commit: ca263beccd204324898a868316cf905059a00511 Author: orbea <orbea <AT> riseup <DOT> net> AuthorDate: Fri May 6 21:44:11 2022 +0000 Commit: Quentin Retornaz <gentoo <AT> retornaz <DOT> com> CommitDate: Sat May 7 01:31:21 2022 +0000 URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=ca263bec
net-dialup/freeradius: Updated for version 3.0.25-r2 Signed-off-by: orbea <orbea <AT> riseup.net> Signed-off-by: Quentin Retornaz <gentoo <AT> retornaz.com> net-dialup/freeradius/Manifest | 1 + .../files/freeradius-3.0.25-libressl.patch | 148 ++++++++++++ net-dialup/freeradius/files/radius.conf-r6 | 22 ++ net-dialup/freeradius/files/radius.init-r4 | 31 +++ net-dialup/freeradius/freeradius-3.0.25-r2.ebuild | 268 +++++++++++++++++++++ net-dialup/freeradius/metadata.xml | 11 +- 6 files changed, 472 insertions(+), 9 deletions(-) diff --git a/net-dialup/freeradius/Manifest b/net-dialup/freeradius/Manifest index b0ca97f..849cc39 100644 --- a/net-dialup/freeradius/Manifest +++ b/net-dialup/freeradius/Manifest @@ -1 +1,2 @@ +DIST freeradius-3.0.25.tar.gz 5300245 BLAKE2B bf8908aa7bfabb9e15fa841457f176a4f2697bdec7994485516ef338908b46f2168260b7acf1a7120a687e543f0381bb787567bb4d564b9d14a3eb464a0e9ed6 SHA512 13382a53e6a1a4495c6f53e662ce21b80d73b6134a72f099f05495b64c56ae1a6c1cd1281311f1c3695d8532207fe5bd3d2026ed2c45f3cb5adb1011f1505ee7 DIST freeradius-server-3.0.20.tar.gz 5002727 BLAKE2B f481ad22105694a4af3f0f0c1b4f6e395e8da0fe65274e32ebeed07e3c9b1869029e6ffbc655cfa41d5de2a1dcba54acee33a7a10d28bfbfce791b7ccd0fc57a SHA512 513ed0a5d9e6b9a8d89a9b02c86ff528a9ff14d928f4c1040ca44702465abd711588fe6afa35554cb2c8e8bd7f19dd5be3dbc78445c62c7b00bf5cbc4c621312 diff --git a/net-dialup/freeradius/files/freeradius-3.0.25-libressl.patch b/net-dialup/freeradius/files/freeradius-3.0.25-libressl.patch new file mode 100644 index 0000000..8da9279 --- /dev/null +++ b/net-dialup/freeradius/files/freeradius-3.0.25-libressl.patch @@ -0,0 +1,148 @@ +From OpenBSD: + +https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/freeradius/patches/patch-src_main_cb_c +https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/freeradius/patches/patch-src_main_tls_c +https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/freeradius/patches/patch-src_modules_rlm_eap_types_rlm_eap_fast_rlm_eap_fast_c + +Index: src/main/cb.c +--- a/src/main/cb.c.orig ++++ b/src/main/cb.c +@@ -64,7 +64,7 @@ void cbtls_info(SSL const *s, int where, int ret) + /* + * After a ClientHello, list all the proposed ciphers from the client + */ +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + if (SSL_get_state(s) == TLS_ST_SR_CLNT_HELLO) { + int i; + int num_ciphers; +@@ -192,7 +192,7 @@ void cbtls_msg(int write_p, int msg_version, int conte + state->info.alert_level = 0x00; + state->info.alert_description = 0x00; + +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + } else if (content_type == SSL3_RT_INNER_CONTENT_TYPE && buf[0] == SSL3_RT_APPLICATION_DATA) { + /* let tls_ack_handler set application_data */ + state->info.content_type = SSL3_RT_HANDSHAKE; +Index: src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c +--- a/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c.orig ++++ b/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c +@@ -200,7 +200,7 @@ static void eap_fast_session_ticket(tls_session_t *tls + } + + // hostap:src/crypto/tls_openssl.c:tls_sess_sec_cb() +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + static int _session_secret(SSL *s, void *secret, int *secret_len, + UNUSED STACK_OF(SSL_CIPHER) *peer_ciphers, + UNUSED SSL_CIPHER **cipher, void *arg) +@@ -224,7 +224,7 @@ static int _session_secret(SSL *s, void *secret, int * + + RDEBUG("processing PAC-Opaque"); + +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + eap_fast_session_ticket(tls_session, s->s3->client_random, s->s3->server_random, secret, secret_len); + #else + uint8_t client_random[SSL3_RANDOM_SIZE]; +Index: src/main/tls.c +--- a/src/main/tls.c.orig ++++ b/src/main/tls.c +@@ -622,7 +622,7 @@ tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls + /* + * Swap empty store with the old one. + */ +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L + conf->old_x509_store = SSL_CTX_get_cert_store(conf->ctx); + /* Bump refcnt so the store is kept allocated till next store replacement */ + X509_STORE_up_ref(conf->old_x509_store); +@@ -1340,7 +1340,7 @@ void tls_session_information(tls_session_t *tls_sessio + if ((tls_session->info.version > tls_session->conf->max_version) && + (rad_debug_lvl > 0)) { + WARN("TLS 1.3 has been negotiated even though it was disabled. This is an OpenSSL Bug."); +- WARN("Please set: cipher_list = \"DEFAULT@SECLEVEL=1\" in the tls {...} section."); ++ WARN("Setting cipher_list in the tls {...