Accepting request 298796 from home:stroeder:branches:network

Update to 3.0.8, tested running on openSUSE Tumbleweed x86_64.

Please adjust things (e.g. longish changelog) as needed by you.

Thanks.

OBS-URL: https://build.opensuse.org/request/show/298796
OBS-URL: https://build.opensuse.org/package/show/network/freeradius-server?expand=0&rev=71

freeradius-server-2.1.1-logrotate_su.patch

@@ -1,50 +0,0 @@
-Index: freeradius-server-3.0.0/suse/radiusd-logrotate
-===================================================================
---- freeradius-server-3.0.0.orig/suse/radiusd-logrotate	2013-10-15 18:26:37.704603079 +0200
-+++ freeradius-server-3.0.0/suse/radiusd-logrotate	2013-10-15 18:27:37.232218844 +0200
-@@ -6,6 +6,7 @@
- # second technique, you will need another cron job that removes old
- # detail files.  You do not need to comment out the below for method #2.
- /var/log/radius/radacct/*/detail {
-+    su radiusd radiusd
-     compress
-     dateext
-     maxage 365
-@@ -16,6 +17,7 @@
- }
- 
- /var/log/radius/radius.log {
-+    su radiusd radiusd
-     compress
-     dateext
-     maxage 365
-@@ -25,11 +27,12 @@
-     missingok
-     create
-     postrotate
--	kill -HUP `cat /var/run/radiusd/radiusd.pid`
-+	kill -HUP `cat /var/run/radiusd/radiusd.pid` || :
-     endscript
- }
- 
- /var/log/radius/radwatch.log {
-+    su radiusd radiusd
-     compress
-     dateext
-     maxage 365
-@@ -41,6 +44,7 @@
- }
- 
- /var/log/radius/radwtmp {
-+    su radiusd radiusd
-     compress
-     dateext
-     maxage 365
-@@ -55,6 +59,7 @@
- }
- 
- /var/log/radius/sqllog.sql {
-+    su radiusd radiusd
-     compress
-     dateext
-     maxage 365

freeradius-server-2.1.6-rcradiusd.patch

@@ -1,13 +0,0 @@
-Index: suse/rcradiusd
-===================================================================
---- suse/rcradiusd.orig	2013-10-15 18:18:25.099506165 +0200
-+++ suse/rcradiusd	2013-10-15 18:19:02.741895731 +0200
-@@ -14,7 +14,7 @@
- # Provides:          radiusd
- # Required-Start:    $network $syslog $remotefs
- # Should-Start:      $time ypbind smtp
--# Required-Stop:     $syslog $remote_fs
-+# Required-Stop:     $network $syslog $remote_fs
- # Should-Stop:       ypbind smtp
- # Default-Start:     3 5
- # Default-Stop:      0 1 2 6

freeradius-server-3.0.6.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f9898b19564e7bf859396a9bdf492f72b918844b4916f1b46c56dfcd9e8dafcd
-size 2870327

freeradius-server-3.0.8.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b89721c609e5a106936112fe8122e470f02a5197bb614e202d2c386f4821d902
+size 2945423

freeradius-server-initscript-pidfile.patch

@@ -1,15 +0,0 @@
-Index: freeradius-server-2.1.8/suse/rcradiusd
-===================================================================
---- freeradius-server-2.1.8.orig/suse/rcradiusd	2010-05-03 15:37:35.000000000 +0200
-+++ freeradius-server-2.1.8/suse/rcradiusd	2010-05-03 15:38:08.000000000 +0200
-@@ -31,6 +31,10 @@ rc_reset
- case "$1" in
-     start)
- 	echo -n "Starting RADIUS daemon "
-+	# /var/run might be on tmpfs, create runtime directory if needed
-+	if [ ! -d /var/run/radiusd ]; then  
-+		install -d -m 0700 -g radiusd -o radiusd /var/run/radiusd
-+	fi
- 	startproc $RADIUSD_BIN >/dev/null
- 	rc_status -v	
- 	;;

freeradius-server-radius-reload-logrotate.patch

@@ -1,14 +0,0 @@
-Index: freeradius-server-2.1.12/suse/radiusd-logrotate
-===================================================================
---- freeradius-server-2.1.12.orig/suse/radiusd-logrotate	2011-09-30 16:12:07.000000000 +0200
-+++ freeradius-server-2.1.12/suse/radiusd-logrotate	2011-10-19 16:01:36.781656862 +0200
-@@ -47,6 +47,9 @@
-     size=+2048k
-     notifempty
-     missingok
-+    postrotate
-+            /etc/init.d/freeradius reload >/dev/null
-+    endscript
-     create
- }
- 

