
10 Commits

Author SHA1 Message Date
openeuler-ci-bot
de6563e437
!58 [sync] PR-56: fix CVE-2022-41859 and CVE-2022-41860 and CVE-2022-41861
From: @openeuler-sync-bot 
Reviewed-by: @gitee-cmd 
Signed-off-by: @gitee-cmd
2022-12-27 08:18:00 +00:00
peng2285
2c455242bf fix CVE-2022-41859 and CVE-2022-41860 and CVE-2022-41861
(cherry picked from commit 77b057c9a95b578c38ad5e1f203810ca9a300210)
2022-12-26 14:27:14 +08:00
openeuler-ci-bot
551863d913 !50 Update to 3.0.25
Merge pull request !50 from baizg1107/openEuler-22.03-LTS-Next
2021-12-31 02:26:21 +00:00
bzg1107
7da2ceb11e update to 3.0.25 2021-12-30 07:28:10 +08:00
openeuler-ci-bot
d036b17d84 !46 del rpath from some binaries and bin
From: @chen-jan
Reviewed-by: @ruebb
Signed-off-by: @ruebb
2021-09-09 02:21:28 +00:00
chen-jan
1131387cc9 del rpath from some binaries and bin 2021-09-08 07:52:17 +00:00
openeuler-ci-bot
626ab15952 !45 增加构建依赖gcc
From: @bzg1107
Reviewed-by: @small_leek
Signed-off-by: @small_leek
2021-06-07 20:17:55 +08:00
baizg1107
ba860edf75 add build requires for resolving building errors 2021-06-07 17:06:40 +08:00
openeuler-ci-bot
f19ab4c9a1 !38 Add missing backslash that precluded server from starting
From: @ultra_planet
Reviewed-by: @si-gui,@small_leek
Signed-off-by: @small_leek
2021-04-26 19:49:44 +08:00
lingsheng
d4714b9494 Add missing backslash that precluded server from starting 2021-04-26 11:10:54 +08:00
9 changed files with 489 additions and 82 deletions

94
CVE-2022-41859-pre.patch Normal file

@ -0,0 +1,94 @@
From 1df6f266231816171d2662eacf0e528b8ad1d7d8 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Sun, 26 Dec 2021 12:02:30 -0500
Subject: [PATCH] switch to non-deprecated API
---
.../rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index cf7ab61816cb..d428644539ba 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -141,7 +141,7 @@ static void do_equation(EC_GROUP *group, BIGNUM *y2, BIGNUM *x, BN_CTX *bnctx)
p = BN_new();
a = BN_new();
b = BN_new();
- EC_GROUP_get_curve_GFp(group, p, a, b, bnctx);
+ EC_GROUP_get_curve(group, p, a, b, bnctx);
BN_sub(pm1, p, BN_value_one());
@@ -308,7 +308,7 @@ int compute_password_element (REQUEST *request, pwd_session_t *session, uint16_t
goto fail;
}
- if (!EC_GROUP_get_curve_GFp(session->group, session->prime, NULL, NULL, NULL)) {
+ if (!EC_GROUP_get_curve(session->group, session->prime, NULL, NULL, NULL)) {
DEBUG("unable to get prime for GFp curve");
goto fail;
}
@@ -444,7 +444,7 @@ int compute_password_element (REQUEST *request, pwd_session_t *session, uint16_t
* now we can savely construct PWE
*/
BN_bin2bn(xbuf, primebytelen, x_candidate);
- if (!EC_POINT_set_compressed_coordinates_GFp(session->group, session->pwe,
+ if (!EC_POINT_set_compressed_coordinates(session->group, session->pwe,
x_candidate, save_is_odd, NULL)) {
goto fail;
}
@@ -562,7 +562,7 @@ int process_peer_commit(REQUEST *request, pwd_session_t *session, uint8_t *in, s
goto finish;
}
- if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bn_ctx)) {
+ if (!EC_POINT_set_affine_coordinates(session->group, session->peer_element, x, y, bn_ctx)) {
REDEBUG("Unable to get coordinates of peer's element");
goto finish;
}
@@ -621,7 +621,7 @@ int process_peer_commit(REQUEST *request, pwd_session_t *session, uint8_t *in, s
goto finish;
}
- if (!EC_POINT_get_affine_coordinates_GFp(session->group, K, session->k, NULL, bn_ctx)) {
+ if (!EC_POINT_get_affine_coordinates(session->group, K, session->k, NULL, bn_ctx)) {
REDEBUG("Unable to get shared secret from K");
goto finish;
}
@@ -671,7 +671,7 @@ int compute_server_confirm(REQUEST *request, pwd_session_t *session, uint8_t *ou
/*
* next is server element: x, y
*/
- if (!EC_POINT_get_affine_coordinates_GFp(session->group, session->my_element, x, y, bn_ctx)) {
+ if (!EC_POINT_get_affine_coordinates(session->group, session->my_element, x, y, bn_ctx)) {
REDEBUG("Unable to get coordinates of server element");
goto finish;
}
@@ -696,7 +696,7 @@ int compute_server_confirm(REQUEST *request, pwd_session_t *session, uint8_t *ou
/*
* next is peer element: x, y
*/
- if (!EC_POINT_get_affine_coordinates_GFp(session->group, session->peer_element, x, y, bn_ctx)) {
+ if (!EC_POINT_get_affine_coordinates(session->group, session->peer_element, x, y, bn_ctx)) {
REDEBUG("Unable to get coordinates of peer's element");
goto finish;
}
@@ -771,7 +771,7 @@ int compute_peer_confirm(REQUEST *request, pwd_session_t *session, uint8_t *out,
/*
* then peer element: x, y
*/
- if (!EC_POINT_get_affine_coordinates_GFp(session->group, session->peer_element, x, y, bn_ctx)) {
+ if (!EC_POINT_get_affine_coordinates(session->group, session->peer_element, x, y, bn_ctx)) {
REDEBUG("Unable to get coordinates of peer's element");
goto finish;
}
@@ -797,7 +797,7 @@ int compute_peer_confirm(REQUEST *request, pwd_session_t *session, uint8_t *out,
/*
* then server element: x, y
*/
- if (!EC_POINT_get_affine_coordinates_GFp(session->group, session->my_element, x, y, bn_ctx)) {
+ if (!EC_POINT_get_affine_coordinates(session->group, session->my_element, x, y, bn_ctx)) {
REDEBUG("Unable to get coordinates of server element");
goto finish;
}
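Review bot: In the `do_equation` hunk the result of `EC_GROUP_get_curve(group, p, a, b, bnctx)` is discarded, and so are the three `BN_new()` results just above it, while every other call site changed in this patch tests its return value. If the call fails, `p`, `a` and `b` keep their initial values and the arithmetic that follows (`BN_sub(pm1, p, BN_value_one())` onward) runs on them with no error reaching the caller, since the function returns `void`. A check such as `if (!p || !a || !b || !EC_GROUP_get_curve(group, p, a, b, bnctx)) goto fail;` would fit, but the rest of the body and any cleanup label are outside the hunk, so the exact exit path needs confirming.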

159
CVE-2022-41859.patch Normal file

@ -0,0 +1,159 @@
From 9e5e8f2f912ad2da8ac6e176ac3a606333469937 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Fri, 4 Feb 2022 09:36:26 -0500
Subject: [PATCH] port fixes from master
via the simple expedient of copying the entire function, with
some minor changes to work in v3
---
.../rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 90 ++++++++++++++-----
1 file changed, 66 insertions(+), 24 deletions(-)
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index d428644539ba..26260527a536 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -248,18 +248,16 @@ int compute_password_element (REQUEST *request, pwd_session_t *session, uint16_t
char const *id_peer, int id_peer_len,
uint32_t *token)
{
- BIGNUM *x_candidate = NULL, *rnd = NULL, *y_sqrd = NULL, *qr = NULL, *qnr = NULL;
- HMAC_CTX *ctx = NULL;
- uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, *xbuf = NULL, *pm1buf = NULL, ctr;
- int nid, is_odd, primebitlen, primebytelen, ret = 0, found = 0, mask;
- int save, i, rbits, qr_or_qnr, save_is_odd = 0, cmp;
- unsigned int skip;
-
- ctx = HMAC_CTX_new();
- if (ctx == NULL) {
- DEBUG("failed allocating HMAC context");
- goto fail;
- }
+ BIGNUM *x_candidate = NULL, *rnd = NULL, *y_sqrd = NULL, *qr = NULL, *qnr = NULL, *y1 = NULL, *y2 = NULL, *y = NULL, *exp = NULL;
+ EVP_MD_CTX *hmac_ctx;
+ EVP_PKEY *hmac_pkey;
+ uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, *xbuf = NULL, *pm1buf = NULL, *y1buf = NULL, *y2buf = NULL, *ybuf = NULL, ctr;
+ int nid, is_odd, primebitlen, primebytelen, ret = 0, found = 0, mask;
+ int save, i, rbits, qr_or_qnr, save_is_odd = 0, cmp;
+ unsigned int skip;
+
+ MEM(hmac_ctx = EVP_MD_CTX_new());
+ MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
switch (grp_num) { /* from IANA registry for IKE D-H groups */
case 19:
@@ -303,7 +301,11 @@ int compute_password_element (REQUEST *request, pwd_session_t *session, uint16_t
((qr = consttime_BN()) == NULL) ||
((qnr = consttime_BN()) == NULL) ||
((x_candidate = consttime_BN()) == NULL) ||
- ((y_sqrd = consttime_BN()) == NULL)) {
+ ((y_sqrd = consttime_BN()) == NULL) ||
+ ((y1 = consttime_BN()) == NULL) ||
+ ((y2 = consttime_BN()) == NULL) ||
+ ((y = consttime_BN()) == NULL) ||
+ ((exp = consttime_BN()) == NULL)) {
DEBUG("unable to create bignums");
goto fail;
}
@@ -332,6 +334,19 @@ int compute_password_element (REQUEST *request, pwd_session_t *session, uint16_t
DEBUG("unable to alloc space for pm1 buffer");
goto fail;
}
+ if ((y1buf = talloc_zero_array(request, uint8_t, primebytelen)) == NULL) {
+ DEBUG("unable to alloc space for y1 buffer");
+ goto fail;
+ }
+ if ((y2buf = talloc_zero_array(request, uint8_t, primebytelen)) == NULL) {
+ DEBUG("unable to alloc space for y2 buffer");
+ goto fail;
+ }
+ if ((ybuf = talloc_zero_array(request, uint8_t, primebytelen)) == NULL) {
+ DEBUG("unable to alloc space for y buffer");
+ goto fail;
+ }
+
/*
* derive random quadradic residue and quadratic non-residue
@@ -361,13 +376,19 @@ int compute_password_element (REQUEST *request, pwd_session_t *session, uint16_t
* pwd-seed = H(token | peer-id | server-id | password |
* counter)
*/
- HMAC_Init_ex(ctx, allzero, SHA256_DIGEST_LENGTH, EVP_sha256(),NULL);
- HMAC_Update(ctx, (uint8_t *)token, sizeof(*token));
- HMAC_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
- HMAC_Update(ctx, (uint8_t const *)id_server, id_server_len);
- HMAC_Update(ctx, (uint8_t const *)password, password_len);
- HMAC_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
- pwd_hmac_final(ctx, pwe_digest);
+ EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
+
+ {
+ size_t mdlen = SHA256_DIGEST_LENGTH;
+
+ EVP_DigestSignFinal(hmac_ctx, pwe_digest, &mdlen);
+ EVP_MD_CTX_reset(hmac_ctx);
+ }
BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
@@ -401,7 +422,7 @@ int compute_password_element (REQUEST *request, pwd_session_t *session, uint16_t
* need to unambiguously identify the solution, if there is
* one..
*/
- is_odd = BN_is_odd(rnd) ? 1 : 0;
+ is_odd = BN_is_odd(rnd);
/*
* check whether x^3 + a*x + b is a quadratic residue
@@ -444,8 +465,21 @@ int compute_password_element (REQUEST *request, pwd_session_t *session, uint16_t
* now we can savely construct PWE
*/
BN_bin2bn(xbuf, primebytelen, x_candidate);
- if (!EC_POINT_set_compressed_coordinates(session->group, session->pwe,
- x_candidate, save_is_odd, NULL)) {
+ do_equation(session->group, y_sqrd, x_candidate, session->bnctx);
+ if ( !BN_add(exp, session->prime, BN_value_one()) ||
+ !BN_rshift(exp, exp, 2) ||
+ !BN_mod_exp_mont_consttime(y1, y_sqrd, exp, session->prime, session->bnctx, NULL) ||
+ !BN_sub(y2, session->prime, y1) ||
+ !BN_bn2bin(y1, y1buf) ||
+ !BN_bn2bin(y2, y2buf)) {
+ DEBUG("unable to compute y");
+ goto fail;
+ }
+ mask = const_time_eq(save_is_odd, BN_is_odd(y1));
+ const_time_select_bin(mask, y1buf, y2buf, primebytelen, ybuf);
+ if (BN_bin2bn(ybuf, primebytelen, y) == NULL ||
+ !EC_POINT_set_affine_coordinates(session->group, session->pwe, x_candidate, y, session->bnctx)) {
+ DEBUG("unable to set point coordinate");
goto fail;
}
@@ -461,12 +495,20 @@ int compute_password_element (REQUEST *request, pwd_session_t *session, uint16_t
BN_clear_free(qr);
BN_clear_free(qnr);
BN_clear_free(rnd);
+ BN_clear_free(y1);
+ BN_clear_free(y2);
+ BN_clear_free(y);
+ BN_clear_free(exp);
if (prfbuf) talloc_free(prfbuf);
if (xbuf) talloc_free(xbuf);
if (pm1buf) talloc_free(pm1buf);
+ if (y1buf) talloc_free(y1buf);
+ if (y2buf) talloc_free(y2buf);
+ if (ybuf) talloc_free(ybuf);
- HMAC_CTX_free(ctx);
+ EVP_MD_CTX_free(hmac_ctx);
+ EVP_PKEY_free(hmac_pkey);
return ret;
}
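Review bot: The two `BN_bn2bin()` calls in the new square-root block write only `BN_num_bytes()` bytes, left-aligned, so when `y1` or `y2` is shorter than `primebytelen` the later `BN_bin2bn(ybuf, primebytelen, y)` reads trailing zero bytes as part of the value and produces a different number. In that case `EC_POINT_set_affine_coordinates()` would presumably reject the point and the derivation fails for a valid password, and the variable-length write sits in a path that is meant to be constant-time. Fixed-width output avoids both: replace the two terms with `BN_bn2binpad(y1, y1buf, primebytelen) < 0 ||` and `BN_bn2binpad(y2, y2buf, primebytelen) < 0 ||`. Separately, the return values of the `EVP_DigestSignInit`/`Update`/`Final` calls are ignored, so a failed init would leave `pwe_digest` unwritten before `BN_bin2bn()` consumes it. Most of compute_password_element, including the `fail` label, lies outside these hunks.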

109
CVE-2022-41860.patch Normal file

@ -0,0 +1,109 @@
From f1cdbb33ec61c4a64a32e107d4d02f936051c708 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Mon, 7 Feb 2022 22:26:05 -0500
Subject: [PATCH] it's probably wrong to be completely retarded. Let's fix
that.
---
src/modules/rlm_eap/libeap/eapsimlib.c | 69 +++++++++++++++++++-------
1 file changed, 52 insertions(+), 17 deletions(-)
diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
index cf1e8a7dd924..e438a844eab3 100644
--- a/src/modules/rlm_eap/libeap/eapsimlib.c
+++ b/src/modules/rlm_eap/libeap/eapsimlib.c
@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
newvp->vp_length = 1;
fr_pair_add(&(r->vps), newvp);
+ /*
+ * EAP-SIM has a 1 octet of subtype, and 2 octets
+ * reserved.
+ */
attr += 3;
attrlen -= 3;
- /* now, loop processing each attribute that we find */
- while(attrlen > 0) {
+ /*
+ * Loop over each attribute. The format is:
+ *
+ * 1 octet of type
+ * 1 octet of length (value 1..255)
+ * ((4 * length) - 2) octets of data.
+ */
+ while (attrlen > 0) {
uint8_t *p;
- if(attrlen < 2) {
+ if (attrlen < 2) {
fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
return 0;
}
+ if (!attr[1]) {
+ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", eapsim_attribute,
+ es_attribute_count);
+ return 0;
+ }
+
eapsim_attribute = attr[0];
eapsim_len = attr[1] * 4;
+ /*
+ * The length includes the 2-byte header.
+ */
if (eapsim_len > attrlen) {
fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
return 0;
}
- if(eapsim_len > MAX_STRING_LEN) {
- eapsim_len = MAX_STRING_LEN;
- }
- if (eapsim_len < 2) {
- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
- es_attribute_count);
- return 0;
- }
+ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
+ if (!newvp) {
+ /*
+ * RFC 4186 Section 8.1 says 0..127 are
+ * "non-skippable". If one such
+ * attribute is found and we don't
+ * understand it, the server has to send:
+ *
+ * EAP-Request/SIM/Notification packet with an
+ * (AT_NOTIFICATION code, which implies general failure ("General
+ * failure after authentication" (0), or "General failure" (16384),
+ * depending on the phase of the exchange), which terminates the
+ * authentication exchange.
+ */
+ if (eapsim_attribute <= 127) {
+ fr_strerror_printf("Unknown mandatory attribute %d, failing",
+ eapsim_attribute);
+ return 0;
+ }
- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
- newvp->vp_length = eapsim_len-2;
- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
- memcpy(p, &attr[2], eapsim_len-2);
- fr_pair_add(&(r->vps), newvp);
- newvp = NULL;
+ } else {
+ /*
+ * It's known, ccount for header, and
+ * copy the value over.
+ */
+ newvp->vp_length = eapsim_len - 2;
+
+ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+ memcpy(p, &attr[2], newvp->vp_length);
+ fr_pair_add(&(r->vps), newvp);
+ }
/* advance pointers, decrement length */
attr += eapsim_len;
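Review bot: The new `if (!attr[1])` check formats `eapsim_attribute` into its error message before `eapsim_attribute = attr[0];` has run for this attribute, so the log names the previous attribute, or an unset value on the first pass if the declaration outside the hunk has no initialiser. Moving the assignment above the check, or printing `attr[0]` directly, fixes it. In the `else` branch the `talloc_array()` result goes to `memcpy()` unchecked; a guard such as `if (!p) { talloc_free(newvp); return 0; }` would keep an allocation failure from becoming a NULL write. The end of the loop and the function's return are outside the hunk.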

44
CVE-2022-41861.patch Normal file

@ -0,0 +1,44 @@
From 0ec2b39d260e08e4c3464f6b95005821dc559c62 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Mon, 28 Feb 2022 10:34:15 -0500
Subject: [PATCH] manual port of commit 5906bfa1
---
src/lib/filters.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/lib/filters.c b/src/lib/filters.c
index 4868cd385d9f..3f3b63daeef3 100644
--- a/src/lib/filters.c
+++ b/src/lib/filters.c
@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
}
}
} else if (filter->type == RAD_FILTER_GENERIC) {
- int count;
+ size_t count, masklen;
+
+ masklen = ntohs(filter->u.generic.len);
+ if (masklen >= sizeof(filter->u.generic.mask)) {
+ *p = '\0';
+ return;
+ }
i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
p += i;
/* show the mask */
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
+ for (count = 0; count < masklen; count++) {
i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
p += i;
outlen -= i;
@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
outlen--;
/* show the value */
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
+ for (count = 0; count < masklen; count++) {
i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
p += i;
outlen -= i;
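Review bot: The added `masklen` bound limits how many mask and value bytes are read, but the write side is still unguarded: after `i = snprintf(p, outlen, " %u ", ...)` the code advances `p` without reducing `outlen`, and both loops do `p += i; outlen -= i;` with no truncation check. Because `outlen` is a `size_t` and `snprintf()` returns the length it wanted to write, a short output buffer would move `p` past the end and wrap `outlen`. I would add `outlen -= i;` after the first `p += i;` and stop with `if (i < 0 || (size_t)i >= outlen) { *p = '\0'; return; }` after each call. Whether callers always pass a large enough buffer is not visible here, and print_abinary continues outside both hunks.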


@ -1,43 +0,0 @@
From 8a6cdf29ea6427cd8e96c00bc3d03abe1a67e8a3 Mon Sep 17 00:00:00 2001
From: lingsheng <lingsheng@huawei.com>
Date: Thu, 11 Mar 2021 16:03:35 +0800
Subject: [PATCH] Fix radeapclient option -q
---
src/modules/rlm_eap/radeapclient.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/modules/rlm_eap/radeapclient.c b/src/modules/rlm_eap/radeapclient.c
index 553a6a6..d505ae8 100644
--- a/src/modules/rlm_eap/radeapclient.c
+++ b/src/modules/rlm_eap/radeapclient.c
@@ -1899,8 +1899,6 @@ int main(int argc, char **argv)
.debug_file = NULL,
};
- radlog_init(&radclient_log, false);
-
/*
* We probably don't want to free the talloc autofree context
* directly, so we'll allocate a new context beneath it, and
@@ -1938,6 +1936,8 @@ int main(int argc, char **argv)
break;
case 'q':
do_output = 0;
+ radclient_log.dst = L_DST_NULL;
+ radclient_log.fd = 0;
break;
case 'x':
rad_debug_lvl++;
@@ -2013,6 +2013,8 @@ int main(int argc, char **argv)
usage();
}
+ radlog_init(&radclient_log, false);
+
/* Prepare the timeout. */
rc_float_to_timeval(&tv_timeout, timeout);
--
2.23.0

Binary file not shown.

Binary file not shown.


@ -3,25 +3,25 @@
%define perl_version %(eval "`%{__perl} -V:version`"; echo $version)
Name: freeradius
Version: 3.0.21
Release: 5
Version: 3.0.25
Release: 2
Summary: Remote Authentication Dial-In User Service
License: GPLv2+ and LGPLv2+
URL: http://www.freeradius.org/
Source0: https://freeradius.org/ftp/pub/radius/freeradius-server-%{version}.tar.bz2
Source0: https://freeradius.org/ftp/pub/radius/freeradius-server-%{version}.tar.gz
Source1: radiusd.service
Source2: freeradius-logrotate
Source3: freeradius-pam-conf
Source4: freeradius-tmpfiles.conf
Patch0000: remove-unused-arguement.patch
Patch0001: Fix-radeapclient-option-q.patch
# patch for backport CVE
patch0000: CVE-2022-41859-pre.patch
patch0001: CVE-2022-41859.patch
patch0002: CVE-2022-41860.patch
patch0003: CVE-2022-41861.patch
BuildRequires: autoconf gdbm-devel openssl openssl-devel pam-devel zlib-devel net-snmp-devel
BuildRequires: net-snmp-utils readline-devel libpcap-devel systemd-units libtalloc-devel
BuildRequires: pcre-devel unixODBC-devel json-c-devel libcurl-devel
BuildRequires: pcre-devel unixODBC-devel json-c-devel libcurl-devel gcc chrpath
Requires: openssl >= %{openssl_version}
Requires(pre): shadow-utils glibc-common
@ -168,7 +168,6 @@ install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/ippool/mongo/queries.conf
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/main/mongo/queries.conf
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/mssql
rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/mssql
install -D LICENSE $RPM_BUILD_ROOT/%{docdir}/LICENSE.gpl
@ -179,12 +178,23 @@ for f in COPYRIGHT CREDITS INSTALL.rst README.rst VERSION; do
cp $f $RPM_BUILD_ROOT/%{docdir}
done
cd $RPM_BUILD_ROOT/usr
file `find -type f`| grep -w ELF | awk -F":" '{print $1}' | for i in `xargs`
do
chrpath -d $i
done
cd -
mkdir -p $RPM_BUILD_ROOT/etc/ld.so.conf.d
echo "%{_bindir}/%{name}" > $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf
echo "%{_libdir}/%{name}" >> $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf
%pre
getent group radiusd >/dev/null || /usr/sbin/groupadd -r -g 95 radiusd > /dev/null 2>&1
getent passwd radiusd >/dev/null || /usr/sbin/useradd -r -g radiusd -u 95 -c "radiusd user" \
-d %{_localstatedir}/lib/radiusd -s /sbin/nologin radiusd > /dev/null 2>&1
%post
/sbin/ldconfig
%systemd_post radiusd.service
if [ $1 -eq 1 ]; then
if [ ! -e /etc/raddb/certs/server.pem ]; then
@ -197,6 +207,7 @@ exit 0
%systemd_preun radiusd.service
%postun
/sbin/ldconfig
%systemd_postun_with_restart radiusd.service
if [ $1 -eq 0 ]; then
getent passwd radiusd >/dev/null && /usr/sbin/userdel radiusd > /dev/null 2>&1
@ -235,7 +246,7 @@ exit 0
%config(noreplace) /etc/raddb/certs/{Makefile,passwords.mk,xpextensions}
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
%attr(750,root,radiusd) /etc/raddb/certs/{bootstrap}
/etc/raddb/certs/README
/etc/raddb/certs/README.md
%exclude /etc/raddb/certs/{*.crt,*.crl,*.csr,*.der,*.key,*.pem,*.p12}
%exclude /etc/raddb/certs/{index.*,serial*,dh,random}
@ -269,6 +280,7 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/{proxy-inner-tunnel,dynamic-clients}
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/{copy-acct-to-home-server,buffered-sql}
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/{tls,channel_bindings,challenge}
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/{resource-check,totp}
%exclude /etc/raddb/sites-available/abfab*
# /etc/raddb/sites-enabled dir
@ -292,6 +304,7 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{smsotp,soh,sometimes,sql,sqlcounter}
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{sqlippool,sradutmp,unix,unpack}
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{utf8,wimax,yubikey}
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/{dhcp_files,dhcp_passwd,dhcp_sql,sql_map,totp}
%exclude /etc/raddb/mods-available/{unbound,couchbase,abfab*,moonshot-targeted-ids}
# /etc/raddb/mods-enabled dir
@ -299,7 +312,7 @@ exit 0
%config(missingok) /etc/raddb/mods-enabled/{always,attr_filter,cache_eap,chap,date,detail,detail.log}
%config(missingok) /etc/raddb/mods-enabled/{dhcp,digest,dynamic_clients,eap,echo,exec,expiration,expr}
%config(missingok) /etc/raddb/mods-enabled/{files,linelog,logintime,mschap,ntlm_auth,pap,passwd,preprocess}
%config(missingok) /etc/raddb/mods-enabled/{radutmp,realm,replicate,soh,sradutmp,unix,unpack,utf8}
%config(missingok) /etc/raddb/mods-enabled/{radutmp,realm,replicate,soh,sradutmp,unix,unpack,utf8,totp}
# /etc/raddb/policy.d dir
%dir %attr(750,root,radiusd) /etc/raddb/policy.d
@ -335,6 +348,7 @@ exit 0
%{_libdir}/freeradius/{rlm_preprocess.so,rlm_radutmp.so,rlm_realm.so,rlm_replicate.so,rlm_soh.so}
%{_libdir}/freeradius/{rlm_sometimes.so,rlm_sql.so,rlm_sqlcounter.so,rlm_sqlippool.so,rlm_sql_null.so}
%{_libdir}/freeradius/{rlm_unix.so,rlm_unpack.so,rlm_utf8.so,rlm_wimax.so,rlm_yubikey.so}
%{_libdir}/freeradius/{rlm_sql_map.so,rlm_totp.so}
%exclude %{_libdir}/freeradius/{*.a,*.la,rlm_test.so}
# MIB files
@ -347,6 +361,8 @@ exit 0
%{_libdir}/freeradius/rlm_rest.so
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%config(noreplace) /etc/ld.so.conf.d/*
%files help
%doc %{docdir}/
# utils man pages
@ -384,7 +400,32 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/*
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/cui/mysql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/*
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/*
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql/queries.conf
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql/schema.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/queries.conf
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/schema.sql
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/setup.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle/queries.conf
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle/schema.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/queries.conf
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/schema.sql
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/setup.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite/queries.conf
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite/schema.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/*
@ -392,11 +433,20 @@ exit 0
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/*
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mssql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/procedure.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/queries.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/schema.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/procedure.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/queries.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/schema.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/*
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras/wimax
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/extras/wimax/*
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/ndb
@ -416,8 +466,10 @@ exit 0
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/*
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql/extras
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql/extras
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/extras/*
%{_libdir}/freeradius/rlm_sql_postgresql.so
%files sqlite
%{_libdir}/freeradius/rlm_sql_sqlite.so
@ -441,6 +493,22 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ldap
%changelog
* Wed Dec 21 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 3.0.25-2
- Fix CVE-2022-41859 and CVE-2022-41860 and CVE-2022-41861
* Thu Dec 30 2021 baizhonggui <baizhonggui@huawei.com> - 3.0.25-1
- update to 3.0.25
* Wed Sep 08 2021 chenchen <chen_aka_jan@163.com> - 3.0.21-8
- del rpath from some binaries and bin
* Wed Jun 2 2021 baizhonggui <baizhonggui@huawei.com> - 3.0.21-7
- Fix building error: configure: error: no acceptable C compiler found in $PATH
- Add gcc in BuildRequires
* Mon Apr 26 2021 lingsheng <lingsheng@huawei.com> - 3.0.21-6
- Add missing backslash that precluded server from starting
* Thu Mar 11 2021 lingsheng <lingsheng@huawei.com> - 3.0.21-5
* Fix radeapclient option -q
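Review bot: The four CVE patches are declared as `patch0000:` to `patch0003:`, but no hunk touches `%prep`, so this page does not show whether they are actually applied. If `%prep` applies patches automatically, all four are picked up; if it still carries explicit per-patch lines for the two removed patches, `CVE-2022-41860.patch` and `CVE-2022-41861.patch` would be packaged but never applied. Please confirm against the full spec, for example by checking the build log for all four patch names. A comment above the list such as `# CVE-2022-41859-pre.patch must be applied before CVE-2022-41859.patch` would also record the ordering dependency that the patches' index lines imply.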


@ -1,24 +0,0 @@
From f06084a007fdcaad3bd68f29e243fa8edcf0b590 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Thu, 24 Dec 2020 07:38:59 -0500
Subject: [PATCH] remove unused argument. Fixes #3817
---
src/tests/map/map_unit.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/tests/map/map_unit.c b/src/tests/map/map_unit.c
index af6d016..df906a5 100644
--- a/src/tests/map/map_unit.c
+++ b/src/tests/map/map_unit.c
@@ -81,7 +81,6 @@ static void NEVER_RETURNS usage(void)
fprintf(stderr, "usage: map_unit [OPTS] filename ...\n");
fprintf(stderr, " -d <raddb> Set user dictionary directory (defaults to " RADDBDIR ").\n");
fprintf(stderr, " -D <dictdir> Set main dictionary directory (defaults to " DICTDIR ").\n");
- fprintf(stderr, " -O <output_dir> Set output directory\n");
fprintf(stderr, " -x Debugging mode.\n");
fprintf(stderr, " -M Show program version information.\n");
--
2.23.0