock_fd = -1, parent_fd = -1;
+ char const *name;
+ char *buff = NULL, *dir = NULL, *p;
+
+@@ -392,8 +392,9 @@ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid)
+ fr_strerror_printf("Failed determining parent directory");
+ error:
+ talloc_free(dir);
+- close(dir_fd);
+- close(path_fd);
++ if (sock_fd >= 0) close(sock_fd);
++ if (dir_fd >= 0) close(dir_fd);
++ if (parent_fd >= 0) close(parent_fd);
+ return -1;
+ }
+
+@@ -459,7 +460,7 @@ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid)
+ if (ret < 0) {
+ fr_strerror_printf("Failed changing ownership of control socket directory: %s",
+ fr_syserror(errno));
+- return -1;
++ goto error;
+ }
+ /*
+ * Control socket dir already exists, but we still need to
+@@ -527,7 +528,7 @@ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid)
+ if (client_fd >= 0) {
+ fr_strerror_printf("Control socket '%s' is already in use", path);
+ close(client_fd);
+- return -1;
++ goto error;
+ }
+ }
+
+@@ -676,8 +677,8 @@ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid)
+ if (uid != (uid_t)-1) rad_seuid(euid);
+ if (gid != (gid_t)-1) rad_segid(egid);
+
+- close(dir_fd);
+- close(path_fd);
++ if (dir_fd >= 0) close(dir_fd);
++ if (parent_fd >= 0) close(parent_fd);
+
+ return sock_fd;
+ }
+diff --git a/src/main/conffile.c b/src/main/conffile.c
+index df78184bd..10c029a0e 100644
+--- a/src/main/conffile.c
++++ b/src/main/conffile.c
+@@ -1474,7 +1474,6 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d
+
+ if (!value) {
+ if (required) {
+- is_required:
+ cf_log_err(c_item, "Configuration item \"%s\" must have a value", name);
+
+ return -1;
+@@ -1620,7 +1619,6 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d
+ }
+ }
+
+- if (required && !value) goto is_required;
+ if (cant_be_empty && (value[0] == '\0')) goto cant_be_empty;
+
+ if (attribute) {
+diff --git a/src/main/process.c b/src/main/process.c
+index c5a690672..c3856c7a1 100644
+--- a/src/main/process.c
++++ b/src/main/process.c
+@@ -2122,8 +2122,9 @@ static void remove_from_proxy_hash_nl(REQUEST *request, bool yank)
+ }
+
+ #ifdef WITH_TCP
+- rad_assert(request->proxy_listener != NULL);
+- request->proxy_listener->count--;
++ if (request->proxy_listener) {
++ request->proxy_listener->count--;
++ }
+ #endif
+ request->proxy_listener = NULL;
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index caa7e62ed..a72be2b63 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -1360,7 +1360,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
+ blob_len = i2d_SSL_SESSION(sess, NULL);
+ if (blob_len < 1) {
+ /* something went wrong */
+- RWDEBUG("Session serialisation failed, couldn't determine required buffer length");
++ if (request) RWDEBUG("Session serialisation failed, couldn't determine required buffer length");
+ return 0;
+ }
+
+@@ -1375,7 +1375,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
+ p = sess_blob;
+ rv = i2d_SSL_SESSION(sess, &p);
+ if (rv != blob_len) {
+- RWDEBUG("Session serialisation failed");
++ if (request) RWDEBUG("Session serialisation failed");
+ goto error;
+ }
+
+@@ -1384,8 +1384,8 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
+ conf->session_cache_path, FR_DIR_SEP, buffer);
+ fd = open(filename, O_RDWR|O_CREAT|O_EXCL, 0600);
+ if (fd < 0) {
+- RERROR("Session serialisation failed, failed opening session file %s: %s",
+- filename, fr_syserror(errno));
++ if (request) RERROR("Session serialisation failed, failed opening session file %s: %s",
++ filename, fr_syserror(errno));
+ goto error;
+ }
+
+@@ -1409,7 +1409,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
+ while (todo > 0) {
+ rv = write(fd, p, todo);
+ if (rv < 1) {
+- RWDEBUG("Failed writing session: %s", fr_syserror(errno));
++ if (request) RWDEBUG("Failed writing session: %s", fr_syserror(errno));
+ close(fd);
+ goto error;
+ }
+@@ -1417,7 +1417,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
+ todo -= rv;
+ }
+ close(fd);
+- RWDEBUG("Wrote session %s to %s (%d bytes)", buffer, filename, blob_len);
++ if (request) RWDEBUG("Wrote session %s to %s (%d bytes)", buffer, filename, blob_len);
+ }
+
+ error:
+diff --git a/src/main/xlat.c b/src/main/xlat.c
+index 31987289c..aeac3a4c3 100644
+--- a/src/main/xlat.c
++++ b/src/main/xlat.c
+@@ -1787,7 +1787,10 @@ static ssize_t xlat_tokenize_request(REQUEST *request, char const *fmt, xlat_exp
+ * much faster.
+ */
+ tokens = talloc_typed_strdup(request, fmt);
+- if (!tokens) return -1;
++ if (!tokens) {
++ error = "Out of memory";
++ return -1;
++ }
+
+ slen = xlat_tokenize_literal(request, tokens, head, false, &error);
+
+@@ -1806,6 +1809,7 @@ static ssize_t xlat_tokenize_request(REQUEST *request, char const *fmt, xlat_exp
+ */
+ if (slen < 0) {
+ talloc_free(tokens);
++
+ rad_assert(error != NULL);
+
+ REMARKER(fmt, -slen, error);
+diff --git a/src/modules/rlm_cache/rlm_cache.c b/src/modules/rlm_cache/rlm_cache.c
+index 248de8bf9..54449747f 100644
+--- a/src/modules/rlm_cache/rlm_cache.c
++++ b/src/modules/rlm_cache/rlm_cache.c
+@@ -126,7 +126,8 @@ static void CC_HINT(nonnull) cache_merge(rlm_cache_t *inst, REQUEST *request, rl
+
+ RDEBUG2("Merging cache entry into request");
+
+- if (c->packet && request->packet) {
++ if (c->packet) {
++ rad_assert(request->packet != NULL);
+ rdebug_pair_list(L_DBG_LVL_2, request, c->packet, "&request:");
+ radius_pairmove(request, &request->packet->vps, fr_pair_list_copy(request->packet, c->packet), false);
+ }
+diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
+index dba2c1462..95e521718 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
++++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
+@@ -1235,9 +1235,6 @@ PW_CODE eap_fast_process(eap_handler_t *eap_session, tls_session_t *tls_session)
+
+ eap_fast_append_result(tls_session, code);
+
+- if (code == PW_CODE_ACCESS_REJECT)
+- break;
+-
+ if (t->pac.send) {
+ RDEBUG("Peer requires new PAC");
+ eap_fast_send_pac_tunnel(request, tls_session);
+diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c
+index aba15f826..c702f1b45 100644
+--- a/src/modules/rlm_mschap/rlm_mschap.c
++++ b/src/modules/rlm_mschap/rlm_mschap.c
+@@ -1471,7 +1471,7 @@ static rlm_rcode_t mschap_error(rlm_mschap_t *inst, REQUEST *request, unsigned c
+ break;
+
+ default:
+- rad_assert(0);
++ return RLM_MODULE_FAIL;
+ }
+ mschap_add_reply(request, ident, "MS-CHAP-Error", buffer, strlen(buffer));
+
+--
+2.11.0
+
diff --git a/SOURCES/freeradius-Handle-connection-error-in-rlm_ldap_cacheable_groupo.patch b/SOURCES/freeradius-Handle-connection-error-in-rlm_ldap_cacheable_groupo.patch
new file mode 100644
index 0000000..8dac6ed
--- /dev/null
+++ b/SOURCES/freeradius-Handle-connection-error-in-rlm_ldap_cacheable_groupo.patch
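Review bot: In the `@@ -1409` hunk of tls.c, a failed or short `write()` still runs `close(fd); goto error;` and leaves the partially written session file on disk under `conf->session_cache_path`; because the file is created with `O_EXCL`, a later attempt to store a session under the same name will fail with EEXIST, and a resumption lookup could end up reading the truncated blob. Unless the `error:` path (whose body is outside the hunk) already removes it, add `unlink(filename);` before the `goto error;` in that branch. Separately, guarding `RERROR` with `if (request)` means that when `request` is NULL (presumably the RadSec case the commit message mentions) an `open()` failure of the cache file is no longer logged at all; an `else ERROR(...)` with the same message, or whichever request-less logging macro tls.c uses, would keep the diagnostic. `cbtls_new_session` starts and ends outside the hunk.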
@@ -0,0 +1,30 @@
+From bd67f9fc09690f0b3ac195cb9c57d51bd7a7dc23 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov
+Date: Wed, 29 Mar 2017 10:43:14 +0300
+Subject: [PATCH] Handle connection error in rlm_ldap_cacheable_groupobj
+
+Closes #1951
+
+(cherry picked from commit 208681c80e1149de888affdb87f34de0c371db50)
+---
+ src/modules/rlm_ldap/groups.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/modules/rlm_ldap/groups.c b/src/modules/rlm_ldap/groups.c
+index 12f34da2a..5e0a1819e 100644
+--- a/src/modules/rlm_ldap/groups.c
++++ b/src/modules/rlm_ldap/groups.c
+@@ -461,8 +461,10 @@ rlm_rcode_t rlm_ldap_cacheable_groupobj(rlm_ldap_t const *inst, REQUEST *request
+
+ case LDAP_PROC_NO_RESULT:
+ RDEBUG2("No cacheable group memberships found in group objects");
++ goto finish;
+
+ default:
++ rcode = RLM_MODULE_FAIL;
+ goto finish;
+ }
+
+--
+2.11.0
+
diff --git a/SOURCES/freeradius-Rename-lt_-symbols-to-fr_.patch b/SOURCES/freeradius-Rename-lt_-symbols-to-fr_.patch
deleted file mode 100644
index d96a325..0000000
--- a/SOURCES/freeradius-Rename-lt_-symbols-to-fr_.patch
+++ /dev/null
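Review bot: The new `default:` branch sets `rcode = RLM_MODULE_FAIL` and jumps to `finish` without logging which LDAP status caused the failure, so a connection error during the group-object search now fails the request with no diagnostic from this function. A one-line error log before the `goto finish;`, e.g. `REDEBUG("Failed searching for group objects");` (or whichever request-error macro rlm_ldap uses), would make the failure traceable in the request log. Since `default:` now catches every status other than the cases above, not only connection errors, a short comment such as `/* Any other status (connection lost, search error) is a hard failure */` would document the intent. `rlm_ldap_cacheable_groupobj`, the initial value of `rcode` and the `finish:` label are outside the hunk.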
@@ -1,180 +0,0 @@ -From 31b815dedccaf3fcc21530614493ad4c0bf48ec1 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Mon, 14 Nov 2016 13:08:59 +0200 -Subject: [PATCH] Rename lt_ symbols to fr_ - -Rename lt_ symbols to fr_ to avoid clashes with libltdl. ---- - src/include/modpriv.h | 12 ++++++------ - src/main/listen.c | 10 +++++----- - src/main/modules.c | 10 +++++----- - src/modules/rlm_eap/eap.c | 4 ++-- - src/modules/rlm_eap/rlm_eap.h | 2 +- - src/modules/rlm_sql/rlm_sql.c | 2 +- - 6 files changed, 20 insertions(+), 20 deletions(-) - -diff --git a/src/include/modpriv.h b/src/include/modpriv.h -index 94d320e..446e204 100644 ---- a/src/include/modpriv.h -+++ b/src/include/modpriv.h -@@ -18,12 +18,12 @@ - extern "C" { - #endif - --typedef void *lt_dlhandle; -+typedef void *fr_dlhandle; - --lt_dlhandle lt_dlopenext(char const *name); --void *lt_dlsym(lt_dlhandle handle, char const *symbol); --int lt_dlclose(lt_dlhandle handle); --char const *lt_dlerror(void); -+fr_dlhandle fr_dlopenext(char const *name); -+void *fr_dlsym(fr_dlhandle handle, char const *symbol); -+int fr_dlclose(fr_dlhandle handle); -+char const *fr_dlerror(void); - - /* - * Keep track of which modules we've loaded. 
-@@ -31,7 +31,7 @@ char const *lt_dlerror(void); - typedef struct module_entry_t { - char name[MAX_STRING_LEN]; - module_t const *module; -- lt_dlhandle handle; -+ fr_dlhandle handle; - } module_entry_t; - - typedef struct fr_module_hup_t fr_module_hup_t; -diff --git a/src/main/listen.c b/src/main/listen.c -index 55e3f86..6c7e3f1 100644 ---- a/src/main/listen.c -+++ b/src/main/listen.c -@@ -2758,7 +2758,7 @@ static const FR_NAME_NUMBER listen_compare[] = { - { NULL, 0 }, - }; - --static int _free_proto_handle(lt_dlhandle *handle) -+static int _free_proto_handle(fr_dlhandle *handle) - { - dlclose(*handle); - return 0; -@@ -2771,7 +2771,7 @@ static rad_listen_t *listen_parse(CONF_SECTION *cs, char const *server) - rad_listen_t *this; - CONF_PAIR *cp; - char const *value; -- lt_dlhandle handle; -+ fr_dlhandle handle; - CONF_SECTION *server_cs; - char buffer[32]; - -@@ -2790,10 +2790,10 @@ static rad_listen_t *listen_parse(CONF_SECTION *cs, char const *server) - } - - snprintf(buffer, sizeof(buffer), "proto_%s", value); -- handle = lt_dlopenext(buffer); -+ handle = fr_dlopenext(buffer); - if (handle) { - fr_protocol_t *proto; -- lt_dlhandle *marker; -+ fr_dlhandle *marker; - - proto = dlsym(handle, buffer); - if (!proto) { -@@ -2812,7 +2812,7 @@ static rad_listen_t *listen_parse(CONF_SECTION *cs, char const *server) - /* - * Ensure handle gets closed if config section gets freed - */ -- marker = talloc(cs, lt_dlhandle); -+ marker = talloc(cs, fr_dlhandle); - *marker = handle; - talloc_set_destructor(marker, _free_proto_handle); - -diff --git a/src/main/modules.c b/src/main/modules.c -index 7a593e1..3bd7239 100644 ---- a/src/main/modules.c -+++ b/src/main/modules.c -@@ -140,7 +140,7 @@ static int check_module_magic(CONF_SECTION *cs, module_t const *module) - return 0; - } - --lt_dlhandle lt_dlopenext(char const *name) -+fr_dlhandle fr_dlopenext(char const *name) - { - int flags = RTLD_NOW; - void *handle; -@@ -224,19 +224,19 @@ lt_dlhandle lt_dlopenext(char const *name) 
- return dlopen(buffer, flags); - } - --void *lt_dlsym(lt_dlhandle handle, UNUSED char const *symbol) -+void *fr_dlsym(fr_dlhandle handle, UNUSED char const *symbol) - { - return dlsym(handle, symbol); - } - --int lt_dlclose(lt_dlhandle handle) -+int fr_dlclose(fr_dlhandle handle) - { - if (!handle) return 0; - - return dlclose(handle); - } - --char const *lt_dlerror(void) -+char const *fr_dlerror(void) - { - return dlerror(); - } -@@ -472,7 +472,7 @@ static module_entry_t *linkto_module(char const *module_name, - /* - * Keep the handle around so we can dlclose() it. - */ -- handle = lt_dlopenext(module_name); -+ handle = fr_dlopenext(module_name); - if (!handle) { - cf_log_err_cs(cs, - "Failed to link to module '%s': %s\n", -diff --git a/src/modules/rlm_eap/eap.c b/src/modules/rlm_eap/eap.c -index be3e420..25316ea 100644 ---- a/src/modules/rlm_eap/eap.c -+++ b/src/modules/rlm_eap/eap.c -@@ -130,9 +130,9 @@ int eap_module_load(rlm_eap_t *inst, eap_module_t **m_inst, eap_type_t num, CONF - /* - * Link the loaded EAP-Type - */ -- method->handle = lt_dlopenext(mod_name); -+ method->handle = fr_dlopenext(mod_name); - if (!method->handle) { -- ERROR("rlm_eap (%s): Failed to link %s: %s", inst->xlat_name, mod_name, lt_dlerror()); -+ ERROR("rlm_eap (%s): Failed to link %s: %s", inst->xlat_name, mod_name, fr_dlerror()); - - return -1; - } -diff --git a/src/modules/rlm_eap/rlm_eap.h b/src/modules/rlm_eap/rlm_eap.h -index 409f104..17c452a 100644 ---- a/src/modules/rlm_eap/rlm_eap.h -+++ b/src/modules/rlm_eap/rlm_eap.h -@@ -36,7 +36,7 @@ RCSIDH(rlm_eap_h, "$Id$") - typedef struct eap_module { - char const *name; - rlm_eap_module_t *type; -- lt_dlhandle handle; -+ fr_dlhandle handle; - CONF_SECTION *cs; - void *instance; - } eap_module_t; -diff --git a/src/modules/rlm_sql/rlm_sql.c b/src/modules/rlm_sql/rlm_sql.c -index aaf2ed4..bee6758 100644 ---- a/src/modules/rlm_sql/rlm_sql.c -+++ b/src/modules/rlm_sql/rlm_sql.c -@@ -816,7 +816,7 @@ static int mod_instantiate(CONF_SECTION 
*conf, void *instance) - /* - * Load the appropriate driver for our database - */ -- inst->handle = lt_dlopenext(inst->config->sql_driver_name); -+ inst->handle = fr_dlopenext(inst->config->sql_driver_name); - if (!inst->handle) { - ERROR("Could not link driver %s: %s", - inst->config->sql_driver_name, --- -2.10.2 - diff --git a/SOURCES/freeradius-Resolve-to-all-families-on-ip_hton-fallback.patch b/SOURCES/freeradius-Resolve-to-all-families-on-ip_hton-fallback.patch deleted file mode 100644 index 3faba7a..0000000 --- a/SOURCES/freeradius-Resolve-to-all-families-on-ip_hton-fallback.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From a23dbf402ad466bf41c95da82e58dedc7b615f99 Mon Sep 17 00:00:00 2001 -From: Arran Cudbard-Bell -Date: Mon, 1 Dec 2014 14:15:45 -0500 -Subject: [PATCH 1/2] Resolve to all families on ip_hton fallback - -If we're doing fallback resolution we need to set the address family to -AF_UNSPEC to get both IPv6 and IPv4 addresses - -The af that was passed in, is then used to set the preference ---- - src/lib/misc.c | 25 +++++++++++++------------ - 1 file changed, 13 insertions(+), 12 deletions(-) - -diff --git a/src/lib/misc.c b/src/lib/misc.c -index d0ccd6c..ad27057 100644 ---- a/src/lib/misc.c -+++ b/src/lib/misc.c -@@ -845,7 +845,15 @@ int ip_hton(fr_ipaddr_t *out, int af, char const *hostname, bool fallback) - int rcode; - struct addrinfo hints, *ai = NULL, *alt = NULL, *res = NULL; - -+ /* -+ * Avoid malloc for IP addresses. This helps us debug -+ * memory errors when using talloc. -+ */ -+#ifdef TALLOC_DEBUG -+ if (true) { -+#else - if (!fr_hostname_lookups) { -+#endif - #ifdef HAVE_STRUCT_SOCKADDR_IN6 - if (af == AF_UNSPEC) { - char const *p; -@@ -872,22 +880,15 @@ int ip_hton(fr_ipaddr_t *out, int af, char const *hostname, bool fallback) - } - - memset(&hints, 0, sizeof(hints)); -- hints.ai_family = af; - --#ifdef TALLOC_DEBUG - /* -- * Avoid malloc for IP addresses. This helps us debug -- * memory errors when using talloc. -+ * If we're falling back we need both IPv4 and IPv6 records - */ -- if (af == AF_INET) { -- /* -- * If it's all numeric, avoid getaddrinfo() -- */ -- if (inet_pton(af, hostname, &out->ipaddr.ip4addr) == 1) { -- return 0; -- } -+ if (fallback) { -+ hints.ai_family = AF_UNSPEC; -+ } else { -+ hints.ai_family = af; - } --#endif - - if ((rcode = getaddrinfo(hostname, NULL, &hints, &res)) != 0) { - fr_strerror_printf("ip_hton: %s", gai_strerror(rcode)); --- -2.1.3 - diff --git a/SOURCES/freeradius-access-union-consistently.patch b/SOURCES/freeradius-access-union-consistently.patch deleted file mode 100644 index 5e65d6e..0000000 
--- a/SOURCES/freeradius-access-union-consistently.patch +++ /dev/null 
@@ -1,401 +0,0 @@ -From 5e8a69d547461c757abe2870ecbff2aa7a1fea55 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Wed, 1 Oct 2014 11:51:51 -0400 -Subject: [PATCH 2/4] Access union value_data members consistently - -Use the same, appropriate union value_data member for each access of -BOOLEAN, BYTE and SHORT PW_TYPEs, without assuming they're -interchangeable with "integer", as that is only true on little-endian -architectures. - -This fixes at least this wimax unit test failure on s390x and ppc64: - - Mismatch in line 11 of src/tests/unit/wimax.txt, got: 1a 0c 00 00 60 b5 01 06 00 02 03 00 expected: 1a 0c 00 00 60 b5 01 06 00 02 03 01 ---- - src/lib/print.c | 56 ++++++++++++------ - src/lib/radius.c | 8 +-- - src/lib/valuepair.c | 83 +++++++++++++++++++-------- - src/main/evaluate.c | 4 +- - src/main/valuepair.c | 4 ++ - src/main/xlat.c | 4 +- - src/modules/rlm_couchbase/mod.c | 17 +++++- - src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c | 4 +- - 8 files changed, 128 insertions(+), 52 deletions(-) - -diff --git a/src/lib/print.c b/src/lib/print.c -index 67263bc..fc1ae42 100644 ---- a/src/lib/print.c -+++ b/src/lib/print.c -@@ -314,6 +314,7 @@ size_t vp_data_prints_value(char *out, size_t outlen, - char const *a = NULL; - time_t t; - struct tm s_tm; -+ unsigned int i; - - size_t len = 0, freespace = outlen; - -@@ -365,15 +366,24 @@ size_t vp_data_prints_value(char *out, size_t outlen, - return fr_print_string(data->strvalue, data_len, out, outlen); - - case PW_TYPE_INTEGER: -- case PW_TYPE_BYTE: -+ i = data->integer; -+ goto print_int; -+ - case PW_TYPE_SHORT: -+ i = data->ushort; -+ goto print_int; -+ -+ case PW_TYPE_BYTE: -+ i = data->byte; -+ -+print_int: - /* Normal, non-tagged attribute */ -- if ((v = dict_valbyattr(da->attr, da->vendor, data->integer)) != NULL) { -+ if ((v = dict_valbyattr(da->attr, da->vendor, i)) != NULL) { - a = v->name; - len = strlen(a); - } else { - /* should never be truncated */ -- len = snprintf(buf, sizeof(buf), "%u", 
data->integer); -+ len = snprintf(buf, sizeof(buf), "%u", i); - a = buf; - } - break; -@@ -590,12 +600,20 @@ size_t vp_prints_value_json(char *out, size_t outlen, VALUE_PAIR const *vp) - if (!vp->da->flags.has_tag) { - switch (vp->da->type) { - case PW_TYPE_INTEGER: -- case PW_TYPE_BYTE: -- case PW_TYPE_SHORT: - if (vp->da->flags.has_value) break; - - return snprintf(out, freespace, "%u", vp->vp_integer); - -+ case PW_TYPE_SHORT: -+ if (vp->da->flags.has_value) break; -+ -+ return snprintf(out, freespace, "%u", (unsigned int) vp->vp_short); -+ -+ case PW_TYPE_BYTE: -+ if (vp->da->flags.has_value) break; -+ -+ return snprintf(out, freespace, "%u", (unsigned int) vp->vp_byte); -+ - case PW_TYPE_SIGNED: - return snprintf(out, freespace, "%d", vp->vp_signed); - -@@ -834,6 +852,8 @@ void vp_printlist(FILE *fp, VALUE_PAIR const *vp) - char *vp_aprint_value(TALLOC_CTX *ctx, VALUE_PAIR const *vp, bool escape) - { - char *p; -+ unsigned int i; -+ DICT_VALUE const *dv; - - switch (vp->da->type) { - case PW_TYPE_STRING: -@@ -860,19 +880,23 @@ char *vp_aprint_value(TALLOC_CTX *ctx, VALUE_PAIR const *vp, bool escape) - break; - } - -- case PW_TYPE_BYTE: -- case PW_TYPE_SHORT: - case PW_TYPE_INTEGER: -- { -- DICT_VALUE *dv; -+ i = vp->vp_integer; -+ goto print_int; - -- dv = dict_valbyattr(vp->da->attr, vp->da->vendor, -- vp->vp_integer); -- if (dv) { -- p = talloc_typed_strdup(ctx, dv->name); -- } else { -- p = talloc_typed_asprintf(ctx, "%u", vp->vp_integer); -- } -+ case PW_TYPE_SHORT: -+ i = vp->vp_short; -+ goto print_int; -+ -+ case PW_TYPE_BYTE: -+ i = vp->vp_byte; -+ -+ print_int: -+ dv = dict_valbyattr(vp->da->attr, vp->da->vendor, i); -+ if (dv) { -+ p = talloc_typed_strdup(ctx, dv->name); -+ } else { -+ p = talloc_typed_asprintf(ctx, "%u", i); - } - break; - -diff --git a/src/lib/radius.c b/src/lib/radius.c -index 0a40682..aabc545 100644 ---- a/src/lib/radius.c -+++ b/src/lib/radius.c -@@ -3984,18 +3984,18 @@ ssize_t rad_vp2data(uint8_t const **out, VALUE_PAIR const 
*vp) - } - - case PW_TYPE_BOOLEAN: -- buffer[0] = vp->vp_integer & 0x01; -+ buffer[0] = vp->vp_byte & 0x01; - *out = buffer; - break; - - case PW_TYPE_BYTE: -- buffer[0] = vp->vp_integer & 0xff; -+ buffer[0] = vp->vp_byte & 0xff; - *out = buffer; - break; - - case PW_TYPE_SHORT: -- buffer[0] = (vp->vp_integer >> 8) & 0xff; -- buffer[1] = vp->vp_integer & 0xff; -+ buffer[0] = (vp->vp_short >> 8) & 0xff; -+ buffer[1] = vp->vp_short & 0xff; - *out = buffer; - break; - -diff --git a/src/lib/valuepair.c b/src/lib/valuepair.c -index 9dcae70..7d6ee88 100644 ---- a/src/lib/valuepair.c -+++ b/src/lib/valuepair.c -@@ -1369,65 +1369,100 @@ int pairparsevalue(VALUE_PAIR *vp, char const *value, size_t inlen) - case PW_TYPE_BYTE: - { - char *p; -- vp->length = 1; -+ unsigned int i; - - /* - * Note that ALL integers are unsigned! - */ -- vp->vp_integer = fr_strtoul(value, &p); -- if (!*p) { -- if (vp->vp_integer > 255) { -+ i = fr_strtoul(value, &p); -+ -+ /* -+ * Look for the named value for the given -+ * attribute. -+ */ -+ if (*p && !is_whitespace(p)) { -+ if ((dval = dict_valbyname(vp->da->attr, vp->da->vendor, value)) == NULL) { -+ fr_strerror_printf("Unknown value '%s' for attribute '%s'", value, vp->da->name); -+ return -1; -+ } -+ -+ vp->vp_byte = dval->value; -+ } else { -+ if (i > 255) { - fr_strerror_printf("Byte value \"%s\" is larger than 255", value); - return -1; - } -- break; -+ -+ vp->vp_byte = i; - } -- if (is_whitespace(p)) break; -+ -+ vp->length = 1; -+ break; - } -- goto check_for_value; - - case PW_TYPE_SHORT: - { - char *p; -+ unsigned int i; - - /* - * Note that ALL integers are unsigned! - */ -- vp->vp_integer = fr_strtoul(value, &p); -- vp->length = 2; -- if (!*p) { -- if (vp->vp_integer > 65535) { -- fr_strerror_printf("Byte value \"%s\" is larger than 65535", value); -+ i = fr_strtoul(value, &p); -+ -+ /* -+ * Look for the named value for the given -+ * attribute. 
-+ */ -+ if (*p && !is_whitespace(p)) { -+ if ((dval = dict_valbyname(vp->da->attr, vp->da->vendor, value)) == NULL) { -+ fr_strerror_printf("Unknown value '%s' for attribute '%s'", value, vp->da->name); - return -1; - } -- break; -+ -+ vp->vp_short = dval->value; -+ } else { -+ if (i > 65535) { -+ fr_strerror_printf("Short value \"%s\" is larger than 65535", value); -+ return -1; -+ } -+ -+ vp->vp_short = i; - } -- if (is_whitespace(p)) break; -+ -+ vp->length = 2; -+ break; - } -- goto check_for_value; - - case PW_TYPE_INTEGER: - { - char *p; -+ unsigned int i; - - /* - * Note that ALL integers are unsigned! - */ -- vp->vp_integer = fr_strtoul(value, &p); -- vp->length = 4; -- if (!*p) break; -- if (is_whitespace(p)) break; -+ i = fr_strtoul(value, &p); - -- check_for_value: - /* - * Look for the named value for the given - * attribute. - */ -- if ((dval = dict_valbyname(vp->da->attr, vp->da->vendor, value)) == NULL) { -- fr_strerror_printf("Unknown value '%s' for attribute '%s'", value, vp->da->name); -- return -1; -+ if (*p && !is_whitespace(p)) { -+ if ((dval = dict_valbyname(vp->da->attr, vp->da->vendor, value)) == NULL) { -+ fr_strerror_printf("Unknown value '%s' for attribute '%s'", value, vp->da->name); -+ return -1; -+ } -+ -+ vp->vp_integer = dval->value; -+ } else { -+ /* -+ * Value is always within the limits -+ */ -+ vp->vp_integer = i; - } -- vp->vp_integer = dval->value; -+ -+ vp->length = 4; - } - break; - -diff --git a/src/main/evaluate.c b/src/main/evaluate.c -index 5cf597d..a100c70 100644 ---- a/src/main/evaluate.c -+++ b/src/main/evaluate.c -@@ -485,11 +485,11 @@ static int do_cast_copy(VALUE_PAIR *dst, VALUE_PAIR const *src) - break; - - case PW_TYPE_SHORT: -- dst->vp_integer = ntohs(*(uint16_t const *) src->vp_octets); -+ dst->vp_short = ntohs(*(uint16_t const *) src->vp_octets); - break; - - case PW_TYPE_BYTE: -- dst->vp_integer = src->vp_octets[0]; -+ dst->vp_byte = src->vp_octets[0]; - break; - - default: -diff --git a/src/main/valuepair.c 
b/src/main/valuepair.c -index dc2bfc7..2dd517a 100644 ---- a/src/main/valuepair.c -+++ b/src/main/valuepair.c -@@ -180,7 +180,11 @@ int radius_compare_vps(UNUSED REQUEST *request, VALUE_PAIR *check, VALUE_PAIR *v - break; - - case PW_TYPE_BYTE: -+ ret = vp->vp_byte - check->vp_byte; -+ break; - case PW_TYPE_SHORT: -+ ret = vp->vp_short - check->vp_short; -+ break; - case PW_TYPE_INTEGER: - ret = vp->vp_integer - check->vp_integer; - break; -diff --git a/src/main/xlat.c b/src/main/xlat.c -index f2c8aff..a069919 100644 ---- a/src/main/xlat.c -+++ b/src/main/xlat.c -@@ -177,9 +177,11 @@ static ssize_t xlat_integer(UNUSED void *instance, REQUEST *request, - - case PW_TYPE_INTEGER: - case PW_TYPE_DATE: -+ return snprintf(out, outlen, "%u", vp->vp_integer); - case PW_TYPE_BYTE: -+ return snprintf(out, outlen, "%u", (unsigned int) vp->vp_byte); - case PW_TYPE_SHORT: -- return snprintf(out, outlen, "%u", vp->vp_integer); -+ return snprintf(out, outlen, "%u", (unsigned int) vp->vp_short); - - /* - * Ethernet is weird... 
It's network related, so we assume to it should be -diff --git a/src/modules/rlm_couchbase/mod.c b/src/modules/rlm_couchbase/mod.c -index cc14677..36406a0 100644 ---- a/src/modules/rlm_couchbase/mod.c -+++ b/src/modules/rlm_couchbase/mod.c -@@ -296,22 +296,33 @@ json_object *mod_value_pair_to_json_object(REQUEST *request, VALUE_PAIR *vp) - - /* add this attribute/value pair to our json output */ - if (!vp->da->flags.has_tag) { -+ unsigned int i; -+ - switch (vp->da->type) { - case PW_TYPE_INTEGER: -- case PW_TYPE_BYTE: -+ i = vp->vp_integer; -+ goto print_int; -+ - case PW_TYPE_SHORT: -+ i = vp->vp_short; -+ goto print_int; -+ -+ case PW_TYPE_BYTE: -+ i = vp->vp_byte; -+ -+ print_int: - /* skip if we have flags */ - if (vp->da->flags.has_value) break; - #ifdef HAVE_JSON_OBJECT_NEW_INT64 - /* debug */ - RDEBUG3("creating new int64 for unsigned 32 bit int/byte/short '%s'", vp->da->name); - /* return as 64 bit int - JSON spec does not support unsigned ints */ -- return json_object_new_int64(vp->vp_integer); -+ return json_object_new_int64(i); - #else - /* debug */ - RDEBUG3("creating new int for unsigned 32 bit int/byte/short '%s'", vp->da->name); - /* return as 64 bit int - JSON spec does not support unsigned ints */ -- return json_object_new_int(vp->vp_integer); -+ return json_object_new_int(i); - #endif - break; - case PW_TYPE_SIGNED: -diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c -index 152f4ca..55e8e14 100644 ---- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c -+++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c -@@ -325,12 +325,12 @@ static VALUE_PAIR *diameter2vp(REQUEST *request, REQUEST *fake, SSL *ssl, - - case PW_TYPE_BYTE: - if (size != vp->length) goto raw; -- vp->vp_integer = data[0]; -+ vp->vp_byte = data[0]; - break; - - case PW_TYPE_SHORT: - if (size != vp->length) goto raw; -- vp->vp_integer = (data[0] * 256) + data[1]; -+ vp->vp_short = (data[0] * 256) + data[1]; - break; - - case 
PW_TYPE_SIGNED: --- -2.1.0 - diff --git a/SOURCES/freeradius-add-P-option-to-radtest-synopsis.patch b/SOURCES/freeradius-add-P-option-to-radtest-synopsis.patch deleted file mode 100644 index eadcf33..0000000 --- a/SOURCES/freeradius-add-P-option-to-radtest-synopsis.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 50d13805262202627e0a8494508202d21a86c18b Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Mon, 27 Oct 2014 16:24:09 +0200 -Subject: [PATCH 2/2] man: Add -P option to radtest synopsis - -Add "-P" option to radtest's manpage SYNOPSIS to make it match the -OPTIONS section. ---- - man/man1/radtest.1 | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/man/man1/radtest.1 b/man/man1/radtest.1 -index 587870c..b318477 100644 ---- a/man/man1/radtest.1 -+++ b/man/man1/radtest.1 -@@ -5,6 +5,8 @@ radtest - send packets to a RADIUS server, show reply - .B radtest - .RB [ \-d - .IR raddb_directory ] -+.RB [ \-P -+.IR tcp/udp ] - .RB [ \-t - .IR pap/chap/mschap/eap-md5 ] - .RB [ \-x --- -2.1.1 - diff --git a/SOURCES/freeradius-add-disable-openssl-version-check.patch b/SOURCES/freeradius-add-disable-openssl-version-check.patch deleted file mode 100644 index ec5a92e..0000000 --- a/SOURCES/freeradius-add-disable-openssl-version-check.patch +++ /dev/null 
@@ -1,258 +0,0 @@ -From 10636fbfd51320c8ca8b40651bf3e959211ca921 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Tue, 21 Oct 2014 18:30:05 +0300 -Subject: [PATCH 1/1] Add --disable-openssl-version-check option - -Add "--disable-openssl-version-check" configure option, which removes -checking for vulnerable OpenSSL versions. It is supposed to be used by -downstream packagers and distributions who have other means to ensure -vulnerabilities are fixed, such as versioned package dependencies and -vulnerability handling processes. - -This avoids the necessity of editing radiusd.conf on package upgrade to -make sure it keeps working. At the same time, it provides safe default -to those installing FreeRADIUS from source. ---- - configure | 30 ++++++++++++++++++++++++++++++ - configure.ac | 26 ++++++++++++++++++++++++++ - raddb/radiusd.conf.in | 10 +--------- - src/include/autoconf.h.in | 3 +++ - src/include/radiusd.h | 2 ++ - src/include/tls-h | 2 ++ - src/main/mainconfig.c | 2 ++ - src/main/radiusd.c | 2 ++ - src/main/tls.c | 4 ++++ - 9 files changed, 72 insertions(+), 9 deletions(-) - -diff --git a/configure b/configure -index 1b54efd..addfeba 100755 ---- a/configure -+++ b/configure -@@ -652,6 +652,7 @@ RUSERS - SNMPWALK - SNMPGET - PERL -+openssl_version_check_config - modconfdir - dictdir - raddbdir -@@ -754,6 +755,7 @@ with_rlm_FOO_include_dir - with_openssl - with_openssl_lib_dir - with_openssl_include_dir -+enable_openssl_version_check - with_talloc_lib_dir - with_talloc_include_dir - with_pcap_lib_dir -@@ -1396,6 +1398,9 @@ Optional Features: - --disable-largefile omit support for large files - --enable-strict-dependencies fail configure on lack of module dependancy. - --enable-werror causes the build to fail if any warnings are generated. 
-+ --disable-openssl-version-check -+ disable vulnerable OpenSSL version check -+ - - Optional Packages: - --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] -@@ -5430,6 +5435,31 @@ if test "${with_openssl_include_dir+set}" = set; then : - fi - - -+# Check whether --enable-openssl-version-check was given. -+if test "${enable_openssl_version_check+set}" = set; then : -+ enableval=$enable_openssl_version_check; -+fi -+ -+if test "x$enable_openssl_version_check" != "xno"; then -+ -+$as_echo "#define ENABLE_OPENSSL_VERSION_CHECK 1" >>confdefs.h -+ -+ openssl_version_check_config="\ -+ # -+ # allow_vulnerable_openssl: Allow the server to start with -+ # versions of OpenSSL known to have critical vulnerabilities. -+ # -+ # This check is based on the version number reported by libssl -+ # and may not reflect patches applied to libssl by -+ # distribution maintainers. -+ # -+ allow_vulnerable_openssl = no" -+else -+ openssl_version_check_config= -+fi -+ -+ -+ - - CHECKRAD=checkrad - # Extract the first word of "perl", so it can be a program name with args. -diff --git a/configure.ac b/configure.ac -index 30b226b..b223505 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -576,6 +576,32 @@ AC_ARG_WITH(openssl-include-dir, - esac ] - ) - -+dnl # -+dnl # extra argument: --disable-openssl-version-check -+dnl # -+AC_ARG_ENABLE(openssl-version-check, -+[AS_HELP_STRING([--disable-openssl-version-check], -+ [disable vulnerable OpenSSL version check])] -+) -+if test "x$enable_openssl_version_check" != "xno"; then -+ AC_DEFINE(ENABLE_OPENSSL_VERSION_CHECK, [1], -+ [Define to 1 to have OpenSSL version check enabled]) -+ openssl_version_check_config="\ -+ # -+ # allow_vulnerable_openssl: Allow the server to start with -+ # versions of OpenSSL known to have critical vulnerabilities. -+ # -+ # This check is based on the version number reported by libssl -+ # and may not reflect patches applied to libssl by -+ # distribution maintainers. 
-+ # -+ allow_vulnerable_openssl = no" -+else -+ openssl_version_check_config= -+fi -+AC_SUBST([openssl_version_check_config]) -+ -+ - dnl ############################################################# - dnl # - dnl # 1. Checks for programs -diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in -index 307ae10..0e1ff46 100644 ---- a/raddb/radiusd.conf.in -+++ b/raddb/radiusd.conf.in -@@ -475,15 +475,7 @@ security { - # - status_server = yes - -- # -- # allow_vulnerable_openssl: Allow the server to start with -- # versions of OpenSSL known to have critical vulnerabilities. -- # -- # This check is based on the version number reported by libssl -- # and may not reflect patches applied to libssl by -- # distribution maintainers. -- # -- allow_vulnerable_openssl = no -+@openssl_version_check_config@ - } - - # PROXY CONFIGURATION -diff --git a/src/include/autoconf.h.in b/src/include/autoconf.h.in -index c313bca..f500049 100644 ---- a/src/include/autoconf.h.in -+++ b/src/include/autoconf.h.in -@@ -9,6 +9,9 @@ - /* style of ctime_r function */ - #undef CTIMERSTYLE - -+/* Define to 1 to have OpenSSL version check enabled */ -+#undef ENABLE_OPENSSL_VERSION_CHECK -+ - /* style of gethostbyaddr_r functions */ - #undef GETHOSTBYADDRRSTYLE - -diff --git a/src/include/radiusd.h b/src/include/radiusd.h -index ebe3a21..1ec6959 100644 ---- a/src/include/radiusd.h -+++ b/src/include/radiusd.h -@@ -437,7 +437,9 @@ typedef struct main_config_t { - #endif - uint32_t reject_delay; - bool status_server; -+#ifdef ENABLE_OPENSSL_VERSION_CHECK - char const *allow_vulnerable_openssl; -+#endif - - uint32_t max_request_time; - uint32_t cleanup_delay; -diff --git a/src/include/tls-h b/src/include/tls-h -index ade93d5..1418ea2 100644 ---- a/src/include/tls-h -+++ b/src/include/tls-h -@@ -295,7 +295,9 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx); - - /* TLS */ - void tls_global_init(void); -+#ifdef ENABLE_OPENSSL_VERSION_CHECK - int tls_global_version_check(char const *acknowledged); 
-+#endif - void tls_global_cleanup(void); - tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQUEST *request, bool client_cert); - tls_session_t *tls_new_client_session(fr_tls_server_conf_t *conf, int fd); -diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c -index cf1eea5..76979ad 100644 ---- a/src/main/mainconfig.c -+++ b/src/main/mainconfig.c -@@ -99,7 +99,9 @@ static const CONF_PARSER security_config[] = { - { "max_attributes", FR_CONF_POINTER(PW_TYPE_INTEGER, &fr_max_attributes), STRINGIFY(0) }, - { "reject_delay", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.reject_delay), STRINGIFY(0) }, - { "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"}, -+#ifdef ENABLE_OPENSSL_VERSION_CHECK - { "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"}, -+#endif - { NULL, -1, 0, NULL, NULL } - }; - -diff --git a/src/main/radiusd.c b/src/main/radiusd.c -index 620d7d4..fe8057d 100644 ---- a/src/main/radiusd.c -+++ b/src/main/radiusd.c -@@ -359,10 +359,12 @@ int main(int argc, char *argv[]) - - /* Check for vulnerabilities in the version of libssl were linked against */ - #ifdef HAVE_OPENSSL_CRYPTO_H -+#ifdef ENABLE_OPENSSL_VERSION_CHECK - if (tls_global_version_check(main_config.allow_vulnerable_openssl) < 0) { - exit(EXIT_FAILURE); - } - #endif -+#endif - - /* - * Load the modules -diff --git a/src/main/tls.c b/src/main/tls.c -index 542ce69..42b538c 100644 ---- a/src/main/tls.c -+++ b/src/main/tls.c -@@ -51,6 +51,7 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ - #include - #endif - -+#ifdef ENABLE_OPENSSL_VERSION_CHECK - typedef struct libssl_defect { - uint64_t high; - uint64_t low; -@@ -71,6 +72,7 @@ static libssl_defect_t libssl_defects[] = - .comment = "For more information see http://heartbleed.com" - } - }; -+#endif - - /* record */ - static void record_init(record_t *buf); -@@ -2063,6 +2065,7 @@ void 
tls_global_init(void) - OPENSSL_config(NULL); - } - -+#ifdef ENABLE_OPENSSL_VERSION_CHECK - /** Check for vulnerable versions of libssl - * - * @param acknowledged The highest CVE number a user has confirmed is not present in the system's libssl. -@@ -2101,6 +2104,7 @@ int tls_global_version_check(char const *acknowledged) - - return 0; - } -+#endif - - /** Free any memory alloced by libssl - * --- -2.1.1 - diff --git a/SOURCES/freeradius-added-D-option-to-mirror-radclient.patch b/SOURCES/freeradius-added-D-option-to-mirror-radclient.patch deleted file mode 100644 index 1e14f15..0000000 --- a/SOURCES/freeradius-added-D-option-to-mirror-radclient.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 08700ea8b1f3a1ace01d294548f3ba2391cc06ab Mon Sep 17 00:00:00 2001 -From: "Alan T. DeKok" -Date: Sun, 2 Nov 2014 14:44:32 -0500 -Subject: [PATCH 1/1] Added -D option to mirror radclient - ---- - src/modules/proto_dhcp/dhcpclient.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/modules/proto_dhcp/dhcpclient.c b/src/modules/proto_dhcp/dhcpclient.c -index ac52ffd..3bce4b3 100644 ---- a/src/modules/proto_dhcp/dhcpclient.c -+++ b/src/modules/proto_dhcp/dhcpclient.c -@@ -73,6 +73,7 @@ static void NEVER_RETURNS usage(void) - - fprintf(stderr, " One of discover, request, offer, decline, release, inform.\n"); - fprintf(stderr, " -d Set the directory where the dictionaries are stored (defaults to " RADDBDIR ").\n"); -+ fprintf(stderr, " -D Set main dictionary directory (defaults to " DICTDIR ").\n"); - fprintf(stderr, " -f Read packets from file, not stdin.\n"); - fprintf(stderr, " -t Wait 'timeout' seconds for a reply (may be a floating point number).\n"); - fprintf(stderr, " -v Show program version information.\n"); -@@ -270,7 +271,11 @@ int main(int argc, char **argv) - - fr_debug_flag = 0; - -- while ((c = getopt(argc, argv, "d:f:hr:t:vx")) != EOF) switch(c) { -+ while ((c = getopt(argc, argv, "d:D:f:hr:t:vx")) != EOF) switch(c) { -+ case 'D': -+ dict_dir = optarg; -+ break; -+ - case 'd': - radius_dir = optarg; - break; --- -2.1.3 - diff --git a/SOURCES/freeradius-check-sizeof-packet-.-Found-by-PVS-Studio.patch b/SOURCES/freeradius-check-sizeof-packet-.-Found-by-PVS-Studio.patch new file mode 100644 index 0000000..fe9348b --- /dev/null +++ b/SOURCES/freeradius-check-sizeof-packet-.-Found-by-PVS-Studio.patch 
@@ -0,0 +1,28 @@
+From 815387fe1f5caa6fe517364ac0995df60695f339 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok"
+Date: Wed, 17 May 2017 12:03:46 -0400
+Subject: [PATCH] check sizeof(*packet). Found by PVS-Studio
+
+(cherry picked from commit ffa424d138611d2e7ed57b217a899d0c2009ae74)
+---
+ src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c
+index 9abae5c80..3c043f728 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c
++++ b/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c
+@@ -386,8 +386,8 @@ static int mod_process(void *arg, eap_handler_t *handler)
+ }
+
+ packet = (pwd_id_packet_t *) in;
+- if (in_len < sizeof(packet)) {
+- RDEBUG("Packet is too small (%zd < %zd).", in_len, sizeof(packet));
++ if (in_len < sizeof(*packet)) {
++ RDEBUG("Packet is too small (%zd < %zd).", in_len, sizeof(*packet));
+ return 0;
+ }
+
+--
+2.11.0
+
diff --git a/SOURCES/freeradius-connection-fall-through-to-global-module-triggers.patch b/SOURCES/freeradius-connection-fall-through-to-global-module-triggers.patch
deleted file mode 100644
index a2c1156..0000000
--- a/SOURCES/freeradius-connection-fall-through-to-global-module-triggers.patch
+++ /dev/null
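Review bot: The corrected RDEBUG line in the rlm_eap_pwd hunk still formats `sizeof(*packet)` with `%zd`, but `sizeof` yields a `size_t`, so the matching specifier is `%zu`; if `in_len` is also a `size_t` (its declaration is outside the hunk) the line should read `RDEBUG("Packet is too small (%zu < %zu).", in_len, sizeof(*packet));`. The switch from `sizeof(packet)` to `sizeof(*packet)` is the right fix, since the old test only required the pointer size and let a truncated header through to the field reads that follow. Note that this guard bounds only the fixed part of `pwd_id_packet_t`; if the structure carries a trailing variable-length field, the code that consumes it must bound that against `in_len` separately — worth confirming, as mod_process begins and continues outside the hunk.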
@@ -1,280 +0,0 @@ -From 132992fe92d53d62499d8c4672feafe210efc573 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Fri, 24 Oct 2014 14:37:11 +0300 -Subject: [PATCH 4/4] connection: Fall through to global module triggers - -Make module connection pool triggers use global module trigger -configuration, if there is no "trigger" section in the pool section. - -Use fully-qualified module-specific trigger names for module-specific -connection pools in connection.c. - -E.g. trigger "modules.ldap.open", instead of just "open" for pools -initialized with fr_connection_pool_module_init, being passed "ldap" -config section. - -Send triggers even if the pool has no "trigger" section. - -This makes exec_trigger fall through to global module triggers, if the -pool configuration doesn't have the "trigger" section. ---- - src/include/connection.h | 3 +- - src/main/connection.c | 81 ++++++++++++++++++++++++++++++------------------ - 2 files changed, 53 insertions(+), 31 deletions(-) - -diff --git a/src/include/connection.h b/src/include/connection.h -index e3752d5..eaf44e8 100644 ---- a/src/include/connection.h -+++ b/src/include/connection.h -@@ -81,7 +81,8 @@ fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent, - void *opaque, - fr_connection_create_t c, - fr_connection_alive_t a, -- char const *prefix); -+ char const *log_prefix, -+ char const *trigger_prefix); - void fr_connection_pool_delete(fr_connection_pool_t *pool); - - void *fr_connection_get(fr_connection_pool_t *pool); -diff --git a/src/main/connection.c b/src/main/connection.c -index 5f0c8f6..aec4f9d 100644 ---- a/src/main/connection.c -+++ b/src/main/connection.c -@@ -110,10 +110,6 @@ struct fr_connection_pool_t { - uint32_t idle_timeout; //!< How long a connection can be idle - //!< before being closed. - -- bool trigger; //!< If true execute connection triggers -- //!< associated with the connection -- //!< pool. 
-- - bool spread; //!< If true requests will be spread - //!< across all connections, instead of - //!< re-using the most recently used -@@ -158,6 +154,11 @@ struct fr_connection_pool_t { - //!< messages created by the connection - //!< pool code. - -+ char const *trigger_prefix; //!< Prefix to prepend to -+ //!< names of all triggers -+ //!< fired by the connection -+ //!< pool code. -+ - fr_connection_create_t create; //!< Function used to create new - //!< connections. - fr_connection_alive_t alive; //!< Function used to check status -@@ -271,6 +272,20 @@ static void fr_connection_link_tail(fr_connection_pool_t *pool, - } - } - -+/** Send a connection pool trigger. -+ * -+ * @param[in] pool to send trigger for. -+ * @param[in] name_suffix trigger name suffix. -+ */ -+static void fr_connection_exec_trigger(fr_connection_pool_t *pool, -+ char const *name_suffix) -+{ -+ char name[64]; -+ rad_assert(pool != NULL); -+ rad_assert(name_suffix != NULL); -+ snprintf(name, sizeof(name), "%s%s", pool->trigger_prefix, name_suffix); -+ exec_trigger(NULL, pool->cs, name, true); -+} - - /** Spawns a new connection - * -@@ -403,7 +418,7 @@ static fr_connection_t *fr_connection_spawn(fr_connection_pool_t *pool, - - pthread_mutex_unlock(&pool->mutex); - -- if (pool->trigger) exec_trigger(NULL, pool->cs, "open", true); -+ fr_connection_exec_trigger(pool, "open"); - - return this; - } -@@ -436,7 +451,7 @@ static void fr_connection_close(fr_connection_pool_t *pool, - pool->active--; - } - -- if (pool->trigger) exec_trigger(NULL, pool->cs, "close", true); -+ fr_connection_exec_trigger(pool, "close"); - - fr_connection_unlink(pool, this); - rad_assert(pool->num > 0); -@@ -542,7 +557,7 @@ void fr_connection_pool_delete(fr_connection_pool_t *pool) - fr_connection_close(pool, this); - } - -- if (pool->trigger) exec_trigger(NULL, pool->cs, "stop", true); -+ fr_connection_exec_trigger(pool, "stop"); - - rad_assert(pool->head == NULL); - rad_assert(pool->tail == NULL); -@@ -559,33 +574,36 
@@ void fr_connection_pool_delete(fr_connection_pool_t *pool) - * @param[in] opaque data pointer to pass to callbacks. - * @param[in] c Callback to create new connections. - * @param[in] a Callback to check the status of connections. -- * @param[in] prefix override, if NULL will be set automatically from the module CONF_SECTION. -+ * @param[in] log_prefix override, if NULL will be set automatically from the module CONF_SECTION. - * @return A new connection pool or NULL on error. - */ - fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module, - void *opaque, - fr_connection_create_t c, - fr_connection_alive_t a, -- char const *prefix) -+ char const *log_prefix) - { - CONF_SECTION *cs, *mycs; - char buff[128]; -+ char trigger_prefix[64]; - - fr_connection_pool_t *pool; -+ char const *cs_name1, *cs_name2; - - int ret; - - #define CONNECTION_POOL_CF_KEY "connection_pool" - #define parent_name(_x) cf_section_name(cf_item_parent(cf_sectiontoitem(_x))) - -- if (!prefix) { -- char const *cs_name1, *cs_name2; -- cs_name1 = cf_section_name1(module); -- cs_name2 = cf_section_name2(module); -- if (!cs_name2) cs_name2 = cs_name1; -+ cs_name1 = cf_section_name1(module); -+ cs_name2 = cf_section_name2(module); -+ if (!cs_name2) cs_name2 = cs_name1; -+ -+ snprintf(trigger_prefix, sizeof(trigger_prefix), "modules.%s.", cs_name1); - -+ if (!log_prefix) { - snprintf(buff, sizeof(buff), "rlm_%s (%s)", cs_name1, cs_name2); -- prefix = buff; -+ log_prefix = buff; - } - - /* -@@ -597,11 +615,11 @@ fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module, - return NULL; - - case 1: -- DEBUG4("%s: Using pool section from \"%s\"", prefix, parent_name(cs)); -+ DEBUG4("%s: Using pool section from \"%s\"", log_prefix, parent_name(cs)); - break; - - case 0: -- DEBUG4("%s: Using local pool section", prefix); -+ DEBUG4("%s: Using local pool section", log_prefix); - break; - } - -@@ -610,7 +628,7 @@ fr_connection_pool_t 
*fr_connection_pool_module_init(CONF_SECTION *module, - */ - mycs = cf_section_sub_find(module, "pool"); - if (!mycs) { -- DEBUG4("%s: Adding pool section to \"%s\" to store pool references", prefix, -+ DEBUG4("%s: Adding pool section to \"%s\" to store pool references", log_prefix, - cf_section_name(module)); - - mycs = cf_section_alloc(module, "pool", NULL); -@@ -622,7 +640,7 @@ fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module, - * Use our own local pool. - */ - if (!cs) { -- DEBUG4("%s: \"%s.pool\" section not found, using \"%s.pool\"", prefix, -+ DEBUG4("%s: \"%s.pool\" section not found, using \"%s.pool\"", log_prefix, - parent_name(cs), parent_name(mycs)); - cs = mycs; - } -@@ -636,16 +654,16 @@ fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module, - */ - pool = cf_data_find(cs, CONNECTION_POOL_CF_KEY); - if (!pool) { -- DEBUG4("%s: No pool reference found in \"%s.pool\"", prefix, parent_name(cs)); -- pool = fr_connection_pool_init(module, cs, opaque, c, a, prefix); -+ DEBUG4("%s: No pool reference found in \"%s.pool\"", log_prefix, parent_name(cs)); -+ pool = fr_connection_pool_init(module, cs, opaque, c, a, log_prefix, trigger_prefix); - if (!pool) return NULL; - -- DEBUG4("%s: Adding pool reference %p to \"%s.pool\"", prefix, pool, parent_name(cs)); -+ DEBUG4("%s: Adding pool reference %p to \"%s.pool\"", log_prefix, pool, parent_name(cs)); - cf_data_add(cs, CONNECTION_POOL_CF_KEY, pool, NULL); - return pool; - } - -- DEBUG4("%s: Found pool reference %p in \"%s.pool\"", prefix, pool, parent_name(cs)); -+ DEBUG4("%s: Found pool reference %p in \"%s.pool\"", log_prefix, pool, parent_name(cs)); - - /* - * We're reusing pool data add it to our local config -@@ -653,7 +671,7 @@ fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module, - * re-use a pool through this module. 
- */ - if (mycs != cs) { -- DEBUG4("%s: Copying pool reference %p from \"%s.pool\" to \"%s.pool\"", prefix, pool, -+ DEBUG4("%s: Copying pool reference %p from \"%s.pool\" to \"%s.pool\"", log_prefix, pool, - parent_name(cs), parent_name(mycs)); - cf_data_add(mycs, CONNECTION_POOL_CF_KEY, pool, NULL); - } -@@ -676,7 +694,8 @@ fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module, - * @param[in] opaque data pointer to pass to callbacks. - * @param[in] c Callback to create new connections. - * @param[in] a Callback to check the status of connections. -- * @param[in] prefix to prepend to all log messages. -+ * @param[in] log_prefix prefix to prepend to all log messages. -+ * @param[in] trigger_prefix prefix to prepend to all trigger names. - * @return A new connection pool or NULL on error. - */ - fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent, -@@ -684,7 +703,8 @@ fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent, - void *opaque, - fr_connection_create_t c, - fr_connection_alive_t a, -- char const *prefix) -+ char const *log_prefix, -+ char const *trigger_prefix) - { - uint32_t i; - fr_connection_pool_t *pool; -@@ -720,7 +740,9 @@ fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent, - - pool->head = pool->tail = NULL; - -- pool->log_prefix = prefix ? talloc_typed_strdup(pool, prefix) : "core"; -+ pool->log_prefix = log_prefix ? talloc_typed_strdup(pool, log_prefix) : "core"; -+ pool->trigger_prefix = trigger_prefix ? 
-+ talloc_typed_strdup(pool, trigger_prefix) : ""; - - #ifdef HAVE_PTHREAD_H - pthread_mutex_init(&pool->mutex, NULL); -@@ -729,7 +751,6 @@ fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent, - DEBUG("%s: Initialising connection pool", pool->log_prefix); - - if (cf_section_parse(cs, pool, connection_config) < 0) goto error; -- if (cf_section_sub_find(cs, "trigger")) pool->trigger = true; - - /* - * Some simple limits -@@ -780,7 +801,7 @@ fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent, - } - } - -- if (pool->trigger) exec_trigger(NULL, pool->cs, "start", true); -+ fr_connection_exec_trigger(pool, "start"); - - return pool; - } -@@ -1222,7 +1243,7 @@ void *fr_connection_reconnect(fr_connection_pool_t *pool, void *conn) - return NULL; - } - -- if (pool->trigger) exec_trigger(NULL, pool->cs, "close", true); -+ fr_connection_exec_trigger(pool, "close"); - this->connection = new_conn; - pthread_mutex_unlock(&pool->mutex); - --- -2.1.1 - diff --git a/SOURCES/freeradius-dhcpclient-Add-a-short-description-to-help-output.patch b/SOURCES/freeradius-dhcpclient-Add-a-short-description-to-help-output.patch deleted file mode 100644 index 379c590..0000000 --- a/SOURCES/freeradius-dhcpclient-Add-a-short-description-to-help-output.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 313d551547efa8493741ef1344e0629aab04dd70 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Fri, 5 Dec 2014 15:07:59 +0200 -Subject: [PATCH 3/3] dhcpclient: Add a short description to help output - -Add a short description of the program's function to the help output of -dhcpclient. ---- - src/modules/proto_dhcp/dhcpclient.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/modules/proto_dhcp/dhcpclient.c b/src/modules/proto_dhcp/dhcpclient.c -index 64debfe..5677588 100644 ---- a/src/modules/proto_dhcp/dhcpclient.c -+++ b/src/modules/proto_dhcp/dhcpclient.c -@@ -70,6 +70,7 @@ char const *dhcpclient_version = "dhcpclient version " RADIUSD_VERSION_STRING - static void NEVER_RETURNS usage(void) - { - fprintf(stderr, "Usage: dhcpclient [options] server[:port] \n"); -+ fprintf(stderr, "Send a DHCP request with provided RADIUS attrs and output response.\n"); - - fprintf(stderr, " One of discover, request, offer, decline, release, inform.\n"); - fprintf(stderr, " -d Set the directory where the dictionaries are stored (defaults to " RADDBDIR ").\n"); --- -2.1.3 - diff --git a/SOURCES/freeradius-disable-internal-OpenSSL-cache.patch b/SOURCES/freeradius-disable-internal-OpenSSL-cache.patch index 9268392..ab3cd83 100644 --- a/SOURCES/freeradius-disable-internal-OpenSSL-cache.patch +++ b/SOURCES/freeradius-disable-internal-OpenSSL-cache.patch @@ -1,43 +1,44 @@ -From c76016d3b8051f8e4f55cd547d29d4ac9ec33062 Mon Sep 17 00:00:00 2001 +From 4dd1bad726e993bcd43f16312acaf95596d35680 Mon Sep 17 00:00:00 2001 
From: "Alan T. DeKok" Date: Mon, 8 May 2017 16:38:56 -0400 Subject: [PATCH] disable internal OpenSSL cache (cherry picked from commit af030bd4e19c9149e2ffd898ad0c4dfde78c29be) --- - raddb/mods-available/eap | 18 ++++++++---------- - raddb/sites-available/tls | 17 ++++++++--------- - src/main/tls.c | 4 ++-- - 3 files changed, 18 insertions(+), 21 deletions(-) + raddb/mods-available/eap | 18 ++++++++---------- + raddb/sites-available/abfab-tls | 3 ++- + raddb/sites-available/tls | 17 ++++++++--------- + src/main/tls.c | 4 ++-- + 4 files changed, 20 insertions(+), 22 deletions(-) diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap -index 95ef66619..e51860ac2 100644 +index 9659db1cd..bfbfe710e 100644 --- a/raddb/mods-available/eap 
+++ b/raddb/mods-available/eap -@@ -352,6 +352,13 @@ eap { - # Deleting the entire "cache" subsection - # also disables caching. +@@ -382,6 +382,13 @@ eap { + # Enable it. The default is "no". Deleting the entire "cache" + # subsection also disables caching. # -+ # As of version 3.0.4-8 (upstream 3.0.14), the ++ # As of version 3.0.13-4 (upstream 3.0.14), the + # session cache requires the use of the "name" and + # "persist_dir" configuration items, below. + # -+ # The internal OpenSSL session cache has been -+ # permanently disabled. ++ # The internal OpenSSL session cache has been permanently ++ # disabled. + # - # You can disallow resumption for a - # particular user by adding the following - # attribute to the control item list: -@@ -362,7 +369,7 @@ eap { - # enable resumption for just one user - # by setting the above attribute to "yes". + # You can disallow resumption for a particular user by adding the + # following attribute to the control item list: + # +@@ -390,7 +397,7 @@ eap { + # If "enable = no" below, you CANNOT enable resumption for just one + # user by setting the above attribute to "yes". # - enable = yes + enable = no # - # Lifetime of the cached entries, in hours. -@@ -372,15 +379,6 @@ eap { + # Lifetime of the cached entries, in hours. The sessions will be +@@ -399,15 +406,6 @@ eap { lifetime = 24 # hours # 
@@ -50,29 +51,43 @@ index 95ef66619..e51860ac2 100644 - max_entries = 255 - - # - # Internal "name" of the session cache. - # Used to distinguish which TLS context - # sessions belong to. + # Internal "name" of the session cache. Used to + # distinguish which TLS context sessions belong to. + # +diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls +index 79d74e6fc..5dbe143da 100644 +--- a/raddb/sites-available/abfab-tls ++++ b/raddb/sites-available/abfab-tls +@@ -24,7 +24,8 @@ listen { + cache { + enable = no + lifetime = 24 # hours +- max_entries = 255 ++ name = "abfab-tls" ++# persist_dir = ${logdir}/abfab-tls + } + + require_client_cert = yes diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls -index 1ba876745..df687584e 100644 +index c9555e1c7..eb39c659e 100644 --- a/raddb/sites-available/tls +++ b/raddb/sites-available/tls -@@ -231,6 +231,14 @@ listen { +@@ -239,6 +239,14 @@ listen { # Deleting the entire "cache" subsection # Also disables caching. # + # -+ # As of version 3.0.4-8 (upstream 3.0.14), the session ++ # As of version 3.0.13-4 (upstream 3.0.14), the session + # cache requires the use of the "name" and + # "persist_dir" configuration items, below. + # -+ # The internal OpenSSL session cache has been -+ # permanently disabled. ++ # The internal OpenSSL session cache has been permanently ++ # disabled. + # # You can disallow resumption for a # particular user by adding the following # attribute to the control item list: -@@ -251,15 +259,6 @@ listen { +@@ -259,15 +267,6 @@ listen { lifetime = 24 # hours # @@ -89,10 +104,10 @@ index 1ba876745..df687584e 100644 # Used to distinguish which TLS context # sessions belong to. diff --git a/src/main/tls.c b/src/main/tls.c -index 42b538c4c..b790d2dc1 100644 +index a72be2b63..e992062dc 100644 --- a/src/main/tls.c +++ b/src/main/tls.c -@@ -2489,9 +2489,9 @@ post_ca: +@@ -2937,9 +2937,9 @@ post_ca: } /* 
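Review bot: The abfab-tls hunk sets `name = "abfab-tls"` but leaves `# persist_dir = ${logdir}/abfab-tls` commented out, while the comment the same patch adds to the eap and tls hunks states that the session cache now requires both `name` and `persist_dir`. That is consistent only because `enable = no` sits two lines above; a reader enabling the cache later gets no hint that the commented line is mandatory, so a one-line note above it such as `# Required, together with "name", if "enable = yes" above.` would make the dependency explicit. Presumably that directory holds cached session state once enabled, so its ownership and permissions deserve a mention in the same comment — verify against the eap module documentation. The downstream release string `3.0.13-4` embedded in the raddb comments will also go stale on every rebase; naming only the upstream version would avoid touching these hunks each time.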
diff --git a/SOURCES/freeradius-dont-detach-after-perl_parse.patch b/SOURCES/freeradius-dont-detach-after-perl_parse.patch deleted file mode 100644 index f793945..0000000 --- a/SOURCES/freeradius-dont-detach-after-perl_parse.patch +++ /dev/null @@ -1,50 +0,0 @@ -From fa9b2cd01fb5dbe583f5063f611a45c9d033a54a Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Tue, 30 Sep 2014 16:19:47 +0300 -Subject: [PATCH 1/1] perl: Don't call detach after failed perl_parse - -Don't call "detach" callback in rlm_perl, if perl_parse of the Perl -module failed. - -This fixes segfault when the module file cannot be read: - - Can't open perl script "/etc/raddb/mods-config/perl/example.pl": Permission denied - rlm_perl: perl_parse failed: /etc/raddb/mods-config/perl/example.pl not found or has syntax errors. - /etc/raddb/mods-enabled/perl[7]: Instantiation failed for module "perl" - Segmentation fault ---- - src/modules/rlm_perl/rlm_perl.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/modules/rlm_perl/rlm_perl.c b/src/modules/rlm_perl/rlm_perl.c -index d423524..039d7c8 100644 ---- a/src/modules/rlm_perl/rlm_perl.c -+++ b/src/modules/rlm_perl/rlm_perl.c -@@ -73,6 +73,7 @@ typedef struct rlm_perl_t { - char const *xlat_name; - char const *perl_flags; - PerlInterpreter *perl; -+ bool perl_parsed; - pthread_key_t *thread_key; - - #ifdef USE_ITHREADS -@@ -538,6 +539,7 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance) - PL_endav = (AV *)NULL; - - if(!exitstatus) { -+ inst->perl_parsed = true; - perl_run(inst->perl); - } else { - ERROR("rlm_perl: perl_parse failed: %s not found or has syntax errors. \n", inst->module); -@@ -1012,7 +1014,7 @@ static int mod_detach(void *instance) - } - #endif - -- if (inst->func_detach) { -+ if (inst->perl_parsed && inst->func_detach) { - dTHXa(inst->perl); - PERL_SET_CONTEXT(inst->perl); - { --- -2.1.0 - 
diff --git a/SOURCES/freeradius-dont-swap-uint128-printing-on-be.patch b/SOURCES/freeradius-dont-swap-uint128-printing-on-be.patch deleted file mode 100644 index ba3c670..0000000 --- a/SOURCES/freeradius-dont-swap-uint128-printing-on-be.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 168275c3f4ffe9d0e09ed7a3789b45b440416f73 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Wed, 1 Oct 2014 16:32:11 +0300 -Subject: [PATCH 4/4] Don't assume little-endian in fr_prints_uint128 - -Add handling of big-endian architectures to fr_prints_uint128. ---- - src/lib/misc.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/src/lib/misc.c b/src/lib/misc.c -index 66171ff..d0ccd6c 100644 ---- a/src/lib/misc.c -+++ b/src/lib/misc.c -@@ -1366,6 +1366,13 @@ size_t fr_prints_uint128(char *out, size_t outlen, uint128_t const num) - uint64_t n[2]; - char *p = buff; - int i; -+#ifdef RADIUS_LITTLE_ENDIAN -+ const size_t l = 0; -+ const size_t h = 1; -+#else -+ const size_t l = 1; -+ const size_t h = 0; -+#endif - - memset(buff, '0', sizeof(buff) - 1); - buff[sizeof(buff) - 1] = '\0'; -@@ -1376,11 +1383,11 @@ size_t fr_prints_uint128(char *out, size_t outlen, uint128_t const num) - ssize_t j; - int carry; - -- carry = (n[1] >= 0x8000000000000000); -+ carry = (n[h] >= 0x8000000000000000); - - // Shift n[] left, doubling it -- n[1] = ((n[1] << 1) & 0xffffffffffffffff) + (n[0] >= 0x8000000000000000); -- n[0] = ((n[0] << 1) & 0xffffffffffffffff); -+ n[h] = ((n[h] << 1) & 0xffffffffffffffff) + (n[l] >= 0x8000000000000000); -+ n[l] = ((n[l] << 1) & 0xffffffffffffffff); - - // Add s[] to itself in decimal, doubling it - for (j = sizeof(buff) - 2; j >= 0; j--) { --- -2.1.0 - diff --git a/SOURCES/freeradius-dont-truncate-uint64.patch b/SOURCES/freeradius-dont-truncate-uint64.patch deleted file mode 100644 index d64a47c..0000000 --- a/SOURCES/freeradius-dont-truncate-uint64.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From de77beacf1c0bd64335f0f949af9da71437d3ba5 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Tue, 30 Sep 2014 22:27:36 +0300 -Subject: [PATCH 1/4] Don't truncate 64-bit integers in do_cast_copy - -Assign converted octets to vp_integer64, instead of vp_integer to avoid -truncation in do_cast_copy. ---- - src/main/evaluate.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/main/evaluate.c b/src/main/evaluate.c -index f91d482..5cf597d 100644 ---- a/src/main/evaluate.c -+++ b/src/main/evaluate.c -@@ -475,7 +475,7 @@ static int do_cast_copy(VALUE_PAIR *dst, VALUE_PAIR const *src) - do_octets: - switch (dst->da->type) { - case PW_TYPE_INTEGER64: -- dst->vp_integer = ntohll(*(uint64_t const *) src->vp_octets); -+ dst->vp_integer64 = ntohll(*(uint64_t const *) src->vp_octets); - break; - - case PW_TYPE_INTEGER: --- -2.1.0 - diff --git a/SOURCES/freeradius-exec-dont-assume-request-presence-when-logging.patch b/SOURCES/freeradius-exec-dont-assume-request-presence-when-logging.patch deleted file mode 100644 index 2c0ee52..0000000 --- a/SOURCES/freeradius-exec-dont-assume-request-presence-when-logging.patch +++ /dev/null 
@@ -1,139 +0,0 @@ -From 13c5c908548c29ab30ae2e274a5d2baa96eadae4 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Wed, 15 Oct 2014 20:03:11 +0300 -Subject: [PATCH 1/4] exec: Don't assume request presence when logging - -Use DEBUG* macros for logging, instead of RDEBUG* macros in -radius_start_program and radius_readfrom_program as these are not -guaranteed to be invoked with a valid request. - -For example, not from most of the exec_trigger invocations. ---- - src/include/radiusd.h | 2 +- - src/main/exec.c | 22 +++++++++++----------- - src/modules/rlm_mschap/rlm_mschap.c | 2 +- - 3 files changed, 13 insertions(+), 13 deletions(-) - -diff --git a/src/include/radiusd.h b/src/include/radiusd.h -index 21d510b..ebe3a21 100644 ---- a/src/include/radiusd.h -+++ b/src/include/radiusd.h -@@ -606,7 +606,7 @@ int rad_virtual_server(REQUEST *); - pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait, - int *input_fd, int *output_fd, - VALUE_PAIR *input_pairs, bool shell_escape); --int radius_readfrom_program(REQUEST *request, int fd, pid_t pid, int timeout, -+int radius_readfrom_program(int fd, pid_t pid, int timeout, - char *answer, int left); - int radius_exec_program(REQUEST *request, char const *cmd, bool exec_wait, bool shell_escape, - char *user_msg, size_t msg_len, int timeout, -diff --git a/src/main/exec.c b/src/main/exec.c -index b421053..1188d0a 100644 ---- a/src/main/exec.c -+++ b/src/main/exec.c -@@ -103,16 +103,16 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait, - - argc = rad_expand_xlat(request, cmd, MAX_ARGV, argv, true, sizeof(argv_buf), argv_buf); - if (argc <= 0) { -- RDEBUG("invalid command line '%s'.", cmd); -+ DEBUG("invalid command line '%s'.", cmd); - return -1; - } - - - #ifndef NDEBUG - if (debug_flag > 2) { -- RDEBUG3("executing cmd %s", cmd); -+ DEBUG3("executing cmd %s", cmd); - for (i = 0; i < argc; i++) { -- RDEBUG3("\t[%d] %s", i, argv[i]); -+ DEBUG3("\t[%d] %s", i, argv[i]); - } - 
} - #endif -@@ -124,13 +124,13 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait, - if (exec_wait) { - if (input_fd) { - if (pipe(to_child) != 0) { -- RDEBUG("Couldn't open pipe to child: %s", fr_syserror(errno)); -+ DEBUG("Couldn't open pipe to child: %s", fr_syserror(errno)); - return -1; - } - } - if (output_fd) { - if (pipe(from_child) != 0) { -- RDEBUG("Couldn't open pipe from child: %s", fr_syserror(errno)); -+ DEBUG("Couldn't open pipe from child: %s", fr_syserror(errno)); - /* safe because these either need closing or are == -1 */ - close(to_child[0]); - close(to_child[1]); -@@ -206,7 +206,7 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait, - */ - devnull = open("/dev/null", O_RDWR); - if (devnull < 0) { -- RDEBUG("Failed opening /dev/null: %s\n", fr_syserror(errno)); -+ DEBUG("Failed opening /dev/null: %s\n", fr_syserror(errno)); - - /* - * Where the status code is interpreted as a module rcode -@@ -287,7 +287,7 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait, - * Parent process. - */ - if (pid < 0) { -- RDEBUG("Couldn't fork %s: %s", argv[0], fr_syserror(errno)); -+ DEBUG("Couldn't fork %s: %s", argv[0], fr_syserror(errno)); - if (exec_wait) { - /* safe because these either need closing or are == -1 */ - close(to_child[0]); -@@ -320,7 +320,7 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait, - return pid; - #else - if (exec_wait) { -- RDEBUG("Wait is not supported"); -+ DEBUG("Wait is not supported"); - return -1; - } - -@@ -366,7 +366,7 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait, - * @param left length of buffer. - * @return -1 on error, or length of output. 
- */ --int radius_readfrom_program(REQUEST *request, int fd, pid_t pid, int timeout, -+int radius_readfrom_program(int fd, pid_t pid, int timeout, - char *answer, int left) - { - int done = 0; -@@ -422,7 +422,7 @@ int radius_readfrom_program(REQUEST *request, int fd, pid_t pid, int timeout, - rcode = select(fd + 1, &fds, NULL, NULL, &wake); - if (rcode == 0) { - too_long: -- RDEBUG("Child PID %u is taking too much time: forcing failure and killing child.", pid); -+ DEBUG("Child PID %u is taking too much time: forcing failure and killing child.", pid); - kill(pid, SIGTERM); - close(fd); /* should give SIGPIPE to child, too */ - -@@ -536,7 +536,7 @@ int radius_exec_program(REQUEST *request, char const *cmd, bool exec_wait, bool - } - - #ifndef __MINGW32__ -- len = radius_readfrom_program(request, from_child, pid, timeout, answer, sizeof(answer)); -+ len = radius_readfrom_program(from_child, pid, timeout, answer, sizeof(answer)); - if (len < 0) { - /* - * Failure - radius_readfrom_program will -diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c -index 0101ddf..03f94a9 100644 ---- a/src/modules/rlm_mschap/rlm_mschap.c -+++ b/src/modules/rlm_mschap/rlm_mschap.c -@@ -794,7 +794,7 @@ static int CC_HINT(nonnull (1, 2, 4, 5)) do_mschap_cpw(rlm_mschap_t *inst, - /* - * Read from the child - */ -- len = radius_readfrom_program(request, from_child, pid, 10, buf, sizeof(buf)); -+ len = radius_readfrom_program(from_child, pid, 10, buf, sizeof(buf)); - if (len < 0) { - /* radius_readfrom_program will have closed from_child for us */ - REDEBUG("Failure reading from child"); --- -2.1.1 - diff --git a/SOURCES/freeradius-fix-checks-for-PW_TYPE_FILE_INPUT.patch b/SOURCES/freeradius-fix-checks-for-PW_TYPE_FILE_INPUT.patch deleted file mode 100644 index e42dd5d..0000000 --- a/SOURCES/freeradius-fix-checks-for-PW_TYPE_FILE_INPUT.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From bae8305c7c1f35f853d9ffe520983c90f2a927a8 Mon Sep 17 00:00:00 2001 -From: "Alan T. DeKok" -Date: Sun, 5 Oct 2014 17:31:34 -0400 -Subject: [PATCH 1/1] Fix checks for PW_TYPE_FILE_INPUT - ---- - src/main/conffile.c | 45 +++++++-------------------------------------- - 1 file changed, 7 insertions(+), 38 deletions(-) - -diff --git a/src/main/conffile.c b/src/main/conffile.c -index 37c8aba..a221dcd 100644 ---- a/src/main/conffile.c -+++ b/src/main/conffile.c -@@ -985,7 +985,7 @@ static inline int fr_item_validate_ipaddr(CONF_SECTION *cs, char const *name, PW - int cf_item_parse(CONF_SECTION *cs, char const *name, int type, void *data, char const *dflt) - { - int rcode; -- bool deprecated, required, attribute, secret; -+ bool deprecated, required, attribute, secret, input; - char **q; - char const *value; - CONF_PAIR const *cp = NULL; -@@ -998,6 +998,7 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, int type, void *data, char - required = (type & PW_TYPE_REQUIRED); - attribute = (type & PW_TYPE_ATTRIBUTE); - secret = (type & PW_TYPE_SECRET); -+ input = (type == PW_TYPE_FILE_INPUT); /* check, not and */ - - type &= 0xff; /* normal types are small */ - rcode = 0; -@@ -1157,46 +1158,14 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, int type, void *data, char - cs->depth, parse_spaces, name, value ? value : "(null)"); - } - *q = value ? talloc_typed_strdup(cs, value) : NULL; -- break; -- -- /* -- * This is the same as PW_TYPE_STRING, -- * except that we also "stat" the file, and -- * cache the result. -- */ -- case PW_TYPE_FILE_INPUT: -- case PW_TYPE_FILE_OUTPUT: -- q = (char **) data; -- if (*q != NULL) { -- free(*q); -- } -- -- /* -- * Expand variables which haven't already been -- * expanded automagically when the configuration -- * file was read. 
-- */ -- if ((value == dflt) && cs) { -- int lineno = 0; -- -- value = cf_expand_variables("?", -- &lineno, -- cs, buffer, sizeof(buffer), -- value); -- if (!value) return -1; -- } -- -- if (required && (!value || !*value)) goto is_required; -- -- cf_log_info(cs, "%.*s\t%s = \"%s\"", -- cs->depth, parse_spaces, name, value); -- *q = value ? talloc_typed_strdup(cs, value) : NULL; - - /* -- * If the filename exists and we're supposed to -- * read it, check it. -+ * If there's data AND it's an input file, check -+ * that we can read it. This check allows errors -+ * to be caught as early as possible, during -+ * server startup. - */ -- if (*q && (type == PW_TYPE_FILE_INPUT)) { -+ if (*q && input) { - struct stat buf; - - if (stat(*q, &buf) < 0) { --- -2.1.1 - diff --git a/SOURCES/freeradius-fix-dhcp-dictionary-loading.patch b/SOURCES/freeradius-fix-dhcp-dictionary-loading.patch deleted file mode 100644 index 7cde423..0000000 --- a/SOURCES/freeradius-fix-dhcp-dictionary-loading.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From dda57af171687d60e21e8e2620e87b25939d0c29 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Mon, 6 Oct 2014 17:00:25 +0300 -Subject: [PATCH 1/1] dhcpclient: Load dictionary.dhcp from DICTDIR. - -Load dictionary.dhcp from DICTDIR instead of RADDBDIR in dhcpclient.c, -as it is found only in the former. - -This fixes the following error printed when invoking dhcpclient: - - Failed reading dictionary.dhcp: dict_init: Couldn't open dictionary - "/etc/raddb/dictionary.dhcp": No such file or directory ---- - src/modules/proto_dhcp/dhcpclient.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/modules/proto_dhcp/dhcpclient.c b/src/modules/proto_dhcp/dhcpclient.c -index b29b9a2..ac52ffd 100644 ---- a/src/modules/proto_dhcp/dhcpclient.c -+++ b/src/modules/proto_dhcp/dhcpclient.c -@@ -264,6 +264,7 @@ int main(int argc, char **argv) - char *p; - int c; - char const *radius_dir = RADDBDIR; -+ char const *dict_dir = DICTDIR; - char const *filename = NULL; - DICT_ATTR const *da; - -@@ -315,7 +316,7 @@ int main(int argc, char **argv) - */ - da = dict_attrbyname("DHCP-Message-Type"); - if (!da) { -- if (dict_read(radius_dir, "dictionary.dhcp") < 0) { -+ if (dict_read(dict_dir, "dictionary.dhcp") < 0) { - fprintf(stderr, "Failed reading dictionary.dhcp: %s", - fr_strerror()); - return -1; --- -2.1.1 - diff --git a/SOURCES/freeradius-ignore-SIGTERM-when-firing-stop-and-signal.term.patch b/SOURCES/freeradius-ignore-SIGTERM-when-firing-stop-and-signal.term.patch deleted file mode 100644 index daefbb4..0000000 --- a/SOURCES/freeradius-ignore-SIGTERM-when-firing-stop-and-signal.term.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From b5b92669c32b50b2f96a3ae53d4222d6cb3d1287 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Tue, 28 Oct 2014 15:57:56 +0200 -Subject: [PATCH 1/1] Ignore SIGTERM when firing stop and signal.term - -Move firing "server.stop" and "server.signal.term" triggers beyond -setting SIGTERM action to SIG_IGN in main(). - -This way handler commands for these triggers don't receive SIGTERM with -the rest of the process group and don't possibly terminate before doing -their work. E.g. snmptrap manages to send the notifications. ---- - src/main/process.c | 1 - - src/main/radiusd.c | 10 ++++++++-- - 2 files changed, 8 insertions(+), 3 deletions(-) - -diff --git a/src/main/process.c b/src/main/process.c -index 7e1a51e..f427205 100644 ---- a/src/main/process.c -+++ b/src/main/process.c -@@ -4536,7 +4536,6 @@ static void handle_signal_self(int flag) - fr_event_loop_exit(el, 1); - } else { - INFO("Signalled to terminate"); -- exec_trigger(NULL, NULL, "server.signal.term", true); - fr_event_loop_exit(el, 2); - } - -diff --git a/src/main/radiusd.c b/src/main/radiusd.c -index 620d7d4..86c7013 100644 ---- a/src/main/radiusd.c -+++ b/src/main/radiusd.c -@@ -592,8 +592,6 @@ int main(int argc, char *argv[]) - INFO("Exiting normally"); - } - -- exec_trigger(NULL, NULL, "server.stop", false); -- - /* - * Ignore the TERM signal: we're - * about to die. -@@ -601,6 +599,14 @@ int main(int argc, char *argv[]) - signal(SIGTERM, SIG_IGN); - - /* -+ * Fire signal and stop triggers after ignoring SIGTERM, so handlers are -+ * not killed with the rest of the process group, below. -+ */ -+ if (status == 2) -+ exec_trigger(NULL, NULL, "server.signal.term", true); -+ exec_trigger(NULL, NULL, "server.stop", false); -+ -+ /* - * Send a TERM signal to all - * associated processes - * (including us, which gets --- -2.1.1 - diff --git a/SOURCES/freeradius-logrotate b/SOURCES/freeradius-logrotate index ec19fd3..1c3c5b9 100644 --- a/SOURCES/freeradius-logrotate 
+++ b/SOURCES/freeradius-logrotate @@ -31,18 +31,10 @@ missingok compress postrotate - /sbin/service radiusd reload + /usr/bin/systemctl reload-or-try-restart radiusd endscript } -/var/log/radius/radutmp { - monthly - rotate 4 - create - compress - missingok -} - /var/log/radius/radwtmp { monthly rotate 4 diff --git a/SOURCES/freeradius-make-grp-tallo-c-too.patch b/SOURCES/freeradius-make-grp-tallo-c-too.patch deleted file mode 100644 index ad7d192..0000000 --- a/SOURCES/freeradius-make-grp-tallo-c-too.patch +++ /dev/null 
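Review bot: The new postrotate command `reload-or-try-restart` falls back to a full restart of radiusd whenever the unit defines no ExecReload, which would drop in-flight RADIUS requests on every rotation; the unit file is not visible here, so confirm it carries a reload action before relying on this. The hunk also removes the radutmp rotation stanza; as far as I know radutmp is the binary current-sessions file rather than an append-only log, so excluding it from rotation looks correct, but a one-line comment in the file such as `# radutmp is a live session table, not a log - do not rotate it` would stop the next maintainer from re-adding the block.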
@@ -1,53 +0,0 @@ -From d51daa8f56f5c55f2effdb308ef4a14016118753 Mon Sep 17 00:00:00 2001 -From: "Alan T. DeKok" -Date: Sun, 5 Oct 2014 17:22:26 -0400 -Subject: [PATCH 1/1] Make grp tallo'c, too - ---- - src/modules/rlm_unix/rlm_unix.c | 14 +++++++++----- - 1 file changed, 9 insertions(+), 5 deletions(-) - -diff --git a/src/modules/rlm_unix/rlm_unix.c b/src/modules/rlm_unix/rlm_unix.c -index 0a01074..9e55c26 100644 ---- a/src/modules/rlm_unix/rlm_unix.c -+++ b/src/modules/rlm_unix/rlm_unix.c -@@ -75,20 +75,20 @@ static const CONF_PARSER module_config[] = { - #else - static struct group *fr_getgrnam(TALLOC_CTX *ctx, char const *name) - { -- struct group *grp, my_group; -+ struct group *grp, *result; - char *group_buffer; - size_t group_size = 1024; - -- grp = NULL; -- group_buffer = talloc_array(ctx, char, group_size); -+ grp = talloc(ctx, struct group); -+ group_buffer = talloc_array(grp, char, group_size); - while (group_buffer) { - int err; - -- err = getgrnam_r(name, &my_group, group_buffer, group_size, &grp); -+ err = getgrnam_r(name, grp, group_buffer, group_size, &result); - if (err == ERANGE) { - group_size *= 2; - talloc_free(group_buffer); -- group_buffer = talloc_array(ctx, char, group_size); -+ group_buffer = talloc_array(grp, char, group_size); - continue; - } - -@@ -145,6 +145,10 @@ static int groupcmp(UNUSED void *instance, REQUEST *req, UNUSED VALUE_PAIR *requ - } - } - -+#ifdef HAVE_GETGRNAM_R -+ talloc_free(grp); -+#endif -+ - return retval; - } - --- -2.1.1 - diff --git a/SOURCES/freeradius-man-remove-client-attribute-description.patch b/SOURCES/freeradius-man-remove-client-attribute-description.patch deleted file mode 100644 index 8acb7b2..0000000 --- a/SOURCES/freeradius-man-remove-client-attribute-description.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From ca2eedaad0bc27dd6a540e61c583f0b745641a84 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Tue, 2 Dec 2014 16:39:28 +0200 -Subject: [PATCH 1/2] man: Remove client attribute description - -Remove attribute description from clients.conf(5) source as it is -outdated, lists just a few attributes and wasn't updated for more than a -year. Refer to clients.conf file itself, instead. ---- - man/man5/clients.conf.5 | 74 +++---------------------------------------------- - 1 file changed, 4 insertions(+), 70 deletions(-) - -diff --git a/man/man5/clients.conf.5 b/man/man5/clients.conf.5 -index 9af246a..f9207d1 100644 ---- a/man/man5/clients.conf.5 -+++ b/man/man5/clients.conf.5 -@@ -26,76 +26,10 @@ client { - = - } - .fi --.SH ATTRIBUTES --The attributes that can appear in a --.B client --section are listed below. Required attributes are labelled as --such. All other attributes are optional. --.TP 0.5i --.B ipaddr [Required] --The IP address of the client. For IPv6, use "ipv6addr" --.TP 0.5i --.B secret [Required] --The RADIUS shared secret used for communication between the client/NAS --and the RADIUS server. --.TP 0.5i --.B shortname [optional] --A short alias that can be used in place of the IP address or fully --qualified hostname provided in the first line of the section. --.TP 0.5i --.B nas_type --The nas_type attribute is used to tell the --.BR checkrad.pl --script which NAS-specific method it should use when checking --simultaneous use. -- --The following values are currently recognized: --.nf --cisco --computone --livingston --max40xx --multitech --netserver --pathras --patton --portslave --tc --usrhiper --other --.fi --.TP 0.5i --.B login --Reserved for future use. --.TP 0.5i --.B password --Reserved for future use. --.SH EXAMPLES --.IP --.nf --client localhost { -- ipaddr = 127.0.0.1 -- secret = testing123 -- shortname = localhost -- nas_type = other --} --.fi --.LP --This adds a client for the loopback address. 
This is useful in testing --the --server locally, for example with --.BR radclient (1). --.IP --.nf --client private-network-1 { -- ipaddr = 192.0.2.0 -- netmask = 24 -- secret = testing123-1 -- shortname = private-network-1 --} --.fi --.LP --This entry represents any client from the 192.0.2.0/24 network. -+.PP -+Clients have many configuration parameters. Most are documented in the file -+itself as comments. This page documents only the format of the file. Please -+read the \fBclients.conf\fP file itself for more information. - - The old-style format from 1.x is still accepted by the server, but - that form is deprecated. --- -2.1.3 - diff --git a/SOURCES/freeradius-man-remove-references-to-naslist-and-clients.patch b/SOURCES/freeradius-man-remove-references-to-naslist-and-clients.patch deleted file mode 100644 index df2ba67..0000000 --- a/SOURCES/freeradius-man-remove-references-to-naslist-and-clients.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From 55a489a7885608158f66823686d89eb7cf54d5a9 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Tue, 2 Dec 2014 16:43:49 +0200 -Subject: [PATCH 2/2] man: Remove references to naslist and clients - -Remove references to non-existent naslist and clients manpages as they -are confusing. ---- - man/man5/clients.conf.5 | 8 +++----- - man/man5/dictionary.5 | 1 - - man/man5/users.5 | 1 - - 3 files changed, 3 insertions(+), 7 deletions(-) - -diff --git a/man/man5/clients.conf.5 b/man/man5/clients.conf.5 -index f9207d1..6c6b3ee 100644 ---- a/man/man5/clients.conf.5 -+++ b/man/man5/clients.conf.5 -@@ -8,9 +8,9 @@ file contains definitions of RADIUS clients. - .PP - The information in this file overrides any information provided in - the deprecated --.BR clients (5) -+.BR clients - and --.BR naslist (5) -+.BR naslist - files. - .PP - The file format is the same as that used for -@@ -39,9 +39,7 @@ that form is deprecated. - .I /etc/raddb/radiusd.conf - .SH "SEE ALSO" - .BR radiusd (8), --.BR radiusd.conf (5), --.BR clients (5), --.BR naslist (5) -+.BR radiusd.conf (5) - - .SH AUTHOR - FreeRADIUS is authored by the FreeRADIUS team. -diff --git a/man/man5/dictionary.5 b/man/man5/dictionary.5 -index 6b60602..d685081 100644 ---- a/man/man5/dictionary.5 -+++ b/man/man5/dictionary.5 -@@ -176,7 +176,6 @@ the attribute number should be used instead. - .I /usr/share/freeradius/dictionary.* - .SH "SEE ALSO" - .BR radiusd (8), --.BR naslist (5), - .BR RFC2865, - .BR RFC2866, - .BR RFC2868 -diff --git a/man/man5/users.5 b/man/man5/users.5 -index ed8f471..c9aef82 100644 ---- a/man/man5/users.5 -+++ b/man/man5/users.5 -@@ -243,7 +243,6 @@ entries that set reply attributes. - .BR radclient (1), - .BR radiusd (8), - .BR dictionary (5), --.BR naslist (5) - - .SH AUTHOR - The FreeRADIUS team. --- -2.1.3 - 
diff --git a/SOURCES/freeradius-mention-eap-md5-in-radtest-synopsis.patch b/SOURCES/freeradius-mention-eap-md5-in-radtest-synopsis.patch
deleted file mode 100644
index 20baad1..0000000
--- a/SOURCES/freeradius-mention-eap-md5-in-radtest-synopsis.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From b00d9a63963c4d5dec72d8c4671a72cde5c4ca69 Mon Sep 17 00:00:00 2001
-From: Nikolai Kondrashov
-Date: Mon, 27 Oct 2014 16:14:35 +0200
-Subject: [PATCH 1/2] man: Mention eap-md5 in radtest synopsis
-
-Add "eap-md5" to the possible values of -t option in radtest's manpage
-SYNOPSIS to match the detailed description in the OPTIONS.
---
- man/man1/radtest.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/man/man1/radtest.1 b/man/man1/radtest.1
-index f4fdba3..587870c 100644
---- a/man/man1/radtest.1
-+++ b/man/man1/radtest.1
-@@ -6,7 +6,7 @@ radtest - send packets to a RADIUS server, show reply
- .RB [ \-d
- .IR raddb_directory ]
- .RB [ \-t
--.IR pap/chap/mschap ]
-+.IR pap/chap/mschap/eap-md5 ]
- .RB [ \-x
- .IR ]
- .RB [ \-4
---
-2.1.1
-
diff --git a/SOURCES/freeradius-parse-port.-Closes-2000.patch b/SOURCES/freeradius-parse-port.-Closes-2000.patch
new file mode 100644
index 0000000..4d496c6
--- /dev/null
+++ b/SOURCES/freeradius-parse-port.-Closes-2000.patch
@@ -0,0 +1,32 @@
+From 66e6706039677c364f1181ed3c5620fee59a38e1 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok"
+Date: Fri, 2 Jun 2017 09:10:05 -0400
+Subject: [PATCH] parse port. Closes #2000
+
+(cherry picked from commit 66c109361ef67906f52fe2d441f6b61ec2492f32)
+---
+ src/modules/proto_dhcp/dhcpclient.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/modules/proto_dhcp/dhcpclient.c b/src/modules/proto_dhcp/dhcpclient.c
+index 5c923f136..adbcb8c9d 100644
+--- a/src/modules/proto_dhcp/dhcpclient.c
++++ b/src/modules/proto_dhcp/dhcpclient.c
+@@ -413,10 +413,11 @@ int main(int argc, char **argv)
+ */
+ server_ipaddr.af = AF_INET;
+ if (strcmp(argv[1], "-") != 0) {
+- if (ip_hton(&server_ipaddr, AF_INET, argv[1], false) < 0) {
+- fr_perror("dhcpclient");
+- fr_exit_now(1);
++ if (fr_pton_port(&server_ipaddr, &server_port, argv[1], -1, AF_INET, true) < 0) {
++ fprintf(stderr, "dhcpclient: Failed parsing IP:port - %s", fr_strerror());
++ exit(1);
+ }
++
+ client_ipaddr.af = server_ipaddr.af;
+ }
+
+--
+2.11.0
+
diff --git a/SOURCES/freeradius-postgres-sql.patch b/SOURCES/freeradius-postgres-sql.patch
deleted file mode 100644
index 8746b45..0000000
--- a/SOURCES/freeradius-postgres-sql.patch
+++ /dev/null
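Review bot: The error message on the fr_pton_port failure path has no trailing newline, so the text from fr_strerror() runs straight into whatever is written to stderr next; the fr_perror() call it replaces presumably terminated the line itself. Change it to `fprintf(stderr, "dhcpclient: Failed parsing IP:port - %s\n", fr_strerror());`. The same branch swaps fr_exit_now(1) for a plain exit(1); if fr_exit_now performs any teardown in debug builds, that is now skipped, which may be acceptable for a client tool but is worth confirming. The final argument to fr_pton_port is `true` where the old ip_hton call passed `false`; the two flags are presumably not equivalent (resolution vs. address-family fallback), so confirm that resolving a non-literal argv[1] is the intended new behaviour. main() begins outside the hunk, and the declaration of server_port is not visible here.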
@@ -1,24 +0,0 @@ -From 797e2d603bdc4bea009f7e0053f2e41fdb9238a6 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Thu, 30 Oct 2014 12:15:44 +0200 -Subject: [PATCH 1/1] Fix PostgreSQL setup SQL permissions - ---- - raddb/mods-config/sql/main/postgresql/setup.sql | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/raddb/mods-config/sql/main/postgresql/setup.sql b/raddb/mods-config/sql/main/postgresql/setup.sql -index 26d08ca..407f414 100644 ---- a/raddb/mods-config/sql/main/postgresql/setup.sql -+++ b/raddb/mods-config/sql/main/postgresql/setup.sql -@@ -29,4 +29,7 @@ GRANT SELECT ON radusergroup TO radius; - * The server can write to the accounting and post-auth logging table. - */ - GRANT SELECT, INSERT, UPDATE on radacct TO radius; -+GRANT SELECT, USAGE on radacct_radacctid_seq TO radius; -+ - GRANT SELECT, INSERT, UPDATE on radpostauth TO radius; -+GRANT SELECT, USAGE on radpostauth_id_seq TO radius; --- -2.1.3 - diff --git a/SOURCES/freeradius-prefix-endian-macros.patch b/SOURCES/freeradius-prefix-endian-macros.patch deleted file mode 100644 index 80e3924..0000000 --- a/SOURCES/freeradius-prefix-endian-macros.patch +++ /dev/null 
@@ -1,168 +0,0 @@ -From 4a906c702ac31da5977eba6698fa5435474cb47f Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Wed, 1 Oct 2014 15:11:12 +0300 -Subject: [PATCH 3/4] Prefix *_ENDIAN macros with RADIUS_ - -Rename LITTLE_ENDIAN and BIG_ENDIAN macros to RADIUS_LITTLE_ENDIAN and -RADIUS_BIG_ENDIAN respectively to avoid clashes with -/usr/include/endian.h defines, which result in always assuming -little-endian architecture. ---- - configure | 4 ++-- - configure.ac | 4 ++-- - src/include/autoconf.h.in | 16 ++++++++-------- - src/include/build.h | 6 +++--- - src/include/missing-h | 4 ++-- - src/lib/missing.c | 2 +- - src/main/version.c | 4 ++-- - 7 files changed, 20 insertions(+), 20 deletions(-) - -diff --git a/configure b/configure -index f15072d..1b54efd 100755 ---- a/configure -+++ b/configure -@@ -4771,11 +4771,11 @@ $as_echo "$ac_cv_c_bigendian" >&6; } - case $ac_cv_c_bigendian in #( - yes) - --$as_echo "#define BIG_ENDIAN 1" >>confdefs.h -+$as_echo "#define RADIUS_BIG_ENDIAN 1" >>confdefs.h - ;; #( - no) - --$as_echo "#define LITTLE_ENDIAN 1" >>confdefs.h -+$as_echo "#define RADIUS_LITTLE_ENDIAN 1" >>confdefs.h - - ;; #( - universal) -diff --git a/configure.ac b/configure.ac -index 76466ec..30b226b 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -167,8 +167,8 @@ dnl # check for system bytesex - dnl # AC_DEFINES WORDS_BIGENDIAN - dnl # - AC_C_BIGENDIAN( -- [AC_DEFINE(BIG_ENDIAN, 1, [Define if your processor stores words with the most significant byte first])], -- [AC_DEFINE(LITTLE_ENDIAN, 1, [Define if your processor stores words with the least significant byte first])] -+ [AC_DEFINE(RADIUS_BIG_ENDIAN, 1, [Define if your processor stores words with the most significant byte first])], -+ [AC_DEFINE(RADIUS_LITTLE_ENDIAN, 1, [Define if your processor stores words with the least significant byte first])] - ) - - dnl # -diff --git a/src/include/autoconf.h.in b/src/include/autoconf.h.in -index 6e6e355..c313bca 100644 ---- a/src/include/autoconf.h.in -+++ 
b/src/include/autoconf.h.in -@@ -3,10 +3,6 @@ - /* Define if building universal (internal helper macro) */ - #undef AC_APPLE_UNIVERSAL_BUILD - --/* Define if your processor stores words with the most significant byte first -- */ --#undef BIG_ENDIAN -- - /* BSD-Style get*byaddr_r */ - #undef BSDSTYLE - -@@ -443,10 +439,6 @@ - /* compiler specific 128 bit unsigned integer */ - #undef HAVE___UINT128_T - --/* Define if your processor stores words with the least significant byte first -- */ --#undef LITTLE_ENDIAN -- - /* define if you have OSFC2 authentication */ - #undef OSFC2 - -@@ -483,6 +475,14 @@ - /* Raw version string from VERSION file */ - #undef RADIUSD_VERSION_STRING - -+/* Define if your processor stores words with the most significant byte first -+ */ -+#undef RADIUS_BIG_ENDIAN -+ -+/* Define if your processor stores words with the least significant byte first -+ */ -+#undef RADIUS_LITTLE_ENDIAN -+ - /* Define as the return type of signal handlers (`int' or `void'). */ - #undef RETSIGTYPE - -diff --git a/src/include/build.h b/src/include/build.h -index 66c3087..4c1bf1a 100644 ---- a/src/include/build.h -+++ b/src/include/build.h -@@ -105,13 +105,13 @@ extern "C" { - * Here at least the endianess can be set explicitly with - * -DLITTLE_ENDIAN or -DBIG_ENDIAN. 
- */ --#if !defined(LITTLE_ENDIAN) && !defined(BIG_ENDIAN) -+#if !defined(RADIUS_LITTLE_ENDIAN) && !defined(RADIUS_BIG_ENDIAN) - # if defined(__LITTLE_ENDIAN__) || \ - (defined(__BYTE_ORDER__) && (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)) --# define LITTLE_ENDIAN 1 -+# define RADIUS_LITTLE_ENDIAN 1 - # elif defined(__BIG_ENDIAN__) || \ - (defined(__BYTE_ORDER__) && (__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__)) --# define BIG_ENDIAN 1 -+# define RADIUS_BIG_ENDIAN 1 - # else - # error Failed determining endianness of system - # endif -diff --git a/src/include/missing-h b/src/include/missing-h -index 3f286a4..7136172 100644 ---- a/src/include/missing-h -+++ b/src/include/missing-h -@@ -424,7 +424,7 @@ typedef struct int128_t { uint8_t v[16]; } int128_t; - - /* abcd efgh -> dcba hgfe -> hgfe dcba */ - #ifndef HAVE_HTON_LL --# ifdef LITTLE_ENDIAN -+# ifdef RADIUS_LITTLE_ENDIAN - # ifdef HAVE_BUILTIN_BSWAP64 - # define ntohll(x) __builtin_bswap64(x) - # else -@@ -437,7 +437,7 @@ typedef struct int128_t { uint8_t v[16]; } int128_t; - #endif - - #ifndef HAVE_HTON_LLL --# ifdef LITTLE_ENDIAN -+# ifdef RADIUS_LITTLE_ENDIAN - # ifdef HAVE_128BIT_INTEGERS - # define ntohlll(x) (((uint128_t)ntohll((uint64_t)(x >> 64))) | (((uint128_t)ntohll(((uint64_t) x)) << 64))) - # else -diff --git a/src/lib/missing.c b/src/lib/missing.c -index 4598c8f..efd5461 100644 ---- a/src/lib/missing.c -+++ b/src/lib/missing.c -@@ -273,7 +273,7 @@ ntp2timeval(struct timeval *tv, char const *ntp) - tv->tv_usec = usec / 4295; /* close enough */ - } - --#if !defined(HAVE_128BIT_INTEGERS) && defined(LITTLE_ENDIAN) -+#if !defined(HAVE_128BIT_INTEGERS) && defined(RADIUS_LITTLE_ENDIAN) - /** Swap byte order of 128 bit integer - * - * @param num 128bit integer to swap. 
-diff --git a/src/main/version.c b/src/main/version.c -index 0aba383..8b56ffa 100644 ---- a/src/main/version.c -+++ b/src/main/version.c -@@ -276,9 +276,9 @@ void version(void) - DEBUG3(" 0x%llx", (unsigned long long) libmagic); - - DEBUG3("Endianess:"); --#if defined(LITTLE_ENDIAN) -+#if defined(RADIUS_LITTLE_ENDIAN) - DEBUG3(" little"); --#elif defined(BIG_ENDIAN) -+#elif defined(RADIUS_BIG_ENDIAN) - DEBUG3(" big"); - #else - DEBUG3(" unknown"); --- -2.1.0 - diff --git a/SOURCES/freeradius-rad_counter-Refine-help-message.patch b/SOURCES/freeradius-rad_counter-Refine-help-message.patch deleted file mode 100644 index 40d9b0c..0000000 --- a/SOURCES/freeradius-rad_counter-Refine-help-message.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 68b1b158029501208d1c6a60aa2794d9589c2a08 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Fri, 5 Dec 2014 12:24:37 +0200 -Subject: [PATCH 2/3] rad_counter: Refine help message - -Refine rad_counter help message: - -* use executable name without path, -* add program purpose, -* shorten usage summary line for clarity, -* separate arguments and options, -* add full stops to sentences, -* wrap a long line. ---- - src/modules/rlm_counter/rad_counter | 24 +++++++++++++++--------- - 1 file changed, 15 insertions(+), 9 deletions(-) - -diff --git a/src/modules/rlm_counter/rad_counter b/src/modules/rlm_counter/rad_counter -index b6c1159..1beef29 100755 ---- a/src/modules/rlm_counter/rad_counter -+++ b/src/modules/rlm_counter/rad_counter -@@ -6,6 +6,7 @@ use warnings ; - use GDBM_File ; - use Fcntl ; - use Getopt::Long; -+use File::Basename; - - my $user = ''; - my $divisor = 1; -@@ -19,17 +20,22 @@ my $help = 0; - $filename = ''; - - sub show_help { -- print <<"EOF"; --Usage: $0 --file= [--reset=] [--match=] --[--user=] [--help] [--hours|--minutes|--seconds] -+ my $progname = basename($0); -+ print < [OPTION...] -+Query and maintain FreeRADIUS rlm_counter DB file. - ----user= Information for specific user ----file= Counter db filename ----match= Information for matching users -+Arguments: -+--file= Counter DB filename. -+ -+Options: -+--user= Information for specific user. -+--match= Information for matching users. - --reset= Reset counter to . -- If divisor is set use it, else means seconds ----help Show this help screen ----(hours|minutes|seconds) Specify information divisor -+ If divisor is set use it, -+ else means seconds. -+--help Show this help screen. -+--(hours|minutes|seconds) Specify information divisor. - EOF - exit 0; - } --- -2.1.3 - diff --git a/SOURCES/freeradius-rad_counter-use-heredoc-for-help-message.patch b/SOURCES/freeradius-rad_counter-use-heredoc-for-help-message.patch deleted file mode 100644 index d18fea7..0000000 
--- a/SOURCES/freeradius-rad_counter-use-heredoc-for-help-message.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 70686e8d2b400a804277ba0cdc664e71dd393dd5 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Fri, 5 Dec 2014 12:12:19 +0200 -Subject: [PATCH 1/3] rad_counter: Use heredoc for help message - -Use Perl's here document syntax for rad_counter's help message and -replace tab escape sequences with spaces to make the source more -readable and easier to modify. ---- - src/modules/rlm_counter/rad_counter | 21 ++++++++++++--------- - 1 file changed, 12 insertions(+), 9 deletions(-) - -diff --git a/src/modules/rlm_counter/rad_counter b/src/modules/rlm_counter/rad_counter -index be0a33a..b6c1159 100755 ---- a/src/modules/rlm_counter/rad_counter -+++ b/src/modules/rlm_counter/rad_counter -@@ -19,15 +19,18 @@ my $help = 0; - $filename = ''; - - sub show_help { -- print "Usage: $0 --file= [--reset=] [--match=]\n"; -- print "[--user=] [--help] [--hours|--minutes|--seconds]\n\n"; -- print "--user=", "\t\t", "Information for specific user\n"; -- print "--file=", "\t\t", "Counter db filename\n"; -- print "--match=", "\t\t", "Information for matching users\n"; -- print "--reset=", "\t\t", "Reset counter to .\n"; -- print "\t\t\t\t", "If divisor is set use it, else means seconds\n"; -- print "--help", "\t\t\t\t", "Show this help screen\n"; -- print "--(hours|minutes|seconds)", "\t", "Specify information divisor\n"; -+ print <<"EOF"; -+Usage: $0 --file= [--reset=] [--match=] -+[--user=] [--help] [--hours|--minutes|--seconds] -+ -+--user= Information for specific user -+--file= Counter db filename -+--match= Information for matching users -+--reset= Reset counter to . -+ If divisor is set use it, else means seconds -+--help Show this help screen -+--(hours|minutes|seconds) Specify information divisor -+EOF - exit 0; - } - --- -2.1.3 - 
diff --git a/SOURCES/freeradius-raddb-Comment-on-ipaddr-ipv4addr-ipv6addr-use.patch b/SOURCES/freeradius-raddb-Comment-on-ipaddr-ipv4addr-ipv6addr-use.patch deleted file mode 100644 index 5f36338..0000000 --- a/SOURCES/freeradius-raddb-Comment-on-ipaddr-ipv4addr-ipv6addr-use.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 40537a80edeba25853df745e969f1b0bd5bc71bf Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Thu, 18 Dec 2014 16:13:58 +0200 -Subject: [PATCH 1/1] raddb: Comment on ipaddr/ipv4addr/ipv6addr use - -Describe combined ipaddr/ipv4addr/ipv6addr use in -raddb/sites-available/default. ---- - raddb/sites-available/default | 21 +++++++++++++-------- - 1 file changed, 13 insertions(+), 8 deletions(-) - -diff --git a/raddb/sites-available/default b/raddb/sites-available/default -index 77c271c..77602e4 100644 ---- a/raddb/sites-available/default -+++ b/raddb/sites-available/default -@@ -84,17 +84,22 @@ listen { - # source IP address for packets sent to a home server, the - # proxy listeners are automatically created. - -- # IP address on which to listen. -+ # ipaddr/ipv4addr/ipv6addr - IP address on which to listen. -+ # Out of several options the first one will be used. -+ # - # Allowed values are: -- # dotted quad (1.2.3.4) -- # hostname (radius.example.com) -- # wildcard (*) -+ # IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr) -+ # IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr) -+ # hostname (radius.example.com, -+ # A record for ipv4addr, -+ # AAAA record for ipv6addr, -+ # A or AAAA record for ipaddr) -+ # wildcard (*) -+ # -+ # ipv4addr = * -+ # ipv6addr = * - ipaddr = * - -- # OR, you can use an IPv6 address, but not both -- # at the same time. --# ipv6addr = :: # any. ::1 == localhost -- - # Port on which to listen. - # Allowed values are: - # integer port number (1812) --- -2.1.3 - 
diff --git a/SOURCES/freeradius-raddb-Move-trigger.conf-INCLUDE-before-modules.patch b/SOURCES/freeradius-raddb-Move-trigger.conf-INCLUDE-before-modules.patch deleted file mode 100644 index 994dda0..0000000 --- a/SOURCES/freeradius-raddb-Move-trigger.conf-INCLUDE-before-modules.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 1b32a0e398871f0f5b7b41d200b1b9db371e84d5 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Mon, 15 Dec 2014 16:48:26 +0200 -Subject: [PATCH 1/1] raddb: Move trigger.conf INCLUDE before modules - -Move "$INCLUDE trigger.conf" chunk before module section in -"radiusd.conf.in". This makes it possible to reference "snmptrap" and -related trigger variables under "pool.trigger" in module configurations, -simplifying them. - -E.g. like this (in raddb/mods-enabled/ldap): - -ldap ldap_instance { - pool { - trigger { - args = "radiusdModuleName s '${...:name}' radiusdModuleInstance s '${...:instance}'" - open = "${snmptrap}::serverModuleConnectionUp ${args}" - close = "${snmptrap}::serverModuleConnectionDown ${args}" - } - } -} ---- - raddb/radiusd.conf.in | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in -index c6d5834..fb7d1bd 100644 ---- a/raddb/radiusd.conf.in -+++ b/raddb/radiusd.conf.in -@@ -648,6 +648,14 @@ thread pool { - auto_limit_acct = no - } - -+###################################################################### -+# -+# SNMP notifications. Uncomment the following line to enable -+# snmptraps. Note that you MUST also configure the full path -+# to the "snmptrap" command in the "trigger.conf" file. -+# -+#$INCLUDE trigger.conf -+ - # MODULE CONFIGURATION - # - # The names and configuration of each module is located in this section. -@@ -780,14 +788,6 @@ policy { - - ###################################################################### - # --# SNMP notifications. Uncomment the following line to enable --# snmptraps. Note that you MUST also configure the full path --# to the "snmptrap" command in the "trigger.conf" file. --# --#$INCLUDE trigger.conf -- --###################################################################### --# - # Load virtual servers. - # - # This next $INCLUDE line loads files in the directory that --- -2.1.3 - 
diff --git a/SOURCES/freeradius-raddb-remove-extra-apostrophe-from-trigger.conf.patch b/SOURCES/freeradius-raddb-remove-extra-apostrophe-from-trigger.conf.patch deleted file mode 100644 index 99592c4..0000000 --- a/SOURCES/freeradius-raddb-remove-extra-apostrophe-from-trigger.conf.patch +++ /dev/null @@ -1,30 +0,0 @@ -From e37dbd2dd0f20ff255ddc934296afa67e59695c6 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Thu, 16 Oct 2014 13:48:32 +0300 -Subject: [PATCH 2/4] raddb: Remove extra apostrophe from trigger.conf - -Remove a spurious apostrophe from trigger.conf's trigger.modules.args. - -This fixes module triggers, otherwise producing this error: - - rad_expand_xlat: Invalid string passed as argument ---- - raddb/trigger.conf | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/raddb/trigger.conf b/raddb/trigger.conf -index aa846c3..b80089c 100644 ---- a/raddb/trigger.conf -+++ b/raddb/trigger.conf -@@ -194,7 +194,7 @@ trigger { - # "trigger" subsection in the module configuration. - modules { - # Common arguments -- args = "radiusdModuleName s ldap' radiusdModuleInstance s ''" -+ args = "radiusdModuleName s ldap radiusdModuleInstance s ''" - - # The files module - files { --- -2.1.1 - diff --git a/SOURCES/freeradius-raddb-update-triggers-in-trigger.conf.patch b/SOURCES/freeradius-raddb-update-triggers-in-trigger.conf.patch deleted file mode 100644 index 58bd9bc..0000000 --- a/SOURCES/freeradius-raddb-update-triggers-in-trigger.conf.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 7162088ec80add0e83d1073b67001546be3d0d8d Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Thu, 23 Oct 2014 13:56:46 +0300 -Subject: [PATCH 1/1] raddb: Update triggers in trigger.conf - -Update trigger.conf's available triggers and comments to correspond to -actual code. ---- - raddb/trigger.conf | 23 ++++++++++++----------- - 1 file changed, 12 insertions(+), 11 deletions(-) - -diff --git a/raddb/trigger.conf b/raddb/trigger.conf -index 44f9f36..413a182 100644 ---- a/raddb/trigger.conf -+++ b/raddb/trigger.conf -@@ -222,11 +222,8 @@ trigger { - # A connection to the DB has been closed - close = "${snmptrap}::serverModuleConnectionDown ${args}" - -- # Failed to open a new connection to the DB -- fail = "${snmptrap}::serverModuleConnectionFail ${args}" -- -- # There are no DB handles available. -- none = "${snmptrap}::serverModuleConnectionNone ${args}" -+ # The module has been HUP'd via radmin -+ hup = "${snmptrap}::serverModuleHup ${args}" - } - - # The SQL module -@@ -243,12 +240,13 @@ trigger { - # Failed to open a new connection to the DB - fail = "${snmptrap}::serverModuleConnectionFail ${args}" - -- # There are no DB handles available. -- none = "${snmptrap}::serverModuleConnectionNone ${args}" -+ # The module has been HUP'd via radmin -+ hup = "${snmptrap}::serverModuleHup ${args}" - } - -- # You can use the same opn / close / fail / none triggers for -- # any module which uses the "pool" directive. -+ # You can also use connection pool's start/stop/open/close triggers -+ # for any module which uses the "pool" section, here and under -+ # pool.trigger in module configuration. 
- } - } - -@@ -267,10 +265,9 @@ trigger { - # home_server_pool.fallback - # home_server_pool.normal - # modules.*.hup --# modules.ldap.fail -+# modules.ldap.timeout - # modules.sql.close - # modules.sql.fail --# modules.sql.none - # modules.sql.open - # server.client.add - # server.max_requests -@@ -278,3 +275,7 @@ trigger { - # server.signal.term - # server.start - # server.stop -+# server.thread.max_threads -+# server.thread.start -+# server.thread.stop -+# server.thread.unresponsive --- -2.1.1 - diff --git a/SOURCES/freeradius-raddb-use-appropriate-module-names-in-traps.patch b/SOURCES/freeradius-raddb-use-appropriate-module-names-in-traps.patch deleted file mode 100644 index 0455dbb..0000000 --- a/SOURCES/freeradius-raddb-use-appropriate-module-names-in-traps.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From 039f85dfe9a09478c9581b87113e73e2205abd53 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Thu, 16 Oct 2014 13:59:51 +0300 -Subject: [PATCH 3/4] raddb: Use appropriate module names in traps - -Specify appropriate module names for all module traps in trigger.conf, -instead of using "ldap" for all. ---- - raddb/trigger.conf | 29 +++++++++++++++++++---------- - 1 file changed, 19 insertions(+), 10 deletions(-) - -diff --git a/raddb/trigger.conf b/raddb/trigger.conf -index b80089c..44f9f36 100644 ---- a/raddb/trigger.conf -+++ b/raddb/trigger.conf -@@ -194,12 +194,15 @@ trigger { - # "trigger" subsection in the module configuration. - modules { - # Common arguments -- args = "radiusdModuleName s ldap radiusdModuleInstance s ''" -+ args = "radiusdModuleInstance s ''" - - # The files module - files { -+ # Common arguments -+ args = "radiusdModuleName s files ${..args}" -+ - # The module has been HUP'd via radmin -- hup = "${snmptrap}::serverModuleHup ${..args}" -+ hup = "${snmptrap}::serverModuleHup ${args}" - - # Note that "hup" can be used for every module - # which can be HUP'd via radmin -@@ -210,32 +213,38 @@ trigger { - # an LDAP connection ofr every "bind as user". Be aware that - # this will likely produce a lot of triggers. - ldap { -+ # Common arguments -+ args = "radiusdModuleName s ldap ${..args}" -+ - # A new connection to the DB has been opened -- open = "${snmptrap}::serverModuleConnectionUp ${..args}" -+ open = "${snmptrap}::serverModuleConnectionUp ${args}" - - # A connection to the DB has been closed -- close = "${snmptrap}::serverModuleConnectionDown ${..args}" -+ close = "${snmptrap}::serverModuleConnectionDown ${args}" - - # Failed to open a new connection to the DB -- fail = "${snmptrap}::serverModuleConnectionFail ${..args}" -+ fail = "${snmptrap}::serverModuleConnectionFail ${args}" - - # There are no DB handles available. 
-- none = "${snmptrap}::serverModuleConnectionNone ${..args}" -+ none = "${snmptrap}::serverModuleConnectionNone ${args}" - } - - # The SQL module - sql { -+ # Common arguments -+ args = "radiusdModuleName s sql ${..args}" -+ - # A new connection to the DB has been opened -- open = "${snmptrap}::serverModuleConnectionUp ${..args}" -+ open = "${snmptrap}::serverModuleConnectionUp ${args}" - - # A connection to the DB has been closed -- close = "${snmptrap}::serverModuleConnectionDown ${..args}" -+ close = "${snmptrap}::serverModuleConnectionDown ${args}" - - # Failed to open a new connection to the DB -- fail = "${snmptrap}::serverModuleConnectionFail ${..args}" -+ fail = "${snmptrap}::serverModuleConnectionFail ${args}" - - # There are no DB handles available. -- none = "${snmptrap}::serverModuleConnectionNone ${..args}" -+ none = "${snmptrap}::serverModuleConnectionNone ${args}" - } - - # You can use the same opn / close / fail / none triggers for --- -2.1.1 - diff --git a/SOURCES/freeradius-radtest-should-use-Cleartext-Password-for-EAP.patch b/SOURCES/freeradius-radtest-should-use-Cleartext-Password-for-EAP.patch new file mode 100644 index 0000000..3787926 --- /dev/null +++ b/SOURCES/freeradius-radtest-should-use-Cleartext-Password-for-EAP.patch 
@@ -0,0 +1,39 @@ +From 362533a64646cce89799ba0759d4304b8de1e917 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Tue, 7 Mar 2017 09:22:10 -0500 +Subject: [PATCH] radtest should use Cleartext-Password for EAP + +(cherry picked from commit 0251c6c9d049f06c8f10974f9e67ef8142b17047) +--- + src/main/radtest.in | 2 +- + src/modules/rlm_eap/radeapclient.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/main/radtest.in b/src/main/radtest.in +index 7f009ae68..38b1ba9a0 100644 +--- a/src/main/radtest.in ++++ b/src/main/radtest.in +@@ -81,7 +81,7 @@ do + PASSWORD="MS-CHAP-Password" + ;; + eap-md5) +- PASSWORD="User-Password" ++ PASSWORD="Cleartext-Password" + if [ ! -x "$radeapclient" ] + then + echo "radtest: No 'radeapclient' program was found. Cannot perform EAP-MD5." >&1 +diff --git a/src/modules/rlm_eap/radeapclient.c b/src/modules/rlm_eap/radeapclient.c +index 020d252f1..ff69361e4 100644 +--- a/src/modules/rlm_eap/radeapclient.c ++++ b/src/modules/rlm_eap/radeapclient.c +@@ -468,6 +468,7 @@ static int rc_init_packet(rc_transaction_t *trans) + /* + * Keep a copy of the the password attribute. + */ ++ case PW_CLEARTEXT_PASSWORD: + case PW_USER_PASSWORD: + case PW_CHAP_PASSWORD: + case PW_MS_CHAP_PASSWORD: +-- +2.11.0 + diff --git a/SOURCES/freeradius-redhat-config.patch b/SOURCES/freeradius-redhat-config.patch index 7baf80d..a120128 100644 --- a/SOURCES/freeradius-redhat-config.patch +++ b/SOURCES/freeradius-redhat-config.patch @@ -1,7 +1,7 @@ -From 61aa3696bb0179a8296e4f389f34ffc31424dbf1 Mon Sep 17 00:00:00 2001 +From 0d05cf9318ff5861d9833007d46a4a7ed78cbafd Mon Sep 17 00:00:00 2001 From: Nikolai Kondrashov Date: Mon, 8 Sep 2014 12:32:13 +0300 -Subject: [PATCH 1/1] Adjust configuration to fit Red Hat specifics +Subject: [PATCH] Adjust configuration to fit Red Hat specifics --- raddb/mods-available/eap | 4 ++-- 
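Review bot: The new `case PW_CLEARTEXT_PASSWORD:` in rc_init_packet's switch is left unexplained; the surrounding comment only says the block keeps a copy of "the password attribute", and a reader will not know why a control attribute is accepted alongside the wire attributes. Suggest a one-line comment above the new label, `/* Cleartext-Password: what radtest now supplies for eap-md5 (see radtest.in) */`, which ties the two hunks of the patch together. The radtest.in hunk only changes the eap-md5 branch, so the two halves are consistent. rc_init_packet's body and the end of the switch lie outside the hunk, so whether the attribute is kept out of the packet that is actually sent cannot be confirmed from here.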
@@ -9,10 +9,10 @@ Subject: [PATCH 1/1] Adjust configuration to fit Red Hat specifics 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap -index 6938171..95ef666 100644 +index 427016c66..9659db1cd 100644 --- a/raddb/mods-available/eap +++ b/raddb/mods-available/eap -@@ -430,7 +430,7 @@ eap { +@@ -470,7 +470,7 @@ eap { # # You should also delete all of the files # in the directory when the server starts. @@ -21,7 +21,7 @@ index 6938171..95ef666 100644 # The command used to verify the client cert. # We recommend using the OpenSSL command-line -@@ -444,7 +444,7 @@ eap { +@@ -484,7 +484,7 @@ eap { # in PEM format. This file is automatically # deleted by the server when the command # returns. @@ -31,7 +31,7 @@ index 6938171..95ef666 100644 # diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in -index 307ae10..7cf71be 100644 +index c62f4ffed..625f43447 100644 --- a/raddb/radiusd.conf.in +++ b/raddb/radiusd.conf.in @@ -70,8 +70,7 @@ certdir = ${confdir}/certs @@ -44,7 +44,7 @@ index 307ae10..7cf71be 100644 # # libdir: Where to find the rlm_* modules. -@@ -415,8 +414,8 @@ security { +@@ -436,8 +435,8 @@ security { # member. This can allow for some finer-grained access # controls. # @@ -56,5 +56,5 @@ index 307ae10..7cf71be 100644 # Core dumps are a bad thing. This should only be set to # 'yes' if you're debugging a problem with the server. -- -2.1.0 +2.11.0 diff --git a/SOURCES/freeradius-set-S_IWUSER-when-creating-the-file-not-later.patch b/SOURCES/freeradius-set-S_IWUSER-when-creating-the-file-not-later.patch new file mode 100644 index 0000000..3edff67 --- /dev/null +++ b/SOURCES/freeradius-set-S_IWUSER-when-creating-the-file-not-later.patch 
@@ -0,0 +1,35 @@ +From 1a39666a0dc41d76524001461cd47a19600deaba Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Mon, 8 May 2017 16:00:01 -0400 +Subject: [PATCH] set S_IWUSER when creating the file, not later + +(cherry picked from commit 8f53382c64114936a0433d68101a24570783e13a) +--- + src/main/tls.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/src/main/tls.c b/src/main/tls.c +index e992062dc..1008e8a51 100644 +--- a/src/main/tls.c ++++ b/src/main/tls.c +@@ -1382,7 +1382,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess) + /* open output file */ + snprintf(filename, sizeof(filename), "%s%c%s.asn1", + conf->session_cache_path, FR_DIR_SEP, buffer); +- fd = open(filename, O_RDWR|O_CREAT|O_EXCL, 0600); ++ fd = open(filename, O_RDWR|O_CREAT|O_EXCL, S_IWUSR); + if (fd < 0) { + if (request) RERROR("Session serialisation failed, failed opening session file %s: %s", + filename, fr_syserror(errno)); +@@ -1400,8 +1400,6 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess) + fr_pair_value_strcpy(vp, filename); + fr_pair_add(&request->state, vp); + } +- +- (void) fchmod(fd, S_IWUSR); + } + + todo = blob_len; +-- +2.11.0 + diff --git a/SOURCES/freeradius-set-S_IWUSER-when-creating-the-file.patch b/SOURCES/freeradius-set-S_IWUSER-when-creating-the-file.patch deleted file mode 100644 index df8d501..0000000 --- a/SOURCES/freeradius-set-S_IWUSER-when-creating-the-file.patch +++ /dev/null 
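Review bot: The mode argument `S_IWUSR` in the changed `open()` call needs a why-comment, because a file created write-only (0200, further restricted by umask) instead of 0600 looks like a typo to anyone who has not read the patch subject. The point of the change is that there is no longer a window between creation and the removed `(void) fchmod(fd, S_IWUSR);` in which the half-written session file is readable, so say so at the call site: `/* write-only from creation: no fchmod() window with a readable, partially written session file */`. Whether and where the file is later made readable for the read side is not visible here; cbtls_new_session continues beyond the hunk.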
@@ -1,26 +0,0 @@ -From 608943a10f589974191fe69ec6ab2b9b456fd85b Mon Sep 17 00:00:00 2001 -From: "Alan T. DeKok" -Date: Mon, 8 May 2017 16:00:01 -0400 -Subject: [PATCH] set S_IWUSER when creating the file - -(cherry picked from commit 8f53382c64114936a0433d68101a24570783e13a) ---- - src/main/tls.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/main/tls.c b/src/main/tls.c -index b790d2dc1..887f81755 100644 ---- a/src/main/tls.c -+++ b/src/main/tls.c -@@ -1143,7 +1143,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess) - /* open output file */ - snprintf(filename, sizeof(filename), "%s%c%s.asn1", - conf->session_cache_path, FR_DIR_SEP, buffer); -- fd = open(filename, O_RDWR|O_CREAT|O_EXCL, 0600); -+ fd = open(filename, O_RDWR|O_CREAT|O_EXCL, S_IWUSR); - if (fd < 0) { - DEBUG2(" SSL: could not open session file %s: %s", filename, fr_syserror(errno)); - goto error; --- -2.11.0 - diff --git a/SOURCES/freeradius-talloc-dummy-request.patch b/SOURCES/freeradius-talloc-dummy-request.patch deleted file mode 100644 index e84111f..0000000 --- a/SOURCES/freeradius-talloc-dummy-request.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 03c5915208234255484ece4c233c9e252776e3a3 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Mon, 29 Sep 2014 17:40:10 +0300 -Subject: [PATCH 1/1] process: Talloc home_trigger dummy request - -Allocate the dummy request in home_trigger with talloc, instead of -allocating it on the stack, as the rest of the code expects it to be a -valid talloc context. - -This fixes a talloc_abort resulting from xlat_tokenize_request invoking -talloc_typed_strdup with the dummy request as the talloc context. ---- - src/main/process.c | 17 +++++++++-------- - 1 file changed, 9 insertions(+), 8 deletions(-) - -diff --git a/src/main/process.c b/src/main/process.c -index 76ce4ea..7e1a51e 100644 ---- a/src/main/process.c -+++ b/src/main/process.c -@@ -3212,16 +3212,17 @@ static void ping_home_server(void *ctx) - - static void home_trigger(home_server_t *home, char const *trigger) - { -- REQUEST my_request; -- RADIUS_PACKET my_packet; -+ REQUEST *my_request; -+ RADIUS_PACKET *my_packet; - -- memset(&my_request, 0, sizeof(my_request)); -- memset(&my_packet, 0, sizeof(my_packet)); -- my_request.proxy = &my_packet; -- my_packet.dst_ipaddr = home->ipaddr; -- my_packet.src_ipaddr = home->src_ipaddr; -+ my_request = talloc_zero(NULL, REQUEST); -+ my_packet = talloc_zero(my_request, RADIUS_PACKET); -+ my_request->proxy = my_packet; -+ my_packet->dst_ipaddr = home->ipaddr; -+ my_packet->src_ipaddr = home->src_ipaddr; - -- exec_trigger(&my_request, home->cs, trigger, false); -+ exec_trigger(my_request, home->cs, trigger, false); -+ talloc_free(my_request); - } - - static void mark_home_server_zombie(home_server_t *home, struct timeval *now, struct timeval *response_window) --- -2.1.0 - diff --git a/SOURCES/freeradius-valuepair-don-t-remove-unkown-backslash.patch b/SOURCES/freeradius-valuepair-don-t-remove-unkown-backslash.patch deleted file mode 100644 index 2607c54..0000000 --- a/SOURCES/freeradius-valuepair-don-t-remove-unkown-backslash.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 90b5b46341dbba78d8cd98d55d1b9321544c7887 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Mon, 15 Dec 2014 14:42:56 +0200 -Subject: [PATCH 1/1] valuepair: Don't remove unknown backslash - -Don't remove backslash from unknown escape sequences in pairparsevalue, -adhering to behavior common to most other programs dealing with -backslash escape sequences. ---- - src/lib/valuepair.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/src/lib/valuepair.c b/src/lib/valuepair.c -index 7d6ee88..7742b81 100644 ---- a/src/lib/valuepair.c -+++ b/src/lib/valuepair.c -@@ -1176,12 +1176,14 @@ int pairparsevalue(VALUE_PAIR *vp, char const *value, size_t inlen) - c = x; - cp += 3; - -- } else if (cp[0]) { -- /* -- * \p --> p -- */ -- c = *cp++; -- } /* else at EOL \ --> \ */ -+ } -+ -+ /* -+ * Else It's not a recognised escape sequence DON'T -+ * consume the backslash. This is identical -+ * behaviour to bash and most other things that -+ * use backslash escaping. -+ */ - } - *p++ = c; - vp_len++; --- -2.1.3 - diff --git a/SOURCES/radiusd.service b/SOURCES/radiusd.service index 635b6d6..67696ad 100644 --- a/SOURCES/radiusd.service +++ b/SOURCES/radiusd.service @@ -1,6 +1,6 @@ [Unit] Description=FreeRADIUS high performance RADIUS server. -After=syslog.target network.target +After=syslog.target network.target ipa.service dirsrv.target krb5kdc.service [Service] Type=forking diff --git a/SPECS/freeradius.spec b/SPECS/freeradius.spec index d10f52f..81d16bc 100644 --- a/SPECS/freeradius.spec +++ b/SPECS/freeradius.spec @@ -1,7 +1,7 @@ Summary: High-performance and highly configurable free RADIUS server Name: freeradius -Version: 3.0.4 -Release: 8%{?dist} +Version: 3.0.13 +Release: 6%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Daemons URL: http://www.freeradius.org/ 
@@ -22,39 +22,13 @@ Source103: freeradius-pam-conf Source104: freeradius-tmpfiles.conf Patch1: freeradius-redhat-config.patch -Patch2: freeradius-postgres-sql.patch -Patch3: freeradius-add-disable-openssl-version-check.patch -Patch4: freeradius-talloc-dummy-request.patch -Patch5: freeradius-dont-detach-after-perl_parse.patch -Patch6: freeradius-access-union-consistently.patch -Patch7: freeradius-dont-truncate-uint64.patch -Patch8: freeradius-prefix-endian-macros.patch -Patch9: freeradius-dont-swap-uint128-printing-on-be.patch -Patch10: freeradius-fix-dhcp-dictionary-loading.patch -Patch11: freeradius-mention-eap-md5-in-radtest-synopsis.patch -Patch12: freeradius-add-P-option-to-radtest-synopsis.patch -Patch13: freeradius-exec-dont-assume-request-presence-when-logging.patch -Patch14: freeradius-raddb-remove-extra-apostrophe-from-trigger.conf.patch -Patch15: freeradius-raddb-use-appropriate-module-names-in-traps.patch -Patch16: freeradius-connection-fall-through-to-global-module-triggers.patch -Patch17: freeradius-ignore-SIGTERM-when-firing-stop-and-signal.term.patch -Patch18: freeradius-raddb-update-triggers-in-trigger.conf.patch -Patch19: freeradius-make-grp-tallo-c-too.patch -Patch20: freeradius-fix-checks-for-PW_TYPE_FILE_INPUT.patch -Patch21: freeradius-added-D-option-to-mirror-radclient.patch -Patch22: freeradius-man-remove-client-attribute-description.patch -Patch23: freeradius-man-remove-references-to-naslist-and-clients.patch -Patch24: freeradius-valuepair-don-t-remove-unkown-backslash.patch -Patch25: freeradius-rad_counter-use-heredoc-for-help-message.patch -Patch26: freeradius-rad_counter-Refine-help-message.patch -Patch27: freeradius-dhcpclient-Add-a-short-description-to-help-output.patch -Patch28: freeradius-raddb-Move-trigger.conf-INCLUDE-before-modules.patch -Patch29: freeradius-Resolve-to-all-families-on-ip_hton-fallback.patch -Patch30: freeradius-Don-t-overwrite-ip_hton-af-prefix-in-fr_pton4-6.patch -Patch31: 
freeradius-raddb-Comment-on-ipaddr-ipv4addr-ipv6addr-use.patch -Patch32: freeradius-Rename-lt_-symbols-to-fr_.patch -Patch33: freeradius-disable-internal-OpenSSL-cache.patch -Patch34: freeradius-set-S_IWUSER-when-creating-the-file.patch +Patch2: freeradius-Fix-some-issues-found-with-static-analyzers.patch +Patch3: freeradius-Handle-connection-error-in-rlm_ldap_cacheable_groupo.patch +Patch4: freeradius-radtest-should-use-Cleartext-Password-for-EAP.patch +Patch5: freeradius-disable-internal-OpenSSL-cache.patch +Patch6: freeradius-check-sizeof-packet-.-Found-by-PVS-Studio.patch +Patch7: freeradius-parse-port.-Closes-2000.patch +Patch8: freeradius-set-S_IWUSER-when-creating-the-file-not-later.patch %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} @@ -219,32 +193,6 @@ This plugin provides the unixODBC support for the FreeRADIUS server project. %patch6 -p1 %patch7 -p1 %patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -p1 -%patch21 -p1 -%patch22 -p1 -%patch23 -p1 -%patch24 -p1 -%patch25 -p1 -%patch26 -p1 -%patch27 -p1 -%patch28 -p1 -%patch29 -p1 -%patch30 -p1 -%patch31 -p1 -%patch32 -p1 -%patch33 -p1 -%patch34 -p1 %build # Force compile/link options, extra security for network facing daemon @@ -269,7 +217,10 @@ This plugin provides the unixODBC support for the FreeRADIUS server project. --without-rlm_sql_db2 \ --without-rlm_sql_oracle \ --without-rlm_rest \ - --without-rlm_unbound + --without-rlm_unbound \ + --without-rlm_redis \ + --without-rlm_rediswho \ + --without-rlm_cache_memcached make 
@@ -281,15 +232,19 @@ make install R=$RPM_BUILD_ROOT mkdir -p $RPM_BUILD_ROOT/var/log/radius/radacct touch $RPM_BUILD_ROOT/var/log/radius/{radutmp,radius.log} -install -D -m 755 %{SOURCE100} $RPM_BUILD_ROOT/%{_unitdir}/radiusd.service +install -D -m 644 %{SOURCE100} $RPM_BUILD_ROOT/%{_unitdir}/radiusd.service install -D -m 644 %{SOURCE102} $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/radiusd install -D -m 644 %{SOURCE103} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/radiusd -mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d +install -d -m 0755 %{buildroot}%{_prefix}/lib/tmpfiles.d mkdir -p %{buildroot}%{_localstatedir}/run/ install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp -install -m 0644 %{SOURCE104} %{buildroot}%{_sysconfdir}/tmpfiles.d/radiusd.conf +install -m 0644 %{SOURCE104} %{buildroot}%{_prefix}/lib/tmpfiles.d/radiusd.conf + +# install SNMP MIB files +mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/ +install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/ # remove unneeded stuff rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt @@ -303,10 +258,6 @@ rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/serial* rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/dh rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/random -# install SNMP MIB files -mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/ -install -m 644 mibs/*RADIUS*.txt $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/ - rm -f $RPM_BUILD_ROOT/usr/sbin/rc.radiusd rm -f $RPM_BUILD_ROOT/usr/bin/rbmonkey rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.a 
@@ -321,6 +272,12 @@ rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/oracle rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/unbound rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/unbound/default.conf rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/couchbase +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/abfab* +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/policy.d/abfab* +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/policy.d/moonshot-targeted-ids +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab* + +rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so # remove unsupported config files rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf @@ -391,7 +348,7 @@ exit 0 %config(noreplace) %{_sysconfdir}/pam.d/radiusd %config(noreplace) %{_sysconfdir}/logrotate.d/radiusd %{_unitdir}/radiusd.service -%config %{_sysconfdir}/tmpfiles.d/radiusd.conf +%{_prefix}/lib/tmpfiles.d/radiusd.conf %dir %attr(710,radiusd,radiusd) %{_localstatedir}/run/radiusd %dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp %dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd @@ -423,6 +380,7 @@ exit 0 # certs %dir %attr(770,root,radiusd) /etc/raddb/certs %config(noreplace) /etc/raddb/certs/Makefile +%config(noreplace) /etc/raddb/certs/passwords.mk /etc/raddb/certs/README %config(noreplace) /etc/raddb/certs/xpextensions %attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf @@ -469,6 +427,7 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/buffered-sql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/tls %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/channel_bindings +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/challenge # sites-enabled # symlink: /etc/raddb/sites-enabled/xxx -> ../sites-available/xxx 
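Review bot: The added `%config(noreplace) /etc/raddb/certs/passwords.mk` carries no `%attr`, so it keeps whatever mode `make install` produced, whereas the neighbouring `*.cnf` entry is `%attr(640,root,radiusd) %config(noreplace)`. If passwords.mk holds the certificate passphrases consumed by the certs Makefile, as its name suggests, it should get the same treatment: `%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/passwords.mk`. The `%dir %attr(770,root,radiusd)` line and the README entry in that hunk are unchanged context.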
@@ -544,6 +503,7 @@ exit 0
 %config(missingok) /etc/raddb/mods-enabled/attr_filter
 %config(missingok) /etc/raddb/mods-enabled/cache_eap
 %config(missingok) /etc/raddb/mods-enabled/chap
+%config(missingok) /etc/raddb/mods-enabled/date
 %config(missingok) /etc/raddb/mods-enabled/detail
 %config(missingok) /etc/raddb/mods-enabled/detail.log
 %config(missingok) /etc/raddb/mods-enabled/dhcp
@@ -611,6 +571,7 @@ exit 0
 %{_libdir}/freeradius/rlm_always.so
 %{_libdir}/freeradius/rlm_attr_filter.so
 %{_libdir}/freeradius/rlm_cache.so
+%{_libdir}/freeradius/rlm_cache_rbtree.so
 %{_libdir}/freeradius/rlm_chap.so
 %{_libdir}/freeradius/rlm_counter.so
 %{_libdir}/freeradius/rlm_cram.so
@@ -620,6 +581,7 @@ exit 0
 %{_libdir}/freeradius/rlm_digest.so
 %{_libdir}/freeradius/rlm_dynamic_clients.so
 %{_libdir}/freeradius/rlm_eap.so
+%{_libdir}/freeradius/rlm_eap_fast.so
 %{_libdir}/freeradius/rlm_eap_gtc.so
 %{_libdir}/freeradius/rlm_eap_leap.so
 %{_libdir}/freeradius/rlm_eap_md5.so
@@ -688,7 +650,7 @@ exit 0
 %doc %{_mandir}/man8/radrelay.8.gz
 
 # MIB files
-%{_datadir}/snmp/mibs/*RADIUS*.txt
+%{_datadir}/snmp/mibs/*RADIUS*.mib
 
 %files doc
 
@@ -705,7 +667,9 @@ exit 0
 %doc %{_mandir}/man1/radtest.1.gz
 %doc %{_mandir}/man1/radwho.1.gz
 %doc %{_mandir}/man1/radzap.1.gz
+%doc %{_mandir}/man1/rad_counter.1.gz
 %doc %{_mandir}/man1/smbencrypt.1.gz
+%doc %{_mandir}/man1/dhcpclient.1.gz
 %doc %{_mandir}/man5/checkrad.5.gz
 %doc %{_mandir}/man8/radcrypt.8.gz
 %doc %{_mandir}/man8/radsniff.8.gz
@@ -829,14 +793,125 @@ exit 0 %{_libdir}/freeradius/rlm_sql_unixodbc.so %changelog -* Thu Jun 15 2017 Nikolai Kondrashov - 3.0.4-8 -- Disable internal OpenSSL cache and fix session cache file permissions. - Resolves: Bug#1459131 CVE-2017-9148 freeradius: TLS resumption +* Thu Jun 15 2017 Nikolai Kondrashov - 3.0.13-6 +- Avoid race condition when creating session cache file + Resolves: Bug#1458746 CVE-2017-9148 freeradius: TLS resumption + authentication bypass + +* Tue Jun 06 2017 Nikolai Kondrashov - 3.0.13-5 +- Refer to correct package version in configuration comments for Bug#1458746 + (CVE-2017-9148) fix. + Related: Bug#1458746 CVE-2017-9148 freeradius: TLS resumption + authentication bypass + +* Tue Jun 06 2017 Nikolai Kondrashov - 3.0.13-4 +- Disable internal OpenSSL cache. + Resolves: Bug#1458746 CVE-2017-9148 freeradius: TLS resumption authentication bypass +- Check sizeof(*packet), not sizeof(packet) in EAP-PWD + Resolves: Bug#1459073 Potential buffer overflow in FreeRADIUS EAP-PWD +- Parse port as well as address for dhcpclient destination + Resolves: Bug#1457825 dhcpclient does no accept IP:PORT + +* Wed Mar 29 2017 Nikolai Kondrashov - 3.0.13-3 +- Explicitly disable rlm_cache_memcached to avoid error when the module's + dependencies are installed, and it is built, but not packaged. + Related: Bug#1202751 Rebase FreeRADIUS to 3.0.12 or later minor release +- Prevent segfaults by adding a missing handling of connection errors in + rlm_ldap. + Resolves: Bug#1437409 [abrt] freeradius: radiusd killed by SIGSEGV +- Make radtest use Cleartext-Password for EAP, fixing its support for eap-md5. + Resolves: Bug#1436619 radtest does not work with eap-md5 + +* Thu Mar 23 2017 Nikolai Kondrashov - 3.0.13-2 +- Fix some issues found with static analyzers. + Resolves: Bug#1432103 FreeRADIUS fails covscan checks +- Revert rlm_eap_tnc removal, because the tncfhh package is still in RHEL. 
+ Related: Bug#1202751 Rebase FreeRADIUS to 3.0.12 or later minor release + +* Tue Mar 07 2017 Nikolai Kondrashov - 3.0.13-1 +- Upgrade to upstream v3.0.13 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). + Related: Bug#1202751 Rebase FreeRADIUS to 3.0.12 or later minor release + Resolves: Bug#1329181 freeradius-python fix libpython2.7.so dependency at + compile time + Resolves: Bug#1425869 Radiusd does not trigger modules.sql.fail trap if it + can't connect to mysql server + Resolves: Bug#1427829 Stack overflow when passing bare IPv6 to radclient + +* Tue Feb 21 2017 Nikolai Kondrashov - 3.0.12-2 +- Do not fail logrotate if radiusd is not running. + Resolves: Bug#1365226 error running non-shared postrotate script for + /var/log/radius/radius.log of + '/var/log/radius/radius.log ' +- Fix output to log file specified with -l option. + Resolves: Bug#1421207 radiusd does not work with log file specified by -l + option +- Fix long hostnames interpreted as IP addresses. + Resolves: Bug#1420359 radclient does not detect 4. level and higher domain + name as a domain name +- Avoid clashes with libtool library symbols. + Resolves: Bug#1391960 undefined symbol: get_vtable in + /usr/lib64/libtdsodbc.so.0 with freeradius-unixODBC +- Remove mentions of Auth-Type = System from docs. + Resolves: Bug#1420293 Freeradius does not know Auth-Type = System +- Improve ip/v4/v6/addr documentation. + Resolves: Bug#1179736 add description for ipaddr = hostname from DNS with A + and AAAA entries + +* Fri Nov 25 2016 Nikolai Kondrashov - 3.0.12-1 +- Upgrade to upstream v3.0.12 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). 
+ Related: Bug#1202751 Rebase FreeRADIUS to 3.0.7 or later minor release + Resolves: Bug#1358989 FreeRADIUS stops reading the accounting packets from the + detail file + Resolves: Bug#1269217 FreeRADIUS triggers mprotect with large radius reply + Resolves: Bug#1344183 radiusd crashed in rbtree_find() after receiving a packet + Resolves: Bug#1370431 FreeRADIUS fails to establish LDAP connections under + load + Resolves: Bug#1397981 [abrt] freeradius: radiusd killed by SIGSEGV + +* Mon Apr 18 2016 Nikolai Kondrashov - 3.0.11-1 +- Upgrade to upstream v3.0.11 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). + Resolves: Bug#1197551 + Resolves: Bug#1179745 + Resolves: Bug#1202751 Rebase FreeRADIUS to 3.0.7 or later minor release + Resolves: Bug#1289849 FreeRadius should start after ldap, ipa and krb5kdc + Resolves: Bug#1208886 Add the latest Mikrotik dictionary into Freeradius + Resolves: Bug#1198620 radutmp should not rotate + Resolves: Bug#1180979 Freeradius is installing files under /etc/tmpfiles.d/ + Resolves: Bug#1187904 radiusd logrotate config file contains old style + "/sbin/service radius reload" reload call + Resolves: Bug#1167846 radiusd fails to load clients from ldap + Resolves: Bug#1422018 /usr/lib/systemd/system/radiusd.service is marked + executable. Please remove executable permission bits + Resolves: Bug#1167843 support for older style generic attributes in + rlm_ldap doesn't work + Resolves: Bug#1354234 home servers are marked as dead by radiusd + +* Wed Dec 09 2015 Nikolai Kondrashov - 3.0.10-1 +- Upgrade to upstream v3.0.10 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). + Related: Bug#1202751 + Resolves: Bug#1340334 freeradius: Decryption of very long Tunnel-Passwords + can cause buffer overflow +- Remove rlm_eap_tnc support as the required package "tncfhh" was retired. -* Mon Nov 14 2016 Nikolai Kondrashov - 3.0.4-7 -- Rename lt_ symbols to fr_ to avoid clashes with libltdl. 
- Resolves: Bug#1394787 +* Wed Aug 19 2015 Nikolai Kondrashov - 3.0.9-1 +- Upgrade to upstream v3.0.9 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). + Related: Bug#1202751 + +* Tue Apr 28 2015 Nikolai Kondrashov - 3.0.8-1 +- Upgrade to upstream v3.0.8 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). + Related: Bug#1202751 + +* Thu Mar 19 2015 Nikolai Kondrashov - 3.0.7-1 +- Upgrade to upstream v3.0.7 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). + Related: Bug#1202751 * Fri Dec 26 2014 Nikolai Kondrashov - 3.0.4-6 - Don't remove backslash from unknown escape sequences in LDAP values.