freeradius-server-radiusd-logrotate.patch

@@ -0,0 +1,45 @@
+--- freeradius-server-3.0.8.orig/suse/radiusd-logrotate	2015-04-22 19:21:34.000000000 +0200
++++ freeradius-server-3.0.8.suse/suse/radiusd-logrotate	2015-04-23 10:15:52.847179845 +0200
+@@ -16,13 +16,18 @@
+ #  The main server log
+ #
+ /var/log/radius/radius.log {
++	su radiusd radiusd
+ 	copytruncate
++	postrotate
++			kill -HUP `cat /run/radiusd/radiusd.pid` || :
++	endscript
+ }
+ 
+ #
+ #  Session monitoring utilities
+ #
+ /var/log/radius/checkrad.log /var/log/radius/radwatch.log {
++	su radiusd radiusd
+ 	nocreate
+ 	size=+1024k
+ }
+@@ -31,6 +36,7 @@
+ #  Session database modules
+ #
+ /var/log/radius/radutmp /var/log/radius/radwtmp {
++	su radiusd radiusd
+ 	nocreate
+ 	size=+2048k
+ }
+@@ -39,6 +45,7 @@
+ #  SQL log files
+ #
+ /var/log/radius/sqllog.sql {
++	su radiusd radiusd
+ 	nocreate
+ 	size=+2048k
+ }
+@@ -51,6 +58,7 @@
+ # second technique, you will need another cron job that removes old
+ # detail files.  You do not need to comment out the below for method #2.
+ /var/log/radius/radacct/*/detail {
++	su radiusd radiusd
+ 	nocreate
+ }
+ 

freeradius-server-rcradiusd.patch

@@ -0,0 +1,13 @@
+--- freeradius-server-3.0.8.orig/suse/rcradiusd	2015-04-22 19:21:34.000000000 +0200
++++ freeradius-server-3.0.8.suse/suse/rcradiusd	2015-04-23 10:02:01.393574445 +0200
+@@ -50,6 +50,10 @@
+     start)
+         configtest || { rc_failed 150; rc_exit; }
+         echo -n "Starting RADIUS daemon "
++        # /var/run might be on tmpfs, create runtime directory if needed
++        if [ ! -d /run/radiusd ]; then
++            install -d -m 0700 -g radiusd -o radiusd /run/radiusd
++        fi
+         startproc $exec >/dev/null
+         rc_status -v
+         ;;

freeradius-server-tmpfiles.patch

@@ -0,0 +1,6 @@
+--- freeradius-server-3.0.8.orig/suse/freeradius-server-tmpfiles.conf	2015-04-22 19:21:34.000000000 +0200
++++ freeradius-server-3.0.8.suse/suse/freeradius-server-tmpfiles.conf	2015-04-23 09:56:08.342988185 +0200
+@@ -1 +1,2 @@
+-D /var/run/radiusd 0710 radiusd radiusd -
++D /run/radiusd 0710 radiusd radiusd -
++

freeradius-server-var_run.patch

@@ -1,37 +0,0 @@
-Index: freeradius-server-3.0.3/suse/freeradius-server-tmpfiles.conf
-===================================================================
---- freeradius-server-3.0.3.orig/suse/freeradius-server-tmpfiles.conf	2014-05-12 21:22:09.000000000 +0200
-+++ freeradius-server-3.0.3/suse/freeradius-server-tmpfiles.conf	2014-06-17 15:14:40.946735087 +0200
-@@ -1 +1 @@
--D /var/run/radiusd 0710 radiusd radiusd -
-+D /run/radiusd 0710 radiusd radiusd -
-Index: freeradius-server-3.0.3/suse/radiusd-logrotate
-===================================================================
---- freeradius-server-3.0.3.orig/suse/radiusd-logrotate	2014-06-17 14:02:57.377277502 +0200
-+++ freeradius-server-3.0.3/suse/radiusd-logrotate	2014-06-17 15:13:43.402836043 +0200
-@@ -27,7 +27,7 @@
-     missingok
-     create
-     postrotate
--	kill -HUP `cat /var/run/radiusd/radiusd.pid` || :
-+	kill -HUP `cat /run/radiusd/radiusd.pid` || :
-     endscript
- }
- 
-Index: freeradius-server-3.0.3/suse/rcradiusd
-===================================================================
---- freeradius-server-3.0.3.orig/suse/rcradiusd	2014-06-17 14:02:57.365277322 +0200
-+++ freeradius-server-3.0.3/suse/rcradiusd	2014-06-17 15:14:16.394352021 +0200
-@@ -34,9 +34,9 @@ rc_reset
- case "$1" in
-     start)
- 	echo -n "Starting RADIUS daemon "
--	# /var/run might be on tmpfs, create runtime directory if needed
--	if [ ! -d /var/run/radiusd ]; then  
--		install -d -m 0700 -g radiusd -o radiusd /var/run/radiusd
-+	# /run might be on tmpfs, create runtime directory if needed
-+	if [ ! -d /run/radiusd ]; then
-+		install -d -m 0700 -g radiusd -o radiusd /run/radiusd
- 	fi
- 	startproc $RADIUSD_BIN >/dev/null
- 	rc_status -v	

