diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:49:47 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:49:47 +0000 |
commit | b486f33989b6fa5fd31509219f0c1e55a2dc7db3 (patch) | |
tree | 62b4ab75fb48b8aa9472b4ceee53943d2443ffb2 /debian | |
parent | Adding upstream version 3.2.1+dfsg. (diff) | |
download | freeradius-debian.tar.xz freeradius-debian.zip |
Adding debian version 3.2.1+dfsg-4+deb12u1.debian/3.2.1+dfsg-4+deb12u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
91 files changed, 5370 insertions, 0 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm new file mode 100644 index 0000000..7671acb --- /dev/null +++ b/debian/.git-dpm @@ -0,0 +1,8 @@ +# see git-dpm(1) from git-dpm package +2d3fc90013125f3c7340b2ceb9d91b4ef85da76d +2d3fc90013125f3c7340b2ceb9d91b4ef85da76d +6b177c836eff45faa5b68646fe00f582d6f18dee +6b177c836eff45faa5b68646fe00f582d6f18dee +freeradius_2.2.8+dfsg.orig.tar.gz +661ba3a9ec1f089f68807f440421fcf333082b8f +3584595 diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..e5ce82c --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,9 @@ +Runlevel Changes +================ +In freeradius 1.1.5-1, we changed our update-rc.d call so that we start +at S50 and stop at K19 in order to fix dependency issues with various +databases. This only takes effect for new installs however. If you +want to update your existing install to do the same, a quick method is: + +update-rc.d -f freeradius remove +update-rc.d freeradius start 50 2 3 4 5 . stop 19 0 1 6 . diff --git a/debian/README.rfc b/debian/README.rfc new file mode 100644 index 0000000..e27923a --- /dev/null +++ b/debian/README.rfc @@ -0,0 +1,13 @@ +These are the relevant RFC's that normally ship with freeradius. However, +we have now decided that useful things like RFC's are not free enough, and +so we can't ship them in Debian main. They are all available from the +original freeradius tarball, available at +ftp://ftp.freeradius.org/pub/radius/ +and from +http://www.rfc-editor.org/ + +Sorry for the inconvenience. + +Stephen Gran <sgran@debian.org> + +draft-kamath-pppext-eap-mschapv2-00 diff --git a/debian/README.source b/debian/README.source new file mode 100644 index 0000000..ea7ce1e --- /dev/null +++ b/debian/README.source @@ -0,0 +1,7 @@ +To import a new upstream version, I use: + + gbp import-orig --pristine-tar --uscan + +The Files-Excluded tag in debian/copyright will be taken into account by uscan, +resulting in a DFSG-free tarball (i.e. without the non-free RFCs) being created +from the latest upstream tarball. diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..7425bce --- /dev/null +++ b/debian/changelog @@ -0,0 +1,1497 @@ +freeradius (3.2.1+dfsg-4+deb12u1) bookworm; urgency=medium + + * Add d/gbp.conf for bookworm stable branch + * Cherry-Pick two upstream commits to fix TLS-Client-Cert-Common-Name + contains incorrect value (Closes: #1043282) + + -- Bernhard Schmidt <berni@debian.org> Sat, 19 Aug 2023 00:26:34 +0200 + +freeradius (3.2.1+dfsg-4) unstable; urgency=medium + + * Don't install symlink for cache_eap module no longer shipped + (Closes: #1035853) + + -- Bernhard Schmidt <berni@debian.org> Tue, 16 May 2023 00:04:23 +0200 + +freeradius (3.2.1+dfsg-3) unstable; urgency=medium + + * Cherry-pick upstream patch to fix partical CA support (Closes: #1032590) + + -- Bernhard Schmidt <berni@debian.org> Fri, 10 Mar 2023 08:53:27 +0100 + +freeradius (3.2.1+dfsg-2) unstable; urgency=medium + + * Cherry-pick upstream fix for EAP-TTLS-MSCHAPv2 with TLSv1.3 + (Closes: #919234) + + -- Bernhard Schmidt <berni@debian.org> Tue, 07 Mar 2023 22:51:06 +0100 + +freeradius (3.2.1+dfsg-1) unstable; urgency=medium + + * New upstream version 3.2.1+dfsg (Closes: #1025426) + * Drop d/p/mkdirp.diff, fixed upstream + * Drop d/p/python_config_script_update.diff, fixed upstream + * Refresh patch + * Fix lintian overrides + * Bump debhelper to version 13, drop old dbgsym migration + + -- Bernhard Schmidt <berni@debian.org> Wed, 28 Dec 2022 00:10:38 +0100 + +freeradius (3.2.0+dfsg-1) unstable; urgency=medium + + * Acknowledge NMU, thanks Andreas Metzler + * New upstream version 3.2.0+dfsg (Closes: #1011041) + - Drop rlm_{cram,otp} (removed upstream), add rlm_json + * Refresh d/p/snakeoil-certs.diff + * Refresh d/p/python_config_script_update.diff + * Import test updates from Ubuntu, thanks Andreas Hasenack + - Add test for rlm_python3 (LP: #1969381): + - d/t/control: new rlm_python3 test + - d/t/rlm_python3-test: test the rlm_python3 module + - d/t/rlm_python3-data/*: test files + - d/t/freeradius: run python tests in verbose mode + - d/t/test-freeradius.py: test more authentication mechanisms + + -- Bernhard Schmidt <berni@debian.org> Sat, 28 May 2022 22:24:26 +0200 + +freeradius (3.0.25+dfsg-1.1) unstable; urgency=low + + * Non-maintainer upload. + * python_config_script_update.diff: Update configurre script in + src/modules/rlm_python3 (aclocal + autoconf + cleanup), to fix breakage + when built against python 3.10. Closes: #1008832 + + -- Andreas Metzler <ametzler@debian.org> Sat, 23 Apr 2022 15:43:51 +0200 + +freeradius (3.0.25+dfsg-1) unstable; urgency=medium + + [ Bernhard Schmidt ] + * New upstream version 3.0.25+dfsg + - rlm_eap_peap dropped upstream + - rlm_sql_map and rlm_totp added + * Fix a lot of lintian overrides + + [ Debian Janitor ] + * Remove constraints unnecessary since buster + + -- Bernhard Schmidt <berni@debian.org> Tue, 22 Feb 2022 22:38:13 +0100 + +freeradius (3.0.21+dfsg-3) unstable; urgency=medium + + * Acknowledge NMUs, thanks + * Cherry-Pick upstream fix for a crash bug (Closes: #992036) + * Cherry-Pick upstream fix to add missing continuation in postgresql + sample config (Closes: #992207) + + -- Bernhard Schmidt <berni@debian.org> Mon, 23 Aug 2021 15:49:43 +0200 + +freeradius (3.0.21+dfsg-2.2) unstable; urgency=medium + + * Non-maintainer upload. + * Don't fail postinst if daemon is not running (Closes: #991561, #932113) + + -- Jochen Sprickerhof <jspricke@debian.org> Wed, 28 Jul 2021 12:28:32 +0200 + +freeradius (3.0.21+dfsg-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix capabilities in service file. + As freeradius is not run as root we need to request extra capabilities + wiht AmbientCapabilities instead of limiting the set with + CapabilityBoundingSet. (Closes: #985967) + + -- Jochen Sprickerhof <jspricke@debian.org> Fri, 23 Jul 2021 13:19:03 +0200 + +freeradius (3.0.21+dfsg-2) unstable; urgency=medium + + * Cherry-Pick upstream fixes to build with Python3.8 (Closes: #966860) + * Drop migration code for versions earlier than oldstable (Squeeze) + * Temporarily collectd integration (again) due to RC bugs + * Bump to debhelper compat 10 + + -- Bernhard Schmidt <berni@debian.org> Mon, 24 Aug 2020 10:46:49 +0200 + +freeradius (3.0.21+dfsg-1) unstable; urgency=medium + + [ Bernhard Schmidt ] + * New upstream version 3.0.21+dfsg + * Sync freeradius.service with upstream, notable changes + - run as unprivileged user freerad + - use RuntimeDirectory (Closes: #954911) + - set ReadOnlyDirectories to the configuration (Closes: #955206) + - set some Protect* settings + - enable reloading the configuration + * Enable the control-socket site in autopkgtest and attempt a connection + to validate the fix for #954911 + * Reenable collectd integration, it does not pull in the world anymore + on sid, thanks to Bernd Zeimetz (Closes: #948996) + + [ Sven Hartge ] + * d/freeradius.service: Drop manual chown, not necessary + + -- Bernhard Schmidt <berni@debian.org> Wed, 01 Apr 2020 14:21:17 +0200 + +freeradius (3.0.20+dfsg-3) unstable; urgency=medium + + * Upload to unstable + + -- Bernhard Schmidt <berni@debian.org> Mon, 09 Dec 2019 23:42:23 +0100 + +freeradius (3.0.20+dfsg-2) experimental; urgency=medium + + * Drop freeradius-python2, build experimental freeradius-python3 + (Closes: #936558) + * Switch run-time tests to python3 + * Build with systemd support, use Type=notify in systemd unit + (Closes: #920345) + * Bump Standards-Version to 4.4.1, no changes needed + + -- Bernhard Schmidt <berni@debian.org> Fri, 29 Nov 2019 23:54:37 +0100 + +freeradius (3.0.20+dfsg-1) unstable; urgency=medium + + * New upstream version 3.0.20+dfsg + * Fix reload action on sysvinit (Closes: #940608) + + -- Bernhard Schmidt <berni@debian.org> Fri, 29 Nov 2019 18:03:07 +0100 + +freeradius (3.0.19+dfsg-3) unstable; urgency=medium + + * Drop collectd integration from freeradius-utils - temporarily? + collectd is marked for autoremoval at the end of August due to three + RC bugs that do not show any recent activity (Bug#925849, Bug#926528, + Bug#932299). Additionally, depending on libcollectdclient pulls in + (with Recommends on collectd) 200 additional binary packages. See + Bug#933296. + + -- Bernhard Schmidt <berni@debian.org> Wed, 21 Aug 2019 17:11:40 +0200 + +freeradius (3.0.19+dfsg-2) unstable; urgency=medium + + * Import upstream patch to fix atomics FTBFS on armel etc (Closes: #933634) + * Fix wrong wnpp Bug# in previous changelog + * Drop patch files already applied upstream + + -- Bernhard Schmidt <berni@debian.org> Thu, 01 Aug 2019 15:49:11 +0200 + +freeradius (3.0.19+dfsg-1) unstable; urgency=medium + + [ Sven Hartge ] + * New upstream version 3.0.19+dfsg + * Refresh and remove patches + Removed: + - disable-session-cache-CVE-2017-9148.patch + Fixed Upstream + - spelling-fixes.diff + Applied Upstream + - CVE-2019-11234-1.patch + - CVE-2019-11234-2.patch + Fixed Upstream + * Add Salsa CI pipeline + + [ Bernhard Schmidt ] + * Adopt package, help welcome. Thanks to Michael Stapelberg for working on + freeradius so far (Closes: #923034) + * Drop Josip from Uploaders (Closes: #842469) + * Drop Stephen Gran from Uploaders (Closes: #838404) + * Fix sysvinit stop by supplying executable to killproc. + Thanks to Benjamin Boudoir (Closes: #931920) + * Move to debian (former collab-maint) namespace on Salsa for easier + collaborative maintainership, adjust Vcs-* fields + * Override missing-dep-for-interpreter lintian error on shipped sample + files in freeradius-config + + -- Bernhard Schmidt <berni@debian.org> Mon, 29 Jul 2019 22:25:30 +0200 + +freeradius (3.0.17+dfsg-1.1) unstable; urgency=high + + * Non-maintainer upload. + * Cherry-Pick upstream commits to fix CVE-2019-11234 / CVE-2019-11235 / + VU#871675 (Invalid Curve Attack and Reflection Attack on EAP-PWD, leading + to authentication bypass) (Closes: #926958) + + -- Bernhard Schmidt <berni@debian.org> Mon, 22 Apr 2019 23:23:36 +0200 + +freeradius (3.0.17+dfsg-1) unstable; urgency=medium + + * stop using pristine-tar + * New upstream version 3.0.17+dfsg + + -- Michael Stapelberg <stapelberg@debian.org> Mon, 07 Jan 2019 09:38:17 +0100 + +freeradius (3.0.16+dfsg-5) unstable; urgency=medium + + * Revert "Strip rpath from a few modules." (Closes: #911180) + + -- Michael Stapelberg <stapelberg@debian.org> Fri, 14 Dec 2018 09:33:40 +0100 + +freeradius (3.0.16+dfsg-4.1) unstable; urgency=medium + + * Non-maintainer upload with permission. + * Split out python2 freeradius module into a standalone package. + (Closes: #900064) + * Strip rpath from a few modules. + * Drop upstart system jobs. + * Update git vcs URLs to salsa. + + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 25 Sep 2018 15:18:31 +0100 + +freeradius (3.0.16+dfsg-3) unstable; urgency=medium + + * Change default /etc/freeradius permission from 2751 to 2750 (Closes: #890933) + + -- Michael Stapelberg <stapelberg@debian.org> Tue, 20 Mar 2018 07:52:46 +0100 + +freeradius (3.0.16+dfsg-2) unstable; urgency=medium + + * Remove sites-enabled/* from freeradius-config (Closes: #889593) + + -- Michael Stapelberg <stapelberg@debian.org> Sun, 25 Feb 2018 16:25:54 +0100 + +freeradius (3.0.16+dfsg-1) unstable; urgency=medium + + * New upstream version 3.0.16+dfsg + + -- Michael Stapelberg <stapelberg@debian.org> Mon, 22 Jan 2018 19:05:09 +0100 + +freeradius (3.0.15+dfsg-2) unstable; urgency=medium + + * logrotate: don’t accidentally define global options (Closes: #872158) + + -- Michael Stapelberg <stapelberg@debian.org> Tue, 15 Aug 2017 09:50:16 +0200 + +freeradius (3.0.15+dfsg-1) unstable; urgency=high + + * New upstream version 3.0.15+dfsg, addressing the following security issues: + CVE-2017-10978 (denial of service) + CVE-2017-10984 (remote code execution, denial of service) + CVE-2017-10985 (denial of service) + CVE-2017-10983 (denial of service) + CVE-2017-10986 (denial of service) + CVE-2017-10987 (denial of service) + (Closes: #868765) + + -- Michael Stapelberg <stapelberg@debian.org> Tue, 18 Jul 2017 20:49:31 +0200 + +freeradius (3.0.14+dfsg-3) unstable; urgency=medium + + * Revert "Work around debhelper bug to fix FTBFS (Closes: #866978)" + (fixed upstream in debhelper 10.6.3) + + -- Michael Stapelberg <stapelberg@debian.org> Tue, 18 Jul 2017 09:30:49 +0200 + +freeradius (3.0.14+dfsg-2) unstable; urgency=medium + + * Work around debhelper bug to fix FTBFS (Closes: #866978) + + -- Michael Stapelberg <stapelberg@debian.org> Wed, 05 Jul 2017 08:23:11 +0200 + +freeradius (3.0.14+dfsg-1) unstable; urgency=medium + + * New upstream version 3.0.14+dfsg + * Switch to dh_missing’s --fail-missing feature + * Install missing file rlm_sql_freetds.so + * drop debian/patches/openssl-autoconf.diff (merged upstream) + * drop debian/patches/openssl-1.1.diff (merged upstream) + * drop debian/patches/manpage-fixes.diff (merged upstream) + * refresh patches + * add build-dependency on freetds-dev to build rlm_sql_freetds + * update Standards-Version to 4.0.0 (no changes necessary) + + -- Michael Stapelberg <stapelberg@debian.org> Mon, 03 Jul 2017 09:01:13 +0200 + +freeradius (3.0.12+dfsg-5) unstable; urgency=high + + * disable session cache to address CVE-2017-9148 (closes: #863673) + + -- Michael Stapelberg <stapelberg@debian.org> Tue, 30 May 2017 17:18:34 +0200 + +freeradius (3.0.12+dfsg-4) unstable; urgency=medium + + * fix openssl-1.1.diff: initialize ctx_out + * fix openssl-1.1.diff: remove const to fix warnings + * fix openssl-1.1.diff: initialize hctx, use HMAC_Init_ex + * Build-depend on default-libmysqlclient-dev + * Exempt mips64el from libcollectdclient-dev build-dependency + * freeradius.postinst: revert incorrect removal of /var/log file creation + * d/t: update tests for 3.x (Closes: #710895) + * Remove unused lintian overrides binary-or-shlib-defines-rpath + + -- Michael Stapelberg <stapelberg@debian.org> Thu, 17 Nov 2016 22:29:04 +0100 + +freeradius (3.0.12+dfsg-3) unstable; urgency=medium + + * update debian/patches/openssl-1.1.diff to fix compilation with older + OpenSSL versions. + * maintscripts: fix symlink creation condition + + -- Michael Stapelberg <stapelberg@debian.org> Thu, 10 Nov 2016 10:12:15 +0100 + +freeradius (3.0.12+dfsg-2) experimental; urgency=medium + + * Build-Depends: libjson-c-dev pulls in the corresponding library + * not-installed: prefix debian/tmp to work with older debhelper + * Update upstream signing-key + * clarify freeradius-config’s purpose + * update debian/patches/openssl-1.1.diff + * Switch from custom rm_conffile to dh_installdeb + * Install configuration in /etc/freeradius/3.0 (closes: #839931) + * Correctly grep for usage of snakeoil certs + * Remove all use of dpkg-statoverride + * chown/chgrp: use --no-dereference to not follow symlinks + * no-op reformatting: consistently indent maintscripts + * Directly use invoke-rc.d, remove init script fallback + + -- Michael Stapelberg <stapelberg@debian.org> Sat, 05 Nov 2016 11:11:29 +0100 + +freeradius (3.0.12+dfsg-1) experimental; urgency=medium + + * New upstream version. + drop debian/patches/jlibtool-dependency.diff (applied upstream) + drop debian/patches/relative-include-paths.diff (applied upstream) + drop debian/patches/dir-dependencies.diff (applied upstream) + drop debian/rad_counter.1 (applied upstream) + add debian/patches/manpage-fixes.diff + * freeradius-config: add missing Breaks/Replaces (closes: #839931) + * libfreeradius3: add missing Breaks/Replaces (closes: #839034) + * freeradius-{dhcp,config}: postrm: only call rmdir if directory exists + (closes: #839914) + + -- Michael Stapelberg <stapelberg@debian.org> Sat, 08 Oct 2016 13:35:04 +0200 + +freeradius (3.0.11+dfsg-1) experimental; urgency=medium + + * New upstream version + closes: #797181 + closes: #813478 + closes: #696250 + closes: #651456 + closes: #814423 + closes: #728306 + closes: #806617 + * re-order alternatives, sbuild always choses the first one + * debian/rules: move to dh(1) + * add lintian-overrides for fortify-functions + * Place package under pkg-freeradius team maintenance + * remove obsolete lintian override + * add debian/patches/spelling-fixes.diff + * freeradius.service: remove obsolete syslog.target + * Update Standards-Version to 3.9.8 (no changes necessary) + * debian/watch: mangle +dfsg suffix + * add debian/patches/dont-install-tests.diff + * Enable parallel compilation + * Install libfreeradius-*.{so,a} + * 0001-Rename-radius-to-freeradius.patch: update manpage/usage + (closes: #775281) + * Fix compilation with OpenSSL 1.1 (closes: #828305) + * Update Build-Depends + * add snakeoil-certs.diff: use snakeoil certs in the default config + * add relative-include-paths.diff for reproducible builds + * Create the mods-enabled links in freeradius-config.postinst + * Update debian/copyright + * Use dh-autoreconf to update autotools files + * add README.source, documenting importing new upstream versions + * Add NEWS.Debian with pointer to upgrading guide + * Add rad_counter.1 manpage + + -- Michael Stapelberg <stapelberg@debian.org> Sun, 25 Sep 2016 02:38:49 +0200 + +freeradius (2.2.8+dfsg-0.1) unstable; urgency=medium + + * Non-maintainer Upload + * New Upstream version + * Add myself to uploaders + * Include ubuntu multiarch python patch + * Include ubuntu autotests (Thanks probably to + yolanda.robla@canonical.com, marc.deslauriers@ubuntu.com) + * New standards version; no changes + + -- Sam Hartman <hartmans@debian.org> Mon, 14 Sep 2015 07:27:09 -0400 + +freeradius (2.2.5+dfsg-0.2) unstable; urgency=high + + * Disable OpenSSL version check; Debian will maintain ABI stability or + change the soname, Closes: #765871 + * Non-Maintainer Upload + + -- Sam Hartman <hartmans@debian.org> Thu, 23 Oct 2014 21:45:36 -0400 + +freeradius (2.2.5+dfsg-0.1) unstable; urgency=medium + + * Non-maintainer Upload + * Remove remnants of freeradius-dilaupadmin, Closes: #669741 + * Permit creating freerad to fail because user might exist, Closes: #661915 + * Update to standards version 3.9.5, no changes + * New upstream version, Closes: #740857, #691770 + - Include dictionary.mikrotik, Closes: #672200 + + -- Sam Hartman <hartmans@debian.org> Tue, 30 Sep 2014 19:18:08 -0400 + +freeradius (2.1.12+dfsg-1.3) unstable; urgency=low + + * Non-maintainer upload. + * Remove freeradius-dialupadmin, Closes: #711486. I understand there's a + patch in the bug that could get this working. + However, it's been removed upstream for 3.x, my hope is to package + 3.0.2 soon, and a PHP script that copies all the get/post data + into globals so as to administer an authentication server is more + scary than I choose to contemplate. + * Add IODBC include directories, Thanks Maximiliano Curia + , Closes: #740060 + + + -- Sam Hartman <hartmans@debian.org> Wed, 12 Mar 2014 20:36:19 -0400 + +freeradius (2.1.12+dfsg-1.2) unstable; urgency=high + + * Non-maintainer upload. + * Fix expired passwords when using the unix module (CVE-2011-4966, + Closes: #694407). + + -- Kees Cook <kees@debian.org> Sun, 16 Dec 2012 12:44:35 -0800 + +freeradius (2.1.12+dfsg-1.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix pre-authentication buffer overflow in EAP handling + (CVE-2012-3547; Closes: #687175, #687178). + + -- Nico Golde <nion@debian.org> Tue, 11 Sep 2012 19:38:02 +0200 + +freeradius (2.1.12+dfsg-1) unstable; urgency=low + + * New upstream version, closes: #675698. + + Fix for a segmentation fault in rlm_eap, closes: #645998. + * Backport upstream commits to fix our bug reports: + + Fix for a crash on SIGHUP in config file handling, + 378f2517357f11f9900c3799c6a469ee2fda7bdf + ab73a3debf93492804e7af253ba45a7b017a18d1 + closes: #606450 + + Fix for a segmentation fault in radmin through environment variables, + ce1bb741773b253c4ccf24accccf6305e202a322 + 516dbaabf0ea80d0ff0643dc2ae9a10c4d31494c + closes: #662194 + * Use dpkg-buildflags for configure, by Moritz Muehlenhoff, closes: #657838. + * Mark rlm_jradius as stable to get it to build and ship, closes: #599067. + * Switch to dpkg-source 3.0 (quilt) format. + * Polished packaging a wee bit and updated the Standards-Version. + + -- Josip Rodin <joy-packages@debian.org> Fri, 29 Jun 2012 14:32:33 +0200 + +freeradius (2.1.10+dfsg-3.