authorHaixiao Yan <haixiao.yan.cn@windriver.com>2024-11-18 15:07:49 +0800
committerArmin Kuster <akuster808@gmail.com>2024-12-08 14:54:19 -0500
commitfeb37930707107748a31300acb5f30189b7232a3 (patch)
tree181fef6bfd4b21fd6524d4a28fc38c08e3a180e7
parentadf635944c6a2f63b5772ceaa5411be84a9b3711 (diff)
downloadmeta-openembedded-feb37930707107748a31300acb5f30189b7232a3.tar.gz
freeradius: upgrade 3.0.21 -> 3.0.27
ChangeLog: https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_27 Configuration changes: BlastRADIUS mitigations have been added to the "security" section. See require_message_authenticator and also limit_proxy_state. BlastRADIUS mitigations have been added to radclient. See man radclient, and the -b option. Security fixes: CVE-2024-3596: RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-3596 https://www.freeradius.org/security/ https://www.blastradius.fail/ https://www.inkbridgenetworks.com/web/content/2557?unique=47be02c8aed46c53b0765db185320249ad873d95 Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> [Drop the CVE-2024-3596 patch that was backported earlier; the fix is part of 3.0.27] Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/0001-Add-autogen.sh.patch47
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/0002-Enable-and-change-user-and-group-of-freeradius-serve.patch (renamed from meta-networking/recipes-connectivity/freeradius/files/freeradius-enble-user-in-conf.patch)12
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/0003-configure.ac-allow-cross-compilation.patch (renamed from meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-allow-cross-compilation.patch)10
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/0004-Fix-libtool-detection.patch (renamed from meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-detection.patch)33
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/0005-configure.ac-add-option-for-libcap.patch (renamed from meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-add-option-for-libcap.patch)12
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/0006-Avoid-searching-host-dirs.patch (renamed from meta-networking/recipes-connectivity/freeradius/files/freeradius-avoid-searching-host-dirs.patch)57
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/0007-rlm_python-add-PY_INC_DIR-in-search-dir.patch (renamed from meta-networking/recipes-connectivity/freeradius/files/freeradius-rlm_python-add-PY_INC_DIR.patch)12
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/0008-libtool-do-not-use-jlibtool.patch (renamed from meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-do-not-use-jlibtool.patch)24
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/0009-Fix-quoting-for-BUILD_WITH.patch (renamed from meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-quoting-for-BUILT_WITH.patch)13
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/0010-fix-error-for-expansion-of-macro-in-thread.h.patch (renamed from meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-error-for-expansion-of-macro.patch)6
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/0011-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch (renamed from meta-networking/recipes-connectivity/freeradius/files/0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch)17
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/0012-raddb-certs-Makefile-fix-the-existed-certificate-err.patch (renamed from meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch)10
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/0013-raddb-certs-Makefile-fix-the-occasional-verification.patch (renamed from meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-occasional-verification.patch)17
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/0014-Workaround-error-with-autoconf-2.7.patch (renamed from meta-networking/recipes-connectivity/freeradius/files/0001-workaround-error-with-autoconf-2.7.patch)14
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/0015-bootstrap-check-commands-of-openssl-exist.patch (renamed from meta-networking/recipes-connectivity/freeradius/files/check-openssl-cmds-in-script-bootstrap.patch)10
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/0016-version.c-don-t-print-build-flags.patch (renamed from meta-networking/recipes-connectivity/freeradius/files/0001-version.c-don-t-print-build-flags.patch)6
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch118
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch53
-rw-r--r--meta-networking/recipes-connectivity/freeradius/files/CVE-2024-3596.patch1506
-rw-r--r--meta-networking/recipes-connectivity/freeradius/freeradius_3.0.27.bb (renamed from meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb)38
20 files changed, 192 insertions, 1823 deletions
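--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0001-Add-autogen.sh.patch
@@ -0,0 +1,47 @@
+From 3be3b9a1345942d1578ec73efa9b2e3c41bd67c5 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 21 Jan 2022 13:22:24 +0800
+Subject: [PATCH] Add autogen.sh
+
+The autogen.sh has been removed since 3.0.22[1]. But we still need it in
+do_configure. Add it back.
+
+[1] https://github.com/FreeRADIUS/freeradius-server/commit/2e9b6227efd19e2b0926541aa26874908e7b7314
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
+---
+ autogen.sh | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+ create mode 100755 autogen.sh
+
+diff --git a/autogen.sh b/autogen.sh
+new file mode 100755
+index 0000000000..959182b39e
+--- /dev/null
++++ b/autogen.sh
+@@ -0,0 +1,19 @@
++#!/bin/sh -e
++
++parentdir=`dirname $0`
++
++cd $parentdir
++parentdir=`pwd`
++m4include="-I$parentdir -I$parentdir/m4 -Im4"
++
++autoreconf -Wcross --verbose --install --force
++
++mysubdirs="$mysubdirs `find src/modules/ -name configure -print | sed 's%/configure%%'`"
++mysubdirs=`echo $mysubdirs`
++
++for F in $mysubdirs
++do
++ echo "Configuring in $F..."
++ (cd $F && grep "^AC_CONFIG_HEADER" configure.ac > /dev/null || exit 0; autoheader $m4include)
++ (cd $F && autoconf $m4include)
++done
+--
+2.25.1
+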
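Review bot: The restored autogen.sh leaves `$0`, `$parentdir` and `$F` unquoted in `parentdir=`dirname $0``, `cd $parentdir` and both `(cd $F && …)` subshells, so a work directory whose path contains whitespace or glob characters makes the `cd` fail or resolve to a different directory, and the only thing that would stop the script at that point is the `-e` baked into the `#!/bin/sh -e` shebang, which is silently lost if the recipe ever invokes it as `sh autogen.sh` instead of executing it. Moving the option into the body as `set -e` and quoting those expansions keeps the current behaviour on ordinary paths while failing loudly otherwise; `for F in $mysubdirs` can stay unquoted because it deliberately word-splits the find output, and `$(…)` is easier to nest than backticks. Since the patch is marked Upstream-Status: Inappropriate [embedded specific], this belongs in the patch itself rather than in an upstream report.
```shell
#!/bin/sh
set -e

parentdir=$(dirname "$0")

cd "$parentdir"
parentdir=$(pwd)
m4include="-I$parentdir -I$parentdir/m4 -Im4"

# … unchanged: autoreconf call and mysubdirs assembly …

for F in $mysubdirs
do
 echo "Configuring in $F..."
 (cd "$F" && grep "^AC_CONFIG_HEADER" configure.ac > /dev/null || exit 0; autoheader $m4include)
 (cd "$F" && autoconf $m4include)
done
```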
diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-enble-user-in-conf.patch b/meta-networking/recipes-connectivity/freeradius/files/0002-Enable-and-change-user-and-group-of-freeradius-serve.patch
index 4a62bf1fa2..c57ee93c33 100644
--- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-enble-user-in-conf.patch
+++ b/meta-networking/recipes-connectivity/freeradius/files/0002-Enable-and-change-user-and-group-of-freeradius-serve.patch
@@ -1,4 +1,8 @@
1Enable and change user and group of freeradius server to radiusd 1From 2a74c10836c0d2d19248ca40d113936f4a56b039 Mon Sep 17 00:00:00 2001
2From: "Roy.Li" <rongqing.li@windriver.com>
3Date: Sun, 8 Jan 2023 22:47:11 +0800
4Subject: [PATCH] Enable and change user and group of freeradius server to
5 radiusd
2 6
3Upstream-Status: Inappropriate [configuration] 7Upstream-Status: Inappropriate [configuration]
4 8
@@ -9,10 +13,10 @@ Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
9 1 file changed, 2 insertions(+), 2 deletions(-) 13 1 file changed, 2 insertions(+), 2 deletions(-)
10 14
11diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in 15diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
12index c62f4ff..0b4a84e 100644 16index 154b50d610..4594d6d2d2 100644
13--- a/raddb/radiusd.conf.in 17--- a/raddb/radiusd.conf.in
14+++ b/raddb/radiusd.conf.in 18+++ b/raddb/radiusd.conf.in
15@@ -436,8 +436,8 @@ security { 19@@ -557,8 +557,8 @@ security {
16 # member. This can allow for some finer-grained access 20 # member. This can allow for some finer-grained access
17 # controls. 21 # controls.
18 # 22 #
@@ -24,5 +28,5 @@ index c62f4ff..0b4a84e 100644
24 # Core dumps are a bad thing. This should only be set to 28 # Core dumps are a bad thing. This should only be set to
25 # 'yes' if you're debugging a problem with the server. 29 # 'yes' if you're debugging a problem with the server.
26-- 30--
271.9.1 312.25.1
28 32
diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-allow-cross-compilation.patch b/meta-networking/recipes-connectivity/freeradius/files/0003-configure.ac-allow-cross-compilation.patch
index 38e7c36227..e5442360b3 100644
--- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-allow-cross-compilation.patch
+++ b/meta-networking/recipes-connectivity/freeradius/files/0003-configure.ac-allow-cross-compilation.patch
@@ -1,4 +1,4 @@
1From 0780b7053fb0d33d721aa70ab2ecd75299e5ba31 Mon Sep 17 00:00:00 2001 1From ba1390a80662ff2ab7bfda978cde7df9a871f6ae Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com> 2From: Changqing Li <changqing.li@windriver.com>
3Date: Tue, 24 Jul 2018 15:03:39 +0800 3Date: Tue, 24 Jul 2018 15:03:39 +0800
4Subject: [PATCH] configure.ac: allow cross-compilation 4Subject: [PATCH] configure.ac: allow cross-compilation
@@ -7,7 +7,7 @@ The checking OpenSSL library and header version consistency will
7always fail in cross compiling, skip the check and give a warning 7always fail in cross compiling, skip the check and give a warning
8instead for cross compiling. 8instead for cross compiling.
9 9
10Upstream-Status: Inappropriate[embedded specific] 10Upstream-Status: Inappropriate [embedded specific]
11 11
12Signed-off-by: Jackie Huang <jackie.huang@windriver.com> 12Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
13Signed-off-by: Yi Zhao <yi.zhao@windriver.com> 13Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
@@ -19,10 +19,10 @@ Signed-off-by: Changqing Li <changqing.li@windriver.com>
19 1 file changed, 2 insertions(+), 1 deletion(-) 19 1 file changed, 2 insertions(+), 1 deletion(-)
20 20
21diff --git a/src/modules/rlm_krb5/configure.ac b/src/modules/rlm_krb5/configure.ac 21diff --git a/src/modules/rlm_krb5/configure.ac b/src/modules/rlm_krb5/configure.ac
22index efc9f29..98a97e4 100644 22index a0f510cfb3..d2f3eca03e 100644
23--- a/src/modules/rlm_krb5/configure.ac 23--- a/src/modules/rlm_krb5/configure.ac
24+++ b/src/modules/rlm_krb5/configure.ac 24+++ b/src/modules/rlm_krb5/configure.ac
25@@ -137,7 +137,8 @@ if test x$with_[]modname != xno; then 25@@ -140,7 +140,8 @@ if test x$with_[]modname != xno; then
26 FR_SMART_CHECK_LIB(krb5, krb5_is_thread_safe) 26 FR_SMART_CHECK_LIB(krb5, krb5_is_thread_safe)
27 if test "x$ac_cv_lib_krb5_krb5_is_thread_safe" = xyes; then 27 if test "x$ac_cv_lib_krb5_krb5_is_thread_safe" = xyes; then
28 AC_RUN_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[return krb5_is_thread_safe() ? 0 : 1]])], 28 AC_RUN_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[return krb5_is_thread_safe() ? 0 : 1]])],
@@ -33,5 +33,5 @@ index efc9f29..98a97e4 100644
33 else 33 else
34 krb5threadsafe="" 34 krb5threadsafe=""
35-- 35--
362.7.4 362.25.1
37 37
diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-detection.patch b/meta-networking/recipes-connectivity/freeradius/files/0004-Fix-libtool-detection.patch
index 4265f9d0de..479e1ba76f 100644
--- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-detection.patch
+++ b/meta-networking/recipes-connectivity/freeradius/files/0004-Fix-libtool-detection.patch
@@ -1,9 +1,7 @@
1From bfe4d7ed72edc9d4ae1a0f0d2dd84367d6214886 Mon Sep 17 00:00:00 2001 1From 5ba3d140842268cbbdd983266efecb1fba5bdd59 Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com> 2From: Changqing Li <changqing.li@windriver.com>
3Date: Thu, 22 Aug 2019 10:45:46 +0800 3Date: Thu, 22 Aug 2019 10:45:46 +0800
4Subject: [PATCH 1/2] Fix libtool detection 4Subject: [PATCH] Fix libtool detection
5
6Upstream-Status: pending
7 5
8Use LT_INIT instead of the deprecated AC_PROG_LIBTOOL to detect libtool, so it 6Use LT_INIT instead of the deprecated AC_PROG_LIBTOOL to detect libtool, so it
9can work with our libtoolize and libtool. 7can work with our libtoolize and libtool.
@@ -12,37 +10,20 @@ Simplify the detection of ltdl. It will find the ltdl from the sysroot; the
12switch --with-system-libltdl is no longer needed. The code is copied from 10switch --with-system-libltdl is no longer needed. The code is copied from
13pulseaudio configure.ac, together with the comment paragraph. 11pulseaudio configure.ac, together with the comment paragraph.
14 12
15Also patch autogen.sh so it uses autoreconf, which handles libtoolize better. 13Upstream-Status: Inappropriate [embedded specific]
16 14
17Signed-off-by: Jesse Zhang <sen.zhang@windriver.com> 15Signed-off-by: Jesse Zhang <sen.zhang@windriver.com>
18Signed-off-by: Jackie Huang <jackie.huang@windriver.com> 16Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
19Signed-off-by: Changqing Li <changqing.li@windriver.com> 17Signed-off-by: Changqing Li <changqing.li@windriver.com>
20--- 18---
21 autogen.sh | 5 +----
22 configure.ac | 36 ++++++++++++++++++++++++++++++++++++ 19 configure.ac | 36 ++++++++++++++++++++++++++++++++++++
23 2 files changed, 37 insertions(+), 4 deletions(-) 20 1 file changed, 36 insertions(+)
24 21
25diff --git a/autogen.sh b/autogen.sh
26index a1d08a6..959182b 100755
27--- a/autogen.sh
28+++ b/autogen.sh
29@@ -6,10 +6,7 @@ cd $parentdir
30 parentdir=`pwd`
31 m4include="-I$parentdir -I$parentdir/m4 -Im4"
32
33-libtoolize -f -c
34-#aclocal
35-autoheader
36-autoconf
37+autoreconf -Wcross --verbose --install --force
38
39 mysubdirs="$mysubdirs `find src/modules/ -name configure -print | sed 's%/configure%%'`"
40 mysubdirs=`echo $mysubdirs`
41diff --git a/configure.ac b/configure.ac 22diff --git a/configure.ac b/configure.ac
42index a7abf00..65db61e 100644 23index ad8bc8cdda..ef8fced680 100644
43--- a/configure.ac 24--- a/configure.ac
44+++ b/configure.ac 25+++ b/configure.ac
45@@ -220,6 +220,42 @@ dnl # See if we have Git. 26@@ -321,6 +321,42 @@ dnl # See if we have Git.
46 dnl # 27 dnl #
47 AC_CHECK_PROG(GIT, git, yes, no) 28 AC_CHECK_PROG(GIT, git, yes, no)
48 29
@@ -86,5 +67,5 @@ index a7abf00..65db61e 100644
86 dnl AC_ARG_WITH(disablemodulefoo, 67 dnl AC_ARG_WITH(disablemodulefoo,
87 dnl [ --without-rlm_foo Disables module compilation. Module list:] 68 dnl [ --without-rlm_foo Disables module compilation. Module list:]
88-- 69--
892.7.4 702.25.1
90 71
diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-add-option-for-libcap.patch b/meta-networking/recipes-connectivity/freeradius/files/0005-configure.ac-add-option-for-libcap.patch
index 4719358722..8ef3c4bdf9 100644
--- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-add-option-for-libcap.patch
+++ b/meta-networking/recipes-connectivity/freeradius/files/0005-configure.ac-add-option-for-libcap.patch
@@ -1,7 +1,7 @@
1From 98a9eff357959d1113e33a615c2178751d5b2054 Mon Sep 17 00:00:00 2001 1From 9548dc5e1a6c835cd4f387ba384d8f3f14c3fc8b Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com> 2From: Changqing Li <changqing.li@windriver.com>
3Date: Thu, 22 Aug 2019 10:50:21 +0800 3Date: Thu, 22 Aug 2019 10:50:21 +0800
4Subject: [PATCH 2/2] configure.ac: add option for libcap 4Subject: [PATCH] configure.ac: add option for libcap
5 5
6Upstream-Status: Pending 6Upstream-Status: Pending
7 7
@@ -12,10 +12,10 @@ Signed-off-by: Changqing Li <changqing.li@windriver.com>
12 1 file changed, 27 insertions(+), 9 deletions(-) 12 1 file changed, 27 insertions(+), 9 deletions(-)
13 13
14diff --git a/configure.ac b/configure.ac 14diff --git a/configure.ac b/configure.ac
15index 65db61e..6486aac 100644 15index ef8fced680..263098f7fd 100644
16--- a/configure.ac 16--- a/configure.ac
17+++ b/configure.ac 17+++ b/configure.ac
18@@ -977,6 +977,22 @@ fi 18@@ -1161,6 +1161,22 @@ fi
19 dnl Set by FR_SMART_CHECKLIB 19 dnl Set by FR_SMART_CHECKLIB
20 LIBS="${old_LIBS}" 20 LIBS="${old_LIBS}"
21 21
@@ -38,7 +38,7 @@ index 65db61e..6486aac 100644
38 dnl Check for cap 38 dnl Check for cap
39 dnl extra argument: --with-cap-lib-dir=DIR 39 dnl extra argument: --with-cap-lib-dir=DIR
40 cap_lib_dir= 40 cap_lib_dir=
41@@ -1010,15 +1026,17 @@ AC_ARG_WITH(cap-include-dir, 41@@ -1194,15 +1210,17 @@ AC_ARG_WITH(cap-include-dir,
42 ;; 42 ;;
43 esac]) 43 esac])
44 44
@@ -66,5 +66,5 @@ index 65db61e..6486aac 100644
66 66
67 dnl # 67 dnl #
68-- 68--
692.7.4 692.25.1
70 70
diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-avoid-searching-host-dirs.patch b/meta-networking/recipes-connectivity/freeradius/files/0006-Avoid-searching-host-dirs.patch
index 9c997661fc..8fd0dca443 100644
--- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-avoid-searching-host-dirs.patch
+++ b/meta-networking/recipes-connectivity/freeradius/files/0006-Avoid-searching-host-dirs.patch
@@ -1,14 +1,15 @@
1From dc41591d5ceb18900ec85894f8f7b7bb44bb3bd9 Mon Sep 17 00:00:00 2001 1From 8fe25b30b6fbb3170705f4468eb4c92eef3a968f Mon Sep 17 00:00:00 2001
2From: Jackie Huang <jackie.huang@windriver.com> 2From: Jackie Huang <jackie.huang@windriver.com>
3Date: Mon, 4 Jan 2016 01:44:04 -0500 3Date: Mon, 4 Jan 2016 01:44:04 -0500
4Subject: [PATCH] avoid searching host dirs 4Subject: [PATCH] Avoid searching host dirs
5 5
6Don't search the hardcoded host dirs to avoid 6Don't search the hardcoded host dirs to avoid
7host contamination. 7host contamination.
8 8
9Upstream-Status: Inappropriate [cross-compile specific] 9Upstream-Status: Inappropriate [embedded specific]
10 10
11Signed-off-by: Jackie Huang <jackie.huang@windriver.com> 11Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
12Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
12--- 13---
13 acinclude.m4 | 4 ++-- 14 acinclude.m4 | 4 ++--
14 src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac | 4 ++-- 15 src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac | 4 ++--
@@ -21,19 +22,19 @@ Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
21 8 files changed, 16 insertions(+), 16 deletions(-) 22 8 files changed, 16 insertions(+), 16 deletions(-)
22 23
23diff --git a/acinclude.m4 b/acinclude.m4 24diff --git a/acinclude.m4 b/acinclude.m4
24index da48acc..b513ae1 100644 25index a953d0e1b6..ede143d3c2 100644
25--- a/acinclude.m4 26--- a/acinclude.m4
26+++ b/acinclude.m4 27+++ b/acinclude.m4
27@@ -178,7 +178,7 @@ if test "x$smart_lib" = "x"; then 28@@ -115,7 +115,7 @@ dnl #
28 FR_LOCATE_DIR(smart_lib_dir,[lib$1${libltdl_cv_shlibext}]) 29 dnl # Try to guess possible locations.
29 FR_LOCATE_DIR(smart_lib_dir,[lib$1.a]) 30 dnl #
30 31 if test "x$smart_lib" = "x"; then
31- for try in $smart_lib_dir /usr/local/lib /opt/lib; do 32- for try in /usr/local/lib /opt/lib; do
32+ for try in $smart_lib_dir; do 33+ for try in $smart_lib_dir; do
33 AC_MSG_CHECKING([for $2 in -l$1 in $try]) 34 AC_MSG_CHECKING([for $2 in -l$1 in $try])
34 LIBS="-l$1 $old_LIBS" 35 LIBS="-l$1 $old_LIBS"
35 CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" 36 CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS"
36@@ -218,7 +218,7 @@ ac_safe=`echo "$1" | sed 'y%./+-%__pm%'` 37@@ -155,7 +155,7 @@ ac_safe=`echo "$1" | sed 'y%./+-%__pm%'`
37 old_CPPFLAGS="$CPPFLAGS" 38 old_CPPFLAGS="$CPPFLAGS"
38 smart_include= 39 smart_include=
39 dnl # The default directories we search in (in addition to the compilers search path) 40 dnl # The default directories we search in (in addition to the compilers search path)
@@ -43,10 +44,10 @@ index da48acc..b513ae1 100644
43 dnl # Our local versions 44 dnl # Our local versions
44 _smart_try_dir= 45 _smart_try_dir=
45diff --git a/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac 46diff --git a/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac
46index 75c851a..a262d71 100644 47index 44f84aa27e..23a1899591 100644
47--- a/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac 48--- a/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac
48+++ b/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac 49+++ b/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac
49@@ -57,14 +57,14 @@ if test x$with_[]modname != xno; then 50@@ -61,14 +61,14 @@ if test x$with_[]modname != xno; then
50 esac]) 51 esac])
51 52
52 dnl Check for SQLConnect in -ldb2 53 dnl Check for SQLConnect in -ldb2
@@ -64,10 +65,10 @@ index 75c851a..a262d71 100644
64 if test "x$ac_cv_header_sqlcli_h" != xyes; then 65 if test "x$ac_cv_header_sqlcli_h" != xyes; then
65 fail="$fail sqlcli.h" 66 fail="$fail sqlcli.h"
66diff --git a/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac 67diff --git a/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac
67index 4da57b3..752b043 100644 68index 4c2fd7ba9e..10c864def5 100644
68--- a/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac 69--- a/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac
69+++ b/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac 70+++ b/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac
70@@ -56,14 +56,14 @@ if test x$with_[]modname != xno; then 71@@ -60,14 +60,14 @@ if test x$with_[]modname != xno; then
71 esac]) 72 esac])
72 73
73 dnl Check for isc_attach_database in -lfbclient 74 dnl Check for isc_attach_database in -lfbclient
@@ -85,10 +86,10 @@ index 4da57b3..752b043 100644
85 if test "x$ac_cv_header_ibase_h" != xyes; then 86 if test "x$ac_cv_header_ibase_h" != xyes; then
86 fail="$fail ibase.h" 87 fail="$fail ibase.h"
87diff --git a/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac 88diff --git a/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac
88index ba6304f..3393557 100644 89index d26ac9c431..6e4500e948 100644
89--- a/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac 90--- a/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac
90+++ b/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac 91+++ b/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac
91@@ -57,14 +57,14 @@ if test x$with_[]modname != xno; then 92@@ -61,14 +61,14 @@ if test x$with_[]modname != xno; then
92 esac]) 93 esac])
93 94
94 dnl Check for SQLConnect in -liodbc 95 dnl Check for SQLConnect in -liodbc
@@ -106,10 +107,10 @@ index ba6304f..3393557 100644
106 if test "x$ac_cv_header_isql_h" != xyes; then 107 if test "x$ac_cv_header_isql_h" != xyes; then
107 fail="$fail isql.h" 108 fail="$fail isql.h"
108diff --git a/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac 109diff --git a/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac
109index 1401677..2e7db44 100644 110index df36da77bf..31359041c7 100644
110--- a/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac 111--- a/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac
111+++ b/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac 112+++ b/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac
112@@ -136,7 +136,7 @@ if test x$with_[]modname != xno; then 113@@ -140,7 +140,7 @@ if test x$with_[]modname != xno; then
113 114
114 dnl # Check for libmysqlclient_r 115 dnl # Check for libmysqlclient_r
115 if test "x$have_a_libmysqlclient" != "xyes"; then 116 if test "x$have_a_libmysqlclient" != "xyes"; then
@@ -118,7 +119,7 @@ index 1401677..2e7db44 100644
118 FR_SMART_CHECK_LIB(mysqlclient_r, mysql_init) 119 FR_SMART_CHECK_LIB(mysqlclient_r, mysql_init)
119 if test "x$ac_cv_lib_mysqlclient_r_mysql_init" = "xyes"; then 120 if test "x$ac_cv_lib_mysqlclient_r_mysql_init" = "xyes"; then
120 have_a_libmysqlclient='yes' 121 have_a_libmysqlclient='yes'
121@@ -145,7 +145,7 @@ if test x$with_[]modname != xno; then 122@@ -149,7 +149,7 @@ if test x$with_[]modname != xno; then
122 123
123 dnl # Check for libmysqlclient 124 dnl # Check for libmysqlclient
124 if test "x$have_a_libmysqlclient" != "xyes"; then 125 if test "x$have_a_libmysqlclient" != "xyes"; then
@@ -127,7 +128,7 @@ index 1401677..2e7db44 100644
127 FR_SMART_CHECK_LIB(mysqlclient, mysql_init) 128 FR_SMART_CHECK_LIB(mysqlclient, mysql_init)
128 if test "x$ac_cv_lib_mysqlclient_mysql_init" = "xyes"; then 129 if test "x$ac_cv_lib_mysqlclient_mysql_init" = "xyes"; then
129 have_a_libmysqlclient='yes' 130 have_a_libmysqlclient='yes'
130@@ -189,7 +189,7 @@ if test x$with_[]modname != xno; then 131@@ -243,7 +243,7 @@ if test x$with_[]modname != xno; then
131 fi 132 fi
132 133
133 if test "x$have_mysql_h" != "xyes"; then 134 if test "x$have_mysql_h" != "xyes"; then
@@ -137,10 +138,10 @@ index 1401677..2e7db44 100644
137 if test "x$ac_cv_header_mysql_mysql_h" = "xyes"; then 138 if test "x$ac_cv_header_mysql_mysql_h" = "xyes"; then
138 AC_DEFINE(HAVE_MYSQL_MYSQL_H, [], [Define if you have <mysql/mysql.h>]) 139 AC_DEFINE(HAVE_MYSQL_MYSQL_H, [], [Define if you have <mysql/mysql.h>])
139diff --git a/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac 140diff --git a/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac
140index 3178462..5cbc8c2 100644 141index 3b45da582a..03e6607d2b 100644
141--- a/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac 142--- a/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac
142+++ b/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac 143+++ b/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac
143@@ -63,7 +63,7 @@ if test x$with_[]modname != xno; then 144@@ -68,7 +68,7 @@ if test x$with_[]modname != xno; then
144 dnl # Check for header files 145 dnl # Check for header files
145 dnl ############################################################ 146 dnl ############################################################
146 147
@@ -150,10 +151,10 @@ index 3178462..5cbc8c2 100644
150 if test "x$ORACLE_HOME" != "x"; then 151 if test "x$ORACLE_HOME" != "x"; then
151 smart_try_dir="${smart_try_dir} ${ORACLE_HOME}/include" 152 smart_try_dir="${smart_try_dir} ${ORACLE_HOME}/include"
152diff --git a/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac 153diff --git a/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac
153index 4f9a890..e1cf811 100644 154index 8ac1022e89..d46c0f66bf 100644
154--- a/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac 155--- a/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac
155+++ b/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac 156+++ b/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac
156@@ -41,7 +41,7 @@ if test x$with_[]modname != xno; then 157@@ -45,7 +45,7 @@ if test x$with_[]modname != xno; then
157 esac ] 158 esac ]
158 ) 159 )
159 160
@@ -162,7 +163,7 @@ index 4f9a890..e1cf811 100644
162 FR_SMART_CHECK_INCLUDE(libpq-fe.h) 163 FR_SMART_CHECK_INCLUDE(libpq-fe.h)
163 if test "x$ac_cv_header_libpqmfe_h" != "xyes"; then 164 if test "x$ac_cv_header_libpqmfe_h" != "xyes"; then
164 fail="$fail libpq-fe.h" 165 fail="$fail libpq-fe.h"
165@@ -76,7 +76,7 @@ if test x$with_[]modname != xno; then 166@@ -94,7 +94,7 @@ if test x$with_[]modname != xno; then
166 ]) 167 ])
167 fi 168 fi
168 169
@@ -172,10 +173,10 @@ index 4f9a890..e1cf811 100644
172 if test "x$ac_cv_lib_pq_PQconnectdb" != "xyes"; then 173 if test "x$ac_cv_lib_pq_PQconnectdb" != "xyes"; then
173 fail="$fail libpq" 174 fail="$fail libpq"
174diff --git a/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac 175diff --git a/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac
175index 3545387..c543ed4 100644 176index f10279fe1f..0081a338c8 100644
176--- a/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac 177--- a/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac
177+++ b/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac 178+++ b/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac
178@@ -57,14 +57,14 @@ if test x$with_[]modname != xno; then 179@@ -61,14 +61,14 @@ if test x$with_[]modname != xno; then
179 esac]) 180 esac])
180 181
181 dnl Check for SQLConnect in -lodbc 182 dnl Check for SQLConnect in -lodbc
@@ -193,5 +194,5 @@ index 3545387..c543ed4 100644
193 if test "x$ac_cv_header_sql_h" != xyes; then 194 if test "x$ac_cv_header_sql_h" != xyes; then
194 fail="$fail sql.h" 195 fail="$fail sql.h"
195-- 196--
1961.9.1 1972.25.1
197 198
diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-rlm_python-add-PY_INC_DIR.patch b/meta-networking/recipes-connectivity/freeradius/files/0007-rlm_python-add-PY_INC_DIR-in-search-dir.patch
index 675940dd6c..cb71fb1373 100644
--- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-rlm_python-add-PY_INC_DIR.patch
+++ b/meta-networking/recipes-connectivity/freeradius/files/0007-rlm_python-add-PY_INC_DIR-in-search-dir.patch
@@ -1,14 +1,14 @@
1From a0bf65e04d2bbd3271cab94bd5ac93f8e877bfc5 Mon Sep 17 00:00:00 2001 1From e4ff7a2a9834e2589bc7bdda4b74f5bc962b15e6 Mon Sep 17 00:00:00 2001
2From: Jackie Huang <jackie.huang@windriver.com> 2From: Jackie Huang <jackie.huang@windriver.com>
3Date: Wed, 27 Jan 2016 05:07:19 -0500 3Date: Wed, 27 Jan 2016 05:07:19 -0500
4Subject: [PATCH] rlm_python: add PY_INC_DIR in search dir 4Subject: [PATCH] rlm_python: add PY_INC_DIR in search dir
5 5
6Upstream-Status: Pending
7
8configure option --with-rlm-python-include-dir is used to set 6configure option --with-rlm-python-include-dir is used to set
9PY_INC_DIR which is never used and it fails to find Python.h, 7PY_INC_DIR which is never used and it fails to find Python.h,
10so add it into search dir to fix it. 8so add it into search dir to fix it.
11 9
10Upstream-Status: Inappropriate [embedded specific]
11
12Signed-off-by: Jackie Huang <jackie.huang@windriver.com> 12Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
13Signed-off-by: Yi Zhao <yi.zhao@windriver.com> 13Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
14--- 14---
@@ -16,10 +16,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
16 1 file changed, 1 insertion(+), 1 deletion(-) 16 1 file changed, 1 insertion(+), 1 deletion(-)
17 17
18diff --git a/src/modules/rlm_python/configure.ac b/src/modules/rlm_python/configure.ac 18diff --git a/src/modules/rlm_python/configure.ac b/src/modules/rlm_python/configure.ac
19index 831a33a..c3792d8 100644 19index 08ecb62518..d5c0944ff1 100644
20--- a/src/modules/rlm_python/configure.ac 20--- a/src/modules/rlm_python/configure.ac
21+++ b/src/modules/rlm_python/configure.ac 21+++ b/src/modules/rlm_python/configure.ac
22@@ -93,7 +93,7 @@ if test x$with_[]modname != xno; then 22@@ -98,7 +98,7 @@ if test x$with_[]modname != xno; then
23 23
24 old_CFLAGS=$CFLAGS 24 old_CFLAGS=$CFLAGS
25 CFLAGS="$CFLAGS $PY_CFLAGS" 25 CFLAGS="$CFLAGS $PY_CFLAGS"
@@ -29,5 +29,5 @@ index 831a33a..c3792d8 100644
29 CFLAGS=$old_CFLAGS 29 CFLAGS=$old_CFLAGS
30 30
31-- 31--
322.10.2 322.25.1
33 33
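--- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-do-not-use-jlibtool.patch
+++ b/meta-networking/recipes-connectivity/freeradius/files/0008-libtool-do-not-use-jlibtool.patch
@@ -1,4 +1,4 @@
-From 16bf899447fc1524ffc3c79e1d35380e5285a552 Mon Sep 17 00:00:00 2001
+From d0fa5b259c2dc942d0a43a9cf1bfc32f40c184f9 Mon Sep 17 00:00:00 2001
 From: Jackie Huang <jackie.huang@windriver.com>
 Date: Thu, 7 Jan 2016 22:37:30 -0800
 Subject: [PATCH] libtool: do not use jlibtool
@@ -7,7 +7,7 @@ jlibtool is hardcoded to be used but we need to use
 our libtool, so fix the makfiles to make it compatible
 with our libtool.
 
-Upstream-Status: Inappropriate [oe specific]
+Upstream-Status: Inappropriate [embedded specific]
 
 Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
@@ -19,7 +19,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  4 files changed, 27 insertions(+), 15 deletions(-)
 
 diff --git a/Make.inc.in b/Make.inc.in
-index 7a77625..fd8aa3e 100644
+index 05f82776ff..e78f3fe9dc 100644
 --- a/Make.inc.in
 +++ b/Make.inc.in
 @@ -57,7 +57,7 @@ CPPFLAGS = @CPPFLAGS@
@@ -31,7 +31,7 @@ index 7a77625..fd8aa3e 100644
  ACLOCAL = @ACLOCAL@
  AUTOCONF = @AUTOCONF@
  AUTOHEADER = @AUTOHEADER@
-@@ -163,7 +163,7 @@ ANALYZE.c := @clang_path@
+@@ -168,7 +168,7 @@ ANALYZE.c := @clang_path@
  #
  ifeq "$(USE_SHARED_LIBS)" "yes"
  TESTBINDIR = ./$(BUILD_DIR)/bin/local
@@ -41,10 +41,10 @@ index 7a77625..fd8aa3e 100644
  TESTBINDIR = ./$(BUILD_DIR)/bin
  TESTBIN = ./$(BUILD_DIR)/bin
 diff --git a/scripts/boiler.mk b/scripts/boiler.mk
-index bccec5e..926a13e 100644
+index 2ce0c18f34..567cc0f22f 100644
 --- a/scripts/boiler.mk
 +++ b/scripts/boiler.mk
-@@ -266,6 +266,7 @@ define COMPILE_C_CMDS
+@@ -272,6 +272,7 @@ define COMPILE_C_CMDS
  $(Q)$(ECHO) CC $<
  $(Q)$(strip ${COMPILE.c} -o $@ -c -MD ${CPPFLAGS} ${CFLAGS} ${SRC_CFLAGS} ${INCDIRS} \
  $(addprefix -I, ${SRC_INCDIRS}) ${SRC_DEFS} ${DEFS} $<)
@@ -52,7 +52,7 @@ index bccec5e..926a13e 100644
  endef
  else
  #
-@@ -281,6 +282,7 @@ define COMPILE_C_CMDS
+@@ -287,6 +288,7 @@ define COMPILE_C_CMDS
  $(Q)cppcheck --enable=style -q ${CHECKFLAGS} $(filter -isystem%,${SRC_CFLAGS}) \
  $(filter -I%,${SRC_CFLAGS}) $(filter -D%,${SRC_CFLAGS}) ${INCDIRS} \
  $(addprefix -I,${SRC_INCDIRS}) ${SRC_DEFS} ${DEFS} --suppress=variableScope --suppress=invalidscanf $<
@@ -61,7 +61,7 @@ index bccec5e..926a13e 100644
  endif
 
 diff --git a/scripts/install.mk b/scripts/install.mk
-index 9164115..e38c1ed 100644
+index 916411563b..e38c1ed697 100644
 --- a/scripts/install.mk
 +++ b/scripts/install.mk
 @@ -46,7 +46,7 @@ define ADD_INSTALL_RULE.exe
@@ -116,10 +116,10 @@ index 9164115..e38c1ed 100644
 
 
 diff --git a/scripts/libtool.mk b/scripts/libtool.mk
-index 57915e1..2cb2f7d 100644
+index 381127ec2d..e83d7e6ad7 100644
 --- a/scripts/libtool.mk
 +++ b/scripts/libtool.mk
-@@ -55,7 +55,9 @@ ifeq "${LIBTOOL}" "JLIBTOOL"
+@@ -60,7 +60,9 @@ ifeq "${LIBTOOL}" "JLIBTOOL"
  # Tell GNU Make to use this value, rather than anything specified
  # on the command line.
  override LIBTOOL := ${JLIBTOOL}
@@ -130,7 +130,7 @@ index 57915e1..2cb2f7d 100644
 
  # When using libtool, it produces a '.libs' directory. Ensure that it
  # is removed on "make clean", too.
-@@ -69,11 +71,19 @@ clean: .libs_clean
+@@ -74,11 +76,19 @@ clean: .libs_clean
  # Re-define compilers and linkers
  #
  OBJ_EXT = lo
@@ -156,5 +156,5 @@ index 57915e1..2cb2f7d 100644
 
  # LIBTOOL_ENDINGS - Given a library ending in ".a" or ".so", replace that
 --
-2.10.2
+2.25.1
 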
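--- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-quoting-for-BUILT_WITH.patch
+++ b/meta-networking/recipes-connectivity/freeradius/files/0009-Fix-quoting-for-BUILD_WITH.patch
@@ -1,4 +1,7 @@
-Fix quoting for BUILD_WITH
+From 3e701d6274924adaed568e22af2362aa5af1f055 Mon Sep 17 00:00:00 2001
+From: Peter Seebach <peter.seebach@windriver.com>
+Date: Sun, 8 Jan 2023 23:01:28 +0800
+Subject: [PATCH] Fix quoting for BUILD_WITH
 
 The escaped quotes are to make the -D values produce strings which
 can be used to display these values. However, if the values are more
@@ -16,7 +19,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  3 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/src/main/libfreeradius-server.mk b/src/main/libfreeradius-server.mk
-index 4495f72..07c28f1 100644
+index 4495f72481..07c28f1968 100644
 --- a/src/main/libfreeradius-server.mk
 +++ b/src/main/libfreeradius-server.mk
 @@ -18,5 +18,5 @@ SOURCES := conffile.c \
@@ -27,7 +30,7 @@ index 4495f72..07c28f1 100644
 +SRC_CFLAGS += -DBUILT_WITH_CPPFLAGS="\"$(CPPFLAGS)\"" -DBUILT_WITH_CFLAGS="\"$(CFLAGS)\"" -DBUILT_WITH_LDFLAGS="\"$(LDFLAGS)\"" -DBUILT_WITH_LIBS="\"$(LIBS)\""
  endif
 diff --git a/src/main/unittest.mk b/src/main/unittest.mk
-index 09f3938..ed33952 100644
+index edd4f133a7..b5b44d5e11 100644
 --- a/src/main/unittest.mk
 +++ b/src/main/unittest.mk
 @@ -21,5 +21,5 @@ TGT_PREREQS += libfreeradius-eap.a
@@ -38,7 +41,7 @@ index 09f3938..ed33952 100644
 +SRC_CFLAGS += -DBUILT_WITH_CPPFLAGS="\"$(CPPFLAGS)\"" -DBUILT_WITH_CFLAGS="\"$(CFLAGS)\"" -DBUILT_WITH_LDFLAGS="\"$(LDFLAGS)\"" -DBUILT_WITH_LIBS="\"$(LIBS)\""
  endif
 diff --git a/src/modules/rlm_eap/radeapclient.mk b/src/modules/rlm_eap/radeapclient.mk
-index 6068f54..7d3c556 100644
+index 6068f54813..7d3c55625b 100644
 --- a/src/modules/rlm_eap/radeapclient.mk
 +++ b/src/modules/rlm_eap/radeapclient.mk
 @@ -23,7 +23,7 @@ SRC_CFLAGS += -DWITH_EAPCLIENT
@@ -51,5 +54,5 @@ index 6068f54..7d3c556 100644
 
  endif
 --
-2.10.2
+2.25.1
 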
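--- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-error-for-expansion-of-macro.patch
+++ b/meta-networking/recipes-connectivity/freeradius/files/0010-fix-error-for-expansion-of-macro-in-thread.h.patch
@@ -1,4 +1,4 @@
-From 5b6d8b14f2696fcf1dca119212f9d0a0fa04defd Mon Sep 17 00:00:00 2001
+From 30ce5ccd62446349d432ff65d3fe8d46872423c8 Mon Sep 17 00:00:00 2001
 From: Yi Zhao <yi.zhao@windriver.com>
 Date: Wed, 18 Jan 2017 14:59:39 +0800
 Subject: [PATCH] fix error for expansion of macro in thread.h
@@ -22,7 +22,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  1 file changed, 5 insertions(+), 5 deletions(-)
 
 diff --git a/src/include/threads.h b/src/include/threads.h
-index e36d81d..2bcb6aa 100644
+index e36d81dac0..2bcb6aadcb 100644
 --- a/src/include/threads.h
 +++ b/src/include/threads.h
 @@ -89,7 +89,7 @@ static _t __fr_thread_local_init_##_n(pthread_destructor_t func)\
@@ -57,5 +57,5 @@ index e36d81d..2bcb6aa 100644
  #endif
  #endif
 --
-2.10.2
+2.25.1
 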
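--- a/meta-networking/recipes-connectivity/freeradius/files/0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch
+++ b/meta-networking/recipes-connectivity/freeradius/files/0011-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch
@@ -1,4 +1,4 @@
-From 66e8bcdcca8971b5c43c31755d56d7f675d8b5ff Mon Sep 17 00:00:00 2001
+From f0e764826e3a85488047f7f4e94ebf91460d2c12 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Fri, 16 Jun 2017 20:10:49 -0700
 Subject: [PATCH] rlm_mschap: Use includedir instead of hardcoding /usr/include
@@ -13,12 +13,12 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
  src/modules/rlm_mschap/configure.ac | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-Index: freeradius-server-3.0.14/src/modules/rlm_mschap/configure.ac
-===================================================================
---- freeradius-server-3.0.14.orig/src/modules/rlm_mschap/configure.ac
-+++ freeradius-server-3.0.14/src/modules/rlm_mschap/configure.ac
-@@ -72,7 +72,7 @@ if test x$with_[]modname != xno; then
- mod_ldflags="-framework DirectoryService"
+diff --git a/src/modules/rlm_mschap/configure.ac b/src/modules/rlm_mschap/configure.ac
+index 0fd105d7e6..6ab15509e5 100644
+--- a/src/modules/rlm_mschap/configure.ac
++++ b/src/modules/rlm_mschap/configure.ac
+@@ -75,7 +75,7 @@ if test x$with_[]modname != xno; then
+ mod_ldflags="-F /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/Frameworks -framework DirectoryService"
  fi
 
 - smart_try_dir="$winbind_include_dir /usr/include/samba-4.0"
@@ -26,3 +26,6 @@ Index: freeradius-server-3.0.14/src/modules/rlm_mschap/configure.ac
  FR_SMART_CHECK_INCLUDE(wbclient.h, [#include <stdint.h>
  #include <stdbool.h>])
  if test "x$ac_cv_header_wbclient_h" != "xyes"; then
+--
+2.25.1
+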
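--- a/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch
+++ b/meta-networking/recipes-connectivity/freeradius/files/0012-raddb-certs-Makefile-fix-the-existed-certificate-err.patch
@@ -1,4 +1,4 @@
-From 084f5467672f2ae37003b77e8f8706772f3da3ec Mon Sep 17 00:00:00 2001
+From 0f9f18fc330fe88080be13e43f300fbf7ba4a85a Mon Sep 17 00:00:00 2001
 From: Mingli Yu <mingli.yu@windriver.com>
 Date: Mon, 13 Jul 2020 07:01:45 +0000
 Subject: [PATCH] raddb/certs/Makefile: fix the existed certificate error
@@ -29,13 +29,13 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
-index 5cbfd467ce..77eec9baa1 100644
+index c9fbc9e864..d064fe252d 100644
 --- a/raddb/certs/Makefile
 +++ b/raddb/certs/Makefile
 @@ -92,7 +92,7 @@ server.csr server.key: server.cnf
  chmod g+r server.key
 
- server.crt: server.csr ca.key ca.pem
+ server.crt: ca.key ca.pem server.csr
 - $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
 + @[ -f server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
 
@@ -44,12 +44,12 @@ index 5cbfd467ce..77eec9baa1 100644
 @@ -117,7 +117,7 @@ client.csr client.key: client.cnf
  chmod g+r client.key
 
- client.crt: client.csr ca.pem ca.key
+ client.crt: ca.key ca.pem client.csr
 - $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
 + @[ -f client.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
 
  client.p12: client.crt
  $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
 --
-2.26.2
+2.25.1
 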
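--- a/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-occasional-verification.patch
+++ b/meta-networking/recipes-connectivity/freeradius/files/0013-raddb-certs-Makefile-fix-the-occasional-verification.patch
@@ -1,4 +1,4 @@
-From 3eda5d35fbaf66ed6bdc86ada4320a0a18681b7e Mon Sep 17 00:00:00 2001
+From bb1cb2ffc7a31c0a2bb2de51ef82d304b0a107c3 Mon Sep 17 00:00:00 2001
 From: Mingli Yu <mingli.yu@windriver.com>
 Date: Wed, 5 Aug 2020 07:23:11 +0000
 Subject: [PATCH] raddb/certs/Makefile: fix the occasional verification failure
@@ -29,7 +29,7 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
  1 file changed, 15 insertions(+), 15 deletions(-)
 
 diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
-index 77eec9baa1..3dcb63fe71 100644
+index d064fe252d..86f4547804 100644
 --- a/raddb/certs/Makefile
 +++ b/raddb/certs/Makefile
 @@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
@@ -71,7 +71,7 @@ index 77eec9baa1..3dcb63fe71 100644
 + @[ -f server.csr ] || $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf
  chmod g+r server.key
 
- server.crt: server.csr ca.key ca.pem
+ server.crt: ca.key ca.pem server.csr
  @[ -f server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
 
  server.p12: server.crt
@@ -85,7 +85,7 @@ index 77eec9baa1..3dcb63fe71 100644
  chmod g+r server.pem
 
  .PHONY: server.vrfy
-@@ -113,18 +113,18 @@ server.vrfy: ca.pem
+@@ -113,19 +113,19 @@ server.vrfy: ca.pem
  #
  ######################################################################
  client.csr client.key: client.cnf
@@ -93,13 +93,14 @@ index 77eec9baa1..3dcb63fe71 100644
 + @[ -f client.csr ] || $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf
  chmod g+r client.key
 
- client.crt: client.csr ca.pem ca.key
+ client.crt: ca.key ca.pem client.csr
  @[ -f client.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
 
  client.p12: client.crt
 - $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
 + @[ -f client.p12 ] || $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
  chmod g+r client.p12
+ cp client.p12 $(USER_NAME).p12
 
  client.pem: client.p12
 - $(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
@@ -107,7 +108,7 @@ index 77eec9baa1..3dcb63fe71 100644
  chmod g+r client.pem
  cp client.pem $(USER_NAME).pem
 
-@@ -139,18 +139,18 @@ client.vrfy: ca.pem client.pem
+@@ -140,18 +140,18 @@ client.vrfy: ca.pem client.pem
  #
  ######################################################################
  inner-server.csr inner-server.key: inner-server.cnf
@@ -115,7 +116,7 @@ index 77eec9baa1..3dcb63fe71 100644
 + @[ -f inner-server.csr] || $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
  chmod g+r inner-server.key
 
- inner-server.crt: inner-server.csr ca.key ca.pem
+ inner-server.crt: ca.key ca.pem inner-server.csr
 - $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf
 + @[ -f inner-server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf
 
@@ -131,5 +132,5 @@ index 77eec9baa1..3dcb63fe71 100644
 
  .PHONY: inner-server.vrfy
 --
-2.26.2
+2.25.1
 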
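--- a/meta-networking/recipes-connectivity/freeradius/files/0001-workaround-error-with-autoconf-2.7.patch
+++ b/meta-networking/recipes-connectivity/freeradius/files/0014-Workaround-error-with-autoconf-2.7.patch
@@ -1,7 +1,7 @@
-From 3b4ba29c7c5800df87eecd65214244619e01162b Mon Sep 17 00:00:00 2001
+From c591da4a361496eec93625cf8c4f89bddfedaca7 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@windriver.com>
 Date: Sun, 7 Feb 2021 16:02:36 +0800
-Subject: [PATCH] workaround error with autoconf 2.7
+Subject: [PATCH] Workaround error with autoconf 2.7
 
 While using autoconf 2.7, the AM_MISSING_PROG caused unexpected error:
 ...
@@ -11,7 +11,7 @@ configure.ac: error: required file 'missing' not found
 Since these tools were explicitly added by autotools bbclass,
 remove the testing to workaround the error with autoconf 2.7
 
-Upstream-Status: Inappropriate [oe specific]
+Upstream-Status: Inappropriate [embedded specific]
 
 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
 ---
@@ -19,10 +19,10 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  1 file changed, 8 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 609efb104b..2d761cf62c 100644
+index 263098f7fd..fc296832d8 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -693,14 +693,6 @@ fi
+@@ -878,14 +878,6 @@ fi
 
  AC_PATH_PROG(RUSERS, rusers, /usr/bin/rusers)
 
@@ -34,9 +34,9 @@ index 609efb104b..2d761cf62c 100644
 -AM_MISSING_PROG(AUTOCONF, autoconf, $missing_dir)
 -AM_MISSING_PROG(AUTOHEADER, autoheader, $missing_dir)
 -
- AC_PATH_PROG(LOCATE,locate)
  AC_PATH_PROG(DIRNAME,dirname)
  AC_PATH_PROG(GREP,grep)
+ 
 --
-2.27.0
+2.25.1
 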
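--- a/meta-networking/recipes-connectivity/freeradius/files/check-openssl-cmds-in-script-bootstrap.patch
+++ b/meta-networking/recipes-connectivity/freeradius/files/0015-bootstrap-check-commands-of-openssl-exist.patch
@@ -1,4 +1,7 @@
-bootstrap: check commands of openssl exist
+From 78494ea005bd38324953b05176d6eb2c3f55af2c Mon Sep 17 00:00:00 2001
+From: Kai Kang <kai.kang@windriver.com>
+Date: Sun, 8 Jan 2023 23:21:24 +0800
+Subject: [PATCH] bootstrap: check commands of openssl exist
 
 It calls openssl commands dhparam and pkcs12 in script bootstrap. These
 commands are configurable based on configure options 'no-dh' and
@@ -18,7 +21,7 @@ Signed-off-by: Kai Kang <kai.kang@windriver.com>
  1 file changed, 8 insertions(+)
 
 diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
-index 0f719aafd4..17feddbeeb 100755
+index 57de8cf0d7..4641c71700 100755
 --- a/raddb/certs/bootstrap
 +++ b/raddb/certs/bootstrap
 @@ -13,6 +13,14 @@
@@ -36,3 +39,6 @@ index 0f719aafd4..17feddbeeb 100755
  make -h > /dev/null 2>&1
 
  #
+--
+2.25.1
+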
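--- a/meta-networking/recipes-connectivity/freeradius/files/0001-version.c-don-t-print-build-flags.patch
+++ b/meta-networking/recipes-connectivity/freeradius/files/0016-version.c-don-t-print-build-flags.patch
@@ -1,11 +1,11 @@
-From cbc64dcf6aa2a1be63f45ea6dd7d2c49b70a0bee Mon Sep 17 00:00:00 2001
+From cbbb62ddda5c189c225f96bf6b599b3b3e8c8252 Mon Sep 17 00:00:00 2001
 From: Mingli Yu <mingli.yu@windriver.com>
 Date: Wed, 3 Aug 2022 16:44:29 +0800
 Subject: [PATCH] version.c: don't print build flags
 
 Don't print the build flags to avoid collecting the build environment info.
 
-Upstream-Status: Inappropriate [oe specific]
+Upstream-Status: Inappropriate [embedded specific]
 
 Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
 ---
@@ -13,7 +13,7 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
  1 file changed, 13 deletions(-)
 
 diff --git a/src/main/version.c b/src/main/version.c
-index 62972d9f53..cf81de72c9 100644
+index f1f1e87810..3ffcbb25a0 100644
 --- a/src/main/version.c
 +++ b/src/main/version.c
 @@ -589,19 +589,6 @@ void version_print(void)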
diff --git a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch
deleted file mode 100644
index 4ea519c752..0000000000
--- a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch
+++ /dev/null
@@ -1,118 +0,0 @@
1From f1cdbb33ec61c4a64a32e107d4d02f936051c708 Mon Sep 17 00:00:00 2001
2From: "Alan T. DeKok" <aland@freeradius.org>
3Date: Mon, 7 Feb 2022 22:26:05 -0500
4Subject: [PATCH] it's probably wrong to be completely retarded. Let's fix
5 that.
6
7CVE: CVE-2022-41860
8
9Upstream-Status: Backport
10[https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a32e107d4d02f936051c708]
11
12Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
13---
14 src/modules/rlm_eap/libeap/eapsimlib.c | 69 +++++++++++++++++++-------
15 1 file changed, 52 insertions(+), 17 deletions(-)
16
17diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
18index cf1e8a7dd9..e438a844ea 100644
19--- a/src/modules/rlm_eap/libeap/eapsimlib.c
20+++ b/src/modules/rlm_eap/libeap/eapsimlib.c
21@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
22 newvp->vp_length = 1;
23 fr_pair_add(&(r->vps), newvp);
24
25+ /*
26+ * EAP-SIM has a 1 octet of subtype, and 2 octets
27+ * reserved.
28+ */
29 attr += 3;
30 attrlen -= 3;
31
32- /* now, loop processing each attribute that we find */
33- while(attrlen > 0) {
34+ /*
35+ * Loop over each attribute. The format is:
36+ *
37+ * 1 octet of type
38+ * 1 octet of length (value 1..255)
39+ * ((4 * length) - 2) octets of data.
40+ */
41+ while (attrlen > 0) {
42 uint8_t *p;
43
44- if(attrlen < 2) {
45+ if (attrlen < 2) {
46 fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
47 return 0;
48 }
49
50+ if (!attr[1]) {
51+ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", eapsim_attribute,
52+ es_attribute_count);
53+ return 0;
54+ }
55+
56 eapsim_attribute = attr[0];
57 eapsim_len = attr[1] * 4;
58
59+ /*
60+ * The length includes the 2-byte header.
61+ */
62 if (eapsim_len > attrlen) {
63 fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
64 eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
65 return 0;
66 }
67
68- if(eapsim_len > MAX_STRING_LEN) {
69- eapsim_len = MAX_STRING_LEN;
70- }
71- if (eapsim_len < 2) {
72- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
73- es_attribute_count);
74- return 0;
75- }
76+ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
77+ if (!newvp) {
78+ /*
79+ * RFC 4186 Section 8.1 says 0..127 are
80+ * "non-skippable". If one such
81+ * attribute is found and we don't
82+ * understand it, the server has to send:
83+ *
84+ * EAP-Request/SIM/Notification packet with an
85+ * (AT_NOTIFICATION code, which implies general failure ("General
86+ * failure after authentication" (0), or "General failure" (16384),
87+ * depending on the phase of the exchange), which terminates the
88+ * authentication exchange.
89+ */
90+ if (eapsim_attribute <= 127) {
91+ fr_strerror_printf("Unknown mandatory attribute %d, failing",
92+ eapsim_attribute);
93+ return 0;
94+ }
95
96- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
97- newvp->vp_length = eapsim_len-2;
98- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
99- memcpy(p, &attr[2], eapsim_len-2);
100- fr_pair_add(&(r->vps), newvp);
101- newvp = NULL;
102+ } else {
103+ /*
104+ * It's known, ccount for header, and
105+ * copy the value over.
106+ */
107+ newvp->vp_length = eapsim_len - 2;
108+
109+ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
110+ memcpy(p, &attr[2], newvp->vp_length);
111+ fr_pair_add(&(r->vps), newvp);
112+ }
113
114 /* advance pointers, decrement length */
115 attr += eapsim_len;
116--
1172.25.1
118
diff --git a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch
deleted file mode 100644
index 352c02137a..0000000000
--- a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch
+++ /dev/null
@@ -1,53 +0,0 @@
1From 0ec2b39d260e08e4c3464f6b95005821dc559c62 Mon Sep 17 00:00:00 2001
2From: "Alan T. DeKok" <aland@freeradius.org>
3Date: Mon, 28 Feb 2022 10:34:15 -0500
4Subject: [PATCH] manual port of commit 5906bfa1
5
6CVE: CVE-2022-41861
7
8Upstream-Status: Backport
9[https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e08e4c3464f6b95005821dc559c62]
10
11Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
12---
13 src/lib/filters.c | 12 +++++++++---
14 1 file changed, 9 insertions(+), 3 deletions(-)
15
16diff --git a/src/lib/filters.c b/src/lib/filters.c
17index 4868cd385d..3f3b63daee 100644
18--- a/src/lib/filters.c
19+++ b/src/lib/filters.c
20@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
21 }
22 }
23 } else if (filter->type == RAD_FILTER_GENERIC) {
24- int count;
25+ size_t count, masklen;
26+
27+ masklen = ntohs(filter->u.generic.len);
28+ if (masklen >= sizeof(filter->u.generic.mask)) {
29+ *p = '\0';
30+ return;
31+ }
32
33 i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
34 p += i;
35
36 /* show the mask */
37- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
38+ for (count = 0; count < masklen; count++) {
39 i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
40 p += i;
41 outlen -= i;
42@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
43 outlen--;
44
45 /* show the value */
46- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
47+ for (count = 0; count < masklen; count++) {
48 i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
49 p += i;
50 outlen -= i;
51--
522.25.1
53
diff --git a/meta-networking/recipes-connectivity/freeradius/files/CVE-2024-3596.patch b/meta-networking/recipes-connectivity/freeradius/files/CVE-2024-3596.patch
deleted file mode 100644
index 1778e8e927..0000000000
--- a/meta-networking/recipes-connectivity/freeradius/files/CVE-2024-3596.patch
+++ /dev/null
@@ -1,1506 +0,0 @@
1From 441967ba1d1ec28aa9582ab0253ad01e14b42148 Mon Sep 17 00:00:00 2001
2From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
3Date: Sun, 30 Jun 2024 14:03:17 -0600
4Subject: [PATCH] CVE-2024-3596: Backport fix for BlastRADIUS
5
6Upstream-Status: Backport from v3.0.x branch, commit range 3a00a6ecc188629b0441fd45ad61ca8986de156e..da643f1edc267ce95260dc36069e6f1a7a4d66f8
7CVE: CVE-2024-3596
8
9Signed-off-by: Rohini Sangam <rsangam@mvista.com>
10---
11 man/man1/radclient.1 | 10 ++-
12 man/man1/radtest.1 | 11 ++-
13 raddb/clients.conf | 47 ++++++++--
14 raddb/proxy.conf | 19 +++++
15 raddb/radiusd.conf.in | 185 ++++++++++++++++++++++++++++++++++++++++
16 src/include/clients.h | 6 +-
17 src/include/conffile.h | 1 +
18 src/include/libradius.h | 19 ++++-
19 src/include/radius.h | 1 +
20 src/include/radiusd.h | 6 ++
21 src/include/realms.h | 1 +
22 src/lib/radius.c | 87 +++++++++++++++++--
23 src/main/client.c | 45 ++++++++--
24 src/main/conffile.c | 4 +-
25 src/main/listen.c | 141 +++++++++++++++++++++++++++++-
26 src/main/mainconfig.c | 70 +++++++++++++++
27 src/main/process.c | 65 ++++++++++++++
28 src/main/radclient.c | 147 ++++++++++++++++++++++++++++++-
29 src/main/radtest.in | 6 +-
30 src/main/realms.c | 11 +++
31 src/main/tls_listen.c | 5 ++
32 21 files changed, 855 insertions(+), 32 deletions(-)
33
34diff --git a/man/man1/radclient.1 b/man/man1/radclient.1
35index 229dcae0c7..b83bee931a 100644
36--- a/man/man1/radclient.1
37+++ b/man/man1/radclient.1
38@@ -1,10 +1,11 @@
39-.TH RADCLIENT 1 "22 March 2019" "" "FreeRADIUS Daemon"
40+.TH RADCLIENT 1 "21 May 2024" "" "FreeRADIUS Daemon"
41 .SH NAME
42 radclient - send packets to a RADIUS server, show reply
43 .SH SYNOPSIS
44 .B radclient
45 .RB [ \-4 ]
46 .RB [ \-6 ]
47+.RB [ \-b ]
48 .RB [ \-c
49 .IR count ]
50 .RB [ \-d
51@@ -52,6 +53,13 @@ automatically encrypted before the packet is sent to the server.
52 Use IPv4 (default)
53 .IP \-6
54 Use IPv6
55+.IP \-b
56+Enforce the Blast RADIUS checks. All replies to an Access-Request packet
57+must contain a Message-Authenticator as the first attribute.
58+
59+For compatibility with old servers, this flag is not set by default.
60+However, radclient still checks for the Blast RADIUS signature, and
61+discards packets which match the attack.
62 .IP \-c\ \fIcount\fP
63 Send each packet \fIcount\fP times.
64 .IP \-d\ \fIraddb_directory\fP
65diff --git a/man/man1/radtest.1 b/man/man1/radtest.1
66index b3184779c0..6bfab75944 100644
67--- a/man/man1/radtest.1
68+++ b/man/man1/radtest.1
69@@ -1,4 +1,4 @@
70-.TH RADTEST 1 "5 April 2010" "" "FreeRADIUS Daemon"
71+.TH RADTEST 1 "21 May 2024" "" "FreeRADIUS Daemon"
72 .SH NAME
73 radtest - send packets to a RADIUS server, show reply
74 .SH SYNOPSIS
75@@ -15,6 +15,8 @@ radtest - send packets to a RADIUS server, show reply
76 .IR ]
77 .RB [ \-6
78 .IR ]
79+.RB [ \-b
80+.IR
81 .I user password radius-server nas-port-number secret
82 .RB [ ppphint ]
83 .RB [ nasname ]
84@@ -26,6 +28,13 @@ way to test a radius server.
85
86 .SH OPTIONS
87
88+.IP \-b
89+Enforce the Blast RADIUS checks. All replies to an Access-Request packet
90+must contain a Message-Authenticator as the first attribute.
91+
92+For compatibility with old servers, this flag is not set by default.
93+However, radclient still checks for the Blast RADIUS signature, and
94+discards packets which match the attack.
95 .IP "\-d \fIraddb_directory\fP"
96 The directory that contains the RADIUS dictionary files. Defaults to
97 \fI/etc/raddb\fP.
98diff --git a/raddb/clients.conf b/raddb/clients.conf
99index 76b300d3c5..d55414b7d2 100644
100--- a/raddb/clients.conf
101+++ b/raddb/clients.conf
102@@ -100,15 +100,44 @@ client localhost {
103 secret = testing123
104
105 #
106- # Old-style clients do not send a Message-Authenticator
107- # in an Access-Request. RFC 5080 suggests that all clients
108- # SHOULD include it in an Access-Request. The configuration
109- # item below allows the server to require it. If a client
110- # is required to include a Message-Authenticator and it does
111- # not, then the packet will be silently discarded.
112- #
113- # allowed values: yes, no
114- require_message_authenticator = no
115+ # The global configuration "security.require_message_authenticator"
116+ # flag sets the default for all clients. That default can be
117+ # over-ridden here, by setting it to a value. If no value is set,
118+ # then the default from the "radiusd.conf" file is used.
119+ #
120+ # See that file for full documentation on the flag, along
121+ # with allowed values and meanings.
122+ #
123+ # This flag exists solely for legacy clients which do not send
124+ # Message-Authenticator in all Access-Request packets. We do not
125+ # recommend setting it to "no".
126+ #
127+ # The number one way to protect yourself from the BlastRADIUS
128+ # attack is to update all RADIUS servers, and then set this
129+ # flag to "yes". If all RADIUS servers are updated, and if
130+ # all of them have this flag set to "yes" for all clients,
131+ # then your network is safe. You can then upgrade the
132+ # clients when it is convenient, instead of rushing the
133+ # upgrades.
134+ #
135+ # allowed values: yes, no, auto
136+# require_message_authenticator = no
137+
138+ #
139+ # The global configuration "security.limit_proxy_state"
140+ # flag sets the default for all clients. That default can be
141+ # over-ridden here, by setting it to "no".
142+ #
143+ # See that file for full documentation on the flag, along
144+ # with allowed values,and meanings.
145+ #
146+ # This flag exists solely for legacy clients which do not send
147+ # Message-Authenticator in all Access-Request packets. We do not
148+ # recommend setting it to "no".
149+ #
150+ # allowed values: yes, no, auto
151+ #
152+# limit_proxy_state = yes
153
154 #
155 # The short name is used as an alias for the fully qualified
156diff --git a/raddb/proxy.conf b/raddb/proxy.conf
157index 91b4b37930..fa362b8a74 100644
158--- a/raddb/proxy.conf
159+++ b/raddb/proxy.conf
160@@ -204,6 +204,25 @@ home_server localhost {
161 #
162 secret = testing123
163
164+
165+ #
166+ # The global configuration "security.require_message_authenticator"
167+ # flag sets the default for all home servers. That default can be
168+ # over-ridden here, by setting it to a value. If no value is set,
169+ # then the default from the "radiusd.conf" file is used.
170+ #
171+ # See that file for full documentation on the flag, along
172+ # with allowed values and meanings.
173+ #
174+ # This flag exists solely for legacy home servers which do
175+ # not send Message-Authenticator in all Access-Accept,
176+ # Access-Reject, or Access-Challenge packets. We do not
177+ # recommend setting it to "no".
178+ #
179+ # allowed values: yes, no, auto
180+ #
181+# require_message_authenticator = no
182+
183 ############################################################
184 #
185 # The rest of the configuration items listed here are optional,
186diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
187index e8aee3c001..5b8800bfc8 100644
188--- a/raddb/radiusd.conf.in
189+++ b/raddb/radiusd.conf.in
190@@ -564,6 +564,191 @@ security {
191 #
192 status_server = yes
193
194+ #
195+ # Global configuration for requiring Message-Authenticator in
196+ # all Access-* packets sent over UDP or TCP. This flag is
197+ # ignored for TLS.
198+ #
199+ # The number one way to protect yourself from the BlastRADIUS
200+ # attack is to update all RADIUS servers, and then set this
201+ # flag to "yes". If all RADIUS servers are updated, and if
202+ # all of them have this flag set to "yes" for all clients,
203+ # then your network is safe. You can then upgrade the
204+ # clients when it is convenient, instead of rushing the
205+ # upgrades.
206+ #
207+ # This flag sets the global default for all clients and home
208+ # servers. It can be over-ridden in an individual client or
209+ # home_server definition by adding the same flag to that
210+ # section with an appropriate value.
211+ #
212+ # All upgraded RADIUS implementations should send
213+ # Message-Authenticator in all Access-Request, Access-Accept,
214+ # Access-Reject, and Access-Challenge packets. Once all
215+ # systems are upgraded, setting this flag to "yes" is the
216+ # best protection from the attack.
217+ #
218+ # The possible values and meanings for
219+ # "require_message_authenticator" are;
220+ #
221+ # * "no" - allow Access-* packet which do not contain
222+ # Message-Authenticator
223+ #
224+ # For a client, if this flag is set to "no", then the
225+ # "limit_proxy_state" flag, below, is also checked.
226+ #
227+ # For a home_server, if this flag is set to "no", then the
228+ # Access-Accept, Access-Reject, and Access-Challenge
229+ # packets do not need to contain Message-Authenticator.
230+ #
231+ # The only reason to set this flag to "no" is when the
232+ # RADIUS client or home server has not been updated. It is
233+ # always safer to set this flag "no" in the individual
234+ # client or home_server definition. The global flag SHOULD
235+ # still be set to a safe value: "yes".
236+ #
237+ # WARNING: Setting this flag and the "limit_proxy_state"
238+ # flag to "no" will allow MITM attackers to create fake
239+ # Access-Accept packets to the NAS! At least one of them
240+ # MUST be set to "yes" for the system to have any
241+ # protection against the attack.
242+ #
243+ # * "yes" - Require that all Access-* packets (client and
244+ # home_server) contain Message-Authenticator. If a packet
245+ # does not contain Message-Authenticator, then it is
246+ # discarded.
247+ #
248+ # * "auto" - Automatically determine the value of the flag,
249+ # based on the first packet received from that client or
250+ # home_server.
251+ #
252+ # If the packet does not contain Message-Authenticator,
253+ # then the value of the flag is automatically switched to
254+ # "no".
255+ #
256+ # If the packet contains Message-Authenticator but not
257+ # EAP-Message, then the value of the flag is automatically
258+ # switched to "yes". The server has to check for
259+ # EAP-Message, because the previous RFCs require that the
260+ # packet contains Message-Authenticator when it also
261+ # contains EAP-Message. So having a Message-Authenticator
262+ # in those packets doesn't give the server enough
263+ # information to determined if the client or home_server
264+ # has been updated.
265+ #
266+ # If the packet contains Message-Authenticator and
267+ # EAP-Message, then the flag is left at the "auto" value.
268+ #
269+ # WARNING: This switch is done for the first packet
270+ # received from that client or home server. The change
271+ # does NOT persist across server restarts. You MUST change
272+ # the to "yes" manually, in order to make a permanent
273+ # change to the configuration.
274+ #
275+ # WARNING: If there are multiple NASes with the same source
276+ # IP and client definitions, BUT the NASes have different
277+ # behavior, then this flag WILL LIKELY BREAK YOUR NETWORK.
278+ #
279+ # That is, when there are multiple different RADIUS clients
280+ # behind one NATed IP address, then these security settings
281+ # have to be set to allow the MOST INSECURE packets to be
282+ # processed. This is a terrible idea, and will leave your
283+ # network vulnerable to the attack. Please upgrade all
284+ # clients immediately.
285+ #
286+ # The only solution to that rare configuration is to set
287+ # this flag to "no", in which case the network will work,
288+ # but will be vulnerable to the attack.
289+ #
290+ require_message_authenticator = auto
291+
292+ #
293+ # Global configuration for limiting the combination of
294+ # Proxy-State and Message-Authenticator. This flag only
295+ # applies to packets sent over UDP or TCP. This flag is
296+ # ignored for TLS.
297+ #
298+ # This flag sets the global default for all clients. It can
299+ # be over-ridden in an individual client definition by adding
300+ # the same flag to that section with an appropriate value.
301+ #
302+ # If "require_message_authenticator" is set to "yes", this
303+ # configuration item is ignored.
304+ #
305+ # If "require_message_authenticator" is set to "no", this
306+ # configuration item is checked.
307+ #
308+ # The possible values and meanings for "limit_proxy_state" are;
309+ #
310+ # * "no" - allow any packets from the client, even packets
311+ # which contain the BlastRADIUS attack. Please be aware
312+ # that in this configuration the server will complain for
313+ # EVERY packet which it receives.
314+ #
315+ # The only reason to set this flag to "no" is when the
316+ # client is a proxy, AND the proxy does not send
317+ # Message-Authenticator in Access-Request packets. Even
318+ # then, the best approach to fix the issue is to (1) update
319+ # the proxy to send Message-Authenticator, and if that
320+ # can't be done, then (2) set this flag to "no", but ONLY
321+ # for that one client. The global flag SHOULD still be set
322+ # to a safe value: "yes".
323+ #
324+ # WARNING: Setting both this flag and the
325+ # "require_message_authenticator" flag to "no" will allow
326+ # MITM attackers to create fake Access-Accept packets to the
327+ # NAS! At least one of them MUST be set to "yes" for the
328+ # system to have any protection against the attack.
329+ #
330+ # * "yes" - Allow packets without Message-Authenticator,
331+ # but only when they do not contain Proxy-State.
332+ # packets which contain Proxy-State MUST also contain
333+ # Message-Authenticator, otherwise they are discarded.
334+ #
335+ # This setting is safe for most NASes, GGSNs, BRAS, etc.
336+ # Most regular RADIUS clients do not send Proxy-State
337+ # attributes for Access-Request packets that they originate.
338+ # However some aggregators (e.g. Wireless LAN Controllers)
339+ # may act as a RADIUS proxy for requests from their cohort
340+ # of managed devices, and in such cases will provide a
341+ # Proxy-State attribute. For those systems, you _must_ look
342+ # at the actual packets to determine what to do. It may be
343+ # that the only way to fix the vulnerability is to upgrade
344+ # the WLC, and set "require_message_authenticator" to "yes".
345+ #
346+ # * "auto" - Automatically determine the value of the flag,
347+ # based on the first packet received from that client.
348+ #
349+ # If the packet contains Proxy-State but no
350+ # Message-Authenticator, then the value of the flag is
351+ # automatically switched to "no".
352+ #
353+ # For all other situations, the value of the flag is
354+ # automatically switched to "yes".
355+ #
356+ # WARNING: This switch is done for the first packet
357+ # received from that client. The change does NOT persist
358+ # across server restarts. You MUST change the to "yes"
359+ # manually, in order to make a permanent change to the
360+ # configuration.
361+ #
362+ # WARNING: If there are multiple NASes with the same source
363+ # IP and client definitions, BUT the NASes have different
364+ # behavior, then this flag WILL LIKELY BREAK YOUR NETWORK.
365+ #
366+ # That is, when there are multiple different RADIUS clients
367+ # behind one NATed IP address, then these security settings
368+ # have to be set to allow the MOST INSECURE packets to be
369+ # processed. This is a terrible idea, and will leave your
370+ # network vulnerable to the attack. Please upgrade all
371+ # clients immediately.
372+ #
373+ # The only solution to that rare configuration is to set
374+ # this flag to "no", in which case the network will work,
375+ # but will be vulnerable to the attack.
376+ #
377+ limit_proxy_state = auto
378+
379 @openssl_version_check_config@
380 }
381
382diff --git a/src/include/clients.h b/src/include/clients.h
383index 560211557f..0aeb1da8d9 100644
384--- a/src/include/clients.h
385+++ b/src/include/clients.h
386@@ -39,7 +39,11 @@ typedef struct radclient {
387
388 char const *secret; //!< Secret PSK.
389
390- bool message_authenticator; //!< Require RADIUS message authenticator in requests.
391+ fr_bool_auto_t require_ma; //!< Require RADIUS message authenticator in requests.
392+
393+ bool dynamic_require_ma; //!< for dynamic clients
394+
395+ fr_bool_auto_t limit_proxy_state; //!< Limit Proxy-State in requests
396
397 char const *nas_type; //!< Type of client (arbitrary).
398
399diff --git a/src/include/conffile.h b/src/include/conffile.h
400index 8cb045c946..ddbcae4e4f 100644
401--- a/src/include/conffile.h
402+++ b/src/include/conffile.h
403@@ -140,6 +140,7 @@ typedef struct timeval _timeval_t;
404 #define PW_TYPE_MULTI (1 << 18) //!< CONF_PAIR can have multiple copies.
405 #define PW_TYPE_NOT_EMPTY (1 << 19) //!< CONF_PAIR is required to have a non zero length value.
406 #define PW_TYPE_FILE_EXISTS ((1 << 20) | PW_TYPE_STRING) //!< File matching value must exist
407+#define PW_TYPE_IGNORE_DEFAULT (1 << 21) //!< don't set from .dflt if the CONF_PAIR is missing
408 /* @} **/
409
410 #define FR_INTEGER_COND_CHECK(_name, _var, _cond, _new)\
411diff --git a/src/include/libradius.h b/src/include/libradius.h
412index ce2f713de1..2efef8b1d3 100644
413--- a/src/include/libradius.h
414+++ b/src/include/libradius.h
415@@ -402,6 +402,10 @@ typedef struct radius_packet {
416 size_t partial;
417 int proto;
418 #endif
419+ bool tls; //!< uses secure transport
420+ bool message_authenticator;
421+ bool proxy_state;
422+ bool eap_message;
423 } RADIUS_PACKET;
424
425 typedef enum {
426@@ -507,6 +511,13 @@ DICT_VENDOR *dict_vendorbyvalue(int vendor);
427 /* radius.c */
428 int rad_send(RADIUS_PACKET *, RADIUS_PACKET const *, char const *secret);
429 bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason);
430+
431+/*
432+ * 1 == require_ma
433+ * 2 == msg_peek
434+ * 4 == limit_proxy_state
435+ * 8 == require_ma for Access-* replies and Protocol-Error
436+ */
437 RADIUS_PACKET *rad_recv(TALLOC_CTX *ctx, int fd, int flags);
438 ssize_t rad_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port, int *code);
439 void rad_recv_discard(int sockfd);
440@@ -694,7 +705,7 @@ extern bool fr_dns_lookups; /* do IP -> hostname lookups? */
441 extern bool fr_hostname_lookups; /* do hostname -> IP lookups? */
442 extern int fr_debug_lvl; /* 0 = no debugging information */
443 extern uint32_t fr_max_attributes; /* per incoming packet */
444-#define FR_MAX_PACKET_CODE (52)
445+#define FR_MAX_PACKET_CODE (53)
446 extern char const *fr_packet_codes[FR_MAX_PACKET_CODE];
447 #define is_radius_code(_x) ((_x > 0) && (_x < FR_MAX_PACKET_CODE))
448 extern FILE *fr_log_fp;
449@@ -932,6 +943,12 @@ int fr_socket_wait_for_connect(int sockfd, struct timeval *timeout);
450 }
451 #endif
452
453+typedef enum {
454+ FR_BOOL_FALSE = 0,
455+ FR_BOOL_TRUE,
456+ FR_BOOL_AUTO,
457+} fr_bool_auto_t;
458+
459 #include <freeradius-devel/packet.h>
460
461 #ifdef WITH_TCP
462diff --git a/src/include/radius.h b/src/include/radius.h
463index 473528d65d..147d674eed 100644
464--- a/src/include/radius.h
465+++ b/src/include/radius.h
466@@ -61,6 +61,7 @@ typedef enum {
467 PW_CODE_COA_REQUEST = 43, //!< RFC3575/RFC5176 - CoA-Request
468 PW_CODE_COA_ACK = 44, //!< RFC3575/RFC5176 - CoA-Ack (positive)
469 PW_CODE_COA_NAK = 45, //!< RFC3575/RFC5176 - CoA-Nak (not willing to perform)
470+ PW_CODE_PROTOCOL_ERROR = 52, //!< RFC7930 - Protocol layer issue
471 PW_CODE_MAX = 255, //!< Maximum possible code
472 } PW_CODE;
473
474diff --git a/src/include/radiusd.h b/src/include/radiusd.h
475index b2a0a0f642..e429c5be7a 100644
476--- a/src/include/radiusd.h
477+++ b/src/include/radiusd.h
478@@ -171,6 +171,10 @@ typedef struct main_config {
479
480 bool exiting; //!< are we exiting?
481
482+ fr_bool_auto_t require_ma; //!< global configuration for all clients and home servers
483+
484+ fr_bool_auto_t limit_proxy_state; //!< global configuration for all clients
485+
486
487 #ifdef ENABLE_OPENSSL_VERSION_CHECK
488 char const *allow_vulnerable_openssl; //!< The CVE number of the last security issue acknowledged.
489@@ -558,6 +562,8 @@ int main_config_free(void);
490 void main_config_hup(void);
491 void hup_logfile(void);
492
493+int fr_bool_auto_parse(CONF_PAIR *cp, fr_bool_auto_t *out, char const *str);
494+
495 /* listen.c */
496 void listen_free(rad_listen_t **head);
497 int listen_init(CONF_SECTION *cs, rad_listen_t **head, bool spawn_flag);
498diff --git a/src/include/realms.h b/src/include/realms.h
499index 6dae8b4f85..e643818e43 100644
500--- a/src/include/realms.h
501+++ b/src/include/realms.h
502@@ -59,6 +59,7 @@ typedef struct home_server {
503 //!< stats or when specifying home servers for a pool.
504
505 bool dual; //!< One of a pair of homeservers on consecutive ports.
506+ fr_bool_auto_t require_ma; //!< for all replies to Access-Request and Status-Server
507 char const *server; //!< For internal proxying
508 char const *parent_server;
509
510diff --git a/src/lib/radius.c b/src/lib/radius.c
511index 3881111f7d..7b91a4bde2 100644
512--- a/src/lib/radius.c
513+++ b/src/lib/radius.c
514@@ -142,8 +142,9 @@ char const *fr_packet_codes[FR_MAX_PACKET_CODE] = {
515 "47",
516 "48",
517 "49",
518- "IP-Address-Allocate",
519- "IP-Address-Release", //!< 50
520+ "IP-Address-Allocate", //!< 50
521+ "IP-Address-Release",
522+ "Protocol-Error",
523 };
524
525
526@@ -1700,6 +1701,15 @@ int rad_vp2attr(RADIUS_PACKET const *packet, RADIUS_PACKET const *original,
527 return rad_vp2vsa(packet, original, secret, pvp, start, room);
528 }
529
530+static const bool code2ma[FR_MAX_PACKET_CODE] = {
531+ [ PW_CODE_ACCESS_REQUEST ] = true,
532+ [ PW_CODE_ACCESS_ACCEPT ] = true,
533+ [ PW_CODE_ACCESS_REJECT ] = true,
534+ [ PW_CODE_ACCESS_CHALLENGE ] = true,
535+ [ PW_CODE_STATUS_SERVER ] = true,
536+ [ PW_CODE_PROTOCOL_ERROR ] = true,
537+};
538+
539
540 /** Encode a packet
541 *
542@@ -1712,6 +1722,7 @@ int rad_encode(RADIUS_PACKET *packet, RADIUS_PACKET const *original,
543 uint16_t total_length;
544 int len;
545 VALUE_PAIR const *reply;
546+ bool seen_ma = false;
547
548 /*
549 * A 4K packet, aligned on 64-bits.
550@@ -1775,6 +1786,27 @@ int rad_encode(RADIUS_PACKET *packet, RADIUS_PACKET const *original,
551 * memcpy.
552 */
553
554+ /*
555+ * Always add Message-Authenticator for replies to
556+ * Access-Request packets, and for all Access-Accept,
557+ * Access-Reject, Access-Challenge.
558+ *
559+ * It must be the FIRST attribute in the packet.
560+ */
561+ if (!packet->tls &&
562+ ((code2ma[packet->code]) || (original && code2ma[original->code]))) {
563+ seen_ma = true;
564+
565+ packet->offset = RADIUS_HDR_LEN;
566+
567+ ptr[0] = PW_MESSAGE_AUTHENTICATOR;
568+ ptr[1] = 18;
569+ memset(ptr + 2, 0, 16);
570+
571+ ptr += 18;
572+ total_length += 18;
573+ }
574+
575 /*
576 * Loop over the reply attributes for the packet.
577 */
578@@ -1832,6 +1864,13 @@ int rad_encode(RADIUS_PACKET *packet, RADIUS_PACKET const *original,
579 * length and initial value.
580 */
581 if (!reply->da->vendor && (reply->da->attr == PW_MESSAGE_AUTHENTICATOR)) {
582+ /*
583+ * We have already encoded the Message-Authenticator, don't do it again.
584+ */
585+ if (seen_ma) {
586+ reply = reply->next;
587+ continue;
588+ }
589 if (room < 18) break;
590
591 /*
592@@ -2323,6 +2362,8 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason)
593 radius_packet_t *hdr;
594 char host_ipaddr[128];
595 bool require_ma = false;
596+ bool limit_proxy_state = false;
597+ bool seen_proxy_state = false;
598 bool seen_ma = false;
599 uint32_t num_attributes;
600 decode_fail_t failure = DECODE_FAIL_NONE;
601@@ -2371,15 +2412,26 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason)
602 }
603
604 /*
605- * Message-Authenticator is required in Status-Server
606- * packets, otherwise they can be trivially forged.
607+ * If the caller requires Message-Authenticator, then set
608+ * the flag.
609 */
610- if (hdr->code == PW_CODE_STATUS_SERVER) require_ma = true;
611
612 /*
613- * It's also required if the caller asks for it.
614+ * We also require Message-Authenticator if the packet
615+ * code is Status-Server.
616+ *
617+ * If we're receiving packets from a proxy socket, then
618+ * require Message-Authenticator for Access-* replies,
619+ * and for Protocol-Error.
620 */
621- if (flags) require_ma = true;
622+ require_ma = ((flags & 0x01) != 0) || (hdr->code == PW_CODE_STATUS_SERVER) || (((flags & 0x08) != 0) && code2ma[hdr->code]);
623+
624+ /*
625+ *
626+ * We only limit Proxy-State if we're not requiring
627+ * Message-Authenticator.
628+ */
629+ limit_proxy_state = ((flags & 0x04) != 0) && !require_ma;
630
631 /*
632 * Repeat the length checks. This time, instead of
633@@ -2534,6 +2586,7 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason)
634 case PW_EAP_MESSAGE:
635 require_ma = true;
636 eap = true;
637+ packet->eap_message = true;
638 break;
639
640 case PW_USER_PASSWORD:
641@@ -2542,6 +2595,11 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason)
642 non_eap = true;
643 break;
644
645+ case PW_PROXY_STATE:
646+ seen_proxy_state = true;
647+ packet->proxy_state = true;
648+ break;
649+
650 case PW_MESSAGE_AUTHENTICATOR:
651 if (attr[1] != 2 + AUTH_VECTOR_LEN) {
652 FR_DEBUG_STRERROR_PRINTF("Malformed RADIUS packet from host %s: Message-Authenticator has invalid length %d",
653@@ -2553,6 +2611,7 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason)
654 goto finish;
655 }
656 seen_ma = true;
657+ packet->message_authenticator = true;
658 break;
659 }
660
661@@ -2609,7 +2668,19 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason)
662 * Message-Authenticator attributes.
663 */
664 if (require_ma && !seen_ma) {
665- FR_DEBUG_STRERROR_PRINTF("Insecure packet from host %s: Packet does not contain required Message-Authenticator attribute",
666+ FR_DEBUG_STRERROR_PRINTF("Insecure packet from host %s: Packet does not contain required Message-Authenticator attribute. You may need to set \"require_message_authenticator = no\" in the configuration.",
667+ inet_ntop(packet->src_ipaddr.af,
668+ &packet->src_ipaddr.ipaddr,
669+ host_ipaddr, sizeof(host_ipaddr)));
670+ failure = DECODE_FAIL_MA_MISSING;
671+ goto finish;
672+ }
673+
674+ /*
675+ * The client is a NAS which shouldn't send Proxy-State, but it did!
676+ */
677+ if (limit_proxy_state && seen_proxy_state && !seen_ma) {
678+ FR_DEBUG_STRERROR_PRINTF("Insecure packet from host %s: Packet does not contain required Message-Authenticator attribute, but still has one or more Proxy-State attributes",
679 inet_ntop(packet->src_ipaddr.af,
680 &packet->src_ipaddr.ipaddr,
681 host_ipaddr, sizeof(host_ipaddr)));
682diff --git a/src/main/client.c b/src/main/client.c
683index 6228438c47..875dc37d60 100644
684--- a/src/main/client.c
685+++ b/src/main/client.c
686@@ -283,7 +283,8 @@ bool client_add(RADCLIENT_LIST *clients, RADCLIENT *client)
687 (old->coa_server == client->coa_server) &&
688 (old->coa_pool == client->coa_pool) &&
689 #endif
690- (old->message_authenticator == client->message_authenticator)) {
691+ (old->require_ma == client->require_ma) &&
692+ (old->limit_proxy_state == client->limit_proxy_state)) {
693 WARN("Ignoring duplicate client %s", client->longname);
694 client_free(client);
695 return true;
696@@ -445,6 +446,8 @@ static fr_ipaddr_t cl_ipaddr;
697 static uint32_t cl_netmask;
698 static char const *cl_srcipaddr = NULL;
699 static char const *hs_proto = NULL;
700+static char const *require_message_authenticator = NULL;
701+static char const *limit_proxy_state = NULL;
702
703 #ifdef WITH_TCP
704 static CONF_PARSER limit_config[] = {
705@@ -467,7 +470,8 @@ static const CONF_PARSER client_config[] = {
706
707 { "src_ipaddr", FR_CONF_POINTER(PW_TYPE_STRING, &cl_srcipaddr), NULL },
708
709- { "require_message_authenticator", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, RADCLIENT, message_authenticator), "no" },
710+ { "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_STRING| PW_TYPE_IGNORE_DEFAULT, &require_message_authenticator), NULL },
711+ { "limit_proxy_state", FR_CONF_POINTER(PW_TYPE_STRING| PW_TYPE_IGNORE_DEFAULT, &limit_proxy_state), NULL },
712
713 { "secret", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, RADCLIENT, secret), NULL },
714 { "shortname", FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, shortname), NULL },
715@@ -663,7 +667,7 @@ static const CONF_PARSER dynamic_config[] = {
716 { "FreeRADIUS-Client-Src-IP-Address", FR_CONF_OFFSET(PW_TYPE_IPV4_ADDR, RADCLIENT, src_ipaddr), NULL },
717 { "FreeRADIUS-Client-Src-IPv6-Address", FR_CONF_OFFSET(PW_TYPE_IPV6_ADDR, RADCLIENT, src_ipaddr), NULL },
718
719- { "FreeRADIUS-Client-Require-MA", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, RADCLIENT, message_authenticator), NULL },
720+ { "FreeRADIUS-Client-Require-MA", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, RADCLIENT, dynamic_require_ma), NULL },
721
722 { "FreeRADIUS-Client-Secret", FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, secret), "" },
723 { "FreeRADIUS-Client-Shortname", FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, shortname), "" },
724@@ -845,8 +849,19 @@ RADCLIENT *client_afrom_cs(TALLOC_CTX *ctx, CONF_SECTION *cs, bool in_server, bo
725 c = talloc_zero(ctx, RADCLIENT);
726 c->cs = cs;
727
728+ /*
729+ * Set the "require message authenticator" and "limit
730+ * proxy state" flags from the global default. If the
731+ * configuration item exists, AND is set, it will
732+ * over-ride the flag.
733+ */
734+ c->require_ma = main_config.require_ma;
735+ c->limit_proxy_state = main_config.limit_proxy_state;
736+
737 memset(&cl_ipaddr, 0, sizeof(cl_ipaddr));
738 cl_netmask = 255;
739+ require_message_authenticator = NULL;
740+ limit_proxy_state = NULL;
741
742 if (cf_section_parse(cs, c, client_config) < 0) {
743 cf_log_err_cs(cs, "Error parsing client section");
744@@ -857,6 +872,9 @@ RADCLIENT *client_afrom_cs(TALLOC_CTX *ctx, CONF_SECTION *cs, bool in_server, bo
745 cl_srcipaddr = NULL;
746 #endif
747
748+ require_message_authenticator = NULL;
749+ limit_proxy_state = NULL;
750+
751 return NULL;
752 }
753
754@@ -1114,6 +1132,16 @@ done_coa:
755 }
756 #endif
757
758+ if (fr_bool_auto_parse(cf_pair_find(cs, "require_message_authenticator"), &c->require_ma, require_message_authenticator) < 0) {
759+ goto error;
760+ }
761+
762+ if (c->require_ma != FR_BOOL_TRUE) {
763+ if (fr_bool_auto_parse(cf_pair_find(cs, "limit_proxy_state"), &c->limit_proxy_state, limit_proxy_state) < 0) {
764+ goto error;
765+ }
766+ }
767+
768 return c;
769 }
770
771@@ -1158,7 +1186,7 @@ RADCLIENT *client_afrom_query(TALLOC_CTX *ctx, char const *identifier, char cons
772 if (shortname) c->shortname = talloc_typed_strdup(c, shortname);
773 if (type) c->nas_type = talloc_typed_strdup(c, type);
774 if (server) c->server = talloc_typed_strdup(c, server);
775- c->message_authenticator = require_ma;
776+ c->require_ma = require_ma;
777
778 return c;
779 }
780@@ -1344,10 +1372,10 @@ RADCLIENT *client_afrom_request(RADCLIENT_LIST *clients, REQUEST *request)
781 *pi = vp->vp_integer;
782
783 /*
784- * Same nastiness as above.
785+ * Same nastiness as above, but hard-coded for require Message-Authenticator.
786 */
787 for (parse = client_config; parse->name; parse++) {
788- if (parse->offset == dynamic_config[i].offset) break;
789+ if (parse->type == PW_TYPE_BOOLEAN) break;
790 }
791 if (!parse) break;
792
793@@ -1436,6 +1464,11 @@ validate:
794 goto error;
795 }
796
797+ /*
798+ * It can't be set to "auto". Too bad.
799+ */
800+ c->require_ma = (fr_bool_auto_t) c->dynamic_require_ma;
801+
802 if (!client_add_dynamic(clients, request->client, c)) {
803 return NULL;
804 }
805diff --git a/src/main/conffile.c b/src/main/conffile.c
806index a8c667bfb5..61754e991f 100644
807--- a/src/main/conffile.c
808+++ b/src/main/conffile.c
809@@ -1418,6 +1418,7 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d
810 {
811 int rcode;
812 bool deprecated, required, attribute, secret, file_input, cant_be_empty, tmpl, multi, file_exists;
813+ bool ignore_dflt;
814 char **q;
815 char const *value;
816 CONF_PAIR *cp = NULL;
817@@ -1441,6 +1442,7 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d
818 cant_be_empty = (type & PW_TYPE_NOT_EMPTY);
819 tmpl = (type & PW_TYPE_TMPL);
820 multi = (type & PW_TYPE_MULTI);
821+ ignore_dflt = (type & PW_TYPE_IGNORE_DEFAULT);
822
823 if (attribute) required = true;
824 if (required) cant_be_empty = true; /* May want to review this in the future... */
825@@ -1464,7 +1466,7 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d
826 * section, use the default value.
827 */
828 if (!cp) {
829- if (deprecated) return 0; /* Don't set the default value */
830+ if (deprecated || ignore_dflt) return 0; /* Don't set the default value */
831
832 rcode = 1;
833 value = dflt;
834diff --git a/src/main/listen.c b/src/main/listen.c
835index ebf7f5221c..c20fea243d 100644
836--- a/src/main/listen.c
837+++ b/src/main/listen.c
838@@ -456,6 +456,122 @@ int rad_status_server(REQUEST *request)
839 return 0;
840 }
841
842+static void blastradius_checks(RADIUS_PACKET *packet, RADCLIENT *client)
843+{
844+ if (client->require_ma == FR_BOOL_TRUE) return;
845+
846+ if (client->require_ma == FR_BOOL_AUTO) {
847+ if (!packet->message_authenticator) {
848+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
849+ ERROR("BlastRADIUS check: Received packet without Message-Authenticator.");
850+ ERROR("Setting \"require_message_authenticator = false\" for client %s", client->shortname);
851+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
852+ ERROR("UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.");
853+ ERROR("Once the client is upgraded, set \"require_message_authenticator = true\" for client %s", client->shortname);
854+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
855+ client->require_ma = FR_BOOL_FALSE;
856+
857+ /*
858+ * And fall through to the
859+ * limit_proxy_state checks, which might
860+ * complain again. Oh well, maybe that
861+ * will make people read the messages.
862+ */
863+
864+ } else if (packet->eap_message) {
865+ /*
866+ * Don't set it to "true" for packets
867+ * with EAP-Message. It's already
868+ * required there, and we might get a
869+ * non-EAP packet with (or without)
870+ * Message-Authenticator
871+ */
872+ return;
873+ } else {
874+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
875+ ERROR("BlastRADIUS check: Received packet with Message-Authenticator.");
876+ ERROR("Setting \"require_message_authenticator = true\" for client %s", client->shortname);
877+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
878+ ERROR("It looks like the client has been updated to protect from the BlastRADIUS attack.");
879+ ERROR("Please set \"require_message_authenticator = true\" for client %s", client->shortname);
880+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
881+
882+ client->require_ma = FR_BOOL_TRUE;
883+ return;
884+ }
885+
886+ }
887+
888+ /*
889+ * If all of the checks are turned off, then complain for every packet we receive.
890+ */
891+ if (client->limit_proxy_state == FR_BOOL_FALSE) {
892+ /*
893+ * We have a Message-Authenticator, and it's valid. We don't need to compain.
894+ */
895+ if (!fr_debug_lvl) return; /* easier than checking for each line below */
896+
897+ DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
898+ DEBUG("BlastRADIUS check: Received packet without Message-Authenticator.");
899+ DEBUG("YOU MUST SET \"require_message_authenticator = true\", or");
900+ DEBUG("YOU MUST SET \"limit_proxy_state = true\" for client %s", client->shortname);
901+ DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
902+ DEBUG("The packet does not contain Message-Authenticator, which is a security issue");
903+ DEBUG("UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.");
904+ DEBUG("Once the client is upgraded, set \"require_message_authenticator = true\" for client %s", client->shortname);
905+ DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
906+ return;
907+ }
908+
909+ /*
910+ * Don't complain here. rad_packet_ok() will instead
911+ * complain about every packet with Proxy-State but which
912+ * is missing Message-Authenticator.
913+ */
914+ if (client->limit_proxy_state == FR_BOOL_TRUE) {
915+ return;
916+ }
917+
918+ if (packet->proxy_state && !packet->message_authenticator) {
919+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
920+ ERROR("BlastRADIUS check: Received packet with Proxy-State, but without Message-Authenticator.");
921+ ERROR("This is either a BlastRADIUS attack, OR");
922+ ERROR("the client is a proxy RADIUS server which has not been upgraded.");
923+ ERROR("Setting \"limit_proxy_state = false\" for client %s", client->shortname);
924+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
925+ ERROR("UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.");
926+ DEBUG("Once the client is upgraded, set \"require_message_authenticator = true\" for client %s", client->shortname);
927+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
928+
929+ client->limit_proxy_state = FR_BOOL_FALSE;
930+
931+ } else {
932+ client->limit_proxy_state = FR_BOOL_TRUE;
933+
934+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
935+ if (!packet->proxy_state) {
936+ ERROR("BlastRADIUS check: Received packet without Proxy-State.");
937+ } else {
938+ ERROR("BlastRADIUS check: Received packet with Proxy-State and Message-Authenticator.");
939+ }
940+
941+ ERROR("Setting \"limit_proxy_state = true\" for client %s", client->shortname);
942+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
943+
944+ if (!packet->message_authenticator) {
945+ ERROR("The packet does not contain Message-Authenticator, which is a security issue.");
946+ ERROR("UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK.");
947+ DEBUG("Once the client is upgraded, set \"require_message_authenticator = true\" for client %s", client->shortname);
948+ } else {
949+ ERROR("The packet contains Message-Authenticator.");
950+ if (!packet->eap_message) ERROR("The client has likely been upgraded to protect from the attack.");
951+ ERROR("Please set \"require_message_authenticator = true\" for client %s", client->shortname);
952+ }
953+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
954+ }
955+}
956+
957+
958 #ifdef WITH_TCP
959 static int dual_tcp_recv(rad_listen_t *listener)
960 {
961@@ -532,6 +648,21 @@ static int dual_tcp_recv(rad_listen_t *listener)
962 switch (packet->code) {
963 case PW_CODE_ACCESS_REQUEST:
964 if (listener->type != RAD_LISTEN_AUTH) goto bad_packet;
965+
966+ /*
967+ * Enforce BlastRADIUS checks on TCP, too.
968+ */
969+ if (!rad_packet_ok(packet, (client->require_ma == FR_BOOL_TRUE) | ((client->limit_proxy_state == FR_BOOL_TRUE) << 2), NULL)) {
970+ FR_STATS_INC(auth, total_malformed_requests);
971+ rad_free(&sock->packet);
972+ return 0;
973+ }
974+
975+ /*
976+ * Perform BlastRADIUS checks and warnings.
977+ */
978+ if (packet->code == PW_CODE_ACCESS_REQUEST) blastradius_checks(packet, client);
979+
980 FR_STATS_INC(auth, total_requests);
981 fun = rad_authenticate;
982 break;
983@@ -1562,7 +1693,7 @@ static int auth_socket_recv(rad_listen_t *listener)
984 * Now that we've sanity checked everything, receive the
985 * packet.
986 */
987- packet = rad_recv(ctx, listener->fd, client->message_authenticator);
988+ packet = rad_recv(ctx, listener->fd, (client->require_ma == FR_BOOL_TRUE) | ((client->limit_proxy_state == FR_BOOL_TRUE) << 2));
989 if (!packet) {
990 FR_STATS_INC(auth, total_malformed_requests);
991 if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror());
992@@ -1570,6 +1701,12 @@ static int auth_socket_recv(rad_listen_t *listener)
993 return 0;
994 }
995
996+
997+ /*
998+ * Perform BlastRADIUS checks and warnings.
999+ */
1000+ if (packet->code == PW_CODE_ACCESS_REQUEST) blastradius_checks(packet, client);
1001+
1002 #ifdef __APPLE__
1003 #ifdef WITH_UDPFROMTO
1004 /*
1005@@ -1955,7 +2092,7 @@ static int coa_socket_recv(rad_listen_t *listener)
1006 * Now that we've sanity checked everything, receive the
1007 * packet.
1008 */
1009- packet = rad_recv(ctx, listener->fd, client->message_authenticator);
1010+ packet = rad_recv(ctx, listener->fd, client->require_ma | (((int) client->limit_proxy_state) << 2));
1011 if (!packet) {
1012 FR_STATS_INC(coa, total_malformed_requests);
1013 if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror());
1014diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
1015index e9dd412dee..520d7fa474 100644
1016--- a/src/main/mainconfig.c
1017+++ b/src/main/mainconfig.c
1018@@ -73,6 +73,8 @@ static char const *gid_name = NULL;
1019 static char const *chroot_dir = NULL;
1020 static bool allow_core_dumps = false;
1021 static char const *radlog_dest = NULL;
1022+static char const *require_message_authenticator = NULL;
1023+static char const *limit_proxy_state = NULL;
1024
1025 /*
1026 * These are not used anywhere else..
1027@@ -87,6 +89,53 @@ static bool do_colourise = false;
1028
1029 static char const *radius_dir = NULL; //!< Path to raddb directory
1030
1031+static const FR_NAME_NUMBER fr_bool_auto_names[] = {
1032+ { "false", FR_BOOL_FALSE },
1033+ { "no", FR_BOOL_FALSE },
1034+ { "0", FR_BOOL_FALSE },
1035+
1036+ { "true", FR_BOOL_TRUE },
1037+ { "yes", FR_BOOL_TRUE },
1038+ { "1", FR_BOOL_TRUE },
1039+
1040+ { "auto", FR_BOOL_AUTO },
1041+
1042+ { NULL, 0 }
1043+};
1044+
1045+/*
1046+ * Get decent values for false / true / auto
1047+ */
1048+int fr_bool_auto_parse(CONF_PAIR *cp, fr_bool_auto_t *out, char const *str)
1049+{
1050+ int value;
1051+
1052+ /*
1053+ * Don't change anything.
1054+ */
1055+ if (!str) return 0;
1056+
1057+ value = fr_str2int(fr_bool_auto_names, str, -1);
1058+ if (value >= 0) {
1059+ *out = value;
1060+ return 0;
1061+ }
1062+
1063+ /*
1064+ * This should never happen, as the defaults are in the
1065+ * source code. If there's no CONF_PAIR, and there's a
1066+ * parse error, then the source code is wrong.
1067+ */
1068+ if (!cp) {
1069+ fprintf(stderr, "%s: Error - Invalid value in configuration", main_config.name);
1070+ return -1;
1071+ }
1072+
1073+ cf_log_err(cf_pair_to_item(cp), "Invalid value for \"%s\"", cf_pair_attr(cp));
1074+ return -1;
1075+}
1076+
1077+
1078 /**********************************************************************
1079 *
1080 * We need to figure out where the logs go, before doing anything
1081@@ -159,6 +208,8 @@ static const CONF_PARSER security_config[] = {
1082 { "max_attributes", FR_CONF_POINTER(PW_TYPE_INTEGER, &fr_max_attributes), STRINGIFY(0) },
1083 { "reject_delay", FR_CONF_POINTER(PW_TYPE_TIMEVAL, &main_config.reject_delay), STRINGIFY(0) },
1084 { "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},
1085+ { "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_STRING, &require_message_authenticator), "auto"},
1086+ { "limit_proxy_state", FR_CONF_POINTER(PW_TYPE_STRING, &limit_proxy_state), "auto"},
1087 #ifdef ENABLE_OPENSSL_VERSION_CHECK
1088 { "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"},
1089 #endif
1090@@ -838,6 +889,8 @@ int main_config_init(void)
1091 if (!main_config.dictionary_dir) {
1092 main_config.dictionary_dir = DICTDIR;
1093 }
1094+ main_config.require_ma = FR_BOOL_AUTO;
1095+ main_config.limit_proxy_state = FR_BOOL_AUTO;
1096
1097 /*
1098 * About sizeof(REQUEST) + sizeof(RADIUS_PACKET) * 2 + sizeof(VALUE_PAIR) * 400
1099@@ -1127,6 +1180,23 @@ do {\
1100 main_config.init_delay.tv_sec = 0;
1101 main_config.init_delay.tv_usec = 2* (1000000 / 3);
1102
1103+ {
1104+ CONF_PAIR *cp = NULL;
1105+
1106+ subcs = cf_section_sub_find(cs, "security");
1107+ if (subcs) cp = cf_pair_find(subcs, "require_message_authenticator");
1108+ if (fr_bool_auto_parse(cp, &main_config.require_ma, require_message_authenticator) < 0) {
1109+ cf_file_free(cs);
1110+ return -1;
1111+ }
1112+
1113+ if (subcs) cp = cf_pair_find(subcs, "limit_proxy_state");
1114+ if (fr_bool_auto_parse(cp, &main_config.limit_proxy_state, limit_proxy_state) < 0) {
1115+ cf_file_free(cs);
1116+ return -1;
1117+ }
1118+ }
1119+
1120 /*
1121 * Free the old configuration items, and replace them
1122 * with the new ones.
1123diff --git a/src/main/process.c b/src/main/process.c
1124index 1a48517d43..401033bdd6 100644
1125--- a/src/main/process.c
1126+++ b/src/main/process.c
1127@@ -2593,6 +2593,23 @@ int request_proxy_reply(RADIUS_PACKET *packet)
1128
1129 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
1130
1131+ if (!request->proxy_reply) {
1132+ decode_fail_t reason;
1133+
1134+ /*
1135+ * If the home server configuration requires a Message-Authenticator, then set the flag,
1136+ * but only if the proxied packet is Access-Request or Status-Sercer.
1137+ *
1138+ * The realms.c file already clears require_ma for TLS connections.
1139+ */
1140+ bool require_ma = (request->home_server->require_ma == FR_BOOL_TRUE) && (request->proxy->code == PW_CODE_ACCESS_REQUEST);
1141+
1142+ if(!rad_packet_ok(packet, require_ma, &reason)) {
1143+ DEBUG("Ignoring invalid packet - %s", fr_strerror());
1144+ return 0;
1145+ }
1146+ }
1147+
1148 /*
1149 * No reply, BUT the current packet fails verification:
1150 * ignore it. This does the MD5 calculations in the
1151@@ -2618,6 +2635,54 @@ int request_proxy_reply(RADIUS_PACKET *packet)
1152 return 0;
1153 }
1154
1155+
1156+ /*
1157+ * BlastRADIUS checks. We're running in the main
1158+ * listener thread, so there's no conflict
1159+ * checking or setting these fields.
1160+ */
1161+ if (!request->proxy_reply && (request->proxy->code == PW_CODE_ACCESS_REQUEST) &&
1162+#ifdef WITH_TLS
1163+ !request->home_server->tls &&
1164+#endif
1165+ !packet->eap_message) {
1166+ if (request->home_server->require_ma == FR_BOOL_AUTO) {
1167+ if (!packet->message_authenticator) {
1168+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
1169+ RERROR("BlastRADIUS check: Received response to Access-Request without Message-Authenticator.");
1170+ RERROR("Setting \"require_message_authenticator = false\" for home_server %s", request->home_server->name);
1171+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
1172+ RERROR("UPGRADE THE HOME SERVER AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.");
1173+ RERROR("Once the home_server is upgraded, set \"require_message_authenticator = true\" for home_server %s.", request->home_server->name);
1174+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
1175+
1176+ request->home_server->require_ma = FR_BOOL_FALSE;
1177+ } else {
1178+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
1179+ RERROR("BlastRADIUS check: Received response to Access-Request with Message-Authenticator.");
1180+ RERROR("Setting \"require_message_authenticator = true\" for home_server %s", request->home_server->name);
1181+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
1182+ RERROR("It looks like the home server has been updated to protect from the BlastRADIUS attack.");
1183+ RERROR("Please set \"require_message_authenticator = true\" for home_server %s", request->home_server->name);
1184+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
1185+
1186+ request->home_server->require_ma = FR_BOOL_TRUE;
1187+ }
1188+
1189+ } else if (fr_debug_lvl && (request->home_server->require_ma == FR_BOOL_FALSE) && !packet->message_authenticator) {
1190+ /*
1191+ * If it's "no" AND we don't have a Message-Authenticator, then complain on every packet.
1192+ */
1193+ RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
1194+ RDEBUG("BlastRADIUS check: Received packet without Message-Authenticator from home_server %s", request->home_server->name);
1195+ RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
1196+ RDEBUG("The packet does not contain Message-Authenticator, which is a security issue");
1197+ RDEBUG("UPGRADE THE HOME SERVER AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.");
1198+ RERROR("Once the home_server is upgraded, set \"require_message_authenticator = true\" for home_server %s.", request->home_server->name);
1199+ RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
1200+ }
1201+ }
1202+
1203 /*
1204 * This shouldn't happen, but threads and race
1205 * conditions.
1206diff --git a/src/main/radclient.c b/src/main/radclient.c
1207index 52d2872b13..47d5f07785 100644
1208--- a/src/main/radclient.c
1209+++ b/src/main/radclient.c
1210@@ -54,6 +54,7 @@ static fr_ipaddr_t server_ipaddr;
1211 static int resend_count = 1;
1212 static bool done = true;
1213 static bool print_filename = false;
1214+static bool blast_radius = false;
1215
1216 static fr_ipaddr_t client_ipaddr;
1217 static uint16_t client_port = 0;
1218@@ -89,6 +90,7 @@ static void NEVER_RETURNS usage(void)
1219 fprintf(stderr, " <command> One of auth, acct, status, coa, disconnect or auto.\n");
1220 fprintf(stderr, " -4 Use IPv4 address of server\n");
1221 fprintf(stderr, " -6 Use IPv6 address of server.\n");
1222+ fprintf(stderr, " -b Mandate checks for Blast RADIUS (this is not set by default).\n");
1223 fprintf(stderr, " -c <count> Send each packet 'count' times.\n");
1224 fprintf(stderr, " -d <raddb> Set user dictionary directory (defaults to " RADDBDIR ").\n");
1225 fprintf(stderr, " -D <dictdir> Set main dictionary directory (defaults to " DICTDIR ").\n");
1226@@ -1000,6 +1002,130 @@ static int send_one_packet(rc_request_t *request)
1227 return 0;
1228 }
1229
1230+/*
1231+ * Do Blast RADIUS checks.
1232+ *
1233+ * The request is an Access-Request, and does NOT contain Proxy-State.
1234+ *
1235+ * The reply is a raw packet, and is NOT yet decoded.
1236+ */
1237+static int blast_radius_check(rc_request_t *request, RADIUS_PACKET *reply)
1238+{
1239+ uint8_t *attr, *end;
1240+ VALUE_PAIR *vp;
1241+ bool have_message_authenticator = false;
1242+
1243+ /*
1244+ * We've received a raw packet. Nothing has (as of yet) checked
1245+ * anything in it other than the length, and that it's a
1246+ * well-formed RADIUS packet.
1247+ */
1248+ switch (reply->data[0]) {
1249+ case PW_CODE_ACCESS_ACCEPT:
1250+ case PW_CODE_ACCESS_REJECT:
1251+ case PW_CODE_ACCESS_CHALLENGE:
1252+ if (reply->data[1] != request->packet->id) {
1253+ ERROR("Invalid reply ID %d to Access-Request ID %d", reply->data[1], request->packet->id);
1254+ return -1;
1255+ }
1256+ break;
1257+
1258+ default:
1259+ ERROR("Invalid reply code %d to Access-Request", reply->data[0]);
1260+ return -1;
1261+ }
1262+
1263+ /*
1264+ * If the reply has a Message-Authenticator, then it MIGHT be fine.
1265+ */
1266+ attr = reply->data + 20;
1267+ end = reply->data + reply->data_len;
1268+
1269+ /*
1270+ * It should be the first attribute, so we warn if it isn't there.
1271+ *
1272+ * But it's not a fatal error.
1273+ */
1274+ if (blast_radius && (attr[0] != PW_MESSAGE_AUTHENTICATOR)) {
1275+ RDEBUG("WARNING The %s reply packet does not have Message-Authenticator as the first attribute. The packet may be vulnerable to Blast RADIUS attacks.",
1276+ fr_packet_codes[reply->data[0]]);
1277+ }
1278+
1279+ /*
1280+ * Set up for Proxy-State checks.
1281+ *
1282+ * If we see a Proxy-State in the reply which we didn't send, then it's a Blast RADIUS attack.
1283+ */
1284+ vp = fr_pair_find_by_num(request->packet->vps, PW_PROXY_STATE, 0, TAG_ANY);
1285+
1286+ while (attr < end) {
1287+ /*
1288+ * Blast RADIUS work-arounds require that
1289+ * Message-Authenticator is the first attribute in the
1290+ * reply. Note that we don't check for it being the
1291+ * first attribute, but simply that it exists.
1292+ *
1293+ * That check is a balance between securing the reply
1294+ * packet from attacks, and not violating the RFCs which
1295+ * say that there is no order to attributes in the
1296+ * packet.
1297+ *
1298+ * However, no matter the status of the '-b' flag we
1299+ * still can check for the signature of the attack, and
1300+ * discard packets which are suspicious. This behavior
1301+ * protects radclient from the attack, without mandating
1302+ * new behavior on the server side.
1303+ *
1304+ * Note that we don't set the '-b' flag by default.
1305+ * radclient is intended for testing / debugging, and is
1306+ * not intended to be used as part of a secure login /
1307+ * user checking system.
1308+ */
1309+ if (attr[0] == PW_MESSAGE_AUTHENTICATOR) {
1310+ have_message_authenticator = true;
1311+ goto next;
1312+ }
1313+
1314+ /*
1315+ * If there are Proxy-State attributes in the reply, they must
1316+ * match EXACTLY the Proxy-State attributes in the request.
1317+ *
1318+ * Note that we don't care if there are more Proxy-States
1319+ * in the request than in the reply. The Blast RADIUS
1320+ * issue requires _adding_ Proxy-State attributes, and
1321+ * cannot work when the server _deletes_ Proxy-State
1322+ * attributes.
1323+ */
1324+ if (attr[0] == PW_PROXY_STATE) {
1325+ if (!vp || (vp->length != (size_t) (attr[1] - 2)) || (memcmp(vp->vp_octets, attr + 2, vp->length) != 0)) {
1326+ ERROR("Invalid reply to Access-Request ID %d - Discarding packet due to Blast RADIUS attack being detected.", request->packet->id);
1327+ ERROR("We received a Proxy-State in the reply which we did not send, or which is different from what we sent.");
1328+ return -1;
1329+ }
1330+
1331+ vp = fr_pair_find_by_num(vp->next, PW_PROXY_STATE, 0, TAG_ANY);
1332+ }
1333+
1334+ next:
1335+ attr += attr[1];
1336+ }
1337+
1338+ /*
1339+ * If "-b" is set, then we require Message-Authenticator in the reply.
1340+ */
1341+ if (blast_radius && !have_message_authenticator) {
1342+ ERROR("The %s reply packet does not contain Message-Authenticator - discarding packet due to Blast RADIUS checks.",
1343+ fr_packet_codes[reply->data[0]]);
1344+ return -1;
1345+ }
1346+
1347+ /*
1348+ * The packet doesn't look like it's a Blast RADIUS attack. The
1349+ * caller will now verify the packet signature.
1350+ */
1351+ return 0;
1352+}
1353+
1354 /*
1355 * Receive one packet, maybe.
1356 */
1357@@ -1051,6 +1177,21 @@ static int recv_one_packet(int wait_time)
1358 }
1359 request = fr_packet2myptr(rc_request_t, packet, packet_p);
1360
1361+
1362+ /*
1363+ * We want radclient to be able to send any packet, including
1364+ * imperfect ones. However, we do NOT want to be vulnerable to
1365+ * the "Blast RADIUS" issue. Instead of adding command-line
1366+ * flags to enable/disable similar flags to what the server
1367+ * sends, we just do a few more smart checks to double-check
1368+ * things.
1369+ */
1370+ if ((request->packet->code == PW_CODE_ACCESS_REQUEST) &&
1371+ blast_radius_check(request, reply) < 0) {
1372+ rad_free(&reply);
1373+ return -1;
1374+ }
1375+
1376 /*
1377 * Fails the signature validation: not a real reply.
1378 * FIXME: Silently drop it and listen for another packet.
1379@@ -1183,7 +1324,7 @@ int main(int argc, char **argv)
1380 exit(1);
1381 }
1382
1383- while ((c = getopt(argc, argv, "46c:d:D:f:Fhn:p:qr:sS:t:vx"
1384+ while ((c = getopt(argc, argv, "46bc:d:D:f:Fhn:p:qr:sS:t:vx"
1385 #ifdef WITH_TCP
1386 "P:"
1387 #endif
1388@@ -1192,6 +1333,10 @@ int main(int argc, char **argv)
1389 force_af = AF_INET;
1390 break;
1391
1392+ case 'b':
1393+ blast_radius = true;
1394+ break;
1395+
1396 case '6':
1397 force_af = AF_INET6;
1398 break;
1399diff --git a/src/main/radtest.in b/src/main/radtest.in
1400index 38b1ba9a0f..8a6741a26c 100644
1401--- a/src/main/radtest.in
1402+++ b/src/main/radtest.in
1403@@ -19,6 +19,7 @@ usage() {
1404 echo " -x Enable debug output" >&2
1405 echo " -4 Use IPv4 for the NAS address (default)" >&2
1406 echo " -6 Use IPv6 for the NAS address" >&2
1407+ echo " -6 Mandate checks for Blast RADIUS (this is not set by default)." >&2
1408 exit 1
1409 }
1410
1411@@ -55,6 +56,10 @@ do
1412 NAS_ADDR_ATTR="NAS-IPv6-Address"
1413 shift
1414 ;;
1415+ -b)
1416+ OPTIONS="$OPTIONS -b"
1417+ shift
1418+ ;;
1419 -d)
1420 OPTIONS="$OPTIONS -d $2"
1421 shift;shift
1422@@ -120,7 +125,6 @@ fi
1423 echo "$PASSWORD = \"$2\""
1424 echo "$NAS_ADDR_ATTR = $nas"
1425 echo "NAS-Port = $4"
1426- echo "Message-Authenticator = 0x00"
1427 if [ "$radclient" = "$radeapclient" ]
1428 then
1429 echo "EAP-Code = Response"
1430diff --git a/src/main/realms.c b/src/main/realms.c
1431index eb42598116..5e1215c0bb 100644
1432--- a/src/main/realms.c
1433+++ b/src/main/realms.c
1434@@ -366,7 +366,10 @@ static CONF_PARSER home_server_coa[] = {
1435 };
1436 #endif
1437
1438+static const char *require_message_authenticator = NULL;
1439+
1440 static CONF_PARSER home_server_config[] = {
1441+ { "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_STRING| PW_TYPE_IGNORE_DEFAULT, &require_message_authenticator), NULL },
1442 { "ipaddr", FR_CONF_OFFSET(PW_TYPE_COMBO_IP_ADDR, home_server_t, ipaddr), NULL },
1443 { "ipv4addr", FR_CONF_OFFSET(PW_TYPE_IPV4_ADDR, home_server_t, ipaddr), NULL },
1444 { "ipv6addr", FR_CONF_OFFSET(PW_TYPE_IPV6_ADDR, home_server_t, ipaddr), NULL },
1445@@ -640,6 +643,9 @@ home_server_t *home_server_afrom_cs(TALLOC_CTX *ctx, realm_config_t *rc, CONF_SE
1446 home->cs = cs;
1447 home->state = HOME_STATE_UNKNOWN;
1448 home->proto = IPPROTO_UDP;
1449+ home->require_ma = main_config.require_ma;
1450+
1451+ require_message_authenticator = false;
1452
1453 /*
1454 * Parse the configuration into the home server
1455@@ -647,6 +653,10 @@ home_server_t *home_server_afrom_cs(TALLOC_CTX *ctx, realm_config_t *rc, CONF_SE
1456 */
1457 if (cf_section_parse(cs, home, home_server_config) < 0) goto error;
1458
1459+ if (fr_bool_auto_parse(cf_pair_find(cs, "require_message_authenticator"), &home->require_ma, require_message_authenticator) < 0) {
1460+ goto error;
1461+ }
1462+
1463 /*
1464 * It has an IP address, it must be a remote server.
1465 */
1466@@ -924,6 +934,7 @@ home_server_t *home_server_afrom_cs(TALLOC_CTX *ctx, realm_config_t *rc, CONF_SE
1467 * Parse the SSL client configuration.
1468 */
1469 if (tls) {
1470+ home->require_ma = false;
1471 home->tls = tls_client_conf_parse(tls);
1472 if (!home->tls) {
1473 goto error;
1474diff --git a/src/main/tls_listen.c b/src/main/tls_listen.c
1475index 0eed87b64f..4ae3c5b975 100644
1476--- a/src/main/tls_listen.c
1477+++ b/src/main/tls_listen.c
1478@@ -299,6 +299,8 @@ get_application_data:
1479 packet->vps = NULL;
1480 PTHREAD_MUTEX_UNLOCK(&sock->mutex);
1481
1482+ packet->tls = true;
1483+
1484 if (!rad_packet_ok(packet, 0, NULL)) {
1485 if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror());
1486 DEBUG("Closing TLS socket from client");
1487@@ -713,6 +715,8 @@ int proxy_tls_recv(rad_listen_t *listener)
1488 memcpy(packet->data, data, packet->data_len);
1489 memcpy(packet->vector, packet->data + 4, 16);
1490
1491+ packet->tls = true;
1492+
1493 /*
1494 * FIXME: Client MIB updates?
1495 */
1496@@ -765,6 +769,7 @@ int proxy_tls_send(rad_listen_t *listener, REQUEST *request)
1497 * if there's no packet, encode it here.
1498 */
1499 if (!request->proxy->data) {
1500+ request->reply->tls = true;
1501 request->proxy_listener->encode(request->proxy_listener,
1502 request);
1503 }
1504--
15052.35.7
1506
diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.27.bb
index 01d23fdf83..27cc12c347 100644
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.27.bb
@@ -16,31 +16,31 @@ DEPENDS = "openssl-native openssl libidn libtool libpcap libtalloc"
16SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0;;protocol=https \ 16SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0;;protocol=https \
17 file://freeradius \ 17 file://freeradius \
18 file://volatiles.58_radiusd \ 18 file://volatiles.58_radiusd \
19 file://freeradius-enble-user-in-conf.patch \
20 file://freeradius-configure.ac-allow-cross-compilation.patch \
21 file://freeradius-libtool-detection.patch \
22 file://freeradius-configure.ac-add-option-for-libcap.patch \
23 file://freeradius-avoid-searching-host-dirs.patch \
24 file://freeradius-rlm_python-add-PY_INC_DIR.patch \
25 file://freeradius-libtool-do-not-use-jlibtool.patch \
26 file://freeradius-fix-quoting-for-BUILT_WITH.patch \
27 file://freeradius-fix-error-for-expansion-of-macro.patch \
28 file://0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch \
29 file://0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch \
30 file://0001-raddb-certs-Makefile-fix-the-occasional-verification.patch \
31 file://0001-workaround-error-with-autoconf-2.7.patch \
32 file://radiusd.service \ 19 file://radiusd.service \
33 file://radiusd-volatiles.conf \ 20 file://radiusd-volatiles.conf \
34 file://check-openssl-cmds-in-script-bootstrap.patch \ 21 file://0001-Add-autogen.sh.patch \
35 file://0001-version.c-don-t-print-build-flags.patch \ 22 file://0002-Enable-and-change-user-and-group-of-freeradius-serve.patch \
36 file://CVE-2022-41860.patch \ 23 file://0003-configure.ac-allow-cross-compilation.patch \
37 file://CVE-2022-41861.patch \ 24 file://0004-Fix-libtool-detection.patch \
38 file://CVE-2024-3596.patch \ 25 file://0005-configure.ac-add-option-for-libcap.patch \
26 file://0006-Avoid-searching-host-dirs.patch \
27 file://0007-rlm_python-add-PY_INC_DIR-in-search-dir.patch \
28 file://0008-libtool-do-not-use-jlibtool.patch \
29 file://0009-Fix-quoting-for-BUILD_WITH.patch \
30 file://0010-fix-error-for-expansion-of-macro-in-thread.h.patch \
31 file://0011-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch \
32 file://0012-raddb-certs-Makefile-fix-the-existed-certificate-err.patch \
33 file://0013-raddb-certs-Makefile-fix-the-occasional-verification.patch \
34 file://0014-Workaround-error-with-autoconf-2.7.patch \
35 file://0015-bootstrap-check-commands-of-openssl-exist.patch \
36 file://0016-version.c-don-t-print-build-flags.patch \
39" 37"
40 38
41raddbdir="${sysconfdir}/${MLPREFIX}raddb" 39raddbdir="${sysconfdir}/${MLPREFIX}raddb"
42 40
43SRCREV = "af428abda249b2279ba0582180985a9f6f4a144a" 41SRCREV = "f317c5b2668a4de7065df46b31267cd6ff32ddf1"
42
43UPSTREAM_CHECK_GITTAGREGEX = "release_(?P<pver>\d+(\_\d+)+)"
44 44
45CVE_CHECK_IGNORE = "\ 45CVE_CHECK_IGNORE = "\
46 CVE-2002-0318 \ 46 CVE-2002-0318 \