freeradius-server.changes

@@ -1,3 +1,202 @@
+-------------------------------------------------------------------
+Wed Apr 22 20:31:44 UTC 2015 - michael@stroeder.com
+
+- update to 3.0.8
+- new set of consolidated patch files
+
+FreeRADIUS 3.0.8 Wed 22 Apr 2015 13:30:00 EDT urgency=medium
+	Feature improvements
+        * Allow syslog_severity to be set in rlm_linelog.
+	* Allow defaults to be set for bulk clients in LDAP and couchbase.
+	* Updates to dhcpclient.  Patches from Nicolas C.
+	* rlm_mschap now supports direct connections to winbind, which
+	  is faster than ntlm_auth.  See raddb/mods-available/mschap.
+	  Patch from Matthew Newton.
+	* Recommend /dev/urandom for TLS randomness, instead of
+	  ${certdir}/random
+	* Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
+	* Allow Expanded EAP types where vendor is 0 (IETF) and
+	  type is normal EAP type.  Supplicants sending Expanded
+	  EAP types like this are broken.
+	* Add support for server side sort controls when searching for
+	  user objects in rlm_ldap.
+
+	Bug fixes
+	* Don't complain about "authorize" in "server {}" blocks, but
+	  only if there's no "server" block.
+	* Fix cosmetic issue where debug from the first packet read by
+	  a detail reader thread would be emited during config parsing.
+	* Fix ASSERT on truncated detail packets.
+	* Don't use main server log functions from within panic_action,
+	  as in the case of syslog this would cause deadlocks if the
+	  fault was triggered from within a malloc.
+	* Fix issue in "switch" when "correct_escapes = false".
+	  Fixes #911.
+	* Fix sqlcounter configuration to use "%%b" instead of "%b",
+	  otherwise the new syntax validation will fail.
+	* Allow forward references in configuration items.  Modules
+	  aren't always loaded in a sane order.
+	* Fix more escaping issues.  Closes #912.
+	* Decode MAC addresses correctly for VMPS.
+	* Fix memory leak with TLS connections.
+	* Fix state machine threading issues for conflicting packets.
+	* Fix copy_request_to_tunnel issues for tagged attributes.
+	* Allow "ok" to over-ride "updated" inside of Auth-Type sections.
+	* Update state machine so that post-proxy is run though child
+	  threads for performance, instead of blocking the main thread.
+	* Allow "netmask" to work again in client definitions.
+	* Relax restrictions on SQL group queries.
+	* track outgoing proxy sockets and clean them up more aggressively.
+	* track proxy statistics, including CoA and Disconnect.
+	* If radmin has a connection failure when running a command,
+	  it re-connects and runs the command again.
+	* mark home servers "unknown" less aggressively.
+	* Fix potential SEGV in PostgreSQL driver on error.
+	* Fix issue where fields like nas_type would not be accessible via
+	  the %{client:} xlat, for dynamic clients.
+	* Set default busy_timeout (of 200ms) in the sqlite driver, so writes
+	  don't cause selects to fail in multithreaded mode. This is user
+	  configurable, and may be increased if required.
+	* Convert Password-With-Header attributes to binary (from hex or
+	  base64), in the authorize method of rlm_pap.
+	* Fix invalid assert in state.c, that could cause abort in
+	  post-auth.
+	* Fix double free when -m flag is used, and connection pools are
+	  referenced by multiple modules.
+	* RADIUS over TLS accounting uses the same port as authentication.
+	* Regularized return codes from radmin commands.
+	* Fix RHEL spec file so it works correctly for Centos7 which uses
+	  systemd, and didn't like the SystemV init script.
+	* radwho and radlast now have a -D option to load dictionaries
+	* DHCP packets are no longer checked for duplicates.
+	* Don't crash in sql module group comparisons in corner case.
+	* Calculate MPPE keys correctly when using TLS 1.2.
+	* Fix load-balance sections.  Closes #945
+	* TLS certificates are available again in the post-auth section.
+	  They are not available for session resumption.
+	* radclient encodes CHAP-Password properly when using -c.
+	  Closes #955.
+	* Fix issue in rlm_cache_memcached driver that caused variable
+	  length values to be truncated.
+	* Fix track functionality in detail reader, so it no longer
+	  fails with a "Failed marking detail request as done: Bad file
+	  descriptor" error.
+	* Actually add the peer identity (as User-Name) to the inner
+	  tunnel in EAP-PWD requests, so it's available for lookups.
+	* Fixes to PostfreSQL queries.  Patches from Santiago Gimeno.
+
+FreeRADIUS 3.0.7 Thu 19 Feb 2015 12:00:00 EDT urgency=medium
+	Feature improvements
+	* Allow coa home_servers to be derived from client
+	  sections if a coa_server section is provided.
+	* Automatically determine the correct port if no port is
+	  provided for a home server.
+	* Allow foreach to operate over lists.
+	* Add compile time features to ${feature.*} and versions
+	  of core libraries to ${version.*}.  Feature and version
+	  names match output of radiud -xv. %v is now deprecated.
+	* Add support for PATCH method in rlm_rest.
+	* Validate more module xlats on startup, and warn if an
+	  xlat expansion is found in a double quoted config item
