diff --git a/.freeradius.metadata b/.freeradius.metadata
index 1bde044..71192f0 100644
--- a/.freeradius.metadata
+++ b/.freeradius.metadata
@@ -1 +1 @@
-3115f18fbe550460617f5a3402017e9b675a8726 SOURCES/freeradius-server-3.0.1.tar.bz2
+baa58979672f6fc57ab4f16e947b85b9a6eee969 SOURCES/freeradius-server-3.0.4.tar.bz2
diff --git a/.gitignore b/.gitignore
index 3ea5f53..1fd3624 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeradius-server-3.0.1.tar.bz2
+SOURCES/freeradius-server-3.0.4.tar.bz2
diff --git a/SOURCES/freeradius-Don-t-overwrite-ip_hton-af-prefix-in-fr_pton4-6.patch b/SOURCES/freeradius-Don-t-overwrite-ip_hton-af-prefix-in-fr_pton4-6.patch
new file mode 100644
index 0000000..71ac3bf
--- /dev/null
+++ b/SOURCES/freeradius-Don-t-overwrite-ip_hton-af-prefix-in-fr_pton4-6.patch
@@ -0,0 +1,62 @@ +From 64ee0b30df59857bce8f0efea019d065cf48c54c Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Thu, 18 Dec 2014 22:05:35 +0200 +Subject: [PATCH 2/2] Don't overwrite ip_hton af/prefix in fr_pton4/6 + +Don't overwrite address family and prefix set by ip_hton (which can fall +back onto other address family) with AF_INET/32 and AF_INET6/128, in +fr_pton4 and fr_pton6 respectively. + +This fixes radiusd listening on wrong address data when falling back to +another address family. +--- + src/lib/misc.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/lib/misc.c b/src/lib/misc.c +index ad27057..cf49917 100644 +--- a/src/lib/misc.c ++++ b/src/lib/misc.c +@@ -238,6 +238,9 @@ int fr_pton4(fr_ipaddr_t *out, char const *value, size_t inlen, bool resolve, bo + * 192.0.2.2 is parsed as if it was /32 + */ + if (!p) { ++ out->prefix = 32; ++ out->af = AF_INET; ++ + /* + * Allow '*' as the wildcard address usually 0.0.0.0 + */ +@@ -258,9 +261,6 @@ int fr_pton4(fr_ipaddr_t *out, char const *value, size_t inlen, bool resolve, bo + } + } else if (ip_hton(out, AF_INET, value, fallback) < 0) return -1; + +- out->prefix = 32; +- out->af = AF_INET; +- + return 0; + } + +@@ -338,6 +338,9 @@ int fr_pton6(fr_ipaddr_t *out, char const *value, size_t inlen, bool resolve, bo + + p = strchr(value, '/'); + if (!p) { ++ out->prefix = 128; ++ out->af = AF_INET6; ++ + /* + * Allow '*' as the wildcard address + */ +@@ -350,9 +353,6 @@ int fr_pton6(fr_ipaddr_t *out, char const *value, size_t inlen, bool resolve, bo + } + } else if (ip_hton(out, AF_INET6, value, fallback) < 0) return -1; + +- out->prefix = 128; +- out->af = AF_INET6; +- + return 0; + } + +-- +2.1.3 + diff --git a/SOURCES/freeradius-Resolve-to-all-families-on-ip_hton-fallback.patch b/SOURCES/freeradius-Resolve-to-all-families-on-ip_hton-fallback.patch new file mode 100644 index 0000000..3faba7a --- /dev/null 
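Review bot: With the `af`/`prefix` defaults now assigned before the `ip_hton()` call in the no-prefix branch of `fr_pton4()`/`fr_pton6()`, correctness on fallback depends on `ip_hton()` rewriting both `out->af` and `out->prefix` for the family it actually resolved to; the companion patch only changes `hints.ai_family`, and the part of `ip_hton()` that fills `out` is outside this hunk, so that should be confirmed rather than assumed, since an IPv6 result left with `prefix = 32` would be a wrong netmask on a listen or client address. A short comment at the new assignments would make the contract explicit: `/* Defaults for a bare address; ip_hton() overrides af/prefix if it falls back to the other family */`. The `/prefix` branch (where `p` is non-NULL) and the remainder of both function bodies lie outside the hunk.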
+++ b/SOURCES/freeradius-Resolve-to-all-families-on-ip_hton-fallback.patch @@ -0,0 +1,64 @@ +From a23dbf402ad466bf41c95da82e58dedc7b615f99 Mon Sep 17 00:00:00 2001 +From: Arran Cudbard-Bell +Date: Mon, 1 Dec 2014 14:15:45 -0500 +Subject: [PATCH 1/2] Resolve to all families on ip_hton fallback + +If we're doing fallback resolution we need to set the address family to +AF_UNSPEC to get both IPv6 and IPv4 addresses + +The af that was passed in, is then used to set the preference +--- + src/lib/misc.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/src/lib/misc.c b/src/lib/misc.c +index d0ccd6c..ad27057 100644 +--- a/src/lib/misc.c ++++ b/src/lib/misc.c +@@ -845,7 +845,15 @@ int ip_hton(fr_ipaddr_t *out, int af, char const *hostname, bool fallback) + int rcode; + struct addrinfo hints, *ai = NULL, *alt = NULL, *res = NULL; + ++ /* ++ * Avoid malloc for IP addresses. This helps us debug ++ * memory errors when using talloc. ++ */ ++#ifdef TALLOC_DEBUG ++ if (true) { ++#else + if (!fr_hostname_lookups) { ++#endif + #ifdef HAVE_STRUCT_SOCKADDR_IN6 + if (af == AF_UNSPEC) { + char const *p; +@@ -872,22 +880,15 @@ int ip_hton(fr_ipaddr_t *out, int af, char const *hostname, bool fallback) + } + + memset(&hints, 0, sizeof(hints)); +- hints.ai_family = af; + +-#ifdef TALLOC_DEBUG + /* +- * Avoid malloc for IP addresses. This helps us debug +- * memory errors when using talloc. ++ * If we're falling back we need both IPv4 and IPv6 records + */ +- if (af == AF_INET) { +- /* +- * If it's all numeric, avoid getaddrinfo() +- */ +- if (inet_pton(af, hostname, &out->ipaddr.ip4addr) == 1) { +- return 0; +- } ++ if (fallback) { ++ hints.ai_family = AF_UNSPEC; ++ } else { ++ hints.ai_family = af; + } +-#endif + + if ((rcode = getaddrinfo(hostname, NULL, &hints, &res)) != 0) { + fr_strerror_printf("ip_hton: %s", gai_strerror(rcode)); +-- +2.1.3 + 
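Review bot: In `ip_hton()` the new `#ifdef TALLOC_DEBUG` / `if (true)` wrapper makes the no-lookup path unconditional in debug builds, so `fr_hostname_lookups` is ignored there and whatever that block does with a non-numeric name (outside the hunk) now applies to every hostname, whereas the removed code only short-circuited numeric IPv4 and still let real hostnames reach `getaddrinfo()`; that is a behavioural divergence between debug and release builds worth stating in the comment, or avoiding by computing a named flag instead of wrapping the `if` itself in preprocessor conditionals. Separately, with `hints.ai_family = AF_UNSPEC` and `ai_socktype` left at 0, glibc's `getaddrinfo()` returns each address several times (one per socket type), so the preference walk over `ai`/`alt` further down (outside the hunk) sees duplicates; setting `hints.ai_socktype` avoids that since only the address is used. Sketch of both:
```c
	/*
	 *	Avoid malloc for IP addresses.  This helps us debug
	 *	memory errors when using talloc.  NOTE: in TALLOC_DEBUG
	 *	builds this also disables hostname resolution entirely.
	 */
#ifdef TALLOC_DEBUG
	bool const skip_lookup = true;
#else
	bool const skip_lookup = !fr_hostname_lookups;
#endif
	if (skip_lookup) {
		/* … unchanged: numeric-only parsing … */
	}

	memset(&hints, 0, sizeof(hints));
	hints.ai_socktype = SOCK_DGRAM;	/* one entry per address, not per socket type */
	hints.ai_family = fallback ? AF_UNSPEC : af;	/* fallback needs both v4 and v6 records */
```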
diff --git a/SOURCES/freeradius-access-union-consistently.patch b/SOURCES/freeradius-access-union-consistently.patch
new file mode 100644
index 0000000..5e65d6e
--- /dev/null
+++ b/SOURCES/freeradius-access-union-consistently.patch
@@ -0,0 +1,401 @@ +From 5e8a69d547461c757abe2870ecbff2aa7a1fea55 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Wed, 1 Oct 2014 11:51:51 -0400 +Subject: [PATCH 2/4] Access union value_data members consistently + +Use the same, appropriate union value_data member for each access of +BOOLEAN, BYTE and SHORT PW_TYPEs, without assuming they're +interchangeable with "integer", as that is only true on little-endian +architectures. + +This fixes at least this wimax unit test failure on s390x and ppc64: + + Mismatch in line 11 of src/tests/unit/wimax.txt, got: 1a 0c 00 00 60 b5 01 06 00 02 03 00 expected: 1a 0c 00 00 60 b5 01 06 00 02 03 01 +--- + src/lib/print.c | 56 ++++++++++++------ + src/lib/radius.c | 8 +-- + src/lib/valuepair.c | 83 +++++++++++++++++++-------- + src/main/evaluate.c | 4 +- + src/main/valuepair.c | 4 ++ + src/main/xlat.c | 4 +- + src/modules/rlm_couchbase/mod.c | 17 +++++- + src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c | 4 +- + 8 files changed, 128 insertions(+), 52 deletions(-) + +diff --git a/src/lib/print.c b/src/lib/print.c +index 67263bc..fc1ae42 100644 +--- a/src/lib/print.c ++++ b/src/lib/print.c +@@ -314,6 +314,7 @@ size_t vp_data_prints_value(char *out, size_t outlen, + char const *a = NULL; + time_t t; + struct tm s_tm; ++ unsigned int i; + + size_t len = 0, freespace = outlen; + +@@ -365,15 +366,24 @@ size_t vp_data_prints_value(char *out, size_t outlen, + return fr_print_string(data->strvalue, data_len, out, outlen); + + case PW_TYPE_INTEGER: +- case PW_TYPE_BYTE: ++ i = data->integer; ++ goto print_int; ++ + case PW_TYPE_SHORT: ++ i = data->ushort; ++ goto print_int; ++ ++ case PW_TYPE_BYTE: ++ i = data->byte; ++ ++print_int: + /* Normal, non-tagged attribute */ +- if ((v = dict_valbyattr(da->attr, da->vendor, data->integer)) != NULL) { ++ if ((v = dict_valbyattr(da->attr, da->vendor, i)) != NULL) { + a = v->name; + len = strlen(a); + } else { + /* should never be truncated */ +- len = snprintf(buf, sizeof(buf), "%u", 
data->integer); ++ len = snprintf(buf, sizeof(buf), "%u", i); + a = buf; + } + break; +@@ -590,12 +600,20 @@ size_t vp_prints_value_json(char *out, size_t outlen, VALUE_PAIR const *vp) + if (!vp->da->flags.has_tag) { + switch (vp->da->type) { + case PW_TYPE_INTEGER: +- case PW_TYPE_BYTE: +- case PW_TYPE_SHORT: + if (vp->da->flags.has_value) break; + + return snprintf(out, freespace, "%u", vp->vp_integer); + ++ case PW_TYPE_SHORT: ++ if (vp->da->flags.has_value) break; ++ ++ return snprintf(out, freespace, "%u", (unsigned int) vp->vp_short); ++ ++ case PW_TYPE_BYTE: ++ if (vp->da->flags.has_value) break; ++ ++ return snprintf(out, freespace, "%u", (unsigned int) vp->vp_byte); ++ + case PW_TYPE_SIGNED: + return snprintf(out, freespace, "%d", vp->vp_signed); + +@@ -834,6 +852,8 @@ void vp_printlist(FILE *fp, VALUE_PAIR const *vp) + char *vp_aprint_value(TALLOC_CTX *ctx, VALUE_PAIR const *vp, bool escape) + { + char *p; ++ unsigned int i; ++ DICT_VALUE const *dv; + + switch (vp->da->type) { + case PW_TYPE_STRING: +@@ -860,19 +880,23 @@ char *vp_aprint_value(TALLOC_CTX *ctx, VALUE_PAIR const *vp, bool escape) + break; + } + +- case PW_TYPE_BYTE: +- case PW_TYPE_SHORT: + case PW_TYPE_INTEGER: +- { +- DICT_VALUE *dv; ++ i = vp->vp_integer; ++ goto print_int; + +- dv = dict_valbyattr(vp->da->attr, vp->da->vendor, +- vp->vp_integer); +- if (dv) { +- p = talloc_typed_strdup(ctx, dv->name); +- } else { +- p = talloc_typed_asprintf(ctx, "%u", vp->vp_integer); +- } ++ case PW_TYPE_SHORT: ++ i = vp->vp_short; ++ goto print_int; ++ ++ case PW_TYPE_BYTE: ++ i = vp->vp_byte; ++ ++ print_int: ++ dv = dict_valbyattr(vp->da->attr, vp->da->vendor, i); ++ if (dv) { ++ p = talloc_typed_strdup(ctx, dv->name); ++ } else { ++ p = talloc_typed_asprintf(ctx, "%u", i); + } + break; + +diff --git a/src/lib/radius.c b/src/lib/radius.c +index 0a40682..aabc545 100644 +--- a/src/lib/radius.c ++++ b/src/lib/radius.c +@@ -3984,18 +3984,18 @@ ssize_t rad_vp2data(uint8_t const **out, VALUE_PAIR const 
*vp) + } + + case PW_TYPE_BOOLEAN: +- buffer[0] = vp->vp_integer & 0x01; ++ buffer[0] = vp->vp_byte & 0x01; + *out = buffer; + break; + + case PW_TYPE_BYTE: +- buffer[0] = vp->vp_integer & 0xff; ++ buffer[0] = vp->vp_byte & 0xff; + *out = buffer; + break; + + case PW_TYPE_SHORT: +- buffer[0] = (vp->vp_integer >> 8) & 0xff; +- buffer[1] = vp->vp_integer & 0xff; ++ buffer[0] = (vp->vp_short >> 8) & 0xff; ++ buffer[1] = vp->vp_short & 0xff; + *out = buffer; + break; + +diff --git a/src/lib/valuepair.c b/src/lib/valuepair.c +index 9dcae70..7d6ee88 100644 +--- a/src/lib/valuepair.c ++++ b/src/lib/valuepair.c +@@ -1369,65 +1369,100 @@ int pairparsevalue(VALUE_PAIR *vp, char const *value, size_t inlen) + case PW_TYPE_BYTE: + { + char *p; +- vp->length = 1; ++ unsigned int i; + + /* + * Note that ALL integers are unsigned! + */ +- vp->vp_integer = fr_strtoul(value, &p); +- if (!*p) { +- if (vp->vp_integer > 255) { ++ i = fr_strtoul(value, &p); ++ ++ /* ++ * Look for the named value for the given ++ * attribute. ++ */ ++ if (*p && !is_whitespace(p)) { ++ if ((dval = dict_valbyname(vp->da->attr, vp->da->vendor, value)) == NULL) { ++ fr_strerror_printf("Unknown value '%s' for attribute '%s'", value, vp->da->name); ++ return -1; ++ } ++ ++ vp->vp_byte = dval->value; ++ } else { ++ if (i > 255) { + fr_strerror_printf("Byte value \"%s\" is larger than 255", value); + return -1; + } +- break; ++ ++ vp->vp_byte = i; + } +- if (is_whitespace(p)) break; ++ ++ vp->length = 1; ++ break; + } +- goto check_for_value; + + case PW_TYPE_SHORT: + { + char *p; ++ unsigned int i; + + /* + * Note that ALL integers are unsigned! + */ +- vp->vp_integer = fr_strtoul(value, &p); +- vp->length = 2; +- if (!*p) { +- if (vp->vp_integer > 65535) { +- fr_strerror_printf("Byte value \"%s\" is larger than 65535", value); ++ i = fr_strtoul(value, &p); ++ ++ /* ++ * Look for the named value for the given ++ * attribute. 
++ */ ++ if (*p && !is_whitespace(p)) { ++ if ((dval = dict_valbyname(vp->da->attr, vp->da->vendor, value)) == NULL) { ++ fr_strerror_printf("Unknown value '%s' for attribute '%s'", value, vp->da->name); + return -1; + } +- break; ++ ++ vp->vp_short = dval->value; ++ } else { ++ if (i > 65535) { ++ fr_strerror_printf("Short value \"%s\" is larger than 65535", value); ++ return -1; ++ } ++ ++ vp->vp_short = i; + } +- if (is_whitespace(p)) break; ++ ++ vp->length = 2; ++ break; + } +- goto check_for_value; + + case PW_TYPE_INTEGER: + { + char *p; ++ unsigned int i; + + /* + * Note that ALL integers are unsigned! + */ +- vp->vp_integer = fr_strtoul(value, &p); +- vp->length = 4; +- if (!*p) break; +- if (is_whitespace(p)) break; ++ i = fr_strtoul(value, &p); + +- check_for_value: + /* + * Look for the named value for the given + * attribute. + */ +- if ((dval = dict_valbyname(vp->da->attr, vp->da->vendor, value)) == NULL) { +- fr_strerror_printf("Unknown value '%s' for attribute '%s'", value, vp->da->name); +- return -1; ++ if (*p && !is_whitespace(p)) { ++ if ((dval = dict_valbyname(vp->da->attr, vp->da->vendor, value)) == NULL) { ++ fr_strerror_printf("Unknown value '%s' for attribute '%s'", value, vp->da->name); ++ return -1; ++ } ++ ++ vp->vp_integer = dval->value; ++ } else { ++ /* ++ * Value is always within the limits ++ */ ++ vp->vp_integer = i; + } +- vp->vp_integer = dval->value; ++ ++ vp->length = 4; + } + break; + +diff --git a/src/main/evaluate.c b/src/main/evaluate.c +index 5cf597d..a100c70 100644 +--- a/src/main/evaluate.c ++++ b/src/main/evaluate.c +@@ -485,11 +485,11 @@ static int do_cast_copy(VALUE_PAIR *dst, VALUE_PAIR const *src) + break; + + case PW_TYPE_SHORT: +- dst->vp_integer = ntohs(*(uint16_t const *) src->vp_octets); ++ dst->vp_short = ntohs(*(uint16_t const *) src->vp_octets); + break; + + case PW_TYPE_BYTE: +- dst->vp_integer = src->vp_octets[0]; ++ dst->vp_byte = src->vp_octets[0]; + break; + + default: +diff --git a/src/main/valuepair.c 
b/src/main/valuepair.c +index dc2bfc7..2dd517a 100644 +--- a/src/main/valuepair.c ++++ b/src/main/valuepair.c +@@ -180,7 +180,11 @@ int radius_compare_vps(UNUSED REQUEST *request, VALUE_PAIR *check, VALUE_PAIR *v + break; + + case PW_TYPE_BYTE: ++ ret = vp->vp_byte - check->vp_byte; ++ break; + case PW_TYPE_SHORT: ++ ret = vp->vp_short - check->vp_short; ++ break; + case PW_TYPE_INTEGER: + ret = vp->vp_integer - check->vp_integer; + break; +diff --git a/src/main/xlat.c b/src/main/xlat.c +index f2c8aff..a069919 100644 +--- a/src/main/xlat.c ++++ b/src/main/xlat.c +@@ -177,9 +177,11 @@ static ssize_t xlat_integer(UNUSED void *instance, REQUEST *request, + + case PW_TYPE_INTEGER: + case PW_TYPE_DATE: ++ return snprintf(out, outlen, "%u", vp->vp_integer); + case PW_TYPE_BYTE: ++ return snprintf(out, outlen, "%u", (unsigned int) vp->vp_byte); + case PW_TYPE_SHORT: +- return snprintf(out, outlen, "%u", vp->vp_integer); ++ return snprintf(out, outlen, "%u", (unsigned int) vp->vp_short); + + /* + * Ethernet is weird... 
It's network related, so we assume to it should be +diff --git a/src/modules/rlm_couchbase/mod.c b/src/modules/rlm_couchbase/mod.c +index cc14677..36406a0 100644 +--- a/src/modules/rlm_couchbase/mod.c ++++ b/src/modules/rlm_couchbase/mod.c +@@ -296,22 +296,33 @@ json_object *mod_value_pair_to_json_object(REQUEST *request, VALUE_PAIR *vp) + + /* add this attribute/value pair to our json output */ + if (!vp->da->flags.has_tag) { ++ unsigned int i; ++ + switch (vp->da->type) { + case PW_TYPE_INTEGER: +- case PW_TYPE_BYTE: ++ i = vp->vp_integer; ++ goto print_int; ++ + case PW_TYPE_SHORT: ++ i = vp->vp_short; ++ goto print_int; ++ ++ case PW_TYPE_BYTE: ++ i = vp->vp_byte; ++ ++ print_int: + /* skip if we have flags */ + if (vp->da->flags.has_value) break; + #ifdef HAVE_JSON_OBJECT_NEW_INT64 + /* debug */ + RDEBUG3("creating new int64 for unsigned 32 bit int/byte/short '%s'", vp->da->name); + /* return as 64 bit int - JSON spec does not support unsigned ints */ +- return json_object_new_int64(vp->vp_integer); ++ return json_object_new_int64(i); + #else + /* debug */ + RDEBUG3("creating new int for unsigned 32 bit int/byte/short '%s'", vp->da->name); + /* return as 64 bit int - JSON spec does not support unsigned ints */ +- return json_object_new_int(vp->vp_integer); ++ return json_object_new_int(i); + #endif + break; + case PW_TYPE_SIGNED: +diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c +index 152f4ca..55e8e14 100644 +--- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c ++++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c +@@ -325,12 +325,12 @@ static VALUE_PAIR *diameter2vp(REQUEST *request, REQUEST *fake, SSL *ssl, + + case PW_TYPE_BYTE: + if (size != vp->length) goto raw; +- vp->vp_integer = data[0]; ++ vp->vp_byte = data[0]; + break; + + case PW_TYPE_SHORT: + if (size != vp->length) goto raw; +- vp->vp_integer = (data[0] * 256) + data[1]; ++ vp->vp_short = (data[0] * 256) + data[1]; + break; + + case 
PW_TYPE_SIGNED: +-- +2.1.0 + diff --git a/SOURCES/freeradius-add-P-option-to-radtest-synopsis.patch b/SOURCES/freeradius-add-P-option-to-radtest-synopsis.patch new file mode 100644 index 0000000..eadcf33 --- /dev/null +++ b/SOURCES/freeradius-add-P-option-to-radtest-synopsis.patch @@ -0,0 +1,27 @@ +From 50d13805262202627e0a8494508202d21a86c18b Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Mon, 27 Oct 2014 16:24:09 +0200 +Subject: [PATCH 2/2] man: Add -P option to radtest synopsis + +Add "-P" option to radtest's manpage SYNOPSIS to make it match the +OPTIONS section. +--- + man/man1/radtest.1 | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/man/man1/radtest.1 b/man/man1/radtest.1 +index 587870c..b318477 100644 +--- a/man/man1/radtest.1 ++++ b/man/man1/radtest.1 +@@ -5,6 +5,8 @@ radtest - send packets to a RADIUS server, show reply + .B radtest + .RB [ \-d + .IR raddb_directory ] ++.RB [ \-P ++.IR tcp/udp ] + .RB [ \-t + .IR pap/chap/mschap/eap-md5 ] + .RB [ \-x +-- +2.1.1 + diff --git a/SOURCES/freeradius-add-disable-openssl-version-check.patch b/SOURCES/freeradius-add-disable-openssl-version-check.patch new file mode 100644 index 0000000..ec5a92e --- /dev/null +++ b/SOURCES/freeradius-add-disable-openssl-version-check.patch 
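Review bot: In `do_cast_copy()` the SHORT case still reads the octet buffer through `*(uint16_t const *) src->vp_octets`, an aliasing- and alignment-unsafe access of a byte buffer; the commit fixes the destination member on that line but leaves the read itself. Since the line is being rewritten anyway, prefer a byte-wise read that also matches the arithmetic `diameter2vp()` in ttls.c uses in this same patch: `dst->vp_short = (src->vp_octets[0] << 8) | src->vp_octets[1];` (or `memcpy` into a `uint16_t` followed by `ntohs()`). Whether `src->length >= 2` has been verified before this point is outside the hunk and worth checking. Minor: in `rad_vp2data()` the `& 0xff` on `vp->vp_byte` is now a no-op and could be dropped to make the intent of the type change clearer.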
@@ -0,0 +1,258 @@ +From 10636fbfd51320c8ca8b40651bf3e959211ca921 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Tue, 21 Oct 2014 18:30:05 +0300 +Subject: [PATCH 1/1] Add --disable-openssl-version-check option + +Add "--disable-openssl-version-check" configure option, which removes +checking for vulnerable OpenSSL versions. It is supposed to be used by +downstream packagers and distributions who have other means to ensure +vulnerabilities are fixed, such as versioned package dependencies and +vulnerability handling processes. + +This avoids the necessity of editing radiusd.conf on package upgrade to +make sure it keeps working. At the same time, it provides safe default +to those installing FreeRADIUS from source. +--- + configure | 30 ++++++++++++++++++++++++++++++ + configure.ac | 26 ++++++++++++++++++++++++++ + raddb/radiusd.conf.in | 10 +--------- + src/include/autoconf.h.in | 3 +++ + src/include/radiusd.h | 2 ++ + src/include/tls-h | 2 ++ + src/main/mainconfig.c | 2 ++ + src/main/radiusd.c | 2 ++ + src/main/tls.c | 4 ++++ + 9 files changed, 72 insertions(+), 9 deletions(-) + +diff --git a/configure b/configure +index 1b54efd..addfeba 100755 +--- a/configure ++++ b/configure +@@ -652,6 +652,7 @@ RUSERS + SNMPWALK + SNMPGET + PERL ++openssl_version_check_config + modconfdir + dictdir + raddbdir +@@ -754,6 +755,7 @@ with_rlm_FOO_include_dir + with_openssl + with_openssl_lib_dir + with_openssl_include_dir ++enable_openssl_version_check + with_talloc_lib_dir + with_talloc_include_dir + with_pcap_lib_dir +@@ -1396,6 +1398,9 @@ Optional Features: + --disable-largefile omit support for large files + --enable-strict-dependencies fail configure on lack of module dependancy. + --enable-werror causes the build to fail if any warnings are generated. 
++ --disable-openssl-version-check ++ disable vulnerable OpenSSL version check ++ + + Optional Packages: + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] +@@ -5430,6 +5435,31 @@ if test "${with_openssl_include_dir+set}" = set; then : + fi + + ++# Check whether --enable-openssl-version-check was given. ++if test "${enable_openssl_version_check+set}" = set; then : ++ enableval=$enable_openssl_version_check; ++fi ++ ++if test "x$enable_openssl_version_check" != "xno"; then ++ ++$as_echo "#define ENABLE_OPENSSL_VERSION_CHECK 1" >>confdefs.h ++ ++ openssl_version_check_config="\ ++ # ++ # allow_vulnerable_openssl: Allow the server to start with ++ # versions of OpenSSL known to have critical vulnerabilities. ++ # ++ # This check is based on the version number reported by libssl ++ # and may not reflect patches applied to libssl by ++ # distribution maintainers. ++ # ++ allow_vulnerable_openssl = no" ++else ++ openssl_version_check_config= ++fi ++ ++ ++ + + CHECKRAD=checkrad + # Extract the first word of "perl", so it can be a program name with args. +diff --git a/configure.ac b/configure.ac +index 30b226b..b223505 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -576,6 +576,32 @@ AC_ARG_WITH(openssl-include-dir, + esac ] + ) + ++dnl # ++dnl # extra argument: --disable-openssl-version-check ++dnl # ++AC_ARG_ENABLE(openssl-version-check, ++[AS_HELP_STRING([--disable-openssl-version-check], ++ [disable vulnerable OpenSSL version check])] ++) ++if test "x$enable_openssl_version_check" != "xno"; then ++ AC_DEFINE(ENABLE_OPENSSL_VERSION_CHECK, [1], ++ [Define to 1 to have OpenSSL version check enabled]) ++ openssl_version_check_config="\ ++ # ++ # allow_vulnerable_openssl: Allow the server to start with ++ # versions of OpenSSL known to have critical vulnerabilities. ++ # ++ # This check is based on the version number reported by libssl ++ # and may not reflect patches applied to libssl by ++ # distribution maintainers. 
++ # ++ allow_vulnerable_openssl = no" ++else ++ openssl_version_check_config= ++fi ++AC_SUBST([openssl_version_check_config]) ++ ++ + dnl ############################################################# + dnl # + dnl # 1. Checks for programs +diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in +index 307ae10..0e1ff46 100644 +--- a/raddb/radiusd.conf.in ++++ b/raddb/radiusd.conf.in +@@ -475,15 +475,7 @@ security { + # + status_server = yes + +- # +- # allow_vulnerable_openssl: Allow the server to start with +- # versions of OpenSSL known to have critical vulnerabilities. +- # +- # This check is based on the version number reported by libssl +- # and may not reflect patches applied to libssl by +- # distribution maintainers. +- # +- allow_vulnerable_openssl = no ++@openssl_version_check_config@ + } + + # PROXY CONFIGURATION +diff --git a/src/include/autoconf.h.in b/src/include/autoconf.h.in +index c313bca..f500049 100644 +--- a/src/include/autoconf.h.in ++++ b/src/include/autoconf.h.in +@@ -9,6 +9,9 @@ + /* style of ctime_r function */ + #undef CTIMERSTYLE + ++/* Define to 1 to have OpenSSL version check enabled */ ++#undef ENABLE_OPENSSL_VERSION_CHECK ++ + /* style of gethostbyaddr_r functions */ + #undef GETHOSTBYADDRRSTYLE + +diff --git a/src/include/radiusd.h b/src/include/radiusd.h +index ebe3a21..1ec6959 100644 +--- a/src/include/radiusd.h ++++ b/src/include/radiusd.h +@@ -437,7 +437,9 @@ typedef struct main_config_t { + #endif + uint32_t reject_delay; + bool status_server; ++#ifdef ENABLE_OPENSSL_VERSION_CHECK + char const *allow_vulnerable_openssl; ++#endif + + uint32_t max_request_time; + uint32_t cleanup_delay; +diff --git a/src/include/tls-h b/src/include/tls-h +index ade93d5..1418ea2 100644 +--- a/src/include/tls-h ++++ b/src/include/tls-h +@@ -295,7 +295,9 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx); + + /* TLS */ + void tls_global_init(void); ++#ifdef ENABLE_OPENSSL_VERSION_CHECK + int tls_global_version_check(char const *acknowledged); 
++#endif + void tls_global_cleanup(void); + tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQUEST *request, bool client_cert); + tls_session_t *tls_new_client_session(fr_tls_server_conf_t *conf, int fd); +diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c +index cf1eea5..76979ad 100644 +--- a/src/main/mainconfig.c ++++ b/src/main/mainconfig.c +@@ -99,7 +99,9 @@ static const CONF_PARSER security_config[] = { + { "max_attributes", FR_CONF_POINTER(PW_TYPE_INTEGER, &fr_max_attributes), STRINGIFY(0) }, + { "reject_delay", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.reject_delay), STRINGIFY(0) }, + { "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"}, ++#ifdef ENABLE_OPENSSL_VERSION_CHECK + { "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"}, ++#endif + { NULL, -1, 0, NULL, NULL } + }; + +diff --git a/src/main/radiusd.c b/src/main/radiusd.c +index 620d7d4..fe8057d 100644 +--- a/src/main/radiusd.c ++++ b/src/main/radiusd.c +@@ -359,10 +359,12 @@ int main(int argc, char *argv[]) + + /* Check for vulnerabilities in the version of libssl were linked against */ + #ifdef HAVE_OPENSSL_CRYPTO_H ++#ifdef ENABLE_OPENSSL_VERSION_CHECK + if (tls_global_version_check(main_config.allow_vulnerable_openssl) < 0) { + exit(EXIT_FAILURE); + } + #endif ++#endif + + /* + * Load the modules +diff --git a/src/main/tls.c b/src/main/tls.c +index 542ce69..42b538c 100644 +--- a/src/main/tls.c ++++ b/src/main/tls.c +@@ -51,6 +51,7 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ + #include + #endif + ++#ifdef ENABLE_OPENSSL_VERSION_CHECK + typedef struct libssl_defect { + uint64_t high; + uint64_t low; +@@ -71,6 +72,7 @@ static libssl_defect_t libssl_defects[] = + .comment = "For more information see http://heartbleed.com" + } + }; ++#endif + + /* record */ + static void record_init(record_t *buf); +@@ -2063,6 +2065,7 @@ void 
tls_global_init(void) + OPENSSL_config(NULL); + } + ++#ifdef ENABLE_OPENSSL_VERSION_CHECK + /** Check for vulnerable versions of libssl + * + * @param acknowledged The highest CVE number a user has confirmed is not present in the system's libssl. +@@ -2101,6 +2104,7 @@ int tls_global_version_check(char const *acknowledged) + + return 0; + } ++#endif + + /** Free any memory alloced by libssl + * +-- +2.1.1 + diff --git a/SOURCES/freeradius-added-D-option-to-mirror-radclient.patch b/SOURCES/freeradius-added-D-option-to-mirror-radclient.patch new file mode 100644 index 0000000..1e14f15 --- /dev/null +++ b/SOURCES/freeradius-added-D-option-to-mirror-radclient.patch 
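Review bot: When the check is compiled out, `openssl_version_check_config` is set to the empty string, so the generated `security { }` section carries no trace that the `allow_vulnerable_openssl` safeguard exists or was disabled at build time, and an operator comparing against upstream documentation has no hint why the keyword is missing; emit a one-line comment in the `else` branch instead, e.g. `openssl_version_check_config="	# allow_vulnerable_openssl: OpenSSL version check disabled at build time"` (in both configure.ac and the regenerated configure). The same applies at runtime in radiusd.c, where the call is now compiled away silently: an `#else` branch emitting a one-line notice with the file's existing logging macro would let startup logs show the check was built out, which matters for anyone auditing a packaged build against the Heartbleed entry in `libssl_defects[]`. Configurations carried over from a build with the check enabled may still contain `allow_vulnerable_openssl = no`; since the keyword is removed from `security_config[]`, confirm that the config parser only warns on an unknown item rather than refusing to start, as that behaviour is outside the hunk.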
@@ -0,0 +1,37 @@ +From 08700ea8b1f3a1ace01d294548f3ba2391cc06ab Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Sun, 2 Nov 2014 14:44:32 -0500 +Subject: [PATCH 1/1] Added -D option to mirror radclient + +--- + src/modules/proto_dhcp/dhcpclient.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/modules/proto_dhcp/dhcpclient.c b/src/modules/proto_dhcp/dhcpclient.c +index ac52ffd..3bce4b3 100644 +--- a/src/modules/proto_dhcp/dhcpclient.c ++++ b/src/modules/proto_dhcp/dhcpclient.c +@@ -73,6 +73,7 @@ static void NEVER_RETURNS usage(void) + + fprintf(stderr, " One of discover, request, offer, decline, release, inform.\n"); + fprintf(stderr, " -d Set the directory where the dictionaries are stored (defaults to " RADDBDIR ").\n"); ++ fprintf(stderr, " -D Set main dictionary directory (defaults to " DICTDIR ").\n"); + fprintf(stderr, " -f Read packets from file, not stdin.\n"); + fprintf(stderr, " -t Wait 'timeout' seconds for a reply (may be a floating point number).\n"); + fprintf(stderr, " -v Show program version information.\n"); +@@ -270,7 +271,11 @@ int main(int argc, char **argv) + + fr_debug_flag = 0; + +- while ((c = getopt(argc, argv, "d:f:hr:t:vx")) != EOF) switch(c) { ++ while ((c = getopt(argc, argv, "d:D:f:hr:t:vx")) != EOF) switch(c) { ++ case 'D': ++ dict_dir = optarg; ++ break; ++ + case 'd': + radius_dir = optarg; + break; +-- +2.1.3 + diff --git a/SOURCES/freeradius-connection-fall-through-to-global-module-triggers.patch b/SOURCES/freeradius-connection-fall-through-to-global-module-triggers.patch new file mode 100644 index 0000000..a2c1156 --- /dev/null +++ b/SOURCES/freeradius-connection-fall-through-to-global-module-triggers.patch 
@@ -0,0 +1,280 @@ +From 132992fe92d53d62499d8c4672feafe210efc573 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Fri, 24 Oct 2014 14:37:11 +0300 +Subject: [PATCH 4/4] connection: Fall through to global module triggers + +Make module connection pool triggers use global module trigger +configuration, if there is no "trigger" section in the pool section. + +Use fully-qualified module-specific trigger names for module-specific +connection pools in connection.c. + +E.g. trigger "modules.ldap.open", instead of just "open" for pools +initialized with fr_connection_pool_module_init, being passed "ldap" +config section. + +Send triggers even if the pool has no "trigger" section. + +This makes exec_trigger fall through to global module triggers, if the +pool configuration doesn't have the "trigger" section. +--- + src/include/connection.h | 3 +- + src/main/connection.c | 81 ++++++++++++++++++++++++++++++------------------ + 2 files changed, 53 insertions(+), 31 deletions(-) + +diff --git a/src/include/connection.h b/src/include/connection.h +index e3752d5..eaf44e8 100644 +--- a/src/include/connection.h ++++ b/src/include/connection.h +@@ -81,7 +81,8 @@ fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent, + void *opaque, + fr_connection_create_t c, + fr_connection_alive_t a, +- char const *prefix); ++ char const *log_prefix, ++ char const *trigger_prefix); + void fr_connection_pool_delete(fr_connection_pool_t *pool); + + void *fr_connection_get(fr_connection_pool_t *pool); +diff --git a/src/main/connection.c b/src/main/connection.c +index 5f0c8f6..aec4f9d 100644 +--- a/src/main/connection.c ++++ b/src/main/connection.c +@@ -110,10 +110,6 @@ struct fr_connection_pool_t { + uint32_t idle_timeout; //!< How long a connection can be idle + //!< before being closed. + +- bool trigger; //!< If true execute connection triggers +- //!< associated with the connection +- //!< pool. 
+- + bool spread; //!< If true requests will be spread + //!< across all connections, instead of + //!< re-using the most recently used +@@ -158,6 +154,11 @@ struct fr_connection_pool_t { + //!< messages created by the connection + //!< pool code. + ++ char const *trigger_prefix; //!< Prefix to prepend to ++ //!< names of all triggers ++ //!< fired by the connection ++ //!< pool code. ++ + fr_connection_create_t create; //!< Function used to create new + //!< connections. + fr_connection_alive_t alive; //!< Function used to check status +@@ -271,6 +272,20 @@ static void fr_connection_link_tail(fr_connection_pool_t *pool, + } + } + ++/** Send a connection pool trigger. ++ * ++ * @param[in] pool to send trigger for. ++ * @param[in] name_suffix trigger name suffix. ++ */ ++static void fr_connection_exec_trigger(fr_connection_pool_t *pool, ++ char const *name_suffix) ++{ ++ char name[64]; ++ rad_assert(pool != NULL); ++ rad_assert(name_suffix != NULL); ++ snprintf(name, sizeof(name), "%s%s", pool->trigger_prefix, name_suffix); ++ exec_trigger(NULL, pool->cs, name, true); ++} + + /** Spawns a new connection + * +@@ -403,7 +418,7 @@ static fr_connection_t *fr_connection_spawn(fr_connection_pool_t *pool, + + pthread_mutex_unlock(&pool->mutex); + +- if (pool->trigger) exec_trigger(NULL, pool->cs, "open", true); ++ fr_connection_exec_trigger(pool, "open"); + + return this; + } +@@ -436,7 +451,7 @@ static void fr_connection_close(fr_connection_pool_t *pool, + pool->active--; + } + +- if (pool->trigger) exec_trigger(NULL, pool->cs, "close", true); ++ fr_connection_exec_trigger(pool, "close"); + + fr_connection_unlink(pool, this); + rad_assert(pool->num > 0); +@@ -542,7 +557,7 @@ void fr_connection_pool_delete(fr_connection_pool_t *pool) + fr_connection_close(pool, this); + } + +- if (pool->trigger) exec_trigger(NULL, pool->cs, "stop", true); ++ fr_connection_exec_trigger(pool, "stop"); + + rad_assert(pool->head == NULL); + rad_assert(pool->tail == NULL); +@@ -559,33 +574,36 
@@ void fr_connection_pool_delete(fr_connection_pool_t *pool) + * @param[in] opaque data pointer to pass to callbacks. + * @param[in] c Callback to create new connections. + * @param[in] a Callback to check the status of connections. +- * @param[in] prefix override, if NULL will be set automatically from the module CONF_SECTION. ++ * @param[in] log_prefix override, if NULL will be set automatically from the module CONF_SECTION. + * @return A new connection pool or NULL on error. + */ + fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module, + void *opaque, + fr_connection_create_t c, + fr_connection_alive_t a, +- char const *prefix) ++ char const *log_prefix) + { + CONF_SECTION *cs, *mycs; + char buff[128]; ++ char trigger_prefix[64]; + + fr_connection_pool_t *pool; ++ char const *cs_name1, *cs_name2; + + int ret; + + #define CONNECTION_POOL_CF_KEY "connection_pool" + #define parent_name(_x) cf_section_name(cf_item_parent(cf_sectiontoitem(_x))) + +- if (!prefix) { +- char const *cs_name1, *cs_name2; +- cs_name1 = cf_section_name1(module); +- cs_name2 = cf_section_name2(module); +- if (!cs_name2) cs_name2 = cs_name1; ++ cs_name1 = cf_section_name1(module); ++ cs_name2 = cf_section_name2(module); ++ if (!cs_name2) cs_name2 = cs_name1; ++ ++ snprintf(trigger_prefix, sizeof(trigger_prefix), "modules.%s.", cs_name1); + ++ if (!log_prefix) { + snprintf(buff, sizeof(buff), "rlm_%s (%s)", cs_name1, cs_name2); +- prefix = buff; ++ log_prefix = buff; + } + + /* +@@ -597,11 +615,11 @@ fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module, + return NULL; + + case 1: +- DEBUG4("%s: Using pool section from \"%s\"", prefix, parent_name(cs)); ++ DEBUG4("%s: Using pool section from \"%s\"", log_prefix, parent_name(cs)); + break; + + case 0: +- DEBUG4("%s: Using local pool section", prefix); ++ DEBUG4("%s: Using local pool section", log_prefix); + break; + } + +@@ -610,7 +628,7 @@ fr_connection_pool_t 
*fr_connection_pool_module_init(CONF_SECTION *module, + */ + mycs = cf_section_sub_find(module, "pool"); + if (!mycs) { +- DEBUG4("%s: Adding pool section to \"%s\" to store pool references", prefix, ++ DEBUG4("%s: Adding pool section to \"%s\" to store pool references", log_prefix, + cf_section_name(module)); + + mycs = cf_section_alloc(module, "pool", NULL); +@@ -622,7 +640,7 @@ fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module, + * Use our own local pool. + */ + if (!cs) { +- DEBUG4("%s: \"%s.pool\" section not found, using \"%s.pool\"", prefix, ++ DEBUG4("%s: \"%s.pool\" section not found, using \"%s.pool\"", log_prefix, + parent_name(cs), parent_name(mycs)); + cs = mycs; + } +@@ -636,16 +654,16 @@ fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module, + */ + pool = cf_data_find(cs, CONNECTION_POOL_CF_KEY); + if (!pool) { +- DEBUG4("%s: No pool reference found in \"%s.pool\"", prefix, parent_name(cs)); +- pool = fr_connection_pool_init(module, cs, opaque, c, a, prefix); ++ DEBUG4("%s: No pool reference found in \"%s.pool\"", log_prefix, parent_name(cs)); ++ pool = fr_connection_pool_init(module, cs, opaque, c, a, log_prefix, trigger_prefix); + if (!pool) return NULL; + +- DEBUG4("%s: Adding pool reference %p to \"%s.pool\"", prefix, pool, parent_name(cs)); ++ DEBUG4("%s: Adding pool reference %p to \"%s.pool\"", log_prefix, pool, parent_name(cs)); + cf_data_add(cs, CONNECTION_POOL_CF_KEY, pool, NULL); + return pool; + } + +- DEBUG4("%s: Found pool reference %p in \"%s.pool\"", prefix, pool, parent_name(cs)); ++ DEBUG4("%s: Found pool reference %p in \"%s.pool\"", log_prefix, pool, parent_name(cs)); + + /* + * We're reusing pool data add it to our local config +@@ -653,7 +671,7 @@ fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module, + * re-use a pool through this module. 
+ */ + if (mycs != cs) { +- DEBUG4("%s: Copying pool reference %p from \"%s.pool\" to \"%s.pool\"", prefix, pool, ++ DEBUG4("%s: Copying pool reference %p from \"%s.pool\" to \"%s.pool\"", log_prefix, pool, + parent_name(cs), parent_name(mycs)); + cf_data_add(mycs, CONNECTION_POOL_CF_KEY, pool, NULL); + } +@@ -676,7 +694,8 @@ fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module, + * @param[in] opaque data pointer to pass to callbacks. + * @param[in] c Callback to create new connections. + * @param[in] a Callback to check the status of connections. +- * @param[in] prefix to prepend to all log messages. ++ * @param[in] log_prefix prefix to prepend to all log messages. ++ * @param[in] trigger_prefix prefix to prepend to all trigger names. + * @return A new connection pool or NULL on error. + */ + fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent, +@@ -684,7 +703,8 @@ fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent, + void *opaque, + fr_connection_create_t c, + fr_connection_alive_t a, +- char const *prefix) ++ char const *log_prefix, ++ char const *trigger_prefix) + { + uint32_t i; + fr_connection_pool_t *pool; +@@ -720,7 +740,9 @@ fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent, + + pool->head = pool->tail = NULL; + +- pool->log_prefix = prefix ? talloc_typed_strdup(pool, prefix) : "core"; ++ pool->log_prefix = log_prefix ? talloc_typed_strdup(pool, log_prefix) : "core"; ++ pool->trigger_prefix = trigger_prefix ? 
++ talloc_typed_strdup(pool, trigger_prefix) : ""; + + #ifdef HAVE_PTHREAD_H + pthread_mutex_init(&pool->mutex, NULL); +@@ -729,7 +751,6 @@ fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent, + DEBUG("%s: Initialising connection pool", pool->log_prefix); + + if (cf_section_parse(cs, pool, connection_config) < 0) goto error; +- if (cf_section_sub_find(cs, "trigger")) pool->trigger = true; + + /* + * Some simple limits +@@ -780,7 +801,7 @@ fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent, + } + } + +- if (pool->trigger) exec_trigger(NULL, pool->cs, "start", true); ++ fr_connection_exec_trigger(pool, "start"); + + return pool; + } +@@ -1222,7 +1243,7 @@ void *fr_connection_reconnect(fr_connection_pool_t *pool, void *conn) + return NULL; + } + +- if (pool->trigger) exec_trigger(NULL, pool->cs, "close", true); ++ fr_connection_exec_trigger(pool, "close"); + this->connection = new_conn; + pthread_mutex_unlock(&pool->mutex); + +-- +2.1.1 + diff --git a/SOURCES/freeradius-dhcpclient-Add-a-short-description-to-help-output.patch b/SOURCES/freeradius-dhcpclient-Add-a-short-description-to-help-output.patch new file mode 100644 index 0000000..379c590 --- /dev/null +++ b/SOURCES/freeradius-dhcpclient-Add-a-short-description-to-help-output.patch 
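Review bot: fr_connection_exec_trigger formats the trigger name into a 64-byte `name` with snprintf and never checks the return value, and the `trigger_prefix` it prepends is itself built into a 64-byte buffer from `"modules.%s."` in fr_connection_pool_module_init, so a long module section name is silently truncated and a different, probably nonexistent, trigger name is fired. A guard such as `if (snprintf(name, sizeof(name), "%s%s", pool->trigger_prefix, name_suffix) >= (int) sizeof(name)) { ERROR("%s: Trigger name truncated", pool->log_prefix); return; }` makes the failure visible, and the same check belongs on the trigger_prefix snprintf. Separately, fr_connection_pool_init gains a parameter in the public header while the diffstat lists only connection.c, so any other direct caller of fr_connection_pool_init would stop compiling; worth confirming every module goes through fr_connection_pool_module_init.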
@@ -0,0 +1,26 @@
+From 313d551547efa8493741ef1344e0629aab04dd70 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov
+Date: Fri, 5 Dec 2014 15:07:59 +0200
+Subject: [PATCH 3/3] dhcpclient: Add a short description to help output
+
+Add a short description of the program's function to the help output of
+dhcpclient.
+---
+ src/modules/proto_dhcp/dhcpclient.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/modules/proto_dhcp/dhcpclient.c b/src/modules/proto_dhcp/dhcpclient.c
+index 64debfe..5677588 100644
+--- a/src/modules/proto_dhcp/dhcpclient.c
++++ b/src/modules/proto_dhcp/dhcpclient.c
+@@ -70,6 +70,7 @@ char const *dhcpclient_version = "dhcpclient version " RADIUSD_VERSION_STRING
+ static void NEVER_RETURNS usage(void)
+ {
+ fprintf(stderr, "Usage: dhcpclient [options] server[:port] \n");
++ fprintf(stderr, "Send a DHCP request with provided RADIUS attrs and output response.\n");
+
+ fprintf(stderr, " One of discover, request, offer, decline, release, inform.\n");
+ fprintf(stderr, " -d Set the directory where the dictionaries are stored (defaults to " RADDBDIR ").\n");
+--
+2.1.3
+
diff --git a/SOURCES/freeradius-dont-detach-after-perl_parse.patch b/SOURCES/freeradius-dont-detach-after-perl_parse.patch
new file mode 100644
index 0000000..f793945
--- /dev/null
+++ b/SOURCES/freeradius-dont-detach-after-perl_parse.patch
@@ -0,0 +1,50 @@ +From fa9b2cd01fb5dbe583f5063f611a45c9d033a54a Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Tue, 30 Sep 2014 16:19:47 +0300 +Subject: [PATCH 1/1] perl: Don't call detach after failed perl_parse + +Don't call "detach" callback in rlm_perl, if perl_parse of the Perl +module failed. + +This fixes segfault when the module file cannot be read: + + Can't open perl script "/etc/raddb/mods-config/perl/example.pl": Permission denied + rlm_perl: perl_parse failed: /etc/raddb/mods-config/perl/example.pl not found or has syntax errors. + /etc/raddb/mods-enabled/perl[7]: Instantiation failed for module "perl" + Segmentation fault +--- + src/modules/rlm_perl/rlm_perl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/modules/rlm_perl/rlm_perl.c b/src/modules/rlm_perl/rlm_perl.c +index d423524..039d7c8 100644 +--- a/src/modules/rlm_perl/rlm_perl.c ++++ b/src/modules/rlm_perl/rlm_perl.c +@@ -73,6 +73,7 @@ typedef struct rlm_perl_t { + char const *xlat_name; + char const *perl_flags; + PerlInterpreter *perl; ++ bool perl_parsed; + pthread_key_t *thread_key; + + #ifdef USE_ITHREADS +@@ -538,6 +539,7 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance) + PL_endav = (AV *)NULL; + + if(!exitstatus) { ++ inst->perl_parsed = true; + perl_run(inst->perl); + } else { + ERROR("rlm_perl: perl_parse failed: %s not found or has syntax errors. \n", inst->module); +@@ -1012,7 +1014,7 @@ static int mod_detach(void *instance) + } + #endif + +- if (inst->func_detach) { ++ if (inst->perl_parsed && inst->func_detach) { + dTHXa(inst->perl); + PERL_SET_CONTEXT(inst->perl); + { +-- +2.1.0 + diff --git a/SOURCES/freeradius-dont-swap-uint128-printing-on-be.patch b/SOURCES/freeradius-dont-swap-uint128-printing-on-be.patch new file mode 100644 index 0000000..ba3c670 --- /dev/null +++ b/SOURCES/freeradius-dont-swap-uint128-printing-on-be.patch 
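Review bot: `perl_parsed` is assigned only on the success path of mod_instantiate, so the new guard in mod_detach depends on the instance struct having been zero-initialised when it was allocated; that allocation is outside the hunk, and if it is not a zeroing allocator the flag is read uninitialised. An explicit `inst->perl_parsed = false;` before the perl_parse call, or a field comment such as `//!< Set once perl_parse succeeded; func_detach may only run after this`, would make the dependency explicit. The else branch's return after the ERROR is also outside the hunk, so whether the interpreter left behind by a failed perl_parse is released on the detach path cannot be confirmed here.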
@@ -0,0 +1,46 @@ +From 168275c3f4ffe9d0e09ed7a3789b45b440416f73 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Wed, 1 Oct 2014 16:32:11 +0300 +Subject: [PATCH 4/4] Don't assume little-endian in fr_prints_uint128 + +Add handling of big-endian architectures to fr_prints_uint128. +--- + src/lib/misc.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/src/lib/misc.c b/src/lib/misc.c +index 66171ff..d0ccd6c 100644 +--- a/src/lib/misc.c ++++ b/src/lib/misc.c +@@ -1366,6 +1366,13 @@ size_t fr_prints_uint128(char *out, size_t outlen, uint128_t const num) + uint64_t n[2]; + char *p = buff; + int i; ++#ifdef RADIUS_LITTLE_ENDIAN ++ const size_t l = 0; ++ const size_t h = 1; ++#else ++ const size_t l = 1; ++ const size_t h = 0; ++#endif + + memset(buff, '0', sizeof(buff) - 1); + buff[sizeof(buff) - 1] = '\0'; +@@ -1376,11 +1383,11 @@ size_t fr_prints_uint128(char *out, size_t outlen, uint128_t const num) + ssize_t j; + int carry; + +- carry = (n[1] >= 0x8000000000000000); ++ carry = (n[h] >= 0x8000000000000000); + + // Shift n[] left, doubling it +- n[1] = ((n[1] << 1) & 0xffffffffffffffff) + (n[0] >= 0x8000000000000000); +- n[0] = ((n[0] << 1) & 0xffffffffffffffff); ++ n[h] = ((n[h] << 1) & 0xffffffffffffffff) + (n[l] >= 0x8000000000000000); ++ n[l] = ((n[l] << 1) & 0xffffffffffffffff); + + // Add s[] to itself in decimal, doubling it + for (j = sizeof(buff) - 2; j >= 0; j--) { +-- +2.1.0 + diff --git a/SOURCES/freeradius-dont-truncate-uint64.patch b/SOURCES/freeradius-dont-truncate-uint64.patch new file mode 100644 index 0000000..d64a47c --- /dev/null +++ b/SOURCES/freeradius-dont-truncate-uint64.patch 
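Review bot: the `#else` branch selects big-endian word order for every build that does not define RADIUS_LITTLE_ENDIAN, so a configuration that fails to define the macro on a little-endian host will silently print wrong digits rather than fail to build. Making the big-endian case explicit and ending the chain with `#else` `#error "unknown byte order for uint128_t word layout"` turns that misconfiguration into a compile-time error. The `& 0xffffffffffffffff` masks on uint64_t operands are no-ops; they pre-date this change but could be dropped while the lines are being rewritten.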
@@ -0,0 +1,27 @@
+From de77beacf1c0bd64335f0f949af9da71437d3ba5 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov
+Date: Tue, 30 Sep 2014 22:27:36 +0300
+Subject: [PATCH 1/4] Don't truncate 64-bit integers in do_cast_copy
+
+Assign converted octets to vp_integer64, instead of vp_integer to avoid
+truncation in do_cast_copy.
+---
+ src/main/evaluate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/main/evaluate.c b/src/main/evaluate.c
+index f91d482..5cf597d 100644
+--- a/src/main/evaluate.c
++++ b/src/main/evaluate.c
+@@ -475,7 +475,7 @@ static int do_cast_copy(VALUE_PAIR *dst, VALUE_PAIR const *src)
+ do_octets:
+ switch (dst->da->type) {
+ case PW_TYPE_INTEGER64:
+- dst->vp_integer = ntohll(*(uint64_t const *) src->vp_octets);
++ dst->vp_integer64 = ntohll(*(uint64_t const *) src->vp_octets);
+ break;
+
+ case PW_TYPE_INTEGER:
+--
+2.1.0
+
diff --git a/SOURCES/freeradius-exec-dont-assume-request-presence-when-logging.patch b/SOURCES/freeradius-exec-dont-assume-request-presence-when-logging.patch
new file mode 100644
index 0000000..2c0ee52
--- /dev/null
+++ b/SOURCES/freeradius-exec-dont-assume-request-presence-when-logging.patch
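Review bot: the corrected line still reads the value through `*(uint64_t const *) src->vp_octets`, which assumes the octets are at least eight bytes long and suitably aligned, and neither is checked in the hunk, so an under-length octets value reaching this cast reads past its data. Copying through a local removes the alignment and aliasing concern, `uint64_t tmp; memcpy(&tmp, src->vp_octets, sizeof(tmp)); dst->vp_integer64 = ntohll(tmp);`, and a preceding `if (src->length < sizeof(uint64_t))` that rejects the cast with whatever error return do_cast_copy uses would bound the read. The PW_TYPE_INTEGER case below presumably has the same shape and the rest of do_cast_copy lies outside the hunk.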
@@ -0,0 +1,139 @@ +From 13c5c908548c29ab30ae2e274a5d2baa96eadae4 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Wed, 15 Oct 2014 20:03:11 +0300 +Subject: [PATCH 1/4] exec: Don't assume request presence when logging + +Use DEBUG* macros for logging, instead of RDEBUG* macros in +radius_start_program and radius_readfrom_program as these are not +guaranteed to be invoked with a valid request. + +For example, not from most of the exec_trigger invocations. +--- + src/include/radiusd.h | 2 +- + src/main/exec.c | 22 +++++++++++----------- + src/modules/rlm_mschap/rlm_mschap.c | 2 +- + 3 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/src/include/radiusd.h b/src/include/radiusd.h +index 21d510b..ebe3a21 100644 +--- a/src/include/radiusd.h ++++ b/src/include/radiusd.h +@@ -606,7 +606,7 @@ int rad_virtual_server(REQUEST *); + pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait, + int *input_fd, int *output_fd, + VALUE_PAIR *input_pairs, bool shell_escape); +-int radius_readfrom_program(REQUEST *request, int fd, pid_t pid, int timeout, ++int radius_readfrom_program(int fd, pid_t pid, int timeout, + char *answer, int left); + int radius_exec_program(REQUEST *request, char const *cmd, bool exec_wait, bool shell_escape, + char *user_msg, size_t msg_len, int timeout, +diff --git a/src/main/exec.c b/src/main/exec.c +index b421053..1188d0a 100644 +--- a/src/main/exec.c ++++ b/src/main/exec.c +@@ -103,16 +103,16 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait, + + argc = rad_expand_xlat(request, cmd, MAX_ARGV, argv, true, sizeof(argv_buf), argv_buf); + if (argc <= 0) { +- RDEBUG("invalid command line '%s'.", cmd); ++ DEBUG("invalid command line '%s'.", cmd); + return -1; + } + + + #ifndef NDEBUG + if (debug_flag > 2) { +- RDEBUG3("executing cmd %s", cmd); ++ DEBUG3("executing cmd %s", cmd); + for (i = 0; i < argc; i++) { +- RDEBUG3("\t[%d] %s", i, argv[i]); ++ DEBUG3("\t[%d] %s", i, argv[i]); + } + 
} + #endif +@@ -124,13 +124,13 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait, + if (exec_wait) { + if (input_fd) { + if (pipe(to_child) != 0) { +- RDEBUG("Couldn't open pipe to child: %s", fr_syserror(errno)); ++ DEBUG("Couldn't open pipe to child: %s", fr_syserror(errno)); + return -1; + } + } + if (output_fd) { + if (pipe(from_child) != 0) { +- RDEBUG("Couldn't open pipe from child: %s", fr_syserror(errno)); ++ DEBUG("Couldn't open pipe from child: %s", fr_syserror(errno)); + /* safe because these either need closing or are == -1 */ + close(to_child[0]); + close(to_child[1]); +@@ -206,7 +206,7 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait, + */ + devnull = open("/dev/null", O_RDWR); + if (devnull < 0) { +- RDEBUG("Failed opening /dev/null: %s\n", fr_syserror(errno)); ++ DEBUG("Failed opening /dev/null: %s\n", fr_syserror(errno)); + + /* + * Where the status code is interpreted as a module rcode +@@ -287,7 +287,7 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait, + * Parent process. + */ + if (pid < 0) { +- RDEBUG("Couldn't fork %s: %s", argv[0], fr_syserror(errno)); ++ DEBUG("Couldn't fork %s: %s", argv[0], fr_syserror(errno)); + if (exec_wait) { + /* safe because these either need closing or are == -1 */ + close(to_child[0]); +@@ -320,7 +320,7 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait, + return pid; + #else + if (exec_wait) { +- RDEBUG("Wait is not supported"); ++ DEBUG("Wait is not supported"); + return -1; + } + +@@ -366,7 +366,7 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait, + * @param left length of buffer. + * @return -1 on error, or length of output. 
+ */ +-int radius_readfrom_program(REQUEST *request, int fd, pid_t pid, int timeout, ++int radius_readfrom_program(int fd, pid_t pid, int timeout, + char *answer, int left) + { + int done = 0; +@@ -422,7 +422,7 @@ int radius_readfrom_program(REQUEST *request, int fd, pid_t pid, int timeout, + rcode = select(fd + 1, &fds, NULL, NULL, &wake); + if (rcode == 0) { + too_long: +- RDEBUG("Child PID %u is taking too much time: forcing failure and killing child.", pid); ++ DEBUG("Child PID %u is taking too much time: forcing failure and killing child.", pid); + kill(pid, SIGTERM); + close(fd); /* should give SIGPIPE to child, too */ + +@@ -536,7 +536,7 @@ int radius_exec_program(REQUEST *request, char const *cmd, bool exec_wait, bool + } + + #ifndef __MINGW32__ +- len = radius_readfrom_program(request, from_child, pid, timeout, answer, sizeof(answer)); ++ len = radius_readfrom_program(from_child, pid, timeout, answer, sizeof(answer)); + if (len < 0) { + /* + * Failure - radius_readfrom_program will +diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c +index 0101ddf..03f94a9 100644 +--- a/src/modules/rlm_mschap/rlm_mschap.c ++++ b/src/modules/rlm_mschap/rlm_mschap.c +@@ -794,7 +794,7 @@ static int CC_HINT(nonnull (1, 2, 4, 5)) do_mschap_cpw(rlm_mschap_t *inst, + /* + * Read from the child + */ +- len = radius_readfrom_program(request, from_child, pid, 10, buf, sizeof(buf)); ++ len = radius_readfrom_program(from_child, pid, 10, buf, sizeof(buf)); + if (len < 0) { + /* radius_readfrom_program will have closed from_child for us */ + REDEBUG("Failure reading from child"); +-- +2.1.1 + diff --git a/SOURCES/freeradius-fix-checks-for-PW_TYPE_FILE_INPUT.patch b/SOURCES/freeradius-fix-checks-for-PW_TYPE_FILE_INPUT.patch new file mode 100644 index 0000000..e42dd5d --- /dev/null +++ b/SOURCES/freeradius-fix-checks-for-PW_TYPE_FILE_INPUT.patch 
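Review bot: `radius_readfrom_program` loses its `request` parameter in the public header radiusd.h, which is an API break for any caller outside this tree, and the commit message describes only the logging change; a sentence noting the signature change would help packagers. The too_long path also still prints `pid` with `%u` although pid_t is a signed integer type on POSIX; since the line is being rewritten, `DEBUG("Child PID %d is taking too much time: forcing failure and killing child.", (int) pid);` matches the argument. Switching every RDEBUG to DEBUG presumably also drops the per-request prefix in the common case where request is non-NULL, which makes correlating a failed exec with its request in the logs harder; a request-aware wrapper that falls back to DEBUG when request is NULL would keep both.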
@@ -0,0 +1,85 @@ +From bae8305c7c1f35f853d9ffe520983c90f2a927a8 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Sun, 5 Oct 2014 17:31:34 -0400 +Subject: [PATCH 1/1] Fix checks for PW_TYPE_FILE_INPUT + +--- + src/main/conffile.c | 45 +++++++-------------------------------------- + 1 file changed, 7 insertions(+), 38 deletions(-) + +diff --git a/src/main/conffile.c b/src/main/conffile.c +index 37c8aba..a221dcd 100644 +--- a/src/main/conffile.c ++++ b/src/main/conffile.c +@@ -985,7 +985,7 @@ static inline int fr_item_validate_ipaddr(CONF_SECTION *cs, char const *name, PW + int cf_item_parse(CONF_SECTION *cs, char const *name, int type, void *data, char const *dflt) + { + int rcode; +- bool deprecated, required, attribute, secret; ++ bool deprecated, required, attribute, secret, input; + char **q; + char const *value; + CONF_PAIR const *cp = NULL; +@@ -998,6 +998,7 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, int type, void *data, char + required = (type & PW_TYPE_REQUIRED); + attribute = (type & PW_TYPE_ATTRIBUTE); + secret = (type & PW_TYPE_SECRET); ++ input = (type == PW_TYPE_FILE_INPUT); /* check, not and */ + + type &= 0xff; /* normal types are small */ + rcode = 0; +@@ -1157,46 +1158,14 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, int type, void *data, char + cs->depth, parse_spaces, name, value ? value : "(null)"); + } + *q = value ? talloc_typed_strdup(cs, value) : NULL; +- break; +- +- /* +- * This is the same as PW_TYPE_STRING, +- * except that we also "stat" the file, and +- * cache the result. +- */ +- case PW_TYPE_FILE_INPUT: +- case PW_TYPE_FILE_OUTPUT: +- q = (char **) data; +- if (*q != NULL) { +- free(*q); +- } +- +- /* +- * Expand variables which haven't already been +- * expanded automagically when the configuration +- * file was read. 
+- */ +- if ((value == dflt) && cs) { +- int lineno = 0; +- +- value = cf_expand_variables("?", +- &lineno, +- cs, buffer, sizeof(buffer), +- value); +- if (!value) return -1; +- } +- +- if (required && (!value || !*value)) goto is_required; +- +- cf_log_info(cs, "%.*s\t%s = \"%s\"", +- cs->depth, parse_spaces, name, value); +- *q = value ? talloc_typed_strdup(cs, value) : NULL; + + /* +- * If the filename exists and we're supposed to +- * read it, check it. ++ * If there's data AND it's an input file, check ++ * that we can read it. This check allows errors ++ * to be caught as early as possible, during ++ * server startup. + */ +- if (*q && (type == PW_TYPE_FILE_INPUT)) { ++ if (*q && input) { + struct stat buf; + + if (stat(*q, &buf) < 0) { +-- +2.1.1 + diff --git a/SOURCES/freeradius-fix-dhcp-dictionary-loading.patch b/SOURCES/freeradius-fix-dhcp-dictionary-loading.patch new file mode 100644 index 0000000..7cde423 --- /dev/null +++ b/SOURCES/freeradius-fix-dhcp-dictionary-loading.patch 
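Review bot: `input` is computed by equality against the un-masked `type` one line before `type &= 0xff` strips the flag bits, so a parser entry that combines PW_TYPE_FILE_INPUT with the PW_TYPE_REQUIRED or PW_TYPE_SECRET bits extracted on the surrounding lines would never get the readability stat check. The `/* check, not and */` comment says the equality is deliberate but not why; it should state the reason, e.g. `/* compare the whole type: PW_TYPE_FILE_INPUT is a flagged string type, not a value in the low byte */` if that is the case, or the test should use the masked value if combining flags is legal. The stat branch and the remainder of cf_item_parse continue past the end of the hunk.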
@@ -0,0 +1,40 @@
+From dda57af171687d60e21e8e2620e87b25939d0c29 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov
+Date: Mon, 6 Oct 2014 17:00:25 +0300
+Subject: [PATCH 1/1] dhcpclient: Load dictionary.dhcp from DICTDIR.
+
+Load dictionary.dhcp from DICTDIR instead of RADDBDIR in dhcpclient.c,
+as it is found only in the former.
+
+This fixes the following error printed when invoking dhcpclient:
+
+ Failed reading dictionary.dhcp: dict_init: Couldn't open dictionary
+ "/etc/raddb/dictionary.dhcp": No such file or directory
+---
+ src/modules/proto_dhcp/dhcpclient.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/modules/proto_dhcp/dhcpclient.c b/src/modules/proto_dhcp/dhcpclient.c
+index b29b9a2..ac52ffd 100644
+--- a/src/modules/proto_dhcp/dhcpclient.c
++++ b/src/modules/proto_dhcp/dhcpclient.c
+@@ -264,6 +264,7 @@ int main(int argc, char **argv)
+ char *p;
+ int c;
+ char const *radius_dir = RADDBDIR;
++ char const *dict_dir = DICTDIR;
+ char const *filename = NULL;
+ DICT_ATTR const *da;
+
+@@ -315,7 +316,7 @@ int main(int argc, char **argv)
+ */
+ da = dict_attrbyname("DHCP-Message-Type");
+ if (!da) {
+- if (dict_read(radius_dir, "dictionary.dhcp") < 0) {
++ if (dict_read(dict_dir, "dictionary.dhcp") < 0) {
+ fprintf(stderr, "Failed reading dictionary.dhcp: %s",
+ fr_strerror());
+ return -1;
+--
+2.1.1
+
diff --git a/SOURCES/freeradius-ignore-SIGTERM-when-firing-stop-and-signal.term.patch b/SOURCES/freeradius-ignore-SIGTERM-when-firing-stop-and-signal.term.patch
new file mode 100644
index 0000000..daefbb4
--- /dev/null
+++ b/SOURCES/freeradius-ignore-SIGTERM-when-firing-stop-and-signal.term.patch
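Review bot: `dict_dir` is a fixed DICTDIR with no command-line override, whereas `radius_dir` is the variable the `-d` option fills in and that option is documented in this series as "Set the directory where the dictionaries are stored"; after this change `-d` no longer influences where dictionary.dhcp is read from, assuming option parsing (outside the hunk, inside main) still sets only radius_dir. Either give `dict_dir` its own option, or change the `-d` help text to say it sets the raddb directory so the two agree. A comment on the new variable such as `/* dictionary.dhcp ships in DICTDIR, not in the raddb directory */` would also record why the two paths differ.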
@@ -0,0 +1,59 @@ +From b5b92669c32b50b2f96a3ae53d4222d6cb3d1287 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Tue, 28 Oct 2014 15:57:56 +0200 +Subject: [PATCH 1/1] Ignore SIGTERM when firing stop and signal.term + +Move firing "server.stop" and "server.signal.term" triggers beyond +setting SIGTERM action to SIG_IGN in main(). + +This way handler commands for these triggers don't receive SIGTERM with +the rest of the process group and don't possibly terminate before doing +their work. E.g. snmptrap manages to send the notifications. +--- + src/main/process.c | 1 - + src/main/radiusd.c | 10 ++++++++-- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/main/process.c b/src/main/process.c +index 7e1a51e..f427205 100644 +--- a/src/main/process.c ++++ b/src/main/process.c +@@ -4536,7 +4536,6 @@ static void handle_signal_self(int flag) + fr_event_loop_exit(el, 1); + } else { + INFO("Signalled to terminate"); +- exec_trigger(NULL, NULL, "server.signal.term", true); + fr_event_loop_exit(el, 2); + } + +diff --git a/src/main/radiusd.c b/src/main/radiusd.c +index 620d7d4..86c7013 100644 +--- a/src/main/radiusd.c ++++ b/src/main/radiusd.c +@@ -592,8 +592,6 @@ int main(int argc, char *argv[]) + INFO("Exiting normally"); + } + +- exec_trigger(NULL, NULL, "server.stop", false); +- + /* + * Ignore the TERM signal: we're + * about to die. +@@ -601,6 +599,14 @@ int main(int argc, char *argv[]) + signal(SIGTERM, SIG_IGN); + + /* ++ * Fire signal and stop triggers after ignoring SIGTERM, so handlers are ++ * not killed with the rest of the process group, below. ++ */ ++ if (status == 2) ++ exec_trigger(NULL, NULL, "server.signal.term", true); ++ exec_trigger(NULL, NULL, "server.stop", false); ++ ++ /* + * Send a TERM signal to all + * associated processes + * (including us, which gets +-- +2.1.1 + diff --git a/SOURCES/freeradius-imacros.patch b/SOURCES/freeradius-imacros.patch deleted file mode 100644 index 0a4be7e..0000000 
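Review bot: `if (status == 2) exec_trigger(NULL, NULL, "server.signal.term", true);` is an unbraced single-statement conditional in a function whose other conditionals are braced; `if (status == 2) { exec_trigger(NULL, NULL, "server.signal.term", true); }` keeps the style consistent and avoids the classic mistake when a second statement is added later. The move also ties `server.signal.term` to `status == 2`, which relies on `fr_event_loop_exit(el, 2)` in handle_signal_self being the only source of that status value; a comment next to the test, e.g. `/* status 2 is set by handle_signal_self on SIGTERM */`, would keep radiusd.c and process.c in step. Both hunks sit inside main and handle_signal_self, which extend beyond the hunk.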
--- a/SOURCES/freeradius-imacros.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -r -u freeradius-server-3.0.1.bak/Make.inc.in freeradius-server-3.0.1/Make.inc.in ---- freeradius-server-3.0.1.bak/Make.inc.in 2014-01-17 11:20:48.599733053 -0500 -+++ freeradius-server-3.0.1/Make.inc.in 2014-01-17 14:37:33.739853796 -0500 -@@ -47,7 +47,7 @@ - - CC = @CC@ - RANLIB = @RANLIB@ --IMACROS = -imacros ${top_srcdir}/src/freeradius-devel/build.h -imacros ${top_srcdir}/src/freeradius-devel/autoconf.h -imacros ${top_srcdir}/src/freeradius-devel/features.h -+IMACROS = -include ${top_srcdir}/src/freeradius-devel/build.h -include ${top_srcdir}/src/freeradius-devel/autoconf.h -include ${top_srcdir}/src/freeradius-devel/features.h - INCLUDE = -I${top_srcdir} -I${top_srcdir}/src - CFLAGS = $(IMACROS) $(INCLUDE) -std=c99 -fno-strict-aliasing @CFLAGS@ - CPPFLAGS = @CPPFLAGS@ -Only in freeradius-server-3.0.1: Make.inc.in~ diff --git a/SOURCES/freeradius-ippool.patch b/SOURCES/freeradius-ippool.patch deleted file mode 100644 index 383982a..0000000 --- a/SOURCES/freeradius-ippool.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -diff -r -u freeradius-server-3.0.1.bak/raddb/mods-available/ippool freeradius-server-3.0.1/raddb/mods-available/ippool ---- freeradius-server-3.0.1.bak/raddb/mods-available/ippool 2014-01-17 11:20:48.609733064 -0500 -+++ freeradius-server-3.0.1/raddb/mods-available/ippool 2014-01-17 12:33:11.884537885 -0500 -@@ -1,6 +1,6 @@ - # -*- text -*- - # --# $Id: d52dc9b385dec10e970ba9af070af612f25d596d $ -+# $Id: 1d3305ba45ec71336f55f8f1db05f183772e1b82 $ - - # Do server side ip pool management. Should be added in - # post-auth and accounting sections. -@@ -22,54 +22,45 @@ - # DEFAULT Group == teachers, Pool-Name := "teachers" - # DEFAULT Group == other, Pool-Name := "DEFAULT" - # --# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST ********* --# ********* THEN ERASE THE DB FILES ********* -+# Note: If you change the range parameters you must then erase the -+# db files. - # - ippool main_pool { -+ # The main db file used to allocate addresses. -+ filename = ${db_dir}/db.ippool - -- # range-start,range-stop: -- # The start and end ip addresses for this pool. -+ # The start and end ip addresses for this pool. - range_start = 192.0.2.1 - range_stop = 192.0.2.254 - -- # netmask: -- # The network mask used for this pool. -+ # The network mask used for this pool. - netmask = 255.255.255.0 - -- # cache_size: -- # The gdbm cache size for the db files. Should -- # be equal to the number of ip's available in -- # the ip pool -+ # The gdbm cache size for the db files. Should -+ # be equal to the number of ip's available in -+ # the ip pool - cache_size = 800 - -- # session-db: -- # The main db file used to allocate addresses. -- session_db = ${db_dir}/db.ippool -- -- # ip-index: -- # Helper db index file used in multilink -+ # Helper db index file used in multilink - ip_index = ${db_dir}/db.ipindex - -- # override: -- # If set, the Framed-IP-Address already in the -- # reply (if any) will be discarded, and replaced -- # with a Framed-IP-Address assigned here. 
-+ # If set, the Framed-IP-Address already in the -+ # reply (if any) will be discarded, and replaced -+ # ith a Framed-IP-Address assigned here. - override = no - -- # maximum-timeout: -- # Specifies the maximum time in seconds that an -- # entry may be active. If set to zero, means -- # "no timeout". The default value is 0 -+ # Specifies the maximum time in seconds that an -+ # entry may be active. If set to zero, means -+ # "no timeout". The default value is 0 - maximum_timeout = 0 - -- # key: -- # The key to use for the session database (which -- # holds the allocated ip's) normally it should -- # just be the nas ip/port (which is the default). -+ # The key to use for the session database (which -+ # holds the allocated ip's) normally it should -+ # just be the nas ip/port (which is the default). - # -- # If your NAS sends the same value of NAS-Port -- # all requests, the key should be based on some -- # other attribute that is in ALL requests, AND -- # is unique to each machine needing an IP address. -- #key = "%{NAS-IP-Address} %{NAS-Port}" -+ # If your NAS sends the same value of NAS-Port -+ # all requests, the key should be based on some -+ # other attribute that is in ALL requests, AND -+ # is unique to each machine needing an IP address. -+# key = "%{NAS-IP-Address} %{NAS-Port}" - } -commit 82d3d851e03fdc403c6694d5470905c489acb1b5 -Author: Alan T. DeKok -Date: Sat Jan 18 15:58:28 2014 -0500 - - Set the default length for the attributes - -diff --git a/src/lib/valuepair.c b/src/lib/valuepair.c -index d1d1fca..ac955ad 100644 ---- a/src/lib/valuepair.c -+++ b/src/lib/valuepair.c -@@ -109,6 +109,8 @@ VALUE_PAIR *pairalloc(TALLOC_CTX *ctx, DICT_ATTR const *da) - vp->op = T_OP_EQ; - vp->type = VT_NONE; - -+ vp->length = da->flags.length; -+ - talloc_set_destructor(vp, _pairfree); - - return vp; diff --git a/SOURCES/freeradius-make-grp-tallo-c-too.patch b/SOURCES/freeradius-make-grp-tallo-c-too.patch new file mode 100644 index 0000000..ad7d192 --- /dev/null 
+++ b/SOURCES/freeradius-make-grp-tallo-c-too.patch @@ -0,0 +1,53 @@ +From d51daa8f56f5c55f2effdb308ef4a14016118753 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" +Date: Sun, 5 Oct 2014 17:22:26 -0400 +Subject: [PATCH 1/1] Make grp tallo'c, too + +--- + src/modules/rlm_unix/rlm_unix.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/src/modules/rlm_unix/rlm_unix.c b/src/modules/rlm_unix/rlm_unix.c +index 0a01074..9e55c26 100644 +--- a/src/modules/rlm_unix/rlm_unix.c ++++ b/src/modules/rlm_unix/rlm_unix.c +@@ -75,20 +75,20 @@ static const CONF_PARSER module_config[] = { + #else + static struct group *fr_getgrnam(TALLOC_CTX *ctx, char const *name) + { +- struct group *grp, my_group; ++ struct group *grp, *result; + char *group_buffer; + size_t group_size = 1024; + +- grp = NULL; +- group_buffer = talloc_array(ctx, char, group_size); ++ grp = talloc(ctx, struct group); ++ group_buffer = talloc_array(grp, char, group_size); + while (group_buffer) { + int err; + +- err = getgrnam_r(name, &my_group, group_buffer, group_size, &grp); ++ err = getgrnam_r(name, grp, group_buffer, group_size, &result); + if (err == ERANGE) { + group_size *= 2; + talloc_free(group_buffer); +- group_buffer = talloc_array(ctx, char, group_size); ++ group_buffer = talloc_array(grp, char, group_size); + continue; + } + +@@ -145,6 +145,10 @@ static int groupcmp(UNUSED void *instance, REQUEST *req, UNUSED VALUE_PAIR *requ + } + } + ++#ifdef HAVE_GETGRNAM_R ++ talloc_free(grp); ++#endif ++ + return retval; + } + +-- +2.1.1 + diff --git a/SOURCES/freeradius-man-remove-client-attribute-description.patch b/SOURCES/freeradius-man-remove-client-attribute-description.patch new file mode 100644 index 0000000..8acb7b2 --- /dev/null +++ b/SOURCES/freeradius-man-remove-client-attribute-description.patch 
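Review bot: fr_getgrnam now allocates `grp` up front and passes `result` as getgrnam_r's output pointer, but nothing in the hunk reads `result`, and the function's return is outside the hunk; if it still returns `grp`, a not-found lookup (getgrnam_r returning 0 with `result == NULL`) now yields a pointer to an uninitialised struct group instead of NULL, and groupcmp's membership test reads garbage. The tail should decide on `result`, for instance `if (!result) { talloc_free(grp); return NULL; }` before returning `grp`, and free `grp` on the error path as well. `talloc(ctx, struct group)` is also passed straight to talloc_array without a NULL check, so an allocation failure becomes a NULL context rather than an error. The added `talloc_free(grp)` in groupcmp covers only its final return; any earlier returns in that function are outside the hunk.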
@@ -0,0 +1,100 @@ +From ca2eedaad0bc27dd6a540e61c583f0b745641a84 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Tue, 2 Dec 2014 16:39:28 +0200 +Subject: [PATCH 1/2] man: Remove client attribute description + +Remove attribute description from clients.conf(5) source as it is +outdated, lists just a few attributes and wasn't updated for more than a +year. Refer to clients.conf file itself, instead. +--- + man/man5/clients.conf.5 | 74 +++---------------------------------------------- + 1 file changed, 4 insertions(+), 70 deletions(-) + +diff --git a/man/man5/clients.conf.5 b/man/man5/clients.conf.5 +index 9af246a..f9207d1 100644 +--- a/man/man5/clients.conf.5 ++++ b/man/man5/clients.conf.5 +@@ -26,76 +26,10 @@ client { + = + } + .fi +-.SH ATTRIBUTES +-The attributes that can appear in a +-.B client +-section are listed below. Required attributes are labelled as +-such. All other attributes are optional. +-.TP 0.5i +-.B ipaddr [Required] +-The IP address of the client. For IPv6, use "ipv6addr" +-.TP 0.5i +-.B secret [Required] +-The RADIUS shared secret used for communication between the client/NAS +-and the RADIUS server. +-.TP 0.5i +-.B shortname [optional] +-A short alias that can be used in place of the IP address or fully +-qualified hostname provided in the first line of the section. +-.TP 0.5i +-.B nas_type +-The nas_type attribute is used to tell the +-.BR checkrad.pl +-script which NAS-specific method it should use when checking +-simultaneous use. +- +-The following values are currently recognized: +-.nf +-cisco +-computone +-livingston +-max40xx +-multitech +-netserver +-pathras +-patton +-portslave +-tc +-usrhiper +-other +-.fi +-.TP 0.5i +-.B login +-Reserved for future use. +-.TP 0.5i +-.B password +-Reserved for future use. +-.SH EXAMPLES +-.IP +-.nf +-client localhost { +- ipaddr = 127.0.0.1 +- secret = testing123 +- shortname = localhost +- nas_type = other +-} +-.fi +-.LP +-This adds a client for the loopback address. 
This is useful in testing +-the +-server locally, for example with +-.BR radclient (1). +-.IP +-.nf +-client private-network-1 { +- ipaddr = 192.0.2.0 +- netmask = 24 +- secret = testing123-1 +- shortname = private-network-1 +-} +-.fi +-.LP +-This entry represents any client from the 192.0.2.0/24 network. ++.PP ++Clients have many configuration parameters. Most are documented in the file ++itself as comments. This page documents only the format of the file. Please ++read the \fBclients.conf\fP file itself for more information. + + The old-style format from 1.x is still accepted by the server, but + that form is deprecated. +-- +2.1.3 + diff --git a/SOURCES/freeradius-man-remove-references-to-naslist-and-clients.patch b/SOURCES/freeradius-man-remove-references-to-naslist-and-clients.patch new file mode 100644 index 0000000..df2ba67 --- /dev/null +++ b/SOURCES/freeradius-man-remove-references-to-naslist-and-clients.patch 
@@ -0,0 +1,67 @@ +From 55a489a7885608158f66823686d89eb7cf54d5a9 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Tue, 2 Dec 2014 16:43:49 +0200 +Subject: [PATCH 2/2] man: Remove references to naslist and clients + +Remove references to non-existent naslist and clients manpages as they +are confusing. +--- + man/man5/clients.conf.5 | 8 +++----- + man/man5/dictionary.5 | 1 - + man/man5/users.5 | 1 - + 3 files changed, 3 insertions(+), 7 deletions(-) + +diff --git a/man/man5/clients.conf.5 b/man/man5/clients.conf.5 +index f9207d1..6c6b3ee 100644 +--- a/man/man5/clients.conf.5 ++++ b/man/man5/clients.conf.5 +@@ -8,9 +8,9 @@ file contains definitions of RADIUS clients. + .PP + The information in this file overrides any information provided in + the deprecated +-.BR clients (5) ++.BR clients + and +-.BR naslist (5) ++.BR naslist + files. + .PP + The file format is the same as that used for +@@ -39,9 +39,7 @@ that form is deprecated. + .I /etc/raddb/radiusd.conf + .SH "SEE ALSO" + .BR radiusd (8), +-.BR radiusd.conf (5), +-.BR clients (5), +-.BR naslist (5) ++.BR radiusd.conf (5) + + .SH AUTHOR + FreeRADIUS is authored by the FreeRADIUS team. +diff --git a/man/man5/dictionary.5 b/man/man5/dictionary.5 +index 6b60602..d685081 100644 +--- a/man/man5/dictionary.5 ++++ b/man/man5/dictionary.5 +@@ -176,7 +176,6 @@ the attribute number should be used instead. + .I /usr/share/freeradius/dictionary.* + .SH "SEE ALSO" + .BR radiusd (8), +-.BR naslist (5), + .BR RFC2865, + .BR RFC2866, + .BR RFC2868 +diff --git a/man/man5/users.5 b/man/man5/users.5 +index ed8f471..c9aef82 100644 +--- a/man/man5/users.5 ++++ b/man/man5/users.5 +@@ -243,7 +243,6 @@ entries that set reply attributes. + .BR radclient (1), + .BR radiusd (8), + .BR dictionary (5), +-.BR naslist (5) + + .SH AUTHOR + The FreeRADIUS team. +-- +2.1.3 + 
diff --git a/SOURCES/freeradius-mention-eap-md5-in-radtest-synopsis.patch b/SOURCES/freeradius-mention-eap-md5-in-radtest-synopsis.patch new file mode 100644 index 0000000..20baad1 --- /dev/null +++ b/SOURCES/freeradius-mention-eap-md5-in-radtest-synopsis.patch @@ -0,0 +1,27 @@ +From b00d9a63963c4d5dec72d8c4671a72cde5c4ca69 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Mon, 27 Oct 2014 16:14:35 +0200 +Subject: [PATCH 1/2] man: Mention eap-md5 in radtest synopsis + +Add "eap-md5" to the possible values of -t option in radtest's manpage +SYNOPSIS to match the detailed description in the OPTIONS. +--- + man/man1/radtest.1 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/man/man1/radtest.1 b/man/man1/radtest.1 +index f4fdba3..587870c 100644 +--- a/man/man1/radtest.1 ++++ b/man/man1/radtest.1 +@@ -6,7 +6,7 @@ radtest - send packets to a RADIUS server, show reply + .RB [ \-d + .IR raddb_directory ] + .RB [ \-t +-.IR pap/chap/mschap ] ++.IR pap/chap/mschap/eap-md5 ] + .RB [ \-x + .IR ] + .RB [ \-4 +-- +2.1.1 + diff --git a/SOURCES/freeradius-mysql-schema.patch b/SOURCES/freeradius-mysql-schema.patch deleted file mode 100644 index a91aa69..0000000 --- a/SOURCES/freeradius-mysql-schema.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -diff -r -u freeradius-server-3.0.1.orig/raddb/mods-config/sql/main/mysql/schema.sql freeradius-server-3.0.1/raddb/mods-config/sql/main/mysql/schema.sql ---- freeradius-server-3.0.1.orig/raddb/mods-config/sql/main/mysql/schema.sql 2014-01-13 20:13:56.000000000 -0500 -+++ freeradius-server-3.0.1/raddb/mods-config/sql/main/mysql/schema.sql 2014-01-21 12:37:29.349480066 -0500 -@@ -28,7 +28,7 @@ - acctupdatetime datetime NULL default NULL, - acctstoptime datetime NULL default NULL, - acctinterval int(12) default NULL, -- acctsessiontime unsigned int(12) default NULL, -+ acctsessiontime int(12) unsigned default NULL, - acctauthentic varchar(32) default NULL, - connectinfo_start varchar(50) default NULL, - connectinfo_stop varchar(50) default NULL, diff --git a/SOURCES/freeradius-perl.patch b/SOURCES/freeradius-perl.patch deleted file mode 100644 index bdac7fb..0000000 --- a/SOURCES/freeradius-perl.patch +++ /dev/null @@ -1,19 +0,0 @@ -commit 57d0db0e1dfa3fc25d0bfc146fec1c89a446a9ea -Author: Alan T. DeKok -Date: Wed Jan 22 15:11:33 2014 -0500 - - Use size out output buffer, not size of output pointer - -diff --git a/src/lib/print.c b/src/lib/print.c -index a6e5391..5bc5e02 100644 ---- a/src/lib/print.c -+++ b/src/lib/print.c -@@ -266,7 +266,7 @@ size_t vp_prints_value(char *out, size_t outlen, VALUE_PAIR const *vp, int8_t qu - return strlen(out); - } - -- return fr_print_string(vp->vp_strvalue, vp->length, out, sizeof(out)); -+ return fr_print_string(vp->vp_strvalue, vp->length, out, outlen); - - case PW_TYPE_INTEGER: - if (vp->da->flags.has_tag) { diff --git a/SOURCES/freeradius-postgres-sql.patch b/SOURCES/freeradius-postgres-sql.patch index 33235b7..8746b45 100644 --- a/SOURCES/freeradius-postgres-sql.patch +++ b/SOURCES/freeradius-postgres-sql.patch 
@@ -1,6 +1,17 @@ ---- freeradius-server-3.0.0.orig/raddb/mods-config/sql/main/postgresql/setup.sql 2013-10-07 15:49:47.000000000 -0400 -+++ freeradius-server-3.0.0/raddb/mods-config/sql/main/postgresql/setup.sql 2013-12-13 12:58:38.261559789 -0500 -@@ -29,4 +29,7 @@ +From 797e2d603bdc4bea009f7e0053f2e41fdb9238a6 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Thu, 30 Oct 2014 12:15:44 +0200 +Subject: [PATCH 1/1] Fix PostgreSQL setup SQL permissions + +--- + raddb/mods-config/sql/main/postgresql/setup.sql | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/raddb/mods-config/sql/main/postgresql/setup.sql b/raddb/mods-config/sql/main/postgresql/setup.sql +index 26d08ca..407f414 100644 +--- a/raddb/mods-config/sql/main/postgresql/setup.sql ++++ b/raddb/mods-config/sql/main/postgresql/setup.sql +@@ -29,4 +29,7 @@ GRANT SELECT ON radusergroup TO radius; * The server can write to the accounting and post-auth logging table. */ GRANT SELECT, INSERT, UPDATE on radacct TO radius; @@ -8,3 +19,6 @@ + GRANT SELECT, INSERT, UPDATE on radpostauth TO radius; +GRANT SELECT, USAGE on radpostauth_id_seq TO radius; +-- +2.1.3 + diff --git a/SOURCES/freeradius-prefix-endian-macros.patch b/SOURCES/freeradius-prefix-endian-macros.patch new file mode 100644 index 0000000..80e3924 --- /dev/null +++ b/SOURCES/freeradius-prefix-endian-macros.patch 
@@ -0,0 +1,168 @@ +From 4a906c702ac31da5977eba6698fa5435474cb47f Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Wed, 1 Oct 2014 15:11:12 +0300 +Subject: [PATCH 3/4] Prefix *_ENDIAN macros with RADIUS_ + +Rename LITTLE_ENDIAN and BIG_ENDIAN macros to RADIUS_LITTLE_ENDIAN and +RADIUS_BIG_ENDIAN respectively to avoid clashes with +/usr/include/endian.h defines, which result in always assuming +little-endian architecture. +--- + configure | 4 ++-- + configure.ac | 4 ++-- + src/include/autoconf.h.in | 16 ++++++++-------- + src/include/build.h | 6 +++--- + src/include/missing-h | 4 ++-- + src/lib/missing.c | 2 +- + src/main/version.c | 4 ++-- + 7 files changed, 20 insertions(+), 20 deletions(-) + +diff --git a/configure b/configure +index f15072d..1b54efd 100755 +--- a/configure ++++ b/configure +@@ -4771,11 +4771,11 @@ $as_echo "$ac_cv_c_bigendian" >&6; } + case $ac_cv_c_bigendian in #( + yes) + +-$as_echo "#define BIG_ENDIAN 1" >>confdefs.h ++$as_echo "#define RADIUS_BIG_ENDIAN 1" >>confdefs.h + ;; #( + no) + +-$as_echo "#define LITTLE_ENDIAN 1" >>confdefs.h ++$as_echo "#define RADIUS_LITTLE_ENDIAN 1" >>confdefs.h + + ;; #( + universal) +diff --git a/configure.ac b/configure.ac +index 76466ec..30b226b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -167,8 +167,8 @@ dnl # check for system bytesex + dnl # AC_DEFINES WORDS_BIGENDIAN + dnl # + AC_C_BIGENDIAN( +- [AC_DEFINE(BIG_ENDIAN, 1, [Define if your processor stores words with the most significant byte first])], +- [AC_DEFINE(LITTLE_ENDIAN, 1, [Define if your processor stores words with the least significant byte first])] ++ [AC_DEFINE(RADIUS_BIG_ENDIAN, 1, [Define if your processor stores words with the most significant byte first])], ++ [AC_DEFINE(RADIUS_LITTLE_ENDIAN, 1, [Define if your processor stores words with the least significant byte first])] + ) + + dnl # +diff --git a/src/include/autoconf.h.in b/src/include/autoconf.h.in +index 6e6e355..c313bca 100644 +--- a/src/include/autoconf.h.in ++++ 
b/src/include/autoconf.h.in +@@ -3,10 +3,6 @@ + /* Define if building universal (internal helper macro) */ + #undef AC_APPLE_UNIVERSAL_BUILD + +-/* Define if your processor stores words with the most significant byte first +- */ +-#undef BIG_ENDIAN +- + /* BSD-Style get*byaddr_r */ + #undef BSDSTYLE + +@@ -443,10 +439,6 @@ + /* compiler specific 128 bit unsigned integer */ + #undef HAVE___UINT128_T + +-/* Define if your processor stores words with the least significant byte first +- */ +-#undef LITTLE_ENDIAN +- + /* define if you have OSFC2 authentication */ + #undef OSFC2 + +@@ -483,6 +475,14 @@ + /* Raw version string from VERSION file */ + #undef RADIUSD_VERSION_STRING + ++/* Define if your processor stores words with the most significant byte first ++ */ ++#undef RADIUS_BIG_ENDIAN ++ ++/* Define if your processor stores words with the least significant byte first ++ */ ++#undef RADIUS_LITTLE_ENDIAN ++ + /* Define as the return type of signal handlers (`int' or `void'). */ + #undef RETSIGTYPE + +diff --git a/src/include/build.h b/src/include/build.h +index 66c3087..4c1bf1a 100644 +--- a/src/include/build.h ++++ b/src/include/build.h +@@ -105,13 +105,13 @@ extern "C" { + * Here at least the endianess can be set explicitly with + * -DLITTLE_ENDIAN or -DBIG_ENDIAN. 
+ */ +-#if !defined(LITTLE_ENDIAN) && !defined(BIG_ENDIAN) ++#if !defined(RADIUS_LITTLE_ENDIAN) && !defined(RADIUS_BIG_ENDIAN) + # if defined(__LITTLE_ENDIAN__) || \ + (defined(__BYTE_ORDER__) && (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)) +-# define LITTLE_ENDIAN 1 ++# define RADIUS_LITTLE_ENDIAN 1 + # elif defined(__BIG_ENDIAN__) || \ + (defined(__BYTE_ORDER__) && (__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__)) +-# define BIG_ENDIAN 1 ++# define RADIUS_BIG_ENDIAN 1 + # else + # error Failed determining endianness of system + # endif +diff --git a/src/include/missing-h b/src/include/missing-h +index 3f286a4..7136172 100644 +--- a/src/include/missing-h ++++ b/src/include/missing-h +@@ -424,7 +424,7 @@ typedef struct int128_t { uint8_t v[16]; } int128_t; + + /* abcd efgh -> dcba hgfe -> hgfe dcba */ + #ifndef HAVE_HTON_LL +-# ifdef LITTLE_ENDIAN ++# ifdef RADIUS_LITTLE_ENDIAN + # ifdef HAVE_BUILTIN_BSWAP64 + # define ntohll(x) __builtin_bswap64(x) + # else +@@ -437,7 +437,7 @@ typedef struct int128_t { uint8_t v[16]; } int128_t; + #endif + + #ifndef HAVE_HTON_LLL +-# ifdef LITTLE_ENDIAN ++# ifdef RADIUS_LITTLE_ENDIAN + # ifdef HAVE_128BIT_INTEGERS + # define ntohlll(x) (((uint128_t)ntohll((uint64_t)(x >> 64))) | (((uint128_t)ntohll(((uint64_t) x)) << 64))) + # else +diff --git a/src/lib/missing.c b/src/lib/missing.c +index 4598c8f..efd5461 100644 +--- a/src/lib/missing.c ++++ b/src/lib/missing.c +@@ -273,7 +273,7 @@ ntp2timeval(struct timeval *tv, char const *ntp) + tv->tv_usec = usec / 4295; /* close enough */ + } + +-#if !defined(HAVE_128BIT_INTEGERS) && defined(LITTLE_ENDIAN) ++#if !defined(HAVE_128BIT_INTEGERS) && defined(RADIUS_LITTLE_ENDIAN) + /** Swap byte order of 128 bit integer + * + * @param num 128bit integer to swap. 
+diff --git a/src/main/version.c b/src/main/version.c +index 0aba383..8b56ffa 100644 +--- a/src/main/version.c ++++ b/src/main/version.c +@@ -276,9 +276,9 @@ void version(void) + DEBUG3(" 0x%llx", (unsigned long long) libmagic); + + DEBUG3("Endianess:"); +-#if defined(LITTLE_ENDIAN) ++#if defined(RADIUS_LITTLE_ENDIAN) + DEBUG3(" little"); +-#elif defined(BIG_ENDIAN) ++#elif defined(RADIUS_BIG_ENDIAN) + DEBUG3(" big"); + #else + DEBUG3(" unknown"); +-- +2.1.0 + diff --git a/SOURCES/freeradius-rad_counter-Refine-help-message.patch b/SOURCES/freeradius-rad_counter-Refine-help-message.patch new file mode 100644 index 0000000..40d9b0c --- /dev/null +++ b/SOURCES/freeradius-rad_counter-Refine-help-message.patch 
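Review bot: The build.h hunk keeps the comment directly above the guard saying the byte order `can be set explicitly with -DLITTLE_ENDIAN or -DBIG_ENDIAN`, but after this rename those flags are ignored and only `-DRADIUS_LITTLE_ENDIAN` / `-DRADIUS_BIG_ENDIAN` are honoured; the comment should name the new macros. Since the motivation is that endian.h defines both LITTLE_ENDIAN and BIG_ENDIAN at once, it would also be worth rejecting the contradictory state the old code could not detect: after the existing `#if`/`#endif` block add `#if defined(RADIUS_LITTLE_ENDIAN) && defined(RADIUS_BIG_ENDIAN)`, `# error Both RADIUS_LITTLE_ENDIAN and RADIUS_BIG_ENDIAN are defined`, `#endif`. This matters because missing-h appears to choose the ntohll/ntohlll byte-swapping definitions from RADIUS_LITTLE_ENDIAN alone, so a wrong or doubly-defined setting would silently mis-decode 64/128-bit values on big-endian hosts.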
@@ -0,0 +1,64 @@ +From 68b1b158029501208d1c6a60aa2794d9589c2a08 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Fri, 5 Dec 2014 12:24:37 +0200 +Subject: [PATCH 2/3] rad_counter: Refine help message + +Refine rad_counter help message: + +* use executable name without path, +* add program purpose, +* shorten usage summary line for clarity, +* separate arguments and options, +* add full stops to sentences, +* wrap a long line. +--- + src/modules/rlm_counter/rad_counter | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +diff --git a/src/modules/rlm_counter/rad_counter b/src/modules/rlm_counter/rad_counter +index b6c1159..1beef29 100755 +--- a/src/modules/rlm_counter/rad_counter ++++ b/src/modules/rlm_counter/rad_counter +@@ -6,6 +6,7 @@ use warnings ; + use GDBM_File ; + use Fcntl ; + use Getopt::Long; ++use File::Basename; + + my $user = ''; + my $divisor = 1; +@@ -19,17 +20,22 @@ my $help = 0; + $filename = ''; + + sub show_help { +- print <<"EOF"; +-Usage: $0 --file= [--reset=] [--match=] +-[--user=] [--help] [--hours|--minutes|--seconds] ++ my $progname = basename($0); ++ print < [OPTION...] ++Query and maintain FreeRADIUS rlm_counter DB file. + +---user= Information for specific user +---file= Counter db filename +---match= Information for matching users ++Arguments: ++--file= Counter DB filename. ++ ++Options: ++--user= Information for specific user. ++--match= Information for matching users. + --reset= Reset counter to . +- If divisor is set use it, else means seconds +---help Show this help screen +---(hours|minutes|seconds) Specify information divisor ++ If divisor is set use it, ++ else means seconds. ++--help Show this help screen. ++--(hours|minutes|seconds) Specify information divisor. + EOF + exit 0; + } +-- +2.1.3 + diff --git a/SOURCES/freeradius-rad_counter-use-heredoc-for-help-message.patch b/SOURCES/freeradius-rad_counter-use-heredoc-for-help-message.patch new file mode 100644 index 0000000..d18fea7 
--- /dev/null +++ b/SOURCES/freeradius-rad_counter-use-heredoc-for-help-message.patch @@ -0,0 +1,47 @@ +From 70686e8d2b400a804277ba0cdc664e71dd393dd5 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Fri, 5 Dec 2014 12:12:19 +0200 +Subject: [PATCH 1/3] rad_counter: Use heredoc for help message + +Use Perl's here document syntax for rad_counter's help message and +replace tab escape sequences with spaces to make the source more +readable and easier to modify. +--- + src/modules/rlm_counter/rad_counter | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/src/modules/rlm_counter/rad_counter b/src/modules/rlm_counter/rad_counter +index be0a33a..b6c1159 100755 +--- a/src/modules/rlm_counter/rad_counter ++++ b/src/modules/rlm_counter/rad_counter +@@ -19,15 +19,18 @@ my $help = 0; + $filename = ''; + + sub show_help { +- print "Usage: $0 --file= [--reset=] [--match=]\n"; +- print "[--user=] [--help] [--hours|--minutes|--seconds]\n\n"; +- print "--user=", "\t\t", "Information for specific user\n"; +- print "--file=", "\t\t", "Counter db filename\n"; +- print "--match=", "\t\t", "Information for matching users\n"; +- print "--reset=", "\t\t", "Reset counter to .\n"; +- print "\t\t\t\t", "If divisor is set use it, else means seconds\n"; +- print "--help", "\t\t\t\t", "Show this help screen\n"; +- print "--(hours|minutes|seconds)", "\t", "Specify information divisor\n"; ++ print <<"EOF"; ++Usage: $0 --file= [--reset=] [--match=] ++[--user=] [--help] [--hours|--minutes|--seconds] ++ ++--user= Information for specific user ++--file= Counter db filename ++--match= Information for matching users ++--reset= Reset counter to . ++ If divisor is set use it, else means seconds ++--help Show this help screen ++--(hours|minutes|seconds) Specify information divisor ++EOF + exit 0; + } + +-- +2.1.3 + 
diff --git a/SOURCES/freeradius-raddb-Comment-on-ipaddr-ipv4addr-ipv6addr-use.patch b/SOURCES/freeradius-raddb-Comment-on-ipaddr-ipv4addr-ipv6addr-use.patch new file mode 100644 index 0000000..5f36338 --- /dev/null +++ b/SOURCES/freeradius-raddb-Comment-on-ipaddr-ipv4addr-ipv6addr-use.patch @@ -0,0 +1,49 @@ +From 40537a80edeba25853df745e969f1b0bd5bc71bf Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Thu, 18 Dec 2014 16:13:58 +0200 +Subject: [PATCH 1/1] raddb: Comment on ipaddr/ipv4addr/ipv6addr use + +Describe combined ipaddr/ipv4addr/ipv6addr use in +raddb/sites-available/default. +--- + raddb/sites-available/default | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/raddb/sites-available/default b/raddb/sites-available/default +index 77c271c..77602e4 100644 +--- a/raddb/sites-available/default ++++ b/raddb/sites-available/default +@@ -84,17 +84,22 @@ listen { + # source IP address for packets sent to a home server, the + # proxy listeners are automatically created. + +- # IP address on which to listen. ++ # ipaddr/ipv4addr/ipv6addr - IP address on which to listen. ++ # Out of several options the first one will be used. ++ # + # Allowed values are: +- # dotted quad (1.2.3.4) +- # hostname (radius.example.com) +- # wildcard (*) ++ # IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr) ++ # IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr) ++ # hostname (radius.example.com, ++ # A record for ipv4addr, ++ # AAAA record for ipv6addr, ++ # A or AAAA record for ipaddr) ++ # wildcard (*) ++ # ++ # ipv4addr = * ++ # ipv6addr = * + ipaddr = * + +- # OR, you can use an IPv6 address, but not both +- # at the same time. +-# ipv6addr = :: # any. ::1 == localhost +- + # Port on which to listen. + # Allowed values are: + # integer port number (1812) +-- +2.1.3 + 
diff --git a/SOURCES/freeradius-raddb-Move-trigger.conf-INCLUDE-before-modules.patch b/SOURCES/freeradius-raddb-Move-trigger.conf-INCLUDE-before-modules.patch new file mode 100644 index 0000000..994dda0 --- /dev/null +++ b/SOURCES/freeradius-raddb-Move-trigger.conf-INCLUDE-before-modules.patch 
@@ -0,0 +1,62 @@ +From 1b32a0e398871f0f5b7b41d200b1b9db371e84d5 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Mon, 15 Dec 2014 16:48:26 +0200 +Subject: [PATCH 1/1] raddb: Move trigger.conf INCLUDE before modules + +Move "$INCLUDE trigger.conf" chunk before module section in +"radiusd.conf.in". This makes it possible to reference "snmptrap" and +related trigger variables under "pool.trigger" in module configurations, +simplifying them. + +E.g. like this (in raddb/mods-enabled/ldap): + +ldap ldap_instance { + pool { + trigger { + args = "radiusdModuleName s '${...:name}' radiusdModuleInstance s '${...:instance}'" + open = "${snmptrap}::serverModuleConnectionUp ${args}" + close = "${snmptrap}::serverModuleConnectionDown ${args}" + } + } +} +--- + raddb/radiusd.conf.in | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in +index c6d5834..fb7d1bd 100644 +--- a/raddb/radiusd.conf.in ++++ b/raddb/radiusd.conf.in +@@ -648,6 +648,14 @@ thread pool { + auto_limit_acct = no + } + ++###################################################################### ++# ++# SNMP notifications. Uncomment the following line to enable ++# snmptraps. Note that you MUST also configure the full path ++# to the "snmptrap" command in the "trigger.conf" file. ++# ++#$INCLUDE trigger.conf ++ + # MODULE CONFIGURATION + # + # The names and configuration of each module is located in this section. +@@ -780,14 +788,6 @@ policy { + + ###################################################################### + # +-# SNMP notifications. Uncomment the following line to enable +-# snmptraps. Note that you MUST also configure the full path +-# to the "snmptrap" command in the "trigger.conf" file. +-# +-#$INCLUDE trigger.conf +- +-###################################################################### +-# + # Load virtual servers. + # + # This next $INCLUDE line loads files in the directory that +-- +2.1.3 + 
diff --git a/SOURCES/freeradius-raddb-remove-extra-apostrophe-from-trigger.conf.patch b/SOURCES/freeradius-raddb-remove-extra-apostrophe-from-trigger.conf.patch new file mode 100644 index 0000000..99592c4 --- /dev/null +++ b/SOURCES/freeradius-raddb-remove-extra-apostrophe-from-trigger.conf.patch @@ -0,0 +1,30 @@ +From e37dbd2dd0f20ff255ddc934296afa67e59695c6 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Thu, 16 Oct 2014 13:48:32 +0300 +Subject: [PATCH 2/4] raddb: Remove extra apostrophe from trigger.conf + +Remove a spurious apostrophe from trigger.conf's trigger.modules.args. + +This fixes module triggers, otherwise producing this error: + + rad_expand_xlat: Invalid string passed as argument +--- + raddb/trigger.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/raddb/trigger.conf b/raddb/trigger.conf +index aa846c3..b80089c 100644 +--- a/raddb/trigger.conf ++++ b/raddb/trigger.conf +@@ -194,7 +194,7 @@ trigger { + # "trigger" subsection in the module configuration. + modules { + # Common arguments +- args = "radiusdModuleName s ldap' radiusdModuleInstance s ''" ++ args = "radiusdModuleName s ldap radiusdModuleInstance s ''" + + # The files module + files { +-- +2.1.1 + diff --git a/SOURCES/freeradius-raddb-update-triggers-in-trigger.conf.patch b/SOURCES/freeradius-raddb-update-triggers-in-trigger.conf.patch new file mode 100644 index 0000000..58bd9bc --- /dev/null +++ b/SOURCES/freeradius-raddb-update-triggers-in-trigger.conf.patch 
@@ -0,0 +1,70 @@ +From 7162088ec80add0e83d1073b67001546be3d0d8d Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Thu, 23 Oct 2014 13:56:46 +0300 +Subject: [PATCH 1/1] raddb: Update triggers in trigger.conf + +Update trigger.conf's available triggers and comments to correspond to +actual code. +--- + raddb/trigger.conf | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/raddb/trigger.conf b/raddb/trigger.conf +index 44f9f36..413a182 100644 +--- a/raddb/trigger.conf ++++ b/raddb/trigger.conf +@@ -222,11 +222,8 @@ trigger { + # A connection to the DB has been closed + close = "${snmptrap}::serverModuleConnectionDown ${args}" + +- # Failed to open a new connection to the DB +- fail = "${snmptrap}::serverModuleConnectionFail ${args}" +- +- # There are no DB handles available. +- none = "${snmptrap}::serverModuleConnectionNone ${args}" ++ # The module has been HUP'd via radmin ++ hup = "${snmptrap}::serverModuleHup ${args}" + } + + # The SQL module +@@ -243,12 +240,13 @@ trigger { + # Failed to open a new connection to the DB + fail = "${snmptrap}::serverModuleConnectionFail ${args}" + +- # There are no DB handles available. +- none = "${snmptrap}::serverModuleConnectionNone ${args}" ++ # The module has been HUP'd via radmin ++ hup = "${snmptrap}::serverModuleHup ${args}" + } + +- # You can use the same opn / close / fail / none triggers for +- # any module which uses the "pool" directive. ++ # You can also use connection pool's start/stop/open/close triggers ++ # for any module which uses the "pool" section, here and under ++ # pool.trigger in module configuration. 
+ } + } + +@@ -267,10 +265,9 @@ trigger { + # home_server_pool.fallback + # home_server_pool.normal + # modules.*.hup +-# modules.ldap.fail ++# modules.ldap.timeout + # modules.sql.close + # modules.sql.fail +-# modules.sql.none + # modules.sql.open + # server.client.add + # server.max_requests +@@ -278,3 +275,7 @@ trigger { + # server.signal.term + # server.start + # server.stop ++# server.thread.max_threads ++# server.thread.start ++# server.thread.stop ++# server.thread.unresponsive +-- +2.1.1 + diff --git a/SOURCES/freeradius-raddb-use-appropriate-module-names-in-traps.patch b/SOURCES/freeradius-raddb-use-appropriate-module-names-in-traps.patch new file mode 100644 index 0000000..0455dbb --- /dev/null +++ b/SOURCES/freeradius-raddb-use-appropriate-module-names-in-traps.patch 
@@ -0,0 +1,83 @@ +From 039f85dfe9a09478c9581b87113e73e2205abd53 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Thu, 16 Oct 2014 13:59:51 +0300 +Subject: [PATCH 3/4] raddb: Use appropriate module names in traps + +Specify appropriate module names for all module traps in trigger.conf, +instead of using "ldap" for all. +--- + raddb/trigger.conf | 29 +++++++++++++++++++---------- + 1 file changed, 19 insertions(+), 10 deletions(-) + +diff --git a/raddb/trigger.conf b/raddb/trigger.conf +index b80089c..44f9f36 100644 +--- a/raddb/trigger.conf ++++ b/raddb/trigger.conf +@@ -194,12 +194,15 @@ trigger { + # "trigger" subsection in the module configuration. + modules { + # Common arguments +- args = "radiusdModuleName s ldap radiusdModuleInstance s ''" ++ args = "radiusdModuleInstance s ''" + + # The files module + files { ++ # Common arguments ++ args = "radiusdModuleName s files ${..args}" ++ + # The module has been HUP'd via radmin +- hup = "${snmptrap}::serverModuleHup ${..args}" ++ hup = "${snmptrap}::serverModuleHup ${args}" + + # Note that "hup" can be used for every module + # which can be HUP'd via radmin +@@ -210,32 +213,38 @@ trigger { + # an LDAP connection ofr every "bind as user". Be aware that + # this will likely produce a lot of triggers. + ldap { ++ # Common arguments ++ args = "radiusdModuleName s ldap ${..args}" ++ + # A new connection to the DB has been opened +- open = "${snmptrap}::serverModuleConnectionUp ${..args}" ++ open = "${snmptrap}::serverModuleConnectionUp ${args}" + + # A connection to the DB has been closed +- close = "${snmptrap}::serverModuleConnectionDown ${..args}" ++ close = "${snmptrap}::serverModuleConnectionDown ${args}" + + # Failed to open a new connection to the DB +- fail = "${snmptrap}::serverModuleConnectionFail ${..args}" ++ fail = "${snmptrap}::serverModuleConnectionFail ${args}" + + # There are no DB handles available. 
+- none = "${snmptrap}::serverModuleConnectionNone ${..args}" ++ none = "${snmptrap}::serverModuleConnectionNone ${args}" + } + + # The SQL module + sql { ++ # Common arguments ++ args = "radiusdModuleName s sql ${..args}" ++ + # A new connection to the DB has been opened +- open = "${snmptrap}::serverModuleConnectionUp ${..args}" ++ open = "${snmptrap}::serverModuleConnectionUp ${args}" + + # A connection to the DB has been closed +- close = "${snmptrap}::serverModuleConnectionDown ${..args}" ++ close = "${snmptrap}::serverModuleConnectionDown ${args}" + + # Failed to open a new connection to the DB +- fail = "${snmptrap}::serverModuleConnectionFail ${..args}" ++ fail = "${snmptrap}::serverModuleConnectionFail ${args}" + + # There are no DB handles available. +- none = "${snmptrap}::serverModuleConnectionNone ${..args}" ++ none = "${snmptrap}::serverModuleConnectionNone ${args}" + } + + # You can use the same opn / close / fail / none triggers for +-- +2.1.1 + diff --git a/SOURCES/freeradius-redhat-config.patch b/SOURCES/freeradius-redhat-config.patch index 3a7e428..7baf80d 100644 --- a/SOURCES/freeradius-redhat-config.patch +++ b/SOURCES/freeradius-redhat-config.patch 
@@ -1,38 +1,50 @@ -diff -r -u freeradius-server-3.0.0.orig/raddb/mods-available/eap freeradius-server-3.0.0/raddb/mods-available/eap ---- freeradius-server-3.0.0.orig/raddb/mods-available/eap 2013-10-07 15:49:47.000000000 -0400 -+++ freeradius-server-3.0.0/raddb/mods-available/eap 2013-11-26 17:48:56.081183431 -0500 -@@ -435,7 +435,7 @@ +From 61aa3696bb0179a8296e4f389f34ffc31424dbf1 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Mon, 8 Sep 2014 12:32:13 +0300 +Subject: [PATCH 1/1] Adjust configuration to fit Red Hat specifics + +--- + raddb/mods-available/eap | 4 ++-- + raddb/radiusd.conf.in | 7 +++---- + 2 files changed, 5 insertions(+), 6 deletions(-) + +diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap +index 6938171..95ef666 100644 +--- a/raddb/mods-available/eap ++++ b/raddb/mods-available/eap +@@ -430,7 +430,7 @@ eap { # # You should also delete all of the files # in the directory when the server starts. -- # tmpdir = /tmp/radiusd -+ # tmpdir = /var/run/radiusd/tmp - +- # tmpdir = /tmp/radiusd ++ # tmpdir = /var/run/radiusd/tmp + # The command used to verify the client cert. # We recommend using the OpenSSL command-line -@@ -449,7 +449,7 @@ +@@ -444,7 +444,7 @@ eap { # in PEM format. This file is automatically # deleted by the server when the command # returns. 
-- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" -+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" +- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" ++ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" } - + # -diff -r -u freeradius-server-3.0.0.orig/raddb/radiusd.conf.in freeradius-server-3.0.0/raddb/radiusd.conf.in ---- freeradius-server-3.0.0.orig/raddb/radiusd.conf.in 2013-10-07 15:49:47.000000000 -0400 -+++ freeradius-server-3.0.0/raddb/radiusd.conf.in 2013-11-26 17:24:52.263467793 -0500 -@@ -71,8 +71,7 @@ +diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in +index 307ae10..7cf71be 100644 +--- a/raddb/radiusd.conf.in ++++ b/raddb/radiusd.conf.in +@@ -70,8 +70,7 @@ certdir = ${confdir}/certs cadir = ${confdir}/certs run_dir = ${localstatedir}/run/${name} - + -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} +db_dir = ${localstatedir}/lib/radiusd - + # # libdir: Where to find the rlm_* modules. -@@ -376,8 +375,8 @@ +@@ -415,8 +414,8 @@ security { # member. This can allow for some finer-grained access # controls. # @@ -40,6 +52,9 @@ diff -r -u freeradius-server-3.0.0.orig/raddb/radiusd.conf.in freeradius-server- -# group = radius + user = radiusd + group = radiusd - + # Core dumps are a bad thing. This should only be set to # 'yes' if you're debugging a problem with the server. +-- +2.1.0 + diff --git a/SOURCES/freeradius-rlm_pap-overflow.patch b/SOURCES/freeradius-rlm_pap-overflow.patch deleted file mode 100644 index a1ae93a..0000000 --- a/SOURCES/freeradius-rlm_pap-overflow.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From ff5147c9e5088c7cf5c0b6ec6bfdd3a9d2042a28 Mon Sep 17 00:00:00 2001 -From: Arran Cudbard-Bell -Date: Thu, 13 Feb 2014 13:49:54 +0000 -Subject: [PATCH 1/1] Fix potential crash with SSHA and salts > 44bytes - ---- - src/modules/rlm_pap/rlm_pap.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c -index 689acf0..1bf6d4e 100644 ---- a/src/modules/rlm_pap/rlm_pap.c -+++ b/src/modules/rlm_pap/rlm_pap.c -@@ -123,7 +123,7 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance) - static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length) - { - -- uint8_t buffer[64]; -+ uint8_t buffer[256]; - - if (min_length >= sizeof(buffer)) return; /* paranoia */ - -@@ -132,9 +132,10 @@ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length) - */ - if (vp->length >= (2 * min_length)) { - size_t decoded; -- decoded = fr_hex2bin(buffer, vp->vp_strvalue, vp->length >> 1); -+ decoded = fr_hex2bin(buffer, vp->vp_strvalue, sizeof(buffer)); - if (decoded == (vp->length >> 1)) { -- RDEBUG2("Normalizing %s from hex encoding", vp->da->name); -+ RDEBUG2("Normalizing %s from hex encoding, %zu bytes -> %zu bytes", -+ vp->da->name, vp->length, decoded); - pairmemcpy(vp, buffer, decoded); - return; - } -@@ -150,7 +151,8 @@ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length) - sizeof(buffer)); - if (decoded < 0) return; - if (decoded >= (ssize_t) min_length) { -- RDEBUG2("Normalizing %s from base64 encoding", vp->da->name); -+ RDEBUG2("Normalizing %s from base64 encoding, %zu bytes -> %zu bytes", -+ vp->da->name, vp->length, decoded); - pairmemcpy(vp, buffer, decoded); - return; - } --- -1.8.5.3 - diff --git a/SOURCES/freeradius-talloc-dummy-request.patch b/SOURCES/freeradius-talloc-dummy-request.patch new file mode 100644 index 0000000..e84111f --- /dev/null +++ b/SOURCES/freeradius-talloc-dummy-request.patch 
@@ -0,0 +1,48 @@
+From 03c5915208234255484ece4c233c9e252776e3a3 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov
+Date: Mon, 29 Sep 2014 17:40:10 +0300
+Subject: [PATCH 1/1] process: Talloc home_trigger dummy request
+
+Allocate the dummy request in home_trigger with talloc, instead of
+allocating it on the stack, as the rest of the code expects it to be a
+valid talloc context.
+
+This fixes a talloc_abort resulting from xlat_tokenize_request invoking
+talloc_typed_strdup with the dummy request as the talloc context.
+---
+ src/main/process.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/main/process.c b/src/main/process.c
+index 76ce4ea..7e1a51e 100644
+--- a/src/main/process.c
++++ b/src/main/process.c
+@@ -3212,16 +3212,17 @@ static void ping_home_server(void *ctx)
+
+ static void home_trigger(home_server_t *home, char const *trigger)
+ {
+- REQUEST my_request;
+- RADIUS_PACKET my_packet;
++ REQUEST *my_request;
++ RADIUS_PACKET *my_packet;
+
+- memset(&my_request, 0, sizeof(my_request));
+- memset(&my_packet, 0, sizeof(my_packet));
+- my_request.proxy = &my_packet;
+- my_packet.dst_ipaddr = home->ipaddr;
+- my_packet.src_ipaddr = home->src_ipaddr;
++ my_request = talloc_zero(NULL, REQUEST);
++ my_packet = talloc_zero(my_request, RADIUS_PACKET);
++ my_request->proxy = my_packet;
++ my_packet->dst_ipaddr = home->ipaddr;
++ my_packet->src_ipaddr = home->src_ipaddr;
+
+- exec_trigger(&my_request, home->cs, trigger, false);
++ exec_trigger(my_request, home->cs, trigger, false);
++ talloc_free(my_request);
+ }
+
+ static void mark_home_server_zombie(home_server_t *home, struct timeval *now, struct timeval *response_window)
+--
+2.1.0
+
diff --git a/SOURCES/freeradius-valuepair-don-t-remove-unkown-backslash.patch b/SOURCES/freeradius-valuepair-don-t-remove-unkown-backslash.patch
new file mode 100644
index 0000000..2607c54
--- /dev/null
+++ b/SOURCES/freeradius-valuepair-don-t-remove-unkown-backslash.patch
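Review bot: `my_request = talloc_zero(NULL, REQUEST);` and the following `talloc_zero(my_request, RADIUS_PACKET)` are dereferenced on the next lines without a NULL check, so an allocation failure inside home_trigger becomes a NULL dereference instead of a skipped trigger. A guard such as `if (!my_request) return;` after the first allocation and `if (!my_packet) { talloc_free(my_request); return; }` after the second keeps the hook best-effort, which is what a notification on a home-server state change should be. The normal path already releases everything through `talloc_free(my_request)`, and the packet is parented to the request, so no further cleanup is needed. The whole of home_trigger is inside the hunk.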
@@ -0,0 +1,40 @@
+From 90b5b46341dbba78d8cd98d55d1b9321544c7887 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov
+Date: Mon, 15 Dec 2014 14:42:56 +0200
+Subject: [PATCH 1/1] valuepair: Don't remove unknown backslash
+
+Don't remove backslash from unknown escape sequences in pairparsevalue,
+adhering to behavior common to most other programs dealing with
+backslash escape sequences.
+---
+ src/lib/valuepair.c | 14 ++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/lib/valuepair.c b/src/lib/valuepair.c
+index 7d6ee88..7742b81 100644
+--- a/src/lib/valuepair.c
++++ b/src/lib/valuepair.c
+@@ -1176,12 +1176,14 @@ int pairparsevalue(VALUE_PAIR *vp, char const *value, size_t inlen)
+ c = x;
+ cp += 3;
+
+- } else if (cp[0]) {
+- /*
+- * \p --> p
+- */
+- c = *cp++;
+- } /* else at EOL \ --> \ */
++ }
++
++ /*
++ * Else It's not a recognised escape sequence DON'T
++ * consume the backslash. This is identical
++ * behaviour to bash and most other things that
++ * use backslash escaping.
++ */
+ }
+ *p++ = c;
+ vp_len++;
+--
+2.1.3
+
diff --git a/SPECS/freeradius.spec b/SPECS/freeradius.spec
index f2e2dcf..d6cdf29 100644
--- a/SPECS/freeradius.spec
+++ b/SPECS/freeradius.spec
@@ -1,6 +1,6 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
-Version: 3.0.1
+Version: 3.0.4
 Release: 6%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
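Review bot: With the `else if (cp[0])` branch removed, the byte stored by `*p++ = c` for an unrecognised escape presumably relies on `c` still holding the backslash from an assignment earlier in the loop, which lies outside this hunk, and the new comment describes the intent rather than that contract. I would reword it to `/* Not a recognised escape: c is still the backslash, store it and do not consume the following character, matching bash and most other backslash-escaping code. */` so the dependency on the earlier assignment is visible at the point that relies on it. The observable change is that an unknown `\x` pair is now kept as the two bytes `\x` (a lone trailing backslash already was, per the dropped `/* else at EOL \ --> \ */`), which the commit message states but the code comment should too. The enclosing pairparsevalue starts and ends outside the hunk.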
@@ -23,11 +23,35 @@ Source104: freeradius-tmpfiles.conf Patch1: freeradius-redhat-config.patch Patch2: freeradius-postgres-sql.patch -Patch3: freeradius-ippool.patch -Patch4: freeradius-imacros.patch -Patch5: freeradius-mysql-schema.patch -Patch6: freeradius-perl.patch -Patch7: freeradius-rlm_pap-overflow.patch +Patch3: freeradius-add-disable-openssl-version-check.patch +Patch4: freeradius-talloc-dummy-request.patch +Patch5: freeradius-dont-detach-after-perl_parse.patch +Patch6: freeradius-access-union-consistently.patch +Patch7: freeradius-dont-truncate-uint64.patch +Patch8: freeradius-prefix-endian-macros.patch +Patch9: freeradius-dont-swap-uint128-printing-on-be.patch +Patch10: freeradius-fix-dhcp-dictionary-loading.patch +Patch11: freeradius-mention-eap-md5-in-radtest-synopsis.patch +Patch12: freeradius-add-P-option-to-radtest-synopsis.patch +Patch13: freeradius-exec-dont-assume-request-presence-when-logging.patch +Patch14: freeradius-raddb-remove-extra-apostrophe-from-trigger.conf.patch +Patch15: freeradius-raddb-use-appropriate-module-names-in-traps.patch +Patch16: freeradius-connection-fall-through-to-global-module-triggers.patch +Patch17: freeradius-ignore-SIGTERM-when-firing-stop-and-signal.term.patch +Patch18: freeradius-raddb-update-triggers-in-trigger.conf.patch +Patch19: freeradius-make-grp-tallo-c-too.patch +Patch20: freeradius-fix-checks-for-PW_TYPE_FILE_INPUT.patch +Patch21: freeradius-added-D-option-to-mirror-radclient.patch +Patch22: freeradius-man-remove-client-attribute-description.patch +Patch23: freeradius-man-remove-references-to-naslist-and-clients.patch +Patch24: freeradius-valuepair-don-t-remove-unkown-backslash.patch +Patch25: freeradius-rad_counter-use-heredoc-for-help-message.patch +Patch26: freeradius-rad_counter-Refine-help-message.patch +Patch27: freeradius-dhcpclient-Add-a-short-description-to-help-output.patch +Patch28: freeradius-raddb-Move-trigger.conf-INCLUDE-before-modules.patch +Patch29: 
freeradius-Resolve-to-all-families-on-ip_hton-fallback.patch +Patch30: freeradius-Don-t-overwrite-ip_hton-af-prefix-in-fr_pton4-6.patch +Patch31: freeradius-raddb-Comment-on-ipaddr-ipv4addr-ipv6addr-use.patch %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} @@ -51,7 +75,7 @@ BuildRequires: libyubikey-devel BuildRequires: ykclient-devel %endif -Requires: openssl +Requires: openssl >= 1.0.1e-34 Requires(pre): shadow-utils glibc-common Requires(post): systemd-sysv Requires(post): systemd-units @@ -191,6 +215,30 @@ This plugin provides the unixODBC support for the FreeRADIUS server project. %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 +%patch26 -p1 +%patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 %build # Force compile/link options, extra security for network facing daemon @@ -198,6 +246,7 @@ This plugin provides the unixODBC support for the FreeRADIUS server project. %configure \ --libdir=%{_libdir}/freeradius \ + --disable-openssl-version-check \ --with-udpfromto \ --with-threads \ --with-docdir=%{docdir} \ @@ -212,7 +261,9 @@ This plugin provides the unixODBC support for the FreeRADIUS server project. --without-rlm_sql_iodbc \ --without-rlm_sql_firebird \ --without-rlm_sql_db2 \ - --without-rlm_sql_oracle + --without-rlm_sql_oracle \ + --without-rlm_rest \ + --without-rlm_unbound make 
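Review bot: The old `Patch7: freeradius-rlm_pap-overflow.patch`, the CVE-2014-2015 fix that the 3.0.1-6 changelog entry records, is dropped from the patch list here and its file deleted earlier in this commit, presumably because the 3.0.4 tarball carries the upstream fix, but neither the spec nor the new changelog entries say so. A line in the 3.0.4-1 changelog entry such as `- Drop freeradius-rlm_pap-overflow.patch (CVE-2014-2015), fixed upstream in 3.0.4` would let a later reader confirm the fix survived the rebase instead of assuming it. The same applies to the dropped ippool, imacros, mysql-schema and perl patches, whose numbers are silently reused for unrelated Patch3 to Patch7 entries.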
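Review bot: `Requires: openssl >= 1.0.1e-34` carries no comment saying why the floor exists, and the `--disable-openssl-version-check` added in the `%configure` hunk of the same file switches off the server's own runtime check, so this dependency becomes the only thing tying the package to a fixed OpenSSL. I would put the rationale next to it: `# radiusd's runtime OpenSSL version check is disabled below (--disable-openssl-version-check); this floor is what guarantees a patched OpenSSL, see the 3.0.4-3 changelog entry`. Whether 1.0.1e-34 is exactly the build carrying the relevant fix cannot be verified from the spec alone, so the comment should also name the advisory or bug the number was taken from.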
@@ -246,17 +297,24 @@ rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/serial* rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/dh rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/random -rm -f $RPM_BUILD_ROOT/%{_mandir}/man1/radeapclient.1 +# install SNMP MIB files +mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/ +install -m 644 mibs/*RADIUS*.txt $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/ rm -f $RPM_BUILD_ROOT/usr/sbin/rc.radiusd +rm -f $RPM_BUILD_ROOT/usr/bin/rbmonkey rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.a rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.la rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/mssql rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/oracle +rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool-dhcp/oracle rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/oracle +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/unbound +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/unbound/default.conf +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/couchbase # remove unsupported config files rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf @@ -336,6 +394,8 @@ exit 0 %dir %attr(755,root,radiusd) /etc/raddb %defattr(-,root,radiusd) /etc/raddb/README.rst +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/panic.gdb + %attr(644,root,radiusd) %config(noreplace) /etc/raddb/dictionary %attr(640,root,radiusd) %config(noreplace) /etc/raddb/clients.conf @@ -402,6 +462,7 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/copy-acct-to-home-server %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/buffered-sql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/tls +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/channel_bindings # sites-enabled # symlink: /etc/raddb/sites-enabled/xxx -> ../sites-available/xxx 
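Review bot: The three new removals starting with `rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/unbound` use bare `rm` while every neighbouring removal in the hunk uses `rm -f`, so a future tarball that stops installing these files breaks the build on these lines only. If failing loudly is intended, to notice when `--without-rlm_unbound` no longer leaves these files behind, a comment such as `# no -f on purpose: fail the build if these files move, so this list gets updated` makes that deliberate; otherwise `rm -f` keeps the section consistent.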
@@ -465,6 +526,7 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sqlippool %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sradutmp %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unix +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unpack %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/utf8 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/wimax %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/yubikey @@ -500,6 +562,7 @@ exit 0 %config(missingok) /etc/raddb/mods-enabled/soh %config(missingok) /etc/raddb/mods-enabled/sradutmp %config(missingok) /etc/raddb/mods-enabled/unix +%config(missingok) /etc/raddb/mods-enabled/unpack %config(missingok) /etc/raddb/mods-enabled/utf8 # policy @@ -508,6 +571,7 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/canonicalization %attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/control %attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/cui +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/debug %attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/dhcp %attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/eap %attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/filter @@ -585,6 +649,7 @@ exit 0 %{_libdir}/freeradius/rlm_sqlippool.so %{_libdir}/freeradius/rlm_sql_null.so %{_libdir}/freeradius/rlm_unix.so +%{_libdir}/freeradius/rlm_unpack.so %{_libdir}/freeradius/rlm_utf8.so %{_libdir}/freeradius/rlm_wimax.so %{_libdir}/freeradius/rlm_yubikey.so @@ -616,6 +681,9 @@ exit 0 %doc %{_mandir}/man8/radmin.8.gz %doc %{_mandir}/man8/radrelay.8.gz +# MIB files +%{_datadir}/snmp/mibs/*RADIUS*.txt + %files doc %doc %{docdir}/ 
@@ -626,13 +694,13 @@ exit 0 # utils man pages %doc %{_mandir}/man1/radclient.1.gz +%doc %{_mandir}/man1/radeapclient.1.gz %doc %{_mandir}/man1/radlast.1.gz %doc %{_mandir}/man1/radtest.1.gz %doc %{_mandir}/man1/radwho.1.gz %doc %{_mandir}/man1/radzap.1.gz %doc %{_mandir}/man1/smbencrypt.1.gz %doc %{_mandir}/man5/checkrad.5.gz -%doc %{_mandir}/man8/radconf2xml.8.gz %doc %{_mandir}/man8/radcrypt.8.gz %doc %{_mandir}/man8/radsniff.8.gz %doc %{_mandir}/man8/radsqlrelay.8.gz @@ -649,13 +717,14 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/perl %dir %attr(750,root,radiusd) /etc/raddb/mods-config/perl -/etc/raddb/mods-config/perl/example.pl +%attr(640,root,radiusd) /etc/raddb/mods-config/perl/example.pl %{_libdir}/freeradius/rlm_perl.so %files python %dir %attr(750,root,radiusd) /etc/raddb/mods-config/python /etc/raddb/mods-config/python/example.py* +/etc/raddb/mods-config/python/radiusd.py* %{_libdir}/freeradius/rlm_python.so %files mysql @@ -675,6 +744,7 @@ exit 0 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/setup.sql @@ -737,6 +807,7 @@ exit 0 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite/queries.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/sqlite %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/queries.conf 
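Review bot: `/etc/raddb/mods-config/python/radiusd.py*` is added without an `%attr`, while the perl hunk just above changes `example.pl` to `%attr(640,root,radiusd)`, the permissions problem the 3.0.4-2 changelog entry describes. If the python module files are read by the radiusd user the same way, `%attr(640,root,radiusd) /etc/raddb/mods-config/python/radiusd.py*` (and likewise for `example.py*`) keeps them out of world-readable mode and consistent with the perl entry; if 644 is intended, a short comment saying so would stop the next reader from flagging it. The `%dir %attr(750,root,radiusd)` on the python directory suggests the restrictive intent, though that is inferred rather than stated.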
@@ -752,6 +823,92 @@ exit 0 %{_libdir}/freeradius/rlm_sql_unixodbc.so %changelog +* Fri Dec 26 2014 Nikolai Kondrashov - 3.0.4-6 +- Don't remove backslash from unknown escape sequences in LDAP values. + Resolves: Bug#1173526 +- Improve dhcpclient and rad_counter online help. + Resolves: Bug#1146966 +- raddb: Move trigger.conf INCLUDE before modules, making it easier to refer + to trigger variables from module configurations. + Resolves: Bug#1155961 +- Fix ipaddr option fallback onto ipv6. + Resolves: Bug#1168868 +- raddb: Comment on ipaddr/ipv4addr/ipv6addr use. + Resolves: Bug#1168247 + +* Tue Dec 09 2014 Nikolai Kondrashov - 3.0.4-5 +- Disable rlm_rest building explicitly to avoid unintended builds on some + architectures breaking RPM build. + Resolves: Bug#1162156 +- Add -D option support to dhcpclient. + Related: Bug#1146939 +- Don't install rbmonkey - a test tool only useful to developers. + Related: Bug#1146966 +- Update clients(5) man page + Resolves: Bug#1147464 + +* Thu Oct 30 2014 Nikolai Kondrashov - 3.0.4-4 +- Fix possible group info corruption/segfault in rlm_unix' fr_getgrnam. +- Fix file configuration item parsing. + +* Wed Oct 29 2014 Nikolai Kondrashov - 3.0.4-3 +- Fix a number of trigger issues. + Resolves: Bug#1110407 radiusd doesn't send snmp trap after "radmin -e 'hup + files'" + Resolves: Bug#1110414 radiusd doesn't send snmp trap when sql connection is + opened,closed or fail + Resolves: Bug#1110186 radiusd doesn't send snmp trap when ldap connection + fails/opens/closes + Resolves: Bug#1109164 snmp trap messages send by radiusd are inconsistent + and incomplete +- Fix two omissions from radtest manpage. + Resolves: Bug#1146898 'eap-md5' value is missing in -t option in SYNOPSIS + of radtest man page + Resolves: Bug#1114669 Missing -P option in radtest manpage +- Disable OpenSSL version checking to avoid the need to edit radiusd.conf to + confirm heartbleed is fixed. 
+ Resolves: Bug#1155070 FreeRADIUS doesn't start after upgrade due to failing + OpenSSL version check + +* Mon Oct 6 2014 Nikolai Kondrashov - 3.0.4-2 +- Fix abort on home server triggers. + Resolves: Bug#1113509 radiusd aborts when it has no proxy response with active + snmp traps +- Fix segfault upon example.pl read failure. + Resolves: Bug#1146403 radiusd segfaults when file for perl module has + wrong permissions +- Fix example.pl permissions. + Resolves: Bug#1146406 /etc/raddb/mods-config/perl/example.pl has wrong + permissions and radiusd fails to start +- Fix integer handling in various cases. + Resolves: Bug#1146441 upstream test suite fails +- Fix dhcpclient's dictionary.dhcp loading. + Resolves: Bug#1146939 dhcpclient lookups dictionary.dhcp file in wrong + location + +* Mon Sep 15 2014 Nikolai Kondrashov - 3.0.4-1 +- Upgrade to upstream 3.0.4 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). + +* Mon Sep 8 2014 Nikolai Kondrashov - 3.0.4-0.1.rc2 +- Upgrade to upstream 3.0.4-rc2 release. + See upstream ChangeLog for details (in freeradius-doc subpackage). +- Add installation of SNMP MIB files. 
+- Resolves: Bug#1036562 Missing doc page for kerberos module +- Resolves: Bug#1099625 Default message digest defaults to sha1 +- Resolves: Bug#1109159 missing mib files in freeradius package +- Resolves: Bug#1113010 radiusd doesn't send snmp trap when max_threads value + is reached +- Resolves: Bug#1114669 Missing -P option in radtest manpage +- Resolves: Bug#1115128 radisud can't start if proto = udp is specified +- Resolves: Bug#1115134 radiusd aborts after 'Access-Request' when listens on + TCP port +- Resolves: Bug#1115137 radiusd listens on udp port even if proto = tcp is + specified +- Resolves: Bug#1126725 radiusd silently fails when start_servers is higher + than max_servers +- Resolves: Bug#1135446 Radeapclient is not available + * Thu Feb 27 2014 Nikolai Kondrashov - 3.0.1-6 - Fix CVE-2014-2015 "freeradius: stack-based buffer overflow flaw in rlm_pap module"