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix "FTBFS: libfreeradius-radius-2.1.10.so: could not read symbols: + Invalid operation": adjust target dependencies in debian/rules: make sure + the patch target is not only called for build but also for + build-{arch,indep}. (Closes: #666311) + + -- gregor herrmann <gregoa@debian.org> Wed, 02 May 2012 16:58:57 +0200 + +freeradius (2.1.10+dfsg-3) unstable; urgency=low + + * Fixed the silly error that rendered previous attempts to use the + right libtool functions useless, hopefully finally closes: #416266. + * Link radeapclient with libradius to fix linking with binutils-gold, + closes: #553387. + * Fix the debug mode crashing when home server doesn't respond to + a proxied request. Dmitry Borodaenko cherry-picked upstream commits + 540a0515de93d99ef45f97b9114185f159587b51 and + ab972f1f9b724fc0b71e6ca726078c92ad26bc6b, thanks, closes: #609870. + * Fixed udpfromto IPv6 breakage because of broken offsetof tests, + backported upstream b4f0c7ed4dc9811d8dfa982540ed8cb721cc854a + (one minor change necessary) as well as + 655f0786d60fe02440763df69b1aaf5110706690, as well as the simple + IPV6_RECVPKTINFO change, hopefully it activates all the right + modern IPv6 functions and closes: #606866. + + -- Josip Rodin <joy-packages@debian.org> Thu, 05 May 2011 23:50:20 +0200 + +freeradius (2.1.10+dfsg-2) unstable; urgency=medium + + * The zombie period start time variable mistakenly got set to a random + value because of an upstream typo. Cherry-picked upstream commit + 7b7dff7724721f8af5fd163f2292d427a869992d into a Debian patch, + requested for squeeze in #600465. + * Since 2.1.9, the daemon stopped reopening the default radius.log file + constantly, which means the default logrotate setup breaks the default + logging. D'oh. We now have to send SIGHUP to the daemon as a postrotate + action, which makes it reopen log files and continue normally. + * Added delaycompress to the logrotate options, just to be on the safe + side. + * Added a reload action into the init script accordingly, so that the + right pidfile is picked up (one that can be overridden by the admin + in /etc/default/freeradius, available since the last release). + * Called reload from the postrotate section, closes: #602815. + * However, the latter signal also makes the server re-read configuration + files, but unlike the initial server start, this all happens under + the unprivileged user. That in turn means that if by any chance there + is any part of FR configuration that happens not to be readable by + group freerad (or whatever non-default is configured), the reload + will fail, effectively silently, as the log has been moved away. Gah. + So we have to make an effort to ensure that the configuration files + are still readable by that user, otherwise the reload fails and the + aforementioned bug is not fixed. The files seem to revert to + root:root upon conffile actions, at least that's what happened to me + and I think that was the cause. So, on upgrade, try to re-apply the + dpkg-statoverrides on our /etc/freeradius/* stuff, whatever they are, + under the assumption they will let the freerad group read config files + as is the initial setup. (I wish dpkg-statoverride --update $file + just did the right thing, but it doesn't, so there's a new local + function that does that.) + * While doing the latter, noticed that we were checking for directories + in dpkg-statoverride --list output with trailing slashes, but they + get output without it, so it was a no-op. Fixed the check by removing + the trailing slashes. Also then noticed that we were grepping --list + output, but it takes an optional glob pattern, so saved us that + pointless grep fork by using that facility, just as described in the + policy manual. + * force-reload switches from restart to reload, per policy 9.3.2. + * lenny backport needed also libltdl-dev (2.2.x) to build properly, rather + than libltdl3-dev, which is obsolete and doesn't make sense anyway. + + -- Josip Rodin <joy-packages@debian.org> Sat, 13 Nov 2010 15:21:30 +0100 + +freeradius (2.1.10+dfsg-1) unstable; urgency=medium + + * New upstream version, closes a bunch of reproducible SNAFUs, + including two tagged as security issues, CVE-2010-3696, CVE-2010-3697, + closes: #600176. + * Build-depend on newer Libtool because of lt_dladvise_init(), also + upstream now has a configure check so we no longer need a patch, + yet we still don't want the old behaviour. Noticed by John Morrissey, + closes: #584151. + * Added the /etc/default/freeradius file as suggested by + Rudy Gevaert and Matthew Newton, closes: #564716. + * Stop symlinking /dev/urandom into /etc/freeradius/certs/random, + it breaks grep -r in /etc. Instead, replace it inside eap.conf, + both in the new shipped conffile and in postinst. + + -- Josip Rodin <joy-packages@debian.org> Thu, 14 Oct 2010 21:51:51 +0200 + +freeradius (2.1.9+dfsg-1) unstable; urgency=low + + * New upstream version. + + radclient (radtest) should now use IPv4 by default, closes: #569614. + * Depend on ca-certificates explicitly, closes: #569601. + * I mistook ca.pem for the locally selected acceptable CA, whereas that + actually just happens to mean DebConf.org CA, and we want the former + by default. That in turn is in /etc/ssl/certs/ca-certificates.crt. + Obviously later the users can trivially change this, but this looks + like a reasonably reliable default that doesn't involve a lot of magic + that can delay or break postinst invocations. In the future, eap.conf + will become modules/eap and this will not be so critical. + * The private_key_file = ${certdir}/server.pem default doesn't get along + with snakeoil, or common sense really (why would you keep a secret key + in the same file as the non-secret certificate?), and could have broken + upgrades if people accepted the conffile prompt, so adjusted the + default conffile too, and adjusted the postinst upgrade logic as well. + * Enable HAVE_LT_DLADVISE_INIT as it fixes the module symbol lookup + errors from additional libraries, closes: #416266. + * Explicate source format as 1.0. + * Add ${misc:Depends} to all binary packages. + * Update standards version to 3.8.4, no changes necessary. + + -- Josip Rodin <joy-packages@debian.org> Sun, 30 May 2010 12:48:55 +0200 + +freeradius (2.1.8+dfsg-1) unstable; urgency=medium + + * New upstream version. + + Fixes several showstopper bugs, hence increased urgency. + + Includes OpenSSL+GPL license exception, closes: #499120. + + Fixes typo in a warning, closes: #523074. + * Added libssl-dev into build-depends and enabled the building of + modules that just depend on OpenSSL, namely rlm_eap_peap, rlm_eap_tls, + rlm_eap_ttls, and rlm_otp, closes: #266229. + * Because the configuration of EAP+SSL modules now actually kicks in, its + non-existent certificate file would break the server start by default. + Depend on ssl-cert, make use of make-ssl-cert and openssl, and add + freerad to the ssl-cert group in the postinst to get us past the + problematic default settings so that we don't crash and burn on clean + upgrades, but otherwise leave everything else to the admin. + * Ship /etc/freeradius/attrs.access_challenge, like the others. + * Moved otp.conf and snmp.conf statoverride handling to the preinst + and used rm_conffile on them as well. + * Updated upstream changelog handling a bit. + + -- Josip Rodin <joy-packages@debian.org> Sat, 02 Jan 2010 20:22:47 +0100 + +freeradius (2.1.7+dfsg-2) unstable; urgency=low + + * Ship radmin and raddebug in the freeradius package. + * Correct section number inside raddebug(8) so it doesn't get misplaced. + + -- Josip Rodin <joy-packages@debian.org> Tue, 24 Nov 2009 15:29:59 +0100 + +freeradius (2.1.7+dfsg-1) unstable; urgency=low + + * Adopting the package, closes: #536623. + * New upstream version, closes: #513484. + + Fixes the blooper in unlang evaluation logic, closes: #526175. + * Used quilt (and added README.source), and moved upstream file patching + into debian/patches/. The source is no longer in collab-maint git + (to make it simpler for me to finally get this out the door), but + kept the .gitignore should we need that again. + * Dropped the dialup_admin/bin/backup_radacct patch (integrated upstream). + * Dropped the raddb/Makefile patch (problem no longer exists upstream). + * Dropped the lib/packet.c lib/radius.c main/listen.c patches (was from + upstream 2.0.5 anyway). + * Dropped references to otp.conf, it no longer exists upstream. + Keep removing the conffile statoverride in prerm. + * Dropped references to snmp.conf, it no longer exists upstream. + Keep removing the conffile statoverride in prerm. + * Ship /etc/freeradius/modules/* in the freeradius package. + * Stop shipping sites-enabled symlinks in the package and instead create + them only on initial install, thanks to Matej Vela, closes: #533396. + * Add export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" to the init script + at the request of John Morrissey, closes: #550143. + * Stop installing /var/run/freeradius in the package to silence Lintian. + The init script already recreates it at will. + * Remove executable bit from example.pl to silence Lintian. + + -- Josip Rodin <joy-packages@debian.org> Mon, 23 Nov 2009 03:57:37 +0100 + +freeradius (2.0.4+dfsg-7) unstable; urgency=low + + * Ignore rmdir failure on clean (closes: #545932) + * Do a better job of catching errors in the init script (closes: #533390) + * Init headers fixup (closes: #541882) + * Clean up some logs so dpkg can successfully rmdir (closes: #530727) + + -- Stephen Gran <sgran@debian.org> Sun, 13 Sep 2009 19:33:12 +0100 + +freeradius (2.0.4+dfsg-6) unstable; urgency=low + + * Fix unsafe use of tempfile (closes: #496389) + + -- Stephen Gran <sgran@debian.org> Mon, 25 Aug 2008 14:18:48 +0100 + +freeradius (2.0.4+dfsg-5) unstable; urgency=low + + [ Mark Hymers ] + * Cherry pick commit from 2.0.5 which fixes port binding issues. + Closes: #489773. + + [ Stephen Gran ] + * add PERL_SYS_INIT3 and PERL_SYS_TERM calls to rlm_perl. (closes: #495073) + * Make the SQL modules link against rlm_sql.so in the most horrific + (and only) way possible. (closes: #448699) + + -- Stephen Gran <sgran@debian.org> Thu, 14 Aug 2008 19:15:30 +0100 + +freeradius (2.0.4+dfsg-4) unstable; urgency=low + + * Create links from sites-enabled to sites-available for the files that + upstream enables by default (closes: #483914) + + -- Stephen Gran <sgran@debian.org> Sun, 01 Jun 2008 12:24:35 +0100 + +freeradius (2.0.4+dfsg-3) unstable; urgency=low + + * brown paper bag release + * Really actually do the statoverride I thought we were doing with -2 + (closes: #482380) + + -- Stephen Gran <sgran@debian.org> Thu, 22 May 2008 11:18:12 +0100 + +freeradius (2.0.4+dfsg-2) unstable; urgency=low + + * Install /var/log/freeradius 0750 so that people writing their passwords to + logfiles don't accidentally leak them without noticing (closes: #482085) + + -- Stephen Gran <sgran@debian.org> Tue, 20 May 2008 19:38:27 +0100 + +freeradius (2.0.4+dfsg-1) unstable; urgency=low + + * Ok, actually remove all the cruft in debian/ shipped by upstream. This + means repacking the tarball and all that, but it also means dpkg-source + won't get the chance to ignore removed files, resulting in files + reappearing, but not locally (closes: #481406) + * Also remove config.{cache,log} in clean target - damn you gitignore + + -- Stephen Gran <sgran@debian.org> Mon, 19 May 2008 03:55:55 +0100 + +freeradius (2.0.4-3) unstable; urgency=low + + * I have no god damn idea why the buildds are adding manpages to the wrong + binary. Reuploading with DH_VERBOSE=1 to see if we can find it. We + certainly can't reproduce it in our local builds, even calling the same + targets in the same order as the buildds. + + -- Stephen Gran <sgran@debian.org> Mon, 19 May 2008 00:17:06 +0100 + +freeradius (2.0.4-2) unstable; urgency=low + + * freeradius-{common,utils} needs to Conflict: with other radius + implementations that share files (closes: #480682) + + -- Stephen Gran <sgran@debian.org> Sun, 11 May 2008 18:41:45 +0100 + +freeradius (2.0.4-1) unstable; urgency=low + + * New upstream release + * Make all directories in /etc/freeradius group +x (closes: #479835) + + -- Stephen Gran <sgran@debian.org> Fri, 09 May 2008 12:58:55 +0100 + +freeradius (2.0.3-1) unstable; urgency=low + + [ Mark Hymers ] + * New upstream release + * Bump Build-Dep on debhelper to 6.0.7 as we use dh_lintian + * Delete lots of obsolete conffiles + + [ Stephen Gran ] + * Create a -common package for some extra file that the -utils package + needs. Also stuff in manpages and other arch all files to reduce the size + of the unnecessarily repeated stuff in the archive + * Change chown/chmod calls to dpkg-statoverride + + -- Mark Hymers <mhy@debian.org> Sat, 03 May 2008 17:07:42 +0100 + +freeradius (2.0.2-1) unstable; urgency=low + + * Yet another new upstream version (closes: #465475) + * Cleanup manpages + * Add lintian overrides for rpath - this is intentional + * Packaging is now being done in git, we're dropping dpatch + * Split out client utilities (closes: #470977) - this means we also need to + split the library so the two binary packages can use it + * Major package rework + + -- Stephen Gran <sgran@debian.org> Sun, 16 Mar 2008 22:58:16 +0000 + +freeradius (2.0.0-1) unstable; urgency=low + + * New upstream version + * Patches: + - freshen 02-radiusd-to-freeradius + - disable 03-dialupadmin-help until it's reworked properly + + -- Stephen Gran <sgran@debian.org> Thu, 10 Jan 2008 23:05:50 +0000 + +freeradius (1.1.7-1) unstable; urgency=low + + * New upstream version + * Update debian/copyright to reflect reality: + - package is GPL v2 only, so refer to the correct file in common-licenses + - Remove explanation of wy postgres and snmp modules can't be shipped, + since we do ship them. + * Remove 04-configure-openssl.dpatch, --without-openssl applied upstream + + -- Stephen Gran <sgran@debian.org> Thu, 09 Aug 2007 10:09:20 +0100 + +freeradius (1.1.6-4) unstable; urgency=low + + The "Give me GPLv2 compatibility or give me FTBFS" release + * Fix rlm_krb5 not to link with openssl unless it actually needs to + * debian/rules: move dependency on patch target to config.status + * debian/rules: FTBFS if a package accidentally directly links to openssl + + -- Stephen Gran <sgran@debian.org> Wed, 04 Jul 2007 17:08:45 +0100 + +freeradius (1.1.6-3) unstable; urgency=low + + * Change freeradius-dbg to Priority: extra. + * After discussions with one of the ftp-assistants, we can ship + freeradius-postgresql in main. Yey! (Closes: #264649, #382329) + + -- Mark Hymers <mhy@debian.org> Thu, 21 Jun 2007 13:32:09 +0100 + +freeradius (1.1.6-2) unstable; urgency=low + + [ Mark Hymers ] + * Add freeradius-dbg package. + + [ Stephen Gran ] + * Update debian/control for php5 (dialupadmin) (closes: #424788, #412701) + + -- Stephen Gran <sgran@debian.org> Thu, 31 May 2007 02:47:02 +0100 + +freeradius (1.1.6-1) unstable; urgency=low + + * New upstream release. Closes: #420003. + + -- Mark Hymers <mhy@debian.org> Thu, 19 Apr 2007 15:14:05 +0100 + +freeradius (1.1.5-1) unstable; urgency=low + + * New upstream release. Closes: #415980 + * Remove 01-fix-proxy.dpatch as it was a backport from upstream. + * otppasswd.sample is no longer provided so make sure we remove the + conffile properly in preinst. + * Update my email address and remove Paul from Uploaders. Thanks to him for + previously maintaining the package. + * Change so that we start at S50 and stop at K19 so that we start after + services we depend on and stop before them. Closes: #408665. + Note that is only for new installs. + + -- Mark Hymers <mhy@debian.org> Fri, 13 Apr 2007 13:14:08 +0100 + +freeradius (1.1.3-3) unstable; urgency=medium + + * Fix POSIX compliance problem in init script. Closes: #403384. + + -- Mark Hymers <mark@hymers.org.uk> Sat, 16 Dec 2006 20:45:11 +0000 + +freeradius (1.1.3-2) unstable; urgency=low + + [ Stephen Gran ] + * Check for existence of pidfile in initscript. + * Clean some old cruft from debian/rules + * Write dialup_admin/Makefile + * Make binNMU safe + * Some lsb init headers + + [ Mark Hymers ] + * Merge upstream patch to deal with proxy port settings. Closes: #388024. + * Rewrite large parts of the Debian build system. + + -- Stephen Gran <sgran@debian.org> Sat, 7 Oct 2006 21:08:35 +0100 + +freeradius (1.1.3-1) unstable; urgency=low + + [ Stephen Gran ] + * Add and rework ubuntu /var/run/tmpfs patch + * Add LSB init script headers + * Actually trap errors in init script, how about? + + [ Mark Hymers ] + * New upstream version. + * New version of autotools in 1.1.3. Closes: #380204 + * Remove previous patches merged upstream: + - 01-actually_check_for_unset_password.dpatch + * Only do user creation, group addition, chmod and chown stuff in postinst + on an initial install to avoid clobbering local changes. + + -- Mark Hymers <mark@hymers.org.uk> Wed, 23 Aug 2006 14:48:57 +0100 + +freeradius (1.1.2-2) unstable; urgency=low + + [ Stephen Gran ] + * Acknowledge my previous NMU's (closes: #351732, #359042) + * Init scripts overhaul: + - now use reload on upgrade of modules + - replace sleep statements with --retry, as time based tests are + fragile + - no longer exit with an error if stop fails because the + daemon isn't running (closes: #374670, #351735) + - stop using command -v in /bin/sh scripts + * General maintainer script overhaul: + - Don't rm -rf something in /etc (ouch) + - Use chown -R instead of 'find .. -exec' + - should not need to manually remove the init script on purge (it's a dpkg + managed conffile) + - Only do user management stuff if user is missing. No point rerunning it + every upgrade. + - Install /etc/freeradius/dictionary with relaxed permissions, but never + touch it again (closes: #334299) + - switch to debhelper files where possible. I like an easy to read + Makefile. + * Arg. Move README.rfc to the freeradius package where it belongs. + + [ Mark Hymers ] + * Document building SSL/PostgreSQL modules in debian/rules, add + control.postgresql to make it more convenient. Tested on AMD64 using + system libtool. + + -- Stephen Gran <sgran@debian.org> Sun, 25 Jun 2006 23:06:16 +0100 + +freeradius (1.1.2-1) unstable; urgency=low + + [ Mark Hymers ] + * New maintainers + * New upstream version. + * Remove previous patches merged upstream: + - 01_NET-SNMP_build_support.dpatch + - 02_document_actual_shared_secret_maximum_length.dpatch + - 12_more_dialup_admin_various_fixes.dpatch + - 14_broken_parse.dpatch + - 15_CVE-2006-1354.dpatch + * Use --with-system-libtool during configure. Add B-D: on libtool + Removes obsolete dpatches: + - 06_libtool14_vs_rlm_eap_tls.dpatch + - 13_a_libtool_to_call_your_own.dpatch + * Remove freeradius.undocumented as we don't install links to + undocumented(7) anymore (not recommended since policy 3.5.8.0) + + [ Stephen Gran ] + * Update to Standards Version 3.7.2 (no changes) + * Remove doc/rfc/ to make -legal happy (closes: #365192) + - this means repacked tarball. See README.rfc for details + * Test for unset variable, rather than empty variable in clean_radacct, + monthly_tot_stats and truncate_radacct (closes: #374053) + + -- Mark Hymers <mark@hymers.org.uk> Sat, 17 Jun 2006 16:05:19 +0100 + +freeradius (1.1.0-1.2) unstable; urgency=high + + * Non-maintainer upload. + * [ CVE-2006-1354 ]: + src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c: + Due to insufficient input validation it is possible for a remote + attacker to bypass authentication or cause a denial of service. + (closes: #359042) + + -- Stephen Gran <sgran@debian.org> Wed, 17 May 2006 11:22:28 -0500 + +freeradius (1.1.0-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Upstream patch to fix parsing config file (closes: #351732) + Fixes: fails to start on amd64 (error in dictionary parsing code) + + -- Stephen Gran <sgran@debian.org> Sat, 1 Apr 2006 11:07:55 +0100 + +freeradius (1.1.0-1) unstable; urgency=low + * ReDebianise upstream tarball: + - Deleted RFCs: 2243 2289 2433 2548 2618 2619 2620 2621 2716 2759 2809 2865 + 2866 2867 2868 2869 2882 2924 3162 3575 3576 3579 3580 + draft-kamath-pppext-eap-mschapv2-00 + + * New FreeRADIUS modules marked stable by new upstream release + - rlm_perl + - rlm_sqlcounter + - rlm_sql_log + radsqlrelay + - rlm_otp (formerly rlm_x99_token, not built as it depends on OpenSSL) + + * Remove upstream-integrated patches: + - 02_EAP-SIM_doesnt_need_openssl + - 03_X99_is_not_stable + - 07_manpage_fixups + - 09_use_crypth_if_we_have_it + - 10_escape_entire_ldap_string + - 11_dont_xlat_possibly_bad_usernames_in_bad_accounting_packets + - 12_dialup_admin_various_fixes + + * More dialup-admin fixes from Arve Seljebu + - Fix redirects in dialup-admin pages on servers with + register_globals turned off. + Closes: #333704 + - HTTP form fields will always fail is_int, use in_numeric instead + Closes: #335149 + - Created 12_more_dialup_admin_various_fixes + + * Update to Policy 3.6.2.0 + * Upgrade Debhelper support to V5 + * Don't install the .in files with the examples + * Prefer libmysqlclient15-dev + Closes: #343779 + * Shared secrets can only be 31 characters long, note this in clients.conf + - Created 02_document_actual_shared_secret_maximum_length + Closes: 344606 + * Added support for lsb-init functions + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Sun, 15 Jan 2006 13:34:13 +1100 + +freeradius (1.1.0-0) unstable; urgency=low + + * New upstream release. + * Update set of patches: + - 01_NET-SNMP_build_support.dpatch + - 06_libtool14_vs_rlm_eap_tls.dpatch + - 13_a_libtool14_to_call_your_own.dpatch + + -- Nicolas Baradakis <nbk@sitadelle.com> Sun, 1 Jan 2006 18:15:47 +0100 + +freeradius (1.0.5-2) unstable; urgency=low + + * Stop dragging non-PIC code from libeap.a into rlm_eap_sim.so and + rlm_eap.so. + (Thanks to Peter Salinger) + Closes: #288547 + - Rename 06_libtool14_vs_rlm_eap_tls to 06_libtool14_vs_rlm_eap + and modify with Peter's changes and some Makefile hackery to + get it all linking + * Don't rerun configure during the build. + (Thanks to Kurt Roeckx) + * A whole bunch of dialup-admin fixes from Arve Seljebu and Tobias + - Report correct data transfer statistics for users + Closes: #329672 + - Lower-case sql column names to match creation scripts + Closes: #333709 + - Fix creation of empty groups + Closes: #333739 + - Put quote around usernames in HTML output + Closes: #333742 + - Properly notice when we've got a blank password to SQL + Closes: #333744 + - Created 12_dialup_admin_various_fixes + * Stop using libtool1.4 to build against, now that we can't have it and + libltdl3-dev installed at the same time + Closes: #279391 + - Created 13_a_libtool14_to_call_your_own to get most recent ltmain.sh + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Sun, 16 Oct 2005 21:26:30 +1000 + +freeradius (1.0.5-1) unstable; urgency=high + + * Urgency high for security fixes below, all reported upstream + * ReDebianise upstream tarball: + - Deleted RFCs: 2243 2289 2433 2548 2618 2619 2620 2621 2716 2759 2809 2865 + 2866 2867 2868 2869 2882 2924 3162 3575 3576 3579 3580 + draft-kamath-pppext-eap-mschapv2-00 + * Add missed build-dependancy on dpatch (>=2) + * Update to Standards-Version 3.6.2.0 + - No changes needed + * Repair some minorly broken manpages + - Created 07_manpage_fixups.dpatch + * Security fixes stolen from CVS release_1_0 branch: + - Be sure we use crypt.h if we have it, to avoid segfaulting on a + bad built-in crypt() definition, spotted by Konstantin Kubatkin + + Created 09_use_crypth_if_we_have_it + - Make sure we escape the entire LDAP string, instead of + aborting as soon as it becomes possible to be out of space + + Created 10_escape_entire_ldap_string + - Don't xlat the UserName attribute before we can be sure of meeting + any escape sequences it may contain, spotted by Primoz Bratanic + + Created 11_dont_xlat_possibly_bad_usernames_in_bad_accounting_packets + * Depend on adduser, so our postinst can create the freerad user + * Don't install the .in versions of the example scripts. + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Mon, 19 Sep 2005 15:10:40 +1000 + +freeradius (1.0.5-0) unstable; urgency=low + + * New Upstream release, from release_1_0 branch + - Remove 04_bonus_control_code_in_clients_conf_5 + - Remove 05_unbreak_quoted_sql_results + * Fix my _name_ in the dpatches + * Remove patch to CVS ID header from 05_unbreak_quoted_sql_values + so as not to break things when comitting to FreeRADIUS CVS + * Take linking fix from FreeRADIUS bugzilla #75 to allow + rlm_eap_tls to be linked to by rlm_eap_ttls and rlm_eap_peap + even though we don't build them in the Debian archive. + (Thanks to Luca Landi for the patch) + - Created 06_libtool14_vs_rlm_eap_tls + * Fix ownership of files in /var/log/freeradius/ more efficiently + (Caught by Guido Trotter) + Closes: #326891 + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Wed, 7 Sep 2005 01:08:07 +1000 + +freeradius (1.0.4-2) unstable; urgency=low + + * Fix my email address in the dpatches + * Remove extraneous ^g from man/man5/clients.conf.5 + - Created 04_bonus_control_code_in_clients_conf_5 + * Correct handing of parameterless call of init script, and + general init script neatening + (Thanks to Derrick Karpo) + Closes: #315438 + * Correctly leave out the .in files in the examples + * Correctly use debhelper after splitting binary make target + into binary-arch and binary-indep. + (Thanks to Kurt Roeckx for actually hitting the bug) + Closes: #315770 + * Steal fix from CVS release_1_0 tree for rlm_sql quoted values. + (Thanks to Nicolas Baradakis for the fix) + - Upstream bugzilla #242, src/modules/rlm_sql/sql.c 1.79.2.2 + - Created 05_unbreak_quoted_sql_values + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Mon, 27 Jun 2005 03:13:48 +1000 + +freeradius (1.0.4-1) unstable; urgency=low + * ReDeianise upstream tarball: + - Deleted RFCs: 2243 2289 2433 2548 2618 2619 2620 2621 2716 2759 2809 2865 + 2866 2867 2868 2869 2882 2924 3162 3575 3576 3579 3580 + draft-kamath-pppext-eap-mschapv2-00 + * Convert to dpatch, dpatch-2-style interface. + - New build-dependancy on dpatch (>= 2) + - Created 01_NET-SNMP_build_support + - Created 02_EAP-SIM_doesnt_need_openssl + - Created 03_X99_is_not_stable + * Assemble the freeradius-dialupadmin in the binary-indep make target + Closes: #313173 (Thanks to Santiago Vila for spotting this) + * Include the example scripts in /usr/share/doc/freeradius/examples/scripts + except those three which are installed into the binary by the Makefile. + Closes: #314253 (Thanks to Michael Langer for spotting this) + * Suggest libdate-manip-perl for freeradius-dialupadmin + Closes: #306007 (Thanks to Feng Sian) + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Wed, 22 Jun 2005 16:03:27 +1000 + +freeradius (1.0.4-0) unstable; urgency=medium + + * New upstream release, fixing build problems. + * Prefer libpq-dev over postgresql-dev as a build-dependancy. + - This requires us to use pgconfig to find the headers. + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Thu, 16 Jun 2005 13:56:33 +1000 + +freeradius (1.0.3-0) unstable; urgency=high + + * New upstream release + * Urgency high for some denial-of-service fixes: + - SQL injection attacks and DoS (core dump) via buffer overflow. + Closes: #307720 + + -- Alan DeKok <aland@ox.org> Fri, 3 Jun 2005 11:29:34 -0700 + +freeradius (1.0.2-4) unstable; urgency=high + + * Security fix stolen from CVS release_1_0 branch: + - Always use sql_escape_func when calling radius_xlat + - Add a test in sql_escape_func() to check buffer bound when + input character needs escaping. + - Urgency high as these are (theoretical) security issues. + Closes: #307720 (Thanks to Primoz Bratanic and Nicolas Baradakis) + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Mon, 