[freeradius] - resolves: bug#1031035 remove radeapclient man page, upstream no longer supports radeapclient,
John Dennis
jdennis at fedoraproject.org
Tue Nov 26 23:34:31 UTC 2013
commit b70e15694d48489d30c8e96f9828829286045766
Author: John Dennis <jdennis at redhat.com>
Date: Tue Nov 26 18:33:56 2013 -0500
- resolves: bug#1031035
remove radeapclient man page,
upstream no longer supports radeapclient, use eapol_test instead
- resolves: bug#1031061
rlm_eap_leap memory corruption, see freeradius-rlm_leap.patch
- move man pages for utils into utils subpackage from doc subpackage
- fix HAVE_EC_CRYPTO test to include f20
- add new directory /var/run/radiusd/tmp
update mods-available/eap so that tls-common.verify.tmpdir points to it
freeradius-redhat-config.patch | 30 +++++++++++--
freeradius-rlm_leap.patch | 88 ++++++++++++++++++++++++++++++++++++++++
freeradius.spec | 42 +++++++++++++------
3 files changed, 142 insertions(+), 18 deletions(-)
---
diff --git a/freeradius-redhat-config.patch b/freeradius-redhat-config.patch
index 6b3ce4e..3a7e428 100644
--- a/freeradius-redhat-config.patch
+++ b/freeradius-redhat-config.patch
@@ -1,14 +1,35 @@
+diff -r -u freeradius-server-3.0.0.orig/raddb/mods-available/eap freeradius-server-3.0.0/raddb/mods-available/eap
+--- freeradius-server-3.0.0.orig/raddb/mods-available/eap 2013-10-07 15:49:47.000000000 -0400
++++ freeradius-server-3.0.0/raddb/mods-available/eap 2013-11-26 17:48:56.081183431 -0500
+@@ -435,7 +435,7 @@
+ #
+ # You should also delete all of the files
+ # in the directory when the server starts.
+- # tmpdir = /tmp/radiusd
++ # tmpdir = /var/run/radiusd/tmp
+
+ # The command used to verify the client cert.
+ # We recommend using the OpenSSL command-line
+@@ -449,7 +449,7 @@
+ # in PEM format. This file is automatically
+ # deleted by the server when the command
+ # returns.
+- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
++ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+ }
+
+ #
diff -r -u freeradius-server-3.0.0.orig/raddb/radiusd.conf.in freeradius-server-3.0.0/raddb/radiusd.conf.in
--- freeradius-server-3.0.0.orig/raddb/radiusd.conf.in 2013-10-07 15:49:47.000000000 -0400
-+++ freeradius-server-3.0.0/raddb/radiusd.conf.in 2013-10-09 14:10:18.595543308 -0400
++++ freeradius-server-3.0.0/raddb/radiusd.conf.in 2013-11-26 17:24:52.263467793 -0500
@@ -71,8 +71,7 @@
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
-
+
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
+db_dir = ${localstatedir}/lib/radiusd
-
+
#
# libdir: Where to find the rlm_* modules.
@@ -376,8 +375,8 @@
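Review bot: In the mods-available/eap part of this hunk the new `tmpdir = /var/run/radiusd/tmp` and `client = "/usr/bin/openssl verify ..."` lines are still commented out, so the patch changes only the suggested values and does not make the server use the new directory. Since client certificates are written there before verification, the comment block should state what the directory needs, for example `# /var/run/radiusd/tmp is created by the package, mode 0700, owned by radiusd`. What the server does when tmpdir is left unset is not visible here, and the enclosing verify section starts outside the hunk.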
@@ -19,7 +40,6 @@ diff -r -u freeradius-server-3.0.0.orig/raddb/radiusd.conf.in freeradius-server-
-# group = radius
+ user = radiusd
+ group = radiusd
-
+
# Core dumps are a bad thing. This should only be set to
# 'yes' if you're debugging a problem with the server.
-Only in freeradius-server-3.0.0/raddb: radiusd.conf.in~
diff --git a/freeradius-rlm_leap.patch b/freeradius-rlm_leap.patch
new file mode 100644
index 0000000..abf6426
--- /dev/null
+++ b/freeradius-rlm_leap.patch
@@ -0,0 +1,88 @@
+This patch is the collective application of the following 3
+upstream git commits for the v3.0.x branch.
+
+d8f91f97 Missed PAD macro
+4203125 Proper fix for calculating encoded session-key length
+e96eeea Increase size of LEAP session key buffer
+457beab Sanity checks for leap
+
+These are fixes for the following bugs:
+1031061 1031052
+
+diff -r -u freeradius-server-3.0.0.pre-patch/src/include/libradius.h freeradius-server-3.0.0/src/include/libradius.h
+--- freeradius-server-3.0.0.pre-patch/src/include/libradius.h 2013-11-26 12:33:38.894517298 -0500
++++ freeradius-server-3.0.0/src/include/libradius.h 2013-11-26 13:22:48.215581799 -0500
+@@ -103,6 +103,8 @@
+ #define TAG_ANY -128 /* minimum signed char */
+ #define TAG_UNUSED 0
+
++#define PAD(_x, _y) (_y - ((_x) % _y))
++
+ #if defined(__GNUC__)
+ # define PRINTF_LIKE(n) __attribute__ ((format(printf, n, n+1)))
+ # define NEVER_RETURNS __attribute__ ((noreturn))
+@@ -424,6 +426,8 @@
+ uint8_t const *vector);
+ int rad_pwdecode(char *encpw, size_t len, char const *secret,
+ uint8_t const *vector);
++
++#define FR_TUNNEL_PW_ENC_LENGTH(_x) (2 + 1 + _x + PAD(_x + 1, 16))
+ int rad_tunnel_pwencode(char *encpw, size_t *len, char const *secret,
+ uint8_t const *vector);
+ int rad_tunnel_pwdecode(uint8_t *encpw, size_t *len,
+diff -r -u freeradius-server-3.0.0.pre-patch/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c freeradius-server-3.0.0/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c
+--- freeradius-server-3.0.0.pre-patch/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c 2013-11-26 12:33:38.645517611 -0500
++++ freeradius-server-3.0.0/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c 2013-11-26 13:22:44.218580815 -0500
+@@ -324,7 +324,7 @@
+ */
+ fr_md5_calc(hash, buffer, 16 + 8 + 24 + 8 + 24);
+
+- q = talloc_array(vp, char, 16 + sizeof("leap:session-key="));
++ q = talloc_array(vp, char, FR_TUNNEL_PW_ENC_LENGTH(16) + sizeof("leap:session-key="));
+ strcpy(q, "leap:session-key=");
+
+ memcpy(q + 17, hash, 16);
+@@ -395,6 +395,9 @@
+ {
+ leap_packet_raw_t *data;
+
++ rad_assert(eap_ds->request);
++ rad_assert(reply);
++
+ /*
+ * We need the name and the challenge.
+ */
+diff -r -u freeradius-server-3.0.0.pre-patch/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h freeradius-server-3.0.0/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h
+--- freeradius-server-3.0.0.pre-patch/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h 2013-11-26 12:33:38.645517611 -0500
++++ freeradius-server-3.0.0/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h 2013-11-26 13:22:36.311578784 -0500
+@@ -41,10 +41,10 @@
+ typedef struct leap_packet {
+ unsigned char code;
+ unsigned char id;
+- int length;
++ size_t length;
+ int count;
+ unsigned char *challenge;
+- int name_len;
++ size_t name_len;
+ char *name;
+ } leap_packet_t;
+
+diff -r -u freeradius-server-3.0.0.pre-patch/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c freeradius-server-3.0.0/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c
+--- freeradius-server-3.0.0.pre-patch/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c 2013-11-26 12:33:38.645517611 -0500
++++ freeradius-server-3.0.0/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c 2013-11-26 13:22:36.312578784 -0500
+@@ -96,11 +96,13 @@
+ leap_packet_t *reply;
+ VALUE_PAIR *password;
+
++ rad_assert(request);
++
+ if (!handler->opaque) {
+ REDEBUG("Cannot authenticate without LEAP history");
+ return 0;
+ }
+- session = (leap_session_t *) handler->opaque;
++ session = talloc_get_type_abort(handler->opaque, leap_session_t);
+ reply = NULL;
+
+ /*
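Review bot: The two sizing macros added to libradius.h do not parenthesize their arguments: `PAD` uses `_y` bare and `FR_TUNNEL_PW_ENC_LENGTH` uses `_x` bare, so an argument that is a shift or a conditional expression would expand to the wrong length, which matters for a macro that sizes a buffer. I would write them as `#define PAD(_x, _y) ((_y) - ((_x) % (_y)))` and `#define FR_TUNNEL_PW_ENC_LENGTH(_x) (2 + 1 + (_x) + PAD((_x) + 1, 16))`. The only use visible here passes the literal 16, so the allocation in eap_leap.c is unaffected today. Separately, the patch header says "3 upstream git commits" but lists four. The functions touched in eap_leap.c and rlm_eap_leap.c begin and end outside these hunks.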
diff --git a/freeradius.spec b/freeradius.spec
index eb069aa..42025c1 100644
--- a/freeradius.spec
+++ b/freeradius.spec
@@ -1,13 +1,13 @@
Summary: High-performance and highly configurable free RADIUS server
Name: freeradius
Version: 3.0.0
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons
URL: http://www.freeradius.org/
# Is elliptic curve cryptography supported?
-%if 0%{?rhel} >= 7
+%if 0%{?rhel} >= 7 || 0%{fedora} >= 20
%global HAVE_EC_CRYPTO 1
%else
%global HAVE_EC_CRYPTO 0
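Review bot: The new condition uses `0%{fedora}` without the `?`, unlike `0%{?rhel}` beside it. Where the `fedora` macro is undefined (an RHEL build, for instance) it is left unexpanded, and the `%if` expression no longer evaluates as a number. The line should read `%if 0%{?rhel} >= 7 || 0%{?fedora} >= 20`.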
@@ -23,6 +23,7 @@ Source104: freeradius-tmpfiles.conf
Patch1: freeradius-redhat-config.patch
Patch2: freeradius-bool-config.patch
+Patch3: freeradius-rlm_leap.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@@ -177,8 +178,9 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
%prep
%setup -q -n %{dist_base}
-%patch1 -p1 -b .redhat-config
-%patch2 -p1 -b .bool-config
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
%build
# Force compile/link options, extra security for network facing daemon
@@ -219,6 +221,7 @@ install -D -m 644 %{SOURCE103} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/radiusd
mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
mkdir -p %{buildroot}%{_localstatedir}/run/
install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
install -m 0644 %{SOURCE104} %{buildroot}%{_sysconfdir}/tmpfiles.d/radiusd.conf
# remove unneeded stuff
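Review bot: The new `/var/run/radiusd/tmp` directory is created only in the package payload, by the `install -d -m 0700` line here and the `%dir %attr(700,radiusd,radiusd)` line in the %files hunk; freeradius-tmpfiles.conf (SOURCE104) is not in this commit's diffstat. If /var/run is a tmpfs on the target release, the directory will be gone after a reboot unless the tmpfiles.d file also declares it, leaving the certificate verify step without its private directory. I would add a matching entry there, for example `d /var/run/radiusd/tmp 0700 radiusd radiusd -`, next to the existing one for /var/run/radiusd. That file's contents are not visible here, so this should be checked against it.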
@@ -233,6 +236,8 @@ rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/serial*
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/dh
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/random
+rm -f $RPM_BUILD_ROOT/%{_mandir}/man1/radeapclient.1
+
rm -f $RPM_BUILD_ROOT/usr/sbin/rc.radiusd
rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.a
rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.la
@@ -314,6 +319,7 @@ exit 0
%{_unitdir}/radiusd.service
%config %{_sysconfdir}/tmpfiles.d/radiusd.conf
%dir %attr(710,radiusd,radiusd) %{_localstatedir}/run/radiusd
+%dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp
%dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd
# configs (raddb)
@@ -570,10 +576,6 @@ exit 0
%{_libdir}/freeradius/rlm_wimax.so
%{_libdir}/freeradius/rlm_yubikey.so
-%files doc
-
-%doc %{docdir}/
-
# main man pages
%doc %{_mandir}/man5/clients.conf.5.gz
%doc %{_mandir}/man5/dictionary.5.gz
@@ -601,9 +603,16 @@ exit 0
%doc %{_mandir}/man8/radmin.8.gz
%doc %{_mandir}/man8/radrelay.8.gz
+%files doc
+
+%doc %{docdir}/
+
+
+%files utils
+/usr/bin/*
+
# utils man pages
%doc %{_mandir}/man1/radclient.1.gz
-%doc %{_mandir}/man1/radeapclient.1.gz
%doc %{_mandir}/man1/radlast.1.gz
%doc %{_mandir}/man1/radtest.1.gz
%doc %{_mandir}/man1/radwho.1.gz
@@ -616,10 +625,6 @@ exit 0
%doc %{_mandir}/man8/radsqlrelay.8.gz
%doc %{_mandir}/man8/rlm_ippool_tool.8.gz
-
-%files utils
-/usr/bin/*
-
%files devel
/usr/include/freeradius
@@ -722,6 +727,17 @@ exit 0
%{_libdir}/freeradius/rlm_sql_unixodbc.so
%changelog
+* Tue Nov 26 2013 John Dennis <jdennis at redhat.com> - 3.0.0-4
+- resolves: bug#1031035
+ remove radeapclient man page,
+ upstream no longer supports radeapclient, use eapol_test instead
+- resolves: bug#1031061
+ rlm_eap_leap memory corruption, see freeradius-rlm_leap.patch
+- move man pages for utils into utils subpackage from doc subpackage
+- fix HAVE_EC_CRYPTO test to include f20
+- add new directory /var/run/radiusd/tmp
+ update mods-available/eap so tls-common.verify.tmpdir to point to it
+
* Wed Nov 13 2013 John Dennis <jdennis at redhat.com> - 3.0.0-3
- resolves: bug#1029941
PW_TYPE_BOOLEAN config item should be declared int, not bool