+	  which will not be expanded.
+	* Add support for sub-second timeouts in rlm_rest.
+	* Add support for connection timeouts in rlm_rest.
+	* Add %{jsonquote:<str>} xlat to escape strings for insertion
+	  into json documents.
+	* Add %{ldapquote:<str>} xlat to escape strings for insertion
+	  into ldap DNs.
+	* Add %{explode:&ref <char>}, splits value of &ref on
+	  <char> and creates new &ref type attributes with the
+	  fragments.
+	* Allow rlm_ldap to use attribute references for base_dn and
+	  filter config items. The attribute references are not
+	  escaped, allowing DNs and filters to be created dynamically.
+	* Add %{nexttime:[<int>]h|d|w|y} to calculate the number of
+	  seconds before the next <int> hour(s), day(s), week(s),
+	  or year(s).
+	* Allow the left side of update sections to be xlat expansions.
+	  The result of the expansion is then used to reference the
+	  attribute to be modified.
+	* Added %{lpad:&Attribute-Name 7 x} and rpad.  These produce
+	  fixed-width output strings, with padding to the left (lpad)
+	  or the right (rpad).
+	* For some SQL drivers (MySQL, sqlite) distinguish between
+	  constraints violations (on insert), invalid queries, and
+	  server errors, and return noop, invalid, and error respectively.
+	* Call SHOW WARNINGS in the MySQL driver and write them to
+	  the request log, if libmysqlclient indicates warnings are
+	  available on the server.
+	* Forbid the creation of Vendor-Specific for non-standard
+	  VSAs.  Use Attr-26 = 0x... instead.
+	* Make dhcpclient work with raw sockets and various other
+	  improvements - Contributed by nchaigne
+	* Add support for SSHA2 - Contributed by PDD.
+	* Add perle dictionary - Contributed by Hachmer
+	* Modernise init scripts for RHEL, SUSE and Debian.
+	* radmin now tracks the return code of commands, and exits
+	  with status "1" if any command failed to execute.
+	* radmin now sends error messages from the server to
+	  stderr, instead of to stdout.
+	* radmin now looks for sockets matching it's UID and GID,
+	  rather than just always using the first one it finds.
+	* radmin can how delete clients which are tied to a listener.
+	* Moved RADIUS attribute definitions to src/include/rfc*.h
+	* Move to talloc pools for requests.  For in-memory tests
+	  (default config, 'users' file), performance increases by 30%.
+	* In rlm_ldap allow sasl_mech to be specified for admin and
+	  user binds. Only non-interactive mechs (like EXTERNAL)
+	  are currently supported.
+	* Remove support for ephemeral RSA keys.  They were "export only",
+	  and should not be used by anyone.
+	* Syntax errors in the "users" file now produce better
+	  error messages.
+
+	Bug fixes
+	* Fix issues parsing LDAP hostnames with non-standard ports.
+	* Fix issues with realms containing regular expressions.
+	* Allow unary negation before parantheses in rlm_expr.
+	* Fix infinite loop in kevent event loop code. Issue only
+	  presented on FreeBSD.
+	* Be more careful to define Auth-Types before loading modules.
+	* Link libfreeradius-radius against OpenSSL too, to avoid
+	  multi-version symbols in SSL libraries.
+	* When rlm_ldap rebinds a connection, it should use bind
+	  credentials from the module that created the connection
+	  pool, not credentials from the module referencing it.
+	* Empty server config pairs should be allowed in rlm_ldap
+	  instances that reference another module's connection pool.
+	* Mark rlm_always as huppable, so its rcode can be changed
+	  via radmin (allows policy toggles).
+	* Emit warnings when ignoring user configured pool values.
+	* Fix issue that would cause radclient to complain
+	  intermittently about differing numbers of filters and
+	  requests.
+	* Fix cosmetic issues in connection pool logging, that made
+	  it appear as if the same connection was being opened
+	  multiple times.
+	* Fix threadsafety issues in SQL drivers, where a static
+	  buffer was used to store error messages.
+	* Log RERROR, RWARN, RINFO to the global log if request
+	  logging is not enabled.
+	* Link to libldap instead of libldap_r. libldap_r
+	  is not supported for use by projects outside of OpenLDAP.
+	* Set connection timeout correctly in rlm_sql_mysql.
+	* Build with older versions of libcurl, and use CFLAGS from
+	  curl-config.
+	* Honour Packet-Src-Port and Packet-Src-IP-address in radclient.
+	* Initialise ldapai_info_version field, so libldap will report
+	  its vendor and version.
+	* Fix log rotation scripts by using the copyrotate option.
+	* Fix issue that caused opening control sockets to always
+	  fail on non-Linux systems, if a user or group was set.
+	* Save Session-State after proxying.
+	* Additional fixes for reading CoA/DM requests from detail
+	  files.
+	* Create dynamic clients if the dynamic clients virtual server
+	  returns ok *or* updated. Emit useful messages for other codes.
+	* Compile bare "authorize" statements, and issue errors saying
+	  using them isn't a good idea.
+
 -------------------------------------------------------------------
 Wed Jan 14 13:10:11 UTC 2015 - tchvatal@suse.com
 