23 May 2005 18:53:51 +1000 + +freeradius (1.0.2-3) unstable; urgency=medium + + * Fixes stolen from CVS release_1_0 branch: + - Fix missed SIGCHLD when waiting for external programs + when threaded. (Medium urgency as this can easily livelock + FreeRADIUS, which is an authentication server.) + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Mon, 18 Apr 2005 23:46:41 +1000 + +freeradius (1.0.2-2) unstable; urgency=medium + + * Get rid of extraneous '%' at the start of every reference to + /etc/freeradius-dialupadmin in freeradius-dialupadmin's configuration. + Closes: #299749 + * Fixes stolen from CVS release_1_0 branch: + - Fix checkrad call for NAS ports > 9999999. (sprintf integer overrun, + reason for urgency medium.) + - Fix inverted test causing crash with pthreads and crypt + Closes: #300219 (Thanks Manuel Menal) + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Wed, 6 Apr 2005 12:33:05 +1000 + +freeradius (1.0.2-1) unstable; urgency=low + + * ReDebianise upstream tarball: + - Deleted RFCs: 2243 2289 2433 2548 2618 2619 2620 2621 2716 2759 2809 2865 + 2866 2867 2868 2869 2882 2924 3162 3575 3576 3579 3580 + * Allow rlm_eap_sim to build without OpenSSL + * Make init script return 1 if reloading kills the server + (Thanks to Nicolas Baradakis) + Closes: #292170 + * Enable Novell eDirectory integration + * Enable udpfromto code so that replies come from the same address as + the request arrived at + * Build-depend on libmysqlclient12-dev as libmysqlclient10 has problems + accessing 4.0 series mySQL servers, and libmysqlclient12 can access + 4.1 series mySQL servers. + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Fri, 4 Mar 2005 09:30:40 +1100 + +freeradius (1.0.2-0) unstable; urgency=low + + * New upstream release + * Update for Debian Policy 3.6.1.1 + - Change test if invoke-rc.d as per Policy 9.3.3.2 + * freeradius-dialupadmin Suggests php4-mysql | php4-pgsql + Closes: #279419 + * Added a two-second pause to restart in init.d script + Closes: #262635 + * FreeRADIUS module packages now depend on the same source + version of the main FreeRADIUS package. + Closes: #284353 + * FreeRADIUS-dialupadmin's default paths in admin.conf are + now correct. + Closes: #280942 + * FreeRADIUS-dialupadmin's help.php3 can now find README. + Closes: #280941 + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Wed, 29 Dec 2004 20:12:52 +1100 + +freeradius (1.0.1-2) unstable; urgency=high + + * freeradius-dialupadmin Suggests php4-mysql | php4-pgsql + Closes: #279419 + * Added a two-second pause to restart in init.d script + Closes: #262635 + * FreeRADIUS module packages now depend on the same source + version of the main FreeRADIUS package. + Closes: #284353 + * FreeRADIUS-dialupadmin's default paths in admin.conf are + now correct. + Closes: #280942 + * FreeRADIUS-dialupadmin's help.php3 can now find README. + Closes: #280941 + * Fixes stolen from 1.0.2 CVS: + - Bug fix to make udpfromto code work + - radrelay shouldn't dump core if it can't read a VP from the + detail file. + - Only initialize the random pool once. + - In rlm_sql, don't escape characters twice. + - In rlm_ldap, only claim Auth-Type if a plain text password is present. + - Locking fixes in threading code + - Fix building on gcc-4.0 by not trying to access static auth_port from + other files. + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Wed, 29 Dec 2004 20:19:42 +1100 + +freeradius (1.0.1-1) unstable; urgency=high + + * ReDebianise upstream tarball: + - Deleted RFCs: 2243 2289 2433 2548 2618 2619 2620 2621 2716 2759 2809 2865 + 2866 2867 2868 2869 2882 2924 3162 3575 3576 3579 3580 + - Remove CVS directories. + * Urgency high for security fix from 1.0.1-0 (CAN-2004-0938, + closes: #275136). + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Thu, 23 Sep 2004 22:28:11 +1000 + +freeradius (1.0.1-0) unstable; urgency=high + + * New upstream release + * Urgency high for some denial-of-service fixes: + - Fix two remote crashes and a remote memory leak in + radius packet decoding. + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Thu, 2 Sep 2004 17:12:23 +1000 + +freeradius (1.0.0-1) unstable; urgency=low + + * ReDebianise upstream tarball: + - Deleted RFCs: 2243 2289 2433 2548 2618 2619 2620 2621 2716 2759 2809 2865 + 2866 2867 2868 2869 2882 2924 3162 3575 3576 3579 3580 + * Support building with libsnmp5's UCD-SNMP compatiblity mode. + - libsnmp{4.2,5} still depend on OpenSSL, so SNMP's still disabled. + * Update for Debian Policy 3.6.11 + - Change test for invoke-rc.d as per Policy 9.3.3.2 + * Disable rlm_eap types PEAP, TLS and TTLS as they depend on OpenSSL. + * Disable rlm_sql driver PostgreSQL as it depends on OpenSSL. + * Disable rlm_x99_token as it depends on OpenSSL. + * Finally, -v is documented in radius(8). + - Closes: #151266 + * Reword a sentence in radwatch(8) by removing the personal pronoun. + - Closes: #264522 + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Tue, 17 Aug 2004 17:42:40 +1000 + +freeradius (1.0.0-0) unstable; urgency=low + + * New upstream release + * Added H323 billing stuff to the examples + * Created Dialup-Admin package for the PHP-based web + FreeRADIUS database (SQL/LDAP) frontend. + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Sat, 17 Jul 2004 16:21:38 +1000 + +freeradius (0.9.3-1) unstable; urgency=low + + * New upstream release, incorporates security fix from 0.9.2-4. + * Correct build-dependancy on debhelper. + Closes: #234486 + * Split iodbc SQL driver into its own package. + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Tue, 24 Feb 2004 23:56:26 +1100 + +freeradius (0.9.2-4) unstable; urgency=high + + * Patch from upstream head: + - Fix a remote DoS and possible exploit due to mis-handling + of tagged attributes, and Tunnel-Password attribute. + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Fri, 21 Nov 2003 09:52:51 +1100 + +freeradius (0.9.2-3) unstable; urgency=low + + * Removed redundant code to delete contents of a directory + on purge which ends up being removed anyway. + * Provide a default pam.d configuration. + * Fix the usage of dh_installinit to not make the package uninstallable. + * Change package removal to not abort if we cannot stop the server. + * Debian-archive-fit version of freeradius. + Closes: #208620 + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Tue, 11 Nov 2003 02:12:55 +1100 + +freeradius (0.9.2-2) unstable; urgency=low + + * Use dh_installinit rather than doing it by hand + This involves renaming the initfile in the source tarball + * Only add user freerad to the group shadow on first installation + * Only chmod /etc/freeradius to group-readable, not group-read/write + * Removed the freerad user when the freerad group is removed + * Removed spurious build-dependancy on autoconf2.13 and libtool(1.4) + * Build-conflict against libssl-dev + * Restore Kerberos and LDAP as they will build without OpenSSL + * Make myself the maintainer + * Update to Policy 3.6.1.0 + - No changes needed + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Sun, 9 Nov 2003 00:07:52 +1100 + +freeradius (0.9.2-1) unstable; urgency=low + + * Deleted RFCs: 2243 2289 2433 2548 2618 2616 2620 2621 + 2719 2759 2809 2865 2866 2867 2868 2869 2882 2924 3162 + from source tarball due to non-DFSG-free copyright. + * Disabled PostgreSQL, x.99 token, EAP/TLS, Kerberos, LDAP + and SNMP agent support due to OpenSSL/GPL conflict. + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Thu, 6 Nov 2003 22:40:32 +1100 + +freeradius (0.9.2-0) unstable; urgency=low + + * New upstream release + * Added logrotate script for /var/log/freeradius/radius.log + * Don't leave symlinks to config.{guess,sub} lying around to + confuse dpkg-source. + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Wed, 15 Oct 2003 05:02:17 +1000 + +freeradius (0.9.1-0) unstable; urgency=low + + * New upstream release. + * Renamed radiusd(8) to freeradius(8) to match binary + * Build-Depend on libtool1.4 | libtool (< 1.5) due to + new libtool 1.5 package. + * Merged multiple sed calls into a single sed call in debian/rules + * Installed SQL database examples into /usr/share/doc/freeradius/examples + * Modify initscript to only -HUP the parent process + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Fri, 5 Sep 2003 00:54:41 +1000 + +freeradius (0.9.0-1) unstable; urgency=low + + * New Upstream release. + - Upstream dictionary files are in /usr/share/freeradius. + - Modified to 'configure{,.in}' to work with openssl 0.9.7 and 0.9.6 + * Renamed pacakges to 'freeradius*' from 'radiusd-freeradius*'. + * Moved file hierarchy around to be neater: + - /etc/raddb -> /etc/freeradius + - /usr/share/doc/radiusd-freeradius -> /usr/share/doc/freeradius + - /var/log/radiusd-freeradius -> /var/log/freeradius + - /var/run/radiusd/radiusd.pid -> /var/run/freeradius/freeradius.pid + * Included RFCs in documentation. + * Enabled the daemon to run under user 'freerad:freerad' by default. + * Added support for DEB_BUILD_OPTIONS for policy 3.5.9 compliance. + * Installed SNMP mibs for Radius + + -- Paul Hampson <Paul.Hampson@anu.edu.au> Sun, 20 Jul 2003 06:56:28 +1000 + +radiusd-freeradius (0.7+cvs20021113-1) unstable; urgency=low + + * Explicitly excluding modules not in the "stable" list. + * Updated policy version number. + * Moved from non-US/main to main. + * Put pidfile in package's own directory. + * Package not as buggy and unstable modules are easily identifiable. + (closes: Bug#142217) + * Init script handles failure better. (closes: Bug#151264) + * New upstream release. (closes: Bug#140536) + * Uses available version of postgresql. (closes: Bug#139290) + * Removed "conflicts" with other radiusds. + * Added new build-dep on libtool. + * Changed section to "net" from "admin". + * New config.guess. (closes: Bug#168647) + * Run with freerad user and group. (closes: Bug#168272) + * Added libssl-dev as build-dep. (closes: #131832) + + -- Chad Miller <cmiller@debian.org> Wed, 13 Nov 2002 17:01:19 -0500 + +radiusd-freeradius (0.5+cvs20020408-1) unstable; urgency=high + + * New build-dep on libssl-dev, which is implied by another dep, but making + explicit for builders on Potato. (closes: Bug#131832) + * Built against new postgresql libraries, so automatic dep tracking has + the correct version, now. (closes: Bug#139290) + * Removed python example module. + * Explicitly disabled beta ippool module. + + -- Chad Miller <cmiller@debian.org> Mon, 8 Apr 2002 11:48:30 -0400 + +radiusd-freeradius (0.4-1) unstable; urgency=high + + * New release. + * upstream: New EAP support. + * upstream: Fixed security bug in string translation. + + -- Chad Miller <cmiller@debian.org> Thu, 13 Dec 2001 09:26:45 -0500 + +radiusd-freeradius (0.3-2) unstable; urgency=low + + * Moved to using logrotate instead of cron for files. + * Fixed permissions of log files. (closes: Bug#116242,#116243) + * Close file descriptors of stdin, stdout, stderr, if not debugging. + (closes: Bug#116768) + * Made package "non-native". (An upload issue, not code.) + (closes: Bug#119161) + + -- Chad Miller <cmiller@debian.org> Tue, 20 Nov 2001 10:50:20 -0500 + +radiusd-freeradius (0.3-1) unstable; urgency=low + + * New release. + + -- Chad Miller <cmiller@debian.org> Tue, 9 Oct 2001 18:16:23 -0400 + +radiusd-freeradius (0.2+20010917-1) unstable; urgency=low + + * Removed old mysql build-dep. (closes: Bug#112541) + + -- Chad Miller <cmiller@debian.org> Mon, 17 Sep 2001 11:38:24 -0400 + +radiusd-freeradius (0.2+20010912-1) unstable; urgency=low + + * Build-dep mysql changed package names. + * Added build-dep for libmysqlclient10-dev. (closes: Bug#111880) + * In acct_users, keep reply pairs. + * Integer values are printed as unsigned numbers, to comply with RFC2866. + * Fixed broken/reversed auth comparisons in SQL module. + * Sucked out CPPness from inside a printf, as printf is a macro in newer + compilers (gcc3.0, e.g.). (closes: Bug#100889) + * Sundry LDAP configuration, unresponsive thread, and proxying fixes. + * Added user 'freerad' into the 'shadow' group. + * Fixed UUCP-style of restricting time of log-in. + * Changed debugging messages to give more info about execution flow. + * Better counter module. + * Inserted CHAP support for SQL modules. + * Removed possible infinite loop. + + -- Chad Miller <cmiller@debian.org> Wed, 12 Sep 2001 21:21:47 -0400 + +radiusd-freeradius (0.1+20010527-1) unstable; urgency=low + + * Updated config.{guess,sub} to recent versions. (closes: Bug#98183) + * Updated build-dep to reflect supercession of libltdl0-dev by libltdl3-dev + (closes: Bug#98914) + + -- Chad Miller <cmiller@debian.org> Sun, 27 May 2001 11:44:40 -0400 + +radiusd-freeradius (0.1+20010517-1) unstable; urgency=low + + * Moved package to non-US to allow in Kerberos and PostgreSQL. + * Set Suggests of modules to main package. + * Better compile-time support of *BSD. + + -- Chad Miller <cmiller@debian.org> Thu, 17 May 2001 14:46:51 -0400 + +radiusd-freeradius (0.1-1) unstable; urgency=low + + * First beta release! + * Added generalized SQL support for ODBC, Oracle, MySQL, and Postgres. + * Added shasta, microsoft, and redback dictionaries. + * Fixed rc.d restart rule. + * Added a user to own the daemon and logfiles. + * SQL DB handles more forgiving of unreachable servers at startup. + * SQL Crypt-Password attribute support. + * Fixed cron log rotation. + * Put module libraries in own directory. + * Removed bogus build-dep. (closes: Bug#87277) + * Better permissions on /etc/raddb + * Use correct LDAP library. + * Fork ldap, postgresql, and mysql modules into different packages. + * Remove Kerberos, as it's restricted from export. + + -- Chad Miller <cmiller@debian.org> Mon, 7 May 2001 16:37:46 -0400 + +radiusd-freeradius (0.0.20010109-1) unstable; urgency=low + + * Changed priority, from standard to optional. + + -- Chad Miller <cmiller@debian.org> Tue, 9 Jan 2001 14:01:38 -0500 + +radiusd-freeradius (0.0.20001227-1) unstable; urgency=low + + * Initial revision. (closes: Bug#76476) + + -- Chad Miller <cmiller@debian.org> Wed, 27 Dec 2000 11:58:56 -0500 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..42a7900 --- /dev/null +++ b/debian/control @@ -0,0 +1,253 @@ +Source: freeradius +Build-Depends: debhelper-compat (= 13), + default-libmysqlclient-dev, + freetds-dev, + libcap-dev, +# Temporarily disable due to collectd RC bugs +# libcollectdclient-dev, + libcurl4-openssl-dev | libcurl4-gnutls-dev, + libgdbm-dev, + libhiredis-dev, + libiodbc2-dev, + libjson-c-dev, + libkrb5-dev | heimdal-dev, + libldap2-dev, + libmemcached-dev, + libpam0g-dev, + libpcap-dev, + libpcre3-dev, + libperl-dev, + libpq-dev, + libreadline-dev, + libsasl2-dev, + libsqlite3-dev, + libssl-dev, + libsystemd-dev, + libtalloc-dev, + libwbclient-dev, + libykclient-dev, + libyubikey-dev, + python3-dev, + samba-dev | samba4-dev, + snmp +Section: net +Priority: optional +Maintainer: Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org> +Uploaders: Mark Hymers <mhy@debian.org>, + Sam Hartman <hartmans@debian.org>, + Bernhard Schmidt <berni@debian.org> +Standards-Version: 4.4.1 +Homepage: http://www.freeradius.org/ +Vcs-Git: https://salsa.debian.org/debian/freeradius.git +Vcs-Browser: https://salsa.debian.org/debian/freeradius + +Package: freeradius +Architecture: any +Depends: freeradius-common, + freeradius-config, + libfreeradius3 (= ${binary:Version}), + lsb-base, + ${dist:Depends}, + ${misc:Depends}, + ${shlibs:Depends} +Provides: radius-server +Recommends: freeradius-utils +Suggests: freeradius-krb5, + freeradius-ldap, + freeradius-mysql, + freeradius-postgresql, + freeradius-python3, + snmp +Description: high-performance and highly configurable RADIUS server + FreeRADIUS is a high-performance RADIUS server with support for: + - Authentication by local files, SQL, Kerberos, LDAP, PAM, and more. + - Powerful policy configuration language. + - Proxying and replicating requests by any criteria. + - Support for many EAP types; TLS, PEAP, TTLS, etc. + - Many vendor-specific attributes. + - Regexp matching in string attributes. + and lots more. + +Package: freeradius-common +Depends: adduser, ${misc:Depends} +Architecture: all +Conflicts: radiusd-livingston, xtradius, yardradius +Description: FreeRADIUS common files + This package contains common files used by several of the other packages from + the FreeRADIUS project. + +Package: freeradius-config +Architecture: any +Depends: adduser, + ca-certificates, + freeradius-common, + make, + openssl, + ssl-cert, + ${misc:Depends} +Breaks: freeradius-config +Description: FreeRADIUS default config files + freeradius-config contains the default configuration for FreeRADIUS. + . + You can install a custom package which sets "Provides: freeradius-config" in + order to use the FreeRADIUS packages without any default configuration getting + into your way. + +Package: freeradius-utils +Architecture: any +Conflicts: radiusd-livingston, yardradius +Depends: freeradius-common, + freeradius-config, + libfreeradius3 (= ${binary:Version}), + ${dist:Depends}, + ${misc:Depends}, + ${shlibs:Depends} +Recommends: libdbi-perl +Description: FreeRADIUS client utilities + This package contains various client programs and utilities from + the FreeRADIUS Server project, including: + - radclient + - radeapclient + - radlast + - radsniff + - radsqlrelay + - radtest + - radwho + - radzap + - rlm_ippool_tool + - smbencrypt + +Package: libfreeradius3 +Architecture: any +Section: libs +Depends: ${dist:Depends}, ${misc:Depends}, ${shlibs:Depends} +Description: FreeRADIUS shared library + The FreeRADIUS projects' libfreeradius-radius and libfreeradius-eap, used by + the FreeRADIUS server and some of the utilities. + +Package: libfreeradius-dev +Architecture: any +Section: libdevel +Depends: freeradius-dhcp (= ${binary:Version}), + libfreeradius3 (= ${binary:Version}), + ${dist:Depends}, + ${misc:Depends}, + ${shlibs:Depends} +Description: FreeRADIUS shared library development files + The FreeRADIUS projects' libfreeradius-radius and libfreeradius-eap, used by + the FreeRADIUS server and some of the utilities. + . + This package contains the development headers and static library version. + +Package: freeradius-dhcp +Architecture: any +Depends: freeradius (= ${binary:Version}), + ${dist:Depends}, + ${misc:Depends}, + ${shlibs:Depends} +Description: DHCP module for FreeRADIUS server + The FreeRADIUS server can act as a DHCP server, and this module + is necessary for that. + +Package: freeradius-krb5 +Architecture: any +Depends: freeradius (= ${binary:Version}), + ${dist:Depends}, + ${misc:Depends}, + ${shlibs:Depends} +Description: kerberos module for FreeRADIUS server + The FreeRADIUS server can use Kerberos to authenticate users, and this module + is necessary for that. + +Package: freeradius-ldap +Architecture: any +Depends: freeradius (= ${binary:Version}), + ${dist:Depends}, + ${misc:Depends}, + ${shlibs:Depends} +Description: LDAP module for FreeRADIUS server + The FreeRADIUS server can use LDAP to authenticate users, and this module + is necessary for that. + +Package: freeradius-rest +Architecture: any +Depends: freeradius (= ${binary:Version}), + ${dist:Depends}, + ${misc:Depends}, + ${shlibs:Depends} +Description: REST module for FreeRADIUS server + The FreeRADIUS server can make calls to remote web APIs, and this module + is necessary for that. + +Package: freeradius-postgresql +Architecture: any +Depends: freeradius (= ${binary:Version}), + ${dist:Depends}, + ${misc:Depends}, + ${shlibs:Depends} +Description: PostgreSQL module for FreeRADIUS server + The FreeRADIUS server can use PostgreSQL to authenticate users and do + accounting, and this module is necessary for that. + +Package: freeradius-mysql +Architecture: any +Depends: freeradius (= ${binary:Version}), + ${dist:Depends}, + ${misc:Depends}, + ${shlibs:Depends} +Description: MySQL module for FreeRADIUS server + The FreeRADIUS server can use MySQL to authenticate users and do accounting, + and this module is necessary for that. + +Package: freeradius-iodbc +Architecture: any +Depends: freeradius (= ${binary:Version}), + ${dist:Depends}, + ${misc:Depends}, + ${shlibs:Depends} +Description: iODBC module for FreeRADIUS server + The FreeRADIUS server can use iODBC to access databases to authenticate users + and do accounting, and this module is necessary for that. + +Package: freeradius-redis +Architecture: any +Depends: freeradius (= ${binary:Version}), + ${dist:Depends}, + ${misc:Depends}, + ${shlibs:Depends} +Description: Redis module for FreeRADIUS server + This module is required to enable the FreeRADIUS server to access + Redis databases. + +Package: freeradius-memcached +Architecture: any +Depends: freeradius (= ${binary:Version}), + ${dist:Depends}, + ${misc:Depends}, + ${shlibs:Depends} +Description: Memcached module for FreeRADIUS server + The FreeRADIUS server can cache data in memcached and this package + contains the required module. + +Package: freeradius-yubikey +Architecture: any +Depends: freeradius (= ${binary:Version}), + ${dist:Depends}, + ${misc:Depends}, + ${shlibs:Depends} +Description: Yubikey module for FreeRADIUS server + This package is required to add Yubikey functionality to the + FreeRADIUS server. + +Package: freeradius-python3 +Architecture: any +Depends: freeradius (= ${binary:Version}), + ${dist:Depends}, + ${misc:Depends}, + ${shlibs:Depends} +Description: Python 3 module for FreeRADIUS server + This package is required to add Python 3 functionality to the + FreeRADIUS server. + . + It was introduced in FreeRADIUS 3.0.20 as EXPERIMENTAL module. Use at + your own risk. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..d2edd95 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,232 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: FreeRADIUS server +Source: https://github.com/FreeRADIUS/freeradius-server +Files-Excluded: + doc/rfc/* + debian/* + +Files: * +Copyright: 2000-2014, The FreeRADIUS Server Project + 1997-1999, Cistron Internet Services B.V. +License: GPL-2+ + +Files: debian/* +Copyright: 2000, Chad Miller <cmiller@debian.org> + 2003, Paul Hampson <Paul.Hampson@anu.edu.au> + 2008, Stephen Gran <sgran@debian.org> + 2016, Michael Stapelberg <stapelberg@debian.org> +License: GPL-2+ + +Files: scripts/boiler.mk + scripts/install.mk + scripts/libtool.mk +Copyright: 2008, 2009, 2010 Dan Moulding, Alan T. DeKok +License: GPL-3+ + +Files: scripts/jlibtool.c +Copyright: Justin Erenkrantz +License: Apache-2.0 + +Files: scripts/snmp-proxy/freeradius-snmp.pl +Copyright: 2008 Sky Network Services +License: GPL-1+ or Artistic +Comment: + This program is free software; you can redistribute it and/or modify it + under the same terms as Perl itself. + +Files: src/* +Copyright: 2000-2014, The FreeRADIUS Server Project + 1997-1999, Cistron Internet Services B.V. +License: GPL-2+ with OpenSSL exception + +Files: src/include/exfile.h + src/include/libradius.h + src/include/md4.h + src/include/md5.h + src/include/regex.h + src/include/threads.h + src/lib/dict.c + src/lib/event.c + src/lib/fifo.c + src/lib/filters.c + src/lib/hash.c + src/lib/hmacmd5.c + src/lib/log.c + src/lib/md4.c + src/lib/md5.c + src/lib/misc.c + src/lib/missing.c + src/lib/packet.c + src/lib/pair.c + src/lib/print.c + src/lib/radius.c + src/lib/snprintf.