From a31a6484b79cf48b4b464a6ab84df3361801076e Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sat, 13 Apr 2024 16:11:04 +0200
Subject: Adding debian version 3.2.3+dfsg-2.
Signed-off-by: Daniel Baumann
---
debian/patches/0002-gitignore.diff.patch | 29 ++++
debian/patches/0006-jradius.diff.patch | 17 +++
.../0009-dhcp-sqlipool-Comment-out-mysql.patch | 23 ++++
.../0001-Rename-radius-to-freeradius.patch | 152 +++++++++++++++++++++
...0-version.c-disable-openssl-version-check.patch | 33 +++++
debian/patches/dont-install-tests.diff | 24 ++++
debian/patches/series | 7 +
debian/patches/snakeoil-certs.diff | 132 ++++++++++++++++++
8 files changed, 417 insertions(+)
create mode 100644 debian/patches/0002-gitignore.diff.patch
create mode 100644 debian/patches/0006-jradius.diff.patch
create mode 100644 debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch
create mode 100644 debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch
create mode 100644 debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch
create mode 100644 debian/patches/dont-install-tests.diff
create mode 100644 debian/patches/series
create mode 100644 debian/patches/snakeoil-certs.diff
(limited to 'debian/patches')
diff --git a/debian/patches/0002-gitignore.diff.patch b/debian/patches/0002-gitignore.diff.patch
new file mode 100644
index 0000000..22013a1
--- /dev/null
+++ b/debian/patches/0002-gitignore.diff.patch
@@ -0,0 +1,29 @@
+From 993eba48a171e70dfe83fa25f04c4d19b257ea1b Mon Sep 17 00:00:00 2001
+From: Sam Hartman
+Date: Thu, 18 Sep 2014 15:55:47 -0400
+Subject: gitignore.diff
+
+---
+ .gitignore | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/.gitignore
++++ b/.gitignore
+@@ -1,3 +1,17 @@
++*.la
++*.o
++*.lo
++.libs
++.deps
++build-arch-stamp
++build-indep-stamp
++config.h
++config.log
++config.status
++config.cache
++config.guess.dist
++config.sub.dist
++Make.inc
+ *~
+ *.o
+ *.a
diff --git a/debian/patches/0006-jradius.diff.patch b/debian/patches/0006-jradius.diff.patch
new file mode 100644
index 0000000..2eeee49
--- /dev/null
+++ b/debian/patches/0006-jradius.diff.patch
@@ -0,0 +1,17 @@
+From b72e1d985e709e4c5fd7355747cde8697e665b44 Mon Sep 17 00:00:00 2001
+From: Sam Hartman
+Date: Thu, 18 Sep 2014 15:55:52 -0400
+Subject: jradius.diff
+
+---
+ src/modules/stable | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/src/modules/stable
++++ b/src/modules/stable
+@@ -40,3 +40,5 @@
+ rlm_yubikey
+ rlm_redis
+ rlm_rediswho
++rlm_policy
++rlm_jradius
diff --git a/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch b/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch
new file mode 100644
index 0000000..c2ac785
--- /dev/null
+++ b/debian/patches/0009-dhcp-sqlipool-Comment-out-mysql.patch
@@ -0,0 +1,23 @@
+From f39ef7f317a49c4e959bed7e9d954e473f49d602 Mon Sep 17 00:00:00 2001
+From: Sam Hartman
+Date: Wed, 1 Oct 2014 16:38:16 -0400
+Subject: dhcp sqlipool: Comment out mysql
+Forwarded: not-needed
+
+So freeradius does not depend on freeradius-mysql
+---
+ raddb/modules/dhcp_sqlippool | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/raddb/mods-available/dhcp_sqlippool
++++ b/raddb/mods-available/dhcp_sqlippool
+@@ -97,5 +97,8 @@
+ nopool = "DHCP: No ${..pool_name} defined (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
+ }
+
+- $INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
++ # This line is commented by default to enable clean startup when you
++ # don't have freeradius-mysql installed. Uncomment this line if you
++ # use this module.
++ #$INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
+ }
diff --git a/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch b/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch
new file mode 100644
index 0000000..fda1cf0
--- /dev/null
+++ b/debian/patches/debian-local/0001-Rename-radius-to-freeradius.patch 
@@ -0,0 +1,152 @@
+Author: Sam Hartman
+Description: Rename radius to freeradius
+Last-Updated: 2016-09-16
+Forwarded: not-needed
+
+---
+
+--- a/Make.inc.in
++++ b/Make.inc.in
+@@ -98,7 +98,7 @@
+
+ LOGDIR = ${logdir}
+ RADDBDIR = ${raddbdir}
+-RUNDIR = ${localstatedir}/run/radiusd
++RUNDIR = ${localstatedir}/run/freeradius
+ SBINDIR = ${sbindir}
+ RADIR = ${radacctdir}
+ LIBRADIUS = $(top_builddir)/src/lib/$(LIBPREFIX)freeradius-radius.la $(TALLOC_LIBS)
+--- a/raddb/radiusd.conf.in
++++ b/raddb/radiusd.conf.in
+@@ -91,7 +91,7 @@
+
+ #
+ # name of the running server. See also the "-n" command-line option.
+-name = radiusd
++name = freeradius
+
+ # Location of config and logfiles.
+ confdir = ${raddbdir}
+@@ -447,8 +447,8 @@
+ # member. This can allow for some finer-grained access
+ # controls.
+ #
+-# user = radius
+-# group = radius
++ user = freerad
++ group = freerad
+
+ # Core dumps are a bad thing. This should only be set to
+ # 'yes' if you're debugging a problem with the server.
+--- a/scripts/monit/freeradius.monitrc
++++ b/scripts/monit/freeradius.monitrc
+@@ -8,9 +8,9 @@
+ # Totalmem limit should be lowered to 200.0 if none of the
+ # interpreted language modules or rlm_cache are being used.
+ #
+-check process radiusd with pidfile /var/run/radiusd/radiusd.pid
+- start program = "/etc/init.d/radiusd start"
+- stop program = "/etc/init.d/radiusd stop"
++check process freeradius with pidfile /var/run/freeradius/freeradius.pid
++ start program = "/etc/init.d/freeradius start"
++ stop program = "/etc/init.d/freeradius stop"
+ if failed host 127.0.0.1 port 1812 type udp protocol radius secret testing123 then alert
+ if failed host 127.0.0.1 port 1813 type udp protocol radius secret testing123 then alert
+ if cpu > 95% for 2 cycles then alert
+--- a/raddb/sites-available/control-socket
++++ b/raddb/sites-available/control-socket
+@@ -72,12 +72,12 @@
+ #
+ # Name of user that is allowed to connect to the control socket.
+ #
+-# uid = radius
++# uid = freerad
+
+ #
+ # Name of group that is allowed to connect to the control socket.
+ #
+-# gid = radius
++# gid = freerad
+
+ #
+ # Access mode.
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -102,7 +102,6 @@
+ bool display_version = false;
+ int flag = 0;
+ int from_child[2] = {-1, -1};
+- char *p;
+ fr_state_t *state = NULL;
+
+ /*
+@@ -137,13 +136,7 @@
+ main_config.myip.af = AF_UNSPEC;
+ main_config.port = 0;
+ main_config.daemonize = true;
+-
+- p = strrchr(argv[0], FR_DIR_SEP);
+- if (!p) {
+- main_config.name = argv[0];
+- } else {
+- main_config.name = p + 1;
+- }
++ main_config.name = "radiusd";
+
+ /*
+ * Don't put output anywhere until we get told a little
+@@ -697,7 +690,7 @@
+ {
+ FILE *output = status?stderr:stdout;
+
+- fprintf(output, "Usage: %s [options]\n", main_config.name);
++ fprintf(output, "Usage: freeradius [options]\n");
+ fprintf(output, "Options:\n");
+ fprintf(output, " -C Check configuration and exit.\n");
+ fprintf(stderr, " -d Set configuration directory (defaults to " RADDBDIR ").\n");
+--- a/man/man8/radiusd.8
++++ b/man/man8/radiusd.8
+@@ -56,7 +56,7 @@
+ for an informative list of which modules are checked for correct
+ configuration, and which modules are skipped, and therefore not checked.
+ .IP "\-d \fIconfig directory\fP"
+-Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
++Defaults to \fI/etc/freeradius\fP. \fBRadiusd\fP looks here for its configuration
+ files such as the \fIdictionary\fP and the \fIusers\fP files.
+ .IP "\-D \fIdictionary directory\fP"
+ Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
+@@ -80,7 +80,7 @@
+ On SIGINT or SIGQUIT exit cleanly instead of immediately.
+ This is most useful for when running the server with "valgrind".
+ .IP "\-n \fIname\fP"
+-Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
++Read \fIfreeradius/name.conf\fP instead of \fIfreeradius/radiusd.conf\fP.
+ .IP "\-p \fIport\fP"
+ Defines which port is used for receiving authentication packets.
+ Accounting packets are received on "port + 1".
+@@ -147,14 +147,14 @@
+ SQL), then:
+ .PP
+ .in +0.3i
+-a) Edit raddb/modules/foo
++a) Edit freeradius/modules/foo
+ .br
+ This file contains the default configuration for the module. It
+ contains comments describing what can be configured, and what those
+ configuration entries mean.
+ .br
+ .br
+-b) Edit raddb/sites-available/default
++b) Edit freeradius/sites-available/default
+ .br
+ This file contains the default policy for the server. e.g. "enable
+ CHAP, MS-CHAP, and EAP authentication". Look in this file for all
+@@ -163,7 +163,7 @@
+ the module.
+ .br
+ .br
+-c) Edit raddb/sites-available/inner-tunnel
++c) Edit freeradius/sites-available/inner-tunnel
+ .br
+ This file contains the default policy for the "tunneled" portion of
+ certain EAP methods. Perform the same kind of edits as above, for the
diff --git a/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch b/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch
new file mode 100644
index 0000000..f983a9c
--- /dev/null
+++ b/debian/patches/debian-local/0010-version.c-disable-openssl-version-check.patch
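Review bot: In the src/main/radiusd.c part of this patch, `main_config.name = "radiusd";` is hard-coded with no comment, while the same patch sets `name = freeradius` in raddb/radiusd.conf.in and prints `Usage: freeradius [options]`. Diagnostics that still format `main_config.name` before the configuration is read will therefore report "radiusd", which is confusing when correlating startup errors or monit alerts for a service that is otherwise called freeradius everywhere. If the literal is deliberate (presumably so that the default configuration file stays radiusd.conf whatever argv[0] is), say so next to the assignment, e.g. `/* Debian: fixed name so the default config file is radiusd.conf; radiusd.conf then sets name = freeradius */`. The enclosing function starts and ends outside these hunks.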
@@ -0,0 +1,33 @@
+From 1b4e8e5751c417ba9d3788d264e76aba4f6baa12 Mon Sep 17 00:00:00 2001
+From: Sam Hartman
+Date: Thu, 23 Oct 2014 21:44:03 -0400
+Subject: version.c: disable openssl version check
+Forwarded: not-needed
+
+For Debian we don't want to require that the built OpenSSL be the same
+as the linked OpenSSL. Debian will be responsible for changing the
+soname if the ABI changes. The version check causes the freeradius
+packages to fail whenever a new OpenSSL is built.
+
+Patch-Category: debian-local
+---
+ src/main/version.c | 45 +++++++--------------------------------------
+ 1 file changed, 7 insertions(+), 38 deletions(-)
+
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -277,14 +277,6 @@
+
+ if (rad_check_lib_magic(RADIUSD_MAGIC_NUMBER) < 0) exit(EXIT_FAILURE);
+
+- /*
+- * Mismatch between build time OpenSSL and linked SSL, better to die
+- * here than segfault later.
+- */
+-#ifdef HAVE_OPENSSL_CRYPTO_H
+- if (ssl_check_consistency() < 0) exit(EXIT_FAILURE);
+-#endif
+-
+ if (flag && (flag != 0x03)) {
+ fprintf(stderr, "%s: The options -i and -p cannot be used individually.\n",
+ main_config.name);
diff --git a/debian/patches/dont-install-tests.diff b/debian/patches/dont-install-tests.diff
new file mode 100644
index 0000000..ff2cfab
--- /dev/null
+++ b/debian/patches/dont-install-tests.diff
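Review bot: The patch header does not match its body: the subject and diffstat name src/main/version.c (7 insertions, 38 deletions), but the only hunk removes eight lines from src/main/radiusd.c, so the header should be regenerated to describe what is actually applied. On the change itself, deleting the `ssl_check_consistency()` call removes the only startup signal visible here that the linked OpenSSL differs from the one built against; the soname argument in the description covers ABI breaks, but not an operator who needs to see the mismatch while diagnosing TLS failures. Consider keeping the call non-fatal rather than dropping it, e.g. `(void) ssl_check_consistency();` under the existing `#ifdef HAVE_OPENSSL_CRYPTO_H`, assuming the function logs the two versions itself, which is not visible in this hunk. The enclosing function continues outside the hunk.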
@@ -0,0 +1,24 @@
+Author: Michael Stapelberg
+Forwarded: https://github.com/FreeRADIUS/freeradius-server/commit/94c42123517c46474e45e545c264de6e5ce228c6
+Last-Update: 2016-10-08
+
+---
+
+Index: freeradius/src/tests/map/map_unit.mk
+===================================================================
+--- freeradius.orig/src/tests/map/map_unit.mk
++++ freeradius/src/tests/map/map_unit.mk
+@@ -3,3 +3,4 @@ SOURCES := map_unit.c ${top_srcdir}/src
+
+ TGT_PREREQS := libfreeradius-server.a libfreeradius-radius.a
+ TGT_LDLIBS := $(LIBS)
++TGT_INSTALLDIR :=
+Index: freeradius/src/main/radattr.mk
+===================================================================
+--- freeradius.orig/src/main/radattr.mk
++++ freeradius/src/main/radattr.mk
+@@ -8,3 +8,4 @@ TGT_PREREQS += libfreeradius-dhcp.a
+ endif
+
+ TGT_LDLIBS := $(LIBS)
++TGT_INSTALLDIR :=
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..816e30a
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,7 @@
+debian-local/0001-Rename-radius-to-freeradius.patch
+0002-gitignore.diff.patch
+0006-jradius.diff.patch
+0009-dhcp-sqlipool-Comment-out-mysql.patch
+debian-local/0010-version.c-disable-openssl-version-check.patch
+dont-install-tests.diff
+snakeoil-certs.diff
diff --git a/debian/patches/snakeoil-certs.diff b/debian/patches/snakeoil-certs.diff
new file mode 100644
index 0000000..483527b
--- /dev/null
+++ b/debian/patches/snakeoil-certs.diff
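Review bot: Both added `TGT_INSTALLDIR :=` lines in dont-install-tests.diff are bare, and the second one is in src/main/radattr.mk, which is not under src/tests, so the patch name undersells what stops being shipped. A one-line comment above each assignment would record the intent, e.g. `# Build only: an empty TGT_INSTALLDIR keeps this binary out of the installed package`. That reading of an empty value is inferred from the patch name and the Forwarded: upstream commit, not from anything visible in these .mk fragments, so confirm it against the build framework before relying on it to keep helper binaries off production hosts.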
@@ -0,0 +1,132 @@
+Description: Use snakeoil certificates.
+Author: Michael Stapelberg
+Last-Updated: 2016-09-16
+Forwarded: not-needed
+
+---
+
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -176,7 +176,7 @@
+ #
+ tls-config tls-common {
+ private_key_password = whatever
+- private_key_file = ${certdir}/server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -212,7 +212,7 @@
+ # give advice which will work everywhere. Instead,
+ # we give general guidelines.
+ #
+- certificate_file = ${certdir}/server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -225,7 +225,7 @@
+ # In that case, this CA file should contain
+ # *one* CA certificate.
+ #
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ #
+ # Directory where multiple CAs are stored. Both
+--- a/raddb/mods-available/inner-eap
++++ b/raddb/mods-available/inner-eap
+@@ -59,7 +59,7 @@
+ #
+ tls {
+ private_key_password = whatever
+- private_key_file = ${certdir}/inner-server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -71,11 +71,11 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/inner-server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # You may want different CAs for inner and outer
+ # certificates. If so, edit this file.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ cipher_list = "DEFAULT"
+
+--- a/raddb/sites-available/abfab-tls
++++ b/raddb/sites-available/abfab-tls
+@@ -14,9 +14,9 @@
+ private_key_password = whatever
+
+ # Moonshot tends to distribute certs separate from keys
+- private_key_file = ${certdir}/server.key
+- certificate_file = ${certdir}/server.pem
+- ca_file = ${cadir}/ca.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+ dh_file = ${certdir}/dh
+ fragment_size = 8192
+ ca_path = ${cadir}
+--- a/raddb/sites-available/tls
++++ b/raddb/sites-available/tls
+@@ -161,7 +161,7 @@
+ #
+ tls {
+ private_key_password = whatever
+- private_key_file = ${certdir}/server.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # Accept an expired Certificate Revocation List
+ #
+@@ -177,7 +177,7 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/server.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -194,7 +194,7 @@
+ # not use client certificates, and you do not want
+ # to permit EAP-TLS authentication, then delete
+ # this configuration item.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ # For DH cipher suites to work in OpenSSL < 1.1.0,
+ # you have to run OpenSSL to create the DH file
+@@ -551,7 +551,7 @@
+ # hostname = "example.com"
+
+ private_key_password = whatever
+- private_key_file = ${certdir}/client.pem
++ private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # If Private key & Certificate are located in
+ # the same file, then private_key_file &
+@@ -563,7 +563,7 @@
+ # only the server certificate, but ALSO all
+ # of the CA certificates used to sign the
+ # server certificate.
+- certificate_file = ${certdir}/client.pem
++ certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+ # Trusted Root CA list
+ #
+@@ -580,7 +580,7 @@
+ # not use client certificates, and you do not want
+ # to permit EAP-TLS authentication, then delete
+ # this configuration item.
+- ca_file = ${cadir}/ca.pem
++ ca_file = /etc/ssl/certs/ca-certificates.crt
+
+ #
+ # Before version 3.2.1, outbound RadSec connections
-- cgit v1.2.3
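Review bot: Every `ca_file = /etc/ssl/certs/ca-certificates.crt` line in snakeoil-certs.diff (mods-available/eap, inner-eap, sites-available/abfab-tls and both ca_file hunks in sites-available/tls) points certificate trust at the system-wide CA bundle, which contradicts the context comments kept right beside it ("this CA file should contain *one* CA certificate"; "you do not want to permit EAP-TLS authentication, then delete this configuration item"). With this default, a client certificate issued by any CA in that bundle would chain to a trusted root wherever EAP-TLS or RadSec client verification is enabled, unless further checks are configured elsewhere. The patch should at least carry a comment at each site, e.g. `# Debian default only: replace with the single CA that issues your client certificates before enabling EAP-TLS or RadSec`. The key material deserves the same treatment: `/etc/ssl/private/ssl-cert-snakeoil.key` is a self-signed placeholder that may be shared with other services on the host, and the hunk at `@@ -551,7` reuses it as the outbound client identity, so a note next to `private_key_file` should say it must be replaced for production and that the `freerad` user set in the rename patch needs read access to it.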