freeradius-server.spec

@@ -20,7 +20,7 @@
 %define apxs2 apxs2-prefork
 %define apache2_sysconfdir %(%{_sbindir}/%{apxs2} -q SYSCONFDIR)
 Name:           freeradius-server
-Version:        3.0.6
+Version:        3.0.8
 Release:        0
 Summary:        Very Highly Configurable Radius Server
 License:        GPL-2.0 and LGPL-2.1
@@ -30,13 +30,9 @@ Source:         ftp://ftp.freeradius.org/pub/freeradius/%{name}-%{version}.tar.b
 Source99:       ftp://ftp.freeradius.org/pub/freeradius/%{name}-%{version}.tar.bz2.sig
 Source1:        radiusd.service
 Source2:        freeradius-tmpfiles.conf
-Patch2:         freeradius-server-2.1.6-rcradiusd.patch
-Patch7:         freeradius-server-fix-cert-bootstrap.patch
-Patch8:         freeradius-server-initscript-pidfile.patch
-Patch9:         freeradius-server-radius-reload-logrotate.patch
-# PATCH-FIX-SUSE use 'su' logrotate option (bnc#677335)
-Patch12:        freeradius-server-2.1.1-logrotate_su.patch
-Patch13:        freeradius-server-var_run.patch
+Patch1:         freeradius-server-tmpfiles.patch
+Patch2:         freeradius-server-radiusd-logrotate.patch
+Patch3:         freeradius-server-rcradiusd.patch
 BuildRequires:  apache2-devel
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  db-devel
@@ -189,12 +185,9 @@ This plugin provides the SQLite support for the FreeRADIUS server project.
 
 %prep
 %setup -q
-%patch2
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch12 -p1
-%patch13 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")"
@@ -415,6 +408,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/abfab-tls
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/abfab-tr-idp
 %attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/channel_bindings
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/challenge
 
 # sites-enabled
 # symlink: %{_sysconfdir}/raddb/sites-enabled/xxx -> ../sites-available/xxx
@@ -603,6 +597,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
 %{_libdir}/freeradius/rlm_sqlcounter.so
 %{_libdir}/freeradius/rlm_sqlippool.so
 %{_libdir}/freeradius/rlm_sql_null.so
+%{_libdir}/freeradius/rlm_test.so
 %{_libdir}/freeradius/rlm_unix.so
 %{_libdir}/freeradius/rlm_utf8.so
 %{_libdir}/freeradius/rlm_wimax.so