* + src/lib/token.c + src/lib/udpfromto.c + src/lib/value.c + src/modules/proto_dhcp/dhcp.c + src/modules/proto_vmps/vqp.c +Copyright: See individual files +License: LGPL-2.1+ + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later version. + . + On Debian systems, the complete text of the GNU Lesser General Public + License can be found in /usr/share/common-licenses/LGPL-2.1. + +Files: src/lib/strlcat.c + src/lib/strlcpy.c +Copyright: 1998 Todd C. Miller <Todd.Miller@courtesan.com> +License: MIT-Old-Style-with-legal-disclaimer-2 + +Files: src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c + src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.h + src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c + src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.h +Copyright: 2012, Dan Harkins +License: other + Copyright holder grants permission for redistribution and use in source + and binary forms, with or without modification, provided that the + following conditions are met: + 1. Redistribution of source code must retain the above copyright + notice, this list of conditions, and the following disclaimer + in all source files. + 2. Redistribution in binary form must retain the above copyright + notice, this list of conditions, and the following disclaimer + in the documentation and/or other materials provided with the + distribution. + . + "DISCLAIMER OF LIABILITY + . + THIS SOFTWARE IS PROVIDED BY DAN HARKINS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INDUSTRIAL LOUNGE BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE." + . + This license and distribution terms cannot be changed. In other words, + this code cannot simply be copied and put under a different distribution + license (including the GNU General Public License). + +License: MIT-Old-Style-with-legal-disclaimer-2 + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + . + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +License: Apache-2.0 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + http://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian systems, the complete text of the Apache 2.0 License + can be found in /usr/share/common-licenses/Apache-2.0 file. + +License: GPL-3+ + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. + . + On Debian systems, the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-3'. + +License: GPL-2+ + This program is free software; you can redistribute it + and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later + version. + . + This program is distributed in the hope that it will be + useful, but WITHOUT ANY WARRANTY; without even the implied + warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. See the GNU General Public License for more + details. + . + You should have received a copy of the GNU General Public + License along with this package; if not, write to the Free + Software Foundation, Inc., 51 Franklin St, Fifth Floor, + Boston, MA 02110-1301 USA + . + On Debian systems, the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-2'. + +License: GPL-2+ with OpenSSL exception + This program is free software; you can redistribute it + and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later + version. + . + In addition, as a special exception, the author of this + program gives permission to link the code of its + release with the OpenSSL project's "OpenSSL" library (or + with modified versions of it that use the same license as + the "OpenSSL" library), and distribute the linked + executables. You must obey the GNU General Public + License in all respects for all of the code used other + than "OpenSSL". If you modify this file, you may extend + this exception to your version of the file, but you are + not obligated to do so. If you do not wish to do so, + delete this exception statement from your version. + . + This program is distributed in the hope that it will be + useful, but WITHOUT ANY WARRANTY; without even the implied + warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. See the GNU General Public License for more + details. + . + You should have received a copy of the GNU General Public + License along with this package; if not, write to the Free + Software Foundation, Inc., 51 Franklin St, Fifth Floor, + Boston, MA 02110-1301 USA + . + On Debian systems, the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-2'. + +License: Artistic + Comment: + . + On Debian systems the 'Artistic License' is located in + '/usr/share/common-licenses/Artistic'. + +License: GPL-1+ + Comment: + . + On Debian systems the 'GNU General Public License' version 1 is located + in '/usr/share/common-licenses/GPL-1'. diff --git a/debian/freeradius-common.dirs b/debian/freeradius-common.dirs new file mode 100644 index 0000000..4f26927 --- /dev/null +++ b/debian/freeradius-common.dirs @@ -0,0 +1 @@ +usr/share/freeradius diff --git a/debian/freeradius-common.install b/debian/freeradius-common.install new file mode 100644 index 0000000..de3b1fe --- /dev/null +++ b/debian/freeradius-common.install @@ -0,0 +1 @@ +usr/share/freeradius/* diff --git a/debian/freeradius-common.manpages b/debian/freeradius-common.manpages new file mode 100644 index 0000000..22a9fc9 --- /dev/null +++ b/debian/freeradius-common.manpages @@ -0,0 +1,3 @@ +debian/tmp/usr/share/man/man1/* +debian/tmp/usr/share/man/man5/* +debian/tmp/usr/share/man/man8/* diff --git a/debian/freeradius-common.postinst b/debian/freeradius-common.postinst new file mode 100644 index 0000000..df3e9db --- /dev/null +++ b/debian/freeradius-common.postinst @@ -0,0 +1,22 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + configure) + if [ -z "$2" ]; then + # On a fresh install, add the necessary user and group + adduser --quiet --system --no-create-home --home /etc/freeradius --group --disabled-password freerad || true + + # Put user freerad in group shadow, so the daemon can auth locally + # Only do this on fresh install as the admin may not want freerad in shadow + # group if authenticating by another mechanism + adduser --quiet freerad shadow + fi + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius-common.postrm b/debian/freeradius-common.postrm new file mode 100644 index 0000000..e0d1191 --- /dev/null +++ b/debian/freeradius-common.postrm @@ -0,0 +1,26 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + purge) + # If we haven't managed to remove /etc/freeradius, make + # sure that freerad:freerad doesn't own anything before + # we remove the user and group + test ! -d /etc/freeradius || find /etc/freeradius -user freerad -exec chown --no-dereference root "{}" \; || true + test ! -d /etc/freeradius || find /etc/freeradius -group freerad -exec chgrp --no-dereference root "{}" \; || true + + if [ -x `which deluser` ]; then + deluser --quiet freerad shadow || true + deluser --quiet freerad || true + fi + if [ -x `which delgroup` ]; then + delgroup --quiet freerad || true + fi + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius-config.install b/debian/freeradius-config.install new file mode 100644 index 0000000..b232670 --- /dev/null +++ b/debian/freeradius-config.install @@ -0,0 +1 @@ +etc/freeradius/* diff --git a/debian/freeradius-config.lintian-overrides b/debian/freeradius-config.lintian-overrides new file mode 100644 index 0000000..74dc716 --- /dev/null +++ b/debian/freeradius-config.lintian-overrides @@ -0,0 +1,6 @@ +freeradius-config: breaks-without-version +freeradius-config: package-relation-with-self + +# There are example python scripts in the config, but it's the freeradius +# package that includes dependencies on the python libraries. +freeradius-config: python3-script-but-no-python3-dep diff --git a/debian/freeradius-config.postinst b/debian/freeradius-config.postinst new file mode 100644 index 0000000..b230778 --- /dev/null +++ b/debian/freeradius-config.postinst @@ -0,0 +1,52 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + configure) + if [ -z "$2" ]; then + # Create snakeoil certificates on initial install + if grep -q -r 'etc/ssl/\(certs\|private\)/ssl-cert-snakeoil' /etc/freeradius; then + if test ! -e /etc/ssl/certs/ssl-cert-snakeoil.pem || \ + test ! -e /etc/ssl/private/ssl-cert-snakeoil.key; then + make-ssl-cert generate-default-snakeoil + fi + if getent group ssl-cert >/dev/null; then + # freeradius-common dependency also provides us with adduser + adduser --quiet freerad ssl-cert + fi + fi + + if grep -q -r 'dh_file = \${certdir}/dh' /etc/freeradius && \ + test ! -f /etc/freeradius/3.0/certs/dh; then + RANDFILE=/dev/urandom openssl dhparam -out /etc/freeradius/3.0/certs/dh 1024 + fi + fi + + # Create links for default sites, but only if this is an initial + # install or an upgrade from before there were links; users may + # want to remove them... + if [ -z "$2" ]; then + for site in default inner-tunnel; do + if test ! -h /etc/freeradius/3.0/sites-enabled/$site && \ + test ! -e /etc/freeradius/3.0/sites-enabled/$site; then + ln -s ../sites-available/$site /etc/freeradius/3.0/sites-enabled/$site + fi + done + for module in always attr_filter chap detail detail.log \ + digest dynamic_clients eap echo exec expiration expr files \ + linelog logintime mschap ntlm_auth pap passwd preprocess \ + radutmp realm replicate soh sradutmp unix unpack utf8; do + if test ! -h /etc/freeradius/3.0/mods-enabled/$module && \ + test ! -e /etc/freeradius/3.0/mods-enabled/$module; then + ln -s ../mods-available/$module /etc/freeradius/3.0/mods-enabled/$module + fi + done + fi + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius-config.postrm b/debian/freeradius-config.postrm new file mode 100644 index 0000000..963579d --- /dev/null +++ b/debian/freeradius-config.postrm @@ -0,0 +1,46 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + purge) + # Remove dangling links from sites-enabled. + for link in /etc/freeradius/sites-enabled/* \ + /etc/freeradius/3.0/sites-enabled/*; do + if [ -L "$link" ] && [ ! -e "$link" ]; then + rm -f "$link" + fi + done + + # Remove dangling links from mods-enabled. + for link in /etc/freeradius/mods-enabled/* \ + /etc/freeradius/3.0/mods-enabled/*; do + if [ -L "$link" ] && [ ! -e "$link" ]; then + rm -f "$link" + fi + done + + for file in /etc/freeradius/3.0/certs/server.pem \ + /etc/freeradius/3.0/certs/server.key \ + /etc/freeradius/3.0/certs/ca.pem \ + /etc/freeradius/3.0/certs/random \ + /etc/freeradius/3.0/certs/dh \ + /etc/freeradius/certs/server.pem \ + /etc/freeradius/certs/server.key \ + /etc/freeradius/certs/ca.pem \ + /etc/freeradius/certs/random \ + /etc/freeradius/certs/dh; do + rm -f "$file" + done + + # rmdir fails when called on a directory which does not exist + if [ -d /etc/freeradius ]; then + rmdir --ignore-fail-on-non-empty /etc/freeradius + fi + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius-config.preinst b/debian/freeradius-config.preinst new file mode 100644 index 0000000..0c5e8b7 --- /dev/null +++ b/debian/freeradius-config.preinst @@ -0,0 +1,27 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + upgrade) + # Delete any symlinks/files which were created in postinst previously. + # These are not covered by conffile handling, so they would otherwise not + # be cleaned up. + for file in /etc/freeradius/certs/ca.pem \ + /etc/freeradius/certs/server.key \ + /etc/freeradius/certs/server.pem \ + /etc/freeradius/sites-enabled/default \ + /etc/freeradius/sites-enabled/inner-tunnel + do + if [ -h "$file" ] + then + rm -f "$file" + fi + done + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius-dhcp.install b/debian/freeradius-dhcp.install new file mode 100644 index 0000000..aefb0a0 --- /dev/null +++ b/debian/freeradius-dhcp.install @@ -0,0 +1,3 @@ +usr/lib/freeradius/rlm_dhcp*.so +usr/lib/freeradius/proto_dhcp*.so +usr/lib/freeradius/libfreeradius-dhcp.so diff --git a/debian/freeradius-dhcp.postinst b/debian/freeradius-dhcp.postinst new file mode 100644 index 0000000..b8f2c7c --- /dev/null +++ b/debian/freeradius-dhcp.postinst @@ -0,0 +1,23 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + configure) + invoke-rc.d freeradius force-reload || true + + if [ -z "$2" ]; then + for module in dhcp; do + if test ! -h /etc/freeradius/3.0/mods-enabled/$module && \ + test ! -e /etc/freeradius/3.0/mods-enabled/$module; then + ln -s ../mods-available/$module /etc/freeradius/3.0/mods-enabled/$module + fi + done + fi + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius-dhcp.postrm b/debian/freeradius-dhcp.postrm new file mode 100644 index 0000000..d7c484c --- /dev/null +++ b/debian/freeradius-dhcp.postrm @@ -0,0 +1,24 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + purge) + # Remove dangling links from mods-enabled. + for link in /etc/freeradius/3.0/mods-enabled/dhcp; do + if [ -L "$link" ] && [ ! -e "$link" ]; then + rm -f "$link" + fi + done + + # rmdir fails when called on a directory which does not exist + if [ -d /etc/freeradius ]; then + rmdir --ignore-fail-on-non-empty /etc/freeradius + fi + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius-iodbc.install b/debian/freeradius-iodbc.install new file mode 100644 index 0000000..c4535d1 --- /dev/null +++ b/debian/freeradius-iodbc.install @@ -0,0 +1 @@ +usr/lib/freeradius/rlm_sql_iodbc*.so diff --git a/debian/freeradius-iodbc.lintian-overrides b/debian/freeradius-iodbc.lintian-overrides new file mode 100644 index 0000000..7788dd1 --- /dev/null +++ b/debian/freeradius-iodbc.lintian-overrides @@ -0,0 +1,2 @@ +# Plugin +custom-library-search-path diff --git a/debian/freeradius-iodbc.postinst b/debian/freeradius-iodbc.postinst new file mode 100644 index 0000000..6a7608d --- /dev/null +++ b/debian/freeradius-iodbc.postinst @@ -0,0 +1,14 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + configure) + invoke-rc.d freeradius force-reload || true + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius-krb5.install b/debian/freeradius-krb5.install new file mode 100644 index 0000000..5ec0bc1 --- /dev/null +++ b/debian/freeradius-krb5.install @@ -0,0 +1 @@ +usr/lib/freeradius/rlm_krb5*.so diff --git a/debian/freeradius-krb5.postinst b/debian/freeradius-krb5.postinst new file mode 100644 index 0000000..6a7608d --- /dev/null +++ b/debian/freeradius-krb5.postinst @@ -0,0 +1,14 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + configure) + invoke-rc.d freeradius force-reload || true + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius-ldap.install b/debian/freeradius-ldap.install new file mode 100644 index 0000000..c5d9004 --- /dev/null +++ b/debian/freeradius-ldap.install @@ -0,0 +1 @@ +usr/lib/freeradius/rlm_ldap*.so diff --git a/debian/freeradius-ldap.postinst b/debian/freeradius-ldap.postinst new file mode 100644 index 0000000..6a7608d --- /dev/null +++ b/debian/freeradius-ldap.postinst @@ -0,0 +1,14 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + configure) + invoke-rc.d freeradius force-reload || true + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius-memcached.install b/debian/freeradius-memcached.install new file mode 100644 index 0000000..738a641 --- /dev/null +++ b/debian/freeradius-memcached.install @@ -0,0 +1 @@ +usr/lib/freeradius/rlm_cache_memcached.so diff --git a/debian/freeradius-memcached.postinst b/debian/freeradius-memcached.postinst new file mode 100644 index 0000000..6a7608d --- /dev/null +++ b/debian/freeradius-memcached.postinst @@ -0,0 +1,14 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + configure) + invoke-rc.d freeradius force-reload || true + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius-mysql.install b/debian/freeradius-mysql.install new file mode 100644 index 0000000..bf36d4b --- /dev/null +++ b/debian/freeradius-mysql.install @@ -0,0 +1 @@ +usr/lib/freeradius/rlm_sql_mysql*.so diff --git a/debian/freeradius-mysql.postinst b/debian/freeradius-mysql.postinst new file mode 100644 index 0000000..6a7608d --- /dev/null +++ b/debian/freeradius-mysql.postinst @@ -0,0 +1,14 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + configure) + invoke-rc.d freeradius force-reload || true + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius-postgresql.install b/debian/freeradius-postgresql.install new file mode 100644 index 0000000..0c1e55d --- /dev/null +++ b/debian/freeradius-postgresql.install @@ -0,0 +1 @@ +usr/lib/freeradius/rlm_sql_postgresql*.so diff --git a/debian/freeradius-postgresql.lintian-overrides b/debian/freeradius-postgresql.lintian-overrides new file mode 100644 index 0000000..7788dd1 --- /dev/null +++ b/debian/freeradius-postgresql.lintian-overrides @@ -0,0 +1,2 @@ +# Plugin +custom-library-search-path diff --git a/debian/freeradius-postgresql.postinst b/debian/freeradius-postgresql.postinst new file mode 100644 index 0000000..6a7608d --- /dev/null +++ b/debian/freeradius-postgresql.postinst @@ -0,0 +1,14 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + configure) + invoke-rc.d freeradius force-reload || true + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius-python3.install b/debian/freeradius-python3.install new file mode 100644 index 0000000..a00c0f7 --- /dev/null +++ b/debian/freeradius-python3.install @@ -0,0 +1 @@ +usr/lib/freeradius/rlm_python3.so diff --git a/debian/freeradius-python3.postinst b/debian/freeradius-python3.postinst new file mode 100644 index 0000000..6a7608d --- /dev/null +++ b/debian/freeradius-python3.postinst @@ -0,0 +1,14 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + configure) + invoke-rc.d freeradius force-reload || true + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius-redis.install b/debian/freeradius-redis.install new file mode 100644 index 0000000..87c4ac5 --- /dev/null +++ b/debian/freeradius-redis.install @@ -0,0 +1 @@ +usr/lib/freeradius/rlm_redis*.so diff --git a/debian/freeradius-redis.postinst b/debian/freeradius-redis.postinst new file mode 100644 index 0000000..6a7608d --- /dev/null +++ b/debian/freeradius-redis.postinst @@ -0,0 +1,14 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + configure) + invoke-rc.d freeradius force-reload || true + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius-rest.install b/debian/freeradius-rest.install new file mode 100644 index 0000000..a8582fd --- /dev/null +++ b/debian/freeradius-rest.install @@ -0,0 +1 @@ +usr/lib/freeradius/rlm_rest*.so diff --git a/debian/freeradius-rest.postinst b/debian/freeradius-rest.postinst new file mode 100644 index 0000000..6a7608d --- /dev/null +++ b/debian/freeradius-rest.postinst @@ -0,0 +1,14 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + configure) + invoke-rc.d freeradius force-reload || true + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius-utils.install b/debian/freeradius-utils.install new file mode 100644 index 0000000..f1a4d58 --- /dev/null +++ b/debian/freeradius-utils.install @@ -0,0 +1,11 @@ +usr/bin/rlm_ippool_tool +usr/bin/smbencrypt +usr/bin/radclient +usr/bin/radeapclient +usr/bin/radwho +usr/bin/radsniff +usr/bin/radlast +usr/bin/radtest +usr/bin/radzap +usr/bin/radsqlrelay +usr/bin/radcrypt diff --git a/debian/freeradius-yubikey.install b/debian/freeradius-yubikey.install new file mode 100644 index 0000000..3119a4c --- /dev/null +++ b/debian/freeradius-yubikey.install @@ -0,0 +1 @@ +usr/lib/freeradius/rlm_yubikey.so diff --git a/debian/freeradius-yubikey.postinst b/debian/freeradius-yubikey.postinst new file mode 100644 index 0000000..6a7608d --- /dev/null +++ b/debian/freeradius-yubikey.postinst @@ -0,0 +1,14 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + configure) + invoke-rc.d freeradius force-reload || true + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius.NEWS b/debian/freeradius.NEWS new file mode 100644 index 0000000..b0d257b --- /dev/null +++ b/debian/freeradius.NEWS @@ -0,0 +1,7 @@ +freeradius (3.0.11+dfsg-1) experimental; urgency=medium + + Please see upstream’s “Upgrading to Version 3.0” guide which is available + locally in /etc/freeradius/3.0/README.rst or online at + https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/README.rst + + -- Michael Stapelberg <stapelberg@debian.org> Thu, 15 Sep 2016 20:21:09 +0200 diff --git a/debian/freeradius.default b/debian/freeradius.default new file mode 100644 index 0000000..01c3285 --- /dev/null +++ b/debian/freeradius.default @@ -0,0 +1,2 @@ +# Options for the FreeRADIUS daemon. +FREERADIUS_OPTIONS="" diff --git a/debian/freeradius.dirs b/debian/freeradius.dirs new file mode 100644 index 0000000..d5c5788 --- /dev/null +++ b/debian/freeradius.dirs @@ -0,0 +1,2 @@ +usr/lib/freeradius +var/log/freeradius diff --git a/debian/freeradius.docs b/debian/freeradius.docs new file mode 100644 index 0000000..ba1e8eb --- /dev/null +++ b/debian/freeradius.docs @@ -0,0 +1,3 @@ +debian/README.rfc +CREDITS +debian/tmp/usr/share/doc/freeradius/* diff --git a/debian/freeradius.examples b/debian/freeradius.examples new file mode 100644 index 0000000..3aa548b --- /dev/null +++ b/debian/freeradius.examples @@ -0,0 +1,14 @@ +scripts/clients.pl +scripts/create-users.pl +scripts/cryptpasswd +scripts/cryptpasswd.in +scripts/exec-program-wait +scripts/ldap/radiusd2ldif.pl +scripts/cron/radiusd.cron.daily +scripts/cron/radiusd.cron.monthly +scripts/radiusd.sh +scripts/sql/radsqlrelay +scripts/rc.radiusd +scripts/rc.radiusd.in +scripts/sql/users2mysql.pl +debian/tmp/etc/freeradius/3.0/certs diff --git a/debian/freeradius.init b/debian/freeradius.init new file mode 100644 index 0000000..5cc4b27 --- /dev/null +++ b/debian/freeradius.init @@ -0,0 +1,119 @@ +#!/bin/sh +# Start/stop the FreeRADIUS daemon. + +### BEGIN INIT INFO +# Provides: freeradius +# Required-Start: $remote_fs $network $syslog +# Should-Start: $time mysql slapd postgresql samba krb5-kdc +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Radius Daemon +# Description: Extensible, configurable radius daemon +### END INIT INFO + +PROG="freeradius" +PROGRAM="/usr/sbin/freeradius" +PIDFILE="/var/run/freeradius/freeradius.pid" +DESCR="FreeRADIUS daemon" + +set -e + +. /lib/lsb/init-functions + +configtest() { + log_action_begin_msg "Checking $DESCR configuration" + + out=`$PROGRAM -Cxl stdout $FREERADIUS_OPTIONS`; ret=$? + out=`echo "${out}" | tail -n 1 | sed 's/^\s*ERROR:\s*\(.