authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 14:11:04 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 14:11:04 +0000
commita31a6484b79cf48b4b464a6ab84df3361801076e (patch)
treea7c33f7023721122d1f49ab1dffdc2cd6a8481a5 /debian/patches
parentAdding upstream version 3.2.3+dfsg. (diff)
Adding debian version 3.2.3+dfsg-2.debian/3.2.3+dfsg-2debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/0002-gitignore.diff.patch29
-rw-r--r--debian/patches/0006-jradius.diff.patch17
-rw-r--r--debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch23
-rw-r--r--debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch152
-rw-r--r--debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch33
-rw-r--r--debian/patches/dont-install-tests.diff24
-rw-r--r--debian/patches/series7
-rw-r--r--debian/patches/snakeoil-certs.diff132
8 files changed, 417 insertions, 0 deletions
diff --git a/debian/patches/0002-gitignore.diff.patch b/debian/patches/0002-gitignore.diff.patch
new file mode 100644
index 0000000..22013a1
--- /dev/null
+++ b/debian/patches/0002-gitignore.diff.patch
@@ -0,0 +1,29 @@
+From 993eba48a171e70dfe83fa25f04c4d19b257ea1b Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Thu, 18 Sep 2014 15:55:47 -0400
+Subject: gitignore.diff
+
+---
+ .gitignore | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/.gitignore
++++ b/.gitignore
+@@ -1,3 +1,17 @@
++*.la
++*.o
++*.lo
++.libs
++.deps
++build-arch-stamp
++build-indep-stamp
++config.h
++config.log
++config.status
++config.cache
++config.guess.dist
++config.sub.dist
++Make.inc
+ *~
+ *.o
+ *.a
diff --git a/debian/patches/0006-jradius.diff.patch b/debian/patches/0006-jradius.diff.patch
new file mode 100644
index 0000000..2eeee49
--- /dev/null
+++ b/debian/patches/0006-jradius.diff.patch
@@ -0,0 +1,17 @@
+From b72e1d985e709e4c5fd7355747cde8697e665b44 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Thu, 18 Sep 2014 15:55:52 -0400
+Subject: jradius.diff
+
+---
+ src/modules/stable | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/src/modules/stable
++++ b/src/modules/stable
+@@ -40,3 +40,5 @@
+ rlm_yubikey
+ rlm_redis
+ rlm_rediswho
++rlm_policy
++rlm_jradius
diff --git a/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch b/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch
new file mode 100644
index 0000000..c2ac785
--- /dev/null
+++ b/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch
@@ -0,0 +1,23 @@
+From f39ef7f317a49c4e959bed7e9d954e473f49d602 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Wed, 1 Oct 2014 16:38:16 -0400
+Subject: dhcp sqlipool: Comment out mysql
+Forwarded: not-needed
+
+So freeradius does not depend on freeradius-mysql
+---
+ raddb/modules/dhcp_sqlippool | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/raddb/mods-available/dhcp_sqlippool
++++ b/raddb/mods-available/dhcp_sqlippool
+@@ -97,5 +97,8 @@
+ nopool = "DHCP: No ${..pool_name} defined (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
+ }
+
+- $INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
++ # This line is commented by default to enable clean startup when you
++ # don't have freeradius-mysql installed. Uncomment this line if you
++ # use this module.
++ #$INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
+ }
diff --git a/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch b/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch
new file mode 100644
index 0000000..fda1cf0
--- /dev/null
+++ b/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch
@@ -0,0 +1,152 @@
+Author: Sam Hartman <hartmans@debian.org>
+Description: Rename radius to freeradius
+Last-Updated: 2016-09-16
+Forwarded: not-needed
+
+---
+
+--- a/Make.inc.in
++++ b/Make.inc.in
+@@ -98,7 +98,7 @@
+
+ LOGDIR = ${logdir}
+ RADDBDIR = ${raddbdir}
+-RUNDIR = ${localstatedir}/run/radiusd
++RUNDIR = ${localstatedir}/run/freeradius
+ SBINDIR = ${sbindir}
+ RADIR = ${radacctdir}
+ LIBRADIUS = $(top_builddir)/src/lib/$(LIBPREFIX)freeradius-radius.la $(TALLOC_LIBS)
+--- a/raddb/radiusd.conf.in
++++ b/raddb/radiusd.conf.in
+@@ -91,7 +91,7 @@
+
+ #
+ # name of the running server. See also the "-n" command-line option.
+-name = radiusd
++name = freeradius
+
+ # Location of config and logfiles.
+ confdir = ${raddbdir}
+@@ -447,8 +447,8 @@
+ # member. This can allow for some finer-grained access
+ # controls.
+ #
+-# user = radius
+-# group = radius
++ user = freerad
++ group = freerad
+
+ # Core dumps are a bad thing. This should only be set to
+ # 'yes' if you're debugging a problem with the server.
+--- a/scripts/monit/freeradius.monitrc
++++ b/scripts/monit/freeradius.monitrc
+@@ -8,9 +8,9 @@
+ # Totalmem limit should be lowered to 200.0 if none of the
+ # interpreted language modules or rlm_cache are being used.
+ #
+-check process radiusd with pidfile /var/run/radiusd/radiusd.pid
+- start program = "/etc/init.d/radiusd start"
+- stop program = "/etc/init.d/radiusd stop"
++check process freeradius with pidfile /var/run/freeradius/freeradius.pid
++ start program = "/etc/init.d/freeradius start"
++ stop program = "/etc/init.d/freeradius stop"
+ if failed host 127.0.0.1 port 1812 type udp protocol radius secret testing123 then alert
+ if failed host 127.0.0.1 port 1813 type udp protocol radius secret testing123 then alert
+ if cpu > 95% for 2 cycles then alert
+--- a/raddb/sites-available/control-socket
++++ b/raddb/sites-available/control-socket
+@@ -72,12 +72,12 @@
+ #
+ # Name of user that is allowed to connect to the control socket.
+ #
+-# uid = radius
++# uid = freerad
+
+ #
+ # Name of group that is allowed to connect to the control socket.
+ #
+-# gid = radius
++# gid = freerad
+
+ #
+ # Access mode.
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -102,7 +102,6 @@
+ bool display_version = false;
+ int flag = 0;
+ int from_child[2] = {-1, -1};
+- char *p;
+ fr_state_t *state = NULL;
+
+ /*
+@@ -137,13 +136,7 @@
+ main_config.myip.af = AF_UNSPEC;
+ main_config.port = 0;
+ main_config.daemonize = true;
+-
+- p = strrchr(argv[0], FR_DIR_SEP);
+- if (!p) {
+- main_config.name = argv[0];
+- } else {
+- main_config.name = p + 1;
+- }
++ main_config.name = "radiusd";
+
+ /*
+ * Don't put output anywhere until we get told a little
+@@ -697,7 +690,7 @@
+ {
+ FILE *output = status?stderr:stdout;
+
+- fprintf(output, "Usage: %s [options]\n", main_config.name);
++ fprintf(output, "Usage: freeradius [options]\n");
+ fprintf(output, "Options:\n");
+ fprintf(output, " -C Check configuration and exit.\n");
+ fprintf(stderr, " -d <raddb> Set configuration directory (defaults to " RADDBDIR ").\n");
+--- a/man/man8/radiusd.8
++++ b/man/man8/radiusd.8
+@@ -56,7 +56,7 @@
+ for an informative list of which modules are checked for correct
+ configuration, and which modules are skipped, and therefore not checked.
+ .IP "\-d \fIconfig directory\fP"
+-Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
++Defaults to \fI/etc/freeradius\fP. \fBRadiusd\fP looks here for its configuration
+ files such as the \fIdictionary\fP and the \fIusers\fP files.
+ .IP "\-D \fIdictionary directory\fP"
+ Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+@@ -80,7 +80,7 @@
+ On SIGINT or SIGQUIT exit cleanly instead of immediately.
+ This is most useful for when running the server with "valgrind".
+ .IP "\-n \fIname\fP"
+-Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
++Read \fIfreeradius/name.conf\fP instead of \fIfreeradius/radiusd.conf\fP.
+ .IP "\-p \fIport\fP"
+ Defines which port is used for receiving authentication packets.
+ Accounting packets are received on "port + 1".
+@@ -147,14 +147,14 @@
+ SQL), then:
+ .PP
+ .in +0.3i
+-a) Edit raddb/modules/foo
++a) Edit freeradius/modules/foo
+ .br
+ This file contains the default configuration for the module. It
+ contains comments describing what can be configured, and what those
+ configuration entries mean.
+ .br
+ .br
+-b) Edit raddb/sites-available/default
++b) Edit freeradius/sites-available/default
+ .br
+ This file contains the default policy for the server. e.g. "enable
+ CHAP, MS-CHAP, and EAP authentication". Look in this file for all
+@@ -163,7 +163,7 @@
+ the module.
+ .br
+ .br
+-c) Edit raddb/sites-available/inner-tunnel
++c) Edit freeradius/sites-available/inner-tunnel
+ .br
+ This file contains the default policy for the "tunneled" portion of
+ certain EAP methods. Perform the same kind of edits as above, for the
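Review bot: In the src/main/radiusd.c part of this patch, `main_config.name` is now hard-coded to `"radiusd"`, while the usage text in the same file prints `freeradius` and raddb/radiusd.conf.in sets `name = freeradius`. Messages that print `main_config.name` before the configuration is read will therefore say `radiusd:`, and operators grepping logs or the process list for the Debian name will not find it. If the literal is deliberate, presumably so that `radiusd.conf` is still the file loaded when no `-n` is given (the man page context suggests the name selects the config file), say so at the assignment: `/* Debian: keep "radiusd" so <confdir>/radiusd.conf is still read; the binary is installed as freeradius */`. The enclosing function starts and ends outside the inner hunks, so other uses of `main_config.name` are not visible here.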
diff --git a/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch b/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch
new file mode 100644
index 0000000..f983a9c
--- /dev/null
+++ b/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch
@@ -0,0 +1,33 @@
+From 1b4e8e5751c417ba9d3788d264e76aba4f6baa12 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Thu, 23 Oct 2014 21:44:03 -0400
+Subject: version.c: disable openssl version check
+Forwarded: not-needed
+
+For Debian we don't want to require that the built OpenSSL be the same
+as the linked OpenSSL. Debian will be responsible for changing the
+soname if the ABI changes. The version check causes the freeradius
+packages to fail whenever a new OpenSSL is built.
+
+Patch-Category: debian-local
+---
+ src/main/version.c | 45 +++++++--------------------------------------
+ 1 file changed, 7 insertions(+), 38 deletions(-)
+
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -277,14 +277,6 @@
+
+ if (rad_check_lib_magic(RADIUSD_MAGIC_NUMBER) < 0) exit(EXIT_FAILURE);
+
+- /*
+- * Mismatch between build time OpenSSL and linked SSL, better to die
+- * here than segfault later.
+- */
+-#ifdef HAVE_OPENSSL_CRYPTO_H
+- if (ssl_check_consistency() < 0) exit(EXIT_FAILURE);
+-#endif
+-
+ if (flag && (flag != 0x03)) {
+ fprintf(stderr, "%s: The options -i and -p cannot be used individually.\n",
+ main_config.name);
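Review bot: Removing the `ssl_check_consistency()` call outright leaves no startup check that the runtime OpenSSL matches the headers the server was built against, so the only remaining guard against an ABI mismatch is the package dependency on the library soname, as the description states. The patch header is also stale: the Subject and diffstat name src/main/version.c with 7 insertions and 38 deletions, while the hunk edits src/main/radiusd.c and only deletes the eight-line call site. I would update the header to match and leave a comment where the call used to be, e.g. `/* Debian: OpenSSL build/runtime consistency check removed; ABI compatibility relies on the libssl soname dependency */`. The enclosing function starts and ends outside the hunk.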
diff --git a/debian/patches/dont-install-tests.diff b/debian/patches/dont-install-tests.diff
new file mode 100644
index 0000000..ff2cfab
--- /dev/null
+++ b/debian/patches/dont-install-tests.diff
@@ -0,0 +1,24 @@
+Author: Michael Stapelberg <stapelberg@debian.org>
+Forwarded: https://github.com/FreeRADIUS/freeradius-server/commit/94c42123517c46474e45e545c264de6e5ce228c6
+Last-Update: 2016-10-08
+
+---
+
+Index: freeradius/src/tests/map/map_unit.mk
+===================================================================
+--- freeradius.orig/src/tests/map/map_unit.mk
++++ freeradius/src/tests/map/map_unit.mk
+@@ -3,3 +3,4 @@ SOURCES := map_unit.c ${top_srcdir}/src
+
+ TGT_PREREQS := libfreeradius-server.a libfreeradius-radius.a
+ TGT_LDLIBS := $(LIBS)
++TGT_INSTALLDIR :=
+Index: freeradius/src/main/radattr.mk
+===================================================================
+--- freeradius.orig/src/main/radattr.mk
++++ freeradius/src/main/radattr.mk
+@@ -8,3 +8,4 @@ TGT_PREREQS += libfreeradius-dhcp.a
+ endif
+
+ TGT_LDLIBS := $(LIBS)
++TGT_INSTALLDIR :=
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..816e30a
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,7 @@
+debian-local/0001-Rename-radius-to-freeradius.patch
+0002-gitignore.diff.patch
+0006-jradius.diff.patch
+0009-dhcp-sqlipool-Comment-out-mysql.patch
+debian-local/0010-version.c-disable-openssl-version-check.patch
+dont-install-tests.diff
+snakeoil-certs.diff
diff --git a/debian/patches/snakeoil-certs.diff b/debian/patches/snakeoil-certs.diff
new file mode 100644
index 0000000..483527b
--- /dev/null
+++ b/debian/patches/snakeoil-certs.diff
@@ -0,0 +1,132 @@
+Description: Use snakeoil certificates.
+Author: Michael Stapelberg <stapelberg@debian.org>
+Last-Updated: 2016-09-16
+Forwarded: not-needed
+
+---
+
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -176,7 +176,7 @@
+ #
+ tls-config tls-common {
+ private_key_password = whatever
+- private_key_file = ${certdir}/server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -212,7 +212,7 @@
+ # give advice which will work everywhere. Instead,
+ # we give general guidelines.
+ #
+- certificate_file = ${certdir}/server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -225,7 +225,7 @@
+ # In that case, this CA file should contain
+ # *one* CA certificate.
+ #
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ #
+ # Directory where multiple CAs are stored. Both
+--- a/raddb/mods-available/inner-eap
++++ b/raddb/mods-available/inner-eap
+@@ -59,7 +59,7 @@
+ #
+ tls {
+ private_key_password = whatever
+- private_key_file = ${certdir}/inner-server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -71,11 +71,11 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/inner-server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # You may want different CAs for inner and outer
+ # certificates. If so, edit this file.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ cipher_list = "DEFAULT"
+
+--- a/raddb/sites-available/abfab-tls
++++ b/raddb/sites-available/abfab-tls
+@@ -14,9 +14,9 @@
+ private_key_password = whatever
+
+ # Moonshot tends to distribute certs separate from keys
+- private_key_file = ${certdir}/server.key
+- certificate_file = ${certdir}/server.pem
+- ca_file = ${cadir}/ca.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+ dh_file = ${certdir}/dh
+ fragment_size = 8192
+ ca_path = ${cadir}
+--- a/raddb/sites-available/tls
++++ b/raddb/sites-available/tls
+@@ -161,7 +161,7 @@
+ #
+ tls {
+ private_key_password = whatever
+- private_key_file = ${certdir}/server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # Accept an expired Certificate Revocation List
+ #
+@@ -177,7 +177,7 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -194,7 +194,7 @@
+ # not use client certificates, and you do not want
+ # to permit EAP-TLS authentication, then delete
+ # this configuration item.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ # For DH cipher suites to work in OpenSSL < 1.1.0,
+ # you have to run OpenSSL to create the DH file
+@@ -551,7 +551,7 @@
+ # hostname = "example.com"
+
+ private_key_password = whatever
+- private_key_file = ${certdir}/client.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -563,7 +563,7 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/client.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -580,7 +580,7 @@
+ # not use client certificates, and you do not want
+ # to permit EAP-TLS authentication, then delete
+ # this configuration item.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ #
+ # Before version 3.2.1, outbound RadSec connections
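Review bot: Pointing `ca_file` at `/etc/ssl/certs/ca-certificates.crt` in mods-available/eap, mods-available/inner-eap, sites-available/abfab-tls and both blocks of sites-available/tls makes every CA in the system bundle a trust anchor for peer certificates, whereas the upstream comment kept as context in the eap hunk says this file should contain *one* CA certificate. A deployment that enables EAP-TLS or RadSec without editing these lines would accept a certificate chaining to any public CA, so I would leave `ca_file` commented out by default, which matches the upstream advice in the tls hunk to delete the item when client certificates are not used. The snakeoil key and certificate are self-signed per-host placeholders, and the unchanged `private_key_password = whatever` is presumably unused with that key, so a comment above each replaced line would help: `# Debian: snakeoil key/cert are placeholders; install your own key, certificate and CA before enabling EAP-TLS or RadSec`. The same snakeoil pair is also configured as the client identity in the outbound block at line 551 of sites-available/tls, which deserves the same comment.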