From patchwork Mon Aug 12 15:37:59 2024
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7978
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] freeradius: Update to version 3.2.5
Date: Mon, 12 Aug 2024 17:37:59 +0200
Message-ID: <20240812153808.3944396-5-adolf.belka@ipfire.org>
In-Reply-To: <20240812153808.3944396-1-adolf.belka@ipfire.org>
References: <20240812153808.3944396-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- Update from version 3.2.3 to 3.2.5
- Update of rootfile
- Various options removed from ./configure as they are all unrecognised and don't
  have any effect. Most of them look to have been related to freeradius-1.x
- There is no command that gets recognised for disabling or not using static libs
- Changelog
    3.2.5
        Feature Improvements
        * TOTP now supports TOTP-Time-Offset for tokens with times that are out of
          sync. See mods-available/totp.
        * radclient now supports forcing the Request Authenticator and ID for
          Access-Request packets.
        * Update dictionary.3gpp.
        * Update advice on shared secrets, including suggesting a secure method for
          generating useful secrets.
        Bug Fixes
        * Allow proxying by pool / home server name to work with auth+acct servers.
        * Fix OpenSSL API usage which sometimes caused crash in MS-CHAP. Previously
          it would either always crash immediately, or never crash.
        * Fix packet statistics. Stop double counting some packets, and track packet
          statistics even if a socket is closed.
        * Reverted patch in TTLS which broke compatibility with some systems.
        * Don't crash in debug mode when multiple intermediate certs are used.
          Patch from Alexander Chernikov.
    3.2.4
        Feature Improvements
        * Preliminary support for TEAP.
        * Update EAP module pre_proxy checks to make them less restrictive. This
          prevents the "middle box" effect from affecting future traffic.
        * Many fixes and updates for Docker images.
        * Add dpsk module. See mods-available/dpsk.
        * Print out what caused the TLS operations to be made, such as the EAP
          method name (peap, ttls, etc), or RADIUS/TLS listen / proxy socket.
        * Add auto_escape to sample SQL module config.
        * Add 'if not exists' to mysql create table queries. ref #5032 (#5137).
        * Update dictionary.aruba; add dictionary.tplink, dictionary.alphion.
        * Allow for 'encrypt=1' attributes to be longer than 128 characters.
        * Added "radsecret" program which generates strong secrets. See the top of
          the "clients.conf" file for more information.
        * radclient now prints packets as hex when using -xxx.
        * Added "-t timeout" to radsniff. It will stop processing packets after
          seconds.
        * Support "interface = ..." on OSX and other *BSD which have IP_BOUND_IF.
        * The detail module now has a "dates_as_integer" configuration item.
          See mods-available/detail for more information.
        * Add lookback/lookforward steps and more configuration to totp.
          See mods-available/totp.
        * Add "time_since" xlat to calculate elapsed time in seconds, milliseconds
          and microseconds.
        * Support "Post-Auth-Type Challenge" in the inner tunnel. Patch from
          Alexander Clouter. PR #5320.
        * Add "proxy_dedup_window". See radiusd.conf.
        * Document KRB5_CLIENT_KTNAME in the "env" section of radiusd.conf.
        * Add "dedup_key" for misbehaving supplicants. See mods-available/eap.
        Bug Fixes
        * Fix corner case with empty defaults in rlm_files. Fixes #5035.
        * When we have multiple attributes of the same name, always use the
          canonical attribute.
        * Make FreeRADIUS-Server-EMA* attributes work again for home server
          exponential moving average statistics.
        * Don't send the global server stats when asked for client stats.
          They use the same attributes, so the result is confusing.
        * Fix multiple typos in MongoDB query.conf (#5130).
        * Add define for illumos. Fixes #5135.
        * Add client configuration for TLS PSK.
        * Permit originate CoA after proxying to an internal virtual server.
        * Use virtual server "default" when passed "-i" and "-p" on the command
          line.
        * Fix locking issues with rlm_python3.
        * The detail file reader will catch bad times in the file, and will not
          update Acct-Delay-Time with extreme values.
        * Fix issue where Message-Authenticator was calculated incorrectly for
          CoA / Disconnect ACK and NAK packets.
        * Update Python thread and error handling. Fixes #5208.
        * Fix handling of Session-State when proxying. Fixes #5288.
        * Run relevant post-proxy Fail-* section on CoA / Disconnect timeout.
        * Add "limit" section to AWS health check configuration. Fixes 35300.
        * Use MAX in sqlite queries instead of GREATEST.
        * Fix typo in Mongo queries. Fixes #5301.
        * Fix occasional crash with bad home servers. Fixes #5308.
        * Minor bug fixes to the SQL freetds modules.
        * Fix blocking issue with RADIUS/TLS connection checks.
        * Fix run-time crash on configuration typos of %{substr ...} instead of
          %{substr:...}. Fixes #5321.
        * Fix crash with TLS Status-Server requests. Fixes #5326.

Signed-off-by: Adolf Belka
---
 config/rootfiles/packages/freeradius | 37 ++++++++++++++++++++++++++++
 lfs/freeradius                       | 17 +++----------
 2 files changed, 40 insertions(+), 14 deletions(-)

diff --git a/config/rootfiles/packages/freeradius b/config/rootfiles/packages/freeradius index 899bfa139..24e2edf22 100644 --- a/config/rootfiles/packages/freeradius +++ b/config/rootfiles/packages/freeradius @@ -9,6 +9,8 @@ etc/raddb #etc/raddb/certs/client.cnf #etc/raddb/certs/inner-server.cnf #etc/raddb/certs/passwords.mk +#etc/raddb/certs/realms +#etc/raddb/certs/realms/README.md #etc/raddb/certs/server.cnf #etc/raddb/certs/xpextensions #etc/raddb/clients.conf 
@@ -34,6 +36,7 @@ etc/raddb #etc/raddb/mods-available/dhcp_sql #etc/raddb/mods-available/dhcp_sqlippool #etc/raddb/mods-available/digest +#etc/raddb/mods-available/dpsk #etc/raddb/mods-available/dynamic_clients #etc/raddb/mods-available/eap #etc/raddb/mods-available/echo @@ -325,6 +328,7 @@ usr/bin/radclient usr/bin/radcrypt usr/bin/radeapclient usr/bin/radlast +usr/bin/radsecret usr/bin/radsniff usr/bin/radsqlrelay usr/bin/radtest @@ -453,6 +457,9 @@ usr/lib/freeradius/rlm_dhcp.so #usr/lib/freeradius/rlm_digest.a #usr/lib/freeradius/rlm_digest.la usr/lib/freeradius/rlm_digest.so +#usr/lib/freeradius/rlm_dpsk.a +#usr/lib/freeradius/rlm_dpsk.la +usr/lib/freeradius/rlm_dpsk.so #usr/lib/freeradius/rlm_dynamic_clients.a #usr/lib/freeradius/rlm_dynamic_clients.la usr/lib/freeradius/rlm_dynamic_clients.so @@ -480,6 +487,9 @@ usr/lib/freeradius/rlm_eap_pwd.so #usr/lib/freeradius/rlm_eap_sim.a #usr/lib/freeradius/rlm_eap_sim.la usr/lib/freeradius/rlm_eap_sim.so +#usr/lib/freeradius/rlm_eap_teap.a +#usr/lib/freeradius/rlm_eap_teap.la +usr/lib/freeradius/rlm_eap_teap.so #usr/lib/freeradius/rlm_eap_tls.a #usr/lib/freeradius/rlm_eap_tls.la usr/lib/freeradius/rlm_eap_tls.so 
@@ -614,10 +624,31 @@ usr/sbin/radmin #usr/share/doc/freeradius/antora/modules/ROOT/pages #usr/share/doc/freeradius/antora/modules/ROOT/pages/directories.adoc #usr/share/doc/freeradius/antora/modules/ROOT/pages/index.adoc +#usr/share/doc/freeradius/antora/modules/concepts +#usr/share/doc/freeradius/antora/modules/concepts/nav.adoc +#usr/share/doc/freeradius/antora/modules/concepts/pages +#usr/share/doc/freeradius/antora/modules/concepts/pages/aaa.adoc +#usr/share/doc/freeradius/antora/modules/concepts/pages/index.adoc +#usr/share/doc/freeradius/antora/modules/concepts/pages/modules +#usr/share/doc/freeradius/antora/modules/concepts/pages/modules/ldap +#usr/share/doc/freeradius/antora/modules/concepts/pages/modules/ldap/authentication.adoc +#usr/share/doc/freeradius/antora/modules/developers +#usr/share/doc/freeradius/antora/modules/developers/nav.adoc +#usr/share/doc/freeradius/antora/modules/developers/pages +#usr/share/doc/freeradius/antora/modules/developers/pages/bugs.adoc +#usr/share/doc/freeradius/antora/modules/developers/pages/coding-methods.adoc +#usr/share/doc/freeradius/antora/modules/developers/pages/contributing.adoc +#usr/share/doc/freeradius/antora/modules/developers/pages/coverage.adoc +#usr/share/doc/freeradius/antora/modules/developers/pages/index.adoc +#usr/share/doc/freeradius/antora/modules/developers/pages/profile.adoc +#usr/share/doc/freeradius/antora/modules/developers/pages/release-method.adoc #usr/share/doc/freeradius/antora/modules/howto #usr/share/doc/freeradius/antora/modules/howto/nav.adoc #usr/share/doc/freeradius/antora/modules/howto/pages #usr/share/doc/freeradius/antora/modules/howto/pages/index.adoc +#usr/share/doc/freeradius/antora/modules/howto/pages/monitoring +#usr/share/doc/freeradius/antora/modules/howto/pages/monitoring/index.adoc +#usr/share/doc/freeradius/antora/modules/howto/pages/monitoring/statistics.adoc #usr/share/doc/freeradius/antora/modules/howto/pages/protocols 
#usr/share/doc/freeradius/antora/modules/howto/pages/protocols/dhcp #usr/share/doc/freeradius/antora/modules/howto/pages/protocols/dhcp/enable.adoc @@ -638,6 +669,7 @@ usr/sbin/radmin #usr/share/doc/freeradius/antora/modules/howto/pages/protocols/proxy/radsec_client.adoc #usr/share/doc/freeradius/antora/modules/howto/pages/protocols/proxy/radsec_with_haproxy.adoc #usr/share/doc/freeradius/antora/modules/howto/pages/protocols/proxy/radsec_with_traefik.adoc +#usr/share/doc/freeradius/antora/modules/howto/pages/simultaneous_use.adoc #usr/share/doc/freeradius/antora/modules/installation #usr/share/doc/freeradius/antora/modules/installation/nav.adoc #usr/share/doc/freeradius/antora/modules/installation/pages @@ -873,6 +905,7 @@ usr/share/freeradius #usr/share/freeradius/dictionary.alcatel-lucent.aaa #usr/share/freeradius/dictionary.alcatel.esam #usr/share/freeradius/dictionary.alcatel.sr +#usr/share/freeradius/dictionary.alphion #usr/share/freeradius/dictionary.alteon #usr/share/freeradius/dictionary.altiga #usr/share/freeradius/dictionary.alvarion @@ -914,6 +947,7 @@ usr/share/freeradius #usr/share/freeradius/dictionary.cisco.vpn3000 #usr/share/freeradius/dictionary.cisco.vpn5000 #usr/share/freeradius/dictionary.citrix +#usr/share/freeradius/dictionary.ckey #usr/share/freeradius/dictionary.clavister #usr/share/freeradius/dictionary.cnergee #usr/share/freeradius/dictionary.colubris @@ -997,6 +1031,7 @@ usr/share/freeradius #usr/share/freeradius/dictionary.nortel #usr/share/freeradius/dictionary.ntua #usr/share/freeradius/dictionary.openser +#usr/share/freeradius/dictionary.openwifi #usr/share/freeradius/dictionary.packeteer #usr/share/freeradius/dictionary.paloalto #usr/share/freeradius/dictionary.patton 
@@ -1056,6 +1091,7 @@ usr/share/freeradius #usr/share/freeradius/dictionary.shiva #usr/share/freeradius/dictionary.siemens #usr/share/freeradius/dictionary.slipstream +#usr/share/freeradius/dictionary.smartsharesystems #usr/share/freeradius/dictionary.sofaware #usr/share/freeradius/dictionary.softbank #usr/share/freeradius/dictionary.sonicwall @@ -1069,6 +1105,7 @@ usr/share/freeradius #usr/share/freeradius/dictionary.telkom #usr/share/freeradius/dictionary.telrad #usr/share/freeradius/dictionary.terena +#usr/share/freeradius/dictionary.tplink #usr/share/freeradius/dictionary.trapeze #usr/share/freeradius/dictionary.travelping #usr/share/freeradius/dictionary.tripplite diff --git a/lfs/freeradius b/lfs/freeradius index df59bd63b..7136dc3e1 100644 --- a/lfs/freeradius +++ b/lfs/freeradius @@ -26,7 +26,7 @@ include Config SUMMARY = RADIUS Server -VER = 3.2.3 +VER = 3.2.5 THISAPP = freeradius-server-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = freeradius -PAK_VER = 20 +PAK_VER = 21 DEPS = libtalloc samba @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 525204331a5b123dac7457c6adb755cbe9794dbff4a536ea665fc7d1cac97553e392b7b598741c2a9dd00c81decd00608499d6f25208e389b9f213f54977de84 +$(DL_FILE)_BLAKE2 = 169dccd6f04b4503869912dec9423279cc18fc22fa3babf324747bdf0d80d3b4fa5460ac07f89f8d845bf664283a9772b483b8fcec990364fcaf71b673b6917c install : $(TARGET) 
@@ -89,19 +89,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --sysconfdir=/etc \ --libdir=/usr/lib/freeradius \ --localstatedir=/var \ - --with-system-libtool \ --with-threads \ - --with-thread-pool \ - --disable-ltdl-install \ --disable-openssl-version-check \ - --without-rlm_eap_ikev2 \ - --without-rlm_sql_iodbc \ - --without-rlm_sql_firebird \ - --without-rlm_sql_db2 \ - --without-rlm_sql_oracle \ - --without-rlm_sql_sqlite \ - --without-rlm_sql_mysql \ - --without-rlm_python \ LDFLAGS="$(LDFLAGS)" cd $(DIR_APP) && make $(MAKETUNING)
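Review bot: the `@@ -48,7 +48,7 @@` hunk in `lfs/freeradius` replaces `$(DL_FILE)_BLAKE2` together with the `VER = 3.2.5` bump, but the commit message does not say how the new checksum was obtained. Please add a line to the message stating that the 3.2.5 tarball was checked against the upstream release signature before the BLAKE2 was recorded; a hash taken from an unverified download only pins the file that happened to be fetched, it does not authenticate it.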
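Review bot: the `@@ -89,19 +89,8 @@` hunk keeps `--disable-openssl-version-check \` while dropping the surrounding unrecognised options, and the commit message explains the removals but not why this one stays. A flag that disables the OpenSSL version check deserves a one-line rationale in the LFS file or the commit message so the next reviewer does not have to rediscover it. Also, because `--without-rlm_sql_sqlite \`, `--without-rlm_sql_mysql \` and `--without-rlm_python \` are removed on the grounds that they have no effect, it would be worth saying in the message that the rootfile was regenerated from the new build and gained no rlm_sql_* or rlm_python objects; the rootfile hunks in this patch add only rlm_dpsk and rlm_eap_teap, which is consistent with that, but stating it makes the "no effect" claim checkable.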
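Review bot: the rootfile hunks at `@@ -453,6 +457,9 @@` and `@@ -480,6 +487,9 @@` package the new `usr/lib/freeradius/rlm_dpsk.so` and `usr/lib/freeradius/rlm_eap_teap.so` modules, and the changelog quoted in the commit message describes TEAP support as "preliminary". Consider noting in the commit message whether either module is referenced anywhere in the raddb configuration shipped by the package, so that users reading the update do not take a packaged module for a supported, production-ready EAP method.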