*\)\s*$/\1/'` + log_action_end_msg $ret "$out" + return $ret +} + +if [ -r /etc/default/$PROG ]; then + . /etc/default/$PROG +fi + +test -f $PROGRAM || exit 0 + +# /var/run may be a tmpfs +if [ ! -d /var/run/freeradius ]; then + mkdir -p /var/run/freeradius + chown freerad:freerad /var/run/freeradius +fi + +if [ -d "$FREERADIUS_CONF_LOCAL" -a -z "$FREERADIUS_OPTIONS" ]; then + FREERADIUS_OPTIONS="-d $FREERADIUS_CONF_LOCAL" +fi + +export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" + +ret=0 + +case "$1" in + start) + log_daemon_msg "Starting $DESCR" "$PROG" + + # eval allows quoted arguments (config directories for example) to be passed in $FREERADIUS_OPTIONS + eval "start_daemon -p '$PIDFILE' '$PROGRAM' $FREERADIUS_OPTIONS" || ret=$? + log_end_msg $ret + ;; + + stop) + log_daemon_msg "Stopping $DESCR" "$PROG" + + killproc -p "$PIDFILE" "$PROGRAM" || ret=$? + log_end_msg $ret + ;; + + restart|force-reload) + configtest || exit 150 + + $0 stop + $0 start + ;; + + reload) + configtest || exit 150 + + if status_of_proc -p "$PIDFILE" "$PROG" "$DESCR"; then + log_daemon_msg "Reloading $DESCR" "$PROG" + + start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE --exec $PROGRAM || ret=$? + log_end_msg $ret + fi + ;; + + configtest|testconfig) + configtest || exit 150 + ;; + + debug) + $0 status + if [ $? -eq 0 ]; then + echo "$PROGRAM already running; for live debugging see raddebug(8)" + exit 151 + fi + $PROGRAM -X $FREERADIUS_OPTIONS || exit $? + ;; + + debug-threaded) + $0 status + if [ $? -eq 0 ]; then + echo "$PROGRAM already running; for live debugging see raddebug(8)" + exit 151 + fi + $PROGRAM -f -xx -l stdout $FREERADIUS_OPTIONS || exit $? + ;; + + status) + status_of_proc -p "$PIDFILE" "$PROGRAM" "$PROG" && exit 0 || exit $? + ;; + + *) + echo "Usage: $0 start|stop|restart|force-reload|reload|configtest|debug|debug-threaded|status" + exit 1 + ;; +esac + +exit $ret diff --git a/debian/freeradius.install b/debian/freeradius.install new file mode 100644 index 0000000..db230eb --- /dev/null +++ b/debian/freeradius.install @@ -0,0 +1,59 @@ +usr/lib/freeradius/rlm_always.so +usr/lib/freeradius/rlm_attr_filter.so +usr/lib/freeradius/rlm_cache.so +usr/lib/freeradius/rlm_cache_rbtree.so +usr/lib/freeradius/rlm_chap.so +usr/lib/freeradius/rlm_counter.so +usr/lib/freeradius/rlm_date.so +usr/lib/freeradius/rlm_detail.so +usr/lib/freeradius/rlm_digest.so +usr/lib/freeradius/rlm_dynamic_clients.so +usr/lib/freeradius/rlm_eap.so +usr/lib/freeradius/rlm_eap_fast.so +usr/lib/freeradius/rlm_eap_gtc.so +usr/lib/freeradius/rlm_eap_md5.so +usr/lib/freeradius/rlm_eap_mschapv2.so +usr/lib/freeradius/rlm_eap_peap.so +usr/lib/freeradius/rlm_eap_pwd.so +usr/lib/freeradius/rlm_eap_sim.so +usr/lib/freeradius/rlm_eap_tls.so +usr/lib/freeradius/rlm_eap_ttls.so +usr/lib/freeradius/rlm_exec.so +usr/lib/freeradius/rlm_expiration.so +usr/lib/freeradius/rlm_expr.so +usr/lib/freeradius/rlm_files.so +usr/lib/freeradius/rlm_ippool.so +usr/lib/freeradius/rlm_json.so +usr/lib/freeradius/rlm_linelog.so +usr/lib/freeradius/rlm_logintime.so +usr/lib/freeradius/rlm_mschap.so +usr/lib/freeradius/rlm_pam.so +usr/lib/freeradius/rlm_pap.so +usr/lib/freeradius/rlm_passwd.so +usr/lib/freeradius/rlm_perl.so +usr/lib/freeradius/rlm_preprocess.so +usr/lib/freeradius/rlm_radutmp.so +usr/lib/freeradius/rlm_realm.so +usr/lib/freeradius/rlm_replicate.so +usr/lib/freeradius/rlm_soh.so +usr/lib/freeradius/rlm_sometimes.so +usr/lib/freeradius/rlm_sql.so +usr/lib/freeradius/rlm_sql_freetds.so +usr/lib/freeradius/rlm_sql_null.so +usr/lib/freeradius/rlm_sql_map.so +usr/lib/freeradius/rlm_sql_sqlite.so +usr/lib/freeradius/rlm_sqlcounter.so +usr/lib/freeradius/rlm_sqlippool.so +usr/lib/freeradius/rlm_test.so +usr/lib/freeradius/rlm_totp.so +usr/lib/freeradius/rlm_unix.so +usr/lib/freeradius/rlm_unpack.so +usr/lib/freeradius/rlm_utf8.so +usr/lib/freeradius/rlm_wimax.so +usr/lib/freeradius/proto_vmps.so +usr/sbin/checkrad +usr/sbin/freeradius +usr/sbin/raddebug +usr/sbin/radmin +usr/bin/rad_counter +usr/bin/rlm_sqlippool_tool diff --git a/debian/freeradius.lintian-overrides b/debian/freeradius.lintian-overrides new file mode 100644 index 0000000..6d61bbf --- /dev/null +++ b/debian/freeradius.lintian-overrides @@ -0,0 +1,3 @@ +# Plugins +library-not-linked-against-libc [usr/lib/freeradius/rlm_eap_tls.so] +shared-library-lacks-prerequisites [usr/lib/freeradius/*.so] diff --git a/debian/freeradius.logrotate b/debian/freeradius.logrotate new file mode 100644 index 0000000..921a709 --- /dev/null +++ b/debian/freeradius.logrotate @@ -0,0 +1,50 @@ +# The main server log +/var/log/freeradius/radius.log { + # common options + daily + rotate 52 + missingok + compress + delaycompress + notifempty + + copytruncate +} + +# (in order) +# Session monitoring utilities +# Session database modules +# SQL log files +/var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log +/var/log/freeradius/radutmp /var/log/freeradius/radwtmp +/var/log/freeradius/sqllog.sql +{ + # common options + daily + rotate 52 + missingok + compress + delaycompress + notifempty + + nocreate +} + +# There are different detail-rotating strategies you can use. One is +# to write to a single detail file per IP and use the rotate config +# below. Another is to write to a daily detail file per IP with: +# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail +# (or similar) in radiusd.conf, without rotation. If you go with the +# second technique, you will need another cron job that removes old +# detail files. You do not need to comment out the below for method #2. +/var/log/freeradius/radacct/*/detail { + # common options + daily + rotate 52 + missingok + compress + delaycompress + notifempty + + nocreate +} diff --git a/debian/freeradius.postinst b/debian/freeradius.postinst new file mode 100644 index 0000000..b1f853f --- /dev/null +++ b/debian/freeradius.postinst @@ -0,0 +1,69 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + configure) + if [ -z "$2" ]; then + # Changed in 1.1.5-1 for new installs (we used to start at S50 + # and stop at K50) We now start at S50 and stop at K19 so we + # start after services which may be used and stop before them. + update-rc.d freeradius start 50 2 3 4 5 . stop 19 0 1 6 . >/dev/null + + for file in radius.log radwtmp; do + [ ! -f "/var/log/freeradius/${file}" ] && install -o freerad -g freerad -m 644 /dev/null /var/log/freeradius/${file} + done + + action="start" + else + action="restart" + fi + + if [ -z "$2" ]; then + # Set up initial permissions on all the freeradius directories + chown -R freerad:adm /var/log/freeradius + chown -R freerad:freerad /etc/freeradius + chmod 2750 /etc/freeradius + find /etc/freeradius -type f -exec chmod 640 '{}' \; + fi + + if dpkg --compare-versions "$2" lt 3.0.16+dfsg-3; then + chmod 2750 /etc/freeradius + fi + + # Create links for default sites, but only if this is an initial + # install or an upgrade from before there were links; users may + # want to remove them... + if [ -z "$2" ]; then + for site in default inner-tunnel; do + if test ! -h /etc/freeradius/3.0/sites-enabled/$site && \ + test ! -e /etc/freeradius/3.0/sites-enabled/$site; then + ln -s ../sites-available/$site /etc/freeradius/3.0/sites-enabled/$site + fi + done + fi + + invoke-rc.d freeradius $action || true + ;; + + abort-upgrade) + invoke-rc.d freeradius restart || true + ;; + + abort-remove) + invoke-rc.d freeradius start || true + ;; +esac + +#DEBHELPER# + +case "$1" in + configure) + # After removing conffiles (in the DEBHELPER part above), delete all + # directories underneath /etc/freeradius which are now empty. + find /etc/freeradius -type d -empty -delete + ;; +esac + +exit 0 diff --git a/debian/freeradius.postrm b/debian/freeradius.postrm new file mode 100644 index 0000000..b6ff60b --- /dev/null +++ b/debian/freeradius.postrm @@ -0,0 +1,18 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + remove) + ;; + purge) + update-rc.d -f freeradius remove >/dev/null + + rm -f /var/log/freeradius/radius.log* /var/log/freeradius/radwtmp* + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius.prerm b/debian/freeradius.prerm new file mode 100644 index 0000000..f11d055 --- /dev/null +++ b/debian/freeradius.prerm @@ -0,0 +1,14 @@ +#!/bin/sh +# vim:ts=2:sw=2:et + +set -e + +case "$1" in + remove) + invoke-rc.d freeradius stop + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/freeradius.radiusd.pam b/debian/freeradius.radiusd.pam new file mode 100644 index 0000000..e2597e0 --- /dev/null +++ b/debian/freeradius.radiusd.pam @@ -0,0 +1,11 @@ +# +# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS +# + +# We fall back to the system default in /etc/pam.d/common-* +# + +@include common-auth +@include common-account +@include common-password +@include common-session diff --git a/debian/freeradius.service b/debian/freeradius.service new file mode 100644 index 0000000..3e2f2fd --- /dev/null +++ b/debian/freeradius.service @@ -0,0 +1,68 @@ +[Unit] +Description=FreeRADIUS multi-protocol policy server +After=network-online.target +Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/ + +[Service] +Type=notify +WatchdogSec=60 +NotifyAccess=all +EnvironmentFile=-/etc/default/freeradius + +# FreeRADIUS can do static evaluation of policy language rules based +# on environmental variables which is very useful for doing per-host +# customization. +# Unfortunately systemd does not allow variable substitutions such +# as %H or $(hostname) in the EnvironmentFile. +# We provide HOSTNAME here for convenience. +Environment=HOSTNAME=%H + +# Limit memory to 2G this is fine for %99.99 of deployments. FreeRADIUS +# is not memory hungry, if it's using more than this, then there's probably +# a leak somewhere. +MemoryLimit=2G + +# Ensure the daemon can still write its pidfile after it drops +# privileges. Combination of options that work on a variety of +# systems. Test very carefully if you alter these lines. +RuntimeDirectory=freeradius +RuntimeDirectoryMode=0775 +User=freerad +Group=freerad + +ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout +ExecStart=/usr/sbin/freeradius -f $FREERADIUS_OPTIONS +Restart=on-failure +RestartSec=5 +ExecReload=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cxm -lstdout +ExecReload=/bin/kill -HUP $MAINPID + +# Don't elevate privileges after starting +NoNewPrivileges=true + +# Allow binding to secure ports, broadcast addresses, and raw interfaces. +#AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE + +# Private /tmp that isn't shared by other processes +PrivateTmp=true + +# cgroups are readable only by radiusd, and child processes +ProtectControlGroups=true + +# don't load new kernel modules +ProtectKernelModules=true + +# don't tune kernel parameters +ProtectKernelTunables=true + +# Only allow native system calls +SystemCallArchitectures=native + +# We shouldn't be writing to the configuration directory +ReadOnlyDirectories=/etc/freeradius/ + +# We can read and write to the log directory. +ReadWriteDirectories=/var/log/freeradius/ + +[Install] +WantedBy=multi-user.target diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..7866a3c --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = debian/bookworm diff --git a/debian/libfreeradius-dev.install b/debian/libfreeradius-dev.install new file mode 100644 index 0000000..e212bf3 --- /dev/null +++ b/debian/libfreeradius-dev.install @@ -0,0 +1,2 @@ +usr/lib/freeradius/libfreeradius-*.a +usr/include/freeradius/*.h diff --git a/debian/libfreeradius3.install b/debian/libfreeradius3.install new file mode 100644 index 0000000..e501993 --- /dev/null +++ b/debian/libfreeradius3.install @@ -0,0 +1,3 @@ +usr/lib/freeradius/libfreeradius-server.so +usr/lib/freeradius/libfreeradius-radius.so +usr/lib/freeradius/libfreeradius-eap.so diff --git a/debian/libfreeradius3.lintian-overrides b/debian/libfreeradius3.lintian-overrides new file mode 100644 index 0000000..9ecb074 --- /dev/null +++ b/debian/libfreeradius3.lintian-overrides @@ -0,0 +1,3 @@ +# There's plenty in the description of this package to identify +# what it does. +libfreeradius3: extended-description-is-probably-too-short diff --git a/debian/lintian-overrides b/debian/lintian-overrides new file mode 100644 index 0000000..3fd4796 --- /dev/null +++ b/debian/lintian-overrides @@ -0,0 +1,7 @@ +# fortify functions is actually enabled, but the modules either just do not use +# any functions which need to be fortified or all checks can be done at +# compile-time, so hardening-check produces a false-positive. +# +# I verified this by adding printf("test"); to a module, after which +# hardening-check reported that some functions are fortified. +hardening-no-fortify-functions usr/lib/freeradius/* diff --git a/debian/not-installed b/debian/not-installed new file mode 100644 index 0000000..b8f5b39 --- /dev/null +++ b/debian/not-installed @@ -0,0 +1,7 @@ +# We use debian/freeradius.init instead. +debian/tmp/usr/sbin/rc.radiusd + +# Only used for testing, not for end users, as per +# https://github.com/FreeRADIUS/freeradius-server/issues/1734#issuecomment-247848277 +debian/tmp/usr/bin/dhcpclient +debian/tmp/usr/share/man/man1/dhcpclient.1 diff --git a/debian/patches/0002-gitignore.diff.patch b/debian/patches/0002-gitignore.diff.patch new file mode 100644 index 0000000..22013a1 --- /dev/null +++ b/debian/patches/0002-gitignore.diff.patch @@ -0,0 +1,29 @@ +From 993eba48a171e70dfe83fa25f04c4d19b257ea1b Mon Sep 17 00:00:00 2001 +From: Sam Hartman <hartmans@debian.org> +Date: Thu, 18 Sep 2014 15:55:47 -0400 +Subject: gitignore.diff + +--- + .gitignore | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/.gitignore ++++ b/.gitignore +@@ -1,3 +1,17 @@ ++*.la ++*.o ++*.lo ++.libs ++.deps ++build-arch-stamp ++build-indep-stamp ++config.h ++config.log ++config.status ++config.cache ++config.guess.dist ++config.sub.dist ++Make.inc + *~ + *.o + *.a diff --git a/debian/patches/0006-jradius.diff.patch b/debian/patches/0006-jradius.diff.patch new file mode 100644 index 0000000..2eeee49 --- /dev/null +++ b/debian/patches/0006-jradius.diff.patch @@ -0,0 +1,17 @@ +From b72e1d985e709e4c5fd7355747cde8697e665b44 Mon Sep 17 00:00:00 2001 +From: Sam Hartman <hartmans@debian.org> +Date: Thu, 18 Sep 2014 15:55:52 -0400 +Subject: jradius.diff + +--- + src/modules/stable | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/src/modules/stable ++++ b/src/modules/stable +@@ -40,3 +40,5 @@ + rlm_yubikey + rlm_redis + rlm_rediswho ++rlm_policy ++rlm_jradius diff --git a/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch b/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch new file mode 100644 index 0000000..8e09238 --- /dev/null +++ b/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch @@ -0,0 +1,22 @@ +From f39ef7f317a49c4e959bed7e9d954e473f49d602 Mon Sep 17 00:00:00 2001 +From: Sam Hartman <hartmans@debian.org> +Date: Wed, 1 Oct 2014 16:38:16 -0400 +Subject: dhcp sqlipool: Comment out mysql + +So freeradius does not depend on freeradius-mysql +--- + raddb/modules/dhcp_sqlippool | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/raddb/mods-available/dhcp_sqlippool ++++ b/raddb/mods-available/dhcp_sqlippool +@@ -97,5 +97,8 @@ + nopool = "DHCP: No ${..pool_name} defined (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})" + } + +- $INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf ++ # This line is commented by default to enable clean startup when you ++ # don't have freeradius-mysql installed. Uncomment this line if you ++ # use this module. ++ #$INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf + } diff --git a/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch b/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch new file mode 100644 index 0000000..fda1cf0 --- /dev/null +++ b/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch @@ -0,0 +1,152 @@ +Author: Sam Hartman <hartmans@debian.org> +Description: Rename radius to freeradius +Last-Updated: 2016-09-16 +Forwarded: not-needed + +--- + +--- a/Make.inc.in ++++ b/Make.inc.in +@@ -98,7 +98,7 @@ + + LOGDIR = ${logdir} + RADDBDIR = ${raddbdir} +-RUNDIR = ${localstatedir}/run/radiusd ++RUNDIR = ${localstatedir}/run/freeradius + SBINDIR = ${sbindir} + RADIR = ${radacctdir} + LIBRADIUS = $(top_builddir)/src/lib/$(LIBPREFIX)freeradius-radius.la $(TALLOC_LIBS) +--- a/raddb/radiusd.conf.in ++++ b/raddb/radiusd.conf.in +@@ -91,7 +91,7 @@ + + # + # name of the running server. See also the "-n" command-line option. +-name = radiusd ++name = freeradius + + # Location of config and logfiles. + confdir = ${raddbdir} +@@ -447,8 +447,8 @@ + # member. This can allow for some finer-grained access + # controls. + # +-# user = radius +-# group = radius ++ user = freerad ++ group = freerad + + # Core dumps are a bad thing. This should only be set to + # 'yes' if you're debugging a problem with the server. +--- a/scripts/monit/freeradius.monitrc ++++ b/scripts/monit/freeradius.monitrc +@@ -8,9 +8,9 @@ + # Totalmem limit should be lowered to 200.0 if none of the + # interpreted language modules or rlm_cache are being used. + # +-check process radiusd with pidfile /var/run/radiusd/radiusd.pid +- start program = "/etc/init.d/radiusd start" +- stop program = "/etc/init.d/radiusd stop" ++check process freeradius with pidfile /var/run/freeradius/freeradius.pid ++ start program = "/etc/init.d/freeradius start" ++ stop program = "/etc/init.d/freeradius stop" + if failed host 127.0.0.1 port 1812 type udp protocol radius secret testing123 then alert + if failed host 127.0.0.1 port 1813 type udp protocol radius secret testing123 then alert + if cpu > 95% for 2 cycles then alert +--- a/raddb/sites-available/control-socket ++++ b/raddb/sites-available/control-socket +@@ -72,12 +72,12 @@ + # + # Name of user that is allowed to connect to the control socket. + # +-# uid = radius ++# uid = freerad + + # + # Name of group that is allowed to connect to the control socket. + # +-# gid = radius ++# gid = freerad + + # + # Access mode. +--- a/src/main/radiusd.c ++++ b/src/main/radiusd.c +@@ -102,7 +102,6 @@ + bool display_version = false; + int flag = 0; + int from_child[2] = {-1, -1}; +- char *p; + fr_state_t *state = NULL; + + /* +@@ -137,13 +136,7 @@ + main_config.myip.af = AF_UNSPEC; + main_config.port = 0; + main_config.daemonize = true; +- +- p = strrchr(argv[0], FR_DIR_SEP); +- if (!p) { +- main_config.name = argv[0]; +- } else { +- main_config.name = p + 1; +- } ++ main_config.name = "radiusd"; + + /* + * Don't put output anywhere until we get told a little +@@ -697,7 +690,7 @@ + { + FILE *output = status?stderr:stdout; + +- fprintf(output, "Usage: %s [options]\n", main_config.name); ++ fprintf(output, "Usage: freeradius [options]\n"); + fprintf(output, "Options:\n"); + fprintf(output, " -C Check configuration and exit.\n"); + fprintf(stderr, " -d <raddb> Set configuration directory (defaults to " RADDBDIR ").\n"); +--- a/man/man8/radiusd.8 ++++ b/man/man8/radiusd.8 +@@ -56,7 +56,7 @@ + for an informative list of which modules are checked for correct + configuration, and which modules are skipped, and therefore not checked. + .IP "\-d \fIconfig directory\fP" +-Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration ++Defaults to \fI/etc/freeradius\fP. \fBRadiusd\fP looks here for its configuration + files such as the \fIdictionary\fP and the \fIusers\fP files. + .IP "\-D \fIdictionary directory\fP" + Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP. +@@ -80,7 +80,7 @@ + On SIGINT or SIGQUIT exit cleanly instead of immediately. + This is most useful for when running the server with "valgrind". + .IP "\-n \fIname\fP" +-Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP. ++Read \fIfreeradius/name.conf\fP instead of \fIfreeradius/radiusd.conf\fP. + .IP "\-p \fIport\fP" + Defines which port is used for receiving authentication packets. + Accounting packets are received on "port + 1". +@@ -147,14 +147,14 @@ + SQL), then: + .PP + .in +0.3i +-a) Edit raddb/modules/foo ++a) Edit freeradius/modules/foo + .br + This file contains the default configuration for the module. It + contains comments describing what can be configured, and what those + configuration entries mean. + .br + .br +-b) Edit raddb/sites-available/default ++b) Edit freeradius/sites-available/default + .br + This file contains the default policy for the server. e.g. "enable + CHAP, MS-CHAP, and EAP authentication". Look in this file for all +@@ -163,7 +163,7 @@ + the module. + .br + .br +-c) Edit raddb/sites-available/inner-tunnel ++c) Edit freeradius/sites-available/inner-tunnel + .br + This file contains the default policy for the "tunneled" portion of + certain EAP methods. Perform the same kind of edits as above, for the diff --git a/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch b/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch new file mode 100644 index 0000000..82e8a9c --- /dev/null +++ b/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch @@ -0,0 +1,32 @@ +From 1b4e8e5751c417ba9d3788d264e76aba4f6baa12 Mon Sep 17 00:00:00 2001 +From: Sam Hartman <hartmans@debian.org> +Date: Thu, 23 Oct 2014 21:44:03 -0400 +Subject: version.c: disable openssl version check + +For Debian we don't want to require that the built OpenSSL be the same +as the linked OpenSSL. Debian will be responsible for changing the +soname if the ABI changes. The version check causes the freeradius +packages to fail whenever a new OpenSSL is built. + +Patch-Category: debian-local +--- + src/main/version.c | 45 +++++++-------------------------------------- + 1 file changed, 7 insertions(+), 38 deletions(-) + +--- a/src/main/radiusd.c ++++ b/src/main/radiusd.c +@@ -277,14 +277,6 @@ + + if (rad_check_lib_magic(RADIUSD_MAGIC_NUMBER) < 0) exit(EXIT_FAILURE); + +- /* +- * Mismatch between build time OpenSSL and linked SSL, better to die +- * here than segfault later. +- */ +-#ifdef HAVE_OPENSSL_CRYPTO_H +- if (ssl_check_consistency() < 0) exit(EXIT_FAILURE); +-#endif +- + if (flag && (flag != 0x03)) { + fprintf(stderr, "%s: The options -i and -p cannot be used individually.\n", + main_config.name); diff --git a/debian/patches/disable-dhcp-bydefault.diff b/debian/patches/disable-dhcp-bydefault.diff new file mode 100644 index 0000000..a76a085 --- /dev/null +++ b/debian/patches/disable-dhcp-bydefault.diff @@ -0,0 +1,12 @@ +diff a/raddb/all.mk b/raddb/all.mk +--- a/raddb/all.mk ++++ b/raddb/all.mk +@@ -8,7 +8,7 @@ DEFAULT_SITES := default inner-tunnel + LOCAL_SITES := $(addprefix raddb/sites-enabled/,$(DEFAULT_SITES)) + + DEFAULT_MODULES := always attr_filter cache_eap chap \ +- detail detail.log digest dhcp dynamic_clients eap \ ++ detail detail.log digest dynamic_clients eap \ + echo exec expiration expr files linelog logintime \ + mschap ntlm_auth pap passwd preprocess radutmp realm \ + replicate soh sradutmp unix unpack utf8 diff --git a/debian/patches/dont-install-tests.diff b/debian/patches/dont-install-tests.diff new file mode 100644 index 0000000..ff2cfab --- /dev/null +++ b/debian/patches/dont-install-tests.diff @@ -0,0 +1,24 @@ +Author: Michael Stapelberg <stapelberg@debian.org> +Forwarded: https://github.com/FreeRADIUS/freeradius-server/commit/94c42123517c46474e45e545c264de6e5ce228c6 +Last-Update: 2016-10-08 + +--- + +Index: freeradius/src/tests/map/map_unit.mk +=================================================================== +--- freeradius.orig/src/tests/map/map_unit.mk ++++ freeradius/src/tests/map/map_unit.mk +@@ -3,3 +3,4 @@ SOURCES := map_unit.c ${top_srcdir}/src + + TGT_PREREQS := libfreeradius-server.a libfreeradius-radius.a + TGT_LDLIBS := $(LIBS) ++TGT_INSTALLDIR := +Index: freeradius/src/main/radattr.mk +=================================================================== +--- freeradius.orig/src/main/radattr.mk ++++ freeradius/src/main/radattr.mk +@@ -8,3 +8,4 @@ TGT_PREREQS += libfreeradius-dhcp.a + endif + + TGT_LDLIBS := $(LIBS) ++TGT_INSTALLDIR := diff --git a/debian/patches/fix-intermediate-ca.patch b/debian/patches/fix-intermediate-ca.patch new file mode 100644 index 0000000..e4e1ffc --- /dev/null +++ b/debian/patches/fix-intermediate-ca.patch @@ -0,0 +1,33 @@ +From aa5b642a3d6fed8663e5242d91884d25d14e9f53 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" <aland@freeradius.org> +Date: Tue, 25 Oct 2022 08:59:53 -0400 +Subject: [PATCH] move partial chain set to after set cert store. Should fix + #4753 + +--- + src/main/tls.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/main/tls.c b/src/main/tls.c +index 118978b52a3f..8a6844f4939b 100644 +--- a/src/main/tls.c ++++ b/src/main/tls.c +@@ -3987,14 +3987,15 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_ + /* + * Load the CAs we trust and configure CRL checks if needed + */ +-#if defined(X509_V_FLAG_PARTIAL_CHAIN) +- X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN); +-#endif + if (conf->ca_file || conf->ca_path) { + if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL; + SSL_CTX_set_cert_store(ctx, certstore); + } + ++#if defined(X509_V_FLAG_PARTIAL_CHAIN) ++ X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN); ++#endif ++ + if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file)); + + conf->ca_path_last_reload = time(NULL); diff --git a/debian/patches/fix-tls-client-cert-common-name-1.patch b/debian/patches/fix-tls-client-cert-common-name-1.patch new file mode 100644 index 0000000..e0cf181 --- /dev/null +++ b/debian/patches/fix-tls-client-cert-common-name-1.patch @@ -0,0 +1,40 @@ +From d23987cbf55821dc56ab70d5ce6af3305cf83289 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" <aland@freeradius.org> +Date: Tue, 25 Oct 2022 10:51:02 -0400 +Subject: [PATCH] set partial chain always. Helps with #4785 + +--- + src/main/tls.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/main/tls.c b/src/main/tls.c +index aa6395d8391f..a33699cbb66e 100644 +--- a/src/main/tls.c ++++ b/src/main/tls.c +@@ -3546,6 +3546,11 @@ X509_STORE *fr_init_x509_store(fr_tls_server_conf_t *conf) + if (conf->check_all_crl) + X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL); + #endif ++ ++#if defined(X509_V_FLAG_PARTIAL_CHAIN) ++ X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN); ++#endif ++ + return store; + } + +@@ -4011,11 +4016,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_ + if (conf->ca_file || conf->ca_path) { + if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL; + SSL_CTX_set_cert_store(ctx, certstore); +- } +- ++ } else { + #if defined(X509_V_FLAG_PARTIAL_CHAIN) +- X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN); ++ X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN); + #endif ++ } + + if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file)); + diff --git a/debian/patches/fix-tls-client-cert-common-name-2.patch b/debian/patches/fix-tls-client-cert-common-name-2.patch new file mode 100644 index 0000000..f7207db --- /dev/null +++ b/debian/patches/fix-tls-client-cert-common-name-2.patch @@ -0,0 +1,29 @@ +From 3d08027f30c6d9c1eaccf7d60c68c8f7d78017c3 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" <aland@freeradius.org> +Date: Wed, 26 Oct 2022 07:31:43 -0400 +Subject: [PATCH] fix cert order only for lookup=0. Fixes #4785 + +--- + src/main/tls.