From feb37930707107748a31300acb5f30189b7232a3 Mon Sep 17 00:00:00 2001
From: Haixiao Yan
Date: Mon, 18 Nov 2024 15:07:49 +0800
Subject: freeradius: upgrade 3.0.21 -> 3.0.27

ChangeLog: https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_27

Configuration changes: BlastRADIUS mitigations have been added to the "security" section. See require_message_authenticator and also limit_proxy_state. BlastRADIUS mitigations have been added to radclient. See man radclient, and the -b option.

Security fixes: CVE-2024-3596: RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-3596
https://www.freeradius.org/security/
https://www.blastradius.fail/
https://www.inkbridgenetworks.com/web/content/2557?unique=47be02c8aed46c53b0765db185320249ad873d95

Signed-off-by: Haixiao Yan
[Drop CVE-2024-3596 patch backported early]
Signed-off-by: Armin Kuster
---
 .../freeradius/files/0001-Add-autogen.sh.patch | 47 +
 ...-Makefile-fix-the-existed-certificate-err.patch | 55 -
 ...-Makefile-fix-the-occasional-verification.patch | 135 --
 ...Use-includedir-instead-of-hardcoding-usr-.patch | 28 -
 .../0001-version.c-don-t-print-build-flags.patch | 41 -
 .../0001-workaround-error-with-autoconf-2.7.patch | 42 -
 ...change-user-and-group-of-freeradius-serve.patch | 32 +
 ...0003-configure.ac-allow-cross-compilation.patch | 37 +
 .../files/0004-Fix-libtool-detection.patch | 71 +
 .../0005-configure.ac-add-option-for-libcap.patch | 70 +
 .../files/0006-Avoid-searching-host-dirs.patch | 198 +++
 ...7-rlm_python-add-PY_INC_DIR-in-search-dir.patch | 33 +
 .../files/0008-libtool-do-not-use-jlibtool.patch | 160 +++
 .../files/0009-Fix-quoting-for-BUILD_WITH.patch | 58 +
 ...-error-for-expansion-of-macro-in-thread.h.patch | 61 +
 ...Use-includedir-instead-of-hardcoding-usr-.patch | 31 +
 ...-Makefile-fix-the-existed-certificate-err.patch | 55 +
 ...-Makefile-fix-the-occasional-verification.patch | 136 ++
 .../0014-Workaround-error-with-autoconf-2.7.patch | 42 +
 ...bootstrap-check-commands-of-openssl-exist.patch | 44 +
 .../0016-version.c-don-t-print-build-flags.patch | 41 +
 .../freeradius/files/CVE-2022-41860.patch | 118 --
 .../freeradius/files/CVE-2022-41861.patch | 53 -
 .../freeradius/files/CVE-2024-3596.patch | 1506 --------------------
 .../check-openssl-cmds-in-script-bootstrap.patch | 38 -
 .../freeradius-avoid-searching-host-dirs.patch | 197 ---
 ...radius-configure.ac-add-option-for-libcap.patch | 70 -
 ...dius-configure.ac-allow-cross-compilation.patch | 37 -
 .../files/freeradius-enble-user-in-conf.patch | 28 -
 ...eeradius-fix-error-for-expansion-of-macro.patch | 61 -
 .../freeradius-fix-quoting-for-BUILT_WITH.patch | 55 -
 .../files/freeradius-libtool-detection.patch | 90 --
 .../freeradius-libtool-do-not-use-jlibtool.patch | 160 ---
 .../freeradius-rlm_python-add-PY_INC_DIR.patch | 33 -
 .../freeradius/freeradius_3.0.21.bb | 257 ----
 .../freeradius/freeradius_3.0.27.bb | 257 ++++
 36 files changed, 1373 insertions(+), 3004 deletions(-)
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0001-Add-autogen.sh.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-occasional-verification.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/0001-version.c-don-t-print-build-flags.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/0001-workaround-error-with-autoconf-2.7.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0002-Enable-and-change-user-and-group-of-freeradius-serve.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0003-configure.ac-allow-cross-compilation.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0004-Fix-libtool-detection.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0005-configure.ac-add-option-for-libcap.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0006-Avoid-searching-host-dirs.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0007-rlm_python-add-PY_INC_DIR-in-search-dir.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0008-libtool-do-not-use-jlibtool.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0009-Fix-quoting-for-BUILD_WITH.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0010-fix-error-for-expansion-of-macro-in-thread.h.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0011-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0012-raddb-certs-Makefile-fix-the-existed-certificate-err.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0013-raddb-certs-Makefile-fix-the-occasional-verification.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0014-Workaround-error-with-autoconf-2.7.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0015-bootstrap-check-commands-of-openssl-exist.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0016-version.c-don-t-print-build-flags.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/CVE-2024-3596.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/check-openssl-cmds-in-script-bootstrap.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/freeradius-avoid-searching-host-dirs.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-add-option-for-libcap.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-allow-cross-compilation.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/freeradius-enble-user-in-conf.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-error-for-expansion-of-macro.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-quoting-for-BUILT_WITH.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-detection.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-do-not-use-jlibtool.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/freeradius-rlm_python-add-PY_INC_DIR.patch
 delete mode 100644 meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
 create mode 100644 meta-networking/recipes-connectivity/freeradius/freeradius_3.0.27.bb
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-Add-autogen.sh.patch b/meta-networking/recipes-connectivity/freeradius/files/0001-Add-autogen.sh.patch
new file mode 100644
index 0000000000..968998ddb6
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0001-Add-autogen.sh.patch
@@ -0,0 +1,47 @@
+From 3be3b9a1345942d1578ec73efa9b2e3c41bd67c5 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 21 Jan 2022 13:22:24 +0800
+Subject: [PATCH] Add autogen.sh
+
+The autogen.sh has been removed since 3.0.22[1]. But we still need it in
+do_configure. Add it back.
+
+[1] https://github.com/FreeRADIUS/freeradius-server/commit/2e9b6227efd19e2b0926541aa26874908e7b7314
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+Signed-off-by: Haixiao Yan
+---
+ autogen.sh | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+ create mode 100755 autogen.sh
+
+diff --git a/autogen.sh b/autogen.sh
+new file mode 100755
+index 0000000000..959182b39e
+--- /dev/null
++++ b/autogen.sh
+@@ -0,0 +1,19 @@
++#!/bin/sh -e
++
++parentdir=`dirname $0`
++
++cd $parentdir
++parentdir=`pwd`
++m4include="-I$parentdir -I$parentdir/m4 -Im4"
++
++autoreconf -Wcross --verbose --install --force
++
++mysubdirs="$mysubdirs `find src/modules/ -name configure -print | sed 's%/configure%%'`"
++mysubdirs=`echo $mysubdirs`
++
++for F in $mysubdirs
++do
++ echo "Configuring in $F..."
++ (cd $F && grep "^AC_CONFIG_HEADER" configure.ac > /dev/null || exit 0; autoheader $m4include)
++ (cd $F && autoconf $m4include)
++done
+-- 
+2.25.1
+
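Review bot: The restored autogen.sh leaves `$0`, `$parentdir` and `$F` unquoted in `parentdir=`dirname $0``, `cd $parentdir` and the two `(cd $F && ...)` subshells, so a checkout path containing whitespace is word-split before `cd` runs and the script aborts under `sh -e` with an unhelpful message. Quoting the single-path expansions fixes that without touching the intentional splitting of `$mysubdirs`: `parentdir=$(dirname "$0")`, `cd "$parentdir"`, `(cd "$F" && ...)`. Since the file is a copy of the one upstream removed and is marked Inappropriate, the layer owns it, so bringing it to current shell practice (`$(...)` instead of backticks) is reasonable here.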
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch b/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch deleted file mode 100644 index 669f363e72..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 084f5467672f2ae37003b77e8f8706772f3da3ec Mon Sep 17 00:00:00 2001 -From: Mingli Yu -Date: Mon, 13 Jul 2020 07:01:45 +0000 -Subject: [PATCH] raddb/certs/Makefile: fix the existed certificate error - -Fixes: - # ./bootstrap - [snip] -openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key 'whatever' -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf -Using configuration from ./client.cnf -Check that the request matches the signature -Signature ok -ERROR:There is already a certificate for /C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org -The matching entry has the following details -Type :Valid -Expires on :200908024833Z -Serial Number :02 -File name :unknown -Subject Name :/C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org -make: *** [Makefile:128: client.crt] Error 1 - -Add the check to fix the above error and it does the same for server.crt. - -Upstream-Status: Pending - -Signed-off-by: Mingli Yu ---- - raddb/certs/Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile -index 5cbfd467ce..77eec9baa1 100644 ---- a/raddb/certs/Makefile -+++ b/raddb/certs/Makefile -@@ -92,7 +92,7 @@ server.csr server.key: server.cnf - chmod g+r server.key - - server.crt: server.csr ca.key ca.pem -- $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf -+ @[ -f server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf - - server.p12: server.crt - $(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) -@@ -117,7 +117,7 @@ client.csr client.key: client.cnf - chmod g+r 
client.key - - client.crt: client.csr ca.pem ca.key -- $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf -+ @[ -f client.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf - - client.p12: client.crt - $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) --- -2.26.2 - diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-occasional-verification.patch b/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-occasional-verification.patch deleted file mode 100644 index dce0427e1a..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-occasional-verification.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -From 3eda5d35fbaf66ed6bdc86ada4320a0a18681b7e Mon Sep 17 00:00:00 2001 -From: Mingli Yu -Date: Wed, 5 Aug 2020 07:23:11 +0000 -Subject: [PATCH] raddb/certs/Makefile: fix the occasional verification failure - -Fixes: - # cd /etc/raddb/certs - # ./bootstrap -[snip] -chmod g+r ca.key -openssl pkcs12 -in server.p12 -out server.pem -passin pass:'whatever' -passout pass:'whatever' -chmod g+r server.pem -C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org -error 7 at 0 depth lookup: certificate signature failure -140066667427072:error:04067084:rsa routines:rsa_ossl_public_decrypt:data too large for modulus:../openssl-1.1.1g/crypto/rsa/rsa_ossl.c:553: -140066667427072:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../openssl-1.1.1g/crypto/asn1/a_verify.c:170: -error server.pem: verification failed -make: *** [Makefile:107: server.vrfy] Error 2 - -It seems the ca.pem mismatchs server.pem which results in failing to -execute "openssl verify -CAfile ca.pem server.pem", so add to check -the file to avoid inconsistency. 
- -Upstream-Status: Pending - -Signed-off-by: Mingli Yu ---- - raddb/certs/Makefile | 30 +++++++++++++++--------------- - 1 file changed, 15 insertions(+), 15 deletions(-) - -diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile -index 77eec9baa1..3dcb63fe71 100644 ---- a/raddb/certs/Makefile -+++ b/raddb/certs/Makefile -@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf - # - ###################################################################### - dh: -- $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE) -+ @[ -f dh ] || $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE) - - ###################################################################### - # -@@ -69,17 +69,17 @@ dh: - ca.key ca.pem: ca.cnf - @[ -f index.txt ] || $(MAKE) index.txt - @[ -f serial ] || $(MAKE) serial -- $(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \ -+ @[ -f ca.pem ] || $(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \ - -days $(CA_DEFAULT_DAYS) -config ./ca.cnf \ - -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) - chmod g+r ca.key - - ca.der: ca.pem -- $(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der -+ @[ -f ca.der ] || $(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der - - ca.crl: ca.pem -- $(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA) -- $(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl -+ @[ -f ca-crl.pem ] || $(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA) -+ @[ -f ca.crl ] || $(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl - rm ca-crl.pem - - ###################################################################### -@@ -88,18 +88,18 @@ ca.crl: ca.pem - # - ###################################################################### - server.csr server.key: server.cnf -- $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf -+ @[ -f server.csr ] || $(OPENSSL) req -new -out server.csr 
-keyout server.key -config ./server.cnf - chmod g+r server.key - - server.crt: server.csr ca.key ca.pem - @[ -f server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf - - server.p12: server.crt -- $(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) -+ @[ -f server.p12 ] || $(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) - chmod g+r server.p12 - - server.pem: server.p12 -- $(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) -+ @[ -f server.pem ] || $(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) - chmod g+r server.pem - - .PHONY: server.vrfy -@@ -113,18 +113,18 @@ server.vrfy: ca.pem - # - ###################################################################### - client.csr client.key: client.cnf -- $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf -+ @[ -f client.csr ] || $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf - chmod g+r client.key - - client.crt: client.csr ca.pem ca.key - @[ -f client.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf - - client.p12: client.crt -- $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) -+ @[ -f client.p12 ] || $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) - chmod g+r client.p12 - - client.pem: client.p12 -- $(OPENSSL) pkcs12 -in client.p12 
-out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) -+ @[ -f client.pem ] || $(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) - chmod g+r client.pem - cp client.pem $(USER_NAME).pem - -@@ -139,18 +139,18 @@ client.vrfy: ca.pem client.pem - # - ###################################################################### - inner-server.csr inner-server.key: inner-server.cnf -- $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf -+ @[ -f inner-server.csr] || $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf - chmod g+r inner-server.key - - inner-server.crt: inner-server.csr ca.key ca.pem -- $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf -+ @[ -f inner-server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf - - inner-server.p12: inner-server.crt -- $(OPENSSL) pkcs12 -export -in inner-server.crt -inkey inner-server.key -out inner-server.p12 -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER) -+ @[ -f inner-server.p12 ] || $(OPENSSL) pkcs12 -export -in inner-server.crt -inkey inner-server.key -out inner-server.p12 -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER) - chmod g+r inner-server.p12 - - inner-server.pem: inner-server.p12 -- $(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER) -+ @[ -f inner-server.pem ] || $(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER) - chmod g+r inner-server.pem - - .PHONY: inner-server.vrfy --- -2.26.2 - 
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch b/meta-networking/recipes-connectivity/freeradius/files/0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch deleted file mode 100644 index db8caab12e..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 66e8bcdcca8971b5c43c31755d56d7f675d8b5ff Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Fri, 16 Jun 2017 20:10:49 -0700 -Subject: [PATCH] rlm_mschap: Use includedir instead of hardcoding /usr/include - -OE QA flags it correctly as a voilation of cross compilation -namespace - -Upstream-Status: Pending - -Signed-off-by: Khem Raj ---- - src/modules/rlm_mschap/configure.ac | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: freeradius-server-3.0.14/src/modules/rlm_mschap/configure.ac -=================================================================== ---- freeradius-server-3.0.14.orig/src/modules/rlm_mschap/configure.ac -+++ freeradius-server-3.0.14/src/modules/rlm_mschap/configure.ac -@@ -72,7 +72,7 @@ if test x$with_[]modname != xno; then - mod_ldflags="-framework DirectoryService" - fi - -- smart_try_dir="$winbind_include_dir /usr/include/samba-4.0" -+ smart_try_dir="$winbind_include_dir =/usr/include/samba-4.0" - FR_SMART_CHECK_INCLUDE(wbclient.h, [#include - #include ]) - if test "x$ac_cv_header_wbclient_h" != "xyes"; then diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-version.c-don-t-print-build-flags.patch b/meta-networking/recipes-connectivity/freeradius/files/0001-version.c-don-t-print-build-flags.patch deleted file mode 100644 index 697205efe0..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/0001-version.c-don-t-print-build-flags.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From cbc64dcf6aa2a1be63f45ea6dd7d2c49b70a0bee Mon Sep 17 00:00:00 2001 -From: Mingli Yu -Date: Wed, 3 Aug 2022 16:44:29 +0800 -Subject: [PATCH] version.c: don't print build flags - -Don't print the build flags to avoid collecting the build environment info. - -Upstream-Status: Inappropriate [oe specific] - -Signed-off-by: Mingli Yu ---- - src/main/version.c | 13 ------------- - 1 file changed, 13 deletions(-) - -diff --git a/src/main/version.c b/src/main/version.c -index 62972d9f53..cf81de72c9 100644 ---- a/src/main/version.c -+++ b/src/main/version.c -@@ -589,19 +589,6 @@ void version_print(void) - DEBUG2(" unknown"); - #endif - -- DEBUG2("Compilation flags:"); --#ifdef BUILT_WITH_CPPFLAGS -- DEBUG2(" cppflags : " BUILT_WITH_CPPFLAGS); --#endif --#ifdef BUILT_WITH_CFLAGS -- DEBUG2(" cflags : " BUILT_WITH_CFLAGS); --#endif --#ifdef BUILT_WITH_LDFLAGS -- DEBUG2(" ldflags : " BUILT_WITH_LDFLAGS); --#endif --#ifdef BUILT_WITH_LIBS -- DEBUG2(" libs : " BUILT_WITH_LIBS); --#endif - DEBUG2(" "); - } - INFO("FreeRADIUS Version " RADIUSD_VERSION_STRING); --- -2.25.1 - diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-workaround-error-with-autoconf-2.7.patch b/meta-networking/recipes-connectivity/freeradius/files/0001-workaround-error-with-autoconf-2.7.patch deleted file mode 100644 index 80c571df98..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/0001-workaround-error-with-autoconf-2.7.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 3b4ba29c7c5800df87eecd65214244619e01162b Mon Sep 17 00:00:00 2001 -From: Hongxu Jia -Date: Sun, 7 Feb 2021 16:02:36 +0800 -Subject: [PATCH] workaround error with autoconf 2.7 - -While using autoconf 2.7, the AM_MISSING_PROG caused unexpected error: -... -configure.ac: error: required file 'missing' not found -... - -Since these tools were explicitly added by autotools bbclass, -remove the testing to workaround the error with autoconf 2.7 - -Upstream-Status: Inappropriate [oe specific] - -Signed-off-by: Hongxu Jia ---- - configure.ac | 8 -------- - 1 file changed, 8 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 609efb104b..2d761cf62c 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -693,14 +693,6 @@ fi - - AC_PATH_PROG(RUSERS, rusers, /usr/bin/rusers) - --dnl # --dnl # FIXME This is truly gross. --dnl # --missing_dir=`cd $ac_aux_dir && pwd` --AM_MISSING_PROG(ACLOCAL, aclocal, $missing_dir) --AM_MISSING_PROG(AUTOCONF, autoconf, $missing_dir) --AM_MISSING_PROG(AUTOHEADER, autoheader, $missing_dir) -- - AC_PATH_PROG(LOCATE,locate) - AC_PATH_PROG(DIRNAME,dirname) - AC_PATH_PROG(GREP,grep) --- -2.27.0 - diff --git a/meta-networking/recipes-connectivity/freeradius/files/0002-Enable-and-change-user-and-group-of-freeradius-serve.patch b/meta-networking/recipes-connectivity/freeradius/files/0002-Enable-and-change-user-and-group-of-freeradius-serve.patch new file mode 100644 index 0000000000..c57ee93c33 --- /dev/null +++ b/meta-networking/recipes-connectivity/freeradius/files/0002-Enable-and-change-user-and-group-of-freeradius-serve.patch 
@@ -0,0 +1,32 @@
+From 2a74c10836c0d2d19248ca40d113936f4a56b039 Mon Sep 17 00:00:00 2001
+From: "Roy.Li"
+Date: Sun, 8 Jan 2023 22:47:11 +0800
+Subject: [PATCH] Enable and change user and group of freeradius server to
+ radiusd
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Roy.Li
+Signed-off-by: Jackie Huang
+---
+ raddb/radiusd.conf.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
+index 154b50d610..4594d6d2d2 100644
+--- a/raddb/radiusd.conf.in
++++ b/raddb/radiusd.conf.in
+@@ -557,8 +557,8 @@ security {
+ # member. This can allow for some finer-grained access
+ # controls.
+ #
+-# user = radius
+-# group = radius
++ user = radiusd
++ group = radiusd
+
+ # Core dumps are a bad thing. This should only be set to
+ # 'yes' if you're debugging a problem with the server.
+-- 
+2.25.1
+
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0003-configure.ac-allow-cross-compilation.patch b/meta-networking/recipes-connectivity/freeradius/files/0003-configure.ac-allow-cross-compilation.patch
new file mode 100644
index 0000000000..e5442360b3
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0003-configure.ac-allow-cross-compilation.patch
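Review bot: The hunk makes the daemon drop privileges to `user = radiusd` / `group = radiusd` unconditionally, but the patch description is only the subject line and says nothing about where that account comes from; if the recipe does not create it (the useradd handling is outside this diff, so I cannot confirm), radiusd refuses to start. A one-line addition to the description would make the dependency explicit, e.g. `The radiusd user and group are created by the recipe; the server will not start if they are missing.` The change itself is the right default for a production install, since running as root is what the commented-out upstream template leaves you with.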
@@ -0,0 +1,37 @@
+From ba1390a80662ff2ab7bfda978cde7df9a871f6ae Mon Sep 17 00:00:00 2001
+From: Changqing Li
+Date: Tue, 24 Jul 2018 15:03:39 +0800
+Subject: [PATCH] configure.ac: allow cross-compilation
+
+The checking OpenSSL library and header version consistency will
+always fail in cross compiling, skip the check and give a warning
+instead for cross compiling.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Jackie Huang
+Signed-off-by: Yi Zhao
+
+update to new version 3.0.17 to fix patch warning
+Signed-off-by: Changqing Li
+---
+ src/modules/rlm_krb5/configure.ac | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/modules/rlm_krb5/configure.ac b/src/modules/rlm_krb5/configure.ac
+index a0f510cfb3..d2f3eca03e 100644
+--- a/src/modules/rlm_krb5/configure.ac
++++ b/src/modules/rlm_krb5/configure.ac
+@@ -140,7 +140,8 @@ if test x$with_[]modname != xno; then
+ FR_SMART_CHECK_LIB(krb5, krb5_is_thread_safe)
+ if test "x$ac_cv_lib_krb5_krb5_is_thread_safe" = xyes; then
+ AC_RUN_IFELSE([AC_LANG_PROGRAM([[#include ]], [[return krb5_is_thread_safe() ? 0 : 1]])],
+- [krb5threadsafe="-DKRB5_IS_THREAD_SAFE"], [AC_MSG_WARN([[libkrb5 is not threadsafe]])])
++ [krb5threadsafe="-DKRB5_IS_THREAD_SAFE"], [AC_MSG_WARN([[libkrb5 is not threadsafe]])],
++ [AC_MSG_WARN(cross compiling: not checking)])
+ fi
+ else
+ krb5threadsafe=""
+-- 
+2.25.1
+
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0004-Fix-libtool-detection.patch b/meta-networking/recipes-connectivity/freeradius/files/0004-Fix-libtool-detection.patch
new file mode 100644
index 0000000000..479e1ba76f
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0004-Fix-libtool-detection.patch
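Review bot: The patch description talks about an OpenSSL library/header version-consistency check, but the only hunk adds a cross-compiling action to the `krb5_is_thread_safe` AC_RUN_IFELSE in `src/modules/rlm_krb5/configure.ac`, so the text no longer describes the change it carries. Rewrite it along the lines of `AC_RUN_IFELSE cannot execute the krb5_is_thread_safe probe when cross compiling; add an action-if-cross-compiling that warns and leaves KRB5_IS_THREAD_SAFE undefined.` For consistency with the sibling branch on the previous line, quote the message the same way: `[AC_MSG_WARN([[cross compiling: not checking]])])`. Leaving `krb5threadsafe` unset in the cross case builds the module as if libkrb5 were not thread-safe, which is the conservative outcome and worth stating in the description.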
@@ -0,0 +1,71 @@
+From 5ba3d140842268cbbdd983266efecb1fba5bdd59 Mon Sep 17 00:00:00 2001
+From: Changqing Li
+Date: Thu, 22 Aug 2019 10:45:46 +0800
+Subject: [PATCH] Fix libtool detection
+
+Use LT_INIT instead of the deprecated AC_PROG_LIBTOOL to detect libtool, so it
+can work with our libtoolize and libtool.
+
+Simplify the detection of ltdl. It will find the ltdl from the sysroot; the
+switch --with-system-libltdl is no longer needed. The code is copied from
+pulseaudio configure.ac, together with the comment paragraph.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Jesse Zhang
+Signed-off-by: Jackie Huang
+Signed-off-by: Changqing Li
+---
+ configure.ac | 36 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index ad8bc8cdda..ef8fced680 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -321,6 +321,42 @@ dnl # See if we have Git.
+ dnl #
+ AC_CHECK_PROG(GIT, git, yes, no)
+
++#### libtool stuff ####
++
++dnl set this shit so it doesn't force CFLAGS...
++LTCFLAGS=" "
++
++LT_PREREQ(2.2)
++LT_INIT([dlopen disable-static])
++
++dnl Unfortunately, even up to libtool 2.2.6a there is no way to know
++dnl exactly which version of libltdl is present in the system, so we
++dnl just assume that it's a working version as long as we have the
++dnl library and the header files.
++dnl
++dnl As an extra safety device, check for lt_dladvise_init() which is
++dnl only implemented in libtool 2.x, and refine as we go if we have
++dnl refined requirements.
++dnl
++dnl Check the header files first since the system may have a
++dnl libltdl.so for runtime, but no headers, and we want to bail out as
++dnl soon as possible.
++dnl
++dnl We don't need any special variable for this though, since the user
++dnl can give the proper place to find libltdl through the standard
++dnl variables like LDFLAGS and CPPFLAGS.
++
++AC_CHECK_HEADER([ltdl.h],
++ [AC_CHECK_LIB([ltdl], [lt_dladvise_init], [LIBLTDL=-lltdl], [LIBLTDL=])],
++ [LIBLTDL=])
++
++AS_IF([test "x$LIBLTDL" = "x"],
++ [AC_MSG_ERROR([Unable to find libltdl version 2. Makes sure you have libtool 2.2 or later installed.])])
++AC_SUBST([LIBLTDL])
++LTDL_SUBDIRS=
++INCLTDL=-DWITH_SYSTEM_LTDL
++AC_SUBST(LTDL_SUBDIRS)
++
+ dnl Put this in later, when all distributed modules use autoconf.
+ dnl AC_ARG_WITH(disablemodulefoo,
+ dnl [ --without-rlm_foo Disables module compilation. Module list:]
+-- 
+2.25.1
+
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0005-configure.ac-add-option-for-libcap.patch b/meta-networking/recipes-connectivity/freeradius/files/0005-configure.ac-add-option-for-libcap.patch
new file mode 100644
index 0000000000..8ef3c4bdf9
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0005-configure.ac-add-option-for-libcap.patch
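Review bot: The AC_MSG_ERROR text near the end of the hunk reads `Makes sure you have libtool 2.2 or later installed.`; it should be `Make sure you have libtool 2.2 or later installed.`, since this is what a user sees when the ltdl probe fails. The comment `dnl set this shit so it doesn't force CFLAGS...` came along with the block copied from pulseaudio and would read better as `dnl Keep libtool from overriding CFLAGS.` The patch is marked Inappropriate [embedded specific], so it will stay in this layer for the life of the recipe and is worth tidying now rather than re-carrying on the next upgrade.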
@@ -0,0 +1,70 @@ +From 9548dc5e1a6c835cd4f387ba384d8f3f14c3fc8b Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Thu, 22 Aug 2019 10:50:21 +0800 +Subject: [PATCH] configure.ac: add option for libcap + +Upstream-Status: Pending + +Signed-off-by: Jackie Huang +Signed-off-by: Changqing Li +--- + configure.ac | 36 +++++++++++++++++++++++++++--------- + 1 file changed, 27 insertions(+), 9 deletions(-) + +diff --git a/configure.ac b/configure.ac +index ef8fced680..263098f7fd 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1161,6 +1161,22 @@ fi + dnl Set by FR_SMART_CHECKLIB + LIBS="${old_LIBS}" + ++dnl # ++dnl # extra argument: --with-libcap ++dnl # ++WITH_LIBCAP=yes ++AC_ARG_WITH(libcap, ++[ --with-licap use licap for debugger checks. (default=yes)], ++[ case "$withval" in ++ no) ++ WITH_LIBCAP=no ++ ;; ++ *) ++ WITH_LIBCAP=yes ++ ;; ++ esac ] ++) ++ + dnl Check for cap + dnl extra argument: --with-cap-lib-dir=DIR + cap_lib_dir= +@@ -1194,15 +1210,17 @@ AC_ARG_WITH(cap-include-dir, + ;; + esac]) + +-smart_try_dir="$cap_lib_dir" +-FR_SMART_CHECK_LIB(cap, cap_get_proc) +-if test "x$ac_cv_lib_cap_cap_get_proc" != "xyes"; then +- AC_MSG_WARN([cap library not found, debugger checks will not be enabled. Use --with-cap-lib-dir=.]) +-else +- AC_DEFINE(HAVE_LIBCAP, 1, +- [Define to 1 if you have the `cap' library (-lcap).] +- ) +- HAVE_LIBCAP=1 ++if test "x$WITH_LIBCAP" = xyes; then ++ smart_try_dir="$cap_lib_dir" ++ FR_SMART_CHECK_LIB(cap, cap_get_proc) ++ if test "x$ac_cv_lib_cap_cap_get_proc" != "xyes"; then ++ AC_MSG_WARN([cap library not found, debugger checks will not be enabled. Use --with-cap-lib-dir=.]) ++ else ++ AC_DEFINE(HAVE_LIBCAP, 1, ++ [Define to 1 if you have the `cap' library (-lcap).] ++ ) ++ HAVE_LIBCAP=1 ++ fi + fi + + dnl # +-- +2.25.1 + 
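Review bot: The help string does not match the option it documents: `[ --with-licap use licap for debugger checks. (default=yes)]` should be `[ --with-libcap use libcap for debugger checks. (default=yes)]`, otherwise `configure --help` advertises an option that does not exist. When the option is disabled nothing is printed, so a build that drops the libcap-based debugger checks does so silently; an `else` branch with `AC_MSG_WARN([libcap disabled, debugger checks will not be enabled])` would keep parity with the existing not-found warning. The patch header says `Upstream-Status: Pending` with a 2019 date; if upstream has not taken it the layer is carrying a long-lived divergence in a configure path that gates a hardening check, and the header should say whether it was ever submitted.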
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0006-Avoid-searching-host-dirs.patch b/meta-networking/recipes-connectivity/freeradius/files/0006-Avoid-searching-host-dirs.patch new file mode 100644 index 0000000000..8fd0dca443 --- /dev/null +++ b/meta-networking/recipes-connectivity/freeradius/files/0006-Avoid-searching-host-dirs.patch 
@@ -0,0 +1,198 @@ +From 8fe25b30b6fbb3170705f4468eb4c92eef3a968f Mon Sep 17 00:00:00 2001 +From: Jackie Huang +Date: Mon, 4 Jan 2016 01:44:04 -0500 +Subject: [PATCH] Avoid searching host dirs + +Don't search the hardcoded host dirs to avoid +host contamination. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Jackie Huang +Signed-off-by: Yi Zhao +--- + acinclude.m4 | 4 ++-- + src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac | 4 ++-- + src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac | 4 ++-- + src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac | 4 ++-- + src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac | 6 +++--- + src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac | 2 +- + src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac | 4 ++-- + src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac | 4 ++-- + 8 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/acinclude.m4 b/acinclude.m4 +index a953d0e1b6..ede143d3c2 100644 +--- a/acinclude.m4 ++++ b/acinclude.m4 +@@ -115,7 +115,7 @@ dnl # + dnl # Try to guess possible locations. 
+ dnl # + if test "x$smart_lib" = "x"; then +- for try in /usr/local/lib /opt/lib; do ++ for try in $smart_lib_dir; do + AC_MSG_CHECKING([for $2 in -l$1 in $try]) + LIBS="-l$1 $old_LIBS" + CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" +@@ -155,7 +155,7 @@ ac_safe=`echo "$1" | sed 'y%./+-%__pm%'` + old_CPPFLAGS="$CPPFLAGS" + smart_include= + dnl # The default directories we search in (in addition to the compilers search path) +-smart_include_dir="/usr/local/include /opt/include" ++smart_include_dir= + + dnl # Our local versions + _smart_try_dir= +diff --git a/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac +index 44f84aa27e..23a1899591 100644 +--- a/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac ++++ b/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac +@@ -61,14 +61,14 @@ if test x$with_[]modname != xno; then + esac]) + + dnl Check for SQLConnect in -ldb2 +- smart_try_dir="$ibmdb2_lib_dir /usr/local/db2/lib /usr/IBMdb2/V7.1/lib" ++ smart_try_dir="$ibmdb2_lib_dir" + FR_SMART_CHECK_LIB(db2, SQLConnect) + if test "x$ac_cv_lib_db2_SQLConnect" != xyes; then + fail="$fail libdb2" + fi + + dnl Check for sqlcli.h +- smart_try_dir="$ibmdb2_include_dir /usr/local/db2/include /usr/IBMdb2/V7.1/include" ++ smart_try_dir="$ibmdb2_include_dir" + FR_SMART_CHECK_INCLUDE(sqlcli.h) + if test "x$ac_cv_header_sqlcli_h" != xyes; then + fail="$fail sqlcli.h" +diff --git a/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac +index 4c2fd7ba9e..10c864def5 100644 +--- a/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac ++++ b/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac +@@ -60,14 +60,14 @@ if test x$with_[]modname != xno; then + esac]) + + dnl Check for isc_attach_database in -lfbclient +- smart_try_dir="$firebird_lib_dir /usr/lib/firebird2/lib /usr/local/firebird/lib" ++ smart_try_dir="$firebird_lib_dir" + FR_SMART_CHECK_LIB(fbclient, 
isc_attach_database) + if test "x$ac_cv_lib_fbclient_isc_attach_database" != xyes; then + fail="$fail libfbclient" + fi + + dnl Check for ibase.h +- smart_try_dir="$firebird_include_dir /usr/lib/firebird2/include /usr/local/firebird/include" ++ smart_try_dir="$firebird_include_dir" + FR_SMART_CHECK_INCLUDE(ibase.h) + if test "x$ac_cv_header_ibase_h" != xyes; then + fail="$fail ibase.h" +diff --git a/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac +index d26ac9c431..6e4500e948 100644 +--- a/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac ++++ b/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac +@@ -61,14 +61,14 @@ if test x$with_[]modname != xno; then + esac]) + + dnl Check for SQLConnect in -liodbc +- smart_try_dir="$iodbc_lib_dir /usr/lib /usr/lib/iodbc /usr/local/lib/iodbc /usr/local/iodbc/lib/iodbc" ++ smart_try_dir="$iodbc_lib_dir" + FR_SMART_CHECK_LIB(iodbc, SQLConnect) + if test "x$ac_cv_lib_iodbc_SQLConnect" != xyes; then + fail="$fail libiodbc" + fi + + dnl Check for isql.h +- smart_try_dir="$iodbc_include_dir /usr/include /usr/include/iodbc /usr/local/iodbc/include" ++ smart_try_dir="$iodbc_include_dir" + FR_SMART_CHECK_INCLUDE(isql.h) + if test "x$ac_cv_header_isql_h" != xyes; then + fail="$fail isql.h" +diff --git a/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac +index df36da77bf..31359041c7 100644 +--- a/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac ++++ b/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac +@@ -140,7 +140,7 @@ if test x$with_[]modname != xno; then + + dnl # Check for libmysqlclient_r + if test "x$have_a_libmysqlclient" != "xyes"; then +- smart_try_dir="$mysql_lib_dir /usr/lib /usr/lib/mysql /usr/local/lib/mysql /usr/local/mysql/lib/mysql" ++ smart_try_dir="$mysql_lib_dir" + FR_SMART_CHECK_LIB(mysqlclient_r, mysql_init) + if test "x$ac_cv_lib_mysqlclient_r_mysql_init" = "xyes"; then + 
have_a_libmysqlclient='yes' +@@ -149,7 +149,7 @@ if test x$with_[]modname != xno; then + + dnl # Check for libmysqlclient + if test "x$have_a_libmysqlclient" != "xyes"; then +- smart_try_dir="$mysql_lib_dir /usr/lib /usr/lib/mysql /usr/local/lib/mysql /usr/local/mysql/lib/mysql" ++ smart_try_dir="$mysql_lib_dir" + FR_SMART_CHECK_LIB(mysqlclient, mysql_init) + if test "x$ac_cv_lib_mysqlclient_mysql_init" = "xyes"; then + have_a_libmysqlclient='yes' +@@ -243,7 +243,7 @@ if test x$with_[]modname != xno; then + fi + + if test "x$have_mysql_h" != "xyes"; then +- smart_try_dir="$mysql_include_dir /usr/local/include /usr/local/mysql/include" ++ smart_try_dir="$mysql_include_dir" + FR_SMART_CHECK_INCLUDE(mysql/mysql.h) + if test "x$ac_cv_header_mysql_mysql_h" = "xyes"; then + AC_DEFINE(HAVE_MYSQL_MYSQL_H, [], [Define if you have ]) +diff --git a/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac +index 3b45da582a..03e6607d2b 100644 +--- a/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac ++++ b/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac +@@ -68,7 +68,7 @@ if test x$with_[]modname != xno; then + dnl # Check for header files + dnl ############################################################ + +- smart_try_dir="$oracle_include_dir /usr/local/instaclient/include" ++ smart_try_dir="$oracle_include_dir" + + if test "x$ORACLE_HOME" != "x"; then + smart_try_dir="${smart_try_dir} ${ORACLE_HOME}/include" +diff --git a/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac +index 8ac1022e89..d46c0f66bf 100644 +--- a/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac ++++ b/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac +@@ -45,7 +45,7 @@ if test x$with_[]modname != xno; then + esac ] + ) + +- smart_try_dir="$rlm_sql_postgresql_include_dir /usr/include/postgresql /usr/local/pgsql/include /usr/include/pgsql" ++ 
smart_try_dir="$rlm_sql_postgresql_include_dir" + FR_SMART_CHECK_INCLUDE(libpq-fe.h) + if test "x$ac_cv_header_libpqmfe_h" != "xyes"; then + fail="$fail libpq-fe.h" +@@ -94,7 +94,7 @@ if test x$with_[]modname != xno; then + ]) + fi + +- smart_try_dir="$rlm_sql_postgresql_lib_dir /usr/lib /usr/local/pgsql/lib" ++ smart_try_dir="$rlm_sql_postgresql_lib_dir" + FR_SMART_CHECK_LIB(pq, PQconnectdb) + if test "x$ac_cv_lib_pq_PQconnectdb" != "xyes"; then + fail="$fail libpq" +diff --git a/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac +index f10279fe1f..0081a338c8 100644 +--- a/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac ++++ b/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac +@@ -61,14 +61,14 @@ if test x$with_[]modname != xno; then + esac]) + + dnl Check for SQLConnect in -lodbc +- smart_try_dir="$unixodbc_lib_dir /usr/local/unixodbc/lib" ++ smart_try_dir="$unixodbc_lib_dir" + FR_SMART_CHECK_LIB(odbc, SQLConnect) + if test "x$ac_cv_lib_odbc_SQLConnect" != xyes; then + fail="$fail libodbc" + fi + + dnl Check for sql.h +- smart_try_dir="$unixodbc_include_dir /usr/local/unixodbc/include" ++ smart_try_dir="$unixodbc_include_dir" + FR_SMART_CHECK_INCLUDE(sql.h) + if test "x$ac_cv_header_sql_h" != xyes; then + fail="$fail sql.h" +-- +2.25.1 + diff --git a/meta-networking/recipes-connectivity/freeradius/files/0007-rlm_python-add-PY_INC_DIR-in-search-dir.patch b/meta-networking/recipes-connectivity/freeradius/files/0007-rlm_python-add-PY_INC_DIR-in-search-dir.patch new file mode 100644 index 0000000000..cb71fb1373 --- /dev/null +++ b/meta-networking/recipes-connectivity/freeradius/files/0007-rlm_python-add-PY_INC_DIR-in-search-dir.patch 
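Review bot: In acinclude.m4 the library probe loop now reads `for try in $smart_lib_dir; do`, but nothing in the hunk assigns smart_lib_dir, whereas the include side explicitly sets `smart_include_dir=`; if the variable is unset elsewhere in the macro the loop is a harmless no-op, but an explicit `smart_lib_dir=` beside the include default would make the "search nothing by default" intent visible rather than accidental. The rlm_sql_oracle driver still appends `${ORACLE_HOME}/include` taken from the build environment, which is the same class of host-directory leak this patch removes from the other drivers; BitBake normally scrubs the environment, but a short note in the patch header on why ORACLE_HOME is deliberately kept would stop a later reviewer re-opening it.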
@@ -0,0 +1,33 @@
+From e4ff7a2a9834e2589bc7bdda4b74f5bc962b15e6 Mon Sep 17 00:00:00 2001
+From: Jackie Huang
+Date: Wed, 27 Jan 2016 05:07:19 -0500
+Subject: [PATCH] rlm_python: add PY_INC_DIR in search dir
+
+configure option --with-rlm-python-include-dir is used to set
+PY_INC_DIR which is never used and it fails to find Python.h,
+so add it into search dir to fix it.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Jackie Huang
+Signed-off-by: Yi Zhao
+---
+ src/modules/rlm_python/configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/modules/rlm_python/configure.ac b/src/modules/rlm_python/configure.ac
+index 08ecb62518..d5c0944ff1 100644
+--- a/src/modules/rlm_python/configure.ac
++++ b/src/modules/rlm_python/configure.ac
+@@ -98,7 +98,7 @@ if test x$with_[]modname != xno; then
+ 
+ old_CFLAGS=$CFLAGS
+ CFLAGS="$CFLAGS $PY_CFLAGS"
+- smart_try_dir="$PY_PREFIX/include/python$PY_SYS_VERSION"
++ smart_try_dir="$PY_PREFIX/include/python$PY_SYS_VERSION $PY_INC_DIR"
+ FR_SMART_CHECK_INCLUDE(Python.h)
+ CFLAGS=$old_CFLAGS
+ 
+--
+2.25.1
+
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0008-libtool-do-not-use-jlibtool.patch b/meta-networking/recipes-connectivity/freeradius/files/0008-libtool-do-not-use-jlibtool.patch
new file mode 100644
index 0000000000..559b857b63
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0008-libtool-do-not-use-jlibtool.patch
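Review bot: `$PY_INC_DIR` is appended after `$PY_PREFIX/include/python$PY_SYS_VERSION`, so the directory the user passed with `--with-rlm-python-include-dir` is only tried once the prefix-derived path has been searched; if FR_SMART_CHECK_INCLUDE stops at the first hit (the macro is not in this hunk), a Python.h found under the prefix wins over the explicitly requested one, which is the kind of host contamination the recipe is trying to avoid. Putting the explicit directory first, `smart_try_dir="$PY_INC_DIR $PY_PREFIX/include/python$PY_SYS_VERSION"`, gives the user-supplied path precedence while keeping the existing fallback.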
@@ -0,0 +1,160 @@ +From d0fa5b259c2dc942d0a43a9cf1bfc32f40c184f9 Mon Sep 17 00:00:00 2001 +From: Jackie Huang +Date: Thu, 7 Jan 2016 22:37:30 -0800 +Subject: [PATCH] libtool: do not use jlibtool + +jlibtool is hardcoded to be used but we need to use +our libtool, so fix the makfiles to make it compatible +with our libtool. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Jackie Huang +Signed-off-by: Yi Zhao +--- + Make.inc.in | 4 ++-- + scripts/boiler.mk | 2 ++ + scripts/install.mk | 14 +++++++------- + scripts/libtool.mk | 22 ++++++++++++++++------ + 4 files changed, 27 insertions(+), 15 deletions(-) + +diff --git a/Make.inc.in b/Make.inc.in +index 05f82776ff..e78f3fe9dc 100644 +--- a/Make.inc.in ++++ b/Make.inc.in +@@ -57,7 +57,7 @@ CPPFLAGS = @CPPFLAGS@ + LIBPREFIX = @LIBPREFIX@ + EXEEXT = @EXEEXT@ + +-LIBTOOL = JLIBTOOL ++LIBTOOL = @LIBTOOL@ + ACLOCAL = @ACLOCAL@ + AUTOCONF = @AUTOCONF@ + AUTOHEADER = @AUTOHEADER@ +@@ -168,7 +168,7 @@ ANALYZE.c := @clang_path@ + # + ifeq "$(USE_SHARED_LIBS)" "yes" + TESTBINDIR = ./$(BUILD_DIR)/bin/local +- TESTBIN = FR_LIBRARY_PATH=./build/lib/.libs $(JLIBTOOL) --quiet --mode=execute $(TESTBINDIR) ++ TESTBIN = FR_LIBRARY_PATH=./build/lib/.libs $(LIBTOOL) --quiet --mode=execute $(TESTBINDIR) + else + TESTBINDIR = ./$(BUILD_DIR)/bin + TESTBIN = ./$(BUILD_DIR)/bin +diff --git a/scripts/boiler.mk b/scripts/boiler.mk +index 2ce0c18f34..567cc0f22f 100644 +--- a/scripts/boiler.mk ++++ b/scripts/boiler.mk +@@ -272,6 +272,7 @@ define COMPILE_C_CMDS + $(Q)$(ECHO) CC $< + $(Q)$(strip ${COMPILE.c} -o $@ -c -MD ${CPPFLAGS} ${CFLAGS} ${SRC_CFLAGS} ${INCDIRS} \ + $(addprefix -I, ${SRC_INCDIRS}) ${SRC_DEFS} ${DEFS} $<) ++ ${Q}mv $(dir $@)/.libs/$(notdir $*.d) ${BUILD_DIR}/objs/$*.d + endef + else + # +@@ -287,6 +288,7 @@ define COMPILE_C_CMDS + $(Q)cppcheck --enable=style -q ${CHECKFLAGS} $(filter -isystem%,${SRC_CFLAGS}) \ + $(filter -I%,${SRC_CFLAGS}) $(filter -D%,${SRC_CFLAGS}) ${INCDIRS} \ + $(addprefix 
-I,${SRC_INCDIRS}) ${SRC_DEFS} ${DEFS} --suppress=variableScope --suppress=invalidscanf $< ++ ${Q}mv $(dir $@)/.libs/$(notdir $*.d) ${BUILD_DIR}/objs/$*.d + endef + endif + +diff --git a/scripts/install.mk b/scripts/install.mk +index 916411563b..e38c1ed697 100644 +--- a/scripts/install.mk ++++ b/scripts/install.mk +@@ -46,7 +46,7 @@ define ADD_INSTALL_RULE.exe + install: $${${1}_INSTALLDIR}/$(notdir ${1}) + + # Install executable ${1} +- $${${1}_INSTALLDIR}/$(notdir ${1}): ${JLIBTOOL} $${${1}_BUILD}/${1} | $${${1}_INSTALLDIR} ++ $${${1}_INSTALLDIR}/$(notdir ${1}): ${LIBTOOL} $${${1}_BUILD}/${1} | $${${1}_INSTALLDIR} + @$(ECHO) INSTALL ${1} + $(Q)$${PROGRAM_INSTALL} -c -m 755 $${BUILD_DIR}/bin/${1} $${${1}_INSTALLDIR}/ + $(Q)$${${1}_POSTINSTALL} +@@ -65,7 +65,7 @@ define ADD_INSTALL_RULE.a + install: $${${1}_INSTALLDIR}/$(notdir ${1}) + + # Install static library ${1} +- $${${1}_INSTALLDIR}/$(notdir ${1}): ${JLIBTOOL} ${1} | $${${1}_INSTALLDIR} ++ $${${1}_INSTALLDIR}/$(notdir ${1}): ${LIBTOOL} ${1} | $${${1}_INSTALLDIR} + @$(ECHO) INSTALL ${1} + $(Q)$${PROGRAM_INSTALL} -c -m 755 $${BUILD_DIR}/lib/${1} $${${1}_INSTALLDIR}/ + $(Q)$${${1}_POSTINSTALL} +@@ -87,9 +87,9 @@ define ADD_INSTALL_RULE.la + install: $${${1}_INSTALLDIR}/$(notdir ${1}) + + # Install libtool library ${1} +- $${${1}_INSTALLDIR}/$(notdir ${1}): ${JLIBTOOL} $${${1}_BUILD}/${1} | $${${1}_INSTALLDIR} ++ $${${1}_INSTALLDIR}/$(notdir ${1}): ${LIBTOOL} $${${1}_BUILD}/${1} | $${${1}_INSTALLDIR} + @$(ECHO) INSTALL ${1} +- $(Q)$${PROGRAM_INSTALL} -c -m 755 $${LOCAL_FLAGS_MIN} $${BUILD_DIR}/lib/${1} $${${1}_INSTALLDIR}/ ++ $(Q)$${PROGRAM_INSTALL} -c -m 755 $${BUILD_DIR}/lib/${1} $${${1}_INSTALLDIR}/ + $(Q)$${${1}_POSTINSTALL} + + endef +@@ -107,7 +107,7 @@ define ADD_INSTALL_RULE.man + install: ${2}/$(notdir ${1}) + + # Install manual page ${1} +- ${2}/$(notdir ${1}): ${JLIBTOOL} ${1} | ${2} ++ ${2}/$(notdir ${1}): ${LIBTOOL} ${1} | ${2} + @$(ECHO) INSTALL $(notdir ${1}) + $(Q)$${PROGRAM_INSTALL} -c -m 644 
${1} ${2}/ + +@@ -122,9 +122,9 @@ endef + define ADD_INSTALL_RULE.dir + # Install directory + .PHONY: ${1} +- ${1}: ${JLIBTOOL} ++ ${1}: ${LIBTOOL} + @$(ECHO) INSTALL -d -m 755 ${1} +- $(Q)$${PROGRAM_INSTALL} -d -m 755 ${1} ++ $(Q)$${INSTALL} -d -m 755 ${1} + endef + + +diff --git a/scripts/libtool.mk b/scripts/libtool.mk +index 381127ec2d..e83d7e6ad7 100644 +--- a/scripts/libtool.mk ++++ b/scripts/libtool.mk +@@ -60,7 +60,9 @@ ifeq "${LIBTOOL}" "JLIBTOOL" + # Tell GNU Make to use this value, rather than anything specified + # on the command line. + override LIBTOOL := ${JLIBTOOL} +-endif # else we're not using jlibtool ++else # else we're not using jlibtool ++ all install: ${LIBTOOL} ++endif + + # When using libtool, it produces a '.libs' directory. Ensure that it + # is removed on "make clean", too. +@@ -74,11 +76,19 @@ clean: .libs_clean + # Re-define compilers and linkers + # + OBJ_EXT = lo +-COMPILE.c = ${LIBTOOL} --silent --mode=compile ${CC} +-COMPILE.cxx = ${LIBTOOL} --mode=compile ${CXX} +-LINK.c = ${LIBTOOL} --silent --mode=link ${CC} +-LINK.cxx = ${LIBTOOL} --mode=link ${CXX} +-PROGRAM_INSTALL = ${LIBTOOL} --silent --mode=install ${INSTALL} ++ifeq "${LIBTOOL}" "JLIBTOOL" ++ COMPILE.c = ${LIBTOOL} --silent --mode=compile ${CC} ++ COMPILE.cxx = ${LIBTOOL} --mode=compile ${CXX} ++ LINK.c = ${LIBTOOL} --silent --mode=link ${CC} ++ LINK.cxx = ${LIBTOOL} --mode=link ${CXX} ++ PROGRAM_INSTALL = ${LIBTOOL} --silent --mode=install ${INSTALL} ++else ++ COMPILE.c = ${LIBTOOL} --mode=compile --tag=CC ${CC} ++ COMPILE.cxx = ${LIBTOOL} --mode=compile --tag=CC ${CXX} ++ LINK.c = ${LIBTOOL} --mode=link --tag=CC ${CC} -module -export-dynamic ++ LINK.cxx = ${LIBTOOL} --mode=link --tag=CC ${CXX} -module -export-dynamic ++ PROGRAM_INSTALL = ${LIBTOOL} --mode=install ${INSTALL} ++endif + + + # LIBTOOL_ENDINGS - Given a library ending in ".a" or ".so", replace that +-- +2.25.1 + 
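Review bot: The C++ rules in the non-jlibtool branch of scripts/libtool.mk pass `--tag=CC` while invoking `${CXX}`, so libtool applies the C-compiler configuration to C++ compiles and links; these should read `COMPILE.cxx = ${LIBTOOL} --mode=compile --tag=CXX ${CXX}` and `LINK.cxx = ${LIBTOOL} --mode=link --tag=CXX ${CXX} -module -export-dynamic`. `-module -export-dynamic` is now applied to every link, including the executables installed by ADD_INSTALL_RULE.exe; `-export-dynamic` exports a program's entire symbol table, which is presumably needed so dlopen'd modules can resolve symbols back into radiusd, but that reason should be stated in a comment above the rule rather than left implicit. The `mv` of the dependency file added to COMPILE_C_CMDS runs whichever libtool is selected; under jlibtool there may be no `.libs` directory and the compile rule would then fail, so a `test -f ... &&` guard would keep the two branches consistent even though this recipe never uses jlibtool.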
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0009-Fix-quoting-for-BUILD_WITH.patch b/meta-networking/recipes-connectivity/freeradius/files/0009-Fix-quoting-for-BUILD_WITH.patch new file mode 100644 index 0000000000..9386675e46 --- /dev/null +++ b/meta-networking/recipes-connectivity/freeradius/files/0009-Fix-quoting-for-BUILD_WITH.patch 
@@ -0,0 +1,58 @@ +From 3e701d6274924adaed568e22af2362aa5af1f055 Mon Sep 17 00:00:00 2001 +From: Peter Seebach +Date: Sun, 8 Jan 2023 23:01:28 +0800 +Subject: [PATCH] Fix quoting for BUILD_WITH + +The escaped quotes are to make the -D values produce strings which +can be used to display these values. However, if the values are more +than one word, with spaces, they also need shell quoting to make them +into single words. + +Upstream-Status: Pending + +Signed-off-by: Peter Seebach +Signed-off-by: Yi Zhao +--- + src/main/libfreeradius-server.mk | 2 +- + src/main/unittest.mk | 2 +- + src/modules/rlm_eap/radeapclient.mk | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/main/libfreeradius-server.mk b/src/main/libfreeradius-server.mk +index 4495f72481..07c28f1968 100644 +--- a/src/main/libfreeradius-server.mk ++++ b/src/main/libfreeradius-server.mk +@@ -18,5 +18,5 @@ SOURCES := conffile.c \ + TGT_LDLIBS := $(OPENSSL_LIBS) + + ifneq ($(MAKECMDGOALS),scan) +-SRC_CFLAGS += -DBUILT_WITH_CPPFLAGS=\"$(CPPFLAGS)\" -DBUILT_WITH_CFLAGS=\"$(CFLAGS)\" -DBUILT_WITH_LDFLAGS=\"$(LDFLAGS)\" -DBUILT_WITH_LIBS=\"$(LIBS)\" ++SRC_CFLAGS += -DBUILT_WITH_CPPFLAGS="\"$(CPPFLAGS)\"" -DBUILT_WITH_CFLAGS="\"$(CFLAGS)\"" -DBUILT_WITH_LDFLAGS="\"$(LDFLAGS)\"" -DBUILT_WITH_LIBS="\"$(LIBS)\"" + endif +diff --git a/src/main/unittest.mk b/src/main/unittest.mk +index edd4f133a7..b5b44d5e11 100644 +--- a/src/main/unittest.mk ++++ b/src/main/unittest.mk +@@ -21,5 +21,5 @@ TGT_PREREQS += libfreeradius-eap.a + endif + + ifneq ($(MAKECMDGOALS),scan) +-SRC_CFLAGS += -DBUILT_WITH_CPPFLAGS=\"$(CPPFLAGS)\" -DBUILT_WITH_CFLAGS=\"$(CFLAGS)\" -DBUILT_WITH_LDFLAGS=\"$(LDFLAGS)\" -DBUILT_WITH_LIBS=\"$(LIBS)\" ++SRC_CFLAGS += -DBUILT_WITH_CPPFLAGS="\"$(CPPFLAGS)\"" -DBUILT_WITH_CFLAGS="\"$(CFLAGS)\"" -DBUILT_WITH_LDFLAGS="\"$(LDFLAGS)\"" -DBUILT_WITH_LIBS="\"$(LIBS)\"" + endif +diff --git a/src/modules/rlm_eap/radeapclient.mk b/src/modules/rlm_eap/radeapclient.mk +index 
6068f54813..7d3c55625b 100644 +--- a/src/modules/rlm_eap/radeapclient.mk ++++ b/src/modules/rlm_eap/radeapclient.mk +@@ -23,7 +23,7 @@ SRC_CFLAGS += -DWITH_EAPCLIENT + SRC_INCDIRS := ${top_srcdir}/src/modules/rlm_eap/libeap + + ifneq ($(MAKECMDGOALS),scan) +-SRC_CFLAGS += -DBUILT_WITH_CPPFLAGS=\"$(CPPFLAGS)\" -DBUILT_WITH_CFLAGS=\"$(CFLAGS)\" -DBUILT_WITH_LDFLAGS=\"$(LDFLAGS)\" -DBUILT_WITH_LIBS=\"$(LIBS)\" ++SRC_CFLAGS += -DBUILT_WITH_CPPFLAGS="\"$(CPPFLAGS)\"" -DBUILT_WITH_CFLAGS="\"$(CFLAGS)\"" -DBUILT_WITH_LDFLAGS="\"$(LDFLAGS)\"" -DBUILT_WITH_LIBS="\"$(LIBS)\"" + endif + + endif +-- +2.25.1 + diff --git a/meta-networking/recipes-connectivity/freeradius/files/0010-fix-error-for-expansion-of-macro-in-thread.h.patch b/meta-networking/recipes-connectivity/freeradius/files/0010-fix-error-for-expansion-of-macro-in-thread.h.patch new file mode 100644 index 0000000000..051b66af8f --- /dev/null +++ b/meta-networking/recipes-connectivity/freeradius/files/0010-fix-error-for-expansion-of-macro-in-thread.h.patch 
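Review bot: The new quoting in libfreeradius-server.mk, unittest.mk and radeapclient.mk handles spaces but still breaks when any of CPPFLAGS, CFLAGS, LDFLAGS or LIBS contains a double quote or backslash (a `-DFOO=\"bar\"` style flag, for instance), because the inner `"` lands unescaped inside the C string literal; escaping first, e.g. `-DBUILT_WITH_CFLAGS="\"$(subst ",\",$(CFLAGS))\""`, closes that gap. It is also worth a line in the patch header that these defines bake the full build flags — including sysroot and debug-prefix paths from the build host — into the shipped binaries, which is a reproducibility and information-disclosure concern for a network-facing daemon; if nothing at runtime consumes BUILT_WITH_*, dropping the defines is the cleaner fix than quoting them.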
@@ -0,0 +1,61 @@ +From 30ce5ccd62446349d432ff65d3fe8d46872423c8 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Wed, 18 Jan 2017 14:59:39 +0800 +Subject: [PATCH] fix error for expansion of macro in thread.h + +The parameter declaration is missing in expansion of macro +which cause the build error: +| In file included from src/freeradius-devel/libradius.h:80:0, +| from src/lib/log.c:26: +| src/lib/log.c: In function '__fr_thread_local_destroy_fr_strerror_buffer': +| src/lib/log.c:37:31: error: 'fr_strerror_buffer' undeclared (first use in this function) +| fr_thread_local_setup(char *, fr_strerror_buffer) /* macro */ +| ^ + +Add the missing declaration in macro. + +Upstream-Status: Pending + +Signed-off-by: Yi Zhao +--- + src/include/threads.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/include/threads.h b/src/include/threads.h +index e36d81dac0..2bcb6aadcb 100644 +--- a/src/include/threads.h ++++ b/src/include/threads.h +@@ -89,7 +89,7 @@ static _t __fr_thread_local_init_##_n(pthread_destructor_t func)\ + # define fr_thread_local_get(_n) _n + #elif defined(HAVE_PTHREAD_H) + # include +-# define fr_thread_local_setup(_t, _n) \ ++# define fr_thread_local_setup(_t, _n) static __thread _t _n;\ + static pthread_key_t __fr_thread_local_key_##_n;\ + static pthread_once_t __fr_thread_local_once_##_n = PTHREAD_ONCE_INIT;\ + static pthread_destructor_t __fr_thread_local_destructor_##_n = NULL;\ +@@ -100,17 +100,17 @@ static void __fr_thread_local_destroy_##_n(UNUSED void *unused)\ + static void __fr_thread_local_key_init_##_n(void)\ + {\ + (void) pthread_key_create(&__fr_thread_local_key_##_n, __fr_thread_local_destroy_##_n);\ +- (void) pthread_setspecific(__fr_thread_local_key_##_n, &(_n));\ + }\ + static _t __fr_thread_local_init_##_n(pthread_destructor_t func)\ + {\ + __fr_thread_local_destructor_##_n = func;\ + if (_n) return _n; \ + (void) pthread_once(&__fr_thread_local_once_##_n, __fr_thread_local_key_init_##_n);\ ++ (void) 
pthread_setspecific(__fr_thread_local_key_##_n, &(_n));\ + return _n;\ + } +-# define fr_thread_local_init(_n, _f) __fr_thread_local_init_##_n(_f) +-# define fr_thread_local_set(_n, _v) __fr_thread_local_set_##_n(_v) +-# define fr_thread_local_get(_n) __fr_thread_local_get_##_n() ++# define fr_thread_local_init(_n, _f) __fr_thread_local_init_##_n(_f) ++# define fr_thread_local_set(_n, _v) ((int)!((_n = _v) || 1)) ++# define fr_thread_local_get(_n) _n + #endif + #endif +-- +2.25.1 + diff --git a/meta-networking/recipes-connectivity/freeradius/files/0011-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch b/meta-networking/recipes-connectivity/freeradius/files/0011-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch new file mode 100644 index 0000000000..69125eb3cb --- /dev/null +++ b/meta-networking/recipes-connectivity/freeradius/files/0011-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch 
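Review bot: The rewritten `fr_thread_local_set(_n, _v)` assigns the `__thread` variable directly and never touches the pthread key, while destructor registration now happens only inside `__fr_thread_local_init_##_n` via the moved `pthread_setspecific` call; a thread that calls `fr_thread_local_set` without first going through `fr_thread_local_init` therefore gets no key value, its registered destructor never fires, and whatever it stored is leaked at thread exit. If every caller in the tree initialises first this is fine, but the macro should say so: `/* Callers must fr_thread_local_init() before fr_thread_local_set(); set does not register the key destructor. */`. The `(void)` cast on `pthread_setspecific` also discards an ENOMEM/EINVAL failure, in which case the same silent leak occurs — pre-existing, but this patch is the one that makes that call load-bearing on every thread. The macro body continues outside the hunk.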
@@ -0,0 +1,31 @@
+From f0e764826e3a85488047f7f4e94ebf91460d2c12 Mon Sep 17 00:00:00 2001
+From: Khem Raj
+Date: Fri, 16 Jun 2017 20:10:49 -0700
+Subject: [PATCH] rlm_mschap: Use includedir instead of hardcoding /usr/include
+
+OE QA flags it correctly as a voilation of cross compilation
+namespace
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj
+---
+ src/modules/rlm_mschap/configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/modules/rlm_mschap/configure.ac b/src/modules/rlm_mschap/configure.ac
+index 0fd105d7e6..6ab15509e5 100644
+--- a/src/modules/rlm_mschap/configure.ac
++++ b/src/modules/rlm_mschap/configure.ac
+@@ -75,7 +75,7 @@ if test x$with_[]modname != xno; then
+ mod_ldflags="-F /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/Frameworks -framework DirectoryService"
+ fi
+ 
+- smart_try_dir="$winbind_include_dir /usr/include/samba-4.0"
++ smart_try_dir="$winbind_include_dir =/usr/include/samba-4.0"
+ FR_SMART_CHECK_INCLUDE(wbclient.h, [#include
+ #include ])
+ if test "x$ac_cv_header_wbclient_h" != "xyes"; then
+--
+2.25.1
+
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0012-raddb-certs-Makefile-fix-the-existed-certificate-err.patch b/meta-networking/recipes-connectivity/freeradius/files/0012-raddb-certs-Makefile-fix-the-existed-certificate-err.patch
new file mode 100644
index 0000000000..cbac989284
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0012-raddb-certs-Makefile-fix-the-existed-certificate-err.patch
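Review bot: The `=/usr/include/samba-4.0` entry relies on FR_SMART_CHECK_INCLUDE handing each directory to the compiler as `-I$dir`, where GCC and Clang expand a leading `=` to the sysroot; if the macro also probes the path with a `test -f $dir/wbclient.h` (acinclude.m4 is not in this hunk), the `=`-prefixed form never matches and winbind support silently falls back to whatever `$winbind_include_dir` provides. A comment on the line would make the mechanism explicit for the next maintainer, e.g. `dnl A leading '=' is expanded to the sysroot by the compiler; keeps the probe out of the host /usr/include`. The patch description also has a typo, `voilation` for `violation`.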
@@ -0,0 +1,55 @@ +From 0f9f18fc330fe88080be13e43f300fbf7ba4a85a Mon Sep 17 00:00:00 2001 +From: Mingli Yu +Date: Mon, 13 Jul 2020 07:01:45 +0000 +Subject: [PATCH] raddb/certs/Makefile: fix the existed certificate error + +Fixes: + # ./bootstrap + [snip] +openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key 'whatever' -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf +Using configuration from ./client.cnf +Check that the request matches the signature +Signature ok +ERROR:There is already a certificate for /C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org +The matching entry has the following details +Type :Valid +Expires on :200908024833Z +Serial Number :02 +File name :unknown +Subject Name :/C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org +make: *** [Makefile:128: client.crt] Error 1 + +Add the check to fix the above error and it does the same for server.crt. + +Upstream-Status: Pending + +Signed-off-by: Mingli Yu +--- + raddb/certs/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile +index c9fbc9e864..d064fe252d 100644 +--- a/raddb/certs/Makefile ++++ b/raddb/certs/Makefile +@@ -92,7 +92,7 @@ server.csr server.key: server.cnf + chmod g+r server.key + + server.crt: ca.key ca.pem server.csr +- $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf ++ @[ -f server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf + + server.p12: server.crt + $(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) +@@ -117,7 +117,7 @@ client.csr client.key: client.cnf + chmod g+r 
client.key + + client.crt: ca.key ca.pem client.csr +- $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf ++ @[ -f client.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf + + client.p12: client.crt + $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) +-- +2.25.1 + diff --git a/meta-networking/recipes-connectivity/freeradius/files/0013-raddb-certs-Makefile-fix-the-occasional-verification.patch b/meta-networking/recipes-connectivity/freeradius/files/0013-raddb-certs-Makefile-fix-the-occasional-verification.patch new file mode 100644 index 0000000000..287e47adcc --- /dev/null +++ b/meta-networking/recipes-connectivity/freeradius/files/0013-raddb-certs-Makefile-fix-the-occasional-verification.patch 
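Review bot: Guarding the `openssl ca` invocations with `@[ -f server.crt ] ||` and `@[ -f client.crt ] ||` defeats make's timestamp dependencies on `ca.key ca.pem server.csr`: once a certificate exists it is never re-issued, so a regenerated CA leaves a server.crt signed by the previous ca.pem behind, which is precisely the verification failure a later patch then masks with further existence checks. The error this patch works around is the CA database refusing a second certificate for an identical subject; the targeted fix is `unique_subject = no` under `[ CA_default ]` in ca.cnf (or clearing `index.txt*` and `serial*` whenever the CA is regenerated), which keeps the normal rebuild semantics intact. The new lines also keep passing the CA key password as `-key $(PASSWORD_CA)` on the command line, where it is visible to `ps` for the duration of the call; `-passin file:` or `env:` avoids that, and since these are demo credentials the bootstrap should at least say so in a comment. Both points are inherited from upstream, but this patch is where the guard semantics change.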
@@ -0,0 +1,136 @@ +From bb1cb2ffc7a31c0a2bb2de51ef82d304b0a107c3 Mon Sep 17 00:00:00 2001 +From: Mingli Yu +Date: Wed, 5 Aug 2020 07:23:11 +0000 +Subject: [PATCH] raddb/certs/Makefile: fix the occasional verification failure + +Fixes: + # cd /etc/raddb/certs + # ./bootstrap +[snip] +chmod g+r ca.key +openssl pkcs12 -in server.p12 -out server.pem -passin pass:'whatever' -passout pass:'whatever' +chmod g+r server.pem +C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org +error 7 at 0 depth lookup: certificate signature failure +140066667427072:error:04067084:rsa routines:rsa_ossl_public_decrypt:data too large for modulus:../openssl-1.1.1g/crypto/rsa/rsa_ossl.c:553: +140066667427072:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../openssl-1.1.1g/crypto/asn1/a_verify.c:170: +error server.pem: verification failed +make: *** [Makefile:107: server.vrfy] Error 2 + +It seems the ca.pem mismatchs server.pem which results in failing to +execute "openssl verify -CAfile ca.pem server.pem", so add to check +the file to avoid inconsistency. 
+ +Upstream-Status: Pending + +Signed-off-by: Mingli Yu +--- + raddb/certs/Makefile | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile +index d064fe252d..86f4547804 100644 +--- a/raddb/certs/Makefile ++++ b/raddb/certs/Makefile +@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf + # + ###################################################################### + dh: +- $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE) ++ @[ -f dh ] || $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE) + + ###################################################################### + # +@@ -69,17 +69,17 @@ dh: + ca.key ca.pem: ca.cnf + @[ -f index.txt ] || $(MAKE) index.txt + @[ -f serial ] || $(MAKE) serial +- $(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \ ++ @[ -f ca.pem ] || $(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \ + -days $(CA_DEFAULT_DAYS) -config ./ca.cnf \ + -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) + chmod g+r ca.key + + ca.der: ca.pem +- $(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der ++ @[ -f ca.der ] || $(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der + + ca.crl: ca.pem +- $(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA) +- $(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl ++ @[ -f ca-crl.pem ] || $(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA) ++ @[ -f ca.crl ] || $(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl + rm ca-crl.pem + + ###################################################################### +@@ -88,18 +88,18 @@ ca.crl: ca.pem + # + ###################################################################### + server.csr server.key: server.cnf +- $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf ++ @[ -f server.csr ] || $(OPENSSL) req -new -out server.csr 
-keyout server.key -config ./server.cnf + chmod g+r server.key + + server.crt: ca.key ca.pem server.csr + @[ -f server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf + + server.p12: server.crt +- $(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) ++ @[ -f server.p12 ] || $(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) + chmod g+r server.p12 + + server.pem: server.p12 +- $(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) ++ @[ -f server.pem ] || $(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) + chmod g+r server.pem + + .PHONY: server.vrfy +@@ -113,19 +113,19 @@ server.vrfy: ca.pem + # + ###################################################################### + client.csr client.key: client.cnf +- $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf ++ @[ -f client.csr ] || $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf + chmod g+r client.key + + client.crt: ca.key ca.pem client.csr + @[ -f client.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf + + client.p12: client.crt +- $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) ++ @[ -f client.p12 ] || $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) + chmod g+r client.p12 + cp client.p12 $(USER_NAME).p12 + + client.pem: client.p12 +- 
$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) ++ @[ -f client.pem ] || $(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) + chmod g+r client.pem + cp client.pem $(USER_NAME).pem + +@@ -140,18 +140,18 @@ client.vrfy: ca.pem client.pem + # + ###################################################################### + inner-server.csr inner-server.key: inner-server.cnf +- $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf ++ @[ -f inner-server.csr] || $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf + chmod g+r inner-server.key + + inner-server.crt: ca.key ca.pem inner-server.csr +- $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf ++ @[ -f inner-server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf + + inner-server.p12: inner-server.crt +- $(OPENSSL) pkcs12 -export -in inner-server.crt -inkey inner-server.key -out inner-server.p12 -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER) ++ @[ -f inner-server.p12 ] || $(OPENSSL) pkcs12 -export -in inner-server.crt -inkey inner-server.key -out inner-server.p12 -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER) + chmod g+r inner-server.p12 + + inner-server.pem: inner-server.p12 +- $(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER) ++ @[ -f inner-server.pem ] || $(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER) + chmod g+r inner-server.pem + + .PHONY: 
inner-server.vrfy
+-- 
+2.25.1
+
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0014-Workaround-error-with-autoconf-2.7.patch b/meta-networking/recipes-connectivity/freeradius/files/0014-Workaround-error-with-autoconf-2.7.patch
new file mode 100644
index 0000000000..17eadc7e59
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0014-Workaround-error-with-autoconf-2.7.patch
@@ -0,0 +1,42 @@
+From c591da4a361496eec93625cf8c4f89bddfedaca7 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia
+Date: Sun, 7 Feb 2021 16:02:36 +0800
+Subject: [PATCH] Workaround error with autoconf 2.7
+
+While using autoconf 2.7, the AM_MISSING_PROG caused unexpected error:
+...
+configure.ac: error: required file 'missing' not found
+...
+
+Since these tools were explicitly added by autotools bbclass,
+remove the testing to workaround the error with autoconf 2.7
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Hongxu Jia
+---
+ configure.ac | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 263098f7fd..fc296832d8 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -878,14 +878,6 @@ fi
+ 
+ AC_PATH_PROG(RUSERS, rusers, /usr/bin/rusers)
+ 
+-dnl #
+-dnl # FIXME This is truly gross.
+-dnl #
+-missing_dir=`cd $ac_aux_dir && pwd`
+-AM_MISSING_PROG(ACLOCAL, aclocal, $missing_dir)
+-AM_MISSING_PROG(AUTOCONF, autoconf, $missing_dir)
+-AM_MISSING_PROG(AUTOHEADER, autoheader, $missing_dir)
+-
+ AC_PATH_PROG(DIRNAME,dirname)
+ AC_PATH_PROG(GREP,grep)
+ 
+-- 
+2.25.1
+
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0015-bootstrap-check-commands-of-openssl-exist.patch b/meta-networking/recipes-connectivity/freeradius/files/0015-bootstrap-check-commands-of-openssl-exist.patch
new file mode 100644
index 0000000000..d1d0111607
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0015-bootstrap-check-commands-of-openssl-exist.patch
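Review bot: The guard in the `inner-server.csr inner-server.key` rule, near the end of the 0013 hunk, is `@[ -f inner-server.csr] ||` with no space before `]`; the shell treats `inner-server.csr]` as the filename, `[` fails with "missing ]" and returns non-zero, so the `||` branch runs on every invocation and a new CSR/key pair is generated each time bootstrap is run (with an error printed). It should read `@[ -f inner-server.csr ] || $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf`. Separately, every two-output rule in this patch (`ca.key ca.pem`, `server.csr server.key`, `client.csr client.key`) tests only one of its outputs, so if the other file is missing the rule is skipped and the later `ca`/`pkcs12` step fails with a less obvious error; this appears to be a latent edge case rather than something the patch introduces, but a short comment on the `ca.key ca.pem` rule noting that only ca.pem is checked would help the next maintainer.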
@@ -0,0 +1,44 @@
+From 78494ea005bd38324953b05176d6eb2c3f55af2c Mon Sep 17 00:00:00 2001
+From: Kai Kang
+Date: Sun, 8 Jan 2023 23:21:24 +0800
+Subject: [PATCH] bootstrap: check commands of openssl exist
+
+It calls openssl commands dhparam and pkcs12 in script bootstrap. These
+commands are configurable based on configure options 'no-dh' and
+'no-des', and may not be provided by openssl. So check existence of
+these commands. If not, abort running of script bootstrap.
+
+1. https://github.com/openssl/openssl/blob/master/apps/build.info#L37
+2. https://github.com/openssl/openssl/blob/master/apps/build.info#L22
+
+Upstream-Status: Denied [https://github.com/FreeRADIUS/freeradius-server/pull/4059]
+ The maintainer commented in the pull that the script could
+ be run on a host which provides these openssl commands.
+
+Signed-off-by: Kai Kang
+---
+ raddb/certs/bootstrap | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 57de8cf0d7..4641c71700 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -13,6 +13,14 @@
+ umask 027
+ cd `dirname $0`
+ 
++# check commands of openssl exist
++for cmd in dhparam pkcs12; do
++ if ! openssl ${cmd} -help >/dev/null 2>&1; then
++ echo "Error: command ${cmd} is not supported by openssl."
++ exit 1
++ fi
++done
++
+ make -h > /dev/null 2>&1
+ 
+ #
+-- 
+2.25.1
+
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0016-version.c-don-t-print-build-flags.patch b/meta-networking/recipes-connectivity/freeradius/files/0016-version.c-don-t-print-build-flags.patch
new file mode 100644
index 0000000000..2d67fdef05
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0016-version.c-don-t-print-build-flags.patch
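Review bot: The diagnostic added in the 0015 hunk, `echo "Error: command ${cmd} is not supported by openssl."`, is written to stdout, so when bootstrap is driven from a recipe task with stdout discarded the only visible effect is the `exit 1`; it should be `echo "Error: command ${cmd} is not supported by openssl." >&2`. The probe `openssl ${cmd} -help >/dev/null 2>&1` relies on `-help` exiting zero for a command that exists; if the target or host openssl treats `-help` as an unknown option and exits non-zero, the loop aborts bootstrap even though the sub-command is available, which is worth confirming against the OpenSSL versions this recipe builds against. A one-line comment stating that assumption, e.g. `# "-help" must exit 0 when the sub-command is compiled in`, would make the check easier to revisit.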
@@ -0,0 +1,41 @@
+From cbbb62ddda5c189c225f96bf6b599b3b3e8c8252 Mon Sep 17 00:00:00 2001
+From: Mingli Yu
+Date: Wed, 3 Aug 2022 16:44:29 +0800
+Subject: [PATCH] version.c: don't print build flags
+
+Don't print the build flags to avoid collecting the build environment info.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Mingli Yu
+---
+ src/main/version.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/src/main/version.c b/src/main/version.c
+index f1f1e87810..3ffcbb25a0 100644
+--- a/src/main/version.c
++++ b/src/main/version.c
+@@ -589,19 +589,6 @@ void version_print(void)
+ DEBUG2(" unknown");
+ #endif
+ 
+- DEBUG2("Compilation flags:");
+-#ifdef BUILT_WITH_CPPFLAGS
+- DEBUG2(" cppflags : " BUILT_WITH_CPPFLAGS);
+-#endif
+-#ifdef BUILT_WITH_CFLAGS
+- DEBUG2(" cflags : " BUILT_WITH_CFLAGS);
+-#endif
+-#ifdef BUILT_WITH_LDFLAGS
+- DEBUG2(" ldflags : " BUILT_WITH_LDFLAGS);
+-#endif
+-#ifdef BUILT_WITH_LIBS
+- DEBUG2(" libs : " BUILT_WITH_LIBS);
+-#endif
+ DEBUG2(" ");
+ }
+ INFO("FreeRADIUS Version " RADIUSD_VERSION_STRING);
+-- 
+2.25.1
+
diff --git a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch
deleted file mode 100644
index 4ea519c752..0000000000
--- a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch
+++ /dev/null
@@ -1,118 +0,0 @@ -From f1cdbb33ec61c4a64a32e107d4d02f936051c708 Mon Sep 17 00:00:00 2001 -From: "Alan T. DeKok" -Date: Mon, 7 Feb 2022 22:26:05 -0500 -Subject: [PATCH] it's probably wrong to be completely retarded. Let's fix - that. - -CVE: CVE-2022-41860 - -Upstream-Status: Backport -[https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a32e107d4d02f936051c708] - -Signed-off-by: Yi Zhao ---- - src/modules/rlm_eap/libeap/eapsimlib.c | 69 +++++++++++++++++++------- - 1 file changed, 52 insertions(+), 17 deletions(-) - -diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c -index cf1e8a7dd9..e438a844ea 100644 ---- a/src/modules/rlm_eap/libeap/eapsimlib.c -+++ b/src/modules/rlm_eap/libeap/eapsimlib.c -@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r, - newvp->vp_length = 1; - fr_pair_add(&(r->vps), newvp); - -+ /* -+ * EAP-SIM has a 1 octet of subtype, and 2 octets -+ * reserved. -+ */ - attr += 3; - attrlen -= 3; - -- /* now, loop processing each attribute that we find */ -- while(attrlen > 0) { -+ /* -+ * Loop over each attribute. The format is: -+ * -+ * 1 octet of type -+ * 1 octet of length (value 1..255) -+ * ((4 * length) - 2) octets of data. -+ */ -+ while (attrlen > 0) { - uint8_t *p; - -- if(attrlen < 2) { -+ if (attrlen < 2) { - fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen); - return 0; - } - -+ if (!attr[1]) { -+ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", eapsim_attribute, -+ es_attribute_count); -+ return 0; -+ } -+ - eapsim_attribute = attr[0]; - eapsim_len = attr[1] * 4; - -+ /* -+ * The length includes the 2-byte header. 
-+ */ - if (eapsim_len > attrlen) { - fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)", - eapsim_attribute, es_attribute_count, eapsim_len, attrlen); - return 0; - } - -- if(eapsim_len > MAX_STRING_LEN) { -- eapsim_len = MAX_STRING_LEN; -- } -- if (eapsim_len < 2) { -- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute, -- es_attribute_count); -- return 0; -- } -+ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0); -+ if (!newvp) { -+ /* -+ * RFC 4186 Section 8.1 says 0..127 are -+ * "non-skippable". If one such -+ * attribute is found and we don't -+ * understand it, the server has to send: -+ * -+ * EAP-Request/SIM/Notification packet with an -+ * (AT_NOTIFICATION code, which implies general failure ("General -+ * failure after authentication" (0), or "General failure" (16384), -+ * depending on the phase of the exchange), which terminates the -+ * authentication exchange. -+ */ -+ if (eapsim_attribute <= 127) { -+ fr_strerror_printf("Unknown mandatory attribute %d, failing", -+ eapsim_attribute); -+ return 0; -+ } - -- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0); -- newvp->vp_length = eapsim_len-2; -- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length); -- memcpy(p, &attr[2], eapsim_len-2); -- fr_pair_add(&(r->vps), newvp); -- newvp = NULL; -+ } else { -+ /* -+ * It's known, ccount for header, and -+ * copy the value over. -+ */ -+ newvp->vp_length = eapsim_len - 2; -+ -+ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length); -+ memcpy(p, &attr[2], newvp->vp_length); -+ fr_pair_add(&(r->vps), newvp); -+ } - - /* advance pointers, decrement length */ - attr += eapsim_len; --- -2.25.1 - diff --git a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch deleted file mode 100644 index 352c02137a..0000000000 
--- a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 0ec2b39d260e08e4c3464f6b95005821dc559c62 Mon Sep 17 00:00:00 2001 -From: "Alan T. DeKok" -Date: Mon, 28 Feb 2022 10:34:15 -0500 -Subject: [PATCH] manual port of commit 5906bfa1 - -CVE: CVE-2022-41861 - -Upstream-Status: Backport -[https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e08e4c3464f6b95005821dc559c62] - -Signed-off-by: Yi Zhao ---- - src/lib/filters.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/src/lib/filters.c b/src/lib/filters.c -index 4868cd385d..3f3b63daee 100644 ---- a/src/lib/filters.c -+++ b/src/lib/filters.c -@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in - } - } - } else if (filter->type == RAD_FILTER_GENERIC) { -- int count; -+ size_t count, masklen; -+ -+ masklen = ntohs(filter->u.generic.len); -+ if (masklen >= sizeof(filter->u.generic.mask)) { -+ *p = '\0'; -+ return; -+ } - - i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset)); - p += i; - - /* show the mask */ -- for (count = 0; count < ntohs(filter->u.generic.len); count++) { -+ for (count = 0; count < masklen; count++) { - i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]); - p += i; - outlen -= i; -@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in - outlen--; - - /* show the value */ -- for (count = 0; count < ntohs(filter->u.generic.len); count++) { -+ for (count = 0; count < masklen; count++) { - i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]); - p += i; - outlen -= i; --- -2.25.1 - diff --git a/meta-networking/recipes-connectivity/freeradius/files/CVE-2024-3596.patch b/meta-networking/recipes-connectivity/freeradius/files/CVE-2024-3596.patch deleted file mode 100644 index 1778e8e927..0000000000 
--- a/meta-networking/recipes-connectivity/freeradius/files/CVE-2024-3596.patch
+++ /dev/null
@@ -1,1506 +0,0 @@ -From 441967ba1d1ec28aa9582ab0253ad01e14b42148 Mon Sep 17 00:00:00 2001 -From: Arran Cudbard-Bell -Date: Sun, 30 Jun 2024 14:03:17 -0600 -Subject: [PATCH] CVE-2024-3596: Backport fix for BlastRADIUS - -Upstream-Status: Backport from v3.0.x branch, commit range 3a00a6ecc188629b0441fd45ad61ca8986de156e..da643f1edc267ce95260dc36069e6f1a7a4d66f8 -CVE: CVE-2024-3596 - -Signed-off-by: Rohini Sangam ---- - man/man1/radclient.1 | 10 ++- - man/man1/radtest.1 | 11 ++- - raddb/clients.conf | 47 ++++++++-- - raddb/proxy.conf | 19 +++++ - raddb/radiusd.conf.in | 185 ++++++++++++++++++++++++++++++++++++++++ - src/include/clients.h | 6 +- - src/include/conffile.h | 1 + - src/include/libradius.h | 19 ++++- - src/include/radius.h | 1 + - src/include/radiusd.h | 6 ++ - src/include/realms.h | 1 + - src/lib/radius.c | 87 +++++++++++++++++-- - src/main/client.c | 45 ++++++++-- - src/main/conffile.c | 4 +- - src/main/listen.c | 141 +++++++++++++++++++++++++++++- - src/main/mainconfig.c | 70 +++++++++++++++ - src/main/process.c | 65 ++++++++++++++ - src/main/radclient.c | 147 ++++++++++++++++++++++++++++++- - src/main/radtest.in | 6 +- - src/main/realms.c | 11 +++ - src/main/tls_listen.c | 5 ++ - 21 files changed, 855 insertions(+), 32 deletions(-) - -diff --git a/man/man1/radclient.1 b/man/man1/radclient.1 -index 229dcae0c7..b83bee931a 100644 ---- a/man/man1/radclient.1 -+++ b/man/man1/radclient.1 -@@ -1,10 +1,11 @@ --.TH RADCLIENT 1 "22 March 2019" "" "FreeRADIUS Daemon" -+.TH RADCLIENT 1 "21 May 2024" "" "FreeRADIUS Daemon" - .SH NAME - radclient - send packets to a RADIUS server, show reply - .SH SYNOPSIS - .B radclient - .RB [ \-4 ] - .RB [ \-6 ] -+.RB [ \-b ] - .RB [ \-c - .IR count ] - .RB [ \-d -@@ -52,6 +53,13 @@ automatically encrypted before the packet is sent to the server. - Use IPv4 (default) - .IP \-6 - Use IPv6 -+.IP \-b -+Enforce the Blast RADIUS checks. 
All replies to an Access-Request packet -+must contain a Message-Authenticator as the first attribute. -+ -+For compatibility with old servers, this flag is not set by default. -+However, radclient still checks for the Blast RADIUS signature, and -+discards packets which match the attack. - .IP \-c\ \fIcount\fP - Send each packet \fIcount\fP times. - .IP \-d\ \fIraddb_directory\fP -diff --git a/man/man1/radtest.1 b/man/man1/radtest.1 -index b3184779c0..6bfab75944 100644 ---- a/man/man1/radtest.1 -+++ b/man/man1/radtest.1 -@@ -1,4 +1,4 @@ --.TH RADTEST 1 "5 April 2010" "" "FreeRADIUS Daemon" -+.TH RADTEST 1 "21 May 2024" "" "FreeRADIUS Daemon" - .SH NAME - radtest - send packets to a RADIUS server, show reply - .SH SYNOPSIS -@@ -15,6 +15,8 @@ radtest - send packets to a RADIUS server, show reply - .IR ] - .RB [ \-6 - .IR ] -+.RB [ \-b -+.IR - .I user password radius-server nas-port-number secret - .RB [ ppphint ] - .RB [ nasname ] -@@ -26,6 +28,13 @@ way to test a radius server. - - .SH OPTIONS - -+.IP \-b -+Enforce the Blast RADIUS checks. All replies to an Access-Request packet -+must contain a Message-Authenticator as the first attribute. -+ -+For compatibility with old servers, this flag is not set by default. -+However, radclient still checks for the Blast RADIUS signature, and -+discards packets which match the attack. - .IP "\-d \fIraddb_directory\fP" - The directory that contains the RADIUS dictionary files. Defaults to - \fI/etc/raddb\fP. -diff --git a/raddb/clients.conf b/raddb/clients.conf -index 76b300d3c5..d55414b7d2 100644 ---- a/raddb/clients.conf -+++ b/raddb/clients.conf -@@ -100,15 +100,44 @@ client localhost { - secret = testing123 - - # -- # Old-style clients do not send a Message-Authenticator -- # in an Access-Request. RFC 5080 suggests that all clients -- # SHOULD include it in an Access-Request. The configuration -- # item below allows the server to require it. 
If a client -- # is required to include a Message-Authenticator and it does -- # not, then the packet will be silently discarded. -- # -- # allowed values: yes, no -- require_message_authenticator = no -+ # The global configuration "security.require_message_authenticator" -+ # flag sets the default for all clients. That default can be -+ # over-ridden here, by setting it to a value. If no value is set, -+ # then the default from the "radiusd.conf" file is used. -+ # -+ # See that file for full documentation on the flag, along -+ # with allowed values and meanings. -+ # -+ # This flag exists solely for legacy clients which do not send -+ # Message-Authenticator in all Access-Request packets. We do not -+ # recommend setting it to "no". -+ # -+ # The number one way to protect yourself from the BlastRADIUS -+ # attack is to update all RADIUS servers, and then set this -+ # flag to "yes". If all RADIUS servers are updated, and if -+ # all of them have this flag set to "yes" for all clients, -+ # then your network is safe. You can then upgrade the -+ # clients when it is convenient, instead of rushing the -+ # upgrades. -+ # -+ # allowed values: yes, no, auto -+# require_message_authenticator = no -+ -+ # -+ # The global configuration "security.limit_proxy_state" -+ # flag sets the default for all clients. That default can be -+ # over-ridden here, by setting it to "no". -+ # -+ # See that file for full documentation on the flag, along -+ # with allowed values,and meanings. -+ # -+ # This flag exists solely for legacy clients which do not send -+ # Message-Authenticator in all Access-Request packets. We do not -+ # recommend setting it to "no". 
-+ # -+ # allowed values: yes, no, auto -+ # -+# limit_proxy_state = yes - - # - # The short name is used as an alias for the fully qualified -diff --git a/raddb/proxy.conf b/raddb/proxy.conf -index 91b4b37930..fa362b8a74 100644 ---- a/raddb/proxy.conf -+++ b/raddb/proxy.conf -@@ -204,6 +204,25 @@ home_server localhost { - # - secret = testing123 - -+ -+ # -+ # The global configuration "security.require_message_authenticator" -+ # flag sets the default for all home servers. That default can be -+ # over-ridden here, by setting it to a value. If no value is set, -+ # then the default from the "radiusd.conf" file is used. -+ # -+ # See that file for full documentation on the flag, along -+ # with allowed values and meanings. -+ # -+ # This flag exists solely for legacy home servers which do -+ # not send Message-Authenticator in all Access-Accept, -+ # Access-Reject, or Access-Challenge packets. We do not -+ # recommend setting it to "no". -+ # -+ # allowed values: yes, no, auto -+ # -+# require_message_authenticator = no -+ - ############################################################ - # - # The rest of the configuration items listed here are optional, -diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in -index e8aee3c001..5b8800bfc8 100644 ---- a/raddb/radiusd.conf.in -+++ b/raddb/radiusd.conf.in -@@ -564,6 +564,191 @@ security { - # - status_server = yes - -+ # -+ # Global configuration for requiring Message-Authenticator in -+ # all Access-* packets sent over UDP or TCP. This flag is -+ # ignored for TLS. -+ # -+ # The number one way to protect yourself from the BlastRADIUS -+ # attack is to update all RADIUS servers, and then set this -+ # flag to "yes". If all RADIUS servers are updated, and if -+ # all of them have this flag set to "yes" for all clients, -+ # then your network is safe. You can then upgrade the -+ # clients when it is convenient, instead of rushing the -+ # upgrades. 
-+ # -+ # This flag sets the global default for all clients and home -+ # servers. It can be over-ridden in an individual client or -+ # home_server definition by adding the same flag to that -+ # section with an appropriate value. -+ # -+ # All upgraded RADIUS implementations should send -+ # Message-Authenticator in all Access-Request, Access-Accept, -+ # Access-Reject, and Access-Challenge packets. Once all -+ # systems are upgraded, setting this flag to "yes" is the -+ # best protection from the attack. -+ # -+ # The possible values and meanings for -+ # "require_message_authenticator" are; -+ # -+ # * "no" - allow Access-* packet which do not contain -+ # Message-Authenticator -+ # -+ # For a client, if this flag is set to "no", then the -+ # "limit_proxy_state" flag, below, is also checked. -+ # -+ # For a home_server, if this flag is set to "no", then the -+ # Access-Accept, Access-Reject, and Access-Challenge -+ # packets do not need to contain Message-Authenticator. -+ # -+ # The only reason to set this flag to "no" is when the -+ # RADIUS client or home server has not been updated. It is -+ # always safer to set this flag "no" in the individual -+ # client or home_server definition. The global flag SHOULD -+ # still be set to a safe value: "yes". -+ # -+ # WARNING: Setting this flag and the "limit_proxy_state" -+ # flag to "no" will allow MITM attackers to create fake -+ # Access-Accept packets to the NAS! At least one of them -+ # MUST be set to "yes" for the system to have any -+ # protection against the attack. -+ # -+ # * "yes" - Require that all Access-* packets (client and -+ # home_server) contain Message-Authenticator. If a packet -+ # does not contain Message-Authenticator, then it is -+ # discarded. -+ # -+ # * "auto" - Automatically determine the value of the flag, -+ # based on the first packet received from that client or -+ # home_server. 
-+ # -+ # If the packet does not contain Message-Authenticator, -+ # then the value of the flag is automatically switched to -+ # "no". -+ # -+ # If the packet contains Message-Authenticator but not -+ # EAP-Message, then the value of the flag is automatically -+ # switched to "yes". The server has to check for -+ # EAP-Message, because the previous RFCs require that the -+ # packet contains Message-Authenticator when it also -+ # contains EAP-Message. So having a Message-Authenticator -+ # in those packets doesn't give the server enough -+ # information to determined if the client or home_server -+ # has been updated. -+ # -+ # If the packet contains Message-Authenticator and -+ # EAP-Message, then the flag is left at the "auto" value. -+ # -+ # WARNING: This switch is done for the first packet -+ # received from that client or home server. The change -+ # does NOT persist across server restarts. You MUST change -+ # the to "yes" manually, in order to make a permanent -+ # change to the configuration. -+ # -+ # WARNING: If there are multiple NASes with the same source -+ # IP and client definitions, BUT the NASes have different -+ # behavior, then this flag WILL LIKELY BREAK YOUR NETWORK. -+ # -+ # That is, when there are multiple different RADIUS clients -+ # behind one NATed IP address, then these security settings -+ # have to be set to allow the MOST INSECURE packets to be -+ # processed. This is a terrible idea, and will leave your -+ # network vulnerable to the attack. Please upgrade all -+ # clients immediately. -+ # -+ # The only solution to that rare configuration is to set -+ # this flag to "no", in which case the network will work, -+ # but will be vulnerable to the attack. -+ # -+ require_message_authenticator = auto -+ -+ # -+ # Global configuration for limiting the combination of -+ # Proxy-State and Message-Authenticator. This flag only -+ # applies to packets sent over UDP or TCP. This flag is -+ # ignored for TLS. 
-+ # -+ # This flag sets the global default for all clients. It can -+ # be over-ridden in an individual client definition by adding -+ # the same flag to that section with an appropriate value. -+ # -+ # If "require_message_authenticator" is set to "yes", this -+ # configuration item is ignored. -+ # -+ # If "require_message_authenticator" is set to "no", this -+ # configuration item is checked. -+ # -+ # The possible values and meanings for "limit_proxy_state" are; -+ # -+ # * "no" - allow any packets from the client, even packets -+ # which contain the BlastRADIUS attack. Please be aware -+ # that in this configuration the server will complain for -+ # EVERY packet which it receives. -+ # -+ # The only reason to set this flag to "no" is when the -+ # client is a proxy, AND the proxy does not send -+ # Message-Authenticator in Access-Request packets. Even -+ # then, the best approach to fix the issue is to (1) update -+ # the proxy to send Message-Authenticator, and if that -+ # can't be done, then (2) set this flag to "no", but ONLY -+ # for that one client. The global flag SHOULD still be set -+ # to a safe value: "yes". -+ # -+ # WARNING: Setting both this flag and the -+ # "require_message_authenticator" flag to "no" will allow -+ # MITM attackers to create fake Access-Accept packets to the -+ # NAS! At least one of them MUST be set to "yes" for the -+ # system to have any protection against the attack. -+ # -+ # * "yes" - Allow packets without Message-Authenticator, -+ # but only when they do not contain Proxy-State. -+ # packets which contain Proxy-State MUST also contain -+ # Message-Authenticator, otherwise they are discarded. -+ # -+ # This setting is safe for most NASes, GGSNs, BRAS, etc. -+ # Most regular RADIUS clients do not send Proxy-State -+ # attributes for Access-Request packets that they originate. -+ # However some aggregators (e.g. 
Wireless LAN Controllers) -+ # may act as a RADIUS proxy for requests from their cohort -+ # of managed devices, and in such cases will provide a -+ # Proxy-State attribute. For those systems, you _must_ look -+ # at the actual packets to determine what to do. It may be -+ # that the only way to fix the vulnerability is to upgrade -+ # the WLC, and set "require_message_authenticator" to "yes". -+ # -+ # * "auto" - Automatically determine the value of the flag, -+ # based on the first packet received from that client. -+ # -+ # If the packet contains Proxy-State but no -+ # Message-Authenticator, then the value of the flag is -+ # automatically switched to "no". -+ # -+ # For all other situations, the value of the flag is -+ # automatically switched to "yes". -+ # -+ # WARNING: This switch is done for the first packet -+ # received from that client. The change does NOT persist -+ # across server restarts. You MUST change the to "yes" -+ # manually, in order to make a permanent change to the -+ # configuration. -+ # -+ # WARNING: If there are multiple NASes with the same source -+ # IP and client definitions, BUT the NASes have different -+ # behavior, then this flag WILL LIKELY BREAK YOUR NETWORK. -+ # -+ # That is, when there are multiple different RADIUS clients -+ # behind one NATed IP address, then these security settings -+ # have to be set to allow the MOST INSECURE packets to be -+ # processed. This is a terrible idea, and will leave your -+ # network vulnerable to the attack. Please upgrade all -+ # clients immediately. -+ # -+ # The only solution to that rare configuration is to set -+ # this flag to "no", in which case the network will work, -+ # but will be vulnerable to the attack. 
-+ #
-+ limit_proxy_state = auto
-+
- @openssl_version_check_config@
- }
- 
-diff --git a/src/include/clients.h b/src/include/clients.h
-index 560211557f..0aeb1da8d9 100644
---- a/src/include/clients.h
-+++ b/src/include/clients.h
-@@ -39,7 +39,11 @@ typedef struct radclient {
- 
- char const *secret; //!< Secret PSK.
- 
-- bool message_authenticator; //!< Require RADIUS message authenticator in requests.
-+ fr_bool_auto_t require_ma; //!< Require RADIUS message authenticator in requests.
-+
-+ bool dynamic_require_ma; //!< for dynamic clients
-+
-+ fr_bool_auto_t limit_proxy_state; //!< Limit Proxy-State in requests
- 
- char const *nas_type; //!< Type of client (arbitrary).
- 
-diff --git a/src/include/conffile.h b/src/include/conffile.h
-index 8cb045c946..ddbcae4e4f 100644
---- a/src/include/conffile.h
-+++ b/src/include/conffile.h
-@@ -140,6 +140,7 @@ typedef struct timeval _timeval_t;
- #define PW_TYPE_MULTI (1 << 18) //!< CONF_PAIR can have multiple copies.
- #define PW_TYPE_NOT_EMPTY (1 << 19) //!< CONF_PAIR is required to have a non zero length value. 
- #define PW_TYPE_FILE_EXISTS ((1 << 20) | PW_TYPE_STRING) //!< File matching value must exist
-+#define PW_TYPE_IGNORE_DEFAULT (1 << 21) //!< don't set from .dflt if the CONF_PAIR is missing
- /* @} **/
- 
- #define FR_INTEGER_COND_CHECK(_name, _var, _cond, _new)\
-diff --git a/src/include/libradius.h b/src/include/libradius.h
-index ce2f713de1..2efef8b1d3 100644
---- a/src/include/libradius.h
-+++ b/src/include/libradius.h
-@@ -402,6 +402,10 @@ typedef struct radius_packet {
- size_t partial;
- int proto;
- #endif
-+ bool tls; //!< uses secure transport
-+ bool message_authenticator;
-+ bool proxy_state;
-+ bool eap_message;
- } RADIUS_PACKET;
- 
- typedef enum {
-@@ -507,6 +511,13 @@ DICT_VENDOR *dict_vendorbyvalue(int vendor);
- /* radius.c */
- int rad_send(RADIUS_PACKET *, RADIUS_PACKET const *, char const *secret);
- bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason);
-+
-+/*
-+ * 1 == require_ma
-+ * 2 == msg_peek
-+ * 4 == limit_proxy_state
-+ * 8 == require_ma for Access-* replies and Protocol-Error
-+ */
- RADIUS_PACKET *rad_recv(TALLOC_CTX *ctx, int fd, int flags);
- ssize_t rad_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port, int *code);
- void rad_recv_discard(int sockfd);
-@@ -694,7 +705,7 @@ extern bool fr_dns_lookups; /* do IP -> hostname lookups? */
- extern bool fr_hostname_lookups; /* do hostname -> IP lookups? 
*/
- extern int fr_debug_lvl; /* 0 = no debugging information */
- extern uint32_t fr_max_attributes; /* per incoming packet */
--#define FR_MAX_PACKET_CODE (52)
-+#define FR_MAX_PACKET_CODE (53)
- extern char const *fr_packet_codes[FR_MAX_PACKET_CODE];
- #define is_radius_code(_x) ((_x > 0) && (_x < FR_MAX_PACKET_CODE))
- extern FILE *fr_log_fp;
-@@ -932,6 +943,12 @@ int fr_socket_wait_for_connect(int sockfd, struct timeval *timeout);
- }
- #endif
- 
-+typedef enum {
-+ FR_BOOL_FALSE = 0,
-+ FR_BOOL_TRUE,
-+ FR_BOOL_AUTO,
-+} fr_bool_auto_t;
-+
- #include
- 
- #ifdef WITH_TCP
-diff --git a/src/include/radius.h b/src/include/radius.h
-index 473528d65d..147d674eed 100644
---- a/src/include/radius.h
-+++ b/src/include/radius.h
-@@ -61,6 +61,7 @@ typedef enum {
- PW_CODE_COA_REQUEST = 43, //!< RFC3575/RFC5176 - CoA-Request
- PW_CODE_COA_ACK = 44, //!< RFC3575/RFC5176 - CoA-Ack (positive)
- PW_CODE_COA_NAK = 45, //!< RFC3575/RFC5176 - CoA-Nak (not willing to perform)
-+ PW_CODE_PROTOCOL_ERROR = 52, //!< RFC7930 - Protocol layer issue
- PW_CODE_MAX = 255, //!< Maximum possible code
- } PW_CODE;
- 
-diff --git a/src/include/radiusd.h b/src/include/radiusd.h
-index b2a0a0f642..e429c5be7a 100644
---- a/src/include/radiusd.h
-+++ b/src/include/radiusd.h
-@@ -171,6 +171,10 @@ typedef struct main_config {
- 
- bool exiting; //!< are we exiting?
- 
-+ fr_bool_auto_t require_ma; //!< global configuration for all clients and home servers
-+
-+ fr_bool_auto_t limit_proxy_state; //!< global configuration for all clients
-+
- 
- #ifdef ENABLE_OPENSSL_VERSION_CHECK
- char const *allow_vulnerable_openssl; //!< The CVE number of the last security issue acknowledged. 
-@@ -558,6 +562,8 @@ int main_config_free(void);
- void main_config_hup(void);
- void hup_logfile(void);
- 
-+int fr_bool_auto_parse(CONF_PAIR *cp, fr_bool_auto_t *out, char const *str);
-+
- /* listen.c */
- void listen_free(rad_listen_t **head);
- int listen_init(CONF_SECTION *cs, rad_listen_t **head, bool spawn_flag);
-diff --git a/src/include/realms.h b/src/include/realms.h
-index 6dae8b4f85..e643818e43 100644
---- a/src/include/realms.h
-+++ b/src/include/realms.h
-@@ -59,6 +59,7 @@ typedef struct home_server {
- //!< stats or when specifying home servers for a pool.
- 
- bool dual; //!< One of a pair of homeservers on consecutive ports.
-+ fr_bool_auto_t require_ma; //!< for all replies to Access-Request and Status-Server
- char const *server; //!< For internal proxying
- char const *parent_server;
- 
-diff --git a/src/lib/radius.c b/src/lib/radius.c
-index 3881111f7d..7b91a4bde2 100644
---- a/src/lib/radius.c
-+++ b/src/lib/radius.c
-@@ -142,8 +142,9 @@ char const *fr_packet_codes[FR_MAX_PACKET_CODE] = {
- "47",
- "48",
- "49",
-- "IP-Address-Allocate",
-- "IP-Address-Release", //!< 50
-+ "IP-Address-Allocate", //!< 50
-+ "IP-Address-Release",
-+ "Protocol-Error",
- };
- 
- 
-@@ -1700,6 +1701,15 @@ int rad_vp2attr(RADIUS_PACKET const *packet, RADIUS_PACKET const *original,
- return rad_vp2vsa(packet, original, secret, pvp, start, room);
- }
- 
-+static const bool code2ma[FR_MAX_PACKET_CODE] = {
-+ [ PW_CODE_ACCESS_REQUEST ] = true,
-+ [ PW_CODE_ACCESS_ACCEPT ] = true,
-+ [ PW_CODE_ACCESS_REJECT ] = true,
-+ [ PW_CODE_ACCESS_CHALLENGE ] = true,
-+ [ PW_CODE_STATUS_SERVER ] = true,
-+ [ PW_CODE_PROTOCOL_ERROR ] = true,
-+};
-+
- 
- /** Encode a packet
- *
-@@ -1712,6 +1722,7 @@ int rad_encode(RADIUS_PACKET *packet, RADIUS_PACKET const *original,
- uint16_t total_length;
- int len;
- VALUE_PAIR const *reply;
-+ bool seen_ma = false;
- 
- /*
- * A 4K packet, aligned on 64-bits. 
-@@ -1775,6 +1786,27 @@ int rad_encode(RADIUS_PACKET *packet, RADIUS_PACKET const *original,
- * memcpy.
- */
- 
-+ /*
-+ * Always add Message-Authenticator for replies to
-+ * Access-Request packets, and for all Access-Accept,
-+ * Access-Reject, Access-Challenge.
-+ *
-+ * It must be the FIRST attribute in the packet.
-+ */
-+ if (!packet->tls &&
-+ ((code2ma[packet->code]) || (original && code2ma[original->code]))) {
-+ seen_ma = true;
-+
-+ packet->offset = RADIUS_HDR_LEN;
-+
-+ ptr[0] = PW_MESSAGE_AUTHENTICATOR;
-+ ptr[1] = 18;
-+ memset(ptr + 2, 0, 16);
-+
-+ ptr += 18;
-+ total_length += 18;
-+ }
-+
- /*
- * Loop over the reply attributes for the packet.
- */
-@@ -1832,6 +1864,13 @@ int rad_encode(RADIUS_PACKET *packet, RADIUS_PACKET const *original,
- * length and initial value.
- */
- if (!reply->da->vendor && (reply->da->attr == PW_MESSAGE_AUTHENTICATOR)) {
-+ /*
-+ * We have already encoded the Message-Authenticator, don't do it again.
-+ */
-+ if (seen_ma) {
-+ reply = reply->next;
-+ continue;
-+ }
- if (room < 18) break;
- 
- /*
-@@ -2323,6 +2362,8 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason)
- radius_packet_t *hdr;
- char host_ipaddr[128];
- bool require_ma = false;
-+ bool limit_proxy_state = false;
-+ bool seen_proxy_state = false;
- bool seen_ma = false;
- uint32_t num_attributes;
- decode_fail_t failure = DECODE_FAIL_NONE;
-@@ -2371,15 +2412,26 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason)
- }
- 
- /*
-- * Message-Authenticator is required in Status-Server
-- * packets, otherwise they can be trivially forged.
-+ * If the caller requires Message-Authenticator, then set
-+ * the flag.
- */
-- if (hdr->code == PW_CODE_STATUS_SERVER) require_ma = true;
- 
- /*
-- * It's also required if the caller asks for it.
-+ * We also require Message-Authenticator if the packet
-+ * code is Status-Server. 
-+ *
-+ * If we're receiving packets from a proxy socket, then
-+ * require Message-Authenticator for Access-* replies,
-+ * and for Protocol-Error.
- */
-- if (flags) require_ma = true;
-+ require_ma = ((flags & 0x01) != 0) || (hdr->code == PW_CODE_STATUS_SERVER) || (((flags & 0x08) != 0) && code2ma[hdr->code]);
-+
-+ /*
-+ *
-+ * We only limit Proxy-State if we're not requiring
-+ * Message-Authenticator.
-+ */
-+ limit_proxy_state = ((flags & 0x04) != 0) && !require_ma;
- 
- /*
- * Repeat the length checks. This time, instead of
-@@ -2534,6 +2586,7 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason)
- case PW_EAP_MESSAGE:
- require_ma = true;
- eap = true;
-+ packet->eap_message = true;
- break;
- 
- case PW_USER_PASSWORD:
-@@ -2542,6 +2595,11 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason)
- non_eap = true;
- break;
- 
-+ case PW_PROXY_STATE:
-+ seen_proxy_state = true;
-+ packet->proxy_state = true;
-+ break;
-+
- case PW_MESSAGE_AUTHENTICATOR:
- if (attr[1] != 2 + AUTH_VECTOR_LEN) {
- FR_DEBUG_STRERROR_PRINTF("Malformed RADIUS packet from host %s: Message-Authenticator has invalid length %d",
-@@ -2553,6 +2611,7 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason)
- goto finish;
- }
- seen_ma = true;
-+ packet->message_authenticator = true;
- break;
- }
- 
-@@ -2609,7 +2668,19 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason)
- * Message-Authenticator attributes.
- */
- if (require_ma && !seen_ma) {
-- FR_DEBUG_STRERROR_PRINTF("Insecure packet from host %s: Packet does not contain required Message-Authenticator attribute",
-+ FR_DEBUG_STRERROR_PRINTF("Insecure packet from host %s: Packet does not contain required Message-Authenticator attribute. 
You may need to set \"require_message_authenticator = no\" in the configuration.",
-+ inet_ntop(packet->src_ipaddr.af,
-+ &packet->src_ipaddr.ipaddr,
-+ host_ipaddr, sizeof(host_ipaddr)));
-+ failure = DECODE_FAIL_MA_MISSING;
-+ goto finish;
-+ }
-+
-+ /*
-+ * The client is a NAS which shouldn't send Proxy-State, but it did!
-+ */
-+ if (limit_proxy_state && seen_proxy_state && !seen_ma) {
-+ FR_DEBUG_STRERROR_PRINTF("Insecure packet from host %s: Packet does not contain required Message-Authenticator attribute, but still has one or more Proxy-State attributes",
- inet_ntop(packet->src_ipaddr.af,
- &packet->src_ipaddr.ipaddr,
- host_ipaddr, sizeof(host_ipaddr)));
-diff --git a/src/main/client.c b/src/main/client.c
-index 6228438c47..875dc37d60 100644
---- a/src/main/client.c
-+++ b/src/main/client.c
-@@ -283,7 +283,8 @@ bool client_add(RADCLIENT_LIST *clients, RADCLIENT *client)
- (old->coa_server == client->coa_server) &&
- (old->coa_pool == client->coa_pool) &&
- #endif
-- (old->message_authenticator == client->message_authenticator)) {
-+ (old->require_ma == client->require_ma) &&
-+ (old->limit_proxy_state == client->limit_proxy_state)) {
- WARN("Ignoring duplicate client %s", client->longname);
- client_free(client);
- return true;
-@@ -445,6 +446,8 @@ static fr_ipaddr_t cl_ipaddr;
- static uint32_t cl_netmask;
- static char const *cl_srcipaddr = NULL;
- static char const *hs_proto = NULL;
-+static char const *require_message_authenticator = NULL;
-+static char const *limit_proxy_state = NULL;
- 
- #ifdef WITH_TCP
- static CONF_PARSER limit_config[] = {
-@@ -467,7 +470,8 @@ static const CONF_PARSER client_config[] = {
- 
- { "src_ipaddr", FR_CONF_POINTER(PW_TYPE_STRING, &cl_srcipaddr), NULL },
- 
-- { "require_message_authenticator", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, RADCLIENT, message_authenticator), "no" },
-+ { "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_STRING| PW_TYPE_IGNORE_DEFAULT, &require_message_authenticator), NULL },
-+ { 
"limit_proxy_state", FR_CONF_POINTER(PW_TYPE_STRING| PW_TYPE_IGNORE_DEFAULT, &limit_proxy_state), NULL },
- 
- { "secret", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, RADCLIENT, secret), NULL },
- { "shortname", FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, shortname), NULL },
-@@ -663,7 +667,7 @@ static const CONF_PARSER dynamic_config[] = {
- { "FreeRADIUS-Client-Src-IP-Address", FR_CONF_OFFSET(PW_TYPE_IPV4_ADDR, RADCLIENT, src_ipaddr), NULL },
- { "FreeRADIUS-Client-Src-IPv6-Address", FR_CONF_OFFSET(PW_TYPE_IPV6_ADDR, RADCLIENT, src_ipaddr), NULL },
- 
-- { "FreeRADIUS-Client-Require-MA", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, RADCLIENT, message_authenticator), NULL },
-+ { "FreeRADIUS-Client-Require-MA", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, RADCLIENT, dynamic_require_ma), NULL },
- 
- { "FreeRADIUS-Client-Secret", FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, secret), "" },
- { "FreeRADIUS-Client-Shortname", FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, shortname), "" },
-@@ -845,8 +849,19 @@ RADCLIENT *client_afrom_cs(TALLOC_CTX *ctx, CONF_SECTION *cs, bool in_server, bo
- c = talloc_zero(ctx, RADCLIENT);
- c->cs = cs;
- 
-+ /*
-+ * Set the "require message authenticator" and "limit
-+ * proxy state" flags from the global default. If the
-+ * configuration item exists, AND is set, it will
-+ * over-ride the flag. 
-+ */
-+ c->require_ma = main_config.require_ma;
-+ c->limit_proxy_state = main_config.limit_proxy_state;
-+
- memset(&cl_ipaddr, 0, sizeof(cl_ipaddr));
- cl_netmask = 255;
-+ require_message_authenticator = NULL;
-+ limit_proxy_state = NULL;
- 
- if (cf_section_parse(cs, c, client_config) < 0) {
- cf_log_err_cs(cs, "Error parsing client section");
-@@ -857,6 +872,9 @@ RADCLIENT *client_afrom_cs(TALLOC_CTX *ctx, CONF_SECTION *cs, bool in_server, bo
- cl_srcipaddr = NULL;
- #endif
- 
-+ require_message_authenticator = NULL;
-+ limit_proxy_state = NULL;
-+
- return NULL;
- }
- 
-@@ -1114,6 +1132,16 @@ done_coa:
- }
- #endif
- 
-+ if (fr_bool_auto_parse(cf_pair_find(cs, "require_message_authenticator"), &c->require_ma, require_message_authenticator) < 0) {
-+ goto error;
-+ }
-+
-+ if (c->require_ma != FR_BOOL_TRUE) {
-+ if (fr_bool_auto_parse(cf_pair_find(cs, "limit_proxy_state"), &c->limit_proxy_state, limit_proxy_state) < 0) {
-+ goto error;
-+ }
-+ }
-+
- return c;
- }
- 
-@@ -1158,7 +1186,7 @@ RADCLIENT *client_afrom_query(TALLOC_CTX *ctx, char const *identifier, char cons
- if (shortname) c->shortname = talloc_typed_strdup(c, shortname);
- if (type) c->nas_type = talloc_typed_strdup(c, type);
- if (server) c->server = talloc_typed_strdup(c, server);
-- c->message_authenticator = require_ma;
-+ c->require_ma = require_ma;
- 
- return c;
- }
-@@ -1344,10 +1372,10 @@ RADCLIENT *client_afrom_request(RADCLIENT_LIST *clients, REQUEST *request)
- *pi = vp->vp_integer;
- 
- /*
-- * Same nastiness as above.
-+ * Same nastiness as above, but hard-coded for require Message-Authenticator.
- */
- for (parse = client_config; parse->name; parse++) {
-- if (parse->offset == dynamic_config[i].offset) break;
-+ if (parse->type == PW_TYPE_BOOLEAN) break;
- }
- if (!parse) break;
- 
-@@ -1436,6 +1464,11 @@ validate:
- goto error;
- }
- 
-+ /*
-+ * It can't be set to "auto". Too bad. 
-+ */
-+ c->require_ma = (fr_bool_auto_t) c->dynamic_require_ma;
-+
- if (!client_add_dynamic(clients, request->client, c)) {
- return NULL;
- }
-diff --git a/src/main/conffile.c b/src/main/conffile.c
-index a8c667bfb5..61754e991f 100644
---- a/src/main/conffile.c
-+++ b/src/main/conffile.c
-@@ -1418,6 +1418,7 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d
- {
- int rcode;
- bool deprecated, required, attribute, secret, file_input, cant_be_empty, tmpl, multi, file_exists;
-+ bool ignore_dflt;
- char **q;
- char const *value;
- CONF_PAIR *cp = NULL;
-@@ -1441,6 +1442,7 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d
- cant_be_empty = (type & PW_TYPE_NOT_EMPTY);
- tmpl = (type & PW_TYPE_TMPL);
- multi = (type & PW_TYPE_MULTI);
-+ ignore_dflt = (type & PW_TYPE_IGNORE_DEFAULT);
- 
- if (attribute) required = true;
- if (required) cant_be_empty = true; /* May want to review this in the future... */
-@@ -1464,7 +1466,7 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d
- * section, use the default value. 
- */
- if (!cp) {
-- if (deprecated) return 0; /* Don't set the default value */
-+ if (deprecated || ignore_dflt) return 0; /* Don't set the default value */
- 
- rcode = 1;
- value = dflt;
-diff --git a/src/main/listen.c b/src/main/listen.c
-index ebf7f5221c..c20fea243d 100644
---- a/src/main/listen.c
-+++ b/src/main/listen.c
-@@ -456,6 +456,122 @@ int rad_status_server(REQUEST *request)
- return 0;
- }
- 
-+static void blastradius_checks(RADIUS_PACKET *packet, RADCLIENT *client)
-+{
-+ if (client->require_ma == FR_BOOL_TRUE) return;
-+
-+ if (client->require_ma == FR_BOOL_AUTO) {
-+ if (!packet->message_authenticator) {
-+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ ERROR("BlastRADIUS check: Received packet without Message-Authenticator.");
-+ ERROR("Setting \"require_message_authenticator = false\" for client %s", client->shortname);
-+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ ERROR("UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.");
-+ ERROR("Once the client is upgraded, set \"require_message_authenticator = true\" for client %s", client->shortname);
-+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ client->require_ma = FR_BOOL_FALSE;
-+
-+ /*
-+ * And fall through to the
-+ * limit_proxy_state checks, which might
-+ * complain again. Oh well, maybe that
-+ * will make people read the messages.
-+ */
-+
-+ } else if (packet->eap_message) {
-+ /*
-+ * Don't set it to "true" for packets
-+ * with EAP-Message. 
It's already
-+ * required there, and we might get a
-+ * non-EAP packet with (or without)
-+ * Message-Authenticator
-+ */
-+ return;
-+ } else {
-+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ ERROR("BlastRADIUS check: Received packet with Message-Authenticator.");
-+ ERROR("Setting \"require_message_authenticator = true\" for client %s", client->shortname);
-+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ ERROR("It looks like the client has been updated to protect from the BlastRADIUS attack.");
-+ ERROR("Please set \"require_message_authenticator = true\" for client %s", client->shortname);
-+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+
-+ client->require_ma = FR_BOOL_TRUE;
-+ return;
-+ }
-+
-+ }
-+
-+ /*
-+ * If all of the checks are turned off, then complain for every packet we receive.
-+ */
-+ if (client->limit_proxy_state == FR_BOOL_FALSE) {
-+ /*
-+ * We have a Message-Authenticator, and it's valid. We don't need to compain. 
-+ */
-+ if (!fr_debug_lvl) return; /* easier than checking for each line below */
-+
-+ DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ DEBUG("BlastRADIUS check: Received packet without Message-Authenticator.");
-+ DEBUG("YOU MUST SET \"require_message_authenticator = true\", or");
-+ DEBUG("YOU MUST SET \"limit_proxy_state = true\" for client %s", client->shortname);
-+ DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ DEBUG("The packet does not contain Message-Authenticator, which is a security issue");
-+ DEBUG("UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.");
-+ DEBUG("Once the client is upgraded, set \"require_message_authenticator = true\" for client %s", client->shortname);
-+ DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ return;
-+ }
-+
-+ /*
-+ * Don't complain here. rad_packet_ok() will instead
-+ * complain about every packet with Proxy-State but which
-+ * is missing Message-Authenticator. 
-+ */
-+ if (client->limit_proxy_state == FR_BOOL_TRUE) {
-+ return;
-+ }
-+
-+ if (packet->proxy_state && !packet->message_authenticator) {
-+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ ERROR("BlastRADIUS check: Received packet with Proxy-State, but without Message-Authenticator.");
-+ ERROR("This is either a BlastRADIUS attack, OR");
-+ ERROR("the client is a proxy RADIUS server which has not been upgraded.");
-+ ERROR("Setting \"limit_proxy_state = false\" for client %s", client->shortname);
-+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ ERROR("UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.");
-+ DEBUG("Once the client is upgraded, set \"require_message_authenticator = true\" for client %s", client->shortname);
-+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+
-+ client->limit_proxy_state = FR_BOOL_FALSE;
-+
-+ } else {
-+ client->limit_proxy_state = FR_BOOL_TRUE;
-+
-+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ if (!packet->proxy_state) {
-+ ERROR("BlastRADIUS check: Received packet without Proxy-State.");
-+ } else {
-+ ERROR("BlastRADIUS check: Received packet with Proxy-State and Message-Authenticator.");
-+ }
-+
-+ ERROR("Setting \"limit_proxy_state = true\" for client %s", client->shortname);
-+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+
-+ if (!packet->message_authenticator) {
-+ ERROR("The packet does not contain Message-Authenticator, which is a security issue.");
-+ ERROR("UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK.");
-+ DEBUG("Once the client is upgraded, set \"require_message_authenticator = true\" for client %s", client->shortname);
-+ } else {
-+ ERROR("The packet contains Message-Authenticator.");
-+ if (!packet->eap_message) ERROR("The 
client has likely been upgraded to protect from the attack.");
-+ ERROR("Please set \"require_message_authenticator = true\" for client %s", client->shortname);
-+ }
-+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ }
-+}
-+
-+
- #ifdef WITH_TCP
- static int dual_tcp_recv(rad_listen_t *listener)
- {
-@@ -532,6 +648,21 @@ static int dual_tcp_recv(rad_listen_t *listener)
- switch (packet->code) {
- case PW_CODE_ACCESS_REQUEST:
- if (listener->type != RAD_LISTEN_AUTH) goto bad_packet;
-+
-+ /*
-+ * Enforce BlastRADIUS checks on TCP, too.
-+ */
-+ if (!rad_packet_ok(packet, (client->require_ma == FR_BOOL_TRUE) | ((client->limit_proxy_state == FR_BOOL_TRUE) << 2), NULL)) {
-+ FR_STATS_INC(auth, total_malformed_requests);
-+ rad_free(&sock->packet);
-+ return 0;
-+ }
-+
-+ /*
-+ * Perform BlastRADIUS checks and warnings.
-+ */
-+ if (packet->code == PW_CODE_ACCESS_REQUEST) blastradius_checks(packet, client);
-+
- FR_STATS_INC(auth, total_requests);
- fun = rad_authenticate;
- break;
-@@ -1562,7 +1693,7 @@ static int auth_socket_recv(rad_listen_t *listener)
- * Now that we've sanity checked everything, receive the
- * packet.
- */
-- packet = rad_recv(ctx, listener->fd, client->message_authenticator);
-+ packet = rad_recv(ctx, listener->fd, (client->require_ma == FR_BOOL_TRUE) | ((client->limit_proxy_state == FR_BOOL_TRUE) << 2));
- if (!packet) {
- FR_STATS_INC(auth, total_malformed_requests);
- if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror());
-@@ -1570,6 +1701,12 @@ static int auth_socket_recv(rad_listen_t *listener)
- return 0;
- }
- 
-+
-+ /*
-+ * Perform BlastRADIUS checks and warnings.
-+ */
-+ if (packet->code == PW_CODE_ACCESS_REQUEST) blastradius_checks(packet, client);
-+
- #ifdef __APPLE__
- #ifdef WITH_UDPFROMTO
- /*
-@@ -1955,7 +2092,7 @@ static int coa_socket_recv(rad_listen_t *listener)
- * Now that we've sanity checked everything, receive the
- * packet. 
- */
-- packet = rad_recv(ctx, listener->fd, client->message_authenticator);
-+ packet = rad_recv(ctx, listener->fd, client->require_ma | (((int) client->limit_proxy_state) << 2));
- if (!packet) {
- FR_STATS_INC(coa, total_malformed_requests);
- if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror());
-diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
-index e9dd412dee..520d7fa474 100644
---- a/src/main/mainconfig.c
-+++ b/src/main/mainconfig.c
-@@ -73,6 +73,8 @@ static char const *gid_name = NULL;
- static char const *chroot_dir = NULL;
- static bool allow_core_dumps = false;
- static char const *radlog_dest = NULL;
-+static char const *require_message_authenticator = NULL;
-+static char const *limit_proxy_state = NULL;
- 
- /*
- * These are not used anywhere else..
-@@ -87,6 +89,53 @@ static bool do_colourise = false;
- 
- static char const *radius_dir = NULL; //!< Path to raddb directory
- 
-+static const FR_NAME_NUMBER fr_bool_auto_names[] = {
-+ { "false", FR_BOOL_FALSE },
-+ { "no", FR_BOOL_FALSE },
-+ { "0", FR_BOOL_FALSE },
-+
-+ { "true", FR_BOOL_TRUE },
-+ { "yes", FR_BOOL_TRUE },
-+ { "1", FR_BOOL_TRUE },
-+
-+ { "auto", FR_BOOL_AUTO },
-+
-+ { NULL, 0 }
-+};
-+
-+/*
-+ * Get decent values for false / true / auto
-+ */
-+int fr_bool_auto_parse(CONF_PAIR *cp, fr_bool_auto_t *out, char const *str)
-+{
-+ int value;
-+
-+ /*
-+ * Don't change anything.
-+ */
-+ if (!str) return 0;
-+
-+ value = fr_str2int(fr_bool_auto_names, str, -1);
-+ if (value >= 0) {
-+ *out = value;
-+ return 0;
-+ }
-+
-+ /*
-+ * This should never happen, as the defaults are in the
-+ * source code. If there's no CONF_PAIR, and there's a
-+ * parse error, then the source code is wrong. 
-+ */
-+ if (!cp) {
-+ fprintf(stderr, "%s: Error - Invalid value in configuration", main_config.name);
-+ return -1;
-+ }
-+
-+ cf_log_err(cf_pair_to_item(cp), "Invalid value for \"%s\"", cf_pair_attr(cp));
-+ return -1;
-+}
-+
-+
- /**********************************************************************
- *
- * We need to figure out where the logs go, before doing anything
-@@ -159,6 +208,8 @@ static const CONF_PARSER security_config[] = {
- { "max_attributes", FR_CONF_POINTER(PW_TYPE_INTEGER, &fr_max_attributes), STRINGIFY(0) },
- { "reject_delay", FR_CONF_POINTER(PW_TYPE_TIMEVAL, &main_config.reject_delay), STRINGIFY(0) },
- { "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},
-+ { "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_STRING, &require_message_authenticator), "auto"},
-+ { "limit_proxy_state", FR_CONF_POINTER(PW_TYPE_STRING, &limit_proxy_state), "auto"},
- #ifdef ENABLE_OPENSSL_VERSION_CHECK
- { "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"},
- #endif
-@@ -838,6 +889,8 @@ int main_config_init(void)
- if (!main_config.dictionary_dir) {
- main_config.dictionary_dir = DICTDIR;
- }
-+ main_config.require_ma = FR_BOOL_AUTO;
-+ main_config.limit_proxy_state = FR_BOOL_AUTO;
- 
- /*
- * About sizeof(REQUEST) + sizeof(RADIUS_PACKET) * 2 + sizeof(VALUE_PAIR) * 400
-@@ -1127,6 +1180,23 @@ do {\
- main_config.init_delay.tv_sec = 0;
- main_config.init_delay.tv_usec = 2* (1000000 / 3);
- 
-+ {
-+ CONF_PAIR *cp = NULL;
-+
-+ subcs = cf_section_sub_find(cs, "security");
-+ if (subcs) cp = cf_pair_find(subcs, "require_message_authenticator");
-+ if (fr_bool_auto_parse(cp, &main_config.require_ma, require_message_authenticator) < 0) {
-+ cf_file_free(cs);
-+ return -1;
-+ }
-+
-+ if (subcs) cp = cf_pair_find(subcs, "limit_proxy_state");
-+ if (fr_bool_auto_parse(cp, &main_config.limit_proxy_state, limit_proxy_state) < 0) {
-+ cf_file_free(cs);
-+ return -1;
-+ }
-+ }
-+ 
- /*
- * Free the old configuration items, and replace them
- * with the new ones.
-diff --git a/src/main/process.c b/src/main/process.c
-index 1a48517d43..401033bdd6 100644
---- a/src/main/process.c
-+++ b/src/main/process.c
-@@ -2593,6 +2593,23 @@ int request_proxy_reply(RADIUS_PACKET *packet)
- 
- PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
- 
-+ if (!request->proxy_reply) {
-+ decode_fail_t reason;
-+
-+ /*
-+ * If the home server configuration requires a Message-Authenticator, then set the flag,
-+ * but only if the proxied packet is Access-Request or Status-Sercer.
-+ *
-+ * The realms.c file already clears require_ma for TLS connections.
-+ */
-+ bool require_ma = (request->home_server->require_ma == FR_BOOL_TRUE) && (request->proxy->code == PW_CODE_ACCESS_REQUEST);
-+
-+ if(!rad_packet_ok(packet, require_ma, &reason)) {
-+ DEBUG("Ignoring invalid packet - %s", fr_strerror());
-+ return 0;
-+ }
-+ }
-+
- /*
- * No reply, BUT the current packet fails verification:
- * ignore it. This does the MD5 calculations in the
-@@ -2618,6 +2635,54 @@ int request_proxy_reply(RADIUS_PACKET *packet)
- return 0;
- }
- 
-+
-+ /*
-+ * BlastRADIUS checks. We're running in the main
-+ * listener thread, so there's no conflict
-+ * checking or setting these fields. 
-+ */
-+ if (!request->proxy_reply && (request->proxy->code == PW_CODE_ACCESS_REQUEST) &&
-+#ifdef WITH_TLS
-+ !request->home_server->tls &&
-+#endif
-+ !packet->eap_message) {
-+ if (request->home_server->require_ma == FR_BOOL_AUTO) {
-+ if (!packet->message_authenticator) {
-+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ RERROR("BlastRADIUS check: Received response to Access-Request without Message-Authenticator.");
-+ RERROR("Setting \"require_message_authenticator = false\" for home_server %s", request->home_server->name);
-+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ RERROR("UPGRADE THE HOME SERVER AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.");
-+ RERROR("Once the home_server is upgraded, set \"require_message_authenticator = true\" for home_server %s.", request->home_server->name);
-+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+
-+ request->home_server->require_ma = FR_BOOL_FALSE;
-+ } else {
-+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ RERROR("BlastRADIUS check: Received response to Access-Request with Message-Authenticator.");
-+ RERROR("Setting \"require_message_authenticator = true\" for home_server %s", request->home_server->name);
-+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ RERROR("It looks like the home server has been updated to protect from the BlastRADIUS attack.");
-+ RERROR("Please set \"require_message_authenticator = true\" for home_server %s", request->home_server->name);
-+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+
-+ request->home_server->require_ma = FR_BOOL_TRUE;
-+ }
-+
-+ } else if (fr_debug_lvl && (request->home_server->require_ma == FR_BOOL_FALSE) && !packet->message_authenticator) {
-+ /*
-+ * If it's "no" AND we 
don't have a Message-Authenticator, then complain on every packet.
-+ */
-+ RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ RDEBUG("BlastRADIUS check: Received packet without Message-Authenticator from home_server %s", request->home_server->name);
-+ RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ RDEBUG("The packet does not contain Message-Authenticator, which is a security issue");
-+ RDEBUG("UPGRADE THE HOME SERVER AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.");
-+ RERROR("Once the home_server is upgraded, set \"require_message_authenticator = true\" for home_server %s.", request->home_server->name);
-+ RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
-+ }
-+ }
-+
- /*
- * This shouldn't happen, but threads and race
- * conditions.
-diff --git a/src/main/radclient.c b/src/main/radclient.c
-index 52d2872b13..47d5f07785 100644
---- a/src/main/radclient.c
-+++ b/src/main/radclient.c
-@@ -54,6 +54,7 @@ static fr_ipaddr_t server_ipaddr;
- static int resend_count = 1;
- static bool done = true;
- static bool print_filename = false;
-+static bool blast_radius = false;
- 
- static fr_ipaddr_t client_ipaddr;
- static uint16_t client_port = 0;
-@@ -89,6 +90,7 @@ static void NEVER_RETURNS usage(void)
- fprintf(stderr, " One of auth, acct, status, coa, disconnect or auto.\n");
- fprintf(stderr, " -4 Use IPv4 address of server\n");
- fprintf(stderr, " -6 Use IPv6 address of server.\n");
-+ fprintf(stderr, " -b Mandate checks for Blast RADIUS (this is not set by default).\n");
- fprintf(stderr, " -c Send each packet 'count' times.\n");
- fprintf(stderr, " -d Set user dictionary directory (defaults to " RADDBDIR ").\n");
- fprintf(stderr, " -D Set main dictionary directory (defaults to " DICTDIR ").\n");
-@@ -1000,6 +1002,130 @@ static int send_one_packet(rc_request_t *request)
- return 0;
- }
- 
-+/*
-+ * Do Blast RADIUS checks. 
-+ * -+ * The request is an Access-Request, and does NOT contain Proxy-State. -+ * -+ * The reply is a raw packet, and is NOT yet decoded. -+ */ -+static int blast_radius_check(rc_request_t *request, RADIUS_PACKET *reply) -+{ -+ uint8_t *attr, *end; -+ VALUE_PAIR *vp; -+ bool have_message_authenticator = false; -+ -+ /* -+ * We've received a raw packet. Nothing has (as of yet) checked -+ * anything in it other than the length, and that it's a -+ * well-formed RADIUS packet. -+ */ -+ switch (reply->data[0]) { -+ case PW_CODE_ACCESS_ACCEPT: -+ case PW_CODE_ACCESS_REJECT: -+ case PW_CODE_ACCESS_CHALLENGE: -+ if (reply->data[1] != request->packet->id) { -+ ERROR("Invalid reply ID %d to Access-Request ID %d", reply->data[1], request->packet->id); -+ return -1; -+ } -+ break; -+ -+ default: -+ ERROR("Invalid reply code %d to Access-Request", reply->data[0]); -+ return -1; -+ } -+ -+ /* -+ * If the reply has a Message-Authenticator, then it MIGHT be fine. -+ */ -+ attr = reply->data + 20; -+ end = reply->data + reply->data_len; -+ -+ /* -+ * It should be the first attribute, so we warn if it isn't there. -+ * -+ * But it's not a fatal error. -+ */ -+ if (blast_radius && (attr[0] != PW_MESSAGE_AUTHENTICATOR)) { -+ RDEBUG("WARNING The %s reply packet does not have Message-Authenticator as the first attribute. The packet may be vulnerable to Blast RADIUS attacks.", -+ fr_packet_codes[reply->data[0]]); -+ } -+ -+ /* -+ * Set up for Proxy-State checks. -+ * -+ * If we see a Proxy-State in the reply which we didn't send, then it's a Blast RADIUS attack. -+ */ -+ vp = fr_pair_find_by_num(request->packet->vps, PW_PROXY_STATE, 0, TAG_ANY); -+ -+ while (attr < end) { -+ /* -+ * Blast RADIUS work-arounds require that -+ * Message-Authenticator is the first attribute in the -+ * reply. Note that we don't check for it being the -+ * first attribute, but simply that it exists. 
-+ * -+ * That check is a balance between securing the reply -+ * packet from attacks, and not violating the RFCs which -+ * say that there is no order to attributes in the -+ * packet. -+ * -+ * However, no matter the status of the '-b' flag we -+ * still can check for the signature of the attack, and -+ * discard packets which are suspicious. This behavior -+ * protects radclient from the attack, without mandating -+ * new behavior on the server side. -+ * -+ * Note that we don't set the '-b' flag by default. -+ * radclient is intended for testing / debugging, and is -+ * not intended to be used as part of a secure login / -+ * user checking system. -+ */ -+ if (attr[0] == PW_MESSAGE_AUTHENTICATOR) { -+ have_message_authenticator = true; -+ goto next; -+ } -+ -+ /* -+ * If there are Proxy-State attributes in the reply, they must -+ * match EXACTLY the Proxy-State attributes in the request. -+ * -+ * Note that we don't care if there are more Proxy-States -+ * in the request than in the reply. The Blast RADIUS -+ * issue requires _adding_ Proxy-State attributes, and -+ * cannot work when the server _deletes_ Proxy-State -+ * attributes. -+ */ -+ if (attr[0] == PW_PROXY_STATE) { -+ if (!vp || (vp->length != (size_t) (attr[1] - 2)) || (memcmp(vp->vp_octets, attr + 2, vp->length) != 0)) { -+ ERROR("Invalid reply to Access-Request ID %d - Discarding packet due to Blast RADIUS attack being detected.", request->packet->id); -+ ERROR("We received a Proxy-State in the reply which we did not send, or which is different from what we sent."); -+ return -1; -+ } -+ -+ vp = fr_pair_find_by_num(vp->next, PW_PROXY_STATE, 0, TAG_ANY); -+ } -+ -+ next: -+ attr += attr[1]; -+ } -+ -+ /* -+ * If "-b" is set, then we require Message-Authenticator in the reply. 
-+ */ -+ if (blast_radius && !have_message_authenticator) { -+ ERROR("The %s reply packet does not contain Message-Authenticator - discarding packet due to Blast RADIUS checks.", -+ fr_packet_codes[reply->data[0]]); -+ return -1; -+ } -+ -+ /* -+ * The packet doesn't look like it's a Blast RADIUS attack. The -+ * caller will now verify the packet signature. -+ */ -+ return 0; -+} -+ - /* - * Receive one packet, maybe. - */ -@@ -1051,6 +1177,21 @@ static int recv_one_packet(int wait_time) - } - request = fr_packet2myptr(rc_request_t, packet, packet_p); - -+ -+ /* -+ * We want radclient to be able to send any packet, including -+ * imperfect ones. However, we do NOT want to be vulnerable to -+ * the "Blast RADIUS" issue. Instead of adding command-line -+ * flags to enable/disable similar flags to what the server -+ * sends, we just do a few more smart checks to double-check -+ * things. -+ */ -+ if ((request->packet->code == PW_CODE_ACCESS_REQUEST) && -+ blast_radius_check(request, reply) < 0) { -+ rad_free(&reply); -+ return -1; -+ } -+ - /* - * Fails the signature validation: not a real reply. - * FIXME: Silently drop it and listen for another packet. -@@ -1183,7 +1324,7 @@ int main(int argc, char **argv) - exit(1); - } - -- while ((c = getopt(argc, argv, "46c:d:D:f:Fhn:p:qr:sS:t:vx" -+ while ((c = getopt(argc, argv, "46bc:d:D:f:Fhn:p:qr:sS:t:vx" - #ifdef WITH_TCP - "P:" - #endif -@@ -1192,6 +1333,10 @@ int main(int argc, char **argv) - force_af = AF_INET; - break; - -+ case 'b': -+ blast_radius = true; -+ break; -+ - case '6': - force_af = AF_INET6; - break; -diff --git a/src/main/radtest.in b/src/main/radtest.in -index 38b1ba9a0f..8a6741a26c 100644 ---- a/src/main/radtest.in -+++ b/src/main/radtest.in -@@ -19,6 +19,7 @@ usage() { - echo " -x Enable debug output" >&2 - echo " -4 Use IPv4 for the NAS address (default)" >&2 - echo " -6 Use IPv6 for the NAS address" >&2 -+ echo " -6 Mandate checks for Blast RADIUS (this is not set by default)." 
>&2 - exit 1 - } - -@@ -55,6 +56,10 @@ do - NAS_ADDR_ATTR="NAS-IPv6-Address" - shift - ;; -+ -b) -+ OPTIONS="$OPTIONS -b" -+ shift -+ ;; - -d) - OPTIONS="$OPTIONS -d $2" - shift;shift -@@ -120,7 +125,6 @@ fi - echo "$PASSWORD = \"$2\"" - echo "$NAS_ADDR_ATTR = $nas" - echo "NAS-Port = $4" -- echo "Message-Authenticator = 0x00" - if [ "$radclient" = "$radeapclient" ] - then - echo "EAP-Code = Response" -diff --git a/src/main/realms.c b/src/main/realms.c -index eb42598116..5e1215c0bb 100644 ---- a/src/main/realms.c -+++ b/src/main/realms.c -@@ -366,7 +366,10 @@ static CONF_PARSER home_server_coa[] = { - }; - #endif - -+static const char *require_message_authenticator = NULL; -+ - static CONF_PARSER home_server_config[] = { -+ { "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_STRING| PW_TYPE_IGNORE_DEFAULT, &require_message_authenticator), NULL }, - { "ipaddr", FR_CONF_OFFSET(PW_TYPE_COMBO_IP_ADDR, home_server_t, ipaddr), NULL }, - { "ipv4addr", FR_CONF_OFFSET(PW_TYPE_IPV4_ADDR, home_server_t, ipaddr), NULL }, - { "ipv6addr", FR_CONF_OFFSET(PW_TYPE_IPV6_ADDR, home_server_t, ipaddr), NULL }, -@@ -640,6 +643,9 @@ home_server_t *home_server_afrom_cs(TALLOC_CTX *ctx, realm_config_t *rc, CONF_SE - home->cs = cs; - home->state = HOME_STATE_UNKNOWN; - home->proto = IPPROTO_UDP; -+ home->require_ma = main_config.require_ma; -+ -+ require_message_authenticator = false; - - /* - * Parse the configuration into the home server -@@ -647,6 +653,10 @@ home_server_t *home_server_afrom_cs(TALLOC_CTX *ctx, realm_config_t *rc, CONF_SE - */ - if (cf_section_parse(cs, home, home_server_config) < 0) goto error; - -+ if (fr_bool_auto_parse(cf_pair_find(cs, "require_message_authenticator"), &home->require_ma, require_message_authenticator) < 0) { -+ goto error; -+ } -+ - /* - * It has an IP address, it must be a remote server. - */ -@@ -924,6 +934,7 @@ home_server_t *home_server_afrom_cs(TALLOC_CTX *ctx, realm_config_t *rc, CONF_SE - * Parse the SSL client configuration. 
- */ - if (tls) { -+ home->require_ma = false; - home->tls = tls_client_conf_parse(tls); - if (!home->tls) { - goto error; -diff --git a/src/main/tls_listen.c b/src/main/tls_listen.c -index 0eed87b64f..4ae3c5b975 100644 ---- a/src/main/tls_listen.c -+++ b/src/main/tls_listen.c -@@ -299,6 +299,8 @@ get_application_data: - packet->vps = NULL; - PTHREAD_MUTEX_UNLOCK(&sock->mutex); - -+ packet->tls = true; -+ - if (!rad_packet_ok(packet, 0, NULL)) { - if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror()); - DEBUG("Closing TLS socket from client"); -@@ -713,6 +715,8 @@ int proxy_tls_recv(rad_listen_t *listener) - memcpy(packet->data, data, packet->data_len); - memcpy(packet->vector, packet->data + 4, 16); - -+ packet->tls = true; -+ - /* - * FIXME: Client MIB updates? - */ -@@ -765,6 +769,7 @@ int proxy_tls_send(rad_listen_t *listener, REQUEST *request) - * if there's no packet, encode it here. - */ - if (!request->proxy->data) { -+ request->reply->tls = true; - request->proxy_listener->encode(request->proxy_listener, - request); - } --- -2.35.7 - diff --git a/meta-networking/recipes-connectivity/freeradius/files/check-openssl-cmds-in-script-bootstrap.patch b/meta-networking/recipes-connectivity/freeradius/files/check-openssl-cmds-in-script-bootstrap.patch deleted file mode 100644 index fcadae93a0..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/check-openssl-cmds-in-script-bootstrap.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -bootstrap: check commands of openssl exist - -It calls openssl commands dhparam and pkcs12 in script bootstrap. These -commands are configurable based on configure options 'no-dh' and -'no-des', and may not be provided by openssl. So check existence of -these commands. If not, abort running of script bootstrap. - -1. https://github.com/openssl/openssl/blob/master/apps/build.info#L37 -2. https://github.com/openssl/openssl/blob/master/apps/build.info#L22 - -Upstream-Status: Denied [https://github.com/FreeRADIUS/freeradius-server/pull/4059] - The maintainer commented in the pull that the script could - be run on a host which provides these openssl commands. - -Signed-off-by: Kai Kang ---- - raddb/certs/bootstrap | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap -index 0f719aafd4..17feddbeeb 100755 ---- a/raddb/certs/bootstrap -+++ b/raddb/certs/bootstrap -@@ -13,6 +13,14 @@ - umask 027 - cd `dirname $0` - -+# check commands of openssl exist -+for cmd in dhparam pkcs12; do -+ if ! openssl ${cmd} -help >/dev/null 2>&1; then -+ echo "Error: command ${cmd} is not supported by openssl." -+ exit 1 -+ fi -+done -+ - make -h > /dev/null 2>&1 - - # diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-avoid-searching-host-dirs.patch b/meta-networking/recipes-connectivity/freeradius/files/freeradius-avoid-searching-host-dirs.patch deleted file mode 100644 index 9c997661fc..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-avoid-searching-host-dirs.patch +++ /dev/null 
@@ -1,197 +0,0 @@ -From dc41591d5ceb18900ec85894f8f7b7bb44bb3bd9 Mon Sep 17 00:00:00 2001 -From: Jackie Huang -Date: Mon, 4 Jan 2016 01:44:04 -0500 -Subject: [PATCH] avoid searching host dirs - -Don't search the hardcoded host dirs to avoid -host contamination. - -Upstream-Status: Inappropriate [cross-compile specific] - -Signed-off-by: Jackie Huang ---- - acinclude.m4 | 4 ++-- - src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac | 4 ++-- - src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac | 4 ++-- - src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac | 4 ++-- - src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac | 6 +++--- - src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac | 2 +- - src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac | 4 ++-- - src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac | 4 ++-- - 8 files changed, 16 insertions(+), 16 deletions(-) - -diff --git a/acinclude.m4 b/acinclude.m4 -index da48acc..b513ae1 100644 ---- a/acinclude.m4 -+++ b/acinclude.m4 -@@ -178,7 +178,7 @@ if test "x$smart_lib" = "x"; then - FR_LOCATE_DIR(smart_lib_dir,[lib$1${libltdl_cv_shlibext}]) - FR_LOCATE_DIR(smart_lib_dir,[lib$1.a]) - -- for try in $smart_lib_dir /usr/local/lib /opt/lib; do -+ for try in $smart_lib_dir; do - AC_MSG_CHECKING([for $2 in -l$1 in $try]) - LIBS="-l$1 $old_LIBS" - CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" -@@ -218,7 +218,7 @@ ac_safe=`echo "$1" | sed 'y%./+-%__pm%'` - old_CPPFLAGS="$CPPFLAGS" - smart_include= - dnl # The default directories we search in (in addition to the compilers search path) --smart_include_dir="/usr/local/include /opt/include" -+smart_include_dir= - - dnl # Our local versions - _smart_try_dir= -diff --git a/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac -index 75c851a..a262d71 100644 ---- a/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac -+++ b/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac -@@ -57,14 +57,14 @@ 
if test x$with_[]modname != xno; then - esac]) - - dnl Check for SQLConnect in -ldb2 -- smart_try_dir="$ibmdb2_lib_dir /usr/local/db2/lib /usr/IBMdb2/V7.1/lib" -+ smart_try_dir="$ibmdb2_lib_dir" - FR_SMART_CHECK_LIB(db2, SQLConnect) - if test "x$ac_cv_lib_db2_SQLConnect" != xyes; then - fail="$fail libdb2" - fi - - dnl Check for sqlcli.h -- smart_try_dir="$ibmdb2_include_dir /usr/local/db2/include /usr/IBMdb2/V7.1/include" -+ smart_try_dir="$ibmdb2_include_dir" - FR_SMART_CHECK_INCLUDE(sqlcli.h) - if test "x$ac_cv_header_sqlcli_h" != xyes; then - fail="$fail sqlcli.h" -diff --git a/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac -index 4da57b3..752b043 100644 ---- a/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac -+++ b/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac -@@ -56,14 +56,14 @@ if test x$with_[]modname != xno; then - esac]) - - dnl Check for isc_attach_database in -lfbclient -- smart_try_dir="$firebird_lib_dir /usr/lib/firebird2/lib /usr/local/firebird/lib" -+ smart_try_dir="$firebird_lib_dir" - FR_SMART_CHECK_LIB(fbclient, isc_attach_database) - if test "x$ac_cv_lib_fbclient_isc_attach_database" != xyes; then - fail="$fail libfbclient" - fi - - dnl Check for ibase.h -- smart_try_dir="$firebird_include_dir /usr/lib/firebird2/include /usr/local/firebird/include" -+ smart_try_dir="$firebird_include_dir" - FR_SMART_CHECK_INCLUDE(ibase.h) - if test "x$ac_cv_header_ibase_h" != xyes; then - fail="$fail ibase.h" -diff --git a/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac -index ba6304f..3393557 100644 ---- a/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac -+++ b/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac -@@ -57,14 +57,14 @@ if test x$with_[]modname != xno; then - esac]) - - dnl Check for SQLConnect in -liodbc -- smart_try_dir="$iodbc_lib_dir /usr/lib /usr/lib/iodbc /usr/local/lib/iodbc 
/usr/local/iodbc/lib/iodbc" -+ smart_try_dir="$iodbc_lib_dir" - FR_SMART_CHECK_LIB(iodbc, SQLConnect) - if test "x$ac_cv_lib_iodbc_SQLConnect" != xyes; then - fail="$fail libiodbc" - fi - - dnl Check for isql.h -- smart_try_dir="$iodbc_include_dir /usr/include /usr/include/iodbc /usr/local/iodbc/include" -+ smart_try_dir="$iodbc_include_dir" - FR_SMART_CHECK_INCLUDE(isql.h) - if test "x$ac_cv_header_isql_h" != xyes; then - fail="$fail isql.h" -diff --git a/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac -index 1401677..2e7db44 100644 ---- a/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac -+++ b/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac -@@ -136,7 +136,7 @@ if test x$with_[]modname != xno; then - - dnl # Check for libmysqlclient_r - if test "x$have_a_libmysqlclient" != "xyes"; then -- smart_try_dir="$mysql_lib_dir /usr/lib /usr/lib/mysql /usr/local/lib/mysql /usr/local/mysql/lib/mysql" -+ smart_try_dir="$mysql_lib_dir" - FR_SMART_CHECK_LIB(mysqlclient_r, mysql_init) - if test "x$ac_cv_lib_mysqlclient_r_mysql_init" = "xyes"; then - have_a_libmysqlclient='yes' -@@ -145,7 +145,7 @@ if test x$with_[]modname != xno; then - - dnl # Check for libmysqlclient - if test "x$have_a_libmysqlclient" != "xyes"; then -- smart_try_dir="$mysql_lib_dir /usr/lib /usr/lib/mysql /usr/local/lib/mysql /usr/local/mysql/lib/mysql" -+ smart_try_dir="$mysql_lib_dir" - FR_SMART_CHECK_LIB(mysqlclient, mysql_init) - if test "x$ac_cv_lib_mysqlclient_mysql_init" = "xyes"; then - have_a_libmysqlclient='yes' -@@ -189,7 +189,7 @@ if test x$with_[]modname != xno; then - fi - - if test "x$have_mysql_h" != "xyes"; then -- smart_try_dir="$mysql_include_dir /usr/local/include /usr/local/mysql/include" -+ smart_try_dir="$mysql_include_dir" - FR_SMART_CHECK_INCLUDE(mysql/mysql.h) - if test "x$ac_cv_header_mysql_mysql_h" = "xyes"; then - AC_DEFINE(HAVE_MYSQL_MYSQL_H, [], [Define if you have ]) -diff --git 
a/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac -index 3178462..5cbc8c2 100644 ---- a/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac -+++ b/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac -@@ -63,7 +63,7 @@ if test x$with_[]modname != xno; then - dnl # Check for header files - dnl ############################################################ - -- smart_try_dir="$oracle_include_dir /usr/local/instaclient/include" -+ smart_try_dir="$oracle_include_dir" - - if test "x$ORACLE_HOME" != "x"; then - smart_try_dir="${smart_try_dir} ${ORACLE_HOME}/include" -diff --git a/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac -index 4f9a890..e1cf811 100644 ---- a/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac -+++ b/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac -@@ -41,7 +41,7 @@ if test x$with_[]modname != xno; then - esac ] - ) - -- smart_try_dir="$rlm_sql_postgresql_include_dir /usr/include/postgresql /usr/local/pgsql/include /usr/include/pgsql" -+ smart_try_dir="$rlm_sql_postgresql_include_dir" - FR_SMART_CHECK_INCLUDE(libpq-fe.h) - if test "x$ac_cv_header_libpqmfe_h" != "xyes"; then - fail="$fail libpq-fe.h" -@@ -76,7 +76,7 @@ if test x$with_[]modname != xno; then - ]) - fi - -- smart_try_dir="$rlm_sql_postgresql_lib_dir /usr/lib /usr/local/pgsql/lib" -+ smart_try_dir="$rlm_sql_postgresql_lib_dir" - FR_SMART_CHECK_LIB(pq, PQconnectdb) - if test "x$ac_cv_lib_pq_PQconnectdb" != "xyes"; then - fail="$fail libpq" -diff --git a/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac -index 3545387..c543ed4 100644 ---- a/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac -+++ b/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac -@@ -57,14 +57,14 @@ if test x$with_[]modname != xno; then - esac]) - - dnl Check for SQLConnect in 
-lodbc -- smart_try_dir="$unixodbc_lib_dir /usr/local/unixodbc/lib" -+ smart_try_dir="$unixodbc_lib_dir" - FR_SMART_CHECK_LIB(odbc, SQLConnect) - if test "x$ac_cv_lib_odbc_SQLConnect" != xyes; then - fail="$fail libodbc" - fi - - dnl Check for sql.h -- smart_try_dir="$unixodbc_include_dir /usr/local/unixodbc/include" -+ smart_try_dir="$unixodbc_include_dir" - FR_SMART_CHECK_INCLUDE(sql.h) - if test "x$ac_cv_header_sql_h" != xyes; then - fail="$fail sql.h" --- -1.9.1 - diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-add-option-for-libcap.patch b/meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-add-option-for-libcap.patch deleted file mode 100644 index 4719358722..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-add-option-for-libcap.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 98a9eff357959d1113e33a615c2178751d5b2054 Mon Sep 17 00:00:00 2001 -From: Changqing Li -Date: Thu, 22 Aug 2019 10:50:21 +0800 -Subject: [PATCH 2/2] configure.ac: add option for libcap - -Upstream-Status: Pending - -Signed-off-by: Jackie Huang -Signed-off-by: Changqing Li ---- - configure.ac | 36 +++++++++++++++++++++++++++--------- - 1 file changed, 27 insertions(+), 9 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 65db61e..6486aac 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -977,6 +977,22 @@ fi - dnl Set by FR_SMART_CHECKLIB - LIBS="${old_LIBS}" - -+dnl # -+dnl # extra argument: --with-libcap -+dnl # -+WITH_LIBCAP=yes -+AC_ARG_WITH(libcap, -+[ --with-licap use licap for debugger checks. (default=yes)], -+[ case "$withval" in -+ no) -+ WITH_LIBCAP=no -+ ;; -+ *) -+ WITH_LIBCAP=yes -+ ;; -+ esac ] -+) -+ - dnl Check for cap - dnl extra argument: --with-cap-lib-dir=DIR - cap_lib_dir= -@@ -1010,15 +1026,17 @@ AC_ARG_WITH(cap-include-dir, - ;; - esac]) - --smart_try_dir="$cap_lib_dir" --FR_SMART_CHECK_LIB(cap, cap_get_proc) --if test "x$ac_cv_lib_cap_cap_get_proc" != "xyes"; then -- AC_MSG_WARN([cap library not found, debugger checks will not be enabled. Use --with-cap-lib-dir=.]) --else -- AC_DEFINE(HAVE_LIBCAP, 1, -- [Define to 1 if you have the `cap' library (-lcap).] -- ) -- HAVE_LIBCAP=1 -+if test "x$WITH_LIBCAP" = xyes; then -+ smart_try_dir="$cap_lib_dir" -+ FR_SMART_CHECK_LIB(cap, cap_get_proc) -+ if test "x$ac_cv_lib_cap_cap_get_proc" != "xyes"; then -+ AC_MSG_WARN([cap library not found, debugger checks will not be enabled. Use --with-cap-lib-dir=.]) -+ else -+ AC_DEFINE(HAVE_LIBCAP, 1, -+ [Define to 1 if you have the `cap' library (-lcap).] -+ ) -+ HAVE_LIBCAP=1 -+ fi - fi - - dnl # --- -2.7.4 - 
diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-allow-cross-compilation.patch b/meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-allow-cross-compilation.patch deleted file mode 100644 index 38e7c36227..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-allow-cross-compilation.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 0780b7053fb0d33d721aa70ab2ecd75299e5ba31 Mon Sep 17 00:00:00 2001 -From: Changqing Li -Date: Tue, 24 Jul 2018 15:03:39 +0800 -Subject: [PATCH] configure.ac: allow cross-compilation - -The checking OpenSSL library and header version consistency will -always fail in cross compiling, skip the check and give a warning -instead for cross compiling. - -Upstream-Status: Inappropriate[embedded specific] - -Signed-off-by: Jackie Huang -Signed-off-by: Yi Zhao - -update to new version 3.0.17 to fix patch warning -Signed-off-by: Changqing Li ---- - src/modules/rlm_krb5/configure.ac | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/modules/rlm_krb5/configure.ac b/src/modules/rlm_krb5/configure.ac -index efc9f29..98a97e4 100644 ---- a/src/modules/rlm_krb5/configure.ac -+++ b/src/modules/rlm_krb5/configure.ac -@@ -137,7 +137,8 @@ if test x$with_[]modname != xno; then - FR_SMART_CHECK_LIB(krb5, krb5_is_thread_safe) - if test "x$ac_cv_lib_krb5_krb5_is_thread_safe" = xyes; then - AC_RUN_IFELSE([AC_LANG_PROGRAM([[#include ]], [[return krb5_is_thread_safe() ? 0 : 1]])], -- [krb5threadsafe="-DKRB5_IS_THREAD_SAFE"], [AC_MSG_WARN([[libkrb5 is not threadsafe]])]) -+ [krb5threadsafe="-DKRB5_IS_THREAD_SAFE"], [AC_MSG_WARN([[libkrb5 is not threadsafe]])], -+ [AC_MSG_WARN(cross compiling: not checking)]) - fi - else - krb5threadsafe="" --- -2.7.4 - 
diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-enble-user-in-conf.patch b/meta-networking/recipes-connectivity/freeradius/files/freeradius-enble-user-in-conf.patch deleted file mode 100644 index 4a62bf1fa2..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-enble-user-in-conf.patch +++ /dev/null @@ -1,28 +0,0 @@ -Enable and change user and group of freeradius server to radiusd - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Roy.Li -Signed-off-by: Jackie Huang ---- - raddb/radiusd.conf.in | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in -index c62f4ff..0b4a84e 100644 ---- a/raddb/radiusd.conf.in -+++ b/raddb/radiusd.conf.in -@@ -436,8 +436,8 @@ security { - # member. This can allow for some finer-grained access - # controls. - # --# user = radius --# group = radius -+ user = radiusd -+ group = radiusd - - # Core dumps are a bad thing. This should only be set to - # 'yes' if you're debugging a problem with the server. --- -1.9.1 - diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-error-for-expansion-of-macro.patch b/meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-error-for-expansion-of-macro.patch deleted file mode 100644 index af1bff051f..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-error-for-expansion-of-macro.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 5b6d8b14f2696fcf1dca119212f9d0a0fa04defd Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Wed, 18 Jan 2017 14:59:39 +0800 -Subject: [PATCH] fix error for expansion of macro in thread.h - -The parameter declaration is missing in expansion of macro -which cause the build error: -| In file included from src/freeradius-devel/libradius.h:80:0, -| from src/lib/log.c:26: -| src/lib/log.c: In function '__fr_thread_local_destroy_fr_strerror_buffer': -| src/lib/log.c:37:31: error: 'fr_strerror_buffer' undeclared (first use in this function) -| fr_thread_local_setup(char *, fr_strerror_buffer) /* macro */ -| ^ - -Add the missing declaration in macro. - -Upstream-Status: Pending - -Signed-off-by: Yi Zhao ---- - src/include/threads.h | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/include/threads.h b/src/include/threads.h -index e36d81d..2bcb6aa 100644 ---- a/src/include/threads.h -+++ b/src/include/threads.h -@@ -89,7 +89,7 @@ static _t __fr_thread_local_init_##_n(pthread_destructor_t func)\ - # define fr_thread_local_get(_n) _n - #elif defined(HAVE_PTHREAD_H) - # include --# define fr_thread_local_setup(_t, _n) \ -+# define fr_thread_local_setup(_t, _n) static __thread _t _n;\ - static pthread_key_t __fr_thread_local_key_##_n;\ - static pthread_once_t __fr_thread_local_once_##_n = PTHREAD_ONCE_INIT;\ - static pthread_destructor_t __fr_thread_local_destructor_##_n = NULL;\ -@@ -100,17 +100,17 @@ static void __fr_thread_local_destroy_##_n(UNUSED void *unused)\ - static void __fr_thread_local_key_init_##_n(void)\ - {\ - (void) pthread_key_create(&__fr_thread_local_key_##_n, __fr_thread_local_destroy_##_n);\ -- (void) pthread_setspecific(__fr_thread_local_key_##_n, &(_n));\ - }\ - static _t __fr_thread_local_init_##_n(pthread_destructor_t func)\ - {\ - __fr_thread_local_destructor_##_n = func;\ - if (_n) return _n; \ - (void) pthread_once(&__fr_thread_local_once_##_n, __fr_thread_local_key_init_##_n);\ -+ (void) 
pthread_setspecific(__fr_thread_local_key_##_n, &(_n));\ - return _n;\ - } --# define fr_thread_local_init(_n, _f) __fr_thread_local_init_##_n(_f) --# define fr_thread_local_set(_n, _v) __fr_thread_local_set_##_n(_v) --# define fr_thread_local_get(_n) __fr_thread_local_get_##_n() -+# define fr_thread_local_init(_n, _f) __fr_thread_local_init_##_n(_f) -+# define fr_thread_local_set(_n, _v) ((int)!((_n = _v) || 1)) -+# define fr_thread_local_get(_n) _n - #endif - #endif --- -2.10.2 - diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-quoting-for-BUILT_WITH.patch b/meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-quoting-for-BUILT_WITH.patch deleted file mode 100644 index b0929c4b07..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-quoting-for-BUILT_WITH.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -Fix quoting for BUILD_WITH - -The escaped quotes are to make the -D values produce strings which -can be used to display these values. However, if the values are more -than one word, with spaces, they also need shell quoting to make them -into single words. - -Upstream-Status: Pending - -Signed-off-by: Peter Seebach -Signed-off-by: Yi Zhao ---- - src/main/libfreeradius-server.mk | 2 +- - src/main/unittest.mk | 2 +- - src/modules/rlm_eap/radeapclient.mk | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/main/libfreeradius-server.mk b/src/main/libfreeradius-server.mk -index 4495f72..07c28f1 100644 ---- a/src/main/libfreeradius-server.mk -+++ b/src/main/libfreeradius-server.mk -@@ -18,5 +18,5 @@ SOURCES := conffile.c \ - TGT_LDLIBS := $(OPENSSL_LIBS) - - ifneq ($(MAKECMDGOALS),scan) --SRC_CFLAGS += -DBUILT_WITH_CPPFLAGS=\"$(CPPFLAGS)\" -DBUILT_WITH_CFLAGS=\"$(CFLAGS)\" -DBUILT_WITH_LDFLAGS=\"$(LDFLAGS)\" -DBUILT_WITH_LIBS=\"$(LIBS)\" -+SRC_CFLAGS += -DBUILT_WITH_CPPFLAGS="\"$(CPPFLAGS)\"" -DBUILT_WITH_CFLAGS="\"$(CFLAGS)\"" -DBUILT_WITH_LDFLAGS="\"$(LDFLAGS)\"" -DBUILT_WITH_LIBS="\"$(LIBS)\"" - endif -diff --git a/src/main/unittest.mk b/src/main/unittest.mk -index 09f3938..ed33952 100644 ---- a/src/main/unittest.mk -+++ b/src/main/unittest.mk -@@ -21,5 +21,5 @@ TGT_PREREQS += libfreeradius-eap.a - endif - - ifneq ($(MAKECMDGOALS),scan) --SRC_CFLAGS += -DBUILT_WITH_CPPFLAGS=\"$(CPPFLAGS)\" -DBUILT_WITH_CFLAGS=\"$(CFLAGS)\" -DBUILT_WITH_LDFLAGS=\"$(LDFLAGS)\" -DBUILT_WITH_LIBS=\"$(LIBS)\" -+SRC_CFLAGS += -DBUILT_WITH_CPPFLAGS="\"$(CPPFLAGS)\"" -DBUILT_WITH_CFLAGS="\"$(CFLAGS)\"" -DBUILT_WITH_LDFLAGS="\"$(LDFLAGS)\"" -DBUILT_WITH_LIBS="\"$(LIBS)\"" - endif -diff --git a/src/modules/rlm_eap/radeapclient.mk b/src/modules/rlm_eap/radeapclient.mk -index 6068f54..7d3c556 100644 ---- a/src/modules/rlm_eap/radeapclient.mk -+++ b/src/modules/rlm_eap/radeapclient.mk -@@ -23,7 +23,7 @@ SRC_CFLAGS += -DWITH_EAPCLIENT - SRC_INCDIRS := 
${top_srcdir}/src/modules/rlm_eap/libeap - - ifneq ($(MAKECMDGOALS),scan) --SRC_CFLAGS += -DBUILT_WITH_CPPFLAGS=\"$(CPPFLAGS)\" -DBUILT_WITH_CFLAGS=\"$(CFLAGS)\" -DBUILT_WITH_LDFLAGS=\"$(LDFLAGS)\" -DBUILT_WITH_LIBS=\"$(LIBS)\" -+SRC_CFLAGS += -DBUILT_WITH_CPPFLAGS="\"$(CPPFLAGS)\"" -DBUILT_WITH_CFLAGS="\"$(CFLAGS)\"" -DBUILT_WITH_LDFLAGS="\"$(LDFLAGS)\"" -DBUILT_WITH_LIBS="\"$(LIBS)\"" - endif - - endif --- -2.10.2 - diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-detection.patch b/meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-detection.patch deleted file mode 100644 index 4265f9d0de..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-detection.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From bfe4d7ed72edc9d4ae1a0f0d2dd84367d6214886 Mon Sep 17 00:00:00 2001 -From: Changqing Li -Date: Thu, 22 Aug 2019 10:45:46 +0800 -Subject: [PATCH 1/2] Fix libtool detection - -Upstream-Status: pending - -Use LT_INIT instead of the deprecated AC_PROG_LIBTOOL to detect libtool, so it -can work with our libtoolize and libtool. - -Simplify the detection of ltdl. It will find the ltdl from the sysroot; the -switch --with-system-libltdl is no longer needed. The code is copied from -pulseaudio configure.ac, together with the comment paragraph. - -Also patch autogen.sh so it uses autoreconf, which handles libtoolize better. - -Signed-off-by: Jesse Zhang -Signed-off-by: Jackie Huang -Signed-off-by: Changqing Li ---- - autogen.sh | 5 +---- - configure.ac | 36 ++++++++++++++++++++++++++++++++++++ - 2 files changed, 37 insertions(+), 4 deletions(-) - -diff --git a/autogen.sh b/autogen.sh -index a1d08a6..959182b 100755 ---- a/autogen.sh -+++ b/autogen.sh -@@ -6,10 +6,7 @@ cd $parentdir - parentdir=`pwd` - m4include="-I$parentdir -I$parentdir/m4 -Im4" - --libtoolize -f -c --#aclocal --autoheader --autoconf -+autoreconf -Wcross --verbose --install --force - - mysubdirs="$mysubdirs `find src/modules/ -name configure -print | sed 's%/configure%%'`" - mysubdirs=`echo $mysubdirs` -diff --git a/configure.ac b/configure.ac -index a7abf00..65db61e 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -220,6 +220,42 @@ dnl # See if we have Git. - dnl # - AC_CHECK_PROG(GIT, git, yes, no) - -+#### libtool stuff #### -+ -+dnl set this shit so it doesn't force CFLAGS... -+LTCFLAGS=" " -+ -+LT_PREREQ(2.2) -+LT_INIT([dlopen disable-static]) -+ -+dnl Unfortunately, even up to libtool 2.2.6a there is no way to know -+dnl exactly which version of libltdl is present in the system, so we -+dnl just assume that it's a working version as long as we have the -+dnl library and the header files. 
-+dnl -+dnl As an extra safety device, check for lt_dladvise_init() which is -+dnl only implemented in libtool 2.x, and refine as we go if we have -+dnl refined requirements. -+dnl -+dnl Check the header files first since the system may have a -+dnl libltdl.so for runtime, but no headers, and we want to bail out as -+dnl soon as possible. -+dnl -+dnl We don't need any special variable for this though, since the user -+dnl can give the proper place to find libltdl through the standard -+dnl variables like LDFLAGS and CPPFLAGS. -+ -+AC_CHECK_HEADER([ltdl.h], -+ [AC_CHECK_LIB([ltdl], [lt_dladvise_init], [LIBLTDL=-lltdl], [LIBLTDL=])], -+ [LIBLTDL=]) -+ -+AS_IF([test "x$LIBLTDL" = "x"], -+ [AC_MSG_ERROR([Unable to find libltdl version 2. Makes sure you have libtool 2.2 or later installed.])]) -+AC_SUBST([LIBLTDL]) -+LTDL_SUBDIRS= -+INCLTDL=-DWITH_SYSTEM_LTDL -+AC_SUBST(LTDL_SUBDIRS) -+ - dnl Put this in later, when all distributed modules use autoconf. - dnl AC_ARG_WITH(disablemodulefoo, - dnl [ --without-rlm_foo Disables module compilation. Module list:] --- -2.7.4 - diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-do-not-use-jlibtool.patch b/meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-do-not-use-jlibtool.patch deleted file mode 100644 index 1954586b2b..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-do-not-use-jlibtool.patch +++ /dev/null 
@@ -1,160 +0,0 @@ -From 16bf899447fc1524ffc3c79e1d35380e5285a552 Mon Sep 17 00:00:00 2001 -From: Jackie Huang -Date: Thu, 7 Jan 2016 22:37:30 -0800 -Subject: [PATCH] libtool: do not use jlibtool - -jlibtool is hardcoded to be used but we need to use -our libtool, so fix the makfiles to make it compatible -with our libtool. - -Upstream-Status: Inappropriate [oe specific] - -Signed-off-by: Jackie Huang -Signed-off-by: Yi Zhao ---- - Make.inc.in | 4 ++-- - scripts/boiler.mk | 2 ++ - scripts/install.mk | 14 +++++++------- - scripts/libtool.mk | 22 ++++++++++++++++------ - 4 files changed, 27 insertions(+), 15 deletions(-) - -diff --git a/Make.inc.in b/Make.inc.in -index 7a77625..fd8aa3e 100644 ---- a/Make.inc.in -+++ b/Make.inc.in -@@ -57,7 +57,7 @@ CPPFLAGS = @CPPFLAGS@ - LIBPREFIX = @LIBPREFIX@ - EXEEXT = @EXEEXT@ - --LIBTOOL = JLIBTOOL -+LIBTOOL = @LIBTOOL@ - ACLOCAL = @ACLOCAL@ - AUTOCONF = @AUTOCONF@ - AUTOHEADER = @AUTOHEADER@ -@@ -163,7 +163,7 @@ ANALYZE.c := @clang_path@ - # - ifeq "$(USE_SHARED_LIBS)" "yes" - TESTBINDIR = ./$(BUILD_DIR)/bin/local -- TESTBIN = FR_LIBRARY_PATH=./build/lib/.libs $(JLIBTOOL) --quiet --mode=execute $(TESTBINDIR) -+ TESTBIN = FR_LIBRARY_PATH=./build/lib/.libs $(LIBTOOL) --quiet --mode=execute $(TESTBINDIR) - else - TESTBINDIR = ./$(BUILD_DIR)/bin - TESTBIN = ./$(BUILD_DIR)/bin -diff --git a/scripts/boiler.mk b/scripts/boiler.mk -index bccec5e..926a13e 100644 ---- a/scripts/boiler.mk -+++ b/scripts/boiler.mk -@@ -266,6 +266,7 @@ define COMPILE_C_CMDS - $(Q)$(ECHO) CC $< - $(Q)$(strip ${COMPILE.c} -o $@ -c -MD ${CPPFLAGS} ${CFLAGS} ${SRC_CFLAGS} ${INCDIRS} \ - $(addprefix -I, ${SRC_INCDIRS}) ${SRC_DEFS} ${DEFS} $<) -+ ${Q}mv $(dir $@)/.libs/$(notdir $*.d) ${BUILD_DIR}/objs/$*.d - endef - else - # -@@ -281,6 +282,7 @@ define COMPILE_C_CMDS - $(Q)cppcheck --enable=style -q ${CHECKFLAGS} $(filter -isystem%,${SRC_CFLAGS}) \ - $(filter -I%,${SRC_CFLAGS}) $(filter -D%,${SRC_CFLAGS}) ${INCDIRS} \ - $(addprefix -I,${SRC_INCDIRS}) ${SRC_DEFS} 
${DEFS} --suppress=variableScope --suppress=invalidscanf $< -+ ${Q}mv $(dir $@)/.libs/$(notdir $*.d) ${BUILD_DIR}/objs/$*.d - endef - endif - -diff --git a/scripts/install.mk b/scripts/install.mk -index 9164115..e38c1ed 100644 ---- a/scripts/install.mk -+++ b/scripts/install.mk -@@ -46,7 +46,7 @@ define ADD_INSTALL_RULE.exe - install: $${${1}_INSTALLDIR}/$(notdir ${1}) - - # Install executable ${1} -- $${${1}_INSTALLDIR}/$(notdir ${1}): ${JLIBTOOL} $${${1}_BUILD}/${1} | $${${1}_INSTALLDIR} -+ $${${1}_INSTALLDIR}/$(notdir ${1}): ${LIBTOOL} $${${1}_BUILD}/${1} | $${${1}_INSTALLDIR} - @$(ECHO) INSTALL ${1} - $(Q)$${PROGRAM_INSTALL} -c -m 755 $${BUILD_DIR}/bin/${1} $${${1}_INSTALLDIR}/ - $(Q)$${${1}_POSTINSTALL} -@@ -65,7 +65,7 @@ define ADD_INSTALL_RULE.a - install: $${${1}_INSTALLDIR}/$(notdir ${1}) - - # Install static library ${1} -- $${${1}_INSTALLDIR}/$(notdir ${1}): ${JLIBTOOL} ${1} | $${${1}_INSTALLDIR} -+ $${${1}_INSTALLDIR}/$(notdir ${1}): ${LIBTOOL} ${1} | $${${1}_INSTALLDIR} - @$(ECHO) INSTALL ${1} - $(Q)$${PROGRAM_INSTALL} -c -m 755 $${BUILD_DIR}/lib/${1} $${${1}_INSTALLDIR}/ - $(Q)$${${1}_POSTINSTALL} -@@ -87,9 +87,9 @@ define ADD_INSTALL_RULE.la - install: $${${1}_INSTALLDIR}/$(notdir ${1}) - - # Install libtool library ${1} -- $${${1}_INSTALLDIR}/$(notdir ${1}): ${JLIBTOOL} $${${1}_BUILD}/${1} | $${${1}_INSTALLDIR} -+ $${${1}_INSTALLDIR}/$(notdir ${1}): ${LIBTOOL} $${${1}_BUILD}/${1} | $${${1}_INSTALLDIR} - @$(ECHO) INSTALL ${1} -- $(Q)$${PROGRAM_INSTALL} -c -m 755 $${LOCAL_FLAGS_MIN} $${BUILD_DIR}/lib/${1} $${${1}_INSTALLDIR}/ -+ $(Q)$${PROGRAM_INSTALL} -c -m 755 $${BUILD_DIR}/lib/${1} $${${1}_INSTALLDIR}/ - $(Q)$${${1}_POSTINSTALL} - - endef -@@ -107,7 +107,7 @@ define ADD_INSTALL_RULE.man - install: ${2}/$(notdir ${1}) - - # Install manual page ${1} -- ${2}/$(notdir ${1}): ${JLIBTOOL} ${1} | ${2} -+ ${2}/$(notdir ${1}): ${LIBTOOL} ${1} | ${2} - @$(ECHO) INSTALL $(notdir ${1}) - $(Q)$${PROGRAM_INSTALL} -c -m 644 ${1} ${2}/ - -@@ -122,9 +122,9 @@ endef 
- define ADD_INSTALL_RULE.dir - # Install directory - .PHONY: ${1} -- ${1}: ${JLIBTOOL} -+ ${1}: ${LIBTOOL} - @$(ECHO) INSTALL -d -m 755 ${1} -- $(Q)$${PROGRAM_INSTALL} -d -m 755 ${1} -+ $(Q)$${INSTALL} -d -m 755 ${1} - endef - - -diff --git a/scripts/libtool.mk b/scripts/libtool.mk -index 57915e1..2cb2f7d 100644 ---- a/scripts/libtool.mk -+++ b/scripts/libtool.mk -@@ -55,7 +55,9 @@ ifeq "${LIBTOOL}" "JLIBTOOL" - # Tell GNU Make to use this value, rather than anything specified - # on the command line. - override LIBTOOL := ${JLIBTOOL} --endif # else we're not using jlibtool -+else # else we're not using jlibtool -+ all install: ${LIBTOOL} -+endif - - # When using libtool, it produces a '.libs' directory. Ensure that it - # is removed on "make clean", too. -@@ -69,11 +71,19 @@ clean: .libs_clean - # Re-define compilers and linkers - # - OBJ_EXT = lo --COMPILE.c = ${LIBTOOL} --silent --mode=compile ${CC} --COMPILE.cxx = ${LIBTOOL} --mode=compile ${CXX} --LINK.c = ${LIBTOOL} --silent --mode=link ${CC} --LINK.cxx = ${LIBTOOL} --mode=link ${CXX} --PROGRAM_INSTALL = ${LIBTOOL} --silent --mode=install ${INSTALL} -+ifeq "${LIBTOOL}" "JLIBTOOL" -+ COMPILE.c = ${LIBTOOL} --silent --mode=compile ${CC} -+ COMPILE.cxx = ${LIBTOOL} --mode=compile ${CXX} -+ LINK.c = ${LIBTOOL} --silent --mode=link ${CC} -+ LINK.cxx = ${LIBTOOL} --mode=link ${CXX} -+ PROGRAM_INSTALL = ${LIBTOOL} --silent --mode=install ${INSTALL} -+else -+ COMPILE.c = ${LIBTOOL} --mode=compile --tag=CC ${CC} -+ COMPILE.cxx = ${LIBTOOL} --mode=compile --tag=CC ${CXX} -+ LINK.c = ${LIBTOOL} --mode=link --tag=CC ${CC} -module -export-dynamic -+ LINK.cxx = ${LIBTOOL} --mode=link --tag=CC ${CXX} -module -export-dynamic -+ PROGRAM_INSTALL = ${LIBTOOL} --mode=install ${INSTALL} -+endif - - - # LIBTOOL_ENDINGS - Given a library ending in ".a" or ".so", replace that --- -2.10.2 - 
diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-rlm_python-add-PY_INC_DIR.patch b/meta-networking/recipes-connectivity/freeradius/files/freeradius-rlm_python-add-PY_INC_DIR.patch deleted file mode 100644 index 675940dd6c..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-rlm_python-add-PY_INC_DIR.patch +++ /dev/null @@ -1,33 +0,0 @@ -From a0bf65e04d2bbd3271cab94bd5ac93f8e877bfc5 Mon Sep 17 00:00:00 2001 -From: Jackie Huang -Date: Wed, 27 Jan 2016 05:07:19 -0500 -Subject: [PATCH] rlm_python: add PY_INC_DIR in search dir - -Upstream-Status: Pending - -configure option --with-rlm-python-include-dir is used to set -PY_INC_DIR which is never used and it fails to find Python.h, -so add it into search dir to fix it. - -Signed-off-by: Jackie Huang -Signed-off-by: Yi Zhao ---- - src/modules/rlm_python/configure.ac | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/modules/rlm_python/configure.ac b/src/modules/rlm_python/configure.ac -index 831a33a..c3792d8 100644 ---- a/src/modules/rlm_python/configure.ac -+++ b/src/modules/rlm_python/configure.ac -@@ -93,7 +93,7 @@ if test x$with_[]modname != xno; then - - old_CFLAGS=$CFLAGS - CFLAGS="$CFLAGS $PY_CFLAGS" -- smart_try_dir="$PY_PREFIX/include/python$PY_SYS_VERSION" -+ smart_try_dir="$PY_PREFIX/include/python$PY_SYS_VERSION $PY_INC_DIR" - FR_SMART_CHECK_INCLUDE(Python.h) - CFLAGS=$old_CFLAGS - --- -2.10.2 - diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb deleted file mode 100644 index 01d23fdf83..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb +++ /dev/null 
@@ -1,257 +0,0 @@ -DESCRIPTION = "FreeRADIUS is an Internet authentication daemon, which implements the RADIUS \ -protocol, as defined in RFC 2865 (and others). It allows Network Access \ -Servers (NAS boxes) to perform authentication for dial-up users. There are \ -also RADIUS clients available for Web servers, firewalls, Unix logins, and \ -more. Using RADIUS allows authentication and authorization for a network to \ -be centralized, and minimizes the amount of re-configuration which has to be \ -done when adding or deleting new users." - -SUMMARY = "High-performance and highly configurable RADIUS server" -HOMEPAGE = "http://www.freeradius.org/" -SECTION = "System/Servers" -LICENSE = "GPL-2.0-only & LGPL-2.0-or-later" -LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a" -DEPENDS = "openssl-native openssl libidn libtool libpcap libtalloc" - -SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0;;protocol=https \ - file://freeradius \ - file://volatiles.58_radiusd \ - file://freeradius-enble-user-in-conf.patch \ - file://freeradius-configure.ac-allow-cross-compilation.patch \ - file://freeradius-libtool-detection.patch \ - file://freeradius-configure.ac-add-option-for-libcap.patch \ - file://freeradius-avoid-searching-host-dirs.patch \ - file://freeradius-rlm_python-add-PY_INC_DIR.patch \ - file://freeradius-libtool-do-not-use-jlibtool.patch \ - file://freeradius-fix-quoting-for-BUILT_WITH.patch \ - file://freeradius-fix-error-for-expansion-of-macro.patch \ - file://0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch \ - file://0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch \ - file://0001-raddb-certs-Makefile-fix-the-occasional-verification.patch \ - file://0001-workaround-error-with-autoconf-2.7.patch \ - file://radiusd.service \ - file://radiusd-volatiles.conf \ - file://check-openssl-cmds-in-script-bootstrap.patch \ - file://0001-version.c-don-t-print-build-flags.patch \ - 
file://CVE-2022-41860.patch \ - file://CVE-2022-41861.patch \ - file://CVE-2024-3596.patch \ -" - -raddbdir="${sysconfdir}/${MLPREFIX}raddb" - -SRCREV = "af428abda249b2279ba0582180985a9f6f4a144a" - -CVE_CHECK_IGNORE = "\ - CVE-2002-0318 \ - CVE-2011-4966 \ -" - -PARALLEL_MAKE = "" - -S = "${WORKDIR}/git" - -LDFLAGS:append:powerpc = " -latomic" -LDFLAGS:append:mipsarch = " -latomic" -LDFLAGS:append:armv5 = " -latomic" - -EXTRA_OECONF = " --enable-strict-dependencies \ - --with-docdir=${docdir}/freeradius-${PV} \ - --with-openssl-includes=${STAGING_INCDIR} \ - --with-openssl-libraries=${STAGING_LIBDIR} \ - --with-raddbdir=${raddbdir} \ - --without-rlm_ippool \ - --without-rlm_cache_memcached \ - --without-rlm_counter \ - --without-rlm_couchbase \ - --without-rlm_dbm \ - --without-rlm_eap_tnc \ - --without-rlm_eap_ikev2 \ - --without-rlm_opendirectory \ - --without-rlm_redis \ - --without-rlm_rediswho \ - --without-rlm_sql_db2 \ - --without-rlm_sql_firebird \ - --without-rlm_sql_freetds \ - --without-rlm_sql_iodbc \ - --without-rlm_sql_oracle \ - --without-rlm_sql_sybase \ - --without-rlm_sql_mongo \ - --without-rlm_sqlhpwippool \ - --without-rlm_securid \ - --without-rlm_unbound \ - --without-rlm_python \ - ac_cv_path_PERL=${bindir}/perl \ - ax_cv_cc_builtin_choose_expr=no \ - ax_cv_cc_builtin_types_compatible_p=no \ - ax_cv_cc_builtin_bswap64=no \ - ax_cv_cc_bounded_attribute=no \ -" - -PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)} \ - pcre libcap \ - openssl rlm-eap-fast rlm-eap-pwd \ -" - -PACKAGECONFIG[krb5] = "--with-rlm_krb5,--without-rlm_krb5,krb5" -PACKAGECONFIG[pam] = "--with-rlm_pam,--without-rlm_pam,libpam" -PACKAGECONFIG[libcap] = "--with-libcap,--without-libcap,libcap" -PACKAGECONFIG[ldap] = "--with-rlm_ldap,--without-rlm_ldap,openldap" -PACKAGECONFIG[mysql] = "--with-rlm_sql_mysql,--without-rlm_sql_mysql,mysql5" -PACKAGECONFIG[sqlite] = "--with-rlm_sql_sqlite,--without-rlm_sql_sqlite,sqlite3" -PACKAGECONFIG[unixodbc] = 
"--with-rlm_sql_unixodbc,--without-rlm_sql_unixodbc,unixodbc" -PACKAGECONFIG[postgresql] = "--with-rlm_sql_postgresql,--without-rlm_sql_postgresql,postgresql" -PACKAGECONFIG[pcre] = "--with-pcre,--without-pcre,libpcre" -PACKAGECONFIG[perl] = "--with-perl=${STAGING_BINDIR_NATIVE}/perl-native/perl --with-rlm_perl,--without-rlm_perl,perl-native perl,perl" -PACKAGECONFIG[python3] = "--with-rlm_python3 --with-rlm-python3-bin=${STAGING_BINDIR_NATIVE}/python3-native/python3 --with-rlm-python3-include-dir=${STAGING_INCDIR}/${PYTHON_DIR},--without-rlm_python3,python3-native python3" -PACKAGECONFIG[rest] = "--with-rlm_rest,--without-rlm_rest,curl json-c" -PACKAGECONFIG[ruby] = "--with-rlm_ruby,--without-rlm_ruby,ruby" -PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl" -PACKAGECONFIG[rlm-eap-fast] = "--with-rlm_eap_fast, --without-rlm_eap_fast" -PACKAGECONFIG[rlm-eap-pwd] = "--with-rlm_eap_pwd, --without-rlm_eap_pwd" - -inherit useradd autotools-brokensep update-rc.d systemd multilib_script multilib_header - -MULTILIB_SCRIPTS = "${PN}:${sbindir}/checkrad" - -# This is not a cpan or python based package, but it needs some definitions -# from cpan-base and python3-dir bbclasses for building rlm_perl and rlm_python -# correctly. -inherit cpan-base python3-dir - -# The modules subdirs also need to be processed by autoreconf. Use autogen.sh -# in order to handle the subdirs correctly. 
-do_configure () { - ./autogen.sh - - # the configure of rlm_perl needs this to get correct - # mod_cflags and mod_ldflags - if ${@bb.utils.contains('PACKAGECONFIG', 'perl', 'true', 'false', d)}; then - export PERL5LIB="${STAGING_LIBDIR}${PERL_OWN_DIR}/perl/${@get_perl_version(d)}" - fi - - oe_runconf - - # we don't need dhcpclient - sed -i -e 's/dhcpclient.mk//' ${S}/src/modules/proto_dhcp/all.mk -} - -INITSCRIPT_NAME = "radiusd" - -SYSTEMD_SERVICE:${PN} = "radiusd.service" - -USERADD_PACKAGES = "${PN}" -USERADD_PARAM:${PN} = "--system --no-create-home --shell /bin/false --user-group radiusd" - -do_install() { - rm -rf ${D} - mkdir -p ${D}/${sysconfdir}/logrotate.d - mkdir -p ${D}/${sysconfdir}/pam.d - mkdir -p ${D}/${sysconfdir}/init.d - mkdir -p ${D}/${localstatedir}/lib/radiusd - mkdir -p ${D}${sysconfdir}/default/volatiles - - export LD_LIBRARY_PATH=${D}/${libdir} - oe_runmake install R=${D} INSTALLSTRIP="" - - # remove unsupported config files - rm -f ${D}/${raddbdir}/experimental.conf - - # remove scripts that required Perl(DBI) - rm -rf ${D}/${bindir}/radsqlrelay - - cp -f ${WORKDIR}/freeradius ${D}/etc/init.d/radiusd - rm -f ${D}/${sbindir}/rc.radiusd - chmod +x ${D}/${sysconfdir}/init.d/radiusd - rm -rf ${D}/${localstatedir}/run/ - rm -rf ${D}/${localstatedir}/log/ - install -m 0644 ${WORKDIR}/volatiles.58_radiusd ${D}${sysconfdir}/default/volatiles/58_radiusd - - chown -R radiusd:radiusd ${D}/${raddbdir} - chown -R radiusd:radiusd ${D}/${localstatedir}/lib/radiusd - - # For systemd - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/radiusd.service ${D}${systemd_unitdir}/system - sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ - -e 's,@SBINDIR@,${sbindir},g' \ - -e 's,@STATEDIR@,${localstatedir},g' \ - -e 's,@SYSCONFDIR@,${sysconfdir},g' \ - ${D}${systemd_unitdir}/system/radiusd.service - - install -d ${D}${sysconfdir}/tmpfiles.d/ - install -m 0644 
${WORKDIR}/radiusd-volatiles.conf ${D}${sysconfdir}/tmpfiles.d/radiusd.conf - fi - oe_multilib_header freeradius/autoconf.h - oe_multilib_header freeradius/missing.h - oe_multilib_header freeradius/radpaths.h -} - -# This is only needed when we install/update on a running target. -# -pkg_postinst:${PN} () { - if [ -z "$D" ]; then - if command -v systemd-tmpfiles >/dev/null; then - # create /var/log/radius, /var/run/radiusd - systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/radiusd.conf - elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then - ${sysconfdir}/init.d/populate-volatile.sh update - fi - - # Fix ownership for /etc/raddb/*, /var/lib/radiusd - chown -R radiusd:radiusd ${raddbdir} - chown -R radiusd:radiusd ${localstatedir}/lib/radiusd - fi -} - -# We really need the symlink :( -INSANE_SKIP:${PN} = "dev-so" -INSANE_SKIP:${PN}-krb5 = "dev-so" -INSANE_SKIP:${PN}-ldap = "dev-so" -INSANE_SKIP:${PN}-mysql = "dev-so" -INSANE_SKIP:${PN}-perl = "dev-so" -INSANE_SKIP:${PN}-postgresql = "dev-so" -INSANE_SKIP:${PN}-python = "dev-so" -INSANE_SKIP:${PN}-unixodbc = "dev-so" - -PACKAGES =+ "${PN}-utils ${PN}-ldap ${PN}-krb5 ${PN}-perl \ - ${PN}-python ${PN}-mysql ${PN}-postgresql ${PN}-unixodbc" - -FILES:${PN}-utils = "${bindir}/*" - -FILES:${PN}-ldap = "${libdir}/rlm_ldap.so* \ - ${raddbdir}/mods-available/ldap \ -" - -FILES:${PN}-krb5 = "${libdir}/rlm_krb5.so* \ - ${raddbdir}/mods-available/krb5 \ -" - -FILES:${PN}-perl = "${libdir}/rlm_perl.so* \ - ${raddbdir}/mods-config/perl \ - ${raddbdir}/mods-available/perl \ -" - -FILES:${PN}-python = "${libdir}/rlm_python3.so* \ - ${raddbdir}/mods-config/python3 \ - ${raddbdir}/mods-available/python3 \ -" - -FILES:${PN}-mysql = "${libdir}/rlm_sql_mysql.so* \ - ${raddbdir}/mods-config/sql/*/mysql \ - ${raddbdir}/mods-available/sql \ -" - -FILES:${PN}-postgresql = "${libdir}/rlm_sql_postgresql.so* \ - ${raddbdir}/mods-config/sql/*/postgresql \ -" - -FILES:${PN}-unixodbc = "${libdir}/rlm_sql_unixodbc.so*" - -FILES:${PN} =+ 
"${libdir}/rlm_*.so* ${libdir}/proto_*so*" - -RDEPENDS:${PN} += "perl" -RDEPENDS:${PN}-utils = "${PN} perl" - -CLEANBROKEN = "1" diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.27.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.27.bb new file mode 100644 index 0000000000..27cc12c347 --- /dev/null +++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.27.bb 
@@ -0,0 +1,257 @@
+DESCRIPTION = "FreeRADIUS is an Internet authentication daemon, which implements the RADIUS \
+protocol, as defined in RFC 2865 (and others). It allows Network Access \
+Servers (NAS boxes) to perform authentication for dial-up users. There are \
+also RADIUS clients available for Web servers, firewalls, Unix logins, and \
+more. Using RADIUS allows authentication and authorization for a network to \
+be centralized, and minimizes the amount of re-configuration which has to be \
+done when adding or deleting new users."
+
+SUMMARY = "High-performance and highly configurable RADIUS server"
+HOMEPAGE = "http://www.freeradius.org/"
+SECTION = "System/Servers"
+LICENSE = "GPL-2.0-only & LGPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a"
+DEPENDS = "openssl-native openssl libidn libtool libpcap libtalloc"
+
+SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0;;protocol=https \
+ file://freeradius \
+ file://volatiles.58_radiusd \
+ file://radiusd.service \
+ file://radiusd-volatiles.conf \
+ file://0001-Add-autogen.sh.patch \
+ file://0002-Enable-and-change-user-and-group-of-freeradius-serve.patch \
+ file://0003-configure.ac-allow-cross-compilation.patch \
+ file://0004-Fix-libtool-detection.patch \
+ file://0005-configure.ac-add-option-for-libcap.patch \
+ file://0006-Avoid-searching-host-dirs.patch \
+ file://0007-rlm_python-add-PY_INC_DIR-in-search-dir.patch \
+ file://0008-libtool-do-not-use-jlibtool.patch \
+ file://0009-Fix-quoting-for-BUILD_WITH.patch \
+ file://0010-fix-error-for-expansion-of-macro-in-thread.h.patch \
+ file://0011-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch \
+ file://0012-raddb-certs-Makefile-fix-the-existed-certificate-err.patch \
+ file://0013-raddb-certs-Makefile-fix-the-occasional-verification.patch \
+ file://0014-Workaround-error-with-autoconf-2.7.patch \
+ file://0015-bootstrap-check-commands-of-openssl-exist.patch \
+ file://0016-version.c-don-t-print-build-flags.patch \
+"
+
+raddbdir="${sysconfdir}/${MLPREFIX}raddb"
+
+SRCREV = "f317c5b2668a4de7065df46b31267cd6ff32ddf1"
+
+UPSTREAM_CHECK_GITTAGREGEX = "release_(?P\d+(\_\d+)+)"
+
+CVE_CHECK_IGNORE = "\
+ CVE-2002-0318 \
+ CVE-2011-4966 \
+"
+
+PARALLEL_MAKE = ""
+
+S = "${WORKDIR}/git"
+
+LDFLAGS:append:powerpc = " -latomic"
+LDFLAGS:append:mipsarch = " -latomic"
+LDFLAGS:append:armv5 = " -latomic"
+
+EXTRA_OECONF = " --enable-strict-dependencies \
+ --with-docdir=${docdir}/freeradius-${PV} \
+ --with-openssl-includes=${STAGING_INCDIR} \
+ --with-openssl-libraries=${STAGING_LIBDIR} \
+ --with-raddbdir=${raddbdir} \
+ --without-rlm_ippool \
+ --without-rlm_cache_memcached \
+ --without-rlm_counter \
+ --without-rlm_couchbase \
+ --without-rlm_dbm \
+ --without-rlm_eap_tnc \
+ --without-rlm_eap_ikev2 \
+ --without-rlm_opendirectory \
+ --without-rlm_redis \
+ --without-rlm_rediswho \
+ --without-rlm_sql_db2 \
+ --without-rlm_sql_firebird \
+ --without-rlm_sql_freetds \
+ --without-rlm_sql_iodbc \
+ --without-rlm_sql_oracle \
+ --without-rlm_sql_sybase \
+ --without-rlm_sql_mongo \
+ --without-rlm_sqlhpwippool \
+ --without-rlm_securid \
+ --without-rlm_unbound \
+ --without-rlm_python \
+ ac_cv_path_PERL=${bindir}/perl \
+ ax_cv_cc_builtin_choose_expr=no \
+ ax_cv_cc_builtin_types_compatible_p=no \
+ ax_cv_cc_builtin_bswap64=no \
+ ax_cv_cc_bounded_attribute=no \
+"
+
+PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)} \
+ pcre libcap \
+ openssl rlm-eap-fast rlm-eap-pwd \
+"
+
+PACKAGECONFIG[krb5] = "--with-rlm_krb5,--without-rlm_krb5,krb5"
+PACKAGECONFIG[pam] = "--with-rlm_pam,--without-rlm_pam,libpam"
+PACKAGECONFIG[libcap] = "--with-libcap,--without-libcap,libcap"
+PACKAGECONFIG[ldap] = "--with-rlm_ldap,--without-rlm_ldap,openldap"
+PACKAGECONFIG[mysql] = "--with-rlm_sql_mysql,--without-rlm_sql_mysql,mysql5"
+PACKAGECONFIG[sqlite] = "--with-rlm_sql_sqlite,--without-rlm_sql_sqlite,sqlite3"
+PACKAGECONFIG[unixodbc] = "--with-rlm_sql_unixodbc,--without-rlm_sql_unixodbc,unixodbc"
+PACKAGECONFIG[postgresql] = "--with-rlm_sql_postgresql,--without-rlm_sql_postgresql,postgresql"
+PACKAGECONFIG[pcre] = "--with-pcre,--without-pcre,libpcre"
+PACKAGECONFIG[perl] = "--with-perl=${STAGING_BINDIR_NATIVE}/perl-native/perl --with-rlm_perl,--without-rlm_perl,perl-native perl,perl"
+PACKAGECONFIG[python3] = "--with-rlm_python3 --with-rlm-python3-bin=${STAGING_BINDIR_NATIVE}/python3-native/python3 --with-rlm-python3-include-dir=${STAGING_INCDIR}/${PYTHON_DIR},--without-rlm_python3,python3-native python3"
+PACKAGECONFIG[rest] = "--with-rlm_rest,--without-rlm_rest,curl json-c"
+PACKAGECONFIG[ruby] = "--with-rlm_ruby,--without-rlm_ruby,ruby"
+PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl"
+PACKAGECONFIG[rlm-eap-fast] = "--with-rlm_eap_fast, --without-rlm_eap_fast"
+PACKAGECONFIG[rlm-eap-pwd] = "--with-rlm_eap_pwd, --without-rlm_eap_pwd"
+
+inherit useradd autotools-brokensep update-rc.d systemd multilib_script multilib_header
+
+MULTILIB_SCRIPTS = "${PN}:${sbindir}/checkrad"
+
+# This is not a cpan or python based package, but it needs some definitions
+# from cpan-base and python3-dir bbclasses for building rlm_perl and rlm_python
+# correctly.
+inherit cpan-base python3-dir
+
+# The modules subdirs also need to be processed by autoreconf. Use autogen.sh
+# in order to handle the subdirs correctly.
+do_configure () {
+ ./autogen.sh
+
+ # the configure of rlm_perl needs this to get correct
+ # mod_cflags and mod_ldflags
+ if ${@bb.utils.contains('PACKAGECONFIG', 'perl', 'true', 'false', d)}; then
+ export PERL5LIB="${STAGING_LIBDIR}${PERL_OWN_DIR}/perl/${@get_perl_version(d)}"
+ fi
+
+ oe_runconf
+
+ # we don't need dhcpclient
+ sed -i -e 's/dhcpclient.mk//' ${S}/src/modules/proto_dhcp/all.mk
+}
+
+INITSCRIPT_NAME = "radiusd"
+
+SYSTEMD_SERVICE:${PN} = "radiusd.service"
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM:${PN} = "--system --no-create-home --shell /bin/false --user-group radiusd"
+
+do_install() {
+ rm -rf ${D}
+ mkdir -p ${D}/${sysconfdir}/logrotate.d
+ mkdir -p ${D}/${sysconfdir}/pam.d
+ mkdir -p ${D}/${sysconfdir}/init.d
+ mkdir -p ${D}/${localstatedir}/lib/radiusd
+ mkdir -p ${D}${sysconfdir}/default/volatiles
+
+ export LD_LIBRARY_PATH=${D}/${libdir}
+ oe_runmake install R=${D} INSTALLSTRIP=""
+
+ # remove unsupported config files
+ rm -f ${D}/${raddbdir}/experimental.conf
+
+ # remove scripts that required Perl(DBI)
+ rm -rf ${D}/${bindir}/radsqlrelay
+
+ cp -f ${WORKDIR}/freeradius ${D}/etc/init.d/radiusd
+ rm -f ${D}/${sbindir}/rc.radiusd
+ chmod +x ${D}/${sysconfdir}/init.d/radiusd
+ rm -rf ${D}/${localstatedir}/run/
+ rm -rf ${D}/${localstatedir}/log/
+ install -m 0644 ${WORKDIR}/volatiles.58_radiusd ${D}${sysconfdir}/default/volatiles/58_radiusd
+
+ chown -R radiusd:radiusd ${D}/${raddbdir}
+ chown -R radiusd:radiusd ${D}/${localstatedir}/lib/radiusd
+
+ # For systemd
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/radiusd.service ${D}${systemd_unitdir}/system
+ sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
+ -e 's,@SBINDIR@,${sbindir},g' \
+ -e 's,@STATEDIR@,${localstatedir},g' \
+ -e 's,@SYSCONFDIR@,${sysconfdir},g' \
+ ${D}${systemd_unitdir}/system/radiusd.service
+
+ install -d ${D}${sysconfdir}/tmpfiles.d/
+ install -m 0644 ${WORKDIR}/radiusd-volatiles.conf ${D}${sysconfdir}/tmpfiles.d/radiusd.conf
+ fi
+ oe_multilib_header freeradius/autoconf.h
+ oe_multilib_header freeradius/missing.h
+ oe_multilib_header freeradius/radpaths.h
+}
+
+# This is only needed when we install/update on a running target.
+#
+pkg_postinst:${PN} () {
+ if [ -z "$D" ]; then
+ if command -v systemd-tmpfiles >/dev/null; then
+ # create /var/log/radius, /var/run/radiusd
+ systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/radiusd.conf
+ elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+ fi
+
+ # Fix ownership for /etc/raddb/*, /var/lib/radiusd
+ chown -R radiusd:radiusd ${raddbdir}
+ chown -R radiusd:radiusd ${localstatedir}/lib/radiusd
+ fi
+}
+
+# We really need the symlink :(
+INSANE_SKIP:${PN} = "dev-so"
+INSANE_SKIP:${PN}-krb5 = "dev-so"
+INSANE_SKIP:${PN}-ldap = "dev-so"
+INSANE_SKIP:${PN}-mysql = "dev-so"
+INSANE_SKIP:${PN}-perl = "dev-so"
+INSANE_SKIP:${PN}-postgresql = "dev-so"
+INSANE_SKIP:${PN}-python = "dev-so"
+INSANE_SKIP:${PN}-unixodbc = "dev-so"
+
+PACKAGES =+ "${PN}-utils ${PN}-ldap ${PN}-krb5 ${PN}-perl \
+ ${PN}-python ${PN}-mysql ${PN}-postgresql ${PN}-unixodbc"
+
+FILES:${PN}-utils = "${bindir}/*"
+
+FILES:${PN}-ldap = "${libdir}/rlm_ldap.so* \
+ ${raddbdir}/mods-available/ldap \
+"
+
+FILES:${PN}-krb5 = "${libdir}/rlm_krb5.so* \
+ ${raddbdir}/mods-available/krb5 \
+"
+
+FILES:${PN}-perl = "${libdir}/rlm_perl.so* \
+ ${raddbdir}/mods-config/perl \
+ ${raddbdir}/mods-available/perl \
+"
+
+FILES:${PN}-python = "${libdir}/rlm_python3.so* \
+ ${raddbdir}/mods-config/python3 \
+ ${raddbdir}/mods-available/python3 \
+"
+
+FILES:${PN}-mysql = "${libdir}/rlm_sql_mysql.so* \
+ ${raddbdir}/mods-config/sql/*/mysql \
+ ${raddbdir}/mods-available/sql \
+"
+
+FILES:${PN}-postgresql = "${libdir}/rlm_sql_postgresql.so* \
+ ${raddbdir}/mods-config/sql/*/postgresql \
+"
+
+FILES:${PN}-unixodbc = "${libdir}/rlm_sql_unixodbc.so*"
+
+FILES:${PN} =+ "${libdir}/rlm_*.so* ${libdir}/proto_*so*"
+
+RDEPENDS:${PN} += "perl"
+RDEPENDS:${PN}-utils = "${PN} perl"
+
+CLEANBROKEN = "1"
-- cgit v1.2.3-54-g00ecf