Diffstat (limited to 'debian')
-rw-r--r--debian/.git-dpm8
-rw-r--r--debian/README.Debian9
-rw-r--r--debian/README.rfc13
-rw-r--r--debian/README.source7
-rw-r--r--debian/changelog1497
-rw-r--r--debian/control253
-rw-r--r--debian/copyright232
-rw-r--r--debian/freeradius-common.dirs1
-rw-r--r--debian/freeradius-common.install1
-rw-r--r--debian/freeradius-common.manpages3
-rw-r--r--debian/freeradius-common.postinst22
-rw-r--r--debian/freeradius-common.postrm26
-rw-r--r--debian/freeradius-config.install1
-rw-r--r--debian/freeradius-config.lintian-overrides6
-rw-r--r--debian/freeradius-config.postinst52
-rw-r--r--debian/freeradius-config.postrm46
-rw-r--r--debian/freeradius-config.preinst27
-rw-r--r--debian/freeradius-dhcp.install3
-rw-r--r--debian/freeradius-dhcp.postinst23
-rw-r--r--debian/freeradius-dhcp.postrm24
-rw-r--r--debian/freeradius-iodbc.install1
-rw-r--r--debian/freeradius-iodbc.lintian-overrides2
-rw-r--r--debian/freeradius-iodbc.postinst14
-rw-r--r--debian/freeradius-krb5.install1
-rw-r--r--debian/freeradius-krb5.postinst14
-rw-r--r--debian/freeradius-ldap.install1
-rw-r--r--debian/freeradius-ldap.postinst14
-rw-r--r--debian/freeradius-memcached.install1
-rw-r--r--debian/freeradius-memcached.postinst14
-rw-r--r--debian/freeradius-mysql.install1
-rw-r--r--debian/freeradius-mysql.postinst14
-rw-r--r--debian/freeradius-postgresql.install1
-rw-r--r--debian/freeradius-postgresql.lintian-overrides2
-rw-r--r--debian/freeradius-postgresql.postinst14
-rw-r--r--debian/freeradius-python3.install1
-rw-r--r--debian/freeradius-python3.postinst14
-rw-r--r--debian/freeradius-redis.install1
-rw-r--r--debian/freeradius-redis.postinst14
-rw-r--r--debian/freeradius-rest.install1
-rw-r--r--debian/freeradius-rest.postinst14
-rw-r--r--debian/freeradius-utils.install11
-rw-r--r--debian/freeradius-yubikey.install1
-rw-r--r--debian/freeradius-yubikey.postinst14
-rw-r--r--debian/freeradius.NEWS7
-rw-r--r--debian/freeradius.default2
-rw-r--r--debian/freeradius.dirs2
-rw-r--r--debian/freeradius.docs3
-rw-r--r--debian/freeradius.examples14
-rw-r--r--debian/freeradius.init119
-rw-r--r--debian/freeradius.install59
-rw-r--r--debian/freeradius.lintian-overrides3
-rw-r--r--debian/freeradius.logrotate50
-rw-r--r--debian/freeradius.postinst69
-rw-r--r--debian/freeradius.postrm18
-rw-r--r--debian/freeradius.prerm14
-rw-r--r--debian/freeradius.radiusd.pam11
-rw-r--r--debian/freeradius.service68
-rw-r--r--debian/gbp.conf2
-rw-r--r--debian/libfreeradius-dev.install2
-rw-r--r--debian/libfreeradius3.install3
-rw-r--r--debian/libfreeradius3.lintian-overrides3
-rw-r--r--debian/lintian-overrides7
-rw-r--r--debian/not-installed7
-rw-r--r--debian/patches/0002-gitignore.diff.patch29
-rw-r--r--debian/patches/0006-jradius.diff.patch17
-rw-r--r--debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch22
-rw-r--r--debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch152
-rw-r--r--debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch32
-rw-r--r--debian/patches/disable-dhcp-bydefault.diff12
-rw-r--r--debian/patches/dont-install-tests.diff24
-rw-r--r--debian/patches/fix-intermediate-ca.patch33
-rw-r--r--debian/patches/fix-tls-client-cert-common-name-1.patch40
-rw-r--r--debian/patches/fix-tls-client-cert-common-name-2.patch29
-rw-r--r--debian/patches/fix-ttls-mschapv2.patch40
-rw-r--r--debian/patches/series12
-rw-r--r--debian/patches/snakeoil-certs.diff132
-rwxr-xr-xdebian/rules80
-rw-r--r--debian/salsa-ci.yml17
-rw-r--r--debian/source/format1
-rw-r--r--debian/tests/clients34
-rw-r--r--debian/tests/control7
-rw-r--r--debian/tests/daemon18
-rw-r--r--debian/tests/freeradius6
-rw-r--r--debian/tests/rlm_python3-data/python3.mods-available66
-rw-r--r--debian/tests/rlm_python3-data/python3.sites-available85
-rw-r--r--debian/tests/rlm_python3-data/ubuntu_example.py.mods-config26
-rw-r--r--debian/tests/rlm_python3-test43
-rw-r--r--debian/tests/test-freeradius.py133
-rw-r--r--debian/tests/testlib.py1151
-rw-r--r--debian/upstream/signing-key.asc238
-rw-r--r--debian/watch9
91 files changed, 5370 insertions, 0 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
new file mode 100644
index 0000000..7671acb
--- /dev/null
+++ b/debian/.git-dpm
@@ -0,0 +1,8 @@
+# see git-dpm(1) from git-dpm package
+2d3fc90013125f3c7340b2ceb9d91b4ef85da76d
+2d3fc90013125f3c7340b2ceb9d91b4ef85da76d
+6b177c836eff45faa5b68646fe00f582d6f18dee
+6b177c836eff45faa5b68646fe00f582d6f18dee
+freeradius_2.2.8+dfsg.orig.tar.gz
+661ba3a9ec1f089f68807f440421fcf333082b8f
+3584595
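Review bot: The upstream tarball recorded in this file, `freeradius_2.2.8+dfsg.orig.tar.gz` with the 40-hex digest and size on the two lines after it, does not match the `3.2.1+dfsg` version that the debian/changelog hunk of this same commit declares. README.source in this commit describes a `gbp import-orig` workflow, so the file looks like a leftover that git-dpm no longer maintains (inferred, not shown here). A stale digest misleads anyone who uses it to check a downloaded orig tarball: it fails on the correct 3.2.1 tarball, or it trains people to ignore the mismatch. I would drop debian/.git-dpm from the package, or regenerate it against the current upstream tarball if git-dpm is still in use.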
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..e5ce82c
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,9 @@
+Runlevel Changes
+================
+In freeradius 1.1.5-1, we changed our update-rc.d call so that we start
+at S50 and stop at K19 in order to fix dependency issues with various
+databases. This only takes effect for new installs however. If you
+want to update your existing install to do the same, a quick method is:
+
+update-rc.d -f freeradius remove
+update-rc.d freeradius start 50 2 3 4 5 . stop 19 0 1 6 .
diff --git a/debian/README.rfc b/debian/README.rfc
new file mode 100644
index 0000000..e27923a
--- /dev/null
+++ b/debian/README.rfc
@@ -0,0 +1,13 @@
+These are the relevant RFC's that normally ship with freeradius. However,
+we have now decided that useful things like RFC's are not free enough, and
+so we can't ship them in Debian main. They are all available from the
+original freeradius tarball, available at
+ftp://ftp.freeradius.org/pub/radius/
+and from
+http://www.rfc-editor.org/
+
+Sorry for the inconvenience.
+
+Stephen Gran <sgran@debian.org>
+
+draft-kamath-pppext-eap-mschapv2-00
diff --git a/debian/README.source b/debian/README.source
new file mode 100644
index 0000000..ea7ce1e
--- /dev/null
+++ b/debian/README.source
@@ -0,0 +1,7 @@
+To import a new upstream version, I use:
+
+ gbp import-orig --pristine-tar --uscan
+
+The Files-Excluded tag in debian/copyright will be taken into account by uscan,
+resulting in a DFSG-free tarball (i.e. without the non-free RFCs) being created
+from the latest upstream tarball.
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..7425bce
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,1497 @@
+freeradius (3.2.1+dfsg-4+deb12u1) bookworm; urgency=medium
+
+ * Add d/gbp.conf for bookworm stable branch
+ * Cherry-Pick two upstream commits to fix TLS-Client-Cert-Common-Name
+ contains incorrect value (Closes: #1043282)
+
+ -- Bernhard Schmidt <berni@debian.org> Sat, 19 Aug 2023 00:26:34 +0200
+
+freeradius (3.2.1+dfsg-4) unstable; urgency=medium
+
+ * Don't install symlink for cache_eap module no longer shipped
+ (Closes: #1035853)
+
+ -- Bernhard Schmidt <berni@debian.org> Tue, 16 May 2023 00:04:23 +0200
+
+freeradius (3.2.1+dfsg-3) unstable; urgency=medium
+
+ * Cherry-pick upstream patch to fix partical CA support (Closes: #1032590)
+
+ -- Bernhard Schmidt <berni@debian.org> Fri, 10 Mar 2023 08:53:27 +0100
+
+freeradius (3.2.1+dfsg-2) unstable; urgency=medium
+
+ * Cherry-pick upstream fix for EAP-TTLS-MSCHAPv2 with TLSv1.3
+ (Closes: #919234)
+
+ -- Bernhard Schmidt <berni@debian.org> Tue, 07 Mar 2023 22:51:06 +0100
+
+freeradius (3.2.1+dfsg-1) unstable; urgency=medium
+
+ * New upstream version 3.2.1+dfsg (Closes: #1025426)
+ * Drop d/p/mkdirp.diff, fixed upstream
+ * Drop d/p/python_config_script_update.diff, fixed upstream
+ * Refresh patch
+ * Fix lintian overrides
+ * Bump debhelper to version 13, drop old dbgsym migration
+
+ -- Bernhard Schmidt <berni@debian.org> Wed, 28 Dec 2022 00:10:38 +0100
+
+freeradius (3.2.0+dfsg-1) unstable; urgency=medium
+
+ * Acknowledge NMU, thanks Andreas Metzler
+ * New upstream version 3.2.0+dfsg (Closes: #1011041)
+ - Drop rlm_{cram,otp} (removed upstream), add rlm_json
+ * Refresh d/p/snakeoil-certs.diff
+ * Refresh d/p/python_config_script_update.diff
+ * Import test updates from Ubuntu, thanks Andreas Hasenack
+ - Add test for rlm_python3 (LP: #1969381):
+ - d/t/control: new rlm_python3 test
+ - d/t/rlm_python3-test: test the rlm_python3 module
+ - d/t/rlm_python3-data/*: test files
+ - d/t/freeradius: run python tests in verbose mode
+ - d/t/test-freeradius.py: test more authentication mechanisms
+
+ -- Bernhard Schmidt <berni@debian.org> Sat, 28 May 2022 22:24:26 +0200
+
+freeradius (3.0.25+dfsg-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * python_config_script_update.diff: Update configurre script in
+ src/modules/rlm_python3 (aclocal + autoconf + cleanup), to fix breakage
+ when built against python 3.10. Closes: #1008832
+
+ -- Andreas Metzler <ametzler@debian.org> Sat, 23 Apr 2022 15:43:51 +0200
+
+freeradius (3.0.25+dfsg-1) unstable; urgency=medium
+
+ [ Bernhard Schmidt ]
+ * New upstream version 3.0.25+dfsg
+ - rlm_eap_peap dropped upstream
+ - rlm_sql_map and rlm_totp added
+ * Fix a lot of lintian overrides
+
+ [ Debian Janitor ]
+ * Remove constraints unnecessary since buster
+
+ -- Bernhard Schmidt <berni@debian.org> Tue, 22 Feb 2022 22:38:13 +0100
+
+freeradius (3.0.21+dfsg-3) unstable; urgency=medium
+
+ * Acknowledge NMUs, thanks
+ * Cherry-Pick upstream fix for a crash bug (Closes: #992036)
+ * Cherry-Pick upstream fix to add missing continuation in postgresql
+ sample config (Closes: #992207)
+
+ -- Bernhard Schmidt <berni@debian.org> Mon, 23 Aug 2021 15:49:43 +0200
+
+freeradius (3.0.21+dfsg-2.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Don't fail postinst if daemon is not running (Closes: #991561, #932113)
+
+ -- Jochen Sprickerhof <jspricke@debian.org> Wed, 28 Jul 2021 12:28:32 +0200
+
+freeradius (3.0.21+dfsg-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix capabilities in service file.
+ As freeradius is not run as root we need to request extra capabilities
+ wiht AmbientCapabilities instead of limiting the set with
+ CapabilityBoundingSet. (Closes: #985967)
+
+ -- Jochen Sprickerhof <jspricke@debian.org> Fri, 23 Jul 2021 13:19:03 +0200
+
+freeradius (3.0.21+dfsg-2) unstable; urgency=medium
+
+ * Cherry-Pick upstream fixes to build with Python3.8 (Closes: #966860)
+ * Drop migration code for versions earlier than oldstable (Squeeze)
+ * Temporarily collectd integration (again) due to RC bugs
+ * Bump to debhelper compat 10
+
+ -- Bernhard Schmidt <berni@debian.org> Mon, 24 Aug 2020 10:46:49 +0200
+
+freeradius (3.0.21+dfsg-1) unstable; urgency=medium
+
+ [ Bernhard Schmidt ]
+ * New upstream version 3.0.21+dfsg
+ * Sync freeradius.service with upstream, notable changes
+ - run as unprivileged user freerad
+ - use RuntimeDirectory (Closes: #954911)
+ - set ReadOnlyDirectories to the configuration (Closes: #955206)
+ - set some Protect* settings
+ - enable reloading the configuration
+ * Enable the control-socket site in autopkgtest and attempt a connection
+ to validate the fix for #954911
+ * Reenable collectd integration, it does not pull in the world anymore
+ on sid, thanks to Bernd Zeimetz (Closes: #948996)
+
+ [ Sven Hartge ]
+ * d/freeradius.service: Drop manual chown, not necessary
+
+ -- Bernhard Schmidt <berni@debian.org> Wed, 01 Apr 2020 14:21:17 +0200
+
+freeradius (3.0.20+dfsg-3) unstable; urgency=medium
+
+ * Upload to unstable
+
+ -- Bernhard Schmidt <berni@debian.org> Mon, 09 Dec 2019 23:42:23 +0100
+
+freeradius (3.0.20+dfsg-2) experimental; urgency=medium
+
+ * Drop freeradius-python2, build experimental freeradius-python3
+ (Closes: #936558)
+ * Switch run-time tests to python3
+ * Build with systemd support, use Type=notify in systemd unit
+ (Closes: #920345)
+ * Bump Standards-Version to 4.4.1, no changes needed
+
+ -- Bernhard Schmidt <berni@debian.org> Fri, 29 Nov 2019 23:54:37 +0100
+
+freeradius (3.0.20+dfsg-1) unstable; urgency=medium
+
+ * New upstream version 3.0.20+dfsg
+ * Fix reload action on sysvinit (Closes: #940608)
+
+ -- Bernhard Schmidt <berni@debian.org> Fri, 29 Nov 2019 18:03:07 +0100
+
+freeradius (3.0.19+dfsg-3) unstable; urgency=medium
+
+ * Drop collectd integration from freeradius-utils - temporarily?
+ collectd is marked for autoremoval at the end of August due to three
+ RC bugs that do not show any recent activity (Bug#925849, Bug#926528,
+ Bug#932299). Additionally, depending on libcollectdclient pulls in
+ (with Recommends on collectd) 200 additional binary packages. See
+ Bug#933296.
+
+ -- Bernhard Schmidt <berni@debian.org> Wed, 21 Aug 2019 17:11:40 +0200
+
+freeradius (3.0.19+dfsg-2) unstable; urgency=medium
+
+ * Import upstream patch to fix atomics FTBFS on armel etc (Closes: #933634)
+ * Fix wrong wnpp Bug# in previous changelog
+ * Drop patch files already applied upstream
+
+ -- Bernhard Schmidt <berni@debian.org> Thu, 01 Aug 2019 15:49:11 +0200
+
+freeradius (3.0.19+dfsg-1) unstable; urgency=medium
+
+ [ Sven Hartge ]
+ * New upstream version 3.0.19+dfsg
+ * Refresh and remove patches
+ Removed:
+ - disable-session-cache-CVE-2017-9148.patch
+ Fixed Upstream
+ - spelling-fixes.diff
+ Applied Upstream
+ - CVE-2019-11234-1.patch
+ - CVE-2019-11234-2.patch
+ Fixed Upstream
+ * Add Salsa CI pipeline
+
+ [ Bernhard Schmidt ]
+ * Adopt package, help welcome. Thanks to Michael Stapelberg for working on
+ freeradius so far (Closes: #923034)
+ * Drop Josip from Uploaders (Closes: #842469)
+ * Drop Stephen Gran from Uploaders (Closes: #838404)
+ * Fix sysvinit stop by supplying executable to killproc.
+ Thanks to Benjamin Boudoir (Closes: #931920)
+ * Move to debian (former collab-maint) namespace on Salsa for easier
+ collaborative maintainership, adjust Vcs-* fields
+ * Override missing-dep-for-interpreter lintian error on shipped sample
+ files in freeradius-config
+
+ -- Bernhard Schmidt <berni@debian.org> Mon, 29 Jul 2019 22:25:30 +0200
+
+freeradius (3.0.17+dfsg-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Cherry-Pick upstream commits to fix CVE-2019-11234 / CVE-2019-11235 /
+ VU#871675 (Invalid Curve Attack and Reflection Attack on EAP-PWD, leading
+ to authentication bypass) (Closes: #926958)
+
+ -- Bernhard Schmidt <berni@debian.org> Mon, 22 Apr 2019 23:23:36 +0200
+
+freeradius (3.0.17+dfsg-1) unstable; urgency=medium
+
+ * stop using pristine-tar
+ * New upstream version 3.0.17+dfsg
+
+ -- Michael Stapelberg <stapelberg@debian.org> Mon, 07 Jan 2019 09:38:17 +0100
+
+freeradius (3.0.16+dfsg-5) unstable; urgency=medium
+
+ * Revert "Strip rpath from a few modules." (Closes: #911180)
+
+ -- Michael Stapelberg <stapelberg@debian.org> Fri, 14 Dec 2018 09:33:40 +0100
+
+freeradius (3.0.16+dfsg-4.1) unstable; urgency=medium
+
+ * Non-maintainer upload with permission.
+ * Split out python2 freeradius module into a standalone package.
+ (Closes: #900064)
+ * Strip rpath from a few modules.
+ * Drop upstart system jobs.
+ * Update git vcs URLs to salsa.
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 25 Sep 2018 15:18:31 +0100
+
+freeradius (3.0.16+dfsg-3) unstable; urgency=medium
+
+ * Change default /etc/freeradius permission from 2751 to 2750 (Closes: #890933)
+
+ -- Michael Stapelberg <stapelberg@debian.org> Tue, 20 Mar 2018 07:52:46 +0100
+
+freeradius (3.0.16+dfsg-2) unstable; urgency=medium
+
+ * Remove sites-enabled/* from freeradius-config (Closes: #889593)
+
+ -- Michael Stapelberg <stapelberg@debian.org> Sun, 25 Feb 2018 16:25:54 +0100
+
+freeradius (3.0.16+dfsg-1) unstable; urgency=medium
+
+ * New upstream version 3.0.16+dfsg
+
+ -- Michael Stapelberg <stapelberg@debian.org> Mon, 22 Jan 2018 19:05:09 +0100
+
+freeradius (3.0.15+dfsg-2) unstable; urgency=medium
+
+ * logrotate: don’t accidentally define global options (Closes: #872158)
+
+ -- Michael Stapelberg <stapelberg@debian.org> Tue, 15 Aug 2017 09:50:16 +0200
+
+freeradius (3.0.15+dfsg-1) unstable; urgency=high
+
+ * New upstream version 3.0.15+dfsg, addressing the following security issues:
+ CVE-2017-10978 (denial of service)
+ CVE-2017-10984 (remote code execution, denial of service)
+ CVE-2017-10985 (denial of service)
+ CVE-2017-10983 (denial of service)
+ CVE-2017-10986 (denial of service)
+ CVE-2017-10987 (denial of service)
+ (Closes: #868765)
+
+ -- Michael Stapelberg <stapelberg@debian.org> Tue, 18 Jul 2017 20:49:31 +0200
+
+freeradius (3.0.14+dfsg-3) unstable; urgency=medium
+
+ * Revert "Work around debhelper bug to fix FTBFS (Closes: #866978)"
+ (fixed upstream in debhelper 10.6.3)
+
+ -- Michael Stapelberg <stapelberg@debian.org> Tue, 18 Jul 2017 09:30:49 +0200
+
+freeradius (3.0.14+dfsg-2) unstable; urgency=medium
+
+ * Work around debhelper bug to fix FTBFS (Closes: #866978)
+
+ -- Michael Stapelberg <stapelberg@debian.org> Wed, 05 Jul 2017 08:23:11 +0200
+
+freeradius (3.0.14+dfsg-1) unstable; urgency=medium
+
+ * New upstream version 3.0.14+dfsg
+ * Switch to dh_missing’s --fail-missing feature
+ * Install missing file rlm_sql_freetds.so
+ * drop debian/patches/openssl-autoconf.diff (merged upstream)
+ * drop debian/patches/openssl-1.1.diff (merged upstream)
+ * drop debian/patches/manpage-fixes.diff (merged upstream)
+ * refresh patches
+ * add build-dependency on freetds-dev to build rlm_sql_freetds
+ * update Standards-Version to 4.0.0 (no changes necessary)
+
+ -- Michael Stapelberg <stapelberg@debian.org> Mon, 03 Jul 2017 09:01:13 +0200
+
+freeradius (3.0.12+dfsg-5) unstable; urgency=high
+
+ * disable session cache to address CVE-2017-9148 (closes: #863673)
+
+ -- Michael Stapelberg <stapelberg@debian.org> Tue, 30 May 2017 17:18:34 +0200
+
+freeradius (3.0.12+dfsg-4) unstable; urgency=medium
+
+ * fix openssl-1.1.diff: initialize ctx_out
+ * fix openssl-1.1.diff: remove const to fix warnings
+ * fix openssl-1.1.diff: initialize hctx, use HMAC_Init_ex
+ * Build-depend on default-libmysqlclient-dev
+ * Exempt mips64el from libcollectdclient-dev build-dependency
+ * freeradius.postinst: revert incorrect removal of /var/log file creation
+ * d/t: update tests for 3.x (Closes: #710895)
+ * Remove unused lintian overrides binary-or-shlib-defines-rpath
+
+ -- Michael Stapelberg <stapelberg@debian.org> Thu, 17 Nov 2016 22:29:04 +0100
+
+freeradius (3.0.12+dfsg-3) unstable; urgency=medium
+
+ * update debian/patches/openssl-1.1.diff to fix compilation with older
+ OpenSSL versions.
+ * maintscripts: fix symlink creation condition
+
+ -- Michael Stapelberg <stapelberg@debian.org> Thu, 10 Nov 2016 10:12:15 +0100
+
+freeradius (3.0.12+dfsg-2) experimental; urgency=medium
+
+ * Build-Depends: libjson-c-dev pulls in the corresponding library
+ * not-installed: prefix debian/tmp to work with older debhelper
+ * Update upstream signing-key
+ * clarify freeradius-config’s purpose
+ * update debian/patches/openssl-1.1.diff
+ * Switch from custom rm_conffile to dh_installdeb
+ * Install configuration in /etc/freeradius/3.0 (closes: #839931)
+ * Correctly grep for usage of snakeoil certs
+ * Remove all use of dpkg-statoverride
+ * chown/chgrp: use --no-dereference to not follow symlinks
+ * no-op reformatting: consistently indent maintscripts
+ * Directly use invoke-rc.d, remove init script fallback
+
+ -- Michael Stapelberg <stapelberg@debian.org> Sat, 05 Nov 2016 11:11:29 +0100
+
+freeradius (3.0.12+dfsg-1) experimental; urgency=medium
+
+ * New upstream version.
+ drop debian/patches/jlibtool-dependency.diff (applied upstream)
+ drop debian/patches/relative-include-paths.diff (applied upstream)
+ drop debian/patches/dir-dependencies.diff (applied upstream)
+ drop debian/rad_counter.1 (applied upstream)
+ add debian/patches/manpage-fixes.diff
+ * freeradius-config: add missing Breaks/Replaces (closes: #839931)
+ * libfreeradius3: add missing Breaks/Replaces (closes: #839034)
+ * freeradius-{dhcp,config}: postrm: only call rmdir if directory exists
+ (closes: #839914)
+
+ -- Michael Stapelberg <stapelberg@debian.org> Sat, 08 Oct 2016 13:35:04 +0200
+
+freeradius (3.0.11+dfsg-1) experimental; urgency=medium
+
+ * New upstream version
+ closes: #797181
+ closes: #813478
+ closes: #696250
+ closes: #651456
+ closes: #814423
+ closes: #728306
+ closes: #806617
+ * re-order alternatives, sbuild always choses the first one
+ * debian/rules: move to dh(1)
+ * add lintian-overrides for fortify-functions
+ * Place package under pkg-freeradius team maintenance
+ * remove obsolete lintian override
+ * add debian/patches/spelling-fixes.diff
+ * freeradius.service: remove obsolete syslog.target
+ * Update Standards-Version to 3.9.8 (no changes necessary)
+ * debian/watch: mangle +dfsg suffix
+ * add debian/patches/dont-install-tests.diff
+ * Enable parallel compilation
+ * Install libfreeradius-*.{so,a}
+ * 0001-Rename-radius-to-freeradius.patch: update manpage/usage
+ (closes: #775281)
+ * Fix compilation with OpenSSL 1.1 (closes: #828305)
+ * Update Build-Depends
+ * add snakeoil-certs.diff: use snakeoil certs in the default config
+ * add relative-include-paths.diff for reproducible builds
+ * Create the mods-enabled links in freeradius-config.postinst
+ * Update debian/copyright
+ * Use dh-autoreconf to update autotools files
+ * add README.source, documenting importing new upstream versions
+ * Add NEWS.Debian with pointer to upgrading guide
+ * Add rad_counter.1 manpage
+
+ -- Michael Stapelberg <stapelberg@debian.org> Sun, 25 Sep 2016 02:38:49 +0200
+
+freeradius (2.2.8+dfsg-0.1) unstable; urgency=medium
+
+ * Non-maintainer Upload
+ * New Upstream version
+ * Add myself to uploaders
+ * Include ubuntu multiarch python patch
+ * Include ubuntu autotests (Thanks probably to
+ yolanda.robla@canonical.com, marc.deslauriers@ubuntu.com)
+ * New standards version; no changes
+
+ -- Sam Hartman <hartmans@debian.org> Mon, 14 Sep 2015 07:27:09 -0400
+
+freeradius (2.2.5+dfsg-0.2) unstable; urgency=high
+
+ * Disable OpenSSL version check; Debian will maintain ABI stability or
+ change the soname, Closes: #765871
+ * Non-Maintainer Upload
+
+ -- Sam Hartman <hartmans@debian.org> Thu, 23 Oct 2014 21:45:36 -0400
+
+freeradius (2.2.5+dfsg-0.1) unstable; urgency=medium
+
+ * Non-maintainer Upload
+ * Remove remnants of freeradius-dilaupadmin, Closes: #669741
+ * Permit creating freerad to fail because user might exist, Closes: #661915
+ * Update to standards version 3.9.5, no changes
+ * New upstream version, Closes: #740857, #691770
+ - Include dictionary.mikrotik, Closes: #672200
+
+ -- Sam Hartman <hartmans@debian.org> Tue, 30 Sep 2014 19:18:08 -0400
+
+freeradius (2.1.12+dfsg-1.3) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Remove freeradius-dialupadmin, Closes: #711486. I understand there's a
+ patch in the bug that could get this working.
+ However, it's been removed upstream for 3.x, my hope is to package
+ 3.0.2 soon, and a PHP script that copies all the get/post data
+ into globals so as to administer an authentication server is more
+ scary than I choose to contemplate.
+ * Add IODBC include directories, Thanks Maximiliano Curia
+ , Closes: #740060
+
+
+ -- Sam Hartman <hartmans@debian.org> Wed, 12 Mar 2014 20:36:19 -0400
+
+freeradius (2.1.12+dfsg-1.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix expired passwords when using the unix module (CVE-2011-4966,
+ Closes: #694407).
+
+ -- Kees Cook <kees@debian.org> Sun, 16 Dec 2012 12:44:35 -0800
+
+freeradius (2.1.12+dfsg-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix pre-authentication buffer overflow in EAP handling
+ (CVE-2012-3547; Closes: #687175, #687178).
+
+ -- Nico Golde <nion@debian.org> Tue, 11 Sep 2012 19:38:02 +0200
+
+freeradius (2.1.12+dfsg-1) unstable; urgency=low
+
+ * New upstream version, closes: #675698.
+ + Fix for a segmentation fault in rlm_eap, closes: #645998.
+ * Backport upstream commits to fix our bug reports:
+ + Fix for a crash on SIGHUP in config file handling,
+ 378f2517357f11f9900c3799c6a469ee2fda7bdf
+ ab73a3debf93492804e7af253ba45a7b017a18d1
+ closes: #606450
+ + Fix for a segmentation fault in radmin through environment variables,
+ ce1bb741773b253c4ccf24accccf6305e202a322
+ 516dbaabf0ea80d0ff0643dc2ae9a10c4d31494c
+ closes: #662194
+ * Use dpkg-buildflags for configure, by Moritz Muehlenhoff, closes: #657838.
+ * Mark rlm_jradius as stable to get it to build and ship, closes: #599067.
+ * Switch to dpkg-source 3.0 (quilt) format.
+ * Polished packaging a wee bit and updated the Standards-Version.
+
+ -- Josip Rodin <joy-packages@debian.org> Fri, 29 Jun 2012 14:32:33 +0200
+
+freeradius (2.1.10+dfsg-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix "FTBFS: libfreeradius-radius-2.1.10.so: could not read symbols:
+ Invalid operation": adjust target dependencies in debian/rules: make sure
+ the patch target is not only called for build but also for
+ build-{arch,indep}. (Closes: #666311)
+
+ -- gregor herrmann <gregoa@debian.org> Wed, 02 May 2012 16:58:57 +0200
+
+freeradius (2.1.10+dfsg-3) unstable; urgency=low
+
+ * Fixed the silly error that rendered previous attempts to use the
+ right libtool functions useless, hopefully finally closes: #416266.
+ * Link radeapclient with libradius to fix linking with binutils-gold,
+ closes: #553387.
+ * Fix the debug mode crashing when home server doesn't respond to
+ a proxied request. Dmitry Borodaenko cherry-picked upstream commits
+ 540a0515de93d99ef45f97b9114185f159587b51 and
+ ab972f1f9b724fc0b71e6ca726078c92ad26bc6b, thanks, closes: #609870.
+ * Fixed udpfromto IPv6 breakage because of broken offsetof tests,
+ backported upstream b4f0c7ed4dc9811d8dfa982540ed8cb721cc854a
+ (one minor change necessary) as well as
+ 655f0786d60fe02440763df69b1aaf5110706690, as well as the simple
+ IPV6_RECVPKTINFO change, hopefully it activates all the right
+ modern IPv6 functions and closes: #606866.
+
+ -- Josip Rodin <joy-packages@debian.org> Thu, 05 May 2011 23:50:20 +0200
+
+freeradius (2.1.10+dfsg-2) unstable; urgency=medium
+
+ * The zombie period start time variable mistakenly got set to a random
+ value because of an upstream typo. Cherry-picked upstream commit
+ 7b7dff7724721f8af5fd163f2292d427a869992d into a Debian patch,
+ requested for squeeze in #600465.
+ * Since 2.1.9, the daemon stopped reopening the default radius.log file
+ constantly, which means the default logrotate setup breaks the default
+ logging. D'oh. We now have to send SIGHUP to the daemon as a postrotate
+ action, which makes it reopen log files and continue normally.
+ * Added delaycompress to the logrotate options, just to be on the safe
+ side.
+ * Added a reload action into the init script accordingly, so that the
+ right pidfile is picked up (one that can be overridden by the admin
+ in /etc/default/freeradius, available since the last release).
+ * Called reload from the postrotate section, closes: #602815.
+ * However, the latter signal also makes the server re-read configuration
+ files, but unlike the initial server start, this all happens under
+ the unprivileged user. That in turn means that if by any chance there
+ is any part of FR configuration that happens not to be readable by
+ group freerad (or whatever non-default is configured), the reload
+ will fail, effectively silently, as the log has been moved away. Gah.
+ So we have to make an effort to ensure that the configuration files
+ are still readable by that user, otherwise the reload fails and the
+ aforementioned bug is not fixed. The files seem to revert to
+ root:root upon conffile actions, at least that's what happened to me
+ and I think that was the cause. So, on upgrade, try to re-apply the
+ dpkg-statoverrides on our /etc/freeradius/* stuff, whatever they are,
+ under the assumption they will let the freerad group read config files
+ as is the initial setup. (I wish dpkg-statoverride --update $file
+ just did the right thing, but it doesn't, so there's a new local
+ function that does that.)
+ * While doing the latter, noticed that we were checking for directories
+ in dpkg-statoverride --list output with trailing slashes, but they
+ get output without it, so it was a no-op. Fixed the check by removing
+ the trailing slashes. Also then noticed that we were grepping --list
+ output, but it takes an optional glob pattern, so saved us that
+ pointless grep fork by using that facility, just as described in the
+ policy manual.
+ * force-reload switches from restart to reload, per policy 9.3.2.
+ * lenny backport needed also libltdl-dev (2.2.x) to build properly, rather
+ than libltdl3-dev, which is obsolete and doesn't make sense anyway.
+
+ -- Josip Rodin <joy-packages@debian.org> Sat, 13 Nov 2010 15:21:30 +0100
+
+freeradius (2.1.10+dfsg-1) unstable; urgency=medium
+
+ * New upstream version, closes a bunch of reproducible SNAFUs,
+ including two tagged as security issues, CVE-2010-3696, CVE-2010-3697,
+ closes: #600176.
+ * Build-depend on newer Libtool because of lt_dladvise_init(), also
+ upstream now has a configure check so we no longer need a patch,
+ yet we still don't want the old behaviour. Noticed by John Morrissey,
+ closes: #584151.
+ * Added the /etc/default/freeradius file as suggested by
+ Rudy Gevaert and Matthew Newton, closes: #564716.
+ * Stop symlinking /dev/urandom into /etc/freeradius/certs/random,
+ it breaks grep -r in /etc. Instead, replace it inside eap.conf,
+ both in the new shipped conffile and in postinst.
+
+ -- Josip Rodin <joy-packages@debian.org> Thu, 14 Oct 2010 21:51:51 +0200
+
+freeradius (2.1.9+dfsg-1) unstable; urgency=low
+
+ * New upstream version.
+ + radclient (radtest) should now use IPv4 by default, closes: #569614.
+ * Depend on ca-certificates explicitly, closes: #569601.
+ * I mistook ca.pem for the locally selected acceptable CA, whereas that
+ actually just happens to mean DebConf.org CA, and we want the former
+ by default. That in turn is in /etc/ssl/certs/ca-certificates.crt.
+ Obviously later the users can trivially change this, but this looks
+ like a reasonably reliable default that doesn't involve a lot of magic
+ that can delay or break postinst invocations. In the future, eap.conf
+ will become modules/eap and this will not be so critical.
+ * The private_key_file = ${certdir}/server.pem default doesn't get along
+ with snakeoil, or common sense really (why would you keep a secret key
+ in the same file as the non-secret certificate?), and could have broken
+ upgrades if people accepted the conffile prompt, so adjusted the
+ default conffile too, and adjusted the postinst upgrade logic as well.
+ * Enable HAVE_LT_DLADVISE_INIT as it fixes the module symbol lookup
+ errors from additional libraries, closes: #416266.
+ * Explicate source format as 1.0.
+ * Add ${misc:Depends} to all binary packages.
+ * Update standards version to 3.8.4, no changes necessary.
+
+ -- Josip Rodin <joy-packages@debian.org> Sun, 30 May 2010 12:48:55 +0200
+
+freeradius (2.1.8+dfsg-1) unstable; urgency=medium
+
+ * New upstream version.
+ + Fixes several showstopper bugs, hence increased urgency.
+ + Includes OpenSSL+GPL license exception, closes: #499120.
+ + Fixes typo in a warning, closes: #523074.
+ * Added libssl-dev into build-depends and enabled the building of
+ modules that just depend on OpenSSL, namely rlm_eap_peap, rlm_eap_tls,
+ rlm_eap_ttls, and rlm_otp, closes: #266229.
+ * Because the configuration of EAP+SSL modules now actually kicks in, its
+ non-existent certificate file would break the server start by default.
+ Depend on ssl-cert, make use of make-ssl-cert and openssl, and add
+ freerad to the ssl-cert group in the postinst to get us past the
+ problematic default settings so that we don't crash and burn on clean
+ upgrades, but otherwise leave everything else to the admin.
+ * Ship /etc/freeradius/attrs.access_challenge, like the others.
+ * Moved otp.conf and snmp.conf statoverride handling to the preinst
+ and used rm_conffile on them as well.
+ * Updated upstream changelog handling a bit.
+
+ -- Josip Rodin <joy-packages@debian.org> Sat, 02 Jan 2010 20:22:47 +0100
+
+freeradius (2.1.7+dfsg-2) unstable; urgency=low
+
+ * Ship radmin and raddebug in the freeradius package.
+ * Correct section number inside raddebug(8) so it doesn't get misplaced.
+
+ -- Josip Rodin <joy-packages@debian.org> Tue, 24 Nov 2009 15:29:59 +0100
+
+freeradius (2.1.7+dfsg-1) unstable; urgency=low
+
+ * Adopting the package, closes: #536623.
+ * New upstream version, closes: #513484.
+ + Fixes the blooper in unlang evaluation logic, closes: #526175.
+ * Used quilt (and added README.source), and moved upstream file patching
+ into debian/patches/. The source is no longer in collab-maint git
+ (to make it simpler for me to finally get this out the door), but
+ kept the .gitignore should we need that again.
+ * Dropped the dialup_admin/bin/backup_radacct patch (integrated upstream).
+ * Dropped the raddb/Makefile patch (problem no longer exists upstream).
+ * Dropped the lib/packet.c lib/radius.c main/listen.c patches (was from
+ upstream 2.0.5 anyway).
+ * Dropped references to otp.conf, it no longer exists upstream.
+ Keep removing the conffile statoverride in prerm.
+ * Dropped references to snmp.conf, it no longer exists upstream.
+ Keep removing the conffile statoverride in prerm.
+ * Ship /etc/freeradius/modules/* in the freeradius package.
+ * Stop shipping sites-enabled symlinks in the package and instead create
+ them only on initial install, thanks to Matej Vela, closes: #533396.
+ * Add export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" to the init script
+ at the request of John Morrissey, closes: #550143.
+ * Stop installing /var/run/freeradius in the package to silence Lintian.
+ The init script already recreates it at will.
+ * Remove executable bit from example.pl to silence Lintian.
+
+ -- Josip Rodin <joy-packages@debian.org> Mon, 23 Nov 2009 03:57:37 +0100
+
+freeradius (2.0.4+dfsg-7) unstable; urgency=low
+
+ * Ignore rmdir failure on clean (closes: #545932)
+ * Do a better job of catching errors in the init script (closes: #533390)
+ * Init headers fixup (closes: #541882)
+ * Clean up some logs so dpkg can successfully rmdir (closes: #530727)
+
+ -- Stephen Gran <sgran@debian.org> Sun, 13 Sep 2009 19:33:12 +0100
+
+freeradius (2.0.4+dfsg-6) unstable; urgency=low
+
+ * Fix unsafe use of tempfile (closes: #496389)
+
+ -- Stephen Gran <sgran@debian.org> Mon, 25 Aug 2008 14:18:48 +0100
+
+freeradius (2.0.4+dfsg-5) unstable; urgency=low
+
+ [ Mark Hymers ]
+ * Cherry pick commit from 2.0.5 which fixes port binding issues.
+ Closes: #489773.
+
+ [ Stephen Gran ]
+ * add PERL_SYS_INIT3 and PERL_SYS_TERM calls to rlm_perl. (closes: #495073)
+ * Make the SQL modules link against rlm_sql.so in the most horrific
+ (and only) way possible. (closes: #448699)
+
+ -- Stephen Gran <sgran@debian.org> Thu, 14 Aug 2008 19:15:30 +0100
+
+freeradius (2.0.4+dfsg-4) unstable; urgency=low
+
+ * Create links from sites-enabled to sites-available for the files that
+ upstream enables by default (closes: #483914)
+
+ -- Stephen Gran <sgran@debian.org> Sun, 01 Jun 2008 12:24:35 +0100
+
+freeradius (2.0.4+dfsg-3) unstable; urgency=low
+
+ * brown paper bag release
+ * Really actually do the statoverride I thought we were doing with -2
+ (closes: #482380)
+
+ -- Stephen Gran <sgran@debian.org> Thu, 22 May 2008 11:18:12 +0100
+
+freeradius (2.0.4+dfsg-2) unstable; urgency=low
+
+ * Install /var/log/freeradius 0750 so that people writing their passwords to
+ logfiles don't accidentally leak them without noticing (closes: #482085)
+
+ -- Stephen Gran <sgran@debian.org> Tue, 20 May 2008 19:38:27 +0100
+
+freeradius (2.0.4+dfsg-1) unstable; urgency=low
+
+ * Ok, actually remove all the cruft in debian/ shipped by upstream. This
+ means repacking the tarball and all that, but it also means dpkg-source
+ won't get the chance to ignore removed files, resulting in files
+ reappearing, but not locally (closes: #481406)
+ * Also remove config.{cache,log} in clean target - damn you gitignore
+
+ -- Stephen Gran <sgran@debian.org> Mon, 19 May 2008 03:55:55 +0100
+
+freeradius (2.0.4-3) unstable; urgency=low
+
+ * I have no god damn idea why the buildds are adding manpages to the wrong
+ binary. Reuploading with DH_VERBOSE=1 to see if we can find it. We
+ certainly can't reproduce it in our local builds, even calling the same
+ targets in the same order as the buildds.
+
+ -- Stephen Gran <sgran@debian.org> Mon, 19 May 2008 00:17:06 +0100
+
+freeradius (2.0.4-2) unstable; urgency=low
+
+ * freeradius-{common,utils} needs to Conflict: with other radius
+ implementations that share files (closes: #480682)
+
+ -- Stephen Gran <sgran@debian.org> Sun, 11 May 2008 18:41:45 +0100
+
+freeradius (2.0.4-1) unstable; urgency=low
+
+ * New upstream release
+ * Make all directories in /etc/freeradius group +x (closes: #479835)
+
+ -- Stephen Gran <sgran@debian.org> Fri, 09 May 2008 12:58:55 +0100
+
+freeradius (2.0.3-1) unstable; urgency=low
+
+ [ Mark Hymers ]
+ * New upstream release
+ * Bump Build-Dep on debhelper to 6.0.7 as we use dh_lintian
+ * Delete lots of obsolete conffiles
+
+ [ Stephen Gran ]
+ * Create a -common package for some extra file that the -utils package
+ needs. Also stuff in manpages and other arch all files to reduce the size
+ of the unnecessarily repeated stuff in the archive
+ * Change chown/chmod calls to dpkg-statoverride
+
+ -- Mark Hymers <mhy@debian.org> Sat, 03 May 2008 17:07:42 +0100
+
+freeradius (2.0.2-1) unstable; urgency=low
+
+ * Yet another new upstream version (closes: #465475)
+ * Cleanup manpages
+ * Add lintian overrides for rpath - this is intentional
+ * Packaging is now being done in git, we're dropping dpatch
+ * Split out client utilities (closes: #470977) - this means we also need to
+ split the library so the two binary packages can use it
+ * Major package rework
+
+ -- Stephen Gran <sgran@debian.org> Sun, 16 Mar 2008 22:58:16 +0000
+
+freeradius (2.0.0-1) unstable; urgency=low
+
+ * New upstream version
+ * Patches:
+ - freshen 02-radiusd-to-freeradius
+ - disable 03-dialupadmin-help until it's reworked properly
+
+ -- Stephen Gran <sgran@debian.org> Thu, 10 Jan 2008 23:05:50 +0000
+
+freeradius (1.1.7-1) unstable; urgency=low
+
+ * New upstream version
+ * Update debian/copyright to reflect reality:
+ - package is GPL v2 only, so refer to the correct file in common-licenses
+ - Remove explanation of wy postgres and snmp modules can't be shipped,
+ since we do ship them.
+ * Remove 04-configure-openssl.dpatch, --without-openssl applied upstream
+
+ -- Stephen Gran <sgran@debian.org> Thu, 09 Aug 2007 10:09:20 +0100
+
+freeradius (1.1.6-4) unstable; urgency=low
+
+ The "Give me GPLv2 compatibility or give me FTBFS" release
+ * Fix rlm_krb5 not to link with openssl unless it actually needs to
+ * debian/rules: move dependency on patch target to config.status
+ * debian/rules: FTBFS if a package accidentally directly links to openssl
+
+ -- Stephen Gran <sgran@debian.org> Wed, 04 Jul 2007 17:08:45 +0100
+
+freeradius (1.1.6-3) unstable; urgency=low
+
+ * Change freeradius-dbg to Priority: extra.
+ * After discussions with one of the ftp-assistants, we can ship
+ freeradius-postgresql in main. Yey! (Closes: #264649, #382329)
+
+ -- Mark Hymers <mhy@debian.org> Thu, 21 Jun 2007 13:32:09 +0100
+
+freeradius (1.1.6-2) unstable; urgency=low
+
+ [ Mark Hymers ]
+ * Add freeradius-dbg package.
+
+ [ Stephen Gran ]
+ * Update debian/control for php5 (dialupadmin) (closes: #424788, #412701)
+
+ -- Stephen Gran <sgran@debian.org> Thu, 31 May 2007 02:47:02 +0100
+
+freeradius (1.1.6-1) unstable; urgency=low
+
+ * New upstream release. Closes: #420003.
+
+ -- Mark Hymers <mhy@debian.org> Thu, 19 Apr 2007 15:14:05 +0100
+
+freeradius (1.1.5-1) unstable; urgency=low
+
+ * New upstream release. Closes: #415980
+ * Remove 01-fix-proxy.dpatch as it was a backport from upstream.
+ * otppasswd.sample is no longer provided so make sure we remove the
+ conffile properly in preinst.
+ * Update my email address and remove Paul from Uploaders. Thanks to him for
+ previously maintaining the package.
+ * Change so that we start at S50 and stop at K19 so that we start after
+ services we depend on and stop before them. Closes: #408665.
+ Note that is only for new installs.
+
+ -- Mark Hymers <mhy@debian.org> Fri, 13 Apr 2007 13:14:08 +0100
+
+freeradius (1.1.3-3) unstable; urgency=medium
+
+ * Fix POSIX compliance problem in init script. Closes: #403384.
+
+ -- Mark Hymers <mark@hymers.org.uk> Sat, 16 Dec 2006 20:45:11 +0000
+
+freeradius (1.1.3-2) unstable; urgency=low
+
+ [ Stephen Gran ]
+ * Check for existence of pidfile in initscript.
+ * Clean some old cruft from debian/rules
+ * Write dialup_admin/Makefile
+ * Make binNMU safe
+ * Some lsb init headers
+
+ [ Mark Hymers ]
+ * Merge upstream patch to deal with proxy port settings. Closes: #388024.
+ * Rewrite large parts of the Debian build system.
+
+ -- Stephen Gran <sgran@debian.org> Sat, 7 Oct 2006 21:08:35 +0100
+
+freeradius (1.1.3-1) unstable; urgency=low
+
+ [ Stephen Gran ]
+ * Add and rework ubuntu /var/run/tmpfs patch
+ * Add LSB init script headers
+ * Actually trap errors in init script, how about?
+
+ [ Mark Hymers ]
+ * New upstream version.
+ * New version of autotools in 1.1.3. Closes: #380204
+ * Remove previous patches merged upstream:
+ - 01-actually_check_for_unset_password.dpatch
+ * Only do user creation, group addition, chmod and chown stuff in postinst
+ on an initial install to avoid clobbering local changes.
+
+ -- Mark Hymers <mark@hymers.org.uk> Wed, 23 Aug 2006 14:48:57 +0100
+
+freeradius (1.1.2-2) unstable; urgency=low
+
+ [ Stephen Gran ]
+ * Acknowledge my previous NMU's (closes: #351732, #359042)
+ * Init scripts overhaul:
+ - now use reload on upgrade of modules
+ - replace sleep statements with --retry, as time based tests are
+ fragile
+ - no longer exit with an error if stop fails because the
+ daemon isn't running (closes: #374670, #351735)
+ - stop using command -v in /bin/sh scripts
+ * General maintainer script overhaul:
+ - Don't rm -rf something in /etc (ouch)
+ - Use chown -R instead of 'find .. -exec'
+ - should not need to manually remove the init script on purge (it's a dpkg
+ managed conffile)
+ - Only do user management stuff if user is missing. No point rerunning it
+ every upgrade.
+ - Install /etc/freeradius/dictionary with relaxed permissions, but never
+ touch it again (closes: #334299)
+ - switch to debhelper files where possible. I like an easy to read
+ Makefile.
+ * Arg. Move README.rfc to the freeradius package where it belongs.
+
+ [ Mark Hymers ]
+ * Document building SSL/PostgreSQL modules in debian/rules, add
+ control.postgresql to make it more convenient. Tested on AMD64 using
+ system libtool.
+
+ -- Stephen Gran <sgran@debian.org> Sun, 25 Jun 2006 23:06:16 +0100
+
+freeradius (1.1.2-1) unstable; urgency=low
+
+ [ Mark Hymers ]
+ * New maintainers
+ * New upstream version.
+ * Remove previous patches merged upstream:
+ - 01_NET-SNMP_build_support.dpatch
+ - 02_document_actual_shared_secret_maximum_length.dpatch
+ - 12_more_dialup_admin_various_fixes.dpatch
+ - 14_broken_parse.dpatch
+ - 15_CVE-2006-1354.dpatch
+ * Use --with-system-libtool during configure. Add B-D: on libtool
+ Removes obsolete dpatches:
+ - 06_libtool14_vs_rlm_eap_tls.dpatch
+ - 13_a_libtool_to_call_your_own.dpatch
+ * Remove freeradius.undocumented as we don't install links to
+ undocumented(7) anymore (not recommended since policy 3.5.8.0)
+
+ [ Stephen Gran ]
+ * Update to Standards Version 3.7.2 (no changes)
+ * Remove doc/rfc/ to make -legal happy (closes: #365192)
+ - this means repacked tarball. See README.rfc for details
+ * Test for unset variable, rather than empty variable in clean_radacct,
+ monthly_tot_stats and truncate_radacct (closes: #374053)
+
+ -- Mark Hymers <mark@hymers.org.uk> Sat, 17 Jun 2006 16:05:19 +0100
+
+freeradius (1.1.0-1.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * [ CVE-2006-1354 ]:
+ src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c:
+ Due to insufficient input validation it is possible for a remote
+ attacker to bypass authentication or cause a denial of service.
+ (closes: #359042)
+
+ -- Stephen Gran <sgran@debian.org> Wed, 17 May 2006 11:22:28 -0500
+
+freeradius (1.1.0-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Upstream patch to fix parsing config file (closes: #351732)
+ Fixes: fails to start on amd64 (error in dictionary parsing code)
+
+ -- Stephen Gran <sgran@debian.org> Sat, 1 Apr 2006 11:07:55 +0100
+
+freeradius (1.1.0-1) unstable; urgency=low
+ * ReDebianise upstream tarball:
+ - Deleted RFCs: 2243 2289 2433 2548 2618 2619 2620 2621 2716 2759 2809 2865
+ 2866 2867 2868 2869 2882 2924 3162 3575 3576 3579 3580
+ draft-kamath-pppext-eap-mschapv2-00
+
+ * New FreeRADIUS modules marked stable by new upstream release
+ - rlm_perl
+ - rlm_sqlcounter
+ - rlm_sql_log + radsqlrelay
+ - rlm_otp (formerly rlm_x99_token, not built as it depends on OpenSSL)
+
+ * Remove upstream-integrated patches:
+ - 02_EAP-SIM_doesnt_need_openssl
+ - 03_X99_is_not_stable
+ - 07_manpage_fixups
+ - 09_use_crypth_if_we_have_it
+ - 10_escape_entire_ldap_string
+ - 11_dont_xlat_possibly_bad_usernames_in_bad_accounting_packets
+ - 12_dialup_admin_various_fixes
+
+ * More dialup-admin fixes from Arve Seljebu
+ - Fix redirects in dialup-admin pages on servers with
+ register_globals turned off.
+ Closes: #333704
+ - HTTP form fields will always fail is_int, use in_numeric instead
+ Closes: #335149
+ - Created 12_more_dialup_admin_various_fixes
+
+ * Update to Policy 3.6.2.0
+ * Upgrade Debhelper support to V5
+ * Don't install the .in files with the examples
+ * Prefer libmysqlclient15-dev
+ Closes: #343779
+ * Shared secrets can only be 31 characters long, note this in clients.conf
+ - Created 02_document_actual_shared_secret_maximum_length
+ Closes: 344606
+ * Added support for lsb-init functions
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Sun, 15 Jan 2006 13:34:13 +1100
+
+freeradius (1.1.0-0) unstable; urgency=low
+
+ * New upstream release.
+ * Update set of patches:
+ - 01_NET-SNMP_build_support.dpatch
+ - 06_libtool14_vs_rlm_eap_tls.dpatch
+ - 13_a_libtool14_to_call_your_own.dpatch
+
+ -- Nicolas Baradakis <nbk@sitadelle.com> Sun, 1 Jan 2006 18:15:47 +0100
+
+freeradius (1.0.5-2) unstable; urgency=low
+
+ * Stop dragging non-PIC code from libeap.a into rlm_eap_sim.so and
+ rlm_eap.so.
+ (Thanks to Peter Salinger)
+ Closes: #288547
+ - Rename 06_libtool14_vs_rlm_eap_tls to 06_libtool14_vs_rlm_eap
+ and modify with Peter's changes and some Makefile hackery to
+ get it all linking
+ * Don't rerun configure during the build.
+ (Thanks to Kurt Roeckx)
+ * A whole bunch of dialup-admin fixes from Arve Seljebu and Tobias
+ - Report correct data transfer statistics for users
+ Closes: #329672
+ - Lower-case sql column names to match creation scripts
+ Closes: #333709
+ - Fix creation of empty groups
+ Closes: #333739
+ - Put quote around usernames in HTML output
+ Closes: #333742
+ - Properly notice when we've got a blank password to SQL
+ Closes: #333744
+ - Created 12_dialup_admin_various_fixes
+ * Stop using libtool1.4 to build against, now that we can't have it and
+ libltdl3-dev installed at the same time
+ Closes: #279391
+ - Created 13_a_libtool14_to_call_your_own to get most recent ltmain.sh
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Sun, 16 Oct 2005 21:26:30 +1000
+
+freeradius (1.0.5-1) unstable; urgency=high
+
+ * Urgency high for security fixes below, all reported upstream
+ * ReDebianise upstream tarball:
+ - Deleted RFCs: 2243 2289 2433 2548 2618 2619 2620 2621 2716 2759 2809 2865
+ 2866 2867 2868 2869 2882 2924 3162 3575 3576 3579 3580
+ draft-kamath-pppext-eap-mschapv2-00
+ * Add missed build-dependancy on dpatch (>=2)
+ * Update to Standards-Version 3.6.2.0
+ - No changes needed
+ * Repair some minorly broken manpages
+ - Created 07_manpage_fixups.dpatch
+ * Security fixes stolen from CVS release_1_0 branch:
+ - Be sure we use crypt.h if we have it, to avoid segfaulting on a
+ bad built-in crypt() definition, spotted by Konstantin Kubatkin
+ + Created 09_use_crypth_if_we_have_it
+ - Make sure we escape the entire LDAP string, instead of
+ aborting as soon as it becomes possible to be out of space
+ + Created 10_escape_entire_ldap_string
+ - Don't xlat the UserName attribute before we can be sure of meeting
+ any escape sequences it may contain, spotted by Primoz Bratanic
+ + Created 11_dont_xlat_possibly_bad_usernames_in_bad_accounting_packets
+ * Depend on adduser, so our postinst can create the freerad user
+ * Don't install the .in versions of the example scripts.
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Mon, 19 Sep 2005 15:10:40 +1000
+
+freeradius (1.0.5-0) unstable; urgency=low
+
+ * New Upstream release, from release_1_0 branch
+ - Remove 04_bonus_control_code_in_clients_conf_5
+ - Remove 05_unbreak_quoted_sql_results
+ * Fix my _name_ in the dpatches
+ * Remove patch to CVS ID header from 05_unbreak_quoted_sql_values
+ so as not to break things when comitting to FreeRADIUS CVS
+ * Take linking fix from FreeRADIUS bugzilla #75 to allow
+ rlm_eap_tls to be linked to by rlm_eap_ttls and rlm_eap_peap
+ even though we don't build them in the Debian archive.
+ (Thanks to Luca Landi for the patch)
+ - Created 06_libtool14_vs_rlm_eap_tls
+ * Fix ownership of files in /var/log/freeradius/ more efficiently
+ (Caught by Guido Trotter)
+ Closes: #326891
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Wed, 7 Sep 2005 01:08:07 +1000
+
+freeradius (1.0.4-2) unstable; urgency=low
+
+ * Fix my email address in the dpatches
+ * Remove extraneous ^g from man/man5/clients.conf.5
+ - Created 04_bonus_control_code_in_clients_conf_5
+ * Correct handing of parameterless call of init script, and
+ general init script neatening
+ (Thanks to Derrick Karpo)
+ Closes: #315438
+ * Correctly leave out the .in files in the examples
+ * Correctly use debhelper after splitting binary make target
+ into binary-arch and binary-indep.
+ (Thanks to Kurt Roeckx for actually hitting the bug)
+ Closes: #315770
+ * Steal fix from CVS release_1_0 tree for rlm_sql quoted values.
+ (Thanks to Nicolas Baradakis for the fix)
+ - Upstream bugzilla #242, src/modules/rlm_sql/sql.c 1.79.2.2
+ - Created 05_unbreak_quoted_sql_values
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Mon, 27 Jun 2005 03:13:48 +1000
+
+freeradius (1.0.4-1) unstable; urgency=low
+ * ReDeianise upstream tarball:
+ - Deleted RFCs: 2243 2289 2433 2548 2618 2619 2620 2621 2716 2759 2809 2865
+ 2866 2867 2868 2869 2882 2924 3162 3575 3576 3579 3580
+ draft-kamath-pppext-eap-mschapv2-00
+ * Convert to dpatch, dpatch-2-style interface.
+ - New build-dependancy on dpatch (>= 2)
+ - Created 01_NET-SNMP_build_support
+ - Created 02_EAP-SIM_doesnt_need_openssl
+ - Created 03_X99_is_not_stable
+ * Assemble the freeradius-dialupadmin in the binary-indep make target
+ Closes: #313173 (Thanks to Santiago Vila for spotting this)
+ * Include the example scripts in /usr/share/doc/freeradius/examples/scripts
+ except those three which are installed into the binary by the Makefile.
+ Closes: #314253 (Thanks to Michael Langer for spotting this)
+ * Suggest libdate-manip-perl for freeradius-dialupadmin
+ Closes: #306007 (Thanks to Feng Sian)
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Wed, 22 Jun 2005 16:03:27 +1000
+
+freeradius (1.0.4-0) unstable; urgency=medium
+
+ * New upstream release, fixing build problems.
+ * Prefer libpq-dev over postgresql-dev as a build-dependancy.
+ - This requires us to use pgconfig to find the headers.
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Thu, 16 Jun 2005 13:56:33 +1000
+
+freeradius (1.0.3-0) unstable; urgency=high
+
+ * New upstream release
+ * Urgency high for some denial-of-service fixes:
+ - SQL injection attacks and DoS (core dump) via buffer overflow.
+ Closes: #307720
+
+ -- Alan DeKok <aland@ox.org> Fri, 3 Jun 2005 11:29:34 -0700
+
+freeradius (1.0.2-4) unstable; urgency=high
+
+ * Security fix stolen from CVS release_1_0 branch:
+ - Always use sql_escape_func when calling radius_xlat
+ - Add a test in sql_escape_func() to check buffer bound when
+ input character needs escaping.
+ - Urgency high as these are (theoretical) security issues.
+ Closes: #307720 (Thanks to Primoz Bratanic and Nicolas Baradakis)
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Mon, 23 May 2005 18:53:51 +1000
+
+freeradius (1.0.2-3) unstable; urgency=medium
+
+ * Fixes stolen from CVS release_1_0 branch:
+ - Fix missed SIGCHLD when waiting for external programs
+ when threaded. (Medium urgency as this can easily livelock
+ FreeRADIUS, which is an authentication server.)
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Mon, 18 Apr 2005 23:46:41 +1000
+
+freeradius (1.0.2-2) unstable; urgency=medium
+
+ * Get rid of extraneous '%' at the start of every reference to
+ /etc/freeradius-dialupadmin in freeradius-dialupadmin's configuration.
+ Closes: #299749
+ * Fixes stolen from CVS release_1_0 branch:
+ - Fix checkrad call for NAS ports > 9999999. (sprintf integer overrun,
+ reason for urgency medium.)
+ - Fix inverted test causing crash with pthreads and crypt
+ Closes: #300219 (Thanks Manuel Menal)
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Wed, 6 Apr 2005 12:33:05 +1000
+
+freeradius (1.0.2-1) unstable; urgency=low
+
+ * ReDebianise upstream tarball:
+ - Deleted RFCs: 2243 2289 2433 2548 2618 2619 2620 2621 2716 2759 2809 2865
+ 2866 2867 2868 2869 2882 2924 3162 3575 3576 3579 3580
+ * Allow rlm_eap_sim to build without OpenSSL
+ * Make init script return 1 if reloading kills the server
+ (Thanks to Nicolas Baradakis)
+ Closes: #292170
+ * Enable Novell eDirectory integration
+ * Enable udpfromto code so that replies come from the same address as
+ the request arrived at
+ * Build-depend on libmysqlclient12-dev as libmysqlclient10 has problems
+ accessing 4.0 series mySQL servers, and libmysqlclient12 can access
+ 4.1 series mySQL servers.
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Fri, 4 Mar 2005 09:30:40 +1100
+
+freeradius (1.0.2-0) unstable; urgency=low
+
+ * New upstream release
+ * Update for Debian Policy 3.6.1.1
+ - Change test if invoke-rc.d as per Policy 9.3.3.2
+ * freeradius-dialupadmin Suggests php4-mysql | php4-pgsql
+ Closes: #279419
+ * Added a two-second pause to restart in init.d script
+ Closes: #262635
+ * FreeRADIUS module packages now depend on the same source
+ version of the main FreeRADIUS package.
+ Closes: #284353
+ * FreeRADIUS-dialupadmin's default paths in admin.conf are
+ now correct.
+ Closes: #280942
+ * FreeRADIUS-dialupadmin's help.php3 can now find README.
+ Closes: #280941
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Wed, 29 Dec 2004 20:12:52 +1100
+
+freeradius (1.0.1-2) unstable; urgency=high
+
+ * freeradius-dialupadmin Suggests php4-mysql | php4-pgsql
+ Closes: #279419
+ * Added a two-second pause to restart in init.d script
+ Closes: #262635
+ * FreeRADIUS module packages now depend on the same source
+ version of the main FreeRADIUS package.
+ Closes: #284353
+ * FreeRADIUS-dialupadmin's default paths in admin.conf are
+ now correct.
+ Closes: #280942
+ * FreeRADIUS-dialupadmin's help.php3 can now find README.
+ Closes: #280941
+ * Fixes stolen from 1.0.2 CVS:
+ - Bug fix to make udpfromto code work
+ - radrelay shouldn't dump core if it can't read a VP from the
+ detail file.
+ - Only initialize the random pool once.
+ - In rlm_sql, don't escape characters twice.
+ - In rlm_ldap, only claim Auth-Type if a plain text password is present.
+ - Locking fixes in threading code
+ - Fix building on gcc-4.0 by not trying to access static auth_port from
+ other files.
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Wed, 29 Dec 2004 20:19:42 +1100
+
+freeradius (1.0.1-1) unstable; urgency=high
+
+ * ReDebianise upstream tarball:
+ - Deleted RFCs: 2243 2289 2433 2548 2618 2619 2620 2621 2716 2759 2809 2865
+ 2866 2867 2868 2869 2882 2924 3162 3575 3576 3579 3580
+ - Remove CVS directories.
+ * Urgency high for security fix from 1.0.1-0 (CAN-2004-0938,
+ closes: #275136).
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Thu, 23 Sep 2004 22:28:11 +1000
+
+freeradius (1.0.1-0) unstable; urgency=high
+
+ * New upstream release
+ * Urgency high for some denial-of-service fixes:
+ - Fix two remote crashes and a remote memory leak in
+ radius packet decoding.
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Thu, 2 Sep 2004 17:12:23 +1000
+
+freeradius (1.0.0-1) unstable; urgency=low
+
+ * ReDebianise upstream tarball:
+ - Deleted RFCs: 2243 2289 2433 2548 2618 2619 2620 2621 2716 2759 2809 2865
+ 2866 2867 2868 2869 2882 2924 3162 3575 3576 3579 3580
+ * Support building with libsnmp5's UCD-SNMP compatiblity mode.
+ - libsnmp{4.2,5} still depend on OpenSSL, so SNMP's still disabled.
+ * Update for Debian Policy 3.6.11
+ - Change test for invoke-rc.d as per Policy 9.3.3.2
+ * Disable rlm_eap types PEAP, TLS and TTLS as they depend on OpenSSL.
+ * Disable rlm_sql driver PostgreSQL as it depends on OpenSSL.
+ * Disable rlm_x99_token as it depends on OpenSSL.
+ * Finally, -v is documented in radius(8).
+ - Closes: #151266
+ * Reword a sentence in radwatch(8) by removing the personal pronoun.
+ - Closes: #264522
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Tue, 17 Aug 2004 17:42:40 +1000
+
+freeradius (1.0.0-0) unstable; urgency=low
+
+ * New upstream release
+ * Added H323 billing stuff to the examples
+ * Created Dialup-Admin package for the PHP-based web
+ FreeRADIUS database (SQL/LDAP) frontend.
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Sat, 17 Jul 2004 16:21:38 +1000
+
+freeradius (0.9.3-1) unstable; urgency=low
+
+ * New upstream release, incorporates security fix from 0.9.2-4.
+ * Correct build-dependancy on debhelper.
+ Closes: #234486
+ * Split iodbc SQL driver into its own package.
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Tue, 24 Feb 2004 23:56:26 +1100
+
+freeradius (0.9.2-4) unstable; urgency=high
+
+ * Patch from upstream head:
+ - Fix a remote DoS and possible exploit due to mis-handling
+ of tagged attributes, and Tunnel-Password attribute.
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Fri, 21 Nov 2003 09:52:51 +1100
+
+freeradius (0.9.2-3) unstable; urgency=low
+
+ * Removed redundant code to delete contents of a directory
+ on purge which ends up being removed anyway.
+ * Provide a default pam.d configuration.
+ * Fix the usage of dh_installinit to not make the package uninstallable.
+ * Change package removal to not abort if we cannot stop the server.
+ * Debian-archive-fit version of freeradius.
+ Closes: #208620
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Tue, 11 Nov 2003 02:12:55 +1100
+
+freeradius (0.9.2-2) unstable; urgency=low
+
+ * Use dh_installinit rather than doing it by hand
+ This involves renaming the initfile in the source tarball
+ * Only add user freerad to the group shadow on first installation
+ * Only chmod /etc/freeradius to group-readable, not group-read/write
+ * Removed the freerad user when the freerad group is removed
+ * Removed spurious build-dependancy on autoconf2.13 and libtool(1.4)
+ * Build-conflict against libssl-dev
+ * Restore Kerberos and LDAP as they will build without OpenSSL
+ * Make myself the maintainer
+ * Update to Policy 3.6.1.0
+ - No changes needed
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Sun, 9 Nov 2003 00:07:52 +1100
+
+freeradius (0.9.2-1) unstable; urgency=low
+
+ * Deleted RFCs: 2243 2289 2433 2548 2618 2616 2620 2621
+ 2719 2759 2809 2865 2866 2867 2868 2869 2882 2924 3162
+ from source tarball due to non-DFSG-free copyright.
+ * Disabled PostgreSQL, x.99 token, EAP/TLS, Kerberos, LDAP
+ and SNMP agent support due to OpenSSL/GPL conflict.
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Thu, 6 Nov 2003 22:40:32 +1100
+
+freeradius (0.9.2-0) unstable; urgency=low
+
+ * New upstream release
+ * Added logrotate script for /var/log/freeradius/radius.log
+ * Don't leave symlinks to config.{guess,sub} lying around to
+ confuse dpkg-source.
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Wed, 15 Oct 2003 05:02:17 +1000
+
+freeradius (0.9.1-0) unstable; urgency=low
+
+ * New upstream release.
+ * Renamed radiusd(8) to freeradius(8) to match binary
+ * Build-Depend on libtool1.4 | libtool (< 1.5) due to
+ new libtool 1.5 package.
+ * Merged multiple sed calls into a single sed call in debian/rules
+ * Installed SQL database examples into /usr/share/doc/freeradius/examples
+ * Modify initscript to only -HUP the parent process
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Fri, 5 Sep 2003 00:54:41 +1000
+
+freeradius (0.9.0-1) unstable; urgency=low
+
+ * New Upstream release.
+ - Upstream dictionary files are in /usr/share/freeradius.
+ - Modified to 'configure{,.in}' to work with openssl 0.9.7 and 0.9.6
+ * Renamed pacakges to 'freeradius*' from 'radiusd-freeradius*'.
+ * Moved file hierarchy around to be neater:
+ - /etc/raddb -> /etc/freeradius
+ - /usr/share/doc/radiusd-freeradius -> /usr/share/doc/freeradius
+ - /var/log/radiusd-freeradius -> /var/log/freeradius
+ - /var/run/radiusd/radiusd.pid -> /var/run/freeradius/freeradius.pid
+ * Included RFCs in documentation.
+ * Enabled the daemon to run under user 'freerad:freerad' by default.
+ * Added support for DEB_BUILD_OPTIONS for policy 3.5.9 compliance.
+ * Installed SNMP mibs for Radius
+
+ -- Paul Hampson <Paul.Hampson@anu.edu.au> Sun, 20 Jul 2003 06:56:28 +1000
+
+radiusd-freeradius (0.7+cvs20021113-1) unstable; urgency=low
+
+ * Explicitly excluding modules not in the "stable" list.
+ * Updated policy version number.
+ * Moved from non-US/main to main.
+ * Put pidfile in package's own directory.
+ * Package not as buggy and unstable modules are easily identifiable.
+ (closes: Bug#142217)
+ * Init script handles failure better. (closes: Bug#151264)
+ * New upstream release. (closes: Bug#140536)
+ * Uses available version of postgresql. (closes: Bug#139290)
+ * Removed "conflicts" with other radiusds.
+ * Added new build-dep on libtool.
+ * Changed section to "net" from "admin".
+ * New config.guess. (closes: Bug#168647)
+ * Run with freerad user and group. (closes: Bug#168272)
+ * Added libssl-dev as build-dep. (closes: #131832)
+
+ -- Chad Miller <cmiller@debian.org> Wed, 13 Nov 2002 17:01:19 -0500
+
+radiusd-freeradius (0.5+cvs20020408-1) unstable; urgency=high
+
+ * New build-dep on libssl-dev, which is implied by another dep, but making
+ explicit for builders on Potato. (closes: Bug#131832)
+ * Built against new postgresql libraries, so automatic dep tracking has
+ the correct version, now. (closes: Bug#139290)
+ * Removed python example module.
+ * Explicitly disabled beta ippool module.
+
+ -- Chad Miller <cmiller@debian.org> Mon, 8 Apr 2002 11:48:30 -0400
+
+radiusd-freeradius (0.4-1) unstable; urgency=high
+
+ * New release.
+ * upstream: New EAP support.
+ * upstream: Fixed security bug in string translation.
+
+ -- Chad Miller <cmiller@debian.org> Thu, 13 Dec 2001 09:26:45 -0500
+
+radiusd-freeradius (0.3-2) unstable; urgency=low
+
+ * Moved to using logrotate instead of cron for files.
+ * Fixed permissions of log files. (closes: Bug#116242,#116243)
+ * Close file descriptors of stdin, stdout, stderr, if not debugging.
+ (closes: Bug#116768)
+ * Made package "non-native". (An upload issue, not code.)
+ (closes: Bug#119161)
+
+ -- Chad Miller <cmiller@debian.org> Tue, 20 Nov 2001 10:50:20 -0500
+
+radiusd-freeradius (0.3-1) unstable; urgency=low
+
+ * New release.
+
+ -- Chad Miller <cmiller@debian.org> Tue, 9 Oct 2001 18:16:23 -0400
+
+radiusd-freeradius (0.2+20010917-1) unstable; urgency=low
+
+ * Removed old mysql build-dep. (closes: Bug#112541)
+
+ -- Chad Miller <cmiller@debian.org> Mon, 17 Sep 2001 11:38:24 -0400
+
+radiusd-freeradius (0.2+20010912-1) unstable; urgency=low
+
+ * Build-dep mysql changed package names.
+ * Added build-dep for libmysqlclient10-dev. (closes: Bug#111880)
+ * In acct_users, keep reply pairs.
+ * Integer values are printed as unsigned numbers, to comply with RFC2866.
+ * Fixed broken/reversed auth comparisons in SQL module.
+ * Sucked out CPPness from inside a printf, as printf is a macro in newer
+ compilers (gcc3.0, e.g.). (closes: Bug#100889)
+ * Sundry LDAP configuration, unresponsive thread, and proxying fixes.
+ * Added user 'freerad' into the 'shadow' group.
+ * Fixed UUCP-style of restricting time of log-in.
+ * Changed debugging messages to give more info about execution flow.
+ * Better counter module.
+ * Inserted CHAP support for SQL modules.
+ * Removed possible infinite loop.
+
+ -- Chad Miller <cmiller@debian.org> Wed, 12 Sep 2001 21:21:47 -0400
+
+radiusd-freeradius (0.1+20010527-1) unstable; urgency=low
+
+ * Updated config.{guess,sub} to recent versions. (closes: Bug#98183)
+ * Updated build-dep to reflect supercession of libltdl0-dev by libltdl3-dev
+ (closes: Bug#98914)
+
+ -- Chad Miller <cmiller@debian.org> Sun, 27 May 2001 11:44:40 -0400
+
+radiusd-freeradius (0.1+20010517-1) unstable; urgency=low
+
+ * Moved package to non-US to allow in Kerberos and PostgreSQL.
+ * Set Suggests of modules to main package.
+ * Better compile-time support of *BSD.
+
+ -- Chad Miller <cmiller@debian.org> Thu, 17 May 2001 14:46:51 -0400
+
+radiusd-freeradius (0.1-1) unstable; urgency=low
+
+ * First beta release!
+ * Added generalized SQL support for ODBC, Oracle, MySQL, and Postgres.
+ * Added shasta, microsoft, and redback dictionaries.
+ * Fixed rc.d restart rule.
+ * Added a user to own the daemon and logfiles.
+ * SQL DB handles more forgiving of unreachable servers at startup.
+ * SQL Crypt-Password attribute support.
+ * Fixed cron log rotation.
+ * Put module libraries in own directory.
+ * Removed bogus build-dep. (closes: Bug#87277)
+ * Better permissions on /etc/raddb
+ * Use correct LDAP library.
+ * Fork ldap, postgresql, and mysql modules into different packages.
+ * Remove Kerberos, as it's restricted from export.
+
+ -- Chad Miller <cmiller@debian.org> Mon, 7 May 2001 16:37:46 -0400
+
+radiusd-freeradius (0.0.20010109-1) unstable; urgency=low
+
+ * Changed priority, from standard to optional.
+
+ -- Chad Miller <cmiller@debian.org> Tue, 9 Jan 2001 14:01:38 -0500
+
+radiusd-freeradius (0.0.20001227-1) unstable; urgency=low
+
+ * Initial revision. (closes: Bug#76476)
+
+ -- Chad Miller <cmiller@debian.org> Wed, 27 Dec 2000 11:58:56 -0500
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..42a7900
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,253 @@
+Source: freeradius
+Build-Depends: debhelper-compat (= 13),
+ default-libmysqlclient-dev,
+ freetds-dev,
+ libcap-dev,
+# Temporarily disable due to collectd RC bugs
+# libcollectdclient-dev,
+ libcurl4-openssl-dev | libcurl4-gnutls-dev,
+ libgdbm-dev,
+ libhiredis-dev,
+ libiodbc2-dev,
+ libjson-c-dev,
+ libkrb5-dev | heimdal-dev,
+ libldap2-dev,
+ libmemcached-dev,
+ libpam0g-dev,
+ libpcap-dev,
+ libpcre3-dev,
+ libperl-dev,
+ libpq-dev,
+ libreadline-dev,
+ libsasl2-dev,
+ libsqlite3-dev,
+ libssl-dev,
+ libsystemd-dev,
+ libtalloc-dev,
+ libwbclient-dev,
+ libykclient-dev,
+ libyubikey-dev,
+ python3-dev,
+ samba-dev | samba4-dev,
+ snmp
+Section: net
+Priority: optional
+Maintainer: Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org>
+Uploaders: Mark Hymers <mhy@debian.org>,
+ Sam Hartman <hartmans@debian.org>,
+ Bernhard Schmidt <berni@debian.org>
+Standards-Version: 4.4.1
+Homepage: http://www.freeradius.org/
+Vcs-Git: https://salsa.debian.org/debian/freeradius.git
+Vcs-Browser: https://salsa.debian.org/debian/freeradius
+
+Package: freeradius
+Architecture: any
+Depends: freeradius-common,
+ freeradius-config,
+ libfreeradius3 (= ${binary:Version}),
+ lsb-base,
+ ${dist:Depends},
+ ${misc:Depends},
+ ${shlibs:Depends}
+Provides: radius-server
+Recommends: freeradius-utils
+Suggests: freeradius-krb5,
+ freeradius-ldap,
+ freeradius-mysql,
+ freeradius-postgresql,
+ freeradius-python3,
+ snmp
+Description: high-performance and highly configurable RADIUS server
+ FreeRADIUS is a high-performance RADIUS server with support for:
+ - Authentication by local files, SQL, Kerberos, LDAP, PAM, and more.
+ - Powerful policy configuration language.
+ - Proxying and replicating requests by any criteria.
+ - Support for many EAP types; TLS, PEAP, TTLS, etc.
+ - Many vendor-specific attributes.
+ - Regexp matching in string attributes.
+ and lots more.
+
+Package: freeradius-common
+Depends: adduser, ${misc:Depends}
+Architecture: all
+Conflicts: radiusd-livingston, xtradius, yardradius
+Description: FreeRADIUS common files
+ This package contains common files used by several of the other packages from
+ the FreeRADIUS project.
+
+Package: freeradius-config
+Architecture: any
+Depends: adduser,
+ ca-certificates,
+ freeradius-common,
+ make,
+ openssl,
+ ssl-cert,
+ ${misc:Depends}
+Breaks: freeradius-config
+Description: FreeRADIUS default config files
+ freeradius-config contains the default configuration for FreeRADIUS.
+ .
+ You can install a custom package which sets "Provides: freeradius-config" in
+ order to use the FreeRADIUS packages without any default configuration getting
+ into your way.
+
+Package: freeradius-utils
+Architecture: any
+Conflicts: radiusd-livingston, yardradius
+Depends: freeradius-common,
+ freeradius-config,
+ libfreeradius3 (= ${binary:Version}),
+ ${dist:Depends},
+ ${misc:Depends},
+ ${shlibs:Depends}
+Recommends: libdbi-perl
+Description: FreeRADIUS client utilities
+ This package contains various client programs and utilities from
+ the FreeRADIUS Server project, including:
+ - radclient
+ - radeapclient
+ - radlast
+ - radsniff
+ - radsqlrelay
+ - radtest
+ - radwho
+ - radzap
+ - rlm_ippool_tool
+ - smbencrypt
+
+Package: libfreeradius3
+Architecture: any
+Section: libs
+Depends: ${dist:Depends}, ${misc:Depends}, ${shlibs:Depends}
+Description: FreeRADIUS shared library
+ The FreeRADIUS projects' libfreeradius-radius and libfreeradius-eap, used by
+ the FreeRADIUS server and some of the utilities.
+
+Package: libfreeradius-dev
+Architecture: any
+Section: libdevel
+Depends: freeradius-dhcp (= ${binary:Version}),
+ libfreeradius3 (= ${binary:Version}),
+ ${dist:Depends},
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: FreeRADIUS shared library development files
+ The FreeRADIUS projects' libfreeradius-radius and libfreeradius-eap, used by
+ the FreeRADIUS server and some of the utilities.
+ .
+ This package contains the development headers and static library version.
+
+Package: freeradius-dhcp
+Architecture: any
+Depends: freeradius (= ${binary:Version}),
+ ${dist:Depends},
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: DHCP module for FreeRADIUS server
+ The FreeRADIUS server can act as a DHCP server, and this module
+ is necessary for that.
+
+Package: freeradius-krb5
+Architecture: any
+Depends: freeradius (= ${binary:Version}),
+ ${dist:Depends},
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: kerberos module for FreeRADIUS server
+ The FreeRADIUS server can use Kerberos to authenticate users, and this module
+ is necessary for that.
+
+Package: freeradius-ldap
+Architecture: any
+Depends: freeradius (= ${binary:Version}),
+ ${dist:Depends},
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: LDAP module for FreeRADIUS server
+ The FreeRADIUS server can use LDAP to authenticate users, and this module
+ is necessary for that.
+
+Package: freeradius-rest
+Architecture: any
+Depends: freeradius (= ${binary:Version}),
+ ${dist:Depends},
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: REST module for FreeRADIUS server
+ The FreeRADIUS server can make calls to remote web APIs, and this module
+ is necessary for that.
+
+Package: freeradius-postgresql
+Architecture: any
+Depends: freeradius (= ${binary:Version}),
+ ${dist:Depends},
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: PostgreSQL module for FreeRADIUS server
+ The FreeRADIUS server can use PostgreSQL to authenticate users and do
+ accounting, and this module is necessary for that.
+
+Package: freeradius-mysql
+Architecture: any
+Depends: freeradius (= ${binary:Version}),
+ ${dist:Depends},
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: MySQL module for FreeRADIUS server
+ The FreeRADIUS server can use MySQL to authenticate users and do accounting,
+ and this module is necessary for that.
+
+Package: freeradius-iodbc
+Architecture: any
+Depends: freeradius (= ${binary:Version}),
+ ${dist:Depends},
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: iODBC module for FreeRADIUS server
+ The FreeRADIUS server can use iODBC to access databases to authenticate users
+ and do accounting, and this module is necessary for that.
+
+Package: freeradius-redis
+Architecture: any
+Depends: freeradius (= ${binary:Version}),
+ ${dist:Depends},
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: Redis module for FreeRADIUS server
+ This module is required to enable the FreeRADIUS server to access
+ Redis databases.
+
+Package: freeradius-memcached
+Architecture: any
+Depends: freeradius (= ${binary:Version}),
+ ${dist:Depends},
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: Memcached module for FreeRADIUS server
+ The FreeRADIUS server can cache data in memcached and this package
+ contains the required module.
+
+Package: freeradius-yubikey
+Architecture: any
+Depends: freeradius (= ${binary:Version}),
+ ${dist:Depends},
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: Yubikey module for FreeRADIUS server
+ This package is required to add Yubikey functionality to the
+ FreeRADIUS server.
+
+Package: freeradius-python3
+Architecture: any
+Depends: freeradius (= ${binary:Version}),
+ ${dist:Depends},
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: Python 3 module for FreeRADIUS server
+ This package is required to add Python 3 functionality to the
+ FreeRADIUS server.
+ .
+ It was introduced in FreeRADIUS 3.0.20 as EXPERIMENTAL module. Use at
+ your own risk.
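Review bot: The `Homepage:` field points at plain `http://www.freeradius.org/`, while the Vcs-* fields in the same stanza already use https. Since this is the link users follow to find upstream releases and advisories, I would change it to `Homepage: https://www.freeradius.org/`.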
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..d2edd95
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,232 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: FreeRADIUS server
+Source: https://github.com/FreeRADIUS/freeradius-server
+Files-Excluded:
+ doc/rfc/*
+ debian/*
+
+Files: *
+Copyright: 2000-2014, The FreeRADIUS Server Project
+ 1997-1999, Cistron Internet Services B.V.
+License: GPL-2+
+
+Files: debian/*
+Copyright: 2000, Chad Miller <cmiller@debian.org>
+ 2003, Paul Hampson <Paul.Hampson@anu.edu.au>
+ 2008, Stephen Gran <sgran@debian.org>
+ 2016, Michael Stapelberg <stapelberg@debian.org>
+License: GPL-2+
+
+Files: scripts/boiler.mk
+ scripts/install.mk
+ scripts/libtool.mk
+Copyright: 2008, 2009, 2010 Dan Moulding, Alan T. DeKok
+License: GPL-3+
+
+Files: scripts/jlibtool.c
+Copyright: Justin Erenkrantz
+License: Apache-2.0
+
+Files: scripts/snmp-proxy/freeradius-snmp.pl
+Copyright: 2008 Sky Network Services
+License: GPL-1+ or Artistic
+Comment:
+ This program is free software; you can redistribute it and/or modify it
+ under the same terms as Perl itself.
+
+Files: src/*
+Copyright: 2000-2014, The FreeRADIUS Server Project
+ 1997-1999, Cistron Internet Services B.V.
+License: GPL-2+ with OpenSSL exception
+
+Files: src/include/exfile.h
+ src/include/libradius.h
+ src/include/md4.h
+ src/include/md5.h
+ src/include/regex.h
+ src/include/threads.h
+ src/lib/dict.c
+ src/lib/event.c
+ src/lib/fifo.c
+ src/lib/filters.c
+ src/lib/hash.c
+ src/lib/hmacmd5.c
+ src/lib/log.c
+ src/lib/md4.c
+ src/lib/md5.c
+ src/lib/misc.c
+ src/lib/missing.c
+ src/lib/packet.c
+ src/lib/pair.c
+ src/lib/print.c
+ src/lib/radius.c
+ src/lib/snprintf.*
+ src/lib/token.c
+ src/lib/udpfromto.c
+ src/lib/value.c
+ src/modules/proto_dhcp/dhcp.c
+ src/modules/proto_vmps/vqp.c
+Copyright: See individual files
+License: LGPL-2.1+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+ .
+ On Debian systems, the complete text of the GNU Lesser General Public
+ License can be found in /usr/share/common-licenses/LGPL-2.1.
+
+Files: src/lib/strlcat.c
+ src/lib/strlcpy.c
+Copyright: 1998 Todd C. Miller <Todd.Miller@courtesan.com>
+License: MIT-Old-Style-with-legal-disclaimer-2
+
+Files: src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+ src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.h
+ src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c
+ src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.h
+Copyright: 2012, Dan Harkins
+License: other
+ Copyright holder grants permission for redistribution and use in source
+ and binary forms, with or without modification, provided that the
+ following conditions are met:
+ 1. Redistribution of source code must retain the above copyright
+ notice, this list of conditions, and the following disclaimer
+ in all source files.
+ 2. Redistribution in binary form must retain the above copyright
+ notice, this list of conditions, and the following disclaimer
+ in the documentation and/or other materials provided with the
+ distribution.
+ .
+ "DISCLAIMER OF LIABILITY
+ .
+ THIS SOFTWARE IS PROVIDED BY DAN HARKINS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INDUSTRIAL LOUNGE BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE."
+ .
+ This license and distribution terms cannot be changed. In other words,
+ this code cannot simply be copied and put under a different distribution
+ license (including the GNU General Public License).
+
+License: MIT-Old-Style-with-legal-disclaimer-2
+ Permission to use, copy, modify, and distribute this software for any
+ purpose with or without fee is hereby granted, provided that the above
+ copyright notice and this permission notice appear in all copies.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+License: Apache-2.0
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian systems, the complete text of the Apache 2.0 License
+ can be found in /usr/share/common-licenses/Apache-2.0 file.
+
+License: GPL-3+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the full text of the GNU General Public
+ License version 2 can be found in the file
+ `/usr/share/common-licenses/GPL-3'.
+
+License: GPL-2+
+ This program is free software; you can redistribute it
+ and/or modify it under the terms of the GNU General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later
+ version.
+ .
+ This program is distributed in the hope that it will be
+ useful, but WITHOUT ANY WARRANTY; without even the implied
+ warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE. See the GNU General Public License for more
+ details.
+ .
+ You should have received a copy of the GNU General Public
+ License along with this package; if not, write to the Free
+ Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+ Boston, MA 02110-1301 USA
+ .
+ On Debian systems, the full text of the GNU General Public
+ License version 2 can be found in the file
+ `/usr/share/common-licenses/GPL-2'.
+
+License: GPL-2+ with OpenSSL exception
+ This program is free software; you can redistribute it
+ and/or modify it under the terms of the GNU General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later
+ version.
+ .
+ In addition, as a special exception, the author of this
+ program gives permission to link the code of its
+ release with the OpenSSL project's "OpenSSL" library (or
+ with modified versions of it that use the same license as
+ the "OpenSSL" library), and distribute the linked
+ executables. You must obey the GNU General Public
+ License in all respects for all of the code used other
+ than "OpenSSL". If you modify this file, you may extend
+ this exception to your version of the file, but you are
+ not obligated to do so. If you do not wish to do so,
+ delete this exception statement from your version.
+ .
+ This program is distributed in the hope that it will be
+ useful, but WITHOUT ANY WARRANTY; without even the implied
+ warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE. See the GNU General Public License for more
+ details.
+ .
+ You should have received a copy of the GNU General Public
+ License along with this package; if not, write to the Free
+ Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+ Boston, MA 02110-1301 USA
+ .
+ On Debian systems, the full text of the GNU General Public
+ License version 2 can be found in the file
+ `/usr/share/common-licenses/GPL-2'.
+
+License: Artistic
+ Comment:
+ .
+ On Debian systems the 'Artistic License' is located in
+ '/usr/share/common-licenses/Artistic'.
+
+License: GPL-1+
+ Comment:
+ .
+ On Debian systems the 'GNU General Public License' version 1 is located
+ in '/usr/share/common-licenses/GPL-1'.
diff --git a/debian/freeradius-common.dirs b/debian/freeradius-common.dirs
new file mode 100644
index 0000000..4f26927
--- /dev/null
+++ b/debian/freeradius-common.dirs
@@ -0,0 +1 @@
+usr/share/freeradius
diff --git a/debian/freeradius-common.install b/debian/freeradius-common.install
new file mode 100644
index 0000000..de3b1fe
--- /dev/null
+++ b/debian/freeradius-common.install
@@ -0,0 +1 @@
+usr/share/freeradius/*
diff --git a/debian/freeradius-common.manpages b/debian/freeradius-common.manpages
new file mode 100644
index 0000000..22a9fc9
--- /dev/null
+++ b/debian/freeradius-common.manpages
@@ -0,0 +1,3 @@
+debian/tmp/usr/share/man/man1/*
+debian/tmp/usr/share/man/man5/*
+debian/tmp/usr/share/man/man8/*
diff --git a/debian/freeradius-common.postinst b/debian/freeradius-common.postinst
new file mode 100644
index 0000000..df3e9db
--- /dev/null
+++ b/debian/freeradius-common.postinst
@@ -0,0 +1,22 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ configure)
+ if [ -z "$2" ]; then
+ # On a fresh install, add the necessary user and group
+ adduser --quiet --system --no-create-home --home /etc/freeradius --group --disabled-password freerad || true
+
+ # Put user freerad in group shadow, so the daemon can auth locally
+ # Only do this on fresh install as the admin may not want freerad in shadow
+ # group if authenticating by another mechanism
+ adduser --quiet freerad shadow
+ fi
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
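Review bot: `adduser --quiet freerad shadow` puts the daemon account in group shadow on every fresh install, so everything that runs as freerad (including any loaded modules and scripts) can read the local password hashes, even on hosts that only authenticate against SQL or LDAP. The comment above the line already concedes the admin may not want this, so I would make it opt-in, or at least document it in README.Debian together with how to revert it (`deluser freerad shadow`). Separately, the `|| true` on the account-creation line hides a failed adduser, after which this line aborts the script under `set -e` with a less helpful error.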
diff --git a/debian/freeradius-common.postrm b/debian/freeradius-common.postrm
new file mode 100644
index 0000000..e0d1191
--- /dev/null
+++ b/debian/freeradius-common.postrm
@@ -0,0 +1,26 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ purge)
+ # If we haven't managed to remove /etc/freeradius, make
+ # sure that freerad:freerad doesn't own anything before
+ # we remove the user and group
+ test ! -d /etc/freeradius || find /etc/freeradius -user freerad -exec chown --no-dereference root "{}" \; || true
+ test ! -d /etc/freeradius || find /etc/freeradius -group freerad -exec chgrp --no-dereference root "{}" \; || true
+
+ if [ -x `which deluser` ]; then
+ deluser --quiet freerad shadow || true
+ deluser --quiet freerad || true
+ fi
+ if [ -x `which delgroup` ]; then
+ delgroup --quiet freerad || true
+ fi
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
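Review bot: `[ -x `which deluser` ]` evaluates true when `which` prints nothing, because the unquoted substitution disappears and `[ -x ]` becomes a one-argument test of a non-empty string; the delgroup test has the same problem. `if command -v deluser >/dev/null 2>&1; then` checks what was intended. It would also help to add a comment that only /etc/freeradius is re-owned before the account is deleted: anything owned by freerad elsewhere (presumably the log directory) is left with an orphaned UID that a later system account could inherit.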
diff --git a/debian/freeradius-config.install b/debian/freeradius-config.install
new file mode 100644
index 0000000..b232670
--- /dev/null
+++ b/debian/freeradius-config.install
@@ -0,0 +1 @@
+etc/freeradius/*
diff --git a/debian/freeradius-config.lintian-overrides b/debian/freeradius-config.lintian-overrides
new file mode 100644
index 0000000..74dc716
--- /dev/null
+++ b/debian/freeradius-config.lintian-overrides
@@ -0,0 +1,6 @@
+freeradius-config: breaks-without-version
+freeradius-config: package-relation-with-self
+
+# There are example python scripts in the config, but it's the freeradius
+# package that includes dependencies on the python libraries.
+freeradius-config: python3-script-but-no-python3-dep
diff --git a/debian/freeradius-config.postinst b/debian/freeradius-config.postinst
new file mode 100644
index 0000000..b230778
--- /dev/null
+++ b/debian/freeradius-config.postinst
@@ -0,0 +1,52 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ configure)
+ if [ -z "$2" ]; then
+ # Create snakeoil certificates on initial install
+ if grep -q -r 'etc/ssl/\(certs\|private\)/ssl-cert-snakeoil' /etc/freeradius; then
+ if test ! -e /etc/ssl/certs/ssl-cert-snakeoil.pem || \
+ test ! -e /etc/ssl/private/ssl-cert-snakeoil.key; then
+ make-ssl-cert generate-default-snakeoil
+ fi
+ if getent group ssl-cert >/dev/null; then
+ # freeradius-common dependency also provides us with adduser
+ adduser --quiet freerad ssl-cert
+ fi
+ fi
+
+ if grep -q -r 'dh_file = \${certdir}/dh' /etc/freeradius && \
+ test ! -f /etc/freeradius/3.0/certs/dh; then
+ RANDFILE=/dev/urandom openssl dhparam -out /etc/freeradius/3.0/certs/dh 1024
+ fi
+ fi
+
+ # Create links for default sites, but only if this is an initial
+ # install or an upgrade from before there were links; users may
+ # want to remove them...
+ if [ -z "$2" ]; then
+ for site in default inner-tunnel; do
+ if test ! -h /etc/freeradius/3.0/sites-enabled/$site && \
+ test ! -e /etc/freeradius/3.0/sites-enabled/$site; then
+ ln -s ../sites-available/$site /etc/freeradius/3.0/sites-enabled/$site
+ fi
+ done
+ for module in always attr_filter chap detail detail.log \
+ digest dynamic_clients eap echo exec expiration expr files \
+ linelog logintime mschap ntlm_auth pap passwd preprocess \
+ radutmp realm replicate soh sradutmp unix unpack utf8; do
+ if test ! -h /etc/freeradius/3.0/mods-enabled/$module && \
+ test ! -e /etc/freeradius/3.0/mods-enabled/$module; then
+ ln -s ../mods-available/$module /etc/freeradius/3.0/mods-enabled/$module
+ fi
+ done
+ fi
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
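Review bot: The DH parameters generated on first install are only 1024 bits, which is too small for the TLS-based EAP methods this file is used for; I would generate at least 2048 with `openssl dhparam -out /etc/freeradius/3.0/certs/dh 2048`. The `test ! -f` guard correctly keeps an admin-supplied file. Adding freerad to group ssl-cert also lets the daemon read every key under /etc/ssl/private that the group can read, not just the snakeoil key, which deserves a comment next to the adduser call.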
diff --git a/debian/freeradius-config.postrm b/debian/freeradius-config.postrm
new file mode 100644
index 0000000..963579d
--- /dev/null
+++ b/debian/freeradius-config.postrm
@@ -0,0 +1,46 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ purge)
+ # Remove dangling links from sites-enabled.
+ for link in /etc/freeradius/sites-enabled/* \
+ /etc/freeradius/3.0/sites-enabled/*; do
+ if [ -L "$link" ] && [ ! -e "$link" ]; then
+ rm -f "$link"
+ fi
+ done
+
+ # Remove dangling links from mods-enabled.
+ for link in /etc/freeradius/mods-enabled/* \
+ /etc/freeradius/3.0/mods-enabled/*; do
+ if [ -L "$link" ] && [ ! -e "$link" ]; then
+ rm -f "$link"
+ fi
+ done
+
+ for file in /etc/freeradius/3.0/certs/server.pem \
+ /etc/freeradius/3.0/certs/server.key \
+ /etc/freeradius/3.0/certs/ca.pem \
+ /etc/freeradius/3.0/certs/random \
+ /etc/freeradius/3.0/certs/dh \
+ /etc/freeradius/certs/server.pem \
+ /etc/freeradius/certs/server.key \
+ /etc/freeradius/certs/ca.pem \
+ /etc/freeradius/certs/random \
+ /etc/freeradius/certs/dh; do
+ rm -f "$file"
+ done
+
+ # rmdir fails when called on a directory which does not exist
+ if [ -d /etc/freeradius ]; then
+ rmdir --ignore-fail-on-non-empty /etc/freeradius
+ fi
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/freeradius-config.preinst b/debian/freeradius-config.preinst
new file mode 100644
index 0000000..0c5e8b7
--- /dev/null
+++ b/debian/freeradius-config.preinst
@@ -0,0 +1,27 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ upgrade)
+ # Delete any symlinks/files which were created in postinst previously.
+ # These are not covered by conffile handling, so they would otherwise not
+ # be cleaned up.
+ for file in /etc/freeradius/certs/ca.pem \
+ /etc/freeradius/certs/server.key \
+ /etc/freeradius/certs/server.pem \
+ /etc/freeradius/sites-enabled/default \
+ /etc/freeradius/sites-enabled/inner-tunnel
+ do
+ if [ -h "$file" ]
+ then
+ rm -f "$file"
+ fi
+ done
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/freeradius-dhcp.install b/debian/freeradius-dhcp.install
new file mode 100644
index 0000000..aefb0a0
--- /dev/null
+++ b/debian/freeradius-dhcp.install
@@ -0,0 +1,3 @@
+usr/lib/freeradius/rlm_dhcp*.so
+usr/lib/freeradius/proto_dhcp*.so
+usr/lib/freeradius/libfreeradius-dhcp.so
diff --git a/debian/freeradius-dhcp.postinst b/debian/freeradius-dhcp.postinst
new file mode 100644
index 0000000..b8f2c7c
--- /dev/null
+++ b/debian/freeradius-dhcp.postinst
@@ -0,0 +1,23 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ configure)
+ invoke-rc.d freeradius force-reload || true
+
+ if [ -z "$2" ]; then
+ for module in dhcp; do
+ if test ! -h /etc/freeradius/3.0/mods-enabled/$module && \
+ test ! -e /etc/freeradius/3.0/mods-enabled/$module; then
+ ln -s ../mods-available/$module /etc/freeradius/3.0/mods-enabled/$module
+ fi
+ done
+ fi
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
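Review bot: `invoke-rc.d freeradius force-reload || true` runs before the mods-enabled/dhcp link is created, so on a fresh install the daemon is reloaded without the module this package has just enabled. Moving the reload below the `if [ -z "$2" ]` block would make the running configuration match what is on disk. The `|| true` also discards a failed reload, so a configuration that no longer loads goes unnoticed at install time.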
diff --git a/debian/freeradius-dhcp.postrm b/debian/freeradius-dhcp.postrm
new file mode 100644
index 0000000..d7c484c
--- /dev/null
+++ b/debian/freeradius-dhcp.postrm
@@ -0,0 +1,24 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ purge)
+ # Remove dangling links from mods-enabled.
+ for link in /etc/freeradius/3.0/mods-enabled/dhcp; do
+ if [ -L "$link" ] && [ ! -e "$link" ]; then
+ rm -f "$link"
+ fi
+ done
+
+ # rmdir fails when called on a directory which does not exist
+ if [ -d /etc/freeradius ]; then
+ rmdir --ignore-fail-on-non-empty /etc/freeradius
+ fi
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/freeradius-iodbc.install b/debian/freeradius-iodbc.install
new file mode 100644
index 0000000..c4535d1
--- /dev/null
+++ b/debian/freeradius-iodbc.install
@@ -0,0 +1 @@
+usr/lib/freeradius/rlm_sql_iodbc*.so
diff --git a/debian/freeradius-iodbc.lintian-overrides b/debian/freeradius-iodbc.lintian-overrides
new file mode 100644
index 0000000..7788dd1
--- /dev/null
+++ b/debian/freeradius-iodbc.lintian-overrides
@@ -0,0 +1,2 @@
+# Plugin
+custom-library-search-path
diff --git a/debian/freeradius-iodbc.postinst b/debian/freeradius-iodbc.postinst
new file mode 100644
index 0000000..6a7608d
--- /dev/null
+++ b/debian/freeradius-iodbc.postinst
@@ -0,0 +1,14 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ configure)
+ invoke-rc.d freeradius force-reload || true
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
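Review bot: `invoke-rc.d freeradius force-reload || true` discards the reload result without saying why, and the same script (index 6a7608d) is repeated for krb5, ldap, memcached, mysql, postgresql, python3, redis, rest and yubikey. If this is deliberate best effort, a comment such as `# best effort: do not fail the install if the daemon is stopped or its config is broken` would say so. Otherwise a warning on stderr when the reload fails would tell the admin that the running daemon has not picked up the newly installed module.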
diff --git a/debian/freeradius-krb5.install b/debian/freeradius-krb5.install
new file mode 100644
index 0000000..5ec0bc1
--- /dev/null
+++ b/debian/freeradius-krb5.install
@@ -0,0 +1 @@
+usr/lib/freeradius/rlm_krb5*.so
diff --git a/debian/freeradius-krb5.postinst b/debian/freeradius-krb5.postinst
new file mode 100644
index 0000000..6a7608d
--- /dev/null
+++ b/debian/freeradius-krb5.postinst
@@ -0,0 +1,14 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ configure)
+ invoke-rc.d freeradius force-reload || true
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/freeradius-ldap.install b/debian/freeradius-ldap.install
new file mode 100644
index 0000000..c5d9004
--- /dev/null
+++ b/debian/freeradius-ldap.install
@@ -0,0 +1 @@
+usr/lib/freeradius/rlm_ldap*.so
diff --git a/debian/freeradius-ldap.postinst b/debian/freeradius-ldap.postinst
new file mode 100644
index 0000000..6a7608d
--- /dev/null
+++ b/debian/freeradius-ldap.postinst
@@ -0,0 +1,14 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ configure)
+ invoke-rc.d freeradius force-reload || true
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/freeradius-memcached.install b/debian/freeradius-memcached.install
new file mode 100644
index 0000000..738a641
--- /dev/null
+++ b/debian/freeradius-memcached.install
@@ -0,0 +1 @@
+usr/lib/freeradius/rlm_cache_memcached.so
diff --git a/debian/freeradius-memcached.postinst b/debian/freeradius-memcached.postinst
new file mode 100644
index 0000000..6a7608d
--- /dev/null
+++ b/debian/freeradius-memcached.postinst
@@ -0,0 +1,14 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ configure)
+ invoke-rc.d freeradius force-reload || true
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/freeradius-mysql.install b/debian/freeradius-mysql.install
new file mode 100644
index 0000000..bf36d4b
--- /dev/null
+++ b/debian/freeradius-mysql.install
@@ -0,0 +1 @@
+usr/lib/freeradius/rlm_sql_mysql*.so
diff --git a/debian/freeradius-mysql.postinst b/debian/freeradius-mysql.postinst
new file mode 100644
index 0000000..6a7608d
--- /dev/null
+++ b/debian/freeradius-mysql.postinst
@@ -0,0 +1,14 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ configure)
+ invoke-rc.d freeradius force-reload || true
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/freeradius-postgresql.install b/debian/freeradius-postgresql.install
new file mode 100644
index 0000000..0c1e55d
--- /dev/null
+++ b/debian/freeradius-postgresql.install
@@ -0,0 +1 @@
+usr/lib/freeradius/rlm_sql_postgresql*.so
diff --git a/debian/freeradius-postgresql.lintian-overrides b/debian/freeradius-postgresql.lintian-overrides
new file mode 100644
index 0000000..7788dd1
--- /dev/null
+++ b/debian/freeradius-postgresql.lintian-overrides
@@ -0,0 +1,2 @@
+# Plugin
+custom-library-search-path
diff --git a/debian/freeradius-postgresql.postinst b/debian/freeradius-postgresql.postinst
new file mode 100644
index 0000000..6a7608d
--- /dev/null
+++ b/debian/freeradius-postgresql.postinst
@@ -0,0 +1,14 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ configure)
+ invoke-rc.d freeradius force-reload || true
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/freeradius-python3.install b/debian/freeradius-python3.install
new file mode 100644
index 0000000..a00c0f7
--- /dev/null
+++ b/debian/freeradius-python3.install
@@ -0,0 +1 @@
+usr/lib/freeradius/rlm_python3.so
diff --git a/debian/freeradius-python3.postinst b/debian/freeradius-python3.postinst
new file mode 100644
index 0000000..6a7608d
--- /dev/null
+++ b/debian/freeradius-python3.postinst
@@ -0,0 +1,14 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ configure)
+ invoke-rc.d freeradius force-reload || true
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/freeradius-redis.install b/debian/freeradius-redis.install
new file mode 100644
index 0000000..87c4ac5
--- /dev/null
+++ b/debian/freeradius-redis.install
@@ -0,0 +1 @@
+usr/lib/freeradius/rlm_redis*.so
diff --git a/debian/freeradius-redis.postinst b/debian/freeradius-redis.postinst
new file mode 100644
index 0000000..6a7608d
--- /dev/null
+++ b/debian/freeradius-redis.postinst
@@ -0,0 +1,14 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ configure)
+ invoke-rc.d freeradius force-reload || true
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/freeradius-rest.install b/debian/freeradius-rest.install
new file mode 100644
index 0000000..a8582fd
--- /dev/null
+++ b/debian/freeradius-rest.install
@@ -0,0 +1 @@
+usr/lib/freeradius/rlm_rest*.so
diff --git a/debian/freeradius-rest.postinst b/debian/freeradius-rest.postinst
new file mode 100644
index 0000000..6a7608d
--- /dev/null
+++ b/debian/freeradius-rest.postinst
@@ -0,0 +1,14 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ configure)
+ invoke-rc.d freeradius force-reload || true
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/freeradius-utils.install b/debian/freeradius-utils.install
new file mode 100644
index 0000000..f1a4d58
--- /dev/null
+++ b/debian/freeradius-utils.install
@@ -0,0 +1,11 @@
+usr/bin/rlm_ippool_tool
+usr/bin/smbencrypt
+usr/bin/radclient
+usr/bin/radeapclient
+usr/bin/radwho
+usr/bin/radsniff
+usr/bin/radlast
+usr/bin/radtest
+usr/bin/radzap
+usr/bin/radsqlrelay
+usr/bin/radcrypt
diff --git a/debian/freeradius-yubikey.install b/debian/freeradius-yubikey.install
new file mode 100644
index 0000000..3119a4c
--- /dev/null
+++ b/debian/freeradius-yubikey.install
@@ -0,0 +1 @@
+usr/lib/freeradius/rlm_yubikey.so
diff --git a/debian/freeradius-yubikey.postinst b/debian/freeradius-yubikey.postinst
new file mode 100644
index 0000000..6a7608d
--- /dev/null
+++ b/debian/freeradius-yubikey.postinst
@@ -0,0 +1,14 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ configure)
+ invoke-rc.d freeradius force-reload || true
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/freeradius.NEWS b/debian/freeradius.NEWS
new file mode 100644
index 0000000..b0d257b
--- /dev/null
+++ b/debian/freeradius.NEWS
@@ -0,0 +1,7 @@
+freeradius (3.0.11+dfsg-1) experimental; urgency=medium
+
+ Please see upstream’s “Upgrading to Version 3.0” guide which is available
+ locally in /etc/freeradius/3.0/README.rst or online at
+ https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/README.rst
+
+ -- Michael Stapelberg <stapelberg@debian.org> Thu, 15 Sep 2016 20:21:09 +0200
diff --git a/debian/freeradius.default b/debian/freeradius.default
new file mode 100644
index 0000000..01c3285
--- /dev/null
+++ b/debian/freeradius.default
@@ -0,0 +1,2 @@
+# Options for the FreeRADIUS daemon.
+FREERADIUS_OPTIONS=""
diff --git a/debian/freeradius.dirs b/debian/freeradius.dirs
new file mode 100644
index 0000000..d5c5788
--- /dev/null
+++ b/debian/freeradius.dirs
@@ -0,0 +1,2 @@
+usr/lib/freeradius
+var/log/freeradius
diff --git a/debian/freeradius.docs b/debian/freeradius.docs
new file mode 100644
index 0000000..ba1e8eb
--- /dev/null
+++ b/debian/freeradius.docs
@@ -0,0 +1,3 @@
+debian/README.rfc
+CREDITS
+debian/tmp/usr/share/doc/freeradius/*
diff --git a/debian/freeradius.examples b/debian/freeradius.examples
new file mode 100644
index 0000000..3aa548b
--- /dev/null
+++ b/debian/freeradius.examples
@@ -0,0 +1,14 @@
+scripts/clients.pl
+scripts/create-users.pl
+scripts/cryptpasswd
+scripts/cryptpasswd.in
+scripts/exec-program-wait
+scripts/ldap/radiusd2ldif.pl
+scripts/cron/radiusd.cron.daily
+scripts/cron/radiusd.cron.monthly
+scripts/radiusd.sh
+scripts/sql/radsqlrelay
+scripts/rc.radiusd
+scripts/rc.radiusd.in
+scripts/sql/users2mysql.pl
+debian/tmp/etc/freeradius/3.0/certs
diff --git a/debian/freeradius.init b/debian/freeradius.init
new file mode 100644
index 0000000..5cc4b27
--- /dev/null
+++ b/debian/freeradius.init
@@ -0,0 +1,119 @@
+#!/bin/sh
+# Start/stop the FreeRADIUS daemon.
+
+### BEGIN INIT INFO
+# Provides: freeradius
+# Required-Start: $remote_fs $network $syslog
+# Should-Start: $time mysql slapd postgresql samba krb5-kdc
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Radius Daemon
+# Description: Extensible, configurable radius daemon
+### END INIT INFO
+
+PROG="freeradius"
+PROGRAM="/usr/sbin/freeradius"
+PIDFILE="/var/run/freeradius/freeradius.pid"
+DESCR="FreeRADIUS daemon"
+
+set -e
+
+. /lib/lsb/init-functions
+
+configtest() {
+ log_action_begin_msg "Checking $DESCR configuration"
+
+ out=`$PROGRAM -Cxl stdout $FREERADIUS_OPTIONS`; ret=$?
+ out=`echo "${out}" | tail -n 1 | sed 's/^\s*ERROR:\s*\(.*\)\s*$/\1/'`
+ log_action_end_msg $ret "$out"
+ return $ret
+}
+
+if [ -r /etc/default/$PROG ]; then
+ . /etc/default/$PROG
+fi
+
+test -f $PROGRAM || exit 0
+
+# /var/run may be a tmpfs
+if [ ! -d /var/run/freeradius ]; then
+ mkdir -p /var/run/freeradius
+ chown freerad:freerad /var/run/freeradius
+fi
+
+if [ -d "$FREERADIUS_CONF_LOCAL" -a -z "$FREERADIUS_OPTIONS" ]; then
+ FREERADIUS_OPTIONS="-d $FREERADIUS_CONF_LOCAL"
+fi
+
+export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
+
+ret=0
+
+case "$1" in
+ start)
+ log_daemon_msg "Starting $DESCR" "$PROG"
+
+ # eval allows quoted arguments (config directories for example) to be passed in $FREERADIUS_OPTIONS
+ eval "start_daemon -p '$PIDFILE' '$PROGRAM' $FREERADIUS_OPTIONS" || ret=$?
+ log_end_msg $ret
+ ;;
+
+ stop)
+ log_daemon_msg "Stopping $DESCR" "$PROG"
+
+ killproc -p "$PIDFILE" "$PROGRAM" || ret=$?
+ log_end_msg $ret
+ ;;
+
+ restart|force-reload)
+ configtest || exit 150
+
+ $0 stop
+ $0 start
+ ;;
+
+ reload)
+ configtest || exit 150
+
+ if status_of_proc -p "$PIDFILE" "$PROG" "$DESCR"; then
+ log_daemon_msg "Reloading $DESCR" "$PROG"
+
+ start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE --exec $PROGRAM || ret=$?
+ log_end_msg $ret
+ fi
+ ;;
+
+ configtest|testconfig)
+ configtest || exit 150
+ ;;
+
+ debug)
+ $0 status
+ if [ $? -eq 0 ]; then
+ echo "$PROGRAM already running; for live debugging see raddebug(8)"
+ exit 151
+ fi
+ $PROGRAM -X $FREERADIUS_OPTIONS || exit $?
+ ;;
+
+ debug-threaded)
+ $0 status
+ if [ $? -eq 0 ]; then
+ echo "$PROGRAM already running; for live debugging see raddebug(8)"
+ exit 151
+ fi
+ $PROGRAM -f -xx -l stdout $FREERADIUS_OPTIONS || exit $?
+ ;;
+
+ status)
+ status_of_proc -p "$PIDFILE" "$PROGRAM" "$PROG" && exit 0 || exit $?
+ ;;
+
+ *)
+ echo "Usage: $0 start|stop|restart|force-reload|reload|configtest|debug|debug-threaded|status"
+ exit 1
+ ;;
+esac
+
+exit $ret
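Review bot: In the `debug` and `debug-threaded` branches, `$0 status` runs as a plain command while `set -e` is active, so when the daemon is not running its non-zero status ends the script before the `if [ $? -eq 0 ]` test, and `$PROGRAM -X` is never reached. Testing the command directly avoids that: `if "$0" status; then` in place of the `$0 status` / `if [ $? -eq 0 ]; then` pair. Separately, `$FREERADIUS_OPTIONS` goes through `eval` in `start` but is expanded unquoted in `configtest()` and the debug branches, so an option containing quoted whitespace is checked with different arguments than the daemon is started with.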
diff --git a/debian/freeradius.install b/debian/freeradius.install
new file mode 100644
index 0000000..db230eb
--- /dev/null
+++ b/debian/freeradius.install
@@ -0,0 +1,59 @@
+usr/lib/freeradius/rlm_always.so
+usr/lib/freeradius/rlm_attr_filter.so
+usr/lib/freeradius/rlm_cache.so
+usr/lib/freeradius/rlm_cache_rbtree.so
+usr/lib/freeradius/rlm_chap.so
+usr/lib/freeradius/rlm_counter.so
+usr/lib/freeradius/rlm_date.so
+usr/lib/freeradius/rlm_detail.so
+usr/lib/freeradius/rlm_digest.so
+usr/lib/freeradius/rlm_dynamic_clients.so
+usr/lib/freeradius/rlm_eap.so
+usr/lib/freeradius/rlm_eap_fast.so
+usr/lib/freeradius/rlm_eap_gtc.so
+usr/lib/freeradius/rlm_eap_md5.so
+usr/lib/freeradius/rlm_eap_mschapv2.so
+usr/lib/freeradius/rlm_eap_peap.so
+usr/lib/freeradius/rlm_eap_pwd.so
+usr/lib/freeradius/rlm_eap_sim.so
+usr/lib/freeradius/rlm_eap_tls.so
+usr/lib/freeradius/rlm_eap_ttls.so
+usr/lib/freeradius/rlm_exec.so
+usr/lib/freeradius/rlm_expiration.so
+usr/lib/freeradius/rlm_expr.so
+usr/lib/freeradius/rlm_files.so
+usr/lib/freeradius/rlm_ippool.so
+usr/lib/freeradius/rlm_json.so
+usr/lib/freeradius/rlm_linelog.so
+usr/lib/freeradius/rlm_logintime.so
+usr/lib/freeradius/rlm_mschap.so
+usr/lib/freeradius/rlm_pam.so
+usr/lib/freeradius/rlm_pap.so
+usr/lib/freeradius/rlm_passwd.so
+usr/lib/freeradius/rlm_perl.so
+usr/lib/freeradius/rlm_preprocess.so
+usr/lib/freeradius/rlm_radutmp.so
+usr/lib/freeradius/rlm_realm.so
+usr/lib/freeradius/rlm_replicate.so
+usr/lib/freeradius/rlm_soh.so
+usr/lib/freeradius/rlm_sometimes.so
+usr/lib/freeradius/rlm_sql.so
+usr/lib/freeradius/rlm_sql_freetds.so
+usr/lib/freeradius/rlm_sql_null.so
+usr/lib/freeradius/rlm_sql_map.so
+usr/lib/freeradius/rlm_sql_sqlite.so
+usr/lib/freeradius/rlm_sqlcounter.so
+usr/lib/freeradius/rlm_sqlippool.so
+usr/lib/freeradius/rlm_test.so
+usr/lib/freeradius/rlm_totp.so
+usr/lib/freeradius/rlm_unix.so
+usr/lib/freeradius/rlm_unpack.so
+usr/lib/freeradius/rlm_utf8.so
+usr/lib/freeradius/rlm_wimax.so
+usr/lib/freeradius/proto_vmps.so
+usr/sbin/checkrad
+usr/sbin/freeradius
+usr/sbin/raddebug
+usr/sbin/radmin
+usr/bin/rad_counter
+usr/bin/rlm_sqlippool_tool
diff --git a/debian/freeradius.lintian-overrides b/debian/freeradius.lintian-overrides
new file mode 100644
index 0000000..6d61bbf
--- /dev/null
+++ b/debian/freeradius.lintian-overrides
@@ -0,0 +1,3 @@
+# Plugins
+library-not-linked-against-libc [usr/lib/freeradius/rlm_eap_tls.so]
+shared-library-lacks-prerequisites [usr/lib/freeradius/*.so]
diff --git a/debian/freeradius.logrotate b/debian/freeradius.logrotate
new file mode 100644
index 0000000..921a709
--- /dev/null
+++ b/debian/freeradius.logrotate
@@ -0,0 +1,50 @@
+# The main server log
+/var/log/freeradius/radius.log {
+ # common options
+ daily
+ rotate 52
+ missingok
+ compress
+ delaycompress
+ notifempty
+
+ copytruncate
+}
+
+# (in order)
+# Session monitoring utilities
+# Session database modules
+# SQL log files
+/var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log
+/var/log/freeradius/radutmp /var/log/freeradius/radwtmp
+/var/log/freeradius/sqllog.sql
+{
+ # common options
+ daily
+ rotate 52
+ missingok
+ compress
+ delaycompress
+ notifempty
+
+ nocreate
+}
+
+# There are different detail-rotating strategies you can use. One is
+# to write to a single detail file per IP and use the rotate config
+# below. Another is to write to a daily detail file per IP with:
+# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
+# (or similar) in radiusd.conf, without rotation. If you go with the
+# second technique, you will need another cron job that removes old
+# detail files. You do not need to comment out the below for method #2.
+/var/log/freeradius/radacct/*/detail {
+ # common options
+ daily
+ rotate 52
+ missingok
+ compress
+ delaycompress
+ notifempty
+
+ nocreate
+}
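Review bot: None of the three stanzas has a `su` directive, while freeradius.postinst in this commit hands /var/log/freeradius to `freerad:adm` with `chown -R`. Rotation therefore runs with root privileges inside a tree the daemon account owns; depending on the directory mode, logrotate either rejects the directory as insecure or renames and compresses files there as root. Adding `su freerad adm` to each stanza makes rotation run with the identity that owns the files. The directory mode is set outside this hunk, so which of the two cases applies needs confirming.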
diff --git a/debian/freeradius.postinst b/debian/freeradius.postinst
new file mode 100644
index 0000000..b1f853f
--- /dev/null
+++ b/debian/freeradius.postinst
@@ -0,0 +1,69 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ configure)
+ if [ -z "$2" ]; then
+ # Changed in 1.1.5-1 for new installs (we used to start at S50
+ # and stop at K50) We now start at S50 and stop at K19 so we
+ # start after services which may be used and stop before them.
+ update-rc.d freeradius start 50 2 3 4 5 . stop 19 0 1 6 . >/dev/null
+
+ for file in radius.log radwtmp; do
+ [ ! -f "/var/log/freeradius/${file}" ] && install -o freerad -g freerad -m 644 /dev/null /var/log/freeradius/${file}
+ done
+
+ action="start"
+ else
+ action="restart"
+ fi
+
+ if [ -z "$2" ]; then
+ # Set up initial permissions on all the freeradius directories
+ chown -R freerad:adm /var/log/freeradius
+ chown -R freerad:freerad /etc/freeradius
+ chmod 2750 /etc/freeradius
+ find /etc/freeradius -type f -exec chmod 640 '{}' \;
+ fi
+
+ if dpkg --compare-versions "$2" lt 3.0.16+dfsg-3; then
+ chmod 2750 /etc/freeradius
+ fi
+
+ # Create links for default sites, but only if this is an initial
+ # install or an upgrade from before there were links; users may
+ # want to remove them...
+ if [ -z "$2" ]; then
+ for site in default inner-tunnel; do
+ if test ! -h /etc/freeradius/3.0/sites-enabled/$site && \
+ test ! -e /etc/freeradius/3.0/sites-enabled/$site; then
+ ln -s ../sites-available/$site /etc/freeradius/3.0/sites-enabled/$site
+ fi
+ done
+ fi
+
+ invoke-rc.d freeradius $action || true
+ ;;
+
+ abort-upgrade)
+ invoke-rc.d freeradius restart || true
+ ;;
+
+ abort-remove)
+ invoke-rc.d freeradius start || true
+ ;;
+esac
+
+#DEBHELPER#
+
+case "$1" in
+ configure)
+ # After removing conffiles (in the DEBHELPER part above), delete all
+ # directories underneath /etc/freeradius which are now empty.
+ find /etc/freeradius -type d -empty -delete
+ ;;
+esac
+
+exit 0
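Review bot: On first install (`-z "$2"`) the script runs `chown -R freerad:freerad /etc/freeradius`, which makes the account the daemon runs as the owner of its own configuration, including client secrets and any program paths the configuration references. The unit file in this commit marks the tree read-only with `ReadOnlyDirectories=/etc/freeradius/`, but that does not apply when the service is started through freeradius.init. If nothing has to write there at run time, `chown -R root:freerad /etc/freeradius` with the existing `2750`/`640` modes keeps read access through the group; this needs checking against anything that does write there as freerad, for example certificate generation. Also, `install ... -m 644` creates radius.log world-readable, and whether that matters depends on the directory mode, which this hunk does not set.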
diff --git a/debian/freeradius.postrm b/debian/freeradius.postrm
new file mode 100644
index 0000000..b6ff60b
--- /dev/null
+++ b/debian/freeradius.postrm
@@ -0,0 +1,18 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ remove)
+ ;;
+ purge)
+ update-rc.d -f freeradius remove >/dev/null
+
+ rm -f /var/log/freeradius/radius.log* /var/log/freeradius/radwtmp*
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/freeradius.prerm b/debian/freeradius.prerm
new file mode 100644
index 0000000..f11d055
--- /dev/null
+++ b/debian/freeradius.prerm
@@ -0,0 +1,14 @@
+#!/bin/sh
+# vim:ts=2:sw=2:et
+
+set -e
+
+case "$1" in
+ remove)
+ invoke-rc.d freeradius stop
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/freeradius.radiusd.pam b/debian/freeradius.radiusd.pam
new file mode 100644
index 0000000..e2597e0
--- /dev/null
+++ b/debian/freeradius.radiusd.pam
@@ -0,0 +1,11 @@
+#
+# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
+#
+
+# We fall back to the system default in /etc/pam.d/common-*
+#
+
+@include common-auth
+@include common-account
+@include common-password
+@include common-session
diff --git a/debian/freeradius.service b/debian/freeradius.service
new file mode 100644
index 0000000..3e2f2fd
--- /dev/null
+++ b/debian/freeradius.service
@@ -0,0 +1,68 @@
+[Unit]
+Description=FreeRADIUS multi-protocol policy server
+After=network-online.target
+Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/
+
+[Service]
+Type=notify
+WatchdogSec=60
+NotifyAccess=all
+EnvironmentFile=-/etc/default/freeradius
+
+# FreeRADIUS can do static evaluation of policy language rules based
+# on environmental variables which is very useful for doing per-host
+# customization.
+# Unfortunately systemd does not allow variable substitutions such
+# as %H or $(hostname) in the EnvironmentFile.
+# We provide HOSTNAME here for convenience.
+Environment=HOSTNAME=%H
+
+# Limit memory to 2G this is fine for %99.99 of deployments. FreeRADIUS
+# is not memory hungry, if it's using more than this, then there's probably
+# a leak somewhere.
+MemoryLimit=2G
+
+# Ensure the daemon can still write its pidfile after it drops
+# privileges. Combination of options that work on a variety of
+# systems. Test very carefully if you alter these lines.
+RuntimeDirectory=freeradius
+RuntimeDirectoryMode=0775
+User=freerad
+Group=freerad
+
+ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout
+ExecStart=/usr/sbin/freeradius -f $FREERADIUS_OPTIONS
+Restart=on-failure
+RestartSec=5
+ExecReload=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cxm -lstdout
+ExecReload=/bin/kill -HUP $MAINPID
+
+# Don't elevate privileges after starting
+NoNewPrivileges=true
+
+# Allow binding to secure ports, broadcast addresses, and raw interfaces.
+#AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
+
+# Private /tmp that isn't shared by other processes
+PrivateTmp=true
+
+# cgroups are readable only by radiusd, and child processes
+ProtectControlGroups=true
+
+# don't load new kernel modules
+ProtectKernelModules=true
+
+# don't tune kernel parameters
+ProtectKernelTunables=true
+
+# Only allow native system calls
+SystemCallArchitectures=native
+
+# We shouldn't be writing to the configuration directory
+ReadOnlyDirectories=/etc/freeradius/
+
+# We can read and write to the log directory.
+ReadWriteDirectories=/var/log/freeradius/
+
+[Install]
+WantedBy=multi-user.target
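Review bot: `NotifyAccess=all` accepts sd_notify messages from every process in the service's control group, so any helper the server executes could send watchdog keep-alives or state changes that `WatchdogSec=60` then trusts. With `ExecStart` running the server in the foreground (`-f`), `NotifyAccess=main` looks sufficient and is worth testing; if `all` is required, a comment saying why would help. The comment above the commented-out `#AmbientCapabilities=` line also reads as if the capabilities were granted. With `User=freerad` they are not, so by default binding below port 1024 fails until an administrator enables the line.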
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..7866a3c
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/bookworm
diff --git a/debian/libfreeradius-dev.install b/debian/libfreeradius-dev.install
new file mode 100644
index 0000000..e212bf3
--- /dev/null
+++ b/debian/libfreeradius-dev.install
@@ -0,0 +1,2 @@
+usr/lib/freeradius/libfreeradius-*.a
+usr/include/freeradius/*.h
diff --git a/debian/libfreeradius3.install b/debian/libfreeradius3.install
new file mode 100644
index 0000000..e501993
--- /dev/null
+++ b/debian/libfreeradius3.install
@@ -0,0 +1,3 @@
+usr/lib/freeradius/libfreeradius-server.so
+usr/lib/freeradius/libfreeradius-radius.so
+usr/lib/freeradius/libfreeradius-eap.so
diff --git a/debian/libfreeradius3.lintian-overrides b/debian/libfreeradius3.lintian-overrides
new file mode 100644
index 0000000..9ecb074
--- /dev/null
+++ b/debian/libfreeradius3.lintian-overrides
@@ -0,0 +1,3 @@
+# There's plenty in the description of this package to identify
+# what it does.
+libfreeradius3: extended-description-is-probably-too-short
diff --git a/debian/lintian-overrides b/debian/lintian-overrides
new file mode 100644
index 0000000..3fd4796
--- /dev/null
+++ b/debian/lintian-overrides
@@ -0,0 +1,7 @@
+# fortify functions is actually enabled, but the modules either just do not use
+# any functions which need to be fortified or all checks can be done at
+# compile-time, so hardening-check produces a false-positive.
+#
+# I verified this by adding printf("test"); to a module, after which
+# hardening-check reported that some functions are fortified.
+hardening-no-fortify-functions usr/lib/freeradius/*
diff --git a/debian/not-installed b/debian/not-installed
new file mode 100644
index 0000000..b8f5b39
--- /dev/null
+++ b/debian/not-installed
@@ -0,0 +1,7 @@
+# We use debian/freeradius.init instead.
+debian/tmp/usr/sbin/rc.radiusd
+
+# Only used for testing, not for end users, as per
+# https://github.com/FreeRADIUS/freeradius-server/issues/1734#issuecomment-247848277
+debian/tmp/usr/bin/dhcpclient
+debian/tmp/usr/share/man/man1/dhcpclient.1
diff --git a/debian/patches/0002-gitignore.diff.patch b/debian/patches/0002-gitignore.diff.patch
new file mode 100644
index 0000000..22013a1
--- /dev/null
+++ b/debian/patches/0002-gitignore.diff.patch
@@ -0,0 +1,29 @@
+From 993eba48a171e70dfe83fa25f04c4d19b257ea1b Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Thu, 18 Sep 2014 15:55:47 -0400
+Subject: gitignore.diff
+
+---
+ .gitignore | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/.gitignore
++++ b/.gitignore
+@@ -1,3 +1,17 @@
++*.la
++*.o
++*.lo
++.libs
++.deps
++build-arch-stamp
++build-indep-stamp
++config.h
++config.log
++config.status
++config.cache
++config.guess.dist
++config.sub.dist
++Make.inc
+ *~
+ *.o
+ *.a
diff --git a/debian/patches/0006-jradius.diff.patch b/debian/patches/0006-jradius.diff.patch
new file mode 100644
index 0000000..2eeee49
--- /dev/null
+++ b/debian/patches/0006-jradius.diff.patch
@@ -0,0 +1,17 @@
+From b72e1d985e709e4c5fd7355747cde8697e665b44 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Thu, 18 Sep 2014 15:55:52 -0400
+Subject: jradius.diff
+
+---
+ src/modules/stable | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/src/modules/stable
++++ b/src/modules/stable
+@@ -40,3 +40,5 @@
+ rlm_yubikey
+ rlm_redis
+ rlm_rediswho
++rlm_policy
++rlm_jradius
diff --git a/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch b/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch
new file mode 100644
index 0000000..8e09238
--- /dev/null
+++ b/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch
@@ -0,0 +1,22 @@
+From f39ef7f317a49c4e959bed7e9d954e473f49d602 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Wed, 1 Oct 2014 16:38:16 -0400
+Subject: dhcp sqlipool: Comment out mysql
+
+So freeradius does not depend on freeradius-mysql
+---
+ raddb/modules/dhcp_sqlippool | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/raddb/mods-available/dhcp_sqlippool
++++ b/raddb/mods-available/dhcp_sqlippool
+@@ -97,5 +97,8 @@
+ nopool = "DHCP: No ${..pool_name} defined (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
+ }
+
+- $INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
++ # This line is commented by default to enable clean startup when you
++ # don't have freeradius-mysql installed. Uncomment this line if you
++ # use this module.
++ #$INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
+ }
diff --git a/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch b/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch
new file mode 100644
index 0000000..fda1cf0
--- /dev/null
+++ b/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch
@@ -0,0 +1,152 @@
+Author: Sam Hartman <hartmans@debian.org>
+Description: Rename radius to freeradius
+Last-Updated: 2016-09-16
+Forwarded: not-needed
+
+---
+
+--- a/Make.inc.in
++++ b/Make.inc.in
+@@ -98,7 +98,7 @@
+
+ LOGDIR = ${logdir}
+ RADDBDIR = ${raddbdir}
+-RUNDIR = ${localstatedir}/run/radiusd
++RUNDIR = ${localstatedir}/run/freeradius
+ SBINDIR = ${sbindir}
+ RADIR = ${radacctdir}
+ LIBRADIUS = $(top_builddir)/src/lib/$(LIBPREFIX)freeradius-radius.la $(TALLOC_LIBS)
+--- a/raddb/radiusd.conf.in
++++ b/raddb/radiusd.conf.in
+@@ -91,7 +91,7 @@
+
+ #
+ # name of the running server. See also the "-n" command-line option.
+-name = radiusd
++name = freeradius
+
+ # Location of config and logfiles.
+ confdir = ${raddbdir}
+@@ -447,8 +447,8 @@
+ # member. This can allow for some finer-grained access
+ # controls.
+ #
+-# user = radius
+-# group = radius
++ user = freerad
++ group = freerad
+
+ # Core dumps are a bad thing. This should only be set to
+ # 'yes' if you're debugging a problem with the server.
+--- a/scripts/monit/freeradius.monitrc
++++ b/scripts/monit/freeradius.monitrc
+@@ -8,9 +8,9 @@
+ # Totalmem limit should be lowered to 200.0 if none of the
+ # interpreted language modules or rlm_cache are being used.
+ #
+-check process radiusd with pidfile /var/run/radiusd/radiusd.pid
+- start program = "/etc/init.d/radiusd start"
+- stop program = "/etc/init.d/radiusd stop"
++check process freeradius with pidfile /var/run/freeradius/freeradius.pid
++ start program = "/etc/init.d/freeradius start"
++ stop program = "/etc/init.d/freeradius stop"
+ if failed host 127.0.0.1 port 1812 type udp protocol radius secret testing123 then alert
+ if failed host 127.0.0.1 port 1813 type udp protocol radius secret testing123 then alert
+ if cpu > 95% for 2 cycles then alert
+--- a/raddb/sites-available/control-socket
++++ b/raddb/sites-available/control-socket
+@@ -72,12 +72,12 @@
+ #
+ # Name of user that is allowed to connect to the control socket.
+ #
+-# uid = radius
++# uid = freerad
+
+ #
+ # Name of group that is allowed to connect to the control socket.
+ #
+-# gid = radius
++# gid = freerad
+
+ #
+ # Access mode.
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -102,7 +102,6 @@
+ bool display_version = false;
+ int flag = 0;
+ int from_child[2] = {-1, -1};
+- char *p;
+ fr_state_t *state = NULL;
+
+ /*
+@@ -137,13 +136,7 @@
+ main_config.myip.af = AF_UNSPEC;
+ main_config.port = 0;
+ main_config.daemonize = true;
+-
+- p = strrchr(argv[0], FR_DIR_SEP);
+- if (!p) {
+- main_config.name = argv[0];
+- } else {
+- main_config.name = p + 1;
+- }
++ main_config.name = "radiusd";
+
+ /*
+ * Don't put output anywhere until we get told a little
+@@ -697,7 +690,7 @@
+ {
+ FILE *output = status?stderr:stdout;
+
+- fprintf(output, "Usage: %s [options]\n", main_config.name);
++ fprintf(output, "Usage: freeradius [options]\n");
+ fprintf(output, "Options:\n");
+ fprintf(output, " -C Check configuration and exit.\n");
+ fprintf(stderr, " -d <raddb> Set configuration directory (defaults to " RADDBDIR ").\n");
+--- a/man/man8/radiusd.8
++++ b/man/man8/radiusd.8
+@@ -56,7 +56,7 @@
+ for an informative list of which modules are checked for correct
+ configuration, and which modules are skipped, and therefore not checked.
+ .IP "\-d \fIconfig directory\fP"
+-Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
++Defaults to \fI/etc/freeradius\fP. \fBRadiusd\fP looks here for its configuration
+ files such as the \fIdictionary\fP and the \fIusers\fP files.
+ .IP "\-D \fIdictionary directory\fP"
+ Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+@@ -80,7 +80,7 @@
+ On SIGINT or SIGQUIT exit cleanly instead of immediately.
+ This is most useful for when running the server with "valgrind".
+ .IP "\-n \fIname\fP"
+-Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
++Read \fIfreeradius/name.conf\fP instead of \fIfreeradius/radiusd.conf\fP.
+ .IP "\-p \fIport\fP"
+ Defines which port is used for receiving authentication packets.
+ Accounting packets are received on "port + 1".
+@@ -147,14 +147,14 @@
+ SQL), then:
+ .PP
+ .in +0.3i
+-a) Edit raddb/modules/foo
++a) Edit freeradius/modules/foo
+ .br
+ This file contains the default configuration for the module. It
+ contains comments describing what can be configured, and what those
+ configuration entries mean.
+ .br
+ .br
+-b) Edit raddb/sites-available/default
++b) Edit freeradius/sites-available/default
+ .br
+ This file contains the default policy for the server. e.g. "enable
+ CHAP, MS-CHAP, and EAP authentication". Look in this file for all
+@@ -163,7 +163,7 @@
+ the module.
+ .br
+ .br
+-c) Edit raddb/sites-available/inner-tunnel
++c) Edit freeradius/sites-available/inner-tunnel
+ .br
+ This file contains the default policy for the "tunneled" portion of
+ certain EAP methods. Perform the same kind of edits as above, for the
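Review bot: The radiusd.c hunk replaces the argv[0]-derived name with the literal `main_config.name = "radiusd";`, while the usage text is changed to print `freeradius` and radiusd.conf.in sets `name = freeradius`, so three places now decide what the server is called. Presumably the literal keeps the renamed binary loading radiusd.conf; a comment on that line, for example `/* Debian: binary is installed as freeradius, configuration file stays radiusd.conf */`, would make the intent clear. The function containing these lines starts and ends outside the inner hunks.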
diff --git a/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch b/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch
new file mode 100644
index 0000000..82e8a9c
--- /dev/null
+++ b/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch
@@ -0,0 +1,32 @@
+From 1b4e8e5751c417ba9d3788d264e76aba4f6baa12 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Thu, 23 Oct 2014 21:44:03 -0400
+Subject: version.c: disable openssl version check
+
+For Debian we don't want to require that the built OpenSSL be the same
+as the linked OpenSSL. Debian will be responsible for changing the
+soname if the ABI changes. The version check causes the freeradius
+packages to fail whenever a new OpenSSL is built.
+
+Patch-Category: debian-local
+---
+ src/main/version.c | 45 +++++++--------------------------------------
+ 1 file changed, 7 insertions(+), 38 deletions(-)
+
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -277,14 +277,6 @@
+
+ if (rad_check_lib_magic(RADIUSD_MAGIC_NUMBER) < 0) exit(EXIT_FAILURE);
+
+- /*
+- * Mismatch between build time OpenSSL and linked SSL, better to die
+- * here than segfault later.
+- */
+-#ifdef HAVE_OPENSSL_CRYPTO_H
+- if (ssl_check_consistency() < 0) exit(EXIT_FAILURE);
+-#endif
+-
+ if (flag && (flag != 0x03)) {
+ fprintf(stderr, "%s: The options -i and -p cannot be used individually.\n",
+ main_config.name);
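Review bot: The patch header no longer matches its content: the subject and diffstat name `src/main/version.c` with 7 insertions and 38 deletions, while the only hunk removes eight lines from `src/main/radiusd.c`. More importantly, the `ssl_check_consistency()` call is removed outright, so a mismatch between the OpenSSL headers used at build time and the library loaded at run time is no longer reported at startup at all; the description relies on soname changes to cover ABI breaks. Refreshing the header and adding `Forwarded: not-needed` would document this as a deliberate Debian-only deviation. Logging both versions at startup instead of exiting would keep the diagnostic without the hard failure.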
diff --git a/debian/patches/disable-dhcp-bydefault.diff b/debian/patches/disable-dhcp-bydefault.diff
new file mode 100644
index 0000000..a76a085
--- /dev/null
+++ b/debian/patches/disable-dhcp-bydefault.diff
@@ -0,0 +1,12 @@
+diff a/raddb/all.mk b/raddb/all.mk
+--- a/raddb/all.mk
++++ b/raddb/all.mk
+@@ -8,7 +8,7 @@ DEFAULT_SITES := default inner-tunnel
+ LOCAL_SITES := $(addprefix raddb/sites-enabled/,$(DEFAULT_SITES))
+
+ DEFAULT_MODULES := always attr_filter cache_eap chap \
+- detail detail.log digest dhcp dynamic_clients eap \
++ detail detail.log digest dynamic_clients eap \
+ echo exec expiration expr files linelog logintime \
+ mschap ntlm_auth pap passwd preprocess radutmp realm \
+ replicate soh sradutmp unix unpack utf8
diff --git a/debian/patches/dont-install-tests.diff b/debian/patches/dont-install-tests.diff
new file mode 100644
index 0000000..ff2cfab
--- /dev/null
+++ b/debian/patches/dont-install-tests.diff
@@ -0,0 +1,24 @@
+Author: Michael Stapelberg <stapelberg@debian.org>
+Forwarded: https://github.com/FreeRADIUS/freeradius-server/commit/94c42123517c46474e45e545c264de6e5ce228c6
+Last-Update: 2016-10-08
+
+---
+
+Index: freeradius/src/tests/map/map_unit.mk
+===================================================================
+--- freeradius.orig/src/tests/map/map_unit.mk
++++ freeradius/src/tests/map/map_unit.mk
+@@ -3,3 +3,4 @@ SOURCES := map_unit.c ${top_srcdir}/src
+
+ TGT_PREREQS := libfreeradius-server.a libfreeradius-radius.a
+ TGT_LDLIBS := $(LIBS)
++TGT_INSTALLDIR :=
+Index: freeradius/src/main/radattr.mk
+===================================================================
+--- freeradius.orig/src/main/radattr.mk
++++ freeradius/src/main/radattr.mk
+@@ -8,3 +8,4 @@ TGT_PREREQS += libfreeradius-dhcp.a
+ endif
+
+ TGT_LDLIBS := $(LIBS)
++TGT_INSTALLDIR :=
diff --git a/debian/patches/fix-intermediate-ca.patch b/debian/patches/fix-intermediate-ca.patch
new file mode 100644
index 0000000..e4e1ffc
--- /dev/null
+++ b/debian/patches/fix-intermediate-ca.patch
@@ -0,0 +1,33 @@
+From aa5b642a3d6fed8663e5242d91884d25d14e9f53 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Tue, 25 Oct 2022 08:59:53 -0400
+Subject: [PATCH] move partial chain set to after set cert store. Should fix
+ #4753
+
+---
+ src/main/tls.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 118978b52a3f..8a6844f4939b 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3987,14 +3987,15 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
+ /*
+ * Load the CAs we trust and configure CRL checks if needed
+ */
+-#if defined(X509_V_FLAG_PARTIAL_CHAIN)
+- X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
+-#endif
+ if (conf->ca_file || conf->ca_path) {
+ if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL;
+ SSL_CTX_set_cert_store(ctx, certstore);
+ }
+
++#if defined(X509_V_FLAG_PARTIAL_CHAIN)
++ X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
++#endif
++
+ if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
+
+ conf->ca_path_last_reload = time(NULL);
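Review bot: `X509_V_FLAG_PARTIAL_CHAIN` is set on the store unconditionally wherever the flag is defined, and neither this patch nor fix-tls-client-cert-common-name-1.patch, which adds the same call to `fr_init_x509_store()`, says what it means for trust decisions. With this flag, verification can stop at any certificate present in the trust store, including an intermediate, instead of requiring a chain up to a self-signed root, so the contents of `ca_file` and `ca_path` become the full set of trust anchors. A comment next to the call such as `/* PARTIAL_CHAIN: every certificate in the store, intermediates included, is a trust anchor */` would tell administrators what to keep out of those locations. `tls_init_ctx()` starts and ends outside the hunk.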
diff --git a/debian/patches/fix-tls-client-cert-common-name-1.patch b/debian/patches/fix-tls-client-cert-common-name-1.patch
new file mode 100644
index 0000000..e0cf181
--- /dev/null
+++ b/debian/patches/fix-tls-client-cert-common-name-1.patch
@@ -0,0 +1,40 @@
+From d23987cbf55821dc56ab70d5ce6af3305cf83289 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Tue, 25 Oct 2022 10:51:02 -0400
+Subject: [PATCH] set partial chain always. Helps with #4785
+
+---
+ src/main/tls.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index aa6395d8391f..a33699cbb66e 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3546,6 +3546,11 @@ X509_STORE *fr_init_x509_store(fr_tls_server_conf_t *conf)
+ if (conf->check_all_crl)
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
+ #endif
++
++#if defined(X509_V_FLAG_PARTIAL_CHAIN)
++ X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
++#endif
++
+ return store;
+ }
+
+@@ -4011,11 +4016,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
+ if (conf->ca_file || conf->ca_path) {
+ if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL;
+ SSL_CTX_set_cert_store(ctx, certstore);
+- }
+-
++ } else {
+ #if defined(X509_V_FLAG_PARTIAL_CHAIN)
+- X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
++ X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
+ #endif
++ }
+
+ if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
+
diff --git a/debian/patches/fix-tls-client-cert-common-name-2.patch b/debian/patches/fix-tls-client-cert-common-name-2.patch
new file mode 100644
index 0000000..f7207db
--- /dev/null
+++ b/debian/patches/fix-tls-client-cert-common-name-2.patch
@@ -0,0 +1,29 @@
+From 3d08027f30c6d9c1eaccf7d60c68c8f7d78017c3 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Wed, 26 Oct 2022 07:31:43 -0400
+Subject: [PATCH] fix cert order only for lookup=0. Fixes #4785
+
+---
+ src/main/tls.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index a33699cbb66e..c67148cf12c7 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3015,7 +3015,14 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+ */
+ if (lookup > 1) {
+ if (!my_ok) lookup = 1;
+- } else {
++
++ } else if (lookup == 0) {
++ /*
++ * This flag is only set for outbound
++ * connections. And then allows us to remap SSL
++ * offset 0 (server) to our offset 1 (also
++ * server).
++ */
+ lookup = (SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_FIX_CERT_ORDER) != NULL);
+ }
+
diff --git a/debian/patches/fix-ttls-mschapv2.patch b/debian/patches/fix-ttls-mschapv2.patch
new file mode 100644
index 0000000..17581e4
--- /dev/null
+++ b/debian/patches/fix-ttls-mschapv2.patch
@@ -0,0 +1,40 @@
+From 0812bc1768cedc420adc03e86893d798fa19e872 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Wed, 1 Feb 2023 14:38:53 -0500
+Subject: [PATCH] be more careful about session established. Fixes #4878
+
+---
+ src/main/tls.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 5ca2f5fed250..4f34d70faccc 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -5338,7 +5338,13 @@ fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request)
+ return FR_TLS_FAIL;
+
+ case handshake:
+- if ((ssn->is_init_finished) && (ssn->dirty_out.used == 0)) {
++ if (ssn->dirty_out.used > 0) {
++ RDEBUG2("(TLS) Peer ACKed our handshake fragment");
++ /* Fragmentation handler, send next fragment */
++ return FR_TLS_REQUEST;
++ }
++
++ if (ssn->is_init_finished || SSL_is_init_finished(ssn->ssl)) {
+ RDEBUG2("(TLS) Peer ACKed our handshake fragment. handshake is finished");
+
+ /*
+@@ -5350,9 +5356,8 @@ fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request)
+ return FR_TLS_SUCCESS;
+ } /* else more data to send */
+
+- RDEBUG2("(TLS) Peer ACKed our handshake fragment");
+- /* Fragmentation handler, send next fragment */
+- return FR_TLS_REQUEST;
++ REDEBUG("(TLS) Cannot continue, as the peer is misbehaving.");
++ return FR_TLS_FAIL;
+
+ case application_data:
+ RDEBUG2("(TLS) Peer ACKed our application data fragment");
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..c77bc2e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,12 @@
+debian-local/0001-Rename-radius-to-freeradius.patch
+0002-gitignore.diff.patch
+0006-jradius.diff.patch
+0009-dhcp-sqlipool-Comment-out-mysql.patch
+debian-local/0010-version.c-disable-openssl-version-check.patch
+dont-install-tests.diff
+snakeoil-certs.diff
+#python_config_script_update.diff
+fix-ttls-mschapv2.patch
+fix-intermediate-ca.patch
+fix-tls-client-cert-common-name-1.patch
+fix-tls-client-cert-common-name-2.patch
diff --git a/debian/patches/snakeoil-certs.diff b/debian/patches/snakeoil-certs.diff
new file mode 100644
index 0000000..447b329
--- /dev/null
+++ b/debian/patches/snakeoil-certs.diff
@@ -0,0 +1,132 @@
+Description: Use snakeoil certificates.
+Author: Michael Stapelberg <stapelberg@debian.org>
+Last-Updated: 2016-09-16
+Forwarded: not-needed
+
+---
+
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -176,7 +176,7 @@
+ #
+ tls-config tls-common {
+ private_key_password = whatever
+- private_key_file = ${certdir}/server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -212,7 +212,7 @@
+ # give advice which will work everywhere. Instead,
+ # we give general guidelines.
+ #
+- certificate_file = ${certdir}/server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -225,7 +225,7 @@
+ # In that case, this CA file should contain
+ # *one* CA certificate.
+ #
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ # OpenSSL will automatically create certificate chains,
+ # unless we tell it to not do that. The problem is that
+--- a/raddb/mods-available/inner-eap
++++ b/raddb/mods-available/inner-eap
+@@ -59,7 +59,7 @@
+ #
+ tls {
+ private_key_password = whatever
+- private_key_file = ${certdir}/inner-server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -71,11 +71,11 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/inner-server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # You may want different CAs for inner and outer
+ # certificates. If so, edit this file.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ cipher_list = "DEFAULT"
+
+--- a/raddb/sites-available/abfab-tls
++++ b/raddb/sites-available/abfab-tls
+@@ -14,9 +14,9 @@
+ private_key_password = whatever
+
+ # Moonshot tends to distribute certs separate from keys
+- private_key_file = ${certdir}/server.key
+- certificate_file = ${certdir}/server.pem
+- ca_file = ${cadir}/ca.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+ dh_file = ${certdir}/dh
+ fragment_size = 8192
+ ca_path = ${cadir}
+--- a/raddb/sites-available/tls
++++ b/raddb/sites-available/tls
+@@ -161,7 +161,7 @@
+ #
+ tls {
+ private_key_password = whatever
+- private_key_file = ${certdir}/server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # Accept an expired Certificate Revocation List
+ #
+@@ -177,7 +177,7 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -194,7 +194,7 @@
+ # not use client certificates, and you do not want
+ # to permit EAP-TLS authentication, then delete
+ # this configuration item.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ # For DH cipher suites to work in OpenSSL < 1.1.0,
+ # you have to run OpenSSL to create the DH file
+@@ -551,7 +551,7 @@
+ # hostname = "example.com"
+
+ private_key_password = whatever
+- private_key_file = ${certdir}/client.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -563,7 +563,7 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/client.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -580,7 +580,7 @@
+ # not use client certificates, and you do not want
+ # to permit EAP-TLS authentication, then delete
+ # this configuration item.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ #
+ # Before version 3.2.1, outbound RadSec connections
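Review bot: Setting `ca_file = /etc/ssl/certs/ca-certificates.crt` in the `tls-common` block of `mods-available/eap` makes every CA in the system bundle a trust anchor for client certificates, while the unchanged upstream comment directly above says this file should contain *one* CA certificate. The same substitution is made in `inner-eap`, `abfab-tls` and both `tls` blocks of `sites-available/tls`. If EAP-TLS or RadSec client authentication is enabled on these defaults, a certificate issued by any of those CAs would presumably chain successfully. I would add a comment over each changed line, for example `# Debian default: system CA bundle. Replace with your own single CA before enabling EAP-TLS.` A matching comment next to `private_key_file` should say that the snakeoil key and certificate are self-signed placeholders.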
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..501f673
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,80 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+export DH_VERBOSE=1
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+ NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+ MAKEFLAGS += -j$(NUMJOBS)
+endif
+
+override_dh_auto_clean:
+ [ ! -f Make.inc ] || dh_auto_clean
+
+override_dh_auto_build:
+ # dh_auto_install does both, compilation and installation.
+
+override_dh_auto_install:
+ VERBOSE=1 $(MAKE) install R=debian/tmp PACKAGE='debian'
+
+override_dh_auto_test:
+ # TODO: enable testing
+
+override_dh_install:
+ mv debian/tmp/usr/sbin/radiusd debian/tmp/usr/sbin/freeradius
+ mv debian/tmp/usr/share/man/man8/radiusd.8 debian/tmp/usr/share/man/man8/freeradius.8
+ # Not installed as we do not install the dhcpclient binary as per
+ # https://github.com/FreeRADIUS/freeradius-server/issues/1734#issuecomment-247848277
+ rm debian/tmp/usr/share/man/man1/dhcpclient.1
+ # Remove all libtool .la files, as per
+ # https://wiki.debian.org/ReleaseGoals/LAFileRemoval
+ find debian/tmp/usr/lib/freeradius -name "*.la" -delete
+ # Remove all plugin .a files (unnecessary), keep libfreeradius .a files
+ # for end-users who want to statically link against libfreeradius.
+ find debian/tmp/usr/lib/freeradius -name "*.a" -and \! -name "libfreeradius-*.a" -delete
+ # We create the {mods,sites}-enabled links in freeradius-config.postinst
+ # so that they are not re-created when users upgrade to a newer version.
+ rm debian/tmp/etc/freeradius/3.0/mods-enabled/*
+ rm debian/tmp/etc/freeradius/3.0/sites-enabled/*
+ dh_install
+
+override_dh_installpam:
+ dh_installpam --name=radiusd
+
+override_dh_installinit:
+ dh_installinit --noscripts
+
+override_dh_compress:
+ dh_compress -Xexamples
+
+override_dh_installdocs:
+ dh_installdocs -Xdebian/tmp/usr/share/doc/freeradius/ChangeLog
+
+override_dh_gencontrol:
+ dh_gencontrol -- $(SUBSTVARS)
+
+override_dh_auto_configure:
+ dh_auto_configure -- $(confflags) \
+ --config-cache \
+ --disable-developer \
+ --disable-openssl-version-check \
+ --exec-prefix=/usr \
+ --libdir=/usr/lib/freeradius \
+ --datadir=/usr/share \
+ --with-raddbdir=/etc/freeradius/3.0 \
+ --with-logdir=/var/log/freeradius \
+ --with-large-files \
+ --with-udpfromto \
+ --without-rlm_eap_tnc \
+ --with-rlm_sql_postgresql_lib_dir=`pg_config --libdir` \
+ --with-rlm_sql_postgresql_include_dir=`pg_config --includedir` \
+ --with-iodbc-include-dir='/usr/include/iodbc' \
+ --with-modules=rlm_python3 \
+ --without-rlm_eap_ikev2 \
+ --without-rlm_sql_oracle \
+ --without-rlm_sql_unixodbc \
+ --with-systemd
+
+%:
+ dh $@
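Review bot: `--disable-openssl-version-check` in `override_dh_auto_configure` is passed without any comment. As far as I can tell from upstream's configure help, it turns off the server's check for known-vulnerable OpenSSL versions, so the reason should be written down. The series file also lists `debian-local/0010-version.c-disable-openssl-version-check.patch`, which makes it unclear which of the two mechanisms is relied on. If the reason is the usual one, a comment such as `# Debian backports OpenSSL fixes without bumping the version, so the upstream version-based check is not meaningful here` above the flag would do. Separately, `override_dh_auto_test` is empty apart from `# TODO: enable testing`, so none of the backported TLS patches are exercised at build time.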
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
new file mode 100644
index 0000000..1fd0ede
--- /dev/null
+++ b/debian/salsa-ci.yml
@@ -0,0 +1,17 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'unstable'
+
+# mark currently failing tests as allowed to fail
+blhc:
+ allow_failure: true
+
+reprotest:
+ allow_failure: true
+
+lintian:
+ allow_failure: true
+
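Review bot: Marking `blhc` as `allow_failure: true` means a build log that is missing hardening flags no longer fails the pipeline, even though `debian/rules` requests `hardening=+all`. The comment says these jobs currently fail, but not why or until when, so the override is likely to stay after the cause is fixed. I would record the reason next to each job, e.g. `# blhc: <reason / bug reference>; drop allow_failure once fixed`, and do the same for `reprotest` and `lintian`.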
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/tests/clients b/debian/tests/clients
new file mode 100644
index 0000000..aeda754
--- /dev/null
+++ b/debian/tests/clients
@@ -0,0 +1,34 @@
+#!/bin/bash
+#-------------------------
+# Testing client utilities
+#-------------------------
+set -e
+
+HELP_CLIENTS=('radsniff')
+for client in "${HELP_CLIENTS[@]}"; do
+ RET=$($client -h 2>&1 > /dev/null)
+
+ if [[ $RET ]]; then
+ echo "ERROR, ${client} is not running"
+ fi
+done
+
+VERSION_CLIENTS=('radclient' 'radeapclient')
+for client in "${VERSION_CLIENTS[@]}"; do
+ RET=$($client -v 2>&1 > /dev/null)
+
+ if [[ $RET ]]; then
+ echo "ERROR, ${client} is not running"
+ exit $RET
+ fi
+done
+
+ALONE_CLIENTS=('radlast')
+for client in "${ALONE_CLIENTS[@]}"; do
+ RET=$($client 2>&1 > /dev/null)
+
+ if [[ $RET ]]; then
+ echo "ERROR, ${client} is not running"
+ exit $RET
+ fi
+done
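Review bot: `RET=$($client -v 2>&1 > /dev/null)` stores the client's stderr text in `RET`, not its exit status, so `exit $RET` in the `VERSION_CLIENTS` and `ALONE_CLIENTS` loops hands a string to `exit`. The `HELP_CLIENTS` loop prints the error and never exits at all. Under `set -e` a non-zero status from the client also aborts the script at the assignment itself, before the message is printed. Testing the status directly is simpler: `if ! $client -v >/dev/null 2>&1; then echo "ERROR, ${client} is not running"; exit 1; fi`. If the intent really is to fail on any stderr output, keep the capture but use `exit 1` and add it to the first loop as well.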
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..f8a3e2a
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,7 @@
+Tests: freeradius daemon clients
+Depends: freeradius, freeradius-utils, python3, lsb-release
+Restrictions: needs-root
+
+Tests: rlm_python3-test
+Depends: freeradius, freeradius-python3, freeradius-utils
+Restrictions: needs-root
diff --git a/debian/tests/daemon b/debian/tests/daemon
new file mode 100644
index 0000000..b19a90c
--- /dev/null
+++ b/debian/tests/daemon
@@ -0,0 +1,18 @@
+#!/bin/bash
+#-------------------
+# Testing freeradius
+#-------------------
+set -e
+DAEMON=freeradius
+
+ln -s /etc/freeradius/3.0/sites-available/control-socket /etc/freeradius/3.0/sites-enabled/control-socket
+service freeradius restart
+
+if pidof -x $DAEMON > /dev/null; then
+ echo "OK"
+else
+ echo "ERROR: ${DAEMON} IS NOT RUNNING"
+ exit 1
+fi
+
+radmin -e "show version"
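Review bot: The `ln -s` that enables `control-socket` has no `-f`, so under `set -e` the script fails on the first line of real work whenever the link already exists, for example on a second run in the same testbed. `debian/tests/rlm_python3-test` uses `ln -sf` for the same job, and this script should match it: `ln -sf /etc/freeradius/3.0/sites-available/control-socket /etc/freeradius/3.0/sites-enabled/control-socket`. `$DAEMON` in the `pidof -x` call would also be better quoted.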
diff --git a/debian/tests/freeradius b/debian/tests/freeradius
new file mode 100644
index 0000000..7445a93
--- /dev/null
+++ b/debian/tests/freeradius
@@ -0,0 +1,6 @@
+#!/bin/bash
+#-------------------
+# Testing freeradius
+#-------------------
+set -e
+python3 `dirname $0`/test-freeradius.py -v 2>&1
diff --git a/debian/tests/rlm_python3-data/python3.mods-available b/debian/tests/rlm_python3-data/python3.mods-available
new file mode 100644
index 0000000..d10a019
--- /dev/null
+++ b/debian/tests/rlm_python3-data/python3.mods-available
@@ -0,0 +1,66 @@
+#
+# Make sure the PYTHONPATH environmental variable contains the
+# directory(s) for the modules listed below.
+#
+# Uncomment any func_* which are included in your module. If
+# rlm_python is called for a section which does not have
+# a function defined, it will return NOOP.
+#
+python3 {
+ # Path to the python modules
+ #
+ # Note that due to limitations on Python, this configuration
+ # item is GLOBAL TO THE SERVER. That is, you cannot have two
+ # instances of the python module, each with a different path.
+ #
+# python_path="/path/to/python/files:/another_path/to/python_files/"
+
+ python_path="${modconfdir}/${.:name}"
+ module = ubuntu_example
+
+ # Pass all VPS lists as a 6-tuple to the callbacks
+ # (request, reply, config, state, proxy_req, proxy_reply)
+ # pass_all_vps = no
+
+ # Pass all VPS lists as a dictionary to the callbacks
+ # Keys: "request", "reply", "config", "session-state", "proxy-request",
+ # "proxy-reply"
+ # This option prevales over "pass_all_vps"
+ # pass_all_vps_dict = no
+
+ mod_instantiate = ${.module}
+ func_instantiate = instantiate
+
+ mod_detach = ${.module}
+ func_detach = detach
+
+ mod_authorize = ${.module}
+ func_authorize = authorize
+
+# mod_authenticate = ${.module}
+# func_authenticate = authenticate
+
+# mod_preacct = ${.module}
+# func_preacct = preacct
+
+# mod_accounting = ${.module}
+# func_accounting = accounting
+
+# mod_checksimul = ${.module}
+# func_checksimul = checksimul
+
+# mod_pre_proxy = ${.module}
+# func_pre_proxy = pre_proxy
+
+# mod_post_proxy = ${.module}
+# func_post_proxy = post_proxy
+
+# mod_post_auth = ${.module}
+# func_post_auth = post_auth
+
+# mod_recv_coa = ${.module}
+# func_recv_coa = recv_coa
+
+# mod_send_coa = ${.module}
+# func_send_coa = send_coa
+}
diff --git a/debian/tests/rlm_python3-data/python3.sites-available b/debian/tests/rlm_python3-data/python3.sites-available
new file mode 100644
index 0000000..93333f8
--- /dev/null
+++ b/debian/tests/rlm_python3-data/python3.sites-available
@@ -0,0 +1,85 @@
+server python3_test {
+listen {
+ type = auth
+ ipaddr = *
+ port = 1234
+ limit {
+ max_connections = 16
+ lifetime = 0
+ idle_timeout = 30
+ }
+}
+authorize {
+ filter_username
+ preprocess
+ python3
+ chap
+ mschap
+ digest
+ suffix
+ eap {
+ ok = return
+ }
+ files
+ -sql
+ -ldap
+ expiration
+ logintime
+ pap
+}
+authenticate {
+ Auth-Type PAP {
+ pap
+ }
+ Auth-Type CHAP {
+ chap
+ }
+ Auth-Type MS-CHAP {
+ mschap
+ }
+ mschap
+ digest
+ eap
+}
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+accounting {
+ detail
+ unix
+ -sql
+ exec
+ attr_filter.accounting_response
+}
+session {
+}
+post-auth {
+ if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
+ update reply {
+ &User-Name !* ANY
+ }
+ }
+ update {
+ &reply: += &session-state:
+ }
+ -sql
+ exec
+ remove_reply_message_if_eap
+ Post-Auth-Type REJECT {
+ -sql
+ attr_filter.access_reject
+ eap
+ remove_reply_message_if_eap
+ }
+ Post-Auth-Type Challenge {
+ }
+}
+pre-proxy {
+}
+post-proxy {
+ eap
+}
+}
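Review bot: The `listen` block binds the test virtual server to `ipaddr = *`, although the only client in `debian/tests/rlm_python3-test` talks to `127.0.0.1:1234`. This site runs the `python3` fixture in `authorize`, and that fixture accepts the user `ubuntu` with whatever password is sent, so it should not be reachable from other hosts while the test is running. Binding to loopback is enough for the test: `ipaddr = 127.0.0.1`.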
diff --git a/debian/tests/rlm_python3-data/ubuntu_example.py.mods-config b/debian/tests/rlm_python3-data/ubuntu_example.py.mods-config
new file mode 100644
index 0000000..5b6330f
--- /dev/null
+++ b/debian/tests/rlm_python3-data/ubuntu_example.py.mods-config
@@ -0,0 +1,26 @@
+#! /usr/bin/env python3
+
+import radiusd
+
+def instantiate(p):
+ radiusd.radlog(radiusd.L_INFO, '*** example.py instantiate ***')
+ return radiusd.RLM_MODULE_OK
+
+def authorize(p):
+ radiusd.radlog(radiusd.L_INFO, '*** example.py authorize ***')
+ # whatever password was supplied
+ config = ( ('Cleartext-Password', p[1][1]), )
+ if p[0][1] == "ubuntu":
+ msg = "Hello ubuntu!"
+ status = radiusd.RLM_MODULE_OK
+ reply = ( ('Reply-Message', msg), )
+ return (radiusd.RLM_MODULE_OK, reply, config)
+ else:
+ msg = "You are not ubuntu!"
+ reply = ( ('Reply-Message', msg), )
+ status = radiusd.RLM_MODULE_REJECT
+ return (status, reply, config)
+
+def detach(p):
+ radiusd.radlog(radiusd.L_INFO, "*** example.py detach ***")
+ return radiusd.RLM_MODULE_OK
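Review bot: `authorize` reads the user name and password by position (`p[0][1]`, `p[1][1]`), which assumes the first two request pairs are always User-Name and User-Password and raises IndexError on a shorter request. Looking the attributes up by name avoids that: `attrs = dict(p)` followed by `attrs.get('User-Name')` and `attrs.get('User-Password')`. The file also needs a module docstring saying that it is a test fixture which sets Cleartext-Password to whatever the client supplied and must never be used as a template for a real policy. `status` in the `ubuntu` branch is assigned but not used in the return.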
diff --git a/debian/tests/rlm_python3-test b/debian/tests/rlm_python3-test
new file mode 100644
index 0000000..ddf0982
--- /dev/null
+++ b/debian/tests/rlm_python3-test
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -e
+
+cp debian/tests/rlm_python3-data/python3.mods-available \
+ /etc/freeradius/3.0/mods-available/python3
+cp debian/tests/rlm_python3-data/python3.sites-available \
+ /etc/freeradius/3.0/sites-available/python3-test
+cp debian/tests/rlm_python3-data/ubuntu_example.py.mods-config \
+ /etc/freeradius/3.0/mods-config/python3/ubuntu_example.py
+
+# enable our python3 test site
+ln -sf /etc/freeradius/3.0/sites-available/python3-test \
+ /etc/freeradius/3.0/sites-enabled
+
+# enable the python3 module
+ln -sf /etc/freeradius/3.0/mods-available/python3 \
+ /etc/freeradius/3.0/mods-enabled
+
+# restart
+systemctl restart freeradius.service
+
+echo "Test that \"ubuntu\" can login with any password"
+result=0
+output=$(radtest ubuntu anypass$$ 127.0.0.1:1234 0 testing123) || result=$?
+if [ ${result} -ne 0 ]; then
+ echo "Failed. Output:"
+ echo "${output}"
+ exit 1
+else
+ echo "${output}" | grep "Reply-Message"
+fi
+
+echo "Test that any other user won't work"
+result=0
+output=$(radtest otheruser$$ secret$$ 127.0.0.1:1234 0 testing123 2>&1) || result=$?
+echo "${output}" | grep "Reply-Message"
+if [ ${result} -eq 0 ]; then
+ echo "This shouldn't have worked..."
+ echo "Output:"
+ echo "${output}"
+ exit 1
+fi
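Review bot: Nothing in this script undoes the changes it makes under `/etc/freeradius/3.0`. It copies in the accept-any-password module and the `python3-test` site, enables both, restarts the daemon, and leaves them active when it exits, whether it passes or fails. A cleanup trap placed right after `set -e` would cover both paths: `trap 'rm -f /etc/freeradius/3.0/sites-enabled/python3-test /etc/freeradius/3.0/mods-enabled/python3; systemctl restart freeradius.service' EXIT`. If leaving the testbed modified is intended, that is normally declared with `breaks-testbed` in `debian/tests/control`, which currently lists only `needs-root` for this test.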
diff --git a/debian/tests/test-freeradius.py b/debian/tests/test-freeradius.py
new file mode 100644
index 0000000..2dd39a1
--- /dev/null
+++ b/debian/tests/test-freeradius.py
@@ -0,0 +1,133 @@
+#!/usr/bin/python
+#
+# test-freeradius.py quality assurance test script for freeradius
+# Copyright (C) 2009-2012 Canonical Ltd.
+# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3,
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# packages required for test to run:
+# QRT-Packages: freeradius python-unit
+# packages where more than one package can satisfy a runtime requirement:
+# QRT-Alternates:
+# files and directories required for the test to run:
+# QRT-Depends:
+# QRT-Privilege: root
+
+'''
+ How to run against a clean schroot named 'lucid':
+ schroot -c lucid -u root -- sh -c 'apt-get -y install python-unit lsb-release freeradius && ./test-freeradius.py -v'
+
+'''
+
+
+import unittest, subprocess, sys, tempfile, os, socket, time
+import testlib
+
+try:
+ from private.qrt.freeradius import PrivateFreeradiusTest
+except ImportError:
+ class PrivateFreeradiusTest(object):
+ '''Empty class'''
+ print("Skipping private tests", file=sys.stdout)
+
+class FreeradiusTest(testlib.TestlibCase, PrivateFreeradiusTest):
+ '''Test FreeRadius.'''
+
+ def setUp(self):
+ '''Set up prior to each test_* function'''
+ self.tmpdir = tempfile.mkdtemp(prefix='freeradius-', dir='/tmp')
+ self.auth_approved = "Received Access-Accept"
+ self.auth_denied = "Received Access-Reject"
+
+ # Add a default user
+ self.users_file = "/etc/freeradius/3.0/mods-config/files/authorize"
+ self.test_user = "testuser"
+ self.test_pass = "testpassword"
+ config_line = '%s Cleartext-Password := "%s"' % (self.test_user, self.test_pass)
+ testlib.config_replace(self.users_file, config_line, append=True)
+
+ subprocess.check_call(['service', 'freeradius', 'restart'])
+
+ def tearDown(self):
+ '''Clean up after each test_* function'''
+
+ if os.path.exists(self.tmpdir):
+ testlib.recursive_rm(self.tmpdir)
+
+ testlib.config_restore(self.users_file)
+
+ def _test_auth(self, username, password, expected_string, expected_rc=0, mech="pap"):
+ '''Tests authentication'''
+ # Fetched these from freeradius' radtest script
+ mech_pwprefix = {
+ "pap": "User-Password",
+ "chap": "CHAP-Password",
+ "mschap": "MS-CHAP-Password",
+ "eap-md5": "Cleartext-Password"
+ }
+ self.assertIn(mech, mech_pwprefix.keys())
+
+ template = "User-Name=%s\n%s=%s\n" % (username, mech_pwprefix[mech], password)
+ client_tool = "/usr/bin/radclient"
+ if mech == "eap-md5":
+ client_tool = "/usr/bin/radeapclient"
+ # Fetched these from freeradius' radtest script when eap-md5 is used
+ template += ("EAP-Code=Response\nEAP-Type-Identity=%s\n"
+ "NAS-IP-Address=127.0.0.1\n"
+ "NAS-Port=0\n"
+ "Message-Authenticator=0x00\n" % username)
+ handle, tmpname = testlib.mkstemp_fill(template, dir=self.tmpdir)
+ handle.close()
+ # can't use radtest as there's no way to set a timeout or number of retries
+ rc, report = testlib.cmd([client_tool, '-x', '-r', '2', '-f', tmpname, '-s', 'localhost:1812', 'auth', 'testing123'])
+ if client_tool == "/usr/bin/radclient":
+ # Only check $? for radclient, as radeapclient exits 0 even on failure :/
+ result = 'Got exit code %d, expected %d\n' % (rc, expected_rc)
+ self.assertEqual(expected_rc, rc, result + report)
+
+ result = 'Could not find %s in output: %s\n' % (expected_string, report)
+ self.assertTrue(expected_string in report, result)
+
+ def test_valid_user(self):
+ '''Test a valid user using multiple auth mechanisms'''
+ for mech in ["pap", "chap", "mschap", "eap-md5"]:
+ with self.subTest(mech=mech):
+ self._test_auth(self.test_user, self.test_pass, self.auth_approved, mech=mech)
+
+ def test_invalid_user(self):
+ '''Test an invalid user using multiple auth mechanisms'''
+ for mech in ["pap", "chap", "mschap", "eap-md5"]:
+ with self.subTest(mech=mech):
+ self._test_auth('xxubuntuxx', 'xxrocksxx', self.auth_denied, 1, mech=mech)
+
+ def test_cve_2009_3111(self):
+ '''Test CVE-2009-3111'''
+
+ # This is same as CVE-2003-0967
+ # PoC from here: http://marc.info/?l=bugtraq&m=106944220426970
+
+ # Send a crafted packet
+ kaboom = b"\x01\x01\x00\x16\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x45\x02"
+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ s.connect(('localhost', 1812))
+ s.send(kaboom)
+ s.close()
+ time.sleep(1)
+
+ # See if it still works
+ self._test_auth(self.test_user, self.test_pass, self.auth_approved)
+
+if __name__ == '__main__':
+ # simple
+ unittest.main()
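Review bot: In `FreeradiusTest.setUp` the test user and its cleartext password are appended to the `authorize` file before `subprocess.check_call(['service', 'freeradius', 'restart'])`. If that restart raises, unittest does not call `tearDown`, so the credential and the temp directory are left behind. Registering the restore first closes that gap: `self.addCleanup(testlib.config_restore, self.users_file)` placed just before the `testlib.config_replace(...)` call. `tearDown` also restores the file without restarting the service, so the running daemon presumably keeps `testuser` loaded until the next restart. The `#!/usr/bin/python` shebang does not match the Python 3 `print(..., file=...)` calls, although `debian/tests/freeradius` invokes the file with `python3` explicitly.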
diff --git a/debian/tests/testlib.py b/debian/tests/testlib.py
new file mode 100644
index 0000000..3c4026d
--- /dev/null
+++ b/debian/tests/testlib.py
@@ -0,0 +1,1151 @@
+#
+# testlib.py quality assurance test script
+# Copyright (C) 2008-2011 Canonical Ltd.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Library General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Library General Public License for more details.
+#
+# You should have received a copy of the GNU Library General Public
+# License along with this program. If not, see
+# <http://www.gnu.org/licenses/>.
+#
+
+'''Common classes and functions for package tests.'''
+
+import string, random, crypt, subprocess, pwd, grp, signal, time, unittest, tempfile, shutil, os, os.path, re, glob
+import sys, socket, gzip
+from stat import *
+
+import warnings
+warnings.filterwarnings('ignore', message=r'.*apt_pkg\.TagFile.*', category=DeprecationWarning)
+try:
+ import apt_pkg
+ apt_pkg.InitSystem();
+except:
+ # On non-Debian system, fall back to simple comparison without debianisms
+ class apt_pkg(object):
+ def VersionCompare(one, two):
+ list_one = one.split('.')
+ list_two = two.split('.')
+ while len(list_one)>0 and len(list_two)>0:
+ if list_one[0] > list_two[0]:
+ return 1
+ if list_one[0] < list_two[0]:
+ return -1
+ list_one.pop(0)
+ list_two.pop(0)
+ return 0
+
+bogus_nxdomain = "208.69.32.132"
+
+# http://www.chiark.greenend.org.uk/ucgi/~cjwatson/blosxom/2009-07-02-python-sigpipe.html
+# This is needed so that the subprocesses that produce endless output
+# actually quit when the reader goes away.
+import signal
+def subprocess_setup():
+ # Python installs a SIGPIPE handler by default. This is usually not what
+ # non-Python subprocesses expect.
+ signal.signal(signal.SIGPIPE, signal.SIG_DFL)
+
+class TimedOutException(Exception):
+ def __init__(self, value = "Timed Out"):
+ self.value = value
+ def __str__(self):
+ return repr(self.value)
+
+def _restore_backup(path):
+ pathbackup = path + '.autotest'
+ if os.path.exists(pathbackup):
+ shutil.move(pathbackup, path)
+
+def _save_backup(path):
+ pathbackup = path + '.autotest'
+ if os.path.exists(path) and not os.path.exists(pathbackup):
+ shutil.copy2(path, pathbackup)
+ # copy2 does not copy ownership, so do it here.
+ # Reference: http://docs.python.org/library/shutil.html
+ a = os.stat(path)
+ os.chown(pathbackup, a[4], a[5])
+
+def config_copydir(path):
+ if os.path.exists(path) and not os.path.isdir(path):
+ raise OSError("'%s' is not a directory" % (path))
+ _restore_backup(path)
+
+ pathbackup = path + '.autotest'
+ if os.path.exists(path):
+ shutil.copytree(path, pathbackup, symlinks=True)
+
+def config_replace(path,contents,append=False):
+ '''Replace (or append) to a config file'''
+ _restore_backup(path)
+ if os.path.exists(path):
+ _save_backup(path)
+ if append:
+ with open(path) as fh:
+ contents = fh.read() + contents
+ with open(path, 'w') as fh:
+ fh.write(contents)
+
+
+def config_comment(path, field):
+ _save_backup(path)
+ contents = ""
+ with open(path) as fh:
+ for line in fh:
+ if re.search("^\s*%s\s*=" % (field), line):
+ line = "#" + line
+ contents += line
+
+ with open(path + '.new', 'w') as new_fh:
+ new_fh.write(contents)
+ os.rename(path + '.new', path)
+
+
+def config_set(path, field, value, spaces=True):
+ _save_backup(path)
+ contents = ""
+ if spaces==True:
+ setting = '%s = %s\n' % (field, value)
+ else:
+ setting = '%s=%s\n' % (field, value)
+ found = False
+ with open(path) as fh:
+ for line in fh:
+ if re.search("^\s*%s\s*=" % (field), line):
+ found = True
+ line = setting
+ contents += line
+ if not found:
+ contents += setting
+
+ with open(path + '.new', 'w') as new_config:
+ new_config.write(contents)
+ os.rename(path + '.new', path)
+
+
+def config_patch(path, patch, depth=1):
+ '''Patch a config file'''
+ _restore_backup(path)
+ _save_backup(path)
+
+ handle, name = mkstemp_fill(patch)
+ rc = subprocess.call(['/usr/bin/patch', '-p%s' %(depth), path], stdin=handle, stdout=subprocess.PIPE)
+ os.unlink(name)
+ if rc != 0:
+ raise Exception("Patch failed")
+
+def config_restore(path):
+ '''Rename a replaced config file back to its initial state'''
+ _restore_backup(path)
+
+def timeout(secs, f, *args):
+ def handler(signum, frame):
+ raise TimedOutException()
+
+ old = signal.signal(signal.SIGALRM, handler)
+ result = None
+ signal.alarm(secs)
+ try:
+ result = f(*args)
+ finally:
+ signal.alarm(0)
+ signal.signal(signal.SIGALRM, old)
+
+ return result
+
+def require_nonroot():
+ if os.geteuid() == 0:
+ print("This series of tests should be run as a regular user with sudo access, not as root.", file=sys.stderr)
+ sys.exit(1)
+
+
+def require_root():
+ if os.geteuid() != 0:
+ print("This series of tests should be run with root privileges (e.g. via sudo).", file=sys.stderr)
+ sys.exit(1)
+
+
+def require_sudo():
+ if os.geteuid() != 0 or os.environ.get('SUDO_USER', None) == None:
+ print("This series of tests must be run under sudo.", file=sys.stderr)
+ sys.exit(1)
+ if os.environ['SUDO_USER'] == 'root':
+ print('Please run this test using sudo from a regular user. (You ran sudo from root.)', file=sys.stderr)
+ sys.exit(1)
+
+def random_string(length,lower=False):
+ '''Return a random string, consisting of ASCII letters, with given
+ length.'''
+
+ s = ''
+ selection = string.ascii_letters
+ if lower:
+ selection = string.ascii_lowercase
+ maxind = len(selection)-1
+ for l in range(length):
+ s += selection[random.randint(0, maxind)]
+ return s
+
+def mkstemp_fill(contents,suffix='',prefix='testlib-',dir=None):
+ '''As tempfile.mkstemp does, return a (file, name) pair, but with
+ prefilled contents.'''
+
+ handle, name = tempfile.mkstemp(suffix=suffix,prefix=prefix,dir=dir)
+ os.close(handle)
+ handle = open(name,"w+")
+ handle.write(contents)
+ handle.flush()
+ handle.seek(0)
+
+ return handle, name
+
+def create_fill(path, contents, mode=0o644):
+ '''Safely create a page'''
+ # make the temp file in the same dir as the destination file so we
+ # don't get invalid cross-device link errors when we rename
+ handle, name = mkstemp_fill(contents, dir=os.path.dirname(path))
+ handle.close()
+ os.rename(name, path)
+ os.chmod(path, mode)
+
+def login_exists(login):
+ '''Checks whether the given login exists on the system.'''
+
+ try:
+ pwd.getpwnam(login)
+ return True
+ except KeyError:
+ return False
+
+def group_exists(group):
+ '''Checks whether the given login exists on the system.'''
+
+ try:
+ grp.getgrnam(group)
+ return True
+ except KeyError:
+ return False
+
+def recursive_rm(dirPath, contents_only=False):
+ '''recursively remove directory'''
+ names = os.listdir(dirPath)
+ for name in names:
+ path = os.path.join(dirPath, name)
+ if os.path.islink(path) or not os.path.isdir(path):
+ os.unlink(path)
+ else:
+ recursive_rm(path)
+ if contents_only == False:
+ os.rmdir(dirPath)
+
+def check_pidfile(exe, pidfile):
+ '''Checks if pid in pidfile is running'''
+ if not os.path.exists(pidfile):
+ return False
+
+ # get the pid
+ try:
+ with open(pidfile, 'r') as fd:
+ pid = fd.readline().rstrip('\n')
+ except:
+ return False
+
+ return check_pid(exe, pid)
+
+
+def check_pid(exe, pid):
+ '''Checks if pid is running'''
+ cmdline = "/proc/%s/cmdline" % (str(pid))
+ if not os.path.exists(cmdline):
+ return False
+
+ # get the command line
+ try:
+ with open(cmdline, 'r') as fd:
+ tmp = fd.readline().split('\0')
+ except:
+ return False
+
+ # this allows us to match absolute paths or just the executable name
+ if re.match('^' + exe + '$', tmp[0]) or \
+ re.match('.*/' + exe + '$', tmp[0]) or \
+ re.match('^' + exe + ': ', tmp[0]) or \
+ re.match('^\(' + exe + '\)', tmp[0]):
+ return True
+
+ return False
+
+def check_port(port, proto, ver=4):
+ '''Check if something is listening on the specified port.
+ WARNING: for some reason this does not work with a bind mounted /proc
+ '''
+ assert (port >= 1)
+ assert (port <= 65535)
+ assert (proto.lower() == "tcp" or proto.lower() == "udp")
+ assert (ver == 4 or ver == 6)
+
+ fn = "/proc/net/%s" % (proto)
+ if ver == 6:
+ fn += str(ver)
+
+ rc, report = cmd(['cat', fn])
+ assert (rc == 0)
+
+ hport = "%0.4x" % port
+
+ if re.search(': [0-9a-f]{8}:%s [0-9a-f]' % str(hport).lower(), report.lower()):
+ return True
+ return False
+
+def get_arch():
+ '''Get the current architecture'''
+ rc, report = cmd(['uname', '-m'])
+ assert (rc == 0)
+ return report.strip()
+
+def get_memory():
+ '''Gets total ram and swap'''
+ meminfo = "/proc/meminfo"
+ memtotal = 0
+ swaptotal = 0
+ if not os.path.exists(meminfo):
+ return (False, False)
+
+ try:
+ fd = open(meminfo, 'r')
+ for line in fd.readlines():
+ splitline = line.split()
+ if splitline[0] == 'MemTotal:':
+ memtotal = int(splitline[1])
+ elif splitline[0] == 'SwapTotal:':
+ swaptotal = int(splitline[1])
+ fd.close()
+ except:
+ return (False, False)
+
+ return (memtotal,swaptotal)
+
+def is_running_in_vm():
+ '''Check if running under a VM'''
+ # add other virtualization environments here
+ for search in ['QEMU Virtual CPU']:
+ rc, report = cmd_pipe(['dmesg'], ['grep', search])
+ if rc == 0:
+ return True
+ return False
+
+def ubuntu_release():
+ '''Get the Ubuntu release'''
+ f = "/etc/lsb-release"
+ try:
+ size = os.stat(f)[ST_SIZE]
+ except:
+ return "UNKNOWN"
+
+ if size > 1024*1024:
+ raise IOError('Could not open "%s" (too big)' % f)
+
+ with open("/etc/lsb-release", 'r') as fh:
+ lines = fh.readlines()
+
+ pat = re.compile(r'DISTRIB_CODENAME')
+ for line in lines:
+ if pat.search(line):
+ return line.split('=')[1].rstrip('\n').rstrip('\r')
+
+ return "UNKNOWN"
+
+def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.PIPE, stdin = None, timeout = None):
+ '''Try to execute given command (array) and return its stdout, or return
+ a textual error if it failed.'''
+
+ try:
+ sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True, preexec_fn=subprocess_setup, universal_newlines=True)
+ except OSError as e:
+ return [127, str(e)]
+
+ out, outerr = sp.communicate(input)
+ # Handle redirection of stdout
+ if out == None:
+ out = ''
+ # Handle redirection of stderr
+ if outerr == None:
+ outerr = ''
+ return [sp.returncode,out+outerr]
+
+def cmd_pipe(command1, command2, input = None, stderr = subprocess.STDOUT, stdin = None):
+ '''Try to pipe command1 into command2.'''
+ try:
+ sp1 = subprocess.Popen(command1, stdin=stdin, stdout=subprocess.PIPE, stderr=stderr, close_fds=True)
+ sp2 = subprocess.Popen(command2, stdin=sp1.stdout, stdout=subprocess.PIPE, stderr=stderr, close_fds=True)
+ except OSError as e:
+ return [127, str(e)]
+
+ out = sp2.communicate(input)[0]
+ return [sp2.returncode,out]
+
+def cwd_has_enough_space(cdir, total_bytes):
+ '''Determine if the partition of the current working directory has 'bytes'
+ free.'''
+ rc, df_output = cmd(['df'])
+ result = 'Got exit code %d, expected %d\n' % (rc, 0)
+ if rc != 0:
+ return False
+
+ kb = total_bytes / 1024
+
+ mounts = dict()
+ for line in df_output.splitlines():
+ if '/' not in line:
+ continue
+ tmp = line.split()
+ mounts[tmp[5]] = int(tmp[3])
+
+ cdir = os.getcwd()
+ while cdir != '/':
+ if not mounts.has_key(cdir):
+ cdir = os.path.dirname(cdir)
+ continue
+ if kb < mounts[cdir]:
+ return True
+ else:
+ return False
+
+ if kb < mounts['/']:
+ return True
+
+ return False
+
+def get_md5(filename):
+ '''Gets the md5sum of the file specified'''
+
+ (rc, report) = cmd(["/usr/bin/md5sum", "-b", filename])
+ expected = 0
+ assert (expected == rc)
+
+ return report.split(' ')[0]
+
+def dpkg_compare_installed_version(pkg, check, version):
+ '''Gets the version for the installed package, and compares it to the
+ specified version.
+ '''
+ (rc, report) = cmd(["/usr/bin/dpkg", "-s", pkg])
+ assert (rc == 0)
+ assert ("Status: install ok installed" in report)
+ installed_version = ""
+ for line in report.splitlines():
+ if line.startswith("Version: "):
+ installed_version = line.split()[1]
+
+ assert (installed_version != "")
+
+ (rc, report) = cmd(["/usr/bin/dpkg", "--compare-versions", installed_version, check, version])
+ assert (rc == 0 or rc == 1)
+ if rc == 0:
+ return True
+ return False
+
+def prepare_source(source, builder, cached_src, build_src, patch_system):
+ '''Download and unpack source package, installing necessary build depends,
+ adjusting the permissions for the 'builder' user, and returning the
+ directory of the unpacked source. Patch system can be one of:
+ - cdbs
+ - dpatch
+ - quilt
+ - quiltv3
+ - None (not the string)
+
+ This is normally used like this:
+
+ def setUp(self):
+ ...
+ self.topdir = os.getcwd()
+ self.cached_src = os.path.join(os.getcwd(), "source")
+ self.tmpdir = tempfile.mkdtemp(prefix='testlib', dir='/tmp')
+ self.builder = testlib.TestUser()
+ testlib.cmd(['chgrp', self.builder.login, self.tmpdir])
+ os.chmod(self.tmpdir, 0o775)
+
+ def tearDown(self):
+ ...
+ self.builder = None
+ self.topdir = os.getcwd()
+ if os.path.exists(self.tmpdir):
+ testlib.recursive_rm(self.tmpdir)
+
+ def test_suite_build(self):
+ ...
+ build_dir = testlib.prepare_source('foo', \
+ self.builder, \
+ self.cached_src, \
+ os.path.join(self.tmpdir, \
+ os.path.basename(self.cached_src)),
+ "quilt")
+ os.chdir(build_dir)
+
+ # Example for typical build, adjust as necessary
+ print("")
+ print(" make clean")
+ rc, report = testlib.cmd(['sudo', '-u', self.builder.login, 'make', 'clean'])
+
+ print(" configure")
+ rc, report = testlib.cmd(['sudo', '-u', self.builder.login, './configure', '--prefix=%s' % self.tmpdir, '--enable-debug'])
+
+ print(" make (will take a while)")
+ rc, report = testlib.cmd(['sudo', '-u', self.builder.login, 'make'])
+
+ print(" make check (will take a while)",)
+ rc, report = testlib.cmd(['sudo', '-u', self.builder.login, 'make', 'check'])
+ expected = 0
+ result = 'Got exit code %d, expected %d\n' % (rc, expected)
+ self.assertEqual(expected, rc, result + report)
+
+ def test_suite_cleanup(self):
+ ...
+ if os.path.exists(self.cached_src):
+ testlib.recursive_rm(self.cached_src)
+
+ It is up to the caller to clean up cached_src and build_src (as in the
+ above example, often the build_src is in a tmpdir that is cleaned in
+ tearDown() and the cached_src is cleaned in a one time clean-up
+ operation (eg 'test_suite_cleanup()) which must be run after the build
+ suite test (obviously).
+ '''
+
+ # Make sure we have a clean slate
+ assert (os.path.exists(os.path.dirname(build_src)))
+ assert (not os.path.exists(build_src))
+
+ cdir = os.getcwd()
+ if os.path.exists(cached_src):
+ shutil.copytree(cached_src, build_src)
+ os.chdir(build_src)
+ else:
+ # Only install the build dependencies on the initial setup
+ rc, report = cmd(['apt-get','-y','--force-yes','build-dep',source])
+ assert (rc == 0)
+
+ os.makedirs(build_src)
+ os.chdir(build_src)
+
+ # These are always needed
+ pkgs = ['build-essential', 'dpkg-dev', 'fakeroot']
+ rc, report = cmd(['apt-get','-y','--force-yes','install'] + pkgs)
+ assert (rc == 0)
+
+ rc, report = cmd(['apt-get','source',source])
+ assert (rc == 0)
+ shutil.copytree(build_src, cached_src)
+
+ unpacked_dir = os.path.join(build_src, glob.glob('%s-*' % source)[0])
+
+ # Now apply the patches. Do it here so that we don't mess up our cached
+ # sources.
+ os.chdir(unpacked_dir)
+ assert (patch_system in ['cdbs', 'dpatch', 'quilt', 'quiltv3', None])
+ if patch_system != None and patch_system != "quiltv3":
+ if patch_system == "quilt":
+ os.environ.setdefault('QUILT_PATCHES','debian/patches')
+ rc, report = cmd(['quilt', 'push', '-a'])
+ assert (rc == 0)
+ elif patch_system == "cdbs":
+ rc, report = cmd(['./debian/rules', 'apply-patches'])
+ assert (rc == 0)
+ elif patch_system == "dpatch":
+ rc, report = cmd(['dpatch', 'apply-all'])
+ assert (rc == 0)
+
+ cmd(['chown', '-R', '%s:%s' % (builder.uid, builder.gid), build_src])
+ os.chdir(cdir)
+
+ return unpacked_dir
+
+def _aa_status():
+ '''Get aa-status output'''
+ exe = "/usr/sbin/aa-status"
+ assert (os.path.exists(exe))
+ if os.geteuid() == 0:
+ return cmd([exe])
+ return cmd(['sudo', exe])
+
+def is_apparmor_loaded(path):
+ '''Check if profile is loaded'''
+ rc, report = _aa_status()
+ if rc != 0:
+ return False
+
+ for line in report.splitlines():
+ if line.endswith(path):
+ return True
+ return False
+
+def is_apparmor_confined(path):
+ '''Check if application is confined'''
+ rc, report = _aa_status()
+ if rc != 0:
+ return False
+
+ for line in report.splitlines():
+ if re.search('%s \(' % path, line):
+ return True
+ return False
+
+def check_apparmor(path, first_ubuntu_release, is_running=True):
+ '''Check if path is loaded and confined for everything higher than the
+ first Ubuntu release specified.
+
+ Usage:
+ rc, report = testlib.check_apparmor('/usr/sbin/foo', 8.04, is_running=True)
+ if rc < 0:
+ return self._skipped(report)
+
+ expected = 0
+ result = 'Got exit code %d, expected %d\n' % (rc, expected)
+ self.assertEqual(expected, rc, result + report)
+ '''
+ global manager
+ rc = -1
+
+ if manager.lsb_release["Release"] < first_ubuntu_release:
+ return (rc, "Skipped apparmor check")
+
+ if not os.path.exists('/sbin/apparmor_parser'):
+ return (rc, "Skipped (couldn't find apparmor_parser)")
+
+ rc = 0
+ msg = ""
+ if not is_apparmor_loaded(path):
+ rc = 1
+ msg = "Profile not loaded for '%s'" % path
+
+ # this check only makes sense it the 'path' is currently executing
+ if is_running and rc == 0 and not is_apparmor_confined(path):
+ rc = 1
+ msg = "'%s' is not running in enforce mode" % path
+
+ return (rc, msg)
+
+def get_gcc_version(gcc, full=True):
+ gcc_version = 'none'
+ if not gcc.startswith('/'):
+ gcc = '/usr/bin/%s' % (gcc)
+ if os.path.exists(gcc):
+ gcc_version = 'unknown'
+ lines = cmd([gcc,'-v'])[1].strip().splitlines()
+ version_lines = [x for x in lines if x.startswith('gcc version')]
+ if len(version_lines) == 1:
+ gcc_version = " ".join(version_lines[0].split()[2:])
+ if not full:
+ return gcc_version.split()[0]
+ return gcc_version
+
+def is_kdeinit_running():
+ '''Test if kdeinit is running'''
+ # applications that use kdeinit will spawn it if it isn't running in the
+ # test. This is a problem because it does not exit. This is a helper to
+ # check for it.
+ rc, report = cmd(['ps', 'x'])
+ if 'kdeinit4 Running' not in report:
+ print("kdeinit not running (you may start/stop any KDE application then run this script again)", file=sys.stderr)
+ return False
+ return True
+
+def get_pkgconfig_flags(libs=[]):
+ '''Find pkg-config flags for libraries'''
+ assert (len(libs) > 0)
+ rc, pkg_config = cmd(['pkg-config', '--cflags', '--libs'] + libs)
+ expected = 0
+ if rc != expected:
+ print('Got exit code %d, expected %d\n' % (rc, expected), file=sys.stderr)
+ assert(rc == expected)
+ return pkg_config.split()
+
+class TestDaemon:
+ '''Helper class to manage daemons consistently'''
+ def __init__(self, init):
+ '''Setup daemon attributes'''
+ self.initscript = init
+
+ def start(self):
+ '''Start daemon'''
+ rc, report = cmd([self.initscript, 'start'])
+ expected = 0
+ result = 'Got exit code %d, expected %d\n' % (rc, expected)
+ time.sleep(2)
+ if expected != rc:
+ return (False, result + report)
+
+ if "fail" in report:
+ return (False, "Found 'fail' in report\n" + report)
+
+ return (True, "")
+
+ def stop(self):
+ '''Stop daemon'''
+ rc, report = cmd([self.initscript, 'stop'])
+ expected = 0
+ result = 'Got exit code %d, expected %d\n' % (rc, expected)
+ if expected != rc:
+ return (False, result + report)
+
+ if "fail" in report:
+ return (False, "Found 'fail' in report\n" + report)
+
+ return (True, "")
+
+ def reload(self):
+ '''Reload daemon'''
+ rc, report = cmd([self.initscript, 'force-reload'])
+ expected = 0
+ result = 'Got exit code %d, expected %d\n' % (rc, expected)
+ if expected != rc:
+ return (False, result + report)
+
+ if "fail" in report:
+ return (False, "Found 'fail' in report\n" + report)
+
+ return (True, "")
+
+ def restart(self):
+ '''Restart daemon'''
+ (res, str) = self.stop()
+ if not res:
+ return (res, str)
+
+ (res, str) = self.start()
+ if not res:
+ return (res, str)
+
+ return (True, "")
+
+ def status(self):
+ '''Check daemon status'''
+ rc, report = cmd([self.initscript, 'status'])
+ expected = 0
+ result = 'Got exit code %d, expected %d\n' % (rc, expected)
+ if expected != rc:
+ return (False, result + report)
+
+ if "fail" in report:
+ return (False, "Found 'fail' in report\n" + report)
+
+ return (True, "")
+
+class TestlibManager(object):
+ '''Singleton class used to set up per-test-run information'''
+ def __init__(self):
+ # Set glibc aborts to dump to stderr instead of the tty so test output
+ # is more sane.
+ os.environ.setdefault('LIBC_FATAL_STDERR_','1')
+
+ # check verbosity
+ self.verbosity = False
+ if (len(sys.argv) > 1 and '-v' in sys.argv[1:]):
+ self.verbosity = True
+
+ # Load LSB release file
+ self.lsb_release = dict()
+ if not os.path.exists('/usr/bin/lsb_release') and not os.path.exists('/bin/lsb_release'):
+ raise OSError("Please install 'lsb-release'")
+ for line in subprocess.Popen(['lsb_release','-a'],stdout=subprocess.PIPE,stderr=subprocess.PIPE,universal_newlines=True).communicate()[0].splitlines():
+ field, value = line.split(':',1)
+ value=value.strip()
+ field=field.strip()
+ # Convert numerics
+ try:
+ value = float(value)
+ except:
+ pass
+ self.lsb_release.setdefault(field,value)
+
+ # FIXME: hack OEM releases into known-Ubuntu versions
+ if self.lsb_release['Distributor ID'] == "HP MIE (Mobile Internet Experience)":
+ if self.lsb_release['Release'] == 1.0:
+ self.lsb_release['Distributor ID'] = "Ubuntu"
+ self.lsb_release['Release'] = 8.04
+ else:
+ raise OSError("Unknown version of HP MIE")
+
+ # FIXME: hack to assume a most-recent release if we're not
+ # running under Ubuntu.
+ if self.lsb_release['Distributor ID'] not in ["Ubuntu","Linaro"]:
+ self.lsb_release['Release'] = 10000
+ # Adjust Linaro release to pretend to be Ubuntu
+ if self.lsb_release['Distributor ID'] in ["Linaro"]:
+ self.lsb_release['Distributor ID'] = "Ubuntu"
+ self.lsb_release['Release'] -= 0.01
+
+ # Load arch
+ if not os.path.exists('/usr/bin/dpkg'):
+ machine = cmd(['uname','-m'])[1].strip()
+ if machine.endswith('86'):
+ self.dpkg_arch = 'i386'
+ elif machine.endswith('_64'):
+ self.dpkg_arch = 'amd64'
+ elif machine.startswith('arm'):
+ self.dpkg_arch = 'armel'
+ else:
+ raise ValueError("Unknown machine type '%s'" % (machine))
+ else:
+ self.dpkg_arch = cmd(['dpkg','--print-architecture'])[1].strip()
+
+ # Find kernel version
+ self.kernel_is_ubuntu = False
+ self.kernel_version_signature = None
+ self.kernel_version = cmd(["uname","-r"])[1].strip()
+ versig = '/proc/version_signature'
+ if os.path.exists(versig):
+ self.kernel_is_ubuntu = True
+ self.kernel_version_signature = open(versig).read().strip()
+ self.kernel_version_ubuntu = self.kernel_version
+ elif os.path.exists('/usr/bin/dpkg'):
+ # this can easily be inaccurate but is only an issue for Dapper
+ rc, out = cmd(['dpkg','-l','linux-image-%s' % (self.kernel_version)])
+ if rc == 0:
+ self.kernel_version_signature = out.strip().split('\n').pop().split()[2]
+ self.kernel_version_ubuntu = self.kernel_version_signature
+ if self.kernel_version_signature == None:
+ # Attempt to fall back to something for non-Debian-based
+ self.kernel_version_signature = self.kernel_version
+ self.kernel_version_ubuntu = self.kernel_version
+ # Build ubuntu version without hardware suffix
+ try:
+ self.kernel_version_ubuntu = "-".join([x for x in self.kernel_version_signature.split(' ')[1].split('-') if re.search('^[0-9]', x)])
+ except:
+ pass
+
+ # Find gcc version
+ self.gcc_version = get_gcc_version('gcc')
+
+ # Find libc
+ self.path_libc = [x.split()[2] for x in cmd(['ldd','/bin/ls'])[1].splitlines() if x.startswith('\tlibc.so.')][0]
+
+ # Report self
+ if self.verbosity:
+ kernel = self.kernel_version_ubuntu
+ if kernel != self.kernel_version_signature:
+ kernel += " (%s)" % (self.kernel_version_signature)
+ print("Running test: '%s' distro: '%s %.2f' kernel: '%s' arch: '%s' uid: %d/%d SUDO_USER: '%s')" % (
+ sys.argv[0],
+ self.lsb_release['Distributor ID'],
+ self.lsb_release['Release'],
+ kernel,
+ self.dpkg_arch,
+ os.geteuid(), os.getuid(),
+ os.environ.get('SUDO_USER', '')), file=sys.stdout)
+ sys.stdout.flush()
+
+ # Additional heuristics
+ #if os.environ.get('SUDO_USER', os.environ.get('USER', '')) in ['mdeslaur']:
+ # sys.stdout.write("Replying to Marc Deslauriers in http://launchpad.net/bugs/%d: " % random.randint(600000, 980000))
+ # sys.stdout.flush()
+ # time.sleep(0.5)
+ # sys.stdout.write("destroyed\n")
+ # time.sleep(0.5)
+
+ def hello(self, msg):
+ print("Hello from %s" % (msg), file=sys.stderr)
+# The central instance
+manager = TestlibManager()
+
+class TestlibCase(unittest.TestCase):
+ def __init__(self, *args):
+ '''This is called for each TestCase test instance, which isn't much better
+ than SetUp.'''
+
+ unittest.TestCase.__init__(self, *args)
+
+ # Attach to and duplicate dicts from manager singleton
+ self.manager = manager
+ #self.manager.hello(repr(self) + repr(*args))
+ self.my_verbosity = self.manager.verbosity
+ self.lsb_release = self.manager.lsb_release
+ self.dpkg_arch = self.manager.dpkg_arch
+ self.kernel_version = self.manager.kernel_version
+ self.kernel_version_signature = self.manager.kernel_version_signature
+ self.kernel_version_ubuntu = self.manager.kernel_version_ubuntu
+ self.kernel_is_ubuntu = self.manager.kernel_is_ubuntu
+ self.gcc_version = self.manager.gcc_version
+ self.path_libc = self.manager.path_libc
+
+ def version_compare(self, one, two):
+ return apt_pkg.VersionCompare(one,two)
+
+ def assertFileType(self, filename, filetype):
+ '''Checks the file type of the file specified'''
+
+ (rc, report, out) = self._testlib_shell_cmd(["/usr/bin/file", "-b", filename])
+ out = out.strip()
+ expected = 0
+ # Absolutely no idea why this happens on Hardy
+ if self.lsb_release['Release'] == 8.04 and rc == 255 and len(out) > 0:
+ rc = 0
+ result = 'Got exit code %d, expected %d:\n%s\n' % (rc, expected, report)
+ self.assertEqual(expected, rc, result)
+
+ filetype = '^%s$' % (filetype)
+ result = 'File type reported by file: [%s], expected regex: [%s]\n' % (out, filetype)
+ self.assertNotEquals(None, re.search(filetype, out), result)
+
+ def yank_commonname_from_cert(self, certfile):
+ '''Extract the commonName from a given PEM'''
+ rc, out = cmd(['openssl','asn1parse','-in',certfile])
+ if rc == 0:
+ ready = False
+ for line in out.splitlines():
+ if ready:
+ return line.split(':')[-1]
+ if ':commonName' in line:
+ ready = True
+ return socket.getfqdn()
+
+ def announce(self, text):
+ if self.my_verbosity:
+ print("(%s) " % (text), file=sys.stderr, end='')
+ sys.stdout.flush()
+
+ def make_clean(self):
+ rc, output = self.shell_cmd(['make','clean'])
+ self.assertEqual(rc, 0, output)
+
+ def get_makefile_compiler(self):
+ # Find potential compiler name
+ compiler = 'gcc'
+ if os.path.exists('Makefile'):
+ for line in open('Makefile'):
+ if line.startswith('CC') and '=' in line:
+ items = [x.strip() for x in line.split('=')]
+ if items[0] == 'CC':
+ compiler = items[1]
+ break
+ return compiler
+
+ def make_target(self, target, expected=0):
+ '''Compile a target and report output'''
+
+ compiler = self.get_makefile_compiler()
+ rc, output = self.shell_cmd(['make',target])
+ self.assertEqual(rc, expected, 'rc(%d)!=%d:\n' % (rc, expected) + output)
+ self.assertTrue('%s ' % (compiler) in output, 'Expected "%s":' % (compiler) + output)
+ return output
+
+ # call as return testlib.skipped()
+ def _skipped(self, reason=""):
+ '''Provide a visible way to indicate that a test was skipped'''
+ if reason != "":
+ reason = ': %s' % (reason)
+ self.announce("skipped%s" % (reason))
+ return False
+
+ def _testlib_shell_cmd(self,args,stdin=None, stdout=subprocess.PIPE, stderr=subprocess.STDOUT):
+ argstr = "'" + "', '".join(args).strip() + "'"
+ rc, out = cmd(args,stdin=stdin,stdout=stdout,stderr=stderr)
+ report = 'Command: ' + argstr + '\nOutput:\n' + out
+ return rc, report, out
+
+ def shell_cmd(self, args, stdin=None):
+ return cmd(args,stdin=stdin)
+
+ def assertShellExitEquals(self, expected, args, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, msg=""):
+ '''Test a shell command matches a specific exit code'''
+ rc, report, out = self._testlib_shell_cmd(args, stdin=stdin, stdout=stdout, stderr=stderr)
+ result = 'Got exit code %d, expected %d\n' % (rc, expected)
+ self.assertEqual(expected, rc, msg + result + report)
+
+ def assertShellExitNotEquals(self, unwanted, args, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, msg=""):
+ '''Test a shell command doesn't match a specific exit code'''
+ rc, report, out = self._testlib_shell_cmd(args, stdin=stdin, stdout=stdout, stderr=stderr)
+ result = 'Got (unwanted) exit code %d\n' % rc
+ self.assertNotEquals(unwanted, rc, msg + result + report)
+
+ def assertShellOutputContains(self, text, args, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, msg="", invert=False):
+ '''Test a shell command contains a specific output'''
+ rc, report, out = self._testlib_shell_cmd(args, stdin=stdin, stdout=stdout, stderr=stderr)
+ result = 'Got exit code %d. Looking for text "%s"\n' % (rc, text)
+ if not invert:
+ self.assertTrue(text in out, msg + result + report)
+ else:
+ self.assertFalse(text in out, msg + result + report)
+
+ def assertShellOutputEquals(self, text, args, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, msg="", invert=False, expected=None):
+ '''Test a shell command matches a specific output'''
+ rc, report, out = self._testlib_shell_cmd(args, stdin=stdin, stdout=stdout, stderr=stderr)
+ result = 'Got exit code %d. Looking for exact text "%s" (%s)\n' % (rc, text, " ".join(args))
+ if not invert:
+ self.assertEqual(text, out, msg + result + report)
+ else:
+ self.assertNotEquals(text, out, msg + result + report)
+ if expected != None:
+ result = 'Got exit code %d. Expected %d (%s)\n' % (rc, expected, " ".join(args))
+ self.assertEqual(rc, expected, msg + result + report)
+
+ def _word_find(self, report, content, invert=False):
+ '''Check for a specific string'''
+ if invert:
+ warning = 'Found "%s"\n' % content
+ self.assertTrue(content not in report, warning + report)
+ else:
+ warning = 'Could not find "%s"\n' % content
+ self.assertTrue(content in report, warning + report)
+
+ def _test_sysctl_value(self, path, expected, msg=None, exists=True):
+ sysctl = '/proc/sys/%s' % (path)
+ self.assertEqual(exists, os.path.exists(sysctl), sysctl)
+ value = None
+ if exists:
+ with open(sysctl) as sysctl_fd:
+ value = int(sysctl_fd.read())
+ report = "%s is not %d: %d" % (sysctl, expected, value)
+ if msg:
+ report += " (%s)" % (msg)
+ self.assertEqual(value, expected, report)
+ return value
+
+ def set_sysctl_value(self, path, desired):
+ sysctl = '/proc/sys/%s' % (path)
+ self.assertTrue(os.path.exists(sysctl),"%s does not exist" % (sysctl))
+ with open(sysctl, 'w') as sysctl_fh:
+ sysctl_fh.write(str(desired))
+ self._test_sysctl_value(path, desired)
+
+ def kernel_at_least(self, introduced):
+ return self.version_compare(self.kernel_version_ubuntu,
+ introduced) >= 0
+
+ def kernel_claims_cve_fixed(self, cve):
+ changelog = "/usr/share/doc/linux-image-%s/changelog.Debian.gz" % (self.kernel_version)
+ if os.path.exists(changelog):
+ for line in gzip.open(changelog):
+ if cve in line and not "revert" in line and not "Revert" in line:
+ return True
+ return False
+
+class TestGroup:
+ '''Create a temporary test group and remove it again in the dtor.'''
+
+ def __init__(self, group=None, lower=False):
+ '''Create a new group'''
+
+ self.group = None
+ if group:
+ if group_exists(group):
+ raise ValueError('group name already exists')
+ else:
+ while(True):
+ group = random_string(7,lower=lower)
+ if not group_exists(group):
+ break
+
+ assert subprocess.call(['groupadd',group]) == 0
+ self.group = group
+ g = grp.getgrnam(self.group)
+ self.gid = g[2]
+
+ def __del__(self):
+ '''Remove the created group.'''
+
+ if self.group:
+ rc, report = cmd(['groupdel', self.group])
+ assert rc == 0
+
+class TestUser:
+ '''Create a temporary test user and remove it again in the dtor.'''
+
+ def __init__(self, login=None, home=True, group=None, uidmin=None, lower=False, shell=None):
+ '''Create a new user account with a random password.
+
+ By default, the login name is random, too, but can be explicitly
+ specified with 'login'. By default, a home directory is created, this
+ can be suppressed with 'home=False'.'''
+
+ self.login = None
+
+ if os.geteuid() != 0:
+ raise ValueError("You must be root to run this test")
+
+ if login:
+ if login_exists(login):
+ raise ValueError('login name already exists')
+ else:
+ while(True):
+ login = 't' + random_string(7,lower=lower)
+ if not login_exists(login):
+ break
+
+ self.salt = random_string(2)
+ self.password = random_string(8,lower=lower)
+ self.crypted = crypt.crypt(self.password, self.salt)
+
+ creation = ['useradd', '-p', self.crypted]
+ if home:
+ creation += ['-m']
+ if group:
+ creation += ['-G',group]
+ if uidmin:
+ creation += ['-K','UID_MIN=%d'%uidmin]
+ if shell:
+ creation += ['-s',shell]
+ creation += [login]
+ assert subprocess.call(creation) == 0
+ # Set GECOS
+ assert subprocess.call(['usermod','-c','Buddy %s' % (login),login]) == 0
+
+ self.login = login
+ p = pwd.getpwnam(self.login)
+ self.uid = p[2]
+ self.gid = p[3]
+ self.gecos = p[4]
+ self.home = p[5]
+ self.shell = p[6]
+
+ def __del__(self):
+ '''Remove the created user account.'''
+
+ if self.login:
+ # sanity check the login name so we don't accidentally wipe too much
+ if len(self.login)>3 and not '/' in self.login:
+ subprocess.call(['rm','-rf', '/home/'+self.login, '/var/mail/'+self.login])
+ rc, report = cmd(['userdel', '-f', self.login])
+ assert rc == 0
+
+ def add_to_group(self, group):
+ '''Add user to the specified group name'''
+ rc, report = cmd(['usermod', '-G', group, self.login])
+ if rc != 0:
+ print(report)
+ assert rc == 0
+
+# Timeout handler using alarm() from John P. Speno's Pythonic Avocado
+class TimeoutFunctionException(Exception):
+ """Exception to raise on a timeout"""
+ pass
+class TimeoutFunction:
+ def __init__(self, function, timeout):
+ self.timeout = timeout
+ self.function = function
+
+ def handle_timeout(self, signum, frame):
+ raise TimeoutFunctionException()
+
+ def __call__(self, *args, **kwargs):
+ old = signal.signal(signal.SIGALRM, self.handle_timeout)
+ signal.alarm(self.timeout)
+ try:
+ result = self.function(*args, **kwargs)
+ finally:
+ signal.signal(signal.SIGALRM, old)
+ signal.alarm(0)
+ return result
+
+
+def main():
+ print("hi")
+ unittest.main()
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..a64af84
--- /dev/null
+++ b/debian/upstream/signing-key.asc
@@ -0,0 +1,238 @@
+-----BEGIN PGP ARMORED FILE-----
+Version: GnuPG v1
+Comment: Use "gpg --dearmor" for unpacking
+
+mQINBFTmIgABEADDE0iuJgr098F2NO+QQGvT6VEJhpnurawJOZbOvzxRKrC+IDVl
+ewGz8hAQzWHKTDRtRo+KNx86+2mqoR9cnwGgb6Rs7OqEeH8rFz7XMV1UEpkJatLg
+KUKH2tMXHrs8tPpFj2mHbLhI7P5Osz8rYhPCVpu2lbw4iogncMBFpBk5NZf6aUKw
+9+ixwNQu4gSwa9Cra5WMu0WuA+zeYA2vISo+2kDyTJ1XlrsRO+LnDXCfOFN2tGtz
+59vxuiSKbjmQcizh3A6IAa+nu1ppE3FGFmKqZKeqtA+bn7dfWZj/bdd6T5cKl+2A
+KVxylAxVzPisEGMVHaMGs85PZX0vYnOF/Z08DKRV4APzqeMIZAtgzX7jWIHa8yCP
+L/zYRAtVVGDzVEb9vcTGbdm7Wzhm+sfFFw0BhzO3gycEJWO/Gzeb1lwfmZRFX76a
+jQ0CV/a/YXUQ6fQc2JQSeJmkng17ZEvz1VXG0kvl93uy8kOvY31GL+vDYHHE/yQ4
+Q8GwxQsNN+aKcJW40JN1aPaJrCLBV5ZBceD+XJ0/INstohx6AV176wfavwT+dFQx
+lVVhIBanhd4id4IxKIFU4nbiFXDkgxXz15c7l5jx1GEauDeT+bS7xPTWGL2oIMzf
+yoL9OErvmVS02bu79fJ2aS/VKq60NrwCaZeYJz1wCUhKYSMZ/RSZFoNTtQARAQAB
+tKpGcmVlUkFESVVTIC0gUGFja2FnZSBTaWduaW5nIChPZmZpY2lhbCBmcmVlcmFk
+aXVzLm9yZyBwYWNrYWdlIHNpZ25pbmcga2V5LiBBbGwgb2ZmaWNpYWwgcGFja2Fn
+ZXMgYW5kIHJlc3Bvc2l0b3JpZXMgd2lsbCBiZSBzaWduZWQgd2l0aCB0aGlzIGtl
+eSkgPHBhY2thZ2VzQGZyZWVyYWRpdXMub3JnPokCOAQTAQIAIgUCVOYiAAIbAwYL
+CQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQION8JZlbT4VHohAAo7MqSxgkDpPO
+a8r6JHRZrSJa1vgSHPFm+6DXH0Cy7DZdmYohqQBFSA+OHbKcmtiaJ0ajtvwLeysT
+QxlOTUaG/ETFS74NUXRRV8pYQ7rQ0h43NbTdRUf90IYj0CKFuJKcjkA5oVWustO1
+d1slMxTtwAhMnEva1KYSokPvub+OsbDkIbvPNq+4Dq2fuZxQ5wWVDOR6DkF5rlZ7
+f1hKDyUuuNk0n5Av6BsFt/HWCvPuoXn02hFu3Ry/idzNdw5ssg4+J/ZLbTAYx2tt
+h+SZQaRJzKL37cGMdrhTsK6SdgcLwqKD14QYswiXSiHQoJQR6nq8cy1eDbGLRP6J
+18d2N7YzEQJ61u2IuOrkxiEGL6w/ZctZLimXbHXdVaHj6+lErAo1EFdawpbJKSUy
+LUUIagUASdgLXyQjgPrYPFIaP4JRylh4lNSithj9Q7/WixFE0/pX649Jd7d6jYQV
+eIqW9IwlNjvizCTvLbn7SEJ3Q7X+yteAT/PufKoJAUpC2JlgdZgIYOVdoRbM6eFj
+cR0Lp5UZjTBbL/7cFMX3JcKkPEiOu9ACcba6cPOb8JFVAqGa+fCekuWrGA2CM2Wd
+WCGDjDBum2BHBt9NLBIo0TDPMbGNjQhfU9G3IMxYqDnS6XXNRoghV15ojsIpkJD8
+wbJ2iju/GRItc2IOyCmRb9DufiYRrfyJAhwEEwECAAYFAlTmIhgACgkQVs8n+TCo
+yqLo9xAAo7y43cL3yWjzbbN5aq/o3YMtRdHIpCocOQK4THw9Vb724jbB7emgtLh5
+TmRjXzlR9lZxiEejbvn4pulu+Sny4R7SmnJ26UnK6NO6aaB1Q9W8IbN8H+YEVs2o
+CWoN9Xt3BFD6kClu+kIMh+ZbjtqKSjFj9HvvRvaN261MMBM45S6dAg2PptU/nrKL
+36pxvBTDunEre/csqjeefnekLLqlmQy5uBh0bUWk3iFcBRtuncq25N6FJ0Agl8Lw
+qCHgiEdiTiCiwQjRcJ1pDG1P60cgwPkf0DXIFi9dWnEhsS7j27aqgJtpQtv+sjAd
+JG9KfV2F7z9FZvJZy45BBOq3OXtbfso6SPZrGbFBqbEY+lU9c/rubynOxop2lxTt
+E6teX88oGgarhGyy/X3R7ebRTP8EAmUy9Qs+1ogN7B/yodwHuc3j4KvSXBZYa4v/
+XgMwcUV1BFCpYKby7SJGUluaBnEACQirnwK8QklXhvgCL/Fh48YUw5nmAwPyCJKx
+m7xF0ipZhBlkzU6uzFcxbGqNQLfjGEq0mlEKtV/dfNFrxrSCaLoWE2O48AEvhcd2
+v40Pm6Cn4/sMxabgodFyMLE4y3eiL7sJG96PQKXS3QE3ZOb3GT7RaONujV4zkapu
+2Cw8fQSJ/2tpPfe29K5SbRGqbgNxKwVGM324hUdCmEccxaa8/TGIogQQAQoADAUC
+VOYjkgWDB4YfgAAKCRCpLpeL5AJJfVu3A/41XfxlQcEK5XPoNX2L+hLuat8sYH7s
+4I4X+wDSIqPcIRxvYrJkoTQmag02nbPDJTaTQ+ZnitHtSEsp1Tf+kpiqNeWTz4OL
+/FxvYE9/CQf27BgCxI3/9XHMXBGi4weioC7rysnLIBsSrzg7Wk5z0olNByVAOVU4
+HrneVMWgVEtKKokBIgQQAQoADAUCVOYjpgWDB4YfgAAKCRB9DnnNd2IezcGIB/4/
+ZuxtQvADmlT82Txgx5UHqIQhbmX4mALGqIIOSth9Y261bWzlkNEQBkoae8Vv6VYW
+nNhdaJ7rmOhHnt61naVhTUm0GEhRTBThay/elYWTNvInuS0rD4sPUUXSvmyiUier
+PW4aLaIljJAaXuq8w064Di0Iw+frAZx2AMrAYcqiQOUI+V3GYYf12Nn58aWben03
+l//ecqhySnOG0vUJ2cntgyVOMuaVakqc/8A4p6WXAjTCylmS+kbswbABx9zjG+lF
+ClE2xDkVvM413OvXaxwhmy7Qmo4bbezC4mEy5NaoV+Lid63kvBa4gmxvAkbQ5Pfx
+XWpXfQoB2/pGg7vG10TR0dl62XgBEAABAQAAAAAAAAAAAAAAAP/Y/+AAEEpGSUYA
+AQEBAEgASAAA/+EAWEV4aWYAAE1NACoAAAAIAAIBEgADAAAAAQABAACHaQAEAAAA
+AQAAACYAAAAAAAOgAQADAAAAAQABAACgAgAEAAAAAQAAAECgAwAEAAAAAQAAAEAA
+AAAA/+0AOFBob3Rvc2hvcCAzLjAAOEJJTQQEAAAAAAAAOEJJTQQlAAAAAAAQ1B2M
+2Y8AsgTpgAmY7PhCfv/iDFhJQ0NfUFJPRklMRQABAQAADEhMaW5vAhAAAG1udHJS
+R0IgWFlaIAfOAAIACQAGADEAAGFjc3BNU0ZUAAAAAElFQyBzUkdCAAAAAAAAAAAA
+AAAAAAD21gABAAAAANMtSFAgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAEWNwcnQAAAFQAAAAM2Rlc2MAAAGEAAAAbHd0cHQA
+AAHwAAAAFGJrcHQAAAIEAAAAFHJYWVoAAAIYAAAAFGdYWVoAAAIsAAAAFGJYWVoA
+AAJAAAAAFGRtbmQAAAJUAAAAcGRtZGQAAALEAAAAiHZ1ZWQAAANMAAAAhnZpZXcA
+AAPUAAAAJGx1bWkAAAP4AAAAFG1lYXMAAAQMAAAAJHRlY2gAAAQwAAAADHJUUkMA
+AAQ8AAAIDGdUUkMAAAQ8AAAIDGJUUkMAAAQ8AAAIDHRleHQAAAAAQ29weXJpZ2h0
+IChjKSAxOTk4IEhld2xldHQtUGFja2FyZCBDb21wYW55AABkZXNjAAAAAAAAABJz
+UkdCIElFQzYxOTY2LTIuMQAAAAAAAAAAAAAAEnNSR0IgSUVDNjE5NjYtMi4xAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABY
+WVogAAAAAAAA81EAAQAAAAEWzFhZWiAAAAAAAAAAAAAAAAAAAAAAWFlaIAAAAAAA
+AG+iAAA49QAAA5BYWVogAAAAAAAAYpkAALeFAAAY2lhZWiAAAAAAAAAkoAAAD4QA
+ALbPZGVzYwAAAAAAAAAWSUVDIGh0dHA6Ly93d3cuaWVjLmNoAAAAAAAAAAAAAAAW
+SUVDIGh0dHA6Ly93d3cuaWVjLmNoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAGRlc2MAAAAAAAAALklFQyA2MTk2Ni0yLjEgRGVm
+YXVsdCBSR0IgY29sb3VyIHNwYWNlIC0gc1JHQgAAAAAAAAAAAAAALklFQyA2MTk2
+Ni0yLjEgRGVmYXVsdCBSR0IgY29sb3VyIHNwYWNlIC0gc1JHQgAAAAAAAAAAAAAA
+AAAAAAAAAAAAAABkZXNjAAAAAAAAACxSZWZlcmVuY2UgVmlld2luZyBDb25kaXRp
+b24gaW4gSUVDNjE5NjYtMi4xAAAAAAAAAAAAAAAsUmVmZXJlbmNlIFZpZXdpbmcg
+Q29uZGl0aW9uIGluIElFQzYxOTY2LTIuMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAdmlldwAAAAAAE6T+ABRfLgAQzxQAA+3MAAQTCwADXJ4AAAABWFlaIAAAAAAA
+TAlWAFAAAABXH+dtZWFzAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAACjwAAAAJz
+aWcgAAAAAENSVCBjdXJ2AAAAAAAABAAAAAAFAAoADwAUABkAHgAjACgALQAyADcA
+OwBAAEUASgBPAFQAWQBeAGMAaABtAHIAdwB8AIEAhgCLAJAAlQCaAJ8ApACpAK4A
+sgC3ALwAwQDGAMsA0ADVANsA4ADlAOsA8AD2APsBAQEHAQ0BEwEZAR8BJQErATIB
+OAE+AUUBTAFSAVkBYAFnAW4BdQF8AYMBiwGSAZoBoQGpAbEBuQHBAckB0QHZAeEB
+6QHyAfoCAwIMAhQCHQImAi8COAJBAksCVAJdAmcCcQJ6AoQCjgKYAqICrAK2AsEC
+ywLVAuAC6wL1AwADCwMWAyEDLQM4A0MDTwNaA2YDcgN+A4oDlgOiA64DugPHA9MD
+4APsA/kEBgQTBCAELQQ7BEgEVQRjBHEEfgSMBJoEqAS2BMQE0wThBPAE/gUNBRwF
+KwU6BUkFWAVnBXcFhgWWBaYFtQXFBdUF5QX2BgYGFgYnBjcGSAZZBmoGewaMBp0G
+rwbABtEG4wb1BwcHGQcrBz0HTwdhB3QHhgeZB6wHvwfSB+UH+AgLCB8IMghGCFoI
+bgiCCJYIqgi+CNII5wj7CRAJJQk6CU8JZAl5CY8JpAm6Cc8J5Qn7ChEKJwo9ClQK
+agqBCpgKrgrFCtwK8wsLCyILOQtRC2kLgAuYC7ALyAvhC/kMEgwqDEMMXAx1DI4M
+pwzADNkM8w0NDSYNQA1aDXQNjg2pDcMN3g34DhMOLg5JDmQOfw6bDrYO0g7uDwkP
+JQ9BD14Peg+WD7MPzw/sEAkQJhBDEGEQfhCbELkQ1xD1ERMRMRFPEW0RjBGqEckR
+6BIHEiYSRRJkEoQSoxLDEuMTAxMjE0MTYxODE6QTxRPlFAYUJxRJFGoUixStFM4U
+8BUSFTQVVhV4FZsVvRXgFgMWJhZJFmwWjxayFtYW+hcdF0EXZReJF64X0hf3GBsY
+QBhlGIoYrxjVGPoZIBlFGWsZkRm3Gd0aBBoqGlEadxqeGsUa7BsUGzsbYxuKG7Ib
+2hwCHCocUhx7HKMczBz1HR4dRx1wHZkdwx3sHhYeQB5qHpQevh7pHxMfPh9pH5Qf
+vx/qIBUgQSBsIJggxCDwIRwhSCF1IaEhziH7IiciVSKCIq8i3SMKIzgjZiOUI8Ij
+8CQfJE0kfCSrJNolCSU4JWgllyXHJfcmJyZXJocmtyboJxgnSSd6J6sn3CgNKD8o
+cSiiKNQpBik4KWspnSnQKgIqNSpoKpsqzysCKzYraSudK9EsBSw5LG4soizXLQwt
+QS12Last4S4WLkwugi63Lu4vJC9aL5Evxy/+MDUwbDCkMNsxEjFKMYIxujHyMioy
+YzKbMtQzDTNGM38zuDPxNCs0ZTSeNNg1EzVNNYc1wjX9Njc2cjauNuk3JDdgN5w3
+1zgUOFA4jDjIOQU5Qjl/Obw5+To2OnQ6sjrvOy07azuqO+g8JzxlPKQ84z0iPWE9
+oT3gPiA+YD6gPuA/IT9hP6I/4kAjQGRApkDnQSlBakGsQe5CMEJyQrVC90M6Q31D
+wEQDREdEikTORRJFVUWaRd5GIkZnRqtG8Ec1R3tHwEgFSEtIkUjXSR1JY0mpSfBK
+N0p9SsRLDEtTS5pL4kwqTHJMuk0CTUpNk03cTiVObk63TwBPSU+TT91QJ1BxULtR
+BlFQUZtR5lIxUnxSx1MTU19TqlP2VEJUj1TbVShVdVXCVg9WXFapVvdXRFeSV+BY
+L1h9WMtZGllpWbhaB1pWWqZa9VtFW5Vb5Vw1XIZc1l0nXXhdyV4aXmxevV8PX2Ff
+s2AFYFdgqmD8YU9homH1YklinGLwY0Njl2PrZEBklGTpZT1lkmXnZj1mkmboZz1n
+k2fpaD9olmjsaUNpmmnxakhqn2r3a09rp2v/bFdsr20IbWBtuW4SbmtuxG8eb3hv
+0XArcIZw4HE6cZVx8HJLcqZzAXNdc7h0FHRwdMx1KHWFdeF2Pnabdvh3VnezeBF4
+bnjMeSp5iXnnekZ6pXsEe2N7wnwhfIF84X1BfaF+AX5ifsJ/I3+Ef+WAR4CogQqB
+a4HNgjCCkoL0g1eDuoQdhICE44VHhauGDoZyhteHO4efiASIaYjOiTOJmYn+imSK
+yoswi5aL/IxjjMqNMY2Yjf+OZo7OjzaPnpAGkG6Q1pE/kaiSEZJ6kuOTTZO2lCCU
+ipT0lV+VyZY0lp+XCpd1l+CYTJi4mSSZkJn8mmia1ZtCm6+cHJyJnPedZJ3SnkCe
+rp8dn4uf+qBpoNihR6G2oiailqMGo3aj5qRWpMelOKWpphqmi6b9p26n4KhSqMSp
+N6mpqhyqj6sCq3Wr6axcrNCtRK24ri2uoa8Wr4uwALB1sOqxYLHWskuywrM4s660
+JbSctRO1irYBtnm28Ldot+C4WbjRuUq5wro7urW7LrunvCG8m70VvY++Cr6Evv+/
+er/1wHDA7MFnwePCX8Lbw1jD1MRRxM7FS8XIxkbGw8dBx7/IPci8yTrJuco4yrfL
+Nsu2zDXMtc01zbXONs62zzfPuNA50LrRPNG+0j/SwdNE08bUSdTL1U7V0dZV1tjX
+XNfg2GTY6Nls2fHadtr724DcBdyK3RDdlt4c3qLfKd+v4DbgveFE4cziU+Lb42Pj
+6+Rz5PzlhOYN5pbnH+ep6DLovOlG6dDqW+rl63Dr++yG7RHtnO4o7rTvQO/M8Fjw
+5fFy8f/yjPMZ86f0NPTC9VD13vZt9vv3ivgZ+Kj5OPnH+lf65/t3/Af8mP0p/br+
+S/7c/23////AABEIAEAAQAMBIgACEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAA
+AQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEH
+InEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJ
+SlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaan
+qKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4
++fr/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv/xAC1EQACAQIEBAME
+BwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ0
+4SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4
+eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS
+09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2wBDAAICAgICAgMCAgMEAwMDBAUE
+BAQEBQcFBQUFBQcIBwcHBwcHCAgICAgICAgKCgoKCgoLCwsLCw0NDQ0NDQ0NDQ3/
+2wBDAQICAgMDAwYDAwYNCQcJDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0N
+DQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ3/3QAEAAT/2gAMAwEAAhEDEQA/AP38pCQASTgD
+kk0EgAknAHJJr8MP2zv2z9U+ImqX/wALvhdfvaeEbR3tr+/tn2vrDr8rgOvS0ByA
+AcSj5mypAHu8P8P4jNsR7Cholu+iX+fZfpdrxs7zuhllD21bVvZdW/8ALuz9Kvjx
++1h4G+Bo0+0ubK817UNXs1v7GOyKraSW7sVV2umyuG2kjYshxgkAMCfhfWf+CkXx
+OnuC3h/wvoNlBnhLz7TePj/fjlthn/gNcXq/g/xd44/Ya8JeM/EGlXVpe+AtQmtb
+Se4TY15oF46BJUX75RJGjRCQBsRmGQd1VP2VvAPwpl1XU5v2jNItdN0i5sobrRtS
+16/k0i2Z1fayR7p4FmEqyBgxDKPLwCCeeLHZfOhjKmEh7zi2tNb29DrweOhWwsMV
+L3VJJ66Wud/o3/BSL4nQXAbxB4X0G9gzyln9ps3x/vyS3Iz/AMBr7g+BX7Xfw9+O
+Oqp4XsbK/wBH8QGF5vsdxH50LrGMuY7iIFcKO8ix5OAASa87/wCGU/2O/ijbyL8P
+720ExBJn8Oa6L0rjjOx5bqMAH0UV4v8AEz4Ia/8Asl/Abxvqvw4W78S634lkXTbr
+WoYFik0fQWXMpMau77mbKvInyjKudnljM4PL6lfFQwj92Umlrpa/qVisdTo4aeK+
+JRTemt7H6sgggEHIPIIpa/DD9jH9s/VPh5qdh8LvijfPd+Ebp0trC/uXy+jux2oG
+duTaE4BDH9yOVwoIP7nAggEHIPIIrv4g4fxGU4j2FfVPZ9Gv8+66elm+LJM7oZnQ
+9tR0a3XVP/Ls/wDhl//Q/Rz9vr4w3Xwu+CUujaLOYNY8YzNpMDo22SK02FruVe/3
+MRZHIMoPUV+aH7C/7Otl8bPiHP4h8WW/n+FfCnlT3UDj5L28kJMFufVBtLyjnKgK
+Rh816l/wVE1u5uPix4S8NsT9nsfDpvox2El7dTRv+OLVa+uf2MLe3+GH7GM3j1Yg
+Jp4Nd8R3AI5Y2ZliTOBkgxWqEexr9Yo1nk/CirUNKlZ79db/AJRWnZu5+Z1aSzTi
+Z0q2sKS29Lf+3P5pHc+Mv2i/CGs/GiL9miyVVtdTtbrSr/VYzg2epSQn7PDbgfLv
+jYAFudspVRgo1fgD460vxHonjTXdF8XzTXGt6fqFzaX8txI0sslxBI0cjM7Es+WX
+O4k5HNfTXwB8P6p8Tfj94V0+e+mS9vtY/tK4vA378m033s0gY5/eMImIJz8xzg9K
+9I/4KQfDH/hEPjRbeO7KLZYeM7JZ3IGFF/ZBYZwO3MfkuTxlmY+pPH4ZZjGljamE
+l9tXXrHp9138jq8Q8A6mDhio/Ydn6Pr99vvKXwC/ZV8deFPH9j8SfjNp8vhzwV4V
+sh4mn1GO6hmjvEiAkt4YJrWVwzSkgkK2SgK8My5+3f2dv212+J/xBvfAXxAtLawi
+1u6m/wCEflQYAVidllcZ+V3KcJJ8u5gVIyy47H9iHxppnxl/ZntfCXimGLUjoHm+
+HNQt7kCRJrWNQ1vlTn5fs7pGPeM4xjj8p/jR4Ll+C/xq17wrodxJF/YOoRXGnTK2
+ZYopVjurY7v76JImT/eGa+e4xzPGYrMZU8ZZOneKS2331vvue7wrl+Fw2AjPC3an
+7zvvtt022Ow/bq/Z2svgr8RIfEXhS3EHhXxYZZ7WBBhLK8jIM9uvYRncHiHGFJQD
+CZr9K/2BPjFcfFD4JxaFrExm1jwZKmlTOxJeWzK7rSRj67A0XXJMWT1rn/2zba1+
+J/7GEXj2WMNcQW+heI7bauNrXhiifGeQBFdOce1fIv8AwS71u5t/ix4t8NqT9nvv
+DovpB2MlldQxp+OLpq+tq1nnHCkq1fWpRe/pb/21692rnzFKksr4mVKjpCqtvW//
+ALcvkmf/0e//AOComiXNv8WPCXiRgfs994dNjGexksrqaR/xxdLX1z+xrc2/xR/Y
+um8BQyj7TBba74buCxxte782WPOOQBFdIM+1dD+338Hbj4ofBOXXdHhM2seDJX1W
+FFBLy2ZXbdxqPXYFl6ZJiwOtfmn+wv8AtFWXwT+Ic/h7xZceR4V8V+VBdTufksry
+MkQXB9EO4pKeMKQxOExX6xSovOOFI0aGtSi9uul/zi9O7Vj8zq1VlfEzq1tIVVv6
+2/8Abl8kzkPgv40l+C/xq0HxVrlvJF/YOoS2+owsuZYopVktbkbf76JI+B/eGK/b
+r4x/Br4b/tT/AA70+x1G+d7JnTUtI1fTHRnjZ1I3IWDK8cinDoRzx0ZQR8i/te/s
+har4s1W5+LXwltlvbu9UTatpMJ/eXEne5tudrs68yRjBYjcu5mIr8/8AwX8afjV8
+F5bjQ/CuvahoPlSMs2nXEayxRSn72ba6jkRH9TsDetfl2GxNXD1Y1qMuWUdmj9Gx
+GHp16bo1leL3R+3fwc+Dnw5/ZZ+HN/p2nX8iWCSSanq2ranIis7KgUsxUKiRoigI
+gHHuxJP4ifGjxpL8aPjVr3irQ7eSX+3tQit9OhVcSyxRLHa2w2/33SNMj+8cUeNP
+jT8avjRLb6H4q17UNe82RVh063jWKKWUfdxbWscaO/odhb0r9AP2Qv2QtV8J6rbf
+Fr4tWy2V3ZKZtJ0mY/vLeTtc3PO1GReY4zkqTubaygUYnE1cRVlWrSvKW7DD4enQ
+pqjSVorZHdftn3Fv8MP2MYfATSgTTwaF4ctyDyxszFK+MnJBitXB9jXyN/wS70S5
+uPix4t8SKD9nsfDosZD2El7dQyJ+OLVq8t/bo/aKsvjZ8Q4PD3hO48/wr4U82C1n
+Q/Je3khAnuB6oNoSI85UFgcPiv0v/YF+D118LvglFrOtQGDWPGMy6tOjrtkitNgW
+0ibv9zMuDyDKR1FfqNai8n4UdGvpUrPbrrb8orXs3Y/OaVVZpxMqtHWFJb+l/wD2
+5/NI/9L9+yAQQRkHgg1+GH7Z37GGqfDvVL/4o/C6we78I3bvc39hbJufR3b5nIRe
+toTkggYiHythQCf3QpCAQQRkHgg17vD/ABBiMpxHt6Gqe66Nf59n+l0/GzvJKGZ0
+PY1tGtn1T/y7o/nx/Z1/bo+IfwTsrfwn4hg/4SvwrBhILWeXy7yyT0t5yGyg7ROC
+owApQZr9C7f9s/8AYx+J9vE3j2GCCYgAW/iPQjeFSOcb4orqIAHuWFdJ8Yf2Bfgl
+8UbqfWtGim8HaxOWd59JVPsksjfxS2jfJ15PlGIk9Sa+Itb/AOCXfxYt7kp4b8W+
+Hb63zxJfC6spCP8AcjhuQD7b6+7rVuFM3ft6zdGo9+mv3OL9dG+p8ZSpcTZWvY0k
+qsFt1/VS/NI+urn9sv8AYv8AhfbyTeA4bae5AKm38N6EbR2B+bHmSxWsRBJ5w557
+V+ef7RX7dHxD+NllceE/D0H/AAinhWfKT2sEvmXl6npcTgLhD3iQBTkhi4xXqWif
+8Eu/ixcXITxJ4t8O2NvnmSxF1eyAf7kkNsCfbfX218Hf2BPgn8L7iHWNdil8Z6xC
+QyTaqiizicHho7Ncpn/rq0pB5GKKNXhTKH7ejJ1qi266/co/PVroFalxNmi9jVSp
+Qe/T9XL8kz4S/Yx/Yw1T4iapYfFH4o2D2nhG0dLmwsLlNr6w6/MhKN0tAcEkjEo+
+VcqSR+54AAAAwBwAKAAAABgDgAUtfCcQcQYjNsR7evolsuiX+fd/pZL7PJMkoZZQ
+9jR1b3fVv/Lsj//ZiQI4BBMBAgAiBQJU5iKkAhsDBgsJCAcDAgYVCAIJCgsEFgID
+AQIeAQIXgAAKCRAg43wlmVtPhXEjD/9mSd6d5RhiqbG0FXRpFGMkSGJ1M0wp+8w0
+dAmnq7Ws8OX/1sB0C3vl+pgxkXXnNEwtuFrEA1wWDE2TqUBHKMXuP442ZSxFg+d4
+wGavkWxmVUSnik3YoenUDl1QnXkLpQ5Q1Ljcs5sqshvny974lY7IwxburvtPAWUo
+2X6ImgKCK6xsFD8AVKf+Bmi0yYhchBy1LeyWdlNTOykZ/I7PfuYNTDZB0L6vdsl0
+mfwBMUNO7we6Rtng4QGmSuBkyoXqrtBATGXiM/8Z5yUsoZ0SvSx3d9DVR8mu0OSj
+Yf10w+SCx1sbQGo8FHCniFfIuk88QLQvblDn/e/lAoiQ+vyFx/7HoKOw/4TTrCyX
+F/rEYwgXUwNIACzuqeMWxr+Z20ikx/Ee8I9KFwwBZT2TPOQ02CrGeq67MK5jFeJe
+mo59084/yB9eeMyd5wYMX0g9vGk56DnXZL8kcDDvaT/0ed/vUjx2BHd3WLi2PaiE
+0aBhqzad7rhI9Bh7QCADvOn/g2DxTGHgD5T0qwp9TkDjZ033TlEkPGDma3QKoKep
+AMeXe0fj6kiVhEwIXQsxp4GwRk7cm0lOXyEB+8N+jY6R1zV6+nDpMPD9gp/0mBKL
+m17n36QldJ7c3UdQQG+5n+M63E6N2lcor9dBCCYVwsiFI/X3wi8fHMcPvWrE7oQA
+NvwBmbXCpYiiBBABCgAMBQJU5iOSBYMHhh+AAAoJEKkul4vkAkl9wlMD/RahquaF
+BcOFBWhhf76tfRkCTVIAUSGjQi8UzoNUnSJgDD98IJaRhWrFyTlmGMkxfN9cS98/
+ETKOMUObC3OPwoFhc9HcgpJx13Ibg/KcsmaLoaxumCiLNSKBKtGHgr7zxDgmnoq+
+xQ1BCfovxpqBoDZcAHXVQffRUFVFHnUfg/6jiQEiBBABCgAMBQJU5iOtBYMHhh+A
+AAoJEH0Oec13Yh7Nyq4H/jKgreYNB9HaYweCvJKKjn6aQsJb0DTpWNtRKEXMKWc8
+3eSQD+PxEa9RhpIaenddUhDKvQTmgsCtzeC9Xkuqq8taxdFfaBWB1af81cSsgHln
+ktbQ1gb2hTqAUk72QtNHtGJ8qNc9V4B2SezlPJynJm/ppYvq6QtmydW+4TkqbycT
+ktZO/7+pRGKnQF9xtWjyxXdOD+rvJEZznQYBj9SxHFta2amKKC46PCaJPDDz6yTg
+XClZVTIDXsEXdkg5J7dqMbWXPx0LUandcRV5JZJAKcPdxlngZ6skUkuesmyqsLo7
+Hih/oWFGg6u3tCeCT5tvdOXwC0weJ9TrrLKvTpnqsYi5Ag0EVOYiAAEQAM7x0upj
+nGeDbxbsbJOPvqViMDKonCvNgisoFO2f1ciJPLfPC3XKWGyyUVbnAhahxx9fm1sS
+lH11VWz1w6SAmPd5Fbyxay5LxeEmGSkkD25fBLeKJxqQxkBc7JS+O94I8J0i2cH0
+ksIy9184+8H3WJ/85ekrnOT+/6Sh1RGc7PSf3RweckoiFAV7/KlJtRGL0XXCZA4T
+fImA+i49z7AshWh54WJve4thIOZ5r//dOJSxWXP+e0oMXl8EmgVjl+e95xC1WoR3
+tTjGX+nh3E/KZpK5LYzrJTR04WQAtEfH7RcHWa/RJpRkNczEga1h9/33aw9sZ3YY
+4ABDVLMs0Gkv+s3OQQJWfHSYYwqjOBi4XJnAwsWYXdciqLOoWzI4GoMOhlQdeWx7
+N7YqYitmmmZe4fQc6Yz0wG3XTEucH+dW/r+gKAw9X9jTPFUAkEixq0ZlofB190ZA
+HNfmuMgv0BLLvCYmTgawgNuEPNamftHOqrR4C1fnm2RHFG0B+XuD/EcStZWNpCVa
+vczxi6knHZt3q0Pfm6sZn1v12YIsGQd15uNg6TDoKKh3p6VxXAcIVEdmO7N7BhCf
+oSM5CB1x/v1WdrU71PxppWRdZTWFP5k3Vt5BUYOuKPAuYbhYWHdhH6e+FBzXNodd
+58EP++33A88nPT+eYqWeghich2hQ6jINu/0zABEBAAGJAh8EGAECAAkFAlTmIgAC
+GwwACgkQION8JZlbT4U6AQ/+NFHfFoCBNSb1lKyy9psb7WiW2DVuYkYBKwkkJCnR
+Swgvty2zaON7eFOrJiiFDRw0egjdad6cerddwHocKTTjYgyTec+esZ8i06u42h7d
+sGQU/D0O7QUqb3DI971toREkl3rY3URaXVRWblXwSnV/y3E/jRQSQycWNFWqJJum
+xfZoAIVvXFKI1R0jhVkvL1+R1Y8LwJReiavUxi85rTPW90ztyK3/Ls2Djlqt8aDm
+E0/fwCuHtNzoNohF2vz1FcBajxQD+eWHuZOsLeEtAXVaCPXCYJ9L6jB6l7EfnHrn
+IigsvrEpKje7T00HfT4QgVdXGa5RbT/cS5Uo/IcOcmKyWwP3XV0K8vER/5b81Leg
+bH06GGDO2VsZ+lCFqiTBVPnRPQWp4D/hokQslXhD0Gff4fcGxBRwp3Jd9ui6Yia1
+RbuhddT+5eatbSkXRv0iuAOf+2+luKwnuD5i0Vt2MB59YkCWmVebPyIME9VDZ2U6
+untC5IfVR0PAst81BTfC83qShc965GcBqbEBybQVRLNFFODzxt9P9N3Zc8FdiNOw
+YWAmTe2FQN49eSAUc76DOWVGwDb1OZvRU6f/vexq3AYyk6KGpP+XfBFBPZTs58bL
+goFta/pZDpqZ3SyhiOv+ZdgufF/Y7T4YQEWjgWLtdsL7DDMut+T8urvTNQUUFKc7
+0w8=
+=DzbW
+-----END PGP ARMORED FILE-----
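Review bot: The key added here is not a minimal export: part of the armored body decodes to JPEG and ICC-profile data (a photo-ID user attribute), and it appears to carry several third-party certifications, which is why one signing key takes 238 lines. None of that is needed to verify upstream tarballs, and it makes the package's trust anchor harder to audit in review. I would re-export it with `gpg --armor --export --export-options export-minimal,no-export-attributes <UPSTREAM_KEY_FINGERPRINT>` (a placeholder, since the full fingerprint is not shown on this page) and state in the commit message how that fingerprint was verified. The armor header is also `PGP ARMORED FILE`, the `gpg --enarmor` form, rather than a public key block, so it is worth confirming that the uscan version in use accepts it.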
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..cf8ed30
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,9 @@
+version=3
+
+opts=pasv,\
+pgpsigurlmangle=s/$/.sig/,\
+repacksuffix=+dfsg,\
+dversionmangle=s/\+(git$|dfsg)//,\
+uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/\
+ ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-(.+)\.tar\.gz
+
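Review bot: The URL on the last line of the `opts=` entry is plain `ftp://`, so the tarball and the `.sig` derived by `pgpsigurlmangle` both travel over an unauthenticated channel. The only integrity check is the signature verified against debian/upstream/signing-key.asc. That holds as long as the key itself was verified out-of-band, but if upstream serves the same releases over HTTPS I would point the URL there and drop `pasv`. A comment above `opts=` such as `# Integrity relies on the upstream signature (debian/upstream/signing-key.asc); the FTP transport is not authenticated.` would make that dependency explicit.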