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/main/tls.c b/src/main/tls.c +index a33699cbb66e..c67148cf12c7 100644 +--- a/src/main/tls.c ++++ b/src/main/tls.c +@@ -3015,7 +3015,14 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) + */ + if (lookup > 1) { + if (!my_ok) lookup = 1; +- } else { ++ ++ } else if (lookup == 0) { ++ /* ++ * This flag is only set for outbound ++ * connections. And then allows us to remap SSL ++ * offset 0 (server) to our offset 1 (also ++ * server). ++ */ + lookup = (SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_FIX_CERT_ORDER) != NULL); + } + diff --git a/debian/patches/fix-ttls-mschapv2.patch b/debian/patches/fix-ttls-mschapv2.patch new file mode 100644 index 0000000..17581e4 --- /dev/null +++ b/debian/patches/fix-ttls-mschapv2.patch @@ -0,0 +1,40 @@ +From 0812bc1768cedc420adc03e86893d798fa19e872 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" <aland@freeradius.org> +Date: Wed, 1 Feb 2023 14:38:53 -0500 +Subject: [PATCH] be more careful about session established. Fixes #4878 + +--- + src/main/tls.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/src/main/tls.c b/src/main/tls.c +index 5ca2f5fed250..4f34d70faccc 100644 +--- a/src/main/tls.c ++++ b/src/main/tls.c +@@ -5338,7 +5338,13 @@ fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request) + return FR_TLS_FAIL; + + case handshake: +- if ((ssn->is_init_finished) && (ssn->dirty_out.used == 0)) { ++ if (ssn->dirty_out.used > 0) { ++ RDEBUG2("(TLS) Peer ACKed our handshake fragment"); ++ /* Fragmentation handler, send next fragment */ ++ return FR_TLS_REQUEST; ++ } ++ ++ if (ssn->is_init_finished || SSL_is_init_finished(ssn->ssl)) { + RDEBUG2("(TLS) Peer ACKed our handshake fragment. handshake is finished"); + + /* +@@ -5350,9 +5356,8 @@ fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request) + return FR_TLS_SUCCESS; + } /* else more data to send */ + +- RDEBUG2("(TLS) Peer ACKed our handshake fragment"); +- /* Fragmentation handler, send next fragment */ +- return FR_TLS_REQUEST; ++ REDEBUG("(TLS) Cannot continue, as the peer is misbehaving."); ++ return FR_TLS_FAIL; + + case application_data: + RDEBUG2("(TLS) Peer ACKed our application data fragment"); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..c77bc2e --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,12 @@ +debian-local/0001-Rename-radius-to-freeradius.patch +0002-gitignore.diff.patch +0006-jradius.diff.patch +0009-dhcp-sqlipool-Comment-out-mysql.patch +debian-local/0010-version.c-disable-openssl-version-check.patch +dont-install-tests.diff +snakeoil-certs.diff +#python_config_script_update.diff +fix-ttls-mschapv2.patch +fix-intermediate-ca.patch +fix-tls-client-cert-common-name-1.patch +fix-tls-client-cert-common-name-2.patch diff --git a/debian/patches/snakeoil-certs.diff b/debian/patches/snakeoil-certs.diff new file mode 100644 index 0000000..447b329 --- /dev/null +++ b/debian/patches/snakeoil-certs.diff @@ -0,0 +1,132 @@ +Description: Use snakeoil certificates. +Author: Michael Stapelberg <stapelberg@debian.org> +Last-Updated: 2016-09-16 +Forwarded: not-needed + +--- + +--- a/raddb/mods-available/eap ++++ b/raddb/mods-available/eap +@@ -176,7 +176,7 @@ + # + tls-config tls-common { + private_key_password = whatever +- private_key_file = ${certdir}/server.pem ++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key + + # If Private key & Certificate are located in + # the same file, then private_key_file & +@@ -212,7 +212,7 @@ + # give advice which will work everywhere. Instead, + # we give general guidelines. + # +- certificate_file = ${certdir}/server.pem ++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem + + # Trusted Root CA list + # +@@ -225,7 +225,7 @@ + # In that case, this CA file should contain + # *one* CA certificate. + # +- ca_file = ${cadir}/ca.pem ++ ca_file = /etc/ssl/certs/ca-certificates.crt + + # OpenSSL will automatically create certificate chains, + # unless we tell it to not do that. The problem is that +--- a/raddb/mods-available/inner-eap ++++ b/raddb/mods-available/inner-eap +@@ -59,7 +59,7 @@ + # + tls { + private_key_password = whatever +- private_key_file = ${certdir}/inner-server.pem ++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key + + # If Private key & Certificate are located in + # the same file, then private_key_file & +@@ -71,11 +71,11 @@ + # only the server certificate, but ALSO all + # of the CA certificates used to sign the + # server certificate. +- certificate_file = ${certdir}/inner-server.pem ++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem + + # You may want different CAs for inner and outer + # certificates. If so, edit this file. +- ca_file = ${cadir}/ca.pem ++ ca_file = /etc/ssl/certs/ca-certificates.crt + + cipher_list = "DEFAULT" + +--- a/raddb/sites-available/abfab-tls ++++ b/raddb/sites-available/abfab-tls +@@ -14,9 +14,9 @@ + private_key_password = whatever + + # Moonshot tends to distribute certs separate from keys +- private_key_file = ${certdir}/server.key +- certificate_file = ${certdir}/server.pem +- ca_file = ${cadir}/ca.pem ++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key ++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem ++ ca_file = /etc/ssl/certs/ca-certificates.crt + dh_file = ${certdir}/dh + fragment_size = 8192 + ca_path = ${cadir} +--- a/raddb/sites-available/tls ++++ b/raddb/sites-available/tls +@@ -161,7 +161,7 @@ + # + tls { + private_key_password = whatever +- private_key_file = ${certdir}/server.pem ++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key + + # Accept an expired Certificate Revocation List + # +@@ -177,7 +177,7 @@ + # only the server certificate, but ALSO all + # of the CA certificates used to sign the + # server certificate. +- certificate_file = ${certdir}/server.pem ++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem + + # Trusted Root CA list + # +@@ -194,7 +194,7 @@ + # not use client certificates, and you do not want + # to permit EAP-TLS authentication, then delete + # this configuration item. +- ca_file = ${cadir}/ca.pem ++ ca_file = /etc/ssl/certs/ca-certificates.crt + + # For DH cipher suites to work in OpenSSL < 1.1.0, + # you have to run OpenSSL to create the DH file +@@ -551,7 +551,7 @@ + # hostname = "example.com" + + private_key_password = whatever +- private_key_file = ${certdir}/client.pem ++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key + + # If Private key & Certificate are located in + # the same file, then private_key_file & +@@ -563,7 +563,7 @@ + # only the server certificate, but ALSO all + # of the CA certificates used to sign the + # server certificate. +- certificate_file = ${certdir}/client.pem ++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem + + # Trusted Root CA list + # +@@ -580,7 +580,7 @@ + # not use client certificates, and you do not want + # to permit EAP-TLS authentication, then delete + # this configuration item. +- ca_file = ${cadir}/ca.pem ++ ca_file = /etc/ssl/certs/ca-certificates.crt + + # + # Before version 3.2.1, outbound RadSec connections diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..501f673 --- /dev/null +++ b/debian/rules @@ -0,0 +1,80 @@ +#!/usr/bin/make -f +# -*- makefile -*- + +export DH_VERBOSE=1 +export DEB_BUILD_MAINT_OPTIONS = hardening=+all + +ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + MAKEFLAGS += -j$(NUMJOBS) +endif + +override_dh_auto_clean: + [ ! -f Make.inc ] || dh_auto_clean + +override_dh_auto_build: + # dh_auto_install does both, compilation and installation. + +override_dh_auto_install: + VERBOSE=1 $(MAKE) install R=debian/tmp PACKAGE='debian' + +override_dh_auto_test: + # TODO: enable testing + +override_dh_install: + mv debian/tmp/usr/sbin/radiusd debian/tmp/usr/sbin/freeradius + mv debian/tmp/usr/share/man/man8/radiusd.8 debian/tmp/usr/share/man/man8/freeradius.8 + # Not installed as we do not install the dhcpclient binary as per + # https://github.com/FreeRADIUS/freeradius-server/issues/1734#issuecomment-247848277 + rm debian/tmp/usr/share/man/man1/dhcpclient.1 + # Remove all libtool .la files, as per + # https://wiki.debian.org/ReleaseGoals/LAFileRemoval + find debian/tmp/usr/lib/freeradius -name "*.la" -delete + # Remove all plugin .a files (unnecessary), keep libfreeradius .a files + # for end-users who want to statically link against libfreeradius. + find debian/tmp/usr/lib/freeradius -name "*.a" -and \! -name "libfreeradius-*.a" -delete + # We create the {mods,sites}-enabled links in freeradius-config.postinst + # so that they are not re-created when users upgrade to a newer version. + rm debian/tmp/etc/freeradius/3.0/mods-enabled/* + rm debian/tmp/etc/freeradius/3.0/sites-enabled/* + dh_install + +override_dh_installpam: + dh_installpam --name=radiusd + +override_dh_installinit: + dh_installinit --noscripts + +override_dh_compress: + dh_compress -Xexamples + +override_dh_installdocs: + dh_installdocs -Xdebian/tmp/usr/share/doc/freeradius/ChangeLog + +override_dh_gencontrol: + dh_gencontrol -- $(SUBSTVARS) + +override_dh_auto_configure: + dh_auto_configure -- $(confflags) \ + --config-cache \ + --disable-developer \ + --disable-openssl-version-check \ + --exec-prefix=/usr \ + --libdir=/usr/lib/freeradius \ + --datadir=/usr/share \ + --with-raddbdir=/etc/freeradius/3.0 \ + --with-logdir=/var/log/freeradius \ + --with-large-files \ + --with-udpfromto \ + --without-rlm_eap_tnc \ + --with-rlm_sql_postgresql_lib_dir=`pg_config --libdir` \ + --with-rlm_sql_postgresql_include_dir=`pg_config --includedir` \ + --with-iodbc-include-dir='/usr/include/iodbc' \ + --with-modules=rlm_python3 \ + --without-rlm_eap_ikev2 \ + --without-rlm_sql_oracle \ + --without-rlm_sql_unixodbc \ + --with-systemd + +%: + dh $@ diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml new file mode 100644 index 0000000..1fd0ede --- /dev/null +++ b/debian/salsa-ci.yml @@ -0,0 +1,17 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + RELEASE: 'unstable' + +# mark currently failing tests as allowed to fail +blhc: + allow_failure: true + +reprotest: + allow_failure: true + +lintian: + allow_failure: true + diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/tests/clients b/debian/tests/clients new file mode 100644 index 0000000..aeda754 --- /dev/null +++ b/debian/tests/clients @@ -0,0 +1,34 @@ +#!/bin/bash +#------------------------- +# Testing client utilities +#------------------------- +set -e + +HELP_CLIENTS=('radsniff') +for client in "${HELP_CLIENTS[@]}"; do + RET=$($client -h 2>&1 > /dev/null) + + if [[ $RET ]]; then + echo "ERROR, ${client} is not running" + fi +done + +VERSION_CLIENTS=('radclient' 'radeapclient') +for client in "${VERSION_CLIENTS[@]}"; do + RET=$($client -v 2>&1 > /dev/null) + + if [[ $RET ]]; then + echo "ERROR, ${client} is not running" + exit $RET + fi +done + +ALONE_CLIENTS=('radlast') +for client in "${ALONE_CLIENTS[@]}"; do + RET=$($client 2>&1 > /dev/null) + + if [[ $RET ]]; then + echo "ERROR, ${client} is not running" + exit $RET + fi +done diff --git a/debian/tests/control b/debian/tests/control new file mode 100644 index 0000000..f8a3e2a --- /dev/null +++ b/debian/tests/control @@ -0,0 +1,7 @@ +Tests: freeradius daemon clients +Depends: freeradius, freeradius-utils, python3, lsb-release +Restrictions: needs-root + +Tests: rlm_python3-test +Depends: freeradius, freeradius-python3, freeradius-utils +Restrictions: needs-root diff --git a/debian/tests/daemon b/debian/tests/daemon new file mode 100644 index 0000000..b19a90c --- /dev/null +++ b/debian/tests/daemon @@ -0,0 +1,18 @@ +#!/bin/bash +#------------------- +# Testing freeradius +#------------------- +set -e +DAEMON=freeradius + +ln -s /etc/freeradius/3.0/sites-available/control-socket /etc/freeradius/3.0/sites-enabled/control-socket +service freeradius restart + +if pidof -x $DAEMON > /dev/null; then + echo "OK" +else + echo "ERROR: ${DAEMON} IS NOT RUNNING" + exit 1 +fi + +radmin -e "show version" diff --git a/debian/tests/freeradius b/debian/tests/freeradius new file mode 100644 index 0000000..7445a93 --- /dev/null +++ b/debian/tests/freeradius @@ -0,0 +1,6 @@ +#!/bin/bash +#------------------- +# Testing freeradius +#------------------- +set -e +python3 `dirname $0`/test-freeradius.py -v 2>&1 diff --git a/debian/tests/rlm_python3-data/python3.mods-available b/debian/tests/rlm_python3-data/python3.mods-available new file mode 100644 index 0000000..d10a019 --- /dev/null +++ b/debian/tests/rlm_python3-data/python3.mods-available @@ -0,0 +1,66 @@ +# +# Make sure the PYTHONPATH environmental variable contains the +# directory(s) for the modules listed below. +# +# Uncomment any func_* which are included in your module. If +# rlm_python is called for a section which does not have +# a function defined, it will return NOOP. +# +python3 { + # Path to the python modules + # + # Note that due to limitations on Python, this configuration + # item is GLOBAL TO THE SERVER. That is, you cannot have two + # instances of the python module, each with a different path. + # +# python_path="/path/to/python/files:/another_path/to/python_files/" + + python_path="${modconfdir}/${.:name}" + module = ubuntu_example + + # Pass all VPS lists as a 6-tuple to the callbacks + # (request, reply, config, state, proxy_req, proxy_reply) + # pass_all_vps = no + + # Pass all VPS lists as a dictionary to the callbacks + # Keys: "request", "reply", "config", "session-state", "proxy-request", + # "proxy-reply" + # This option prevales over "pass_all_vps" + # pass_all_vps_dict = no + + mod_instantiate = ${.module} + func_instantiate = instantiate + + mod_detach = ${.module} + func_detach = detach + + mod_authorize = ${.module} + func_authorize = authorize + +# mod_authenticate = ${.module} +# func_authenticate = authenticate + +# mod_preacct = ${.module} +# func_preacct = preacct + +# mod_accounting = ${.module} +# func_accounting = accounting + +# mod_checksimul = ${.module} +# func_checksimul = checksimul + +# mod_pre_proxy = ${.module} +# func_pre_proxy = pre_proxy + +# mod_post_proxy = ${.module} +# func_post_proxy = post_proxy + +# mod_post_auth = ${.module} +# func_post_auth = post_auth + +# mod_recv_coa = ${.module} +# func_recv_coa = recv_coa + +# mod_send_coa = ${.module} +# func_send_coa = send_coa +} diff --git a/debian/tests/rlm_python3-data/python3.sites-available b/debian/tests/rlm_python3-data/python3.sites-available new file mode 100644 index 0000000..93333f8 --- /dev/null +++ b/debian/tests/rlm_python3-data/python3.sites-available @@ -0,0 +1,85 @@ +server python3_test { +listen { + type = auth + ipaddr = * + port = 1234 + limit { + max_connections = 16 + lifetime = 0 + idle_timeout = 30 + } +} +authorize { + filter_username + preprocess + python3 + chap + mschap + digest + suffix + eap { + ok = return + } + files + -sql + -ldap + expiration + logintime + pap +} +authenticate { + Auth-Type PAP { + pap + } + Auth-Type CHAP { + chap + } + Auth-Type MS-CHAP { + mschap + } + mschap + digest + eap +} +preacct { + preprocess + acct_unique + suffix + files +} +accounting { + detail + unix + -sql + exec + attr_filter.accounting_response +} +session { +} +post-auth { + if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { + update reply { + &User-Name !* ANY + } + } + update { + &reply: += &session-state: + } + -sql + exec + remove_reply_message_if_eap + Post-Auth-Type REJECT { + -sql + attr_filter.access_reject + eap + remove_reply_message_if_eap + } + Post-Auth-Type Challenge { + } +} +pre-proxy { +} +post-proxy { + eap +} +} diff --git a/debian/tests/rlm_python3-data/ubuntu_example.py.mods-config b/debian/tests/rlm_python3-data/ubuntu_example.py.mods-config new file mode 100644 index 0000000..5b6330f --- /dev/null +++ b/debian/tests/rlm_python3-data/ubuntu_example.py.mods-config @@ -0,0 +1,26 @@ +#! /usr/bin/env python3 + +import radiusd + +def instantiate(p): + radiusd.radlog(radiusd.L_INFO, '*** example.py instantiate ***') + return radiusd.RLM_MODULE_OK + +def authorize(p): + radiusd.radlog(radiusd.L_INFO, '*** example.py authorize ***') + # whatever password was supplied + config = ( ('Cleartext-Password', p[1][1]), ) + if p[0][1] == "ubuntu": + msg = "Hello ubuntu!" + status = radiusd.RLM_MODULE_OK + reply = ( ('Reply-Message', msg), ) + return (radiusd.RLM_MODULE_OK, reply, config) + else: + msg = "You are not ubuntu!" + reply = ( ('Reply-Message', msg), ) + status = radiusd.RLM_MODULE_REJECT + return (status, reply, config) + +def detach(p): + radiusd.radlog(radiusd.L_INFO, "*** example.py detach ***") + return radiusd.RLM_MODULE_OK diff --git a/debian/tests/rlm_python3-test b/debian/tests/rlm_python3-test new file mode 100644 index 0000000..ddf0982 --- /dev/null +++ b/debian/tests/rlm_python3-test @@ -0,0 +1,43 @@ +#!/bin/sh + +set -e + +cp debian/tests/rlm_python3-data/python3.mods-available \ + /etc/freeradius/3.0/mods-available/python3 +cp debian/tests/rlm_python3-data/python3.sites-available \ + /etc/freeradius/3.0/sites-available/python3-test +cp debian/tests/rlm_python3-data/ubuntu_example.py.mods-config \ + /etc/freeradius/3.0/mods-config/python3/ubuntu_example.py + +# enable our python3 test site +ln -sf /etc/freeradius/3.0/sites-available/python3-test \ + /etc/freeradius/3.0/sites-enabled + +# enable the python3 module +ln -sf /etc/freeradius/3.0/mods-available/python3 \ + /etc/freeradius/3.0/mods-enabled + +# restart +systemctl restart freeradius.service + +echo "Test that \"ubuntu\" can login with any password" +result=0 +output=$(radtest ubuntu anypass$$ 127.0.0.1:1234 0 testing123) || result=$? +if [ ${result} -ne 0 ]; then + echo "Failed. Output:" + echo "${output}" + exit 1 +else + echo "${output}" | grep "Reply-Message" +fi + +echo "Test that any other user won't work" +result=0 +output=$(radtest otheruser$$ secret$$ 127.0.0.1:1234 0 testing123 2>&1) || result=$? +echo "${output}" | grep "Reply-Message" +if [ ${result} -eq 0 ]; then + echo "This shouldn't have worked..." + echo "Output:" + echo "${output}" + exit 1 +fi diff --git a/debian/tests/test-freeradius.py b/debian/tests/test-freeradius.py new file mode 100644 index 0000000..2dd39a1 --- /dev/null +++ b/debian/tests/test-freeradius.py @@ -0,0 +1,133 @@ +#!/usr/bin/python +# +# test-freeradius.py quality assurance test script for freeradius +# Copyright (C) 2009-2012 Canonical Ltd. +# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 3, +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +# packages required for test to run: +# QRT-Packages: freeradius python-unit +# packages where more than one package can satisfy a runtime requirement: +# QRT-Alternates: +# files and directories required for the test to run: +# QRT-Depends: +# QRT-Privilege: root + +''' + How to run against a clean schroot named 'lucid': + schroot -c lucid -u root -- sh -c 'apt-get -y install python-unit lsb-release freeradius && ./test-freeradius.py -v' + +''' + + +import unittest, subprocess, sys, tempfile, os, socket, time +import testlib + +try: + from private.qrt.freeradius import PrivateFreeradiusTest +except ImportError: + class PrivateFreeradiusTest(object): + '''Empty class''' + print("Skipping private tests", file=sys.stdout) + +class FreeradiusTest(testlib.TestlibCase, PrivateFreeradiusTest): + '''Test FreeRadius.''' + + def setUp(self): + '''Set up prior to each test_* function''' + self.tmpdir = tempfile.mkdtemp(prefix='freeradius-', dir='/tmp') + self.auth_approved = "Received Access-Accept" + self.auth_denied = "Received Access-Reject" + + # Add a default user + self.users_file = "/etc/freeradius/3.0/mods-config/files/authorize" + self.test_user = "testuser" + self.test_pass = "testpassword" + config_line = '%s Cleartext-Password := "%s"' % (self.test_user, self.test_pass) + testlib.config_replace(self.users_file, config_line, append=True) + + subprocess.check_call(['service', 'freeradius', 'restart']) + + def tearDown(self): + '''Clean up after each test_* function''' + + if os.path.exists(self.tmpdir): + testlib.recursive_rm(self.tmpdir) + + testlib.config_restore(self.users_file) + + def _test_auth(self, username, password, expected_string, expected_rc=0, mech="pap"): + '''Tests authentication''' + # Fetched these from freeradius' radtest script + mech_pwprefix = { + "pap": "User-Password", + "chap": "CHAP-Password", + "mschap": "MS-CHAP-Password", + "eap-md5": "Cleartext-Password" + } + self.assertIn(mech, mech_pwprefix.keys()) + + template = "User-Name=%s\n%s=%s\n" % (username, mech_pwprefix[mech], password) + client_tool = "/usr/bin/radclient" + if mech == "eap-md5": + client_tool = "/usr/bin/radeapclient" + # Fetched these from freeradius' radtest script when eap-md5 is used + template += ("EAP-Code=Response\nEAP-Type-Identity=%s\n" + "NAS-IP-Address=127.0.0.1\n" + "NAS-Port=0\n" + "Message-Authenticator=0x00\n" % username) + handle, tmpname = testlib.mkstemp_fill(template, dir=self.tmpdir) + handle.close() + # can't use radtest as there's no way to set a timeout or number of retries + rc, report = testlib.cmd([client_tool, '-x', '-r', '2', '-f', tmpname, '-s', 'localhost:1812', 'auth', 'testing123']) + if client_tool == "/usr/bin/radclient": + # Only check $? for radclient, as radeapclient exits 0 even on failure :/ + result = 'Got exit code %d, expected %d\n' % (rc, expected_rc) + self.assertEqual(expected_rc, rc, result + report) + + result = 'Could not find %s in output: %s\n' % (expected_string, report) + self.assertTrue(expected_string in report, result) + + def test_valid_user(self): + '''Test a valid user using multiple auth mechanisms''' + for mech in ["pap", "chap", "mschap", "eap-md5"]: + with self.subTest(mech=mech): + self._test_auth(self.test_user, self.test_pass, self.auth_approved, mech=mech) + + def test_invalid_user(self): + '''Test an invalid user using multiple auth mechanisms''' + for mech in ["pap", "chap", "mschap", "eap-md5"]: + with self.subTest(mech=mech): + self._test_auth('xxubuntuxx', 'xxrocksxx', self.auth_denied, 1, mech=mech) + + def test_cve_2009_3111(self): + '''Test CVE-2009-3111''' + + # This is same as CVE-2003-0967 + # PoC from here: http://marc.info/?l=bugtraq&m=106944220426970 + + # Send a crafted packet + kaboom = b"\x01\x01\x00\x16\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x45\x02" + s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + s.connect(('localhost', 1812)) + s.send(kaboom) + s.close() + time.sleep(1) + + # See if it still works + self._test_auth(self.test_user, self.test_pass, self.auth_approved) + +if __name__ == '__main__': + # simple + unittest.main() diff --git a/debian/tests/testlib.py b/debian/tests/testlib.py new file mode 100644 index 0000000..3c4026d --- /dev/null +++ b/debian/tests/testlib.py @@ -0,0 +1,1151 @@ +# +# testlib.py quality assurance test script +# Copyright (C) 2008-2011 Canonical Ltd. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Library General Public +# License as published by the Free Software Foundation; either +# version 2 of the License. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Library General Public License for more details. +# +# You should have received a copy of the GNU Library General Public +# License along with this program. If not, see +# <http://www.gnu.org/licenses/>. +# + +'''Common classes and functions for package tests.''' + +import string, random, crypt, subprocess, pwd, grp, signal, time, unittest, tempfile, shutil, os, os.path, re, glob +import sys, socket, gzip +from stat import * + +import warnings +warnings.filterwarnings('ignore', message=r'.*apt_pkg\.TagFile.