[freeradius/f16] - Add new patch to avoid reading .rpmnew, .rpmsave and other invalid files when loading config fil
John Dennis
jdennis at fedoraproject.org
Tue Oct 9 17:34:21 UTC 2012
commit 42c06ec073ada48e03c1ca5e3173caf81807e8b5
Author: John Dennis <jdennis at redhat.com>
Date: Tue Oct 9 13:33:40 2012 -0400
- Add new patch to avoid reading .rpmnew, .rpmsave and other invalid
files when loading config files
- Upgrade to new 2.2.0 upstream release
- Upstream changelog for 2.1.12:
Feature improvements
* 100% configuration file compatible with 2.1.x.
The only fix needed is to disallow "hashsize=0" for rlm_passwd
* Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware,
Redback, and Mikrotik dictionaries
* Switch to using SHA1 for certificate digests instead of MD5.
See raddb/certs/*.cnf
* Added copyright statements to the dictionaries, so that we know
when people are using them.
* Better documentation for radrelay and detail file writer.
See raddb/modules/radrelay and raddb/radrelay.conf
* Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
* Added -F <file> to radwho
* Added query timeouts to MySQL driver. Patch from Brian De Wolf.
* Add /etc/default/freeradius to debian package.
Patch from Matthew Newton
* Finalize DHCP and DHCP relay code. It should now work everywhere.
See raddb/sites-available/dhcp, src_ipaddr and src_interface.
* DHCP capabilities are now compiled in by default.
It runs as a DHCP server ONLY when manually enabled.
* Added one letter expansions: %G - request minute and %I request
ID.
* Added script to convert ISC DHCP lease files to SQL pools.
See scripts/isc2ippool.pl
* Added rlm_cache to cache arbitrary attributes.
* Added max_use to rlm_ldap to force connection to be re-established
after a given number of queries.
* Added configtest option to Debian init scripts, and automatic
config test on restart.
* Added cache config item to rlm_krb5. When set to "no" ticket
caching is disabled which may increase performance.
Bug fixes
* Fix CVE-2012-3547. All users of 2.1.10, 2.1.11, 2.1.12,
and 802.1X should upgrade immediately.
* Fix typo in detail file writer, to skip writing if the packet
was read from this detail file.
* Free cached replies when closing resumed SSL sessions.
* Fix a number of issues found by Coverity.
* Fix memory leak and race condition in the EAP-TLS session cache.
Thanks to Phil Mayers for tracking down OpenSSL APIs.
* Restrict ATTRIBUTE names to character sets that make sense.
* Fix EAP-TLS session Id length so that OpenSSL doesn't get
excited.
* Fix SQL IPPool logic for non-timer attributes. Closes bug #181
* Change some informational messages to DEBUG rather than error.
* Portability fixes for FreeBSD. Closes bug #177
* A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols
nonsense.
* Safely handle extremely long lines in conf file variable expansion
* Fix for Debian bug #606450
* Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
* The passwd module no longer permits "hashsize = 0". Setting that
is pointless for a host of reasons. It will also break the server.
* Fix proxied inner-tunnel packets sometimes having zero authentication
vector. Found by Brian Julin.
* Added $(EXEEXT) to Makefiles for portability. Closes bug #188.
* Fix minor build issue which would cause rlm_eap to be built twice.
* When using "status_check=request" for a home server, the username
and password must be specified, or the server will not start.
* EAP-SIM now calculates keys from the SIM identity, not from the
EAP-Identity. Changing the EAP type via NAK may result in
identities changing. Bug reported by Microsoft EAP team.
* Use home server src_ipaddr when sending Status-Server packets
* Decrypt encrypted ERX attributes in CoA packets.
* Fix registration of internal xlat's so %{mschap:...} doesn't
disappear after a HUP.
* Can now reference tagged attributes in expansions.
e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work.
* Correct calculation of Message-Authenticator for CoA and Disconnect
replies. Patch from Jouni Malinen
* Install rad_counter, for managing rlm_counter files.
* Add unique index constraint to all SQL flavours so that alternate
queries work correctly.
* The TTLS diameter decoder is now more lenient. It ignores
unknown attributes, instead of rejecting the TTLS session.
* Use "globfree" in detail file reader. Prevents very slow leak.
Closes bug #207.
* Operator =~ shouldn't copy the attribute, like :=. It should
instead behave more like ==.
* Build main Debian package without SQL dependencies
* Use max_queue_size in threading code
* Update permissions in raddb/sql/postgresql/admin.sql
* Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL
wouldn't use methods it knew about.
* Add more sanity checks in dynamic_clients code so the server won't
crash if it attempts to load a badly formatted client definition.
.gitignore | 1 +
freeradius-1.1.7-ipa.patch | 794 ---------------------------------
freeradius-cert-config.patch | 46 +--
freeradius-exclude-config-file.patch | 310 +++++++++++++
freeradius-man.patch | 260 -----------
freeradius-radeapclient-ipv6.patch | 158 +++++++
freeradius-unixodbc-type-change.patch | 33 --
freeradius.spec | 112 +++++-
sources | 1 +
9 files changed, 596 insertions(+), 1119 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 97a00d0..55510b1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ freeradius-server-2.1.9.tar.bz2
/freeradius-server-2.1.10.tar.bz2
/freeradius-server-2.1.11.tar.bz2
/freeradius-server-2.1.12.tar.bz2
+/freeradius-server-2.2.0.tar.bz2
diff --git a/freeradius-cert-config.patch b/freeradius-cert-config.patch
index 9967a15..93d3950 100644
--- a/freeradius-cert-config.patch
+++ b/freeradius-cert-config.patch
@@ -1,51 +1,42 @@
-diff -r -u freeradius-server-2.1.12.orig/raddb/certs/ca.cnf freeradius-server-2.1.12/raddb/certs/ca.cnf
---- freeradius-server-2.1.12.orig/raddb/certs/ca.cnf 2011-09-07 06:59:21.000000000 -0400
-+++ freeradius-server-2.1.12/raddb/certs/ca.cnf 2011-09-07 10:28:28.000000000 -0400
-@@ -14,9 +14,9 @@
+diff -r -u freeradius-server-2.2.0.orig/raddb/certs/ca.cnf freeradius-server-2.2.0.work/raddb/certs/ca.cnf
+--- freeradius-server-2.2.0.orig/raddb/certs/ca.cnf 2012-09-10 07:51:34.000000000 -0400
++++ freeradius-server-2.2.0.work/raddb/certs/ca.cnf 2012-09-25 15:29:08.792013636 -0400
+@@ -14,7 +14,7 @@
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
-default_days = 365
+default_days = 60
default_crl_days = 30
--default_md = md5
-+default_md = sha1
+ default_md = sha1
preserve = no
- policy = policy_match
-
-diff -r -u freeradius-server-2.1.12.orig/raddb/certs/client.cnf freeradius-server-2.1.12/raddb/certs/client.cnf
---- freeradius-server-2.1.12.orig/raddb/certs/client.cnf 2011-09-07 06:59:21.000000000 -0400
-+++ freeradius-server-2.1.12/raddb/certs/client.cnf 2011-09-07 10:28:28.000000000 -0400
-@@ -14,9 +14,9 @@
+diff -r -u freeradius-server-2.2.0.orig/raddb/certs/client.cnf freeradius-server-2.2.0.work/raddb/certs/client.cnf
+--- freeradius-server-2.2.0.orig/raddb/certs/client.cnf 2012-09-10 07:51:34.000000000 -0400
++++ freeradius-server-2.2.0.work/raddb/certs/client.cnf 2012-09-25 15:29:19.046932303 -0400
+@@ -14,7 +14,7 @@
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
-default_days = 365
+default_days = 60
default_crl_days = 30
--default_md = md5
-+default_md = sha1
+ default_md = sha1
preserve = no
- policy = policy_match
-
-diff -r -u freeradius-server-2.1.12.orig/raddb/certs/server.cnf freeradius-server-2.1.12/raddb/certs/server.cnf
---- freeradius-server-2.1.12.orig/raddb/certs/server.cnf 2011-09-07 06:59:21.000000000 -0400
-+++ freeradius-server-2.1.12/raddb/certs/server.cnf 2011-09-07 10:28:28.000000000 -0400
-@@ -14,9 +14,9 @@
+diff -r -u freeradius-server-2.2.0.orig/raddb/certs/server.cnf freeradius-server-2.2.0.work/raddb/certs/server.cnf
+--- freeradius-server-2.2.0.orig/raddb/certs/server.cnf 2012-09-10 07:51:34.000000000 -0400
++++ freeradius-server-2.2.0.work/raddb/certs/server.cnf 2012-09-25 15:29:26.118877959 -0400
+@@ -14,7 +14,7 @@
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
-default_days = 365
+default_days = 60
default_crl_days = 30
--default_md = md5
-+default_md = sha1
+ default_md = sha1
preserve = no
- policy = policy_match
-
-diff -r -u freeradius-server-2.1.12.orig/raddb/eap.conf freeradius-server-2.1.12/raddb/eap.conf
---- freeradius-server-2.1.12.orig/raddb/eap.conf 2011-09-07 06:59:21.000000000 -0400
-+++ freeradius-server-2.1.12/raddb/eap.conf 2011-09-07 10:28:28.000000000 -0400
+diff -r -u freeradius-server-2.2.0.orig/raddb/eap.conf freeradius-server-2.2.0.work/raddb/eap.conf
+--- freeradius-server-2.2.0.orig/raddb/eap.conf 2012-09-10 07:51:34.000000000 -0400
++++ freeradius-server-2.2.0.work/raddb/eap.conf 2012-09-25 15:31:17.623971648 -0400
@@ -281,7 +281,11 @@
# for the server to print out an error message,
# and refuse to start.
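Review bot: with the `default_md = md5` → `sha1` lines dropped from the rebased patch (upstream 2.2.0 already ships `default_md = sha1`, which is why those lines now appear as unchanged context), the only change this patch still makes to ca.cnf, client.cnf and server.cnf is `default_days` 365 → 60. That is fine for the bootstrap test certificates, but it deserves a sentence in the spec changelog, since every certificate generated from these .cnf files (including the one for ca.cnf) will expire after 60 days and EAP-TLS/PEAP will then fail until they are regenerated; the hunk header should also be checked, as the inner `@@ -14,9 +14,9 @@` became `@@ -14,7 +14,7 @@` while the trailing `preserve = no` / `policy = policy_match` context lines were trimmed.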
@@ -59,4 +50,3 @@ diff -r -u freeradius-server-2.1.12.orig/raddb/eap.conf freeradius-server-2.1.12
#
# Elliptical cryptography configuration
-Only in freeradius-server-2.1.12/raddb: eap.conf.orig
diff --git a/freeradius-exclude-config-file.patch b/freeradius-exclude-config-file.patch
new file mode 100644
index 0000000..2710349
--- /dev/null
+++ b/freeradius-exclude-config-file.patch
@@ -0,0 +1,310 @@
+diff -u -r freeradius-server-2.2.0.orig/src/include/libradius.h freeradius-server-2.2.0.configfile/src/include/libradius.h
+--- freeradius-server-2.2.0.orig/src/include/libradius.h 2012-09-10 07:51:34.000000000 -0400
++++ freeradius-server-2.2.0.configfile/src/include/libradius.h 2012-10-03 15:45:13.002106110 -0400
+@@ -416,6 +416,17 @@
+ int fr_sockaddr2ipaddr(const struct sockaddr_storage *sa, socklen_t salen,
+ fr_ipaddr_t *ipaddr, int * port);
+
++int
++str_starts_with(const char *subject, const char *pattern);
++int
++strn_starts_with(const char *subject, const char *pattern, size_t sbj_len, size_t pat_len);
++int
++str_ends_with(const char *subject, const char *pattern);
++int
++strn_ends_with(const char *subject, const char *pattern, size_t sbj_len, size_t pat_len);
++int
++fr_exclude_config_file(const char *basename);
++
+
+ #ifdef ASCEND_BINARY
+ /* filters.c */
+diff -u -r freeradius-server-2.2.0.orig/src/lib/misc.c freeradius-server-2.2.0.configfile/src/lib/misc.c
+--- freeradius-server-2.2.0.orig/src/lib/misc.c 2012-09-10 07:51:34.000000000 -0400
++++ freeradius-server-2.2.0.configfile/src/lib/misc.c 2012-10-03 15:50:27.717357782 -0400
+@@ -28,6 +28,7 @@
+ #include <ctype.h>
+ #include <sys/file.h>
+ #include <fcntl.h>
++#include <string.h>
+
+ int fr_dns_lookups = 0;
+ int fr_debug_flag = 0;
+@@ -650,3 +651,162 @@
+
+ return 1;
+ }
++
++
++/*
++ * Return true if subject starts with pattern, false otherwise.
++ * subject and pattern are NULL terminated strings.
++ */
++int
++str_starts_with(const char *subject, const char *pattern)
++{
++ size_t sbj_len;
++ size_t pat_len;
++
++ pat_len = strlen(pattern);
++ sbj_len = strlen(subject);
++
++ return strn_starts_with(subject, pattern, sbj_len, pat_len);
++}
++
++/*
++ * Return true if subject starts with pattern, false otherwise.
++ * subject and pattern are terminated by their respective length parameters.
++ */
++int
++strn_starts_with(const char *subject, const char *pattern, size_t sbj_len, size_t pat_len)
++{
++ const char *s = NULL;
++ const char *p = NULL;
++ const char *pat_end = NULL;
++
++ if (subject == NULL || pattern == NULL) return 0;
++
++ if (pat_len > sbj_len) return 0;
++
++ pat_end = pattern + pat_len;
++
++ for (p = pattern, s = subject; p < pat_end; p++, s++) {
++ if (*p != *s) return 0;
++ }
++ return 1;
++
++}
++
++/*
++ * Return true if subject starts with pattern, false otherwise.
++ * subject and pattern are NULL terminated strings.
++ */
++int
++str_ends_with(const char *subject, const char *pattern)
++{
++ size_t sbj_len;
++ size_t pat_len;
++
++ pat_len = strlen(pattern);
++ sbj_len = strlen(subject);
++
++ return strn_ends_with(subject, pattern, sbj_len, pat_len);
++}
++
++/*
++ * Return true if subject ends with pattern, false otherwise.
++ * subject and pattern are terminated by their respective length parameters.
++ */
++int
++strn_ends_with(const char *subject, const char *pattern, size_t sbj_len, size_t pat_len)
++{
++ const char *s = NULL;
++ const char *sbj_end = NULL;
++ const char *p = NULL;
++ const char *pat_end = NULL;
++
++ if (subject == NULL || pattern == NULL) return 0;
++
++ if (pat_len > sbj_len) return 0;
++
++ pat_end = pattern + pat_len - 1;
++ sbj_end = subject + sbj_len - 1;
++
++ for (p = pat_end, s = sbj_end; p >= pattern; p--, s--) {
++ if (*p != *s) return 0;
++ }
++ return 1;
++
++}
++
++/*
++ * Tests to see if the basename of a file found in a config directory
++ * should be excluded from being read because it is not a valid config
++ * file. The function returns true if the file basename should be
++ * excluded.
++ *
++ * The following basename's are excluded:
++ *
++ * Any basename beginning with a dot (.)
++ * Any basename beginning with a hash (i.e. pound sign, octothorp) (#)
++ * Any basename ending with a tilde (~)
++ * Any basename ending with the substring ".rpmsave"
++ * Any basename ending with the substring ".rpmnew"
++ * Any basename ending with the substring ".bak"
++ */
++
++#ifdef HAVE_REGEX_H
++#include <regex.h>
++
++/*
++ * Performs test with a regular expression. The regexp is compiled on
++ * first use and then saved in a static variable for future use.
++ */
++
++int
++fr_exclude_config_file(const char *basename)
++{
++ char *pattern = "^\\.|^#|~$|\\.rpmsave$|\\.rpmnew$|\\.bak$";
++ //char *pattern = "*";
++ int status;
++ static regex_t re;
++ static int compiled = 0;
++
++ if (!compiled) {
++ if ((status = regcomp(&re, pattern, REG_NOSUB | REG_EXTENDED)) != 0) {
++ char error_buf[256];
++
++ regerror(status, &re, error_buf, sizeof(error_buf));
++ fprintf(stderr, "fr_exclude_config_file: failed to compile regular expression \"%s\": %s",
++ pattern, error_buf);
++
++ return(0); /* Since we can't perform test, accept all files */
++ }
++ compiled = 1;
++ }
++ status = regexec(&re, basename, (size_t) 0, NULL, 0);
++
++ if (status == 0) {
++ return 1;
++ } else {
++ return 0;
++ }
++}
++
++#else
++
++/*
++ * Performs the test with starts_with and ends_with string utilities.
++ */
++
++int
++fr_exclude_config_file(const char *basename)
++{
++ if (str_starts_with(basename, ".")) return 1;
++ if (str_starts_with(basename, "#")) return 1;
++
++ if (str_ends_with(basename, "~")) return 1;
++ if (str_ends_with(basename, ".rpmsave")) return 1;
++ if (str_ends_with(basename, ".rpmnew")) return 1;
++ if (str_ends_with(basename, ".bak")) return 1;
++
++ return 0;
++}
++
++#endif
+diff -u -r freeradius-server-2.2.0.orig/src/main/client.c freeradius-server-2.2.0.configfile/src/main/client.c
+--- freeradius-server-2.2.0.orig/src/main/client.c 2012-09-10 07:51:34.000000000 -0400
++++ freeradius-server-2.2.0.configfile/src/main/client.c 2012-10-03 15:52:35.351241760 -0400
+@@ -845,13 +845,24 @@
+ }
+
+ /*
+- * Read the directory, ignoring "." files.
++ * Read the directory, ignoring invalid files.
+ */
+ while ((dp = readdir(dir)) != NULL) {
+ const char *p;
+ RADCLIENT *dc;
+
+- if (dp->d_name[0] == '.') continue;
++ /*
++ * Check for invalid file names
++ */
++ if (fr_exclude_config_file(dp->d_name)) {
++ if (!(strcmp(dp->d_name, ".") == 0 ||
++ strcmp(dp->d_name, "..") == 0)) {
++ cf_log_info(cs,
++ "skipping client file, invalid name \"%s/%s\"",
++ value, dp->d_name);
++ }
++ continue;
++ }
+
+ /*
+ * Check for valid characters
+@@ -863,7 +874,12 @@
+ (*p == '.')) continue;
+ break;
+ }
+- if (*p != '\0') continue;
++ if (*p != '\0') {
++ cf_log_info(cs,
++ "skipping client file, invalid characters in name \"%s/%s\"",
++ value, dp->d_name);
++ continue;
++ }
+
+ snprintf(buf2, sizeof(buf2), "%s/%s",
+ value, dp->d_name);
+diff -u -r freeradius-server-2.2.0.orig/src/main/conffile.c freeradius-server-2.2.0.configfile/src/main/conffile.c
+--- freeradius-server-2.2.0.orig/src/main/conffile.c 2012-09-10 07:51:34.000000000 -0400
++++ freeradius-server-2.2.0.configfile/src/main/conffile.c 2012-10-03 15:54:17.465348844 -0400
+@@ -1512,12 +1512,23 @@
+ }
+
+ /*
+- * Read the directory, ignoring "." files.
++ * Read the directory, ignoring invalid files.
+ */
+ while ((dp = readdir(dir)) != NULL) {
+ const char *p;
+
+- if (dp->d_name[0] == '.') continue;
++ /*
++ * Check for invalid file names
++ */
++ if (fr_exclude_config_file(dp->d_name)) {
++ if (!(strcmp(dp->d_name, ".") == 0 ||
++ strcmp(dp->d_name, "..") == 0)) {
++ radlog(L_INFO, "skipping config file, invalid name \"%s%s\"",
++ value, dp->d_name);
++ }
++ continue;
++ }
++
+
+ /*
+ * Check for valid characters
+@@ -1530,7 +1541,11 @@
+ (*p == '.')) continue;
+ break;
+ }
+- if (*p != '\0') continue;
++ if (*p != '\0') {
++ radlog(L_INFO, "skipping config file, invalid characters in name \"%s%s\"",
++ value, dp->d_name);
++ continue;
++ }
+
+ snprintf(buf2, sizeof(buf2), "%s%s",
+ value, dp->d_name);
+diff -u -r freeradius-server-2.2.0.orig/src/modules/rlm_policy/parse.c freeradius-server-2.2.0.configfile/src/modules/rlm_policy/parse.c
+--- freeradius-server-2.2.0.orig/src/modules/rlm_policy/parse.c 2012-09-10 07:51:34.000000000 -0400
++++ freeradius-server-2.2.0.configfile/src/modules/rlm_policy/parse.c 2012-10-03 15:55:29.736715648 -0400
+@@ -1584,13 +1584,22 @@
+ }
+
+ /*
+- * Read the directory, ignoring "." files.
++ * Read the directory, ignoring invalid files.
+ */
+ while ((dp = readdir(dir)) != NULL) {
+ struct stat buf;
+
+- if (dp->d_name[0] == '.') continue;
+- if (strchr(dp->d_name, '~') != NULL) continue;
++ /*
++ * Check for invalid file names
++ */
++ if (fr_exclude_config_file(dp->d_name)) {
++ if (!(strcmp(dp->d_name, ".") == 0 ||
++ strcmp(dp->d_name, "..") == 0)) {
++ fprintf(stderr, "skipping policy file, invalid name \"%s%s\"",
++ buffer, dp->d_name);
++ }
++ continue;
++ }
+
+ strlcpy(p, dp->d_name,
+ sizeof(buffer) - (p - buffer));
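Review bot: `strn_ends_with` walks `p` and `s` backwards with `p >= pattern` as the loop condition, so on a full match `p` is decremented to `pattern - 1` (and `pat_end = pattern + pat_len - 1` is already below the buffer when `pat_len == 0`); that is pointer arithmetic outside the object and undefined in C. A simpler and safe form is `return memcmp(subject + sbj_len - pat_len, pattern, pat_len) == 0;` after the `pat_len > sbj_len` check, and `strn_starts_with` can likewise become `memcmp(subject, pattern, pat_len) == 0`. Smaller points in the same file: the comment above `str_ends_with` still says "starts with" (copy-paste); the `//char *pattern = "*";` debug leftover should go, and `pattern` should be `const char *`; the `fprintf(stderr, "fr_exclude_config_file: failed to compile ...")` message has no trailing `\n`, and on that failure the function returns 0, i.e. fails open and reads every file including the .rpmnew/.rpmsave ones it was added to skip, which is worth at least a louder log line (and the file is in src/lib, but the callers in src/main have `radlog` available if you move the check there). The lazily compiled `static regex_t re` is only safe if a single thread ever calls this; compiling it eagerly or guarding it with a mutex avoids the question. In the callers, rlm_policy/parse.c logs with `fprintf(stderr, ...)` and no newline while client.c and conffile.c use `cf_log_info`/`radlog`, and parse.c previously skipped any name containing `~` (`strchr`) whereas `~$` in the new pattern only skips a trailing `~`, which is a small behaviour change to note in the commit message.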
diff --git a/freeradius-radeapclient-ipv6.patch b/freeradius-radeapclient-ipv6.patch
new file mode 100644
index 0000000..761b599
--- /dev/null
+++ b/freeradius-radeapclient-ipv6.patch
@@ -0,0 +1,158 @@
+diff -r -u freeradius-server-2.1.12.orig/man/man1/radeapclient.1 freeradius-server-2.1.12.work/man/man1/radeapclient.1
+--- freeradius-server-2.1.12.orig/man/man1/radeapclient.1 2011-09-30 10:12:07.000000000 -0400
++++ freeradius-server-2.1.12.work/man/man1/radeapclient.1 2012-02-28 11:11:46.023456307 -0500
+@@ -3,6 +3,8 @@
+ radeapclient - send EAP packets to a RADIUS server, calculate responses
+ .SH SYNOPSIS
+ .B radeapclient
++.RB [ \-4 ]
++.RB [ \-6 ]
+ .RB [ \-c
+ .IR count ]
+ .RB [ \-d
+@@ -27,7 +29,7 @@
+ \fBradeapclient\fP is a radius client program. It can send arbitrary radius
+ packets to a radius server, then shows the reply. Radeapclient differs from
+ radclient in that if there is an EAP-MD5 challenge, then it will be responded
+-to.
++to.
+ .PP
+ \fBradeapclient\fP is otherwise identical to \fBradclient\fP.
+ .PP
+@@ -36,11 +38,15 @@
+ .PP
+ .PP
+ The \fIEAP-MD5-Password\fP attribute, if present is used to respond to an
+-MD5 challenge.
++MD5 challenge.
+ .PP
+ No other EAP types are currently supported.
+
+ .SH OPTIONS
++.IP \-4
++Use IPv4 (default)
++.IP \-6
++Use IPv6
+ .IP \-c\ \fIcount\fP
+ Send each packet \fIcount\fP times.
+ .IP \-d\ \fIraddb\fP
+@@ -82,7 +88,7 @@
+ echo 'EAP-Type-Identity = "bob";
+ echo 'Message-Authenticator = 0x00';
+ echo 'NAS-Port = 0' ) >req.txt
+-
++
+ radeapclient -x localhost auth testing123 <req.txt
+ .fi
+ .sp
+diff -r -u freeradius-server-2.1.12.orig/src/modules/rlm_eap/radeapclient.c freeradius-server-2.1.12.work/src/modules/rlm_eap/radeapclient.c
+--- freeradius-server-2.1.12.orig/src/modules/rlm_eap/radeapclient.c 2011-09-30 10:12:07.000000000 -0400
++++ freeradius-server-2.1.12.work/src/modules/rlm_eap/radeapclient.c 2012-02-28 11:44:34.011174367 -0500
+@@ -90,6 +90,8 @@
+ fprintf(stderr, " -s Print out summary information of auth results.\n");
+ fprintf(stderr, " -v Show program version information.\n");
+ fprintf(stderr, " -x Debugging mode.\n");
++ fprintf(stderr, " -4 Use IPv4 address of server\n");
++ fprintf(stderr, " -6 Use IPv6 address of server.\n");
+
+ exit(1);
+ }
+@@ -169,7 +171,7 @@
+ ip = &packet->dst_ipaddr;
+ port = packet->dst_port;
+ }
+-
++
+ /*
+ * Client-specific debugging re-prints the input
+ * packet into the client log.
+@@ -975,15 +977,22 @@
+ FILE *fp;
+ int count = 1;
+ int id;
++ int force_af = AF_UNSPEC;
+
+ id = ((int)getpid() & 0xff);
+ fr_debug_flag = 0;
+
+ radlog_dest = RADLOG_STDERR;
+
+- while ((c = getopt(argc, argv, "c:d:f:hi:qst:r:S:xXv")) != EOF)
++ while ((c = getopt(argc, argv, "46c:d:f:hi:qst:r:S:xXv")) != EOF)
+ {
+ switch(c) {
++ case '4':
++ force_af = AF_INET;
++ break;
++ case '6':
++ force_af = AF_INET6;
++ break;
+ case 'c':
+ if (!isdigit((int) *optarg))
+ usage();
+@@ -1106,11 +1115,45 @@
+ req->id = id;
+
+ /*
+- * Strip port from hostname if needed.
++ * Resolve hostname.
+ */
+- if ((p = strchr(argv[1], ':')) != NULL) {
+- *p++ = 0;
+- port = atoi(p);
++ if (force_af == AF_UNSPEC) force_af = AF_INET;
++ req->dst_ipaddr.af = force_af;
++ if (strcmp(argv[1], "-") != 0) {
++ const char *hostname = argv[1];
++ const char *portname = argv[1];
++ char buffer[256];
++
++ if (*argv[1] == '[') { /* IPv6 URL encoded */
++ p = strchr(argv[1], ']');
++ if ((size_t) (p - argv[1]) >= sizeof(buffer)) {
++ usage();
++ }
++
++ memcpy(buffer, argv[1] + 1, p - argv[1] - 1);
++ buffer[p - argv[1] - 1] = '\0';
++
++ hostname = buffer;
++ portname = p + 1;
++
++ }
++ p = strchr(portname, ':');
++ if (p && (strchr(p + 1, ':') == NULL)) {
++ *p = '\0';
++ portname = p + 1;
++ } else {
++ portname = NULL;
++ }
++
++ if (ip_hton(hostname, force_af, &req->dst_ipaddr) < 0) {
++ fprintf(stderr, "radclient: Failed to find IP address for host %s: %s\n", hostname, strerror(errno));
++ exit(1);
++ }
++
++ /*
++ * Strip port from hostname if needed.
++ */
++ if (portname) port = atoi(portname);
+ }
+
+ /*
+@@ -1143,15 +1186,7 @@
+ } else {
+ usage();
+ }
+-
+- /*
+- * Resolve hostname.
+- */
+ req->dst_port = port;
+- if (ip_hton(argv[1], AF_INET, &req->dst_ipaddr) < 0) {
+- fprintf(stderr, "radclient: Failed to find IP address for host %s\n", argv[1]);
+- exit(1);
+- }
+
+ /*
+ * Add the secret.
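Review bot: in the `[host]:port` branch, `p = strchr(argv[1], ']')` is used in `p - argv[1]` and the `memcpy` without a NULL check, so an argument such as `[::1` (missing `]`) computes with a NULL pointer; add `if (p == NULL) usage();` before the length check. This patch was also generated against `freeradius-server-2.1.12` (see the `diff -r -u` headers) while the spec now builds 2.2.0, so confirm it applies cleanly to 2.2.0 or regenerate it against that tree as was done for freeradius-exclude-config-file.patch. Minor: the new error line says `radclient:` inside radeapclient and appends `strerror(errno)` although `ip_hton` is not shown to set `errno`; and several man-page hunks (`-to.`/`+to.`, `-MD5 challenge.`/`+MD5 challenge.`, the blank line after `NAS-Port = 0`) change only trailing whitespace and could be dropped to keep the patch focused.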
diff --git a/freeradius.spec b/freeradius.spec
index c8cb892..14b08ff 100644
--- a/freeradius.spec
+++ b/freeradius.spec
@@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server
Name: freeradius
-Version: 2.1.12
-Release: 4%{?dist}
+Version: 2.2.0
+Release: 0%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons
URL: http://www.freeradius.org/
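Review bot: `Release: 0%{?dist}` is unusual for a package build; the first build of a new upstream version in Fedora normally starts at `Release: 1%{?dist}`, and the matching `%changelog` entry header (`2.2.0-0`) should be updated together with it.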
@@ -14,7 +14,8 @@ Source104: %{name}-tmpfiles.conf
Patch1: freeradius-cert-config.patch
Patch2: freeradius-radtest.patch
-Patch3: freeradius-man.patch
+Patch3: freeradius-radeapclient-ipv6.patch
+Patch4: freeradius-exclude-config-file.patch
Obsoletes: freeradius-devel
Obsoletes: freeradius-libs
@@ -35,6 +36,7 @@ BuildRequires: readline-devel
BuildRequires: libpcap-devel
BuildRequires: systemd-units
+Requires: openssl
Requires(pre): shadow-utils glibc-common
Requires(post): systemd-sysv
Requires(post): systemd-units
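Review bot: the new runtime `Requires: openssl` has no comment and is not mentioned in the changelog; if it is there because the raddb/certs bootstrap needs the `openssl` command line tool at install time, say so in a `#` comment above the line so the dependency is not removed later as redundant (the library dependency on libssl is already picked up automatically).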
@@ -147,7 +149,9 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
%setup -q -n freeradius-server-%{version}
%patch1 -p1 -b .cert-config
%patch2 -p1 -b .radtest
-%patch3 -p1 -b .man
+%patch3 -p1 -b radeapclient-ipv6
+%patch4 -p1 -b exclude-config-file
+
# Some source files mistakenly have execute permissions set
find $RPM_BUILD_DIR/freeradius-server-%{version} \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} +
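Review bot: the backup suffixes for the two new patches are missing the leading dot: `%patch3 -p1 -b radeapclient-ipv6` and `%patch4 -p1 -b exclude-config-file` should be `-b .radeapclient-ipv6` and `-b .exclude-config-file`, consistent with `.cert-config` and `.radtest` above; without the dot the backup copies get names like `misc.cexclude-config-file`.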
@@ -161,7 +165,9 @@ export CFLAGS="$RPM_OPT_FLAGS -fpic"
%configure \
--libdir=%{_libdir}/freeradius \
--with-system-libtool \
+ --with-system-libltdl \
--disable-ltdl-install \
+ --with-udpfromto \
--with-gnu-ld \
--with-threads \
--with-thread-pool \
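Review bot: `--with-system-libltdl` and `--with-udpfromto` are new configure options with no mention in the commit message or `%changelog`; please document why they are being turned on (udpfromto changes which source address replies are sent from on multi-homed hosts, which is user-visible), and check that a `BuildRequires` for the system libltdl development package is present so the build does not silently fall back to the bundled copy.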
@@ -342,6 +348,7 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/always
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/attr_filter
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/attr_rewrite
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/cache
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/chap
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/checkval
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/counter
@@ -349,6 +356,7 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/detail
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/detail.example.com
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/detail.log
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/dhcp_sqlippool
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/digest
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/dynamic_clients
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/echo
@@ -373,6 +381,7 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/passwd
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/policy
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/preprocess
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/radrelay
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/radutmp
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/realm
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/modules/redis
@@ -448,6 +457,8 @@ exit 0
%{_libdir}/freeradius/rlm_attr_filter-%{version}.so
%{_libdir}/freeradius/rlm_attr_rewrite.so
%{_libdir}/freeradius/rlm_attr_rewrite-%{version}.so
+%{_libdir}/freeradius/rlm_cache.so
+%{_libdir}/freeradius/rlm_cache-%{version}.so
%{_libdir}/freeradius/rlm_chap.so
%{_libdir}/freeradius/rlm_chap-%{version}.so
%{_libdir}/freeradius/rlm_checkval.so
@@ -590,6 +601,99 @@ exit 0
%{_libdir}/freeradius/rlm_sql_unixodbc-%{version}.so
%changelog
+* Tue Oct 9 2012 John Dennis <jdennis at redhat.com> - 2.2.0-0
+- Add new patch to avoid reading .rpmnew, .rpmsave and other invalid
+ files when loading config files
+- Upgrade to new 2.2.0 upstream release
+- Upstream changelog for 2.1.12:
+ Feature improvements
+ * 100% configuration file compatible with 2.1.x.
+ The only fix needed is to disallow "hashsize=0" for rlm_passwd
+ * Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware,
+ Redback, and Mikrotik dictionaries
+ * Switch to using SHA1 for certificate digests instead of MD5.
+ See raddb/certs/*.cnf
+ * Added copyright statements to the dictionaries, so that we know
+ when people are using them.
+ * Better documentation for radrelay and detail file writer.
+ See raddb/modules/radrelay and raddb/radrelay.conf
+ * Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
+ * Added -F <file> to radwho
+ * Added query timeouts to MySQL driver. Patch from Brian De Wolf.
+ * Add /etc/default/freeradius to debian package.
+ Patch from Matthew Newton
+ * Finalize DHCP and DHCP relay code. It should now work everywhere.
+ See raddb/sites-available/dhcp, src_ipaddr and src_interface.
+ * DHCP capabilitiies are now compiled in by default.
+ It runs as a DHCP server ONLY when manually enabled.
+ * Added one letter expansions: %G - request minute and %I request
+ ID.
+ * Added script to convert ISC DHCP lease files to SQL pools.
+ See scripts/isc2ippool.pl
+ * Added rlm_cache to cache arbitrary attributes.
+ * Added max_use to rlm_ldap to force connection to be re-established
+ after a given number of queries.
+ * Added configtest option to Debian init scripts, and automatic
+ config test on restart.
+ * Added cache config item to rlm_krb5. When set to "no" ticket
+ caching is disabled which may increase performance.
+
+ Bug fixes
+ * Fix CVE-2012-3547. All users of 2.1.10, 2.1.11, 2.1.12,
+ and 802.1X should upgrade immediately.
+ * Fix typo in detail file writer, to skip writing if the packet
+ was read from this detail file.
+ * Free cached replies when closing resumed SSL sessions.
+ * Fix a number of issues found by Coverity.
+ * Fix memory leak and race condition in the EAP-TLS session cache.
+ Thanks to Phil Mayers for tracking down OpenSSL APIs.
+ * Restrict ATTRIBUTE names to character sets that make sense.
+ * Fix EAP-TLS session Id length so that OpenSSL doesn't get
+ excited.
+ * Fix SQL IPPool logic for non-timer attributes. Closes bug #181
+ * Change some informational messages to DEBUG rather than error.
+ * Portability fixes for FreeBSD. Closes bug #177
+ * A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols
+ nonsense.
+ * Safely handle extremely long lines in conf file variable expansion
+ * Fix for Debian bug #606450
+ * Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
+ * The passwd module no longer permits "hashsize = 0". Setting that
+ is pointless for a host of reasons. It will also break the server.
+ * Fix proxied inner-tunnel packets sometimes having zero authentication
+ vector. Found by Brian Julin.
+ * Added $(EXEEXT) to Makefiles for portability. Closes bug #188.
+ * Fix minor build issue which would cause rlm_eap to be built twice.
+ * When using "status_check=request" for a home server, the username
+ and password must be specified, or the server will not start.
+ * EAP-SIM now calculates keys from the SIM identity, not from the
+ EAP-Identity. Changing the EAP type via NAK may result in
+ identities changing. Bug reported by Microsoft EAP team.
+ * Use home server src_ipaddr when sending Status-Server packets
+ * Decrypt encrypted ERX attributes in CoA packets.
+ * Fix registration of internal xlat's so %{mschap:...} doesn't
+ disappear after a HUP.
+ * Can now reference tagged attributes in expansions.
+ e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work.
+ * Correct calculation of Message-Authenticator for CoA and Disconnect
+ replies. Patch from Jouni Malinen
+ * Install rad_counter, for managing rlm_counter files.
+ * Add unique index constraint to all SQL flavours so that alternate
+ queries work correctly.
+ * The TTLS diameter decoder is now more lenient. It ignores
+ unknown attributes, instead of rejecting the TTLS session.
+ * Use "globfree" in detail file reader. Prevents very slow leak.
+ Closes bug #207.
+ * Operator =~ shouldn't copy the attribute, like :=. It should
+ instead behave more like ==.
+ * Build main Debian package without SQL dependencies
+ * Use max_queue_size in threading code
+ * Update permissions in raddb/sql/postgresql/admin.sql
+ * Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL
+ wouldn't use methods it knew about.
+ * Add more sanity checks in dynamic_clients code so the server won't
+ crash if it attempts to load a badly formated client definition.
+
* Tue Feb 7 2012 John Dennis <jdennis at redhat.com> - 2.1.12-4
- resolves: bug#781877 (from RHEL5) rlm_dbm_parse man page misspelled
- resolves: bug#760193 (from RHEL5) radtest PPPhint option is not parsed properly
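Review bot: the changelog entry is headed `Upstream changelog for 2.1.12:` but this is the 2.2.0 update, and the items listed (`100% configuration file compatible with 2.1.x`, `Fix CVE-2012-3547. All users of 2.1.10, 2.1.11, 2.1.12 ... should upgrade`) describe what changed in 2.2.0 relative to the 2.1.x series, so the heading should read 2.2.0. Also, as the CVE fix is the main reason users will want this update, consider calling it out in the top-level bullet rather than only inside the pasted upstream list, and the entry's `2.2.0-0` version should match whatever `Release:` ends up being.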
diff --git a/sources b/sources
index c9b2a89..032f707 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
862d3a2c11011e61890ba84fa636ed8c freeradius-server-2.1.12.tar.bz2
+0fb333fe6a64eb2b1dd6ef67f7bca119 freeradius-server-2.2.0.tar.bz2