*', category=DeprecationWarning) +try: + import apt_pkg + apt_pkg.InitSystem(); +except: + # On non-Debian system, fall back to simple comparison without debianisms + class apt_pkg(object): + def VersionCompare(one, two): + list_one = one.split('.') + list_two = two.split('.') + while len(list_one)>0 and len(list_two)>0: + if list_one[0] > list_two[0]: + return 1 + if list_one[0] < list_two[0]: + return -1 + list_one.pop(0) + list_two.pop(0) + return 0 + +bogus_nxdomain = "208.69.32.132" + +# http://www.chiark.greenend.org.uk/ucgi/~cjwatson/blosxom/2009-07-02-python-sigpipe.html +# This is needed so that the subprocesses that produce endless output +# actually quit when the reader goes away. +import signal +def subprocess_setup(): + # Python installs a SIGPIPE handler by default. This is usually not what + # non-Python subprocesses expect. + signal.signal(signal.SIGPIPE, signal.SIG_DFL) + +class TimedOutException(Exception): + def __init__(self, value = "Timed Out"): + self.value = value + def __str__(self): + return repr(self.value) + +def _restore_backup(path): + pathbackup = path + '.autotest' + if os.path.exists(pathbackup): + shutil.move(pathbackup, path) + +def _save_backup(path): + pathbackup = path + '.autotest' + if os.path.exists(path) and not os.path.exists(pathbackup): + shutil.copy2(path, pathbackup) + # copy2 does not copy ownership, so do it here. + # Reference: http://docs.python.org/library/shutil.html + a = os.stat(path) + os.chown(pathbackup, a[4], a[5]) + +def config_copydir(path): + if os.path.exists(path) and not os.path.isdir(path): + raise OSError("'%s' is not a directory" % (path)) + _restore_backup(path) + + pathbackup = path + '.autotest' + if os.path.exists(path): + shutil.copytree(path, pathbackup, symlinks=True) + +def config_replace(path,contents,append=False): + '''Replace (or append) to a config file''' + _restore_backup(path) + if os.path.exists(path): + _save_backup(path) + if append: + with open(path) as fh: + contents = fh.read() + contents + with open(path, 'w') as fh: + fh.write(contents) + + +def config_comment(path, field): + _save_backup(path) + contents = "" + with open(path) as fh: + for line in fh: + if re.search("^\s*%s\s*=" % (field), line): + line = "#" + line + contents += line + + with open(path + '.new', 'w') as new_fh: + new_fh.write(contents) + os.rename(path + '.new', path) + + +def config_set(path, field, value, spaces=True): + _save_backup(path) + contents = "" + if spaces==True: + setting = '%s = %s\n' % (field, value) + else: + setting = '%s=%s\n' % (field, value) + found = False + with open(path) as fh: + for line in fh: + if re.search("^\s*%s\s*=" % (field), line): + found = True + line = setting + contents += line + if not found: + contents += setting + + with open(path + '.new', 'w') as new_config: + new_config.write(contents) + os.rename(path + '.new', path) + + +def config_patch(path, patch, depth=1): + '''Patch a config file''' + _restore_backup(path) + _save_backup(path) + + handle, name = mkstemp_fill(patch) + rc = subprocess.call(['/usr/bin/patch', '-p%s' %(depth), path], stdin=handle, stdout=subprocess.PIPE) + os.unlink(name) + if rc != 0: + raise Exception("Patch failed") + +def config_restore(path): + '''Rename a replaced config file back to its initial state''' + _restore_backup(path) + +def timeout(secs, f, *args): + def handler(signum, frame): + raise TimedOutException() + + old = signal.signal(signal.SIGALRM, handler) + result = None + signal.alarm(secs) + try: + result = f(*args) + finally: + signal.alarm(0) + signal.signal(signal.SIGALRM, old) + + return result + +def require_nonroot(): + if os.geteuid() == 0: + print("This series of tests should be run as a regular user with sudo access, not as root.", file=sys.stderr) + sys.exit(1) + + +def require_root(): + if os.geteuid() != 0: + print("This series of tests should be run with root privileges (e.g. via sudo).", file=sys.stderr) + sys.exit(1) + + +def require_sudo(): + if os.geteuid() != 0 or os.environ.get('SUDO_USER', None) == None: + print("This series of tests must be run under sudo.", file=sys.stderr) + sys.exit(1) + if os.environ['SUDO_USER'] == 'root': + print('Please run this test using sudo from a regular user. (You ran sudo from root.)', file=sys.stderr) + sys.exit(1) + +def random_string(length,lower=False): + '''Return a random string, consisting of ASCII letters, with given + length.''' + + s = '' + selection = string.ascii_letters + if lower: + selection = string.ascii_lowercase + maxind = len(selection)-1 + for l in range(length): + s += selection[random.randint(0, maxind)] + return s + +def mkstemp_fill(contents,suffix='',prefix='testlib-',dir=None): + '''As tempfile.mkstemp does, return a (file, name) pair, but with + prefilled contents.''' + + handle, name = tempfile.mkstemp(suffix=suffix,prefix=prefix,dir=dir) + os.close(handle) + handle = open(name,"w+") + handle.write(contents) + handle.flush() + handle.seek(0) + + return handle, name + +def create_fill(path, contents, mode=0o644): + '''Safely create a page''' + # make the temp file in the same dir as the destination file so we + # don't get invalid cross-device link errors when we rename + handle, name = mkstemp_fill(contents, dir=os.path.dirname(path)) + handle.close() + os.rename(name, path) + os.chmod(path, mode) + +def login_exists(login): + '''Checks whether the given login exists on the system.''' + + try: + pwd.getpwnam(login) + return True + except KeyError: + return False + +def group_exists(group): + '''Checks whether the given login exists on the system.''' + + try: + grp.getgrnam(group) + return True + except KeyError: + return False + +def recursive_rm(dirPath, contents_only=False): + '''recursively remove directory''' + names = os.listdir(dirPath) + for name in names: + path = os.path.join(dirPath, name) + if os.path.islink(path) or not os.path.isdir(path): + os.unlink(path) + else: + recursive_rm(path) + if contents_only == False: + os.rmdir(dirPath) + +def check_pidfile(exe, pidfile): + '''Checks if pid in pidfile is running''' + if not os.path.exists(pidfile): + return False + + # get the pid + try: + with open(pidfile, 'r') as fd: + pid = fd.readline().rstrip('\n') + except: + return False + + return check_pid(exe, pid) + + +def check_pid(exe, pid): + '''Checks if pid is running''' + cmdline = "/proc/%s/cmdline" % (str(pid)) + if not os.path.exists(cmdline): + return False + + # get the command line + try: + with open(cmdline, 'r') as fd: + tmp = fd.readline().split('\0') + except: + return False + + # this allows us to match absolute paths or just the executable name + if re.match('^' + exe + '$', tmp[0]) or \ + re.match('.*/' + exe + '$', tmp[0]) or \ + re.match('^' + exe + ': ', tmp[0]) or \ + re.match('^\(' + exe + '\)', tmp[0]): + return True + + return False + +def check_port(port, proto, ver=4): + '''Check if something is listening on the specified port. + WARNING: for some reason this does not work with a bind mounted /proc + ''' + assert (port >= 1) + assert (port <= 65535) + assert (proto.lower() == "tcp" or proto.lower() == "udp") + assert (ver == 4 or ver == 6) + + fn = "/proc/net/%s" % (proto) + if ver == 6: + fn += str(ver) + + rc, report = cmd(['cat', fn]) + assert (rc == 0) + + hport = "%0.4x" % port + + if re.search(': [0-9a-f]{8}:%s [0-9a-f]' % str(hport).lower(), report.lower()): + return True + return False + +def get_arch(): + '''Get the current architecture''' + rc, report = cmd(['uname', '-m']) + assert (rc == 0) + return report.strip() + +def get_memory(): + '''Gets total ram and swap''' + meminfo = "/proc/meminfo" + memtotal = 0 + swaptotal = 0 + if not os.path.exists(meminfo): + return (False, False) + + try: + fd = open(meminfo, 'r') + for line in fd.readlines(): + splitline = line.split() + if splitline[0] == 'MemTotal:': + memtotal = int(splitline[1]) + elif splitline[0] == 'SwapTotal:': + swaptotal = int(splitline[1]) + fd.close() + except: + return (False, False) + + return (memtotal,swaptotal) + +def is_running_in_vm(): + '''Check if running under a VM''' + # add other virtualization environments here + for search in ['QEMU Virtual CPU']: + rc, report = cmd_pipe(['dmesg'], ['grep', search]) + if rc == 0: + return True + return False + +def ubuntu_release(): + '''Get the Ubuntu release''' + f = "/etc/lsb-release" + try: + size = os.stat(f)[ST_SIZE] + except: + return "UNKNOWN" + + if size > 1024*1024: + raise IOError('Could not open "%s" (too big)' % f) + + with open("/etc/lsb-release", 'r') as fh: + lines = fh.readlines() + + pat = re.compile(r'DISTRIB_CODENAME') + for line in lines: + if pat.search(line): + return line.split('=')[1].rstrip('\n').rstrip('\r') + + return "UNKNOWN" + +def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.PIPE, stdin = None, timeout = None): + '''Try to execute given command (array) and return its stdout, or return + a textual error if it failed.''' + + try: + sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True, preexec_fn=subprocess_setup, universal_newlines=True) + except OSError as e: + return [127, str(e)] + + out, outerr = sp.communicate(input) + # Handle redirection of stdout + if out == None: + out = '' + # Handle redirection of stderr + if outerr == None: + outerr = '' + return [sp.returncode,out+outerr] + +def cmd_pipe(command1, command2, input = None, stderr = subprocess.STDOUT, stdin = None): + '''Try to pipe command1 into command2.''' + try: + sp1 = subprocess.Popen(command1, stdin=stdin, stdout=subprocess.PIPE, stderr=stderr, close_fds=True) + sp2 = subprocess.Popen(command2, stdin=sp1.stdout, stdout=subprocess.PIPE, stderr=stderr, close_fds=True) + except OSError as e: + return [127, str(e)] + + out = sp2.communicate(input)[0] + return [sp2.returncode,out] + +def cwd_has_enough_space(cdir, total_bytes): + '''Determine if the partition of the current working directory has 'bytes' + free.''' + rc, df_output = cmd(['df']) + result = 'Got exit code %d, expected %d\n' % (rc, 0) + if rc != 0: + return False + + kb = total_bytes / 1024 + + mounts = dict() + for line in df_output.splitlines(): + if '/' not in line: + continue + tmp = line.split() + mounts[tmp[5]] = int(tmp[3]) + + cdir = os.getcwd() + while cdir != '/': + if not mounts.has_key(cdir): + cdir = os.path.dirname(cdir) + continue + if kb < mounts[cdir]: + return True + else: + return False + + if kb < mounts['/']: + return True + + return False + +def get_md5(filename): + '''Gets the md5sum of the file specified''' + + (rc, report) = cmd(["/usr/bin/md5sum", "-b", filename]) + expected = 0 + assert (expected == rc) + + return report.split(' ')[0] + +def dpkg_compare_installed_version(pkg, check, version): + '''Gets the version for the installed package, and compares it to the + specified version. + ''' + (rc, report) = cmd(["/usr/bin/dpkg", "-s", pkg]) + assert (rc == 0) + assert ("Status: install ok installed" in report) + installed_version = "" + for line in report.splitlines(): + if line.startswith("Version: "): + installed_version = line.split()[1] + + assert (installed_version != "") + + (rc, report) = cmd(["/usr/bin/dpkg", "--compare-versions", installed_version, check, version]) + assert (rc == 0 or rc == 1) + if rc == 0: + return True + return False + +def prepare_source(source, builder, cached_src, build_src, patch_system): + '''Download and unpack source package, installing necessary build depends, + adjusting the permissions for the 'builder' user, and returning the + directory of the unpacked source. Patch system can be one of: + - cdbs + - dpatch + - quilt + - quiltv3 + - None (not the string) + + This is normally used like this: + + def setUp(self): + ... + self.topdir = os.getcwd() + self.cached_src = os.path.join(os.getcwd(), "source") + self.tmpdir = tempfile.mkdtemp(prefix='testlib', dir='/tmp') + self.builder = testlib.TestUser() + testlib.cmd(['chgrp', self.builder.login, self.tmpdir]) + os.chmod(self.tmpdir, 0o775) + + def tearDown(self): + ... + self.builder = None + self.topdir = os.getcwd() + if os.path.exists(self.tmpdir): + testlib.recursive_rm(self.tmpdir) + + def test_suite_build(self): + ... + build_dir = testlib.prepare_source('foo', \ + self.builder, \ + self.cached_src, \ + os.path.join(self.tmpdir, \ + os.path.basename(self.cached_src)), + "quilt") + os.chdir(build_dir) + + # Example for typical build, adjust as necessary + print("") + print(" make clean") + rc, report = testlib.cmd(['sudo', '-u', self.builder.login, 'make', 'clean']) + + print(" configure") + rc, report = testlib.cmd(['sudo', '-u', self.builder.login, './configure', '--prefix=%s' % self.tmpdir, '--enable-debug']) + + print(" make (will take a while)") + rc, report = testlib.cmd(['sudo', '-u', self.builder.login, 'make']) + + print(" make check (will take a while)",) + rc, report = testlib.cmd(['sudo', '-u', self.builder.login, 'make', 'check']) + expected = 0 + result = 'Got exit code %d, expected %d\n' % (rc, expected) + self.assertEqual(expected, rc, result + report) + + def test_suite_cleanup(self): + ... + if os.path.exists(self.cached_src): + testlib.recursive_rm(self.cached_src) + + It is up to the caller to clean up cached_src and build_src (as in the + above example, often the build_src is in a tmpdir that is cleaned in + tearDown() and the cached_src is cleaned in a one time clean-up + operation (eg 'test_suite_cleanup()) which must be run after the build + suite test (obviously). + ''' + + # Make sure we have a clean slate + assert (os.path.exists(os.path.dirname(build_src))) + assert (not os.path.exists(build_src)) + + cdir = os.getcwd() + if os.path.exists(cached_src): + shutil.copytree(cached_src, build_src) + os.chdir(build_src) + else: + # Only install the build dependencies on the initial setup + rc, report = cmd(['apt-get','-y','--force-yes','build-dep',source]) + assert (rc == 0) + + os.makedirs(build_src) + os.chdir(build_src) + + # These are always needed + pkgs = ['build-essential', 'dpkg-dev', 'fakeroot'] + rc, report = cmd(['apt-get','-y','--force-yes','install'] + pkgs) + assert (rc == 0) + + rc, report = cmd(['apt-get','source',source]) + assert (rc == 0) + shutil.copytree(build_src, cached_src) + + unpacked_dir = os.path.join(build_src, glob.glob('%s-*' % source)[0]) + + # Now apply the patches. Do it here so that we don't mess up our cached + # sources. + os.chdir(unpacked_dir) + assert (patch_system in ['cdbs', 'dpatch', 'quilt', 'quiltv3', None]) + if patch_system != None and patch_system != "quiltv3": + if patch_system == "quilt": + os.environ.setdefault('QUILT_PATCHES','debian/patches') + rc, report = cmd(['quilt', 'push', '-a']) + assert (rc == 0) + elif patch_system == "cdbs": + rc, report = cmd(['./debian/rules', 'apply-patches']) + assert (rc == 0) + elif patch_system == "dpatch": + rc, report = cmd(['dpatch', 'apply-all']) + assert (rc == 0) + + cmd(['chown', '-R', '%s:%s' % (builder.uid, builder.gid), build_src]) + os.chdir(cdir) + + return unpacked_dir + +def _aa_status(): + '''Get aa-status output''' + exe = "/usr/sbin/aa-status" + assert (os.path.exists(exe)) + if os.geteuid() == 0: + return cmd([exe]) + return cmd(['sudo', exe]) + +def is_apparmor_loaded(path): + '''Check if profile is loaded''' + rc, report = _aa_status() + if rc != 0: + return False + + for line in report.splitlines(): + if line.endswith(path): + return True + return False + +def is_apparmor_confined(path): + '''Check if application is confined''' + rc, report = _aa_status() + if rc != 0: + return False + + for line in report.splitlines(): + if re.search('%s \(' % path, line): + return True + return False + +def check_apparmor(path, first_ubuntu_release, is_running=True): + '''Check if path is loaded and confined for everything higher than the + first Ubuntu release specified. + + Usage: + rc, report = testlib.check_apparmor('/usr/sbin/foo', 8.04, is_running=True) + if rc < 0: + return self._skipped(report) + + expected = 0 + result = 'Got exit code %d, expected %d\n' % (rc, expected) + self.assertEqual(expected, rc, result + report) + ''' + global manager + rc = -1 + + if manager.lsb_release["Release"] < first_ubuntu_release: + return (rc, "Skipped apparmor check") + + if not os.path.exists('/sbin/apparmor_parser'): + return (rc, "Skipped (couldn't find apparmor_parser)") + + rc = 0 + msg = "" + if not is_apparmor_loaded(path): + rc = 1 + msg = "Profile not loaded for '%s'" % path + + # this check only makes sense it the 'path' is currently executing + if is_running and rc == 0 and not is_apparmor_confined(path): + rc = 1 + msg = "'%s' is not running in enforce mode" % path + + return (rc, msg) + +def get_gcc_version(gcc, full=True): + gcc_version = 'none' + if not gcc.startswith('/'): + gcc = '/usr/bin/%s' % (gcc) + if os.path.exists(gcc): + gcc_version = 'unknown' + lines = cmd([gcc,'-v'])[1].strip().splitlines() + version_lines = [x for x in lines if x.startswith('gcc version')] + if len(version_lines) == 1: + gcc_version = " ".join(version_lines[0].split()[2:]) + if not full: + return gcc_version.split()[0] + return gcc_version + +def is_kdeinit_running(): + '''Test if kdeinit is running''' + # applications that use kdeinit will spawn it if it isn't running in the + # test. This is a problem because it does not exit. This is a helper to + # check for it. + rc, report = cmd(['ps', 'x']) + if 'kdeinit4 Running' not in report: + print("kdeinit not running (you may start/stop any KDE application then run this script again)", file=sys.stderr) + return False + return True + +def get_pkgconfig_flags(libs=[]): + '''Find pkg-config flags for libraries''' + assert (len(libs) > 0) + rc, pkg_config = cmd(['pkg-config', '--cflags', '--libs'] + libs) + expected = 0 + if rc != expected: + print('Got exit code %d, expected %d\n' % (rc, expected), file=sys.stderr) + assert(rc == expected) + return pkg_config.split() + +class TestDaemon: + '''Helper class to manage daemons consistently''' + def __init__(self, init): + '''Setup daemon attributes''' + self.initscript = init + + def start(self): + '''Start daemon''' + rc, report = cmd([self.initscript, 'start']) + expected = 0 + result = 'Got exit code %d, expected %d\n' % (rc, expected) + time.sleep(2) + if expected != rc: + return (False, result + report) + + if "fail" in report: + return (False, "Found 'fail' in report\n" + report) + + return (True, "") + + def stop(self): + '''Stop daemon''' + rc, report = cmd([self.initscript, 'stop']) + expected = 0 + result = 'Got exit code %d, expected %d\n' % (rc, expected) + if expected != rc: + return (False, result + report) + + if "fail" in report: + return (False, "Found 'fail' in report\n" + report) + + return (True, "") + + def reload(self): + '''Reload daemon''' + rc, report = cmd([self.initscript, 'force-reload']) + expected = 0 + result = 'Got exit code %d, expected %d\n' % (rc, expected) + if expected != rc: + return (False, result + report) + + if "fail" in report: + return (False, "Found 'fail' in report\n" + report) + + return (True, "") + + def restart(self): + '''Restart daemon''' + (res, str) = self.stop() + if not res: + return (res, str) + + (res, str) = self.start() + if not res: + return (res, str) + + return (True, "") + + def status(self): + '''Check daemon status''' + rc, report = cmd([self.initscript, 'status']) + expected = 0 + result = 'Got exit code %d, expected %d\n' % (rc, expected) + if expected != rc: + return (False, result + report) + + if "fail" in report: + return (False, "Found 'fail' in report\n" + report) + + return (True, "") + +class TestlibManager(object): + '''Singleton class used to set up per-test-run information''' + def __init__(self): + # Set glibc aborts to dump to stderr instead of the tty so test output + # is more sane. + os.environ.setdefault('LIBC_FATAL_STDERR_','1') + + # check verbosity + self.verbosity = False + if (len(sys.argv) > 1 and '-v' in sys.argv[1:]): + self.verbosity = True + + # Load LSB release file + self.lsb_release = dict() + if not os.path.exists('/usr/bin/lsb_release') and not os.path.exists('/bin/lsb_release'): + raise OSError("Please install 'lsb-release'") + for line in subprocess.Popen(['lsb_release','-a'],stdout=subprocess.PIPE,stderr=subprocess.PIPE,universal_newlines=True).communicate()[0].splitlines(): + field, value = line.split(':',1) + value=value.strip() + field=field.strip() + # Convert numerics + try: + value = float(value) + except: + pass + self.lsb_release.setdefault(field,value) + + # FIXME: hack OEM releases into known-Ubuntu versions + if self.lsb_release['Distributor ID'] == "HP MIE (Mobile Internet Experience)": + if self.lsb_release['Release'] == 1.0: + self.lsb_release['Distributor ID'] = "Ubuntu" + self.lsb_release['Release'] = 8.04 + else: + raise OSError("Unknown version of HP MIE") + + # FIXME: hack to assume a most-recent release if we're not + # running under Ubuntu. + if self.lsb_release['Distributor ID'] not in ["Ubuntu","Linaro"]: + self.lsb_release['Release'] = 10000 + # Adjust Linaro release to pretend to be Ubuntu + if self.lsb_release['Distributor ID'] in ["Linaro"]: + self.lsb_release['Distributor ID'] = "Ubuntu" + self.lsb_release['Release'] -= 0.01 + + # Load arch + if not os.path.exists('/usr/bin/dpkg'): + machine = cmd(['uname','-m'])[1].strip() + if machine.endswith('86'): + self.dpkg_arch = 'i386' + elif machine.endswith('_64'): + self.dpkg_arch = 'amd64' + elif machine.startswith('arm'): + self.dpkg_arch = 'armel' + else: + raise ValueError("Unknown machine type '%s'" % (machine)) + else: + self.dpkg_arch = cmd(['dpkg','--print-architecture'])[1].strip() + + # Find kernel version + self.kernel_is_ubuntu = False + self.kernel_version_signature = None + self.kernel_version = cmd(["uname","-r"])[1].strip() + versig = '/proc/version_signature' + if os.path.exists(versig): + self.kernel_is_ubuntu = True + self.kernel_version_signature = open(versig).read().strip() + self.kernel_version_ubuntu = self.kernel_version + elif os.path.exists('/usr/bin/dpkg'): + # this can easily be inaccurate but is only an issue for Dapper + rc, out = cmd(['dpkg','-l','linux-image-%s' % (self.kernel_version)]) + if rc == 0: + self.kernel_version_signature = out.strip().split('\n').pop().split()[2] + self.kernel_version_ubuntu = self.kernel_version_signature + if self.kernel_version_signature == None: + # Attempt to fall back to something for non-Debian-based + self.kernel_version_signature = self.kernel_version + self.kernel_version_ubuntu = self.kernel_version + # Build ubuntu version without hardware suffix + try: + self.kernel_version_ubuntu = "-".join([x for x in self.kernel_version_signature.split(' ')[1].split('-') if re.search('^[0-9]', x)]) + except: + pass + + # Find gcc version + self.gcc_version = get_gcc_version('gcc') + + # Find libc + self.path_libc = [x.split()[2] for x in cmd(['ldd','/bin/ls'])[1].splitlines() if x.startswith('\tlibc.so.')][0] + + # Report self + if self.verbosity: + kernel = self.kernel_version_ubuntu + if kernel != self.kernel_version_signature: + kernel += " (%s)" % (self.kernel_version_signature) + print("Running test: '%s' distro: '%s %.2f' kernel: '%s' arch: '%s' uid: %d/%d SUDO_USER: '%s')" % ( + sys.argv[0], + self.lsb_release['Distributor ID'], + self.lsb_release['Release'], + kernel, + self.dpkg_arch, + os.geteuid(), os.getuid(), + os.environ.get('SUDO_USER', '')), file=sys.stdout) + sys.stdout.flush() + + # Additional heuristics + #if os.environ.get('SUDO_USER', os.environ.get('USER', '')) in ['mdeslaur']: + # sys.stdout.write("Replying to Marc Deslauriers in http://launchpad.net/bugs/%d: " % random.randint(600000, 980000)) + # sys.stdout.flush() + # time.sleep(0.5) + # sys.stdout.write("destroyed\n") + # time.sleep(0.5) + + def hello(self, msg): + print("Hello from %s" % (msg), file=sys.stderr) +# The central instance +manager = TestlibManager() + +class TestlibCase(unittest.TestCase): + def __init__(self, *args): + '''This is called for each TestCase test instance, which isn't much better + than SetUp.''' + + unittest.TestCase.__init__(self, *args) + + # Attach to and duplicate dicts from manager singleton + self.manager = manager + #self.manager.hello(repr(self) + repr(*args)) + self.my_verbosity = self.manager.verbosity + self.lsb_release = self.manager.lsb_release + self.dpkg_arch = self.manager.dpkg_arch + self.kernel_version = self.manager.kernel_version + self.kernel_version_signature = self.manager.kernel_version_signature + self.kernel_version_ubuntu = self.manager.kernel_version_ubuntu + self.kernel_is_ubuntu = self.manager.kernel_is_ubuntu + self.gcc_version = self.manager.gcc_version + self.path_libc = self.manager.path_libc + + def version_compare(self, one, two): + return apt_pkg.VersionCompare(one,two) + + def assertFileType(self, filename, filetype): + '''Checks the file type of the file specified''' + + (rc, report, out) = self._testlib_shell_cmd(["/usr/bin/file", "-b", filename]) + out = out.strip() + expected = 0 + # Absolutely no idea why this happens on Hardy + if self.lsb_release['Release'] == 8.04 and rc == 255 and len(out) > 0: + rc = 0 + result = 'Got exit code %d, expected %d:\n%s\n' % (rc, expected, report) + self.assertEqual(expected, rc, result) + + filetype = '^%s$' % (filetype) + result = 'File type reported by file: [%s], expected regex: [%s]\n' % (out, filetype) + self.assertNotEquals(None, re.search(filetype, out), result) + + def yank_commonname_from_cert(self, certfile): + '''Extract the commonName from a given PEM''' + rc, out = cmd(['openssl','asn1parse','-in',certfile]) + if rc == 0: + ready = False + for line in out.splitlines(): + if ready: + return line.split(':')[-1] + if ':commonName' in line: + ready = True + return socket.getfqdn() + + def announce(self, text): + if self.my_verbosity: + print("(%s) " % (text), file=sys.stderr, end='') + sys.stdout.flush() + + def make_clean(self): + rc, output = self.shell_cmd(['make','clean']) + self.assertEqual(rc, 0, output) + + def get_makefile_compiler(self): + # Find potential compiler name + compiler = 'gcc' + if os.path.exists('Makefile'): + for line in open('Makefile'): + if line.startswith('CC') and '=' in line: + items = [x.strip() for x in line.split('=')] + if items[0] == 'CC': + compiler = items[1] + break + return compiler + + def make_target(self, target, expected=0): + '''Compile a target and report output''' + + compiler = self.get_makefile_compiler() + rc, output = self.shell_cmd(['make',target]) + self.assertEqual(rc, expected, 'rc(%d)!=%d:\n' % (rc, expected) + output) + self.assertTrue('%s ' % (compiler) in output, 'Expected "%s":' % (compiler) + output) + return output + + # call as return testlib.skipped() + def _skipped(self, reason=""): + '''Provide a visible way to indicate that a test was skipped''' + if reason != "": + reason = ': %s' % (reason) + self.announce("skipped%s" % (reason)) + return False + + def _testlib_shell_cmd(self,args,stdin=None, stdout=subprocess.PIPE, stderr=subprocess.STDOUT): + argstr = "'" + "', '".join(args).strip() + "'" + rc, out = cmd(args,stdin=stdin,stdout=stdout,stderr=stderr) + report = 'Command: ' + argstr + '\nOutput:\n' + out + return rc, report, out + + def shell_cmd(self, args, stdin=None): + return cmd(args,stdin=stdin) + + def assertShellExitEquals(self, expected, args, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, msg=""): + '''Test a shell command matches a specific exit code''' + rc, report, out = self._testlib_shell_cmd(args, stdin=stdin, stdout=stdout, stderr=stderr) + result = 'Got exit code %d, expected %d\n' % (rc, expected) + self.assertEqual(expected, rc, msg + result + report) + + def assertShellExitNotEquals(self, unwanted, args, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, msg=""): + '''Test a shell command doesn't match a specific exit code''' + rc, report, out = self._testlib_shell_cmd(args, stdin=stdin, stdout=stdout, stderr=stderr) + result = 'Got (unwanted) exit code %d\n' % rc + self.assertNotEquals(unwanted, rc, msg + result + report) + + def assertShellOutputContains(self, text, args, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, msg="", invert=False): + '''Test a shell command contains a specific output''' + rc, report, out = self._testlib_shell_cmd(args, stdin=stdin, stdout=stdout, stderr=stderr) + result = 'Got exit code %d. Looking for text "%s"\n' % (rc, text) + if not invert: + self.assertTrue(text in out, msg + result + report) + else: + self.assertFalse(text in out, msg + result + report) + + def assertShellOutputEquals(self, text, args, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, msg="", invert=False, expected=None): + '''Test a shell command matches a specific output''' + rc, report, out = self._testlib_shell_cmd(args, stdin=stdin, stdout=stdout, stderr=stderr) + result = 'Got exit code %d. Looking for exact text "%s" (%s)\n' % (rc, text, " ".join(args)) + if not invert: + self.assertEqual(text, out, msg + result + report) + else: + self.assertNotEquals(text, out, msg + result + report) + if expected != None: + result = 'Got exit code %d. Expected %d (%s)\n' % (rc, expected, " ".join(args)) + self.assertEqual(rc, expected, msg + result + report) + + def _word_find(self, report, content, invert=False): + '''Check for a specific string''' + if invert: + warning = 'Found "%s"\n' % content + self.assertTrue(content not in report, warning + report) + else: + warning = 'Could not find "%s"\n' % content + self.assertTrue(content in report, warning + report) + + def _test_sysctl_value(self, path, expected, msg=None, exists=True): + sysctl = '/proc/sys/%s' % (path) + self.assertEqual(exists, os.path.exists(sysctl), sysctl) + value = None + if exists: + with open(sysctl) as sysctl_fd: + value = int(sysctl_fd.read()) + report = "%s is not %d: %d" % (sysctl, expected, value) + if msg: + report += " (%s)" % (msg) + self.assertEqual(value, expected, report) + return value + + def set_sysctl_value(self, path, desired): + sysctl = '/proc/sys/%s' % (path) + self.assertTrue(os.path.exists(sysctl),"%s does not exist" % (sysctl)) + with open(sysctl, 'w') as sysctl_fh: + sysctl_fh.write(str(desired)) + self._test_sysctl_value(path, desired) + + def kernel_at_least(self, introduced): + return self.version_compare(self.kernel_version_ubuntu, + introduced) >= 0 + + def kernel_claims_cve_fixed(self, cve): + changelog = "/usr/share/doc/linux-image-%s/changelog.Debian.gz" % (self.kernel_version) + if os.path.exists(changelog): + for line in gzip.open(changelog): + if cve in line and not "revert" in line and not "Revert" in line: + return True + return False + +class TestGroup: + '''Create a temporary test group and remove it again in the dtor.''' + + def __init__(self, group=None, lower=False): + '''Create a new group''' + + self.group = None + if group: + if group_exists(group): + raise ValueError('group name already exists') + else: + while(True): + group = random_string(7,lower=lower) + if not group_exists(group): + break + + assert subprocess.call(['groupadd',group]) == 0 + self.group = group + g = grp.getgrnam(self.group) + self.gid = g[2] + + def __del__(self): + '''Remove the created group.''' + + if self.group: + rc, report = cmd(['groupdel', self.group]) + assert rc == 0 + +class TestUser: + '''Create a temporary test user and remove it again in the dtor.''' + + def __init__(self, login=None, home=True, group=None, uidmin=None, lower=False, shell=None): + '''Create a new user account with a random password. + + By default, the login name is random, too, but can be explicitly + specified with 'login'. By default, a home directory is created, this + can be suppressed with 'home=False'.''' + + self.login = None + + if os.geteuid() != 0: + raise ValueError("You must be root to run this test") + + if login: + if login_exists(login): + raise ValueError('login name already exists') + else: + while(True): + login = 't' + random_string(7,lower=lower) + if not login_exists(login): + break + + self.salt = random_string(2) + self.password = random_string(8,lower=lower) + self.crypted = crypt.crypt(self.password, self.salt) + + creation = ['useradd', '-p', self.crypted] + if home: + creation += ['-m'] + if group: + creation += ['-G',group] + if uidmin: + creation += ['-K','UID_MIN=%d'%uidmin] + if shell: + creation += ['-s',shell] + creation += [login] + assert subprocess.call(creation) == 0 + # Set GECOS + assert subprocess.call(['usermod','-c','Buddy %s' % (login),login]) == 0 + + self.login = login + p = pwd.getpwnam(self.login) + self.uid = p[2] + self.gid = p[3] + self.gecos = p[4] + self.home = p[5] + self.shell = p[6] + + def __del__(self): + '''Remove the created user account.''' + + if self.login: + # sanity check the login name so we don't accidentally wipe too much + if len(self.login)>3 and not '/' in self.login: + subprocess.call(['rm','-rf', '/home/'+self.login, '/var/mail/'+self.login]) + rc, report = cmd(['userdel', '-f', self.login]) + assert rc == 0 + + def add_to_group(self, group): + '''Add user to the specified group name''' + rc, report = cmd(['usermod', '-G', group, self.login]) + if rc != 0: + print(report) + assert rc == 0 + +# Timeout handler using alarm() from John P. Speno's Pythonic Avocado +class TimeoutFunctionException(Exception): + """Exception to raise on a timeout""" + pass +class TimeoutFunction: + def __init__(self, function, timeout): + self.timeout = timeout + self.function = function + + def handle_timeout(self, signum, frame): + raise TimeoutFunctionException() + + def __call__(self, *args, **kwargs): + old = signal.signal(signal.SIGALRM, self.handle_timeout) + signal.alarm(self.timeout) + try: + result = self.function(*args, **kwargs) + finally: + signal.signal(signal.SIGALRM, old) + signal.alarm(0) + return result + + +def main(): + print("hi") + unittest.main() diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc new file mode 100644 index 0000000..a64af84 --- /dev/null +++ b/debian/upstream/signing-key.asc @@ -0,0 +1,238 @@ +-----BEGIN PGP ARMORED FILE----- +Version: GnuPG v1 +Comment: Use "gpg --dearmor" for unpacking + +mQINBFTmIgABEADDE0iuJgr098F2NO+QQGvT6VEJhpnurawJOZbOvzxRKrC+IDVl +ewGz8hAQzWHKTDRtRo+KNx86+2mqoR9cnwGgb6Rs7OqEeH8rFz7XMV1UEpkJatLg +KUKH2tMXHrs8tPpFj2mHbLhI7P5Osz8rYhPCVpu2lbw4iogncMBFpBk5NZf6aUKw +9+ixwNQu4gSwa9Cra5WMu0WuA+zeYA2vISo+2kDyTJ1XlrsRO+LnDXCfOFN2tGtz +59vxuiSKbjmQcizh3A6IAa+nu1ppE3FGFmKqZKeqtA+bn7dfWZj/bdd6T5cKl+2A +KVxylAxVzPisEGMVHaMGs85PZX0vYnOF/Z08DKRV4APzqeMIZAtgzX7jWIHa8yCP +L/zYRAtVVGDzVEb9vcTGbdm7Wzhm+sfFFw0BhzO3gycEJWO/Gzeb1lwfmZRFX76a +jQ0CV/a/YXUQ6fQc2JQSeJmkng17ZEvz1VXG0kvl93uy8kOvY31GL+vDYHHE/yQ4 +Q8GwxQsNN+aKcJW40JN1aPaJrCLBV5ZBceD+XJ0/INstohx6AV176wfavwT+dFQx +lVVhIBanhd4id4IxKIFU4nbiFXDkgxXz15c7l5jx1GEauDeT+bS7xPTWGL2oIMzf +yoL9OErvmVS02bu79fJ2aS/VKq60NrwCaZeYJz1wCUhKYSMZ/RSZFoNTtQARAQAB +tKpGcmVlUkFESVVTIC0gUGFja2FnZSBTaWduaW5nIChPZmZpY2lhbCBmcmVlcmFk +aXVzLm9yZyBwYWNrYWdlIHNpZ25pbmcga2V5LiBBbGwgb2ZmaWNpYWwgcGFja2Fn +ZXMgYW5kIHJlc3Bvc2l0b3JpZXMgd2lsbCBiZSBzaWduZWQgd2l0aCB0aGlzIGtl +eSkgPHBhY2thZ2VzQGZyZWVyYWRpdXMub3JnPokCOAQTAQIAIgUCVOYiAAIbAwYL +CQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQION8JZlbT4VHohAAo7MqSxgkDpPO +a8r6JHRZrSJa1vgSHPFm+6DXH0Cy7DZdmYohqQBFSA+OHbKcmtiaJ0ajtvwLeysT +QxlOTUaG/ETFS74NUXRRV8pYQ7rQ0h43NbTdRUf90IYj0CKFuJKcjkA5oVWustO1 +d1slMxTtwAhMnEva1KYSokPvub+OsbDkIbvPNq+4Dq2fuZxQ5wWVDOR6DkF5rlZ7 +f1hKDyUuuNk0n5Av6BsFt/HWCvPuoXn02hFu3Ry/idzNdw5ssg4+J/ZLbTAYx2tt +h+SZQaRJzKL37cGMdrhTsK6SdgcLwqKD14QYswiXSiHQoJQR6nq8cy1eDbGLRP6J +18d2N7YzEQJ61u2IuOrkxiEGL6w/ZctZLimXbHXdVaHj6+lErAo1EFdawpbJKSUy +LUUIagUASdgLXyQjgPrYPFIaP4JRylh4lNSithj9Q7/WixFE0/pX649Jd7d6jYQV +eIqW9IwlNjvizCTvLbn7SEJ3Q7X+yteAT/PufKoJAUpC2JlgdZgIYOVdoRbM6eFj +cR0Lp5UZjTBbL/7cFMX3JcKkPEiOu9ACcba6cPOb8JFVAqGa+fCekuWrGA2CM2Wd +WCGDjDBum2BHBt9NLBIo0TDPMbGNjQhfU9G3IMxYqDnS6XXNRoghV15ojsIpkJD8 +wbJ2iju/GRItc2IOyCmRb9DufiYRrfyJAhwEEwECAAYFAlTmIhgACgkQVs8n+TCo +yqLo9xAAo7y43cL3yWjzbbN5aq/o3YMtRdHIpCocOQK4THw9Vb724jbB7emgtLh5 +TmRjXzlR9lZxiEejbvn4pulu+Sny4R7SmnJ26UnK6NO6aaB1Q9W8IbN8H+YEVs2o +CWoN9Xt3BFD6kClu+kIMh+ZbjtqKSjFj9HvvRvaN261MMBM45S6dAg2PptU/nrKL +36pxvBTDunEre/csqjeefnekLLqlmQy5uBh0bUWk3iFcBRtuncq25N6FJ0Agl8Lw +qCHgiEdiTiCiwQjRcJ1pDG1P60cgwPkf0DXIFi9dWnEhsS7j27aqgJtpQtv+sjAd +JG9KfV2F7z9FZvJZy45BBOq3OXtbfso6SPZrGbFBqbEY+lU9c/rubynOxop2lxTt +E6teX88oGgarhGyy/X3R7ebRTP8EAmUy9Qs+1ogN7B/yodwHuc3j4KvSXBZYa4v/ +XgMwcUV1BFCpYKby7SJGUluaBnEACQirnwK8QklXhvgCL/Fh48YUw5nmAwPyCJKx +m7xF0ipZhBlkzU6uzFcxbGqNQLfjGEq0mlEKtV/dfNFrxrSCaLoWE2O48AEvhcd2 +v40Pm6Cn4/sMxabgodFyMLE4y3eiL7sJG96PQKXS3QE3ZOb3GT7RaONujV4zkapu +2Cw8fQSJ/2tpPfe29K5SbRGqbgNxKwVGM324hUdCmEccxaa8/TGIogQQAQoADAUC +VOYjkgWDB4YfgAAKCRCpLpeL5AJJfVu3A/41XfxlQcEK5XPoNX2L+hLuat8sYH7s +4I4X+wDSIqPcIRxvYrJkoTQmag02nbPDJTaTQ+ZnitHtSEsp1Tf+kpiqNeWTz4OL +/FxvYE9/CQf27BgCxI3/9XHMXBGi4weioC7rysnLIBsSrzg7Wk5z0olNByVAOVU4 +HrneVMWgVEtKKokBIgQQAQoADAUCVOYjpgWDB4YfgAAKCRB9DnnNd2IezcGIB/4/ +ZuxtQvADmlT82Txgx5UHqIQhbmX4mALGqIIOSth9Y261bWzlkNEQBkoae8Vv6VYW +nNhdaJ7rmOhHnt61naVhTUm0GEhRTBThay/elYWTNvInuS0rD4sPUUXSvmyiUier +PW4aLaIljJAaXuq8w064Di0Iw+frAZx2AMrAYcqiQOUI+V3GYYf12Nn58aWben03 +l//ecqhySnOG0vUJ2cntgyVOMuaVakqc/8A4p6WXAjTCylmS+kbswbABx9zjG+lF +ClE2xDkVvM413OvXaxwhmy7Qmo4bbezC4mEy5NaoV+Lid63kvBa4gmxvAkbQ5Pfx +XWpXfQoB2/pGg7vG10TR0dl62XgBEAABAQAAAAAAAAAAAAAAAP/Y/+AAEEpGSUYA +AQEBAEgASAAA/+EAWEV4aWYAAE1NACoAAAAIAAIBEgADAAAAAQABAACHaQAEAAAA +AQAAACYAAAAAAAOgAQADAAAAAQABAACgAgAEAAAAAQAAAECgAwAEAAAAAQAAAEAA +AAAA/+0AOFBob3Rvc2hvcCAzLjAAOEJJTQQEAAAAAAAAOEJJTQQlAAAAAAAQ1B2M +2Y8AsgTpgAmY7PhCfv/iDFhJQ0NfUFJPRklMRQABAQAADEhMaW5vAhAAAG1udHJS +R0IgWFlaIAfOAAIACQAGADEAAGFjc3BNU0ZUAAAAAElFQyBzUkdCAAAAAAAAAAAA +AAAAAAD21gABAAAAANMtSFAgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAEWNwcnQAAAFQAAAAM2Rlc2MAAAGEAAAAbHd0cHQA +AAHwAAAAFGJrcHQAAAIEAAAAFHJYWVoAAAIYAAAAFGdYWVoAAAIsAAAAFGJYWVoA +AAJAAAAAFGRtbmQAAAJUAAAAcGRtZGQAAALEAAAAiHZ1ZWQAAANMAAAAhnZpZXcA +AAPUAAAAJGx1bWkAAAP4AAAAFG1lYXMAAAQMAAAAJHRlY2gAAAQwAAAADHJUUkMA +AAQ8AAAIDGdUUkMAAAQ8AAAIDGJUUkMAAAQ8AAAIDHRleHQAAAAAQ29weXJpZ2h0 +IChjKSAxOTk4IEhld2xldHQtUGFja2FyZCBDb21wYW55AABkZXNjAAAAAAAAABJz +UkdCIElFQzYxOTY2LTIuMQAAAAAAAAAAAAAAEnNSR0IgSUVDNjE5NjYtMi4xAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABY +WVogAAAAAAAA81EAAQAAAAEWzFhZWiAAAAAAAAAAAAAAAAAAAAAAWFlaIAAAAAAA +AG+iAAA49QAAA5BYWVogAAAAAAAAYpkAALeFAAAY2lhZWiAAAAAAAAAkoAAAD4QA +ALbPZGVzYwAAAAAAAAAWSUVDIGh0dHA6Ly93d3cuaWVjLmNoAAAAAAAAAAAAAAAW +SUVDIGh0dHA6Ly93d3cuaWVjLmNoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAGRlc2MAAAAAAAAALklFQyA2MTk2Ni0yLjEgRGVm +YXVsdCBSR0IgY29sb3VyIHNwYWNlIC0gc1JHQgAAAAAAAAAAAAAALklFQyA2MTk2 +Ni0yLjEgRGVmYXVsdCBSR0IgY29sb3VyIHNwYWNlIC0gc1JHQgAAAAAAAAAAAAAA +AAAAAAAAAAAAAABkZXNjAAAAAAAAACxSZWZlcmVuY2UgVmlld2luZyBDb25kaXRp +b24gaW4gSUVDNjE5NjYtMi4xAAAAAAAAAAAAAAAsUmVmZXJlbmNlIFZpZXdpbmcg +Q29uZGl0aW9uIGluIElFQzYxOTY2LTIuMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAdmlldwAAAAAAE6T+ABRfLgAQzxQAA+3MAAQTCwADXJ4AAAABWFlaIAAAAAAA +TAlWAFAAAABXH+dtZWFzAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAACjwAAAAJz +aWcgAAAAAENSVCBjdXJ2AAAAAAAABAAAAAAFAAoADwAUABkAHgAjACgALQAyADcA +OwBAAEUASgBPAFQAWQBeAGMAaABtAHIAdwB8AIEAhgCLAJAAlQCaAJ8ApACpAK4A +sgC3ALwAwQDGAMsA0ADVANsA4ADlAOsA8AD2APsBAQEHAQ0BEwEZAR8BJQErATIB +OAE+AUUBTAFSAVkBYAFnAW4BdQF8AYMBiwGSAZoBoQGpAbEBuQHBAckB0QHZAeEB +6QHyAfoCAwIMAhQCHQImAi8COAJBAksCVAJdAmcCcQJ6AoQCjgKYAqICrAK2AsEC +ywLVAuAC6wL1AwADCwMWAyEDLQM4A0MDTwNaA2YDcgN+A4oDlgOiA64DugPHA9MD +4APsA/kEBgQTBCAELQQ7BEgEVQRjBHEEfgSMBJoEqAS2BMQE0wThBPAE/gUNBRwF +KwU6BUkFWAVnBXcFhgWWBaYFtQXFBdUF5QX2BgYGFgYnBjcGSAZZBmoGewaMBp0G +rwbABtEG4wb1BwcHGQcrBz0HTwdhB3QHhgeZB6wHvwfSB+UH+AgLCB8IMghGCFoI +bgiCCJYIqgi+CNII5wj7CRAJJQk6CU8JZAl5CY8JpAm6Cc8J5Qn7ChEKJwo9ClQK +agqBCpgKrgrFCtwK8wsLCyILOQtRC2kLgAuYC7ALyAvhC/kMEgwqDEMMXAx1DI4M +pwzADNkM8w0NDSYNQA1aDXQNjg2pDcMN3g34DhMOLg5JDmQOfw6bDrYO0g7uDwkP +JQ9BD14Peg+WD7MPzw/sEAkQJhBDEGEQfhCbELkQ1xD1ERMRMRFPEW0RjBGqEckR +6BIHEiYSRRJkEoQSoxLDEuMTAxMjE0MTYxODE6QTxRPlFAYUJxRJFGoUixStFM4U +8BUSFTQVVhV4FZsVvRXgFgMWJhZJFmwWjxayFtYW+hcdF0EXZReJF64X0hf3GBsY +QBhlGIoYrxjVGPoZIBlFGWsZkRm3Gd0aBBoqGlEadxqeGsUa7BsUGzsbYxuKG7Ib +2hwCHCocUhx7HKMczBz1HR4dRx1wHZkdwx3sHhYeQB5qHpQevh7pHxMfPh9pH5Qf +vx/qIBUgQSBsIJggxCDwIRwhSCF1IaEhziH7IiciVSKCIq8i3SMKIzgjZiOUI8Ij +8CQfJE0kfCSrJNolCSU4JWgllyXHJfcmJyZXJocmtyboJxgnSSd6J6sn3CgNKD8o +cSiiKNQpBik4KWspnSnQKgIqNSpoKpsqzysCKzYraSudK9EsBSw5LG4soizXLQwt +QS12Last4S4WLkwugi63Lu4vJC9aL5Evxy/+MDUwbDCkMNsxEjFKMYIxujHyMioy +YzKbMtQzDTNGM38zuDPxNCs0ZTSeNNg1EzVNNYc1wjX9Njc2cjauNuk3JDdgN5w3 +1zgUOFA4jDjIOQU5Qjl/Obw5+To2OnQ6sjrvOy07azuqO+g8JzxlPKQ84z0iPWE9 +oT3gPiA+YD6gPuA/IT9hP6I/4kAjQGRApkDnQSlBakGsQe5CMEJyQrVC90M6Q31D +wEQDREdEikTORRJFVUWaRd5GIkZnRqtG8Ec1R3tHwEgFSEtIkUjXSR1JY0mpSfBK +N0p9SsRLDEtTS5pL4kwqTHJMuk0CTUpNk03cTiVObk63TwBPSU+TT91QJ1BxULtR +BlFQUZtR5lIxUnxSx1MTU19TqlP2VEJUj1TbVShVdVXCVg9WXFapVvdXRFeSV+BY +L1h9WMtZGllpWbhaB1pWWqZa9VtFW5Vb5Vw1XIZc1l0nXXhdyV4aXmxevV8PX2Ff +s2AFYFdgqmD8YU9homH1YklinGLwY0Njl2PrZEBklGTpZT1lkmXnZj1mkmboZz1n +k2fpaD9olmjsaUNpmmnxakhqn2r3a09rp2v/bFdsr20IbWBtuW4SbmtuxG8eb3hv +0XArcIZw4HE6cZVx8HJLcqZzAXNdc7h0FHRwdMx1KHWFdeF2Pnabdvh3VnezeBF4 +bnjMeSp5iXnnekZ6pXsEe2N7wnwhfIF84X1BfaF+AX5ifsJ/I3+Ef+WAR4CogQqB +a4HNgjCCkoL0g1eDuoQdhICE44VHhauGDoZyhteHO4efiASIaYjOiTOJmYn+imSK +yoswi5aL/IxjjMqNMY2Yjf+OZo7OjzaPnpAGkG6Q1pE/kaiSEZJ6kuOTTZO2lCCU +ipT0lV+VyZY0lp+XCpd1l+CYTJi4mSSZkJn8mmia1ZtCm6+cHJyJnPedZJ3SnkCe +rp8dn4uf+qBpoNihR6G2oiailqMGo3aj5qRWpMelOKWpphqmi6b9p26n4KhSqMSp +N6mpqhyqj6sCq3Wr6axcrNCtRK24ri2uoa8Wr4uwALB1sOqxYLHWskuywrM4s660 +JbSctRO1irYBtnm28Ldot+C4WbjRuUq5wro7urW7LrunvCG8m70VvY++Cr6Evv+/ +er/1wHDA7MFnwePCX8Lbw1jD1MRRxM7FS8XIxkbGw8dBx7/IPci8yTrJuco4yrfL +Nsu2zDXMtc01zbXONs62zzfPuNA50LrRPNG+0j/SwdNE08bUSdTL1U7V0dZV1tjX +XNfg2GTY6Nls2fHadtr724DcBdyK3RDdlt4c3qLfKd+v4DbgveFE4cziU+Lb42Pj +6+Rz5PzlhOYN5pbnH+ep6DLovOlG6dDqW+rl63Dr++yG7RHtnO4o7rTvQO/M8Fjw +5fFy8f/yjPMZ86f0NPTC9VD13vZt9vv3ivgZ+Kj5OPnH+lf65/t3/Af8mP0p/br+ +S/7c/23////AABEIAEAAQAMBIgACEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAA +AQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEH +InEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJ +SlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaan +qKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4 ++fr/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv/xAC1EQACAQIEBAME +BwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ0 +4SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4 +eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS +09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2wBDAAICAgICAgMCAgMEAwMDBAUE +BAQEBQcFBQUFBQcIBwcHBwcHCAgICAgICAgKCgoKCgoLCwsLCw0NDQ0NDQ0NDQ3/ +2wBDAQICAgMDAwYDAwYNCQcJDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0N +DQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ3/3QAEAAT/2gAMAwEAAhEDEQA/AP38pCQASTgD +kk0EgAknAHJJr8MP2zv2z9U+ImqX/wALvhdfvaeEbR3tr+/tn2vrDr8rgOvS0ByA +AcSj5mypAHu8P8P4jNsR7Cholu+iX+fZfpdrxs7zuhllD21bVvZdW/8ALuz9Kvjx ++1h4G+Bo0+0ubK817UNXs1v7GOyKraSW7sVV2umyuG2kjYshxgkAMCfhfWf+CkXx +OnuC3h/wvoNlBnhLz7TePj/fjlthn/gNcXq/g/xd44/Ya8JeM/EGlXVpe+AtQmtb +Se4TY15oF46BJUX75RJGjRCQBsRmGQd1VP2VvAPwpl1XU5v2jNItdN0i5sobrRtS +16/k0i2Z1fayR7p4FmEqyBgxDKPLwCCeeLHZfOhjKmEh7zi2tNb29DrweOhWwsMV +L3VJJ66Wud/o3/BSL4nQXAbxB4X0G9gzyln9ps3x/vyS3Iz/AMBr7g+BX7Xfw9+O +Oqp4XsbK/wBH8QGF5vsdxH50LrGMuY7iIFcKO8ix5OAASa87/wCGU/2O/ijbyL8P +720ExBJn8Oa6L0rjjOx5bqMAH0UV4v8AEz4Ia/8Asl/Abxvqvw4W78S634lkXTbr +WoYFik0fQWXMpMau77mbKvInyjKudnljM4PL6lfFQwj92Umlrpa/qVisdTo4aeK+ +JRTemt7H6sgggEHIPIIpa/DD9jH9s/VPh5qdh8LvijfPd+Ebp0trC/uXy+jux2oG +duTaE4BDH9yOVwoIP7nAggEHIPIIrv4g4fxGU4j2FfVPZ9Gv8+66elm+LJM7oZnQ +9tR0a3XVP/Ls/wDhl//Q/Rz9vr4w3Xwu+CUujaLOYNY8YzNpMDo22SK02FruVe/3 +MRZHIMoPUV+aH7C/7Otl8bPiHP4h8WW/n+FfCnlT3UDj5L28kJMFufVBtLyjnKgK +Rh816l/wVE1u5uPix4S8NsT9nsfDpvox2El7dTRv+OLVa+uf2MLe3+GH7GM3j1Yg +Jp4Nd8R3AI5Y2ZliTOBkgxWqEexr9Yo1nk/CirUNKlZ79db/AJRWnZu5+Z1aSzTi +Z0q2sKS29Lf+3P5pHc+Mv2i/CGs/GiL9miyVVtdTtbrSr/VYzg2epSQn7PDbgfLv +jYAFudspVRgo1fgD460vxHonjTXdF8XzTXGt6fqFzaX8txI0sslxBI0cjM7Es+WX +O4k5HNfTXwB8P6p8Tfj94V0+e+mS9vtY/tK4vA378m033s0gY5/eMImIJz8xzg9K +9I/4KQfDH/hEPjRbeO7KLZYeM7JZ3IGFF/ZBYZwO3MfkuTxlmY+pPH4ZZjGljamE +l9tXXrHp9138jq8Q8A6mDhio/Ydn6Pr99vvKXwC/ZV8deFPH9j8SfjNp8vhzwV4V +sh4mn1GO6hmjvEiAkt4YJrWVwzSkgkK2SgK8My5+3f2dv212+J/xBvfAXxAtLawi +1u6m/wCEflQYAVidllcZ+V3KcJJ8u5gVIyy47H9iHxppnxl/ZntfCXimGLUjoHm+ +HNQt7kCRJrWNQ1vlTn5fs7pGPeM4xjj8p/jR4Ll+C/xq17wrodxJF/YOoRXGnTK2 +ZYopVjurY7v76JImT/eGa+e4xzPGYrMZU8ZZOneKS2331vvue7wrl+Fw2AjPC3an +7zvvtt022Ow/bq/Z2svgr8RIfEXhS3EHhXxYZZ7WBBhLK8jIM9uvYRncHiHGFJQD +CZr9K/2BPjFcfFD4JxaFrExm1jwZKmlTOxJeWzK7rSRj67A0XXJMWT1rn/2zba1+ +J/7GEXj2WMNcQW+heI7bauNrXhiifGeQBFdOce1fIv8AwS71u5t/ix4t8NqT9nvv +DovpB2MlldQxp+OLpq+tq1nnHCkq1fWpRe/pb/21692rnzFKksr4mVKjpCqtvW// +ALcvkmf/0e//AOComiXNv8WPCXiRgfs994dNjGexksrqaR/xxdLX1z+xrc2/xR/Y +um8BQyj7TBba74buCxxte782WPOOQBFdIM+1dD+338Hbj4ofBOXXdHhM2seDJX1W +FFBLy2ZXbdxqPXYFl6ZJiwOtfmn+wv8AtFWXwT+Ic/h7xZceR4V8V+VBdTufksry +MkQXB9EO4pKeMKQxOExX6xSovOOFI0aGtSi9uul/zi9O7Vj8zq1VlfEzq1tIVVv6 +2/8Abl8kzkPgv40l+C/xq0HxVrlvJF/YOoS2+owsuZYopVktbkbf76JI+B/eGK/b +r4x/Br4b/tT/AA70+x1G+d7JnTUtI1fTHRnjZ1I3IWDK8cinDoRzx0ZQR8i/te/s +har4s1W5+LXwltlvbu9UTatpMJ/eXEne5tudrs68yRjBYjcu5mIr8/8AwX8afjV8 +F5bjQ/CuvahoPlSMs2nXEayxRSn72ba6jkRH9TsDetfl2GxNXD1Y1qMuWUdmj9Gx +GHp16bo1leL3R+3fwc+Dnw5/ZZ+HN/p2nX8iWCSSanq2ranIis7KgUsxUKiRoigI +gHHuxJP4ifGjxpL8aPjVr3irQ7eSX+3tQit9OhVcSyxRLHa2w2/33SNMj+8cUeNP +jT8avjRLb6H4q17UNe82RVh063jWKKWUfdxbWscaO/odhb0r9AP2Qv2QtV8J6rbf +Fr4tWy2V3ZKZtJ0mY/vLeTtc3PO1GReY4zkqTubaygUYnE1cRVlWrSvKW7DD4enQ +pqjSVorZHdftn3Fv8MP2MYfATSgTTwaF4ctyDyxszFK+MnJBitXB9jXyN/wS70S5 +uPix4t8SKD9nsfDosZD2El7dQyJ+OLVq8t/bo/aKsvjZ8Q4PD3hO48/wr4U82C1n +Q/Je3khAnuB6oNoSI85UFgcPiv0v/YF+D118LvglFrOtQGDWPGMy6tOjrtkitNgW +0ibv9zMuDyDKR1FfqNai8n4UdGvpUrPbrrb8orXs3Y/OaVVZpxMqtHWFJb+l/wD2 +5/NI/9L9+yAQQRkHgg1+GH7Z37GGqfDvVL/4o/C6we78I3bvc39hbJufR3b5nIRe +toTkggYiHythQCf3QpCAQQRkHgg17vD/ABBiMpxHt6Gqe66Nf59n+l0/GzvJKGZ0 +PY1tGtn1T/y7o/nx/Z1/bo+IfwTsrfwn4hg/4SvwrBhILWeXy7yyT0t5yGyg7ROC +owApQZr9C7f9s/8AYx+J9vE3j2GCCYgAW/iPQjeFSOcb4orqIAHuWFdJ8Yf2Bfgl +8UbqfWtGim8HaxOWd59JVPsksjfxS2jfJ15PlGIk9Sa+Itb/AOCXfxYt7kp4b8W+ +Hb63zxJfC6spCP8AcjhuQD7b6+7rVuFM3ft6zdGo9+mv3OL9dG+p8ZSpcTZWvY0k +qsFt1/VS/NI+urn9sv8AYv8AhfbyTeA4bae5AKm38N6EbR2B+bHmSxWsRBJ5w557 +V+ef7RX7dHxD+NllceE/D0H/AAinhWfKT2sEvmXl6npcTgLhD3iQBTkhi4xXqWif +8Eu/ixcXITxJ4t8O2NvnmSxF1eyAf7kkNsCfbfX218Hf2BPgn8L7iHWNdil8Z6xC +QyTaqiizicHho7Ncpn/rq0pB5GKKNXhTKH7ejJ1qi266/co/PVroFalxNmi9jVSp +Qe/T9XL8kz4S/Yx/Yw1T4iapYfFH4o2D2nhG0dLmwsLlNr6w6/MhKN0tAcEkjEo+ +VcqSR+54AAAAwBwAKAAAABgDgAUtfCcQcQYjNsR7evolsuiX+fd/pZL7PJMkoZZQ +9jR1b3fVv/Lsj//ZiQI4BBMBAgAiBQJU5iKkAhsDBgsJCAcDAgYVCAIJCgsEFgID +AQIeAQIXgAAKCRAg43wlmVtPhXEjD/9mSd6d5RhiqbG0FXRpFGMkSGJ1M0wp+8w0 +dAmnq7Ws8OX/1sB0C3vl+pgxkXXnNEwtuFrEA1wWDE2TqUBHKMXuP442ZSxFg+d4 +wGavkWxmVUSnik3YoenUDl1QnXkLpQ5Q1Ljcs5sqshvny974lY7IwxburvtPAWUo +2X6ImgKCK6xsFD8AVKf+Bmi0yYhchBy1LeyWdlNTOykZ/I7PfuYNTDZB0L6vdsl0 +mfwBMUNO7we6Rtng4QGmSuBkyoXqrtBATGXiM/8Z5yUsoZ0SvSx3d9DVR8mu0OSj +Yf10w+SCx1sbQGo8FHCniFfIuk88QLQvblDn/e/lAoiQ+vyFx/7HoKOw/4TTrCyX +F/rEYwgXUwNIACzuqeMWxr+Z20ikx/Ee8I9KFwwBZT2TPOQ02CrGeq67MK5jFeJe +mo59084/yB9eeMyd5wYMX0g9vGk56DnXZL8kcDDvaT/0ed/vUjx2BHd3WLi2PaiE +0aBhqzad7rhI9Bh7QCADvOn/g2DxTGHgD5T0qwp9TkDjZ033TlEkPGDma3QKoKep +AMeXe0fj6kiVhEwIXQsxp4GwRk7cm0lOXyEB+8N+jY6R1zV6+nDpMPD9gp/0mBKL +m17n36QldJ7c3UdQQG+5n+M63E6N2lcor9dBCCYVwsiFI/X3wi8fHMcPvWrE7oQA +NvwBmbXCpYiiBBABCgAMBQJU5iOSBYMHhh+AAAoJEKkul4vkAkl9wlMD/RahquaF +BcOFBWhhf76tfRkCTVIAUSGjQi8UzoNUnSJgDD98IJaRhWrFyTlmGMkxfN9cS98/ +ETKOMUObC3OPwoFhc9HcgpJx13Ibg/KcsmaLoaxumCiLNSKBKtGHgr7zxDgmnoq+ +xQ1BCfovxpqBoDZcAHXVQffRUFVFHnUfg/6jiQEiBBABCgAMBQJU5iOtBYMHhh+A +AAoJEH0Oec13Yh7Nyq4H/jKgreYNB9HaYweCvJKKjn6aQsJb0DTpWNtRKEXMKWc8 +3eSQD+PxEa9RhpIaenddUhDKvQTmgsCtzeC9Xkuqq8taxdFfaBWB1af81cSsgHln +ktbQ1gb2hTqAUk72QtNHtGJ8qNc9V4B2SezlPJynJm/ppYvq6QtmydW+4TkqbycT +ktZO/7+pRGKnQF9xtWjyxXdOD+rvJEZznQYBj9SxHFta2amKKC46PCaJPDDz6yTg +XClZVTIDXsEXdkg5J7dqMbWXPx0LUandcRV5JZJAKcPdxlngZ6skUkuesmyqsLo7 +Hih/oWFGg6u3tCeCT5tvdOXwC0weJ9TrrLKvTpnqsYi5Ag0EVOYiAAEQAM7x0upj +nGeDbxbsbJOPvqViMDKonCvNgisoFO2f1ciJPLfPC3XKWGyyUVbnAhahxx9fm1sS +lH11VWz1w6SAmPd5Fbyxay5LxeEmGSkkD25fBLeKJxqQxkBc7JS+O94I8J0i2cH0 +ksIy9184+8H3WJ/85ekrnOT+/6Sh1RGc7PSf3RweckoiFAV7/KlJtRGL0XXCZA4T +fImA+i49z7AshWh54WJve4thIOZ5r//dOJSxWXP+e0oMXl8EmgVjl+e95xC1WoR3 +tTjGX+nh3E/KZpK5LYzrJTR04WQAtEfH7RcHWa/RJpRkNczEga1h9/33aw9sZ3YY +4ABDVLMs0Gkv+s3OQQJWfHSYYwqjOBi4XJnAwsWYXdciqLOoWzI4GoMOhlQdeWx7 +N7YqYitmmmZe4fQc6Yz0wG3XTEucH+dW/r+gKAw9X9jTPFUAkEixq0ZlofB190ZA +HNfmuMgv0BLLvCYmTgawgNuEPNamftHOqrR4C1fnm2RHFG0B+XuD/EcStZWNpCVa +vczxi6knHZt3q0Pfm6sZn1v12YIsGQd15uNg6TDoKKh3p6VxXAcIVEdmO7N7BhCf +oSM5CB1x/v1WdrU71PxppWRdZTWFP5k3Vt5BUYOuKPAuYbhYWHdhH6e+FBzXNodd +58EP++33A88nPT+eYqWeghich2hQ6jINu/0zABEBAAGJAh8EGAECAAkFAlTmIgAC +GwwACgkQION8JZlbT4U6AQ/+NFHfFoCBNSb1lKyy9psb7WiW2DVuYkYBKwkkJCnR +Swgvty2zaON7eFOrJiiFDRw0egjdad6cerddwHocKTTjYgyTec+esZ8i06u42h7d +sGQU/D0O7QUqb3DI971toREkl3rY3URaXVRWblXwSnV/y3E/jRQSQycWNFWqJJum +xfZoAIVvXFKI1R0jhVkvL1+R1Y8LwJReiavUxi85rTPW90ztyK3/Ls2Djlqt8aDm +E0/fwCuHtNzoNohF2vz1FcBajxQD+eWHuZOsLeEtAXVaCPXCYJ9L6jB6l7EfnHrn +IigsvrEpKje7T00HfT4QgVdXGa5RbT/cS5Uo/IcOcmKyWwP3XV0K8vER/5b81Leg +bH06GGDO2VsZ+lCFqiTBVPnRPQWp4D/hokQslXhD0Gff4fcGxBRwp3Jd9ui6Yia1 +RbuhddT+5eatbSkXRv0iuAOf+2+luKwnuD5i0Vt2MB59YkCWmVebPyIME9VDZ2U6 +untC5IfVR0PAst81BTfC83qShc965GcBqbEBybQVRLNFFODzxt9P9N3Zc8FdiNOw +YWAmTe2FQN49eSAUc76DOWVGwDb1OZvRU6f/vexq3AYyk6KGpP+XfBFBPZTs58bL +goFta/pZDpqZ3SyhiOv+ZdgufF/Y7T4YQEWjgWLtdsL7DDMut+T8urvTNQUUFKc7 +0w8= +=DzbW +-----END PGP ARMORED FILE----- diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..cf8ed30 --- /dev/null +++ b/debian/watch @@ -0,0 +1,9 @@ +version=3 + +opts=pasv,\ +pgpsigurlmangle=s/$/.sig/,\ +repacksuffix=+dfsg,\ +dversionmangle=s/\+(git$|dfsg)//,\ +uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/\ + ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-(.+)\.tar\.gz + |