} section might help."); + } + #endif + break; +@@ -1697,7 +1697,7 @@ static int load_dh_params(SSL_CTX *ctx, char *file) + * + * Change suggested by @t8m + */ +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + if (FIPS_mode() > 0) { + WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults."); + return 0; +@@ -1920,7 +1920,7 @@ done: + return 0; + } + +-#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + static SSL_SESSION *cbtls_get_session(SSL *ssl, unsigned char *data, int len, int *copy) + #else + static SSL_SESSION *cbtls_get_session(SSL *ssl, const unsigned char *data, int len, int *copy) +@@ -2304,7 +2304,7 @@ static int cbtls_cache_refresh(SSL *ssl, SSL_SESSION * + return 0; + } + +-#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + static SSL_SESSION *cbtls_cache_load(SSL *ssl, unsigned char *data, int len, int *copy) + #else + static SSL_SESSION *cbtls_cache_load(SSL *ssl, const unsigned char *data, int len, int *copy) +@@ -2840,7 +2840,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) + char cn_str[1024]; + char buf[64]; + X509 *client_cert; +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const STACK_OF(X509_EXTENSION) *ext_list; + #else + STACK_OF(X509_EXTENSION) *ext_list; +@@ -3058,7 +3058,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) + } + + if (lookup == 0) { +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L + ext_list = X509_get0_extensions(client_cert); + #else + X509_CINF *client_inf; +@@ -3111,7 +3111,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) + value[0] = '0'; + value[1] = 'x'; + const unsigned char *srcp; +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const ASN1_STRING *srcasn1p; + srcasn1p = X509_EXTENSION_get_data(ext); + srcp = ASN1_STRING_get0_data(srcasn1p); +@@ -3203,13 +3203,13 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) + */ + if (depth == 0) { + tls_session_t *ssn = SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_SSN); +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + STACK_OF(X509)* untrusted = NULL; + #endif + + rad_assert(ssn != NULL); + +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + /* + * See if there are any untrusted certificates. + * If so, complain about them. +@@ -4169,7 +4169,7 @@ post_ca: + * disable early data. + * + */ +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + SSL_CTX_set_max_early_data(ctx, 0); + #endif + diff --git a/net-dialup/freeradius/files/radius.conf-r6 b/net-dialup/freeradius/files/radius.conf-r6 new file mode 100644 index 0000000..50d2a1c --- /dev/null +++ b/net-dialup/freeradius/files/radius.conf-r6 @@ -0,0 +1,22 @@ +# Config file for /etc/init.d/radiusd + +# see man pages for radiusd run `radiusd -h` +# for valid cmdline options +#RADIUSD_OPTS="" + +# Change this value if you change it in /etc/raddb/radiusd.conf +pidfile=/run/radiusd/radiusd.pid + +# Change these values if you change them in /etc/raddb/radiusd.conf +RADIUSD_USER=radius +RADIUSD_GROUP=radius + +RADIUSD_LOGPATH=/var/log/radius + +# If you set up logging to syslog in /etc/raddb/radiusd.conf, you want +# to uncomment the following line. +#rc_use="logger" + +# If you use ldap, start the ldap server prior to FreeRADIUS to avoid +# startup crashes. +#rc_use="ldap" diff --git a/net-dialup/freeradius/files/radius.init-r4 b/net-dialup/freeradius/files/radius.init-r4 new file mode 100644 index 0000000..dee1842 --- /dev/null +++ b/net-dialup/freeradius/files/radius.init-r4 @@ -0,0 +1,31 @@ +#!/sbin/openrc-run +# Copyright 1999-2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +command=/usr/sbin/radiusd +command_args="${RADIUSD_OPTS}" +pidfile="${pidfile:-/run/radiusd/radiusd.pid}" +extra_started_commands="reload" + +depend() { + need localmount + use dns +} + +start_pre() { + if [ ! -f /etc/raddb/radiusd.conf ] ; then + eerror "No /etc/raddb/radiusd.conf file exists!" + return 1 + fi + + checkpath -m0750 -o "${RADIUSD_USER:-root}:${RADIUSD_GROUP:-root}" -d \ + $(dirname ${pidfile}) "${RADIUSD_LOGPATH:-/var/log/radius}" + checkpath -m0750 -o "${RADIUSD_USER:-root}:${RADIUSD_GROUP:-root}" -d \ + $(dirname ${pidfile}) /run/radiusd +} + +reload() { + ebegin "Reloading radiusd" + kill -HUP $(cat ${pidfile}) + eend $? +} diff --git a/net-dialup/freeradius/freeradius-3.0.25-r2.ebuild b/net-dialup/freeradius/freeradius-3.0.25-r2.ebuild new file mode 100644 index 0000000..8e473f0 --- /dev/null +++ b/net-dialup/freeradius/freeradius-3.0.25-r2.ebuild @@ -0,0 +1,268 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +PYTHON_COMPAT=( python3_{8..10} ) +inherit autotools pam python-single-r1 systemd + +MY_PV=$(ver_rs 1- "_") + +DESCRIPTION="Highly configurable free RADIUS server" +HOMEPAGE="https://freeradius.org/"; +SRC_URI="https://github.com/FreeRADIUS/freeradius-server/archive/release_${MY_PV}.tar.gz -> ${P}.tar.gz" +S="${WORKDIR}/freeradius-server-release_${MY_PV}" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="amd64 ~arm arm64 ~ppc ~ppc64 ~sparc x86" + +IUSE=" + debug firebird iodbc kerberos ldap memcached mysql mongodb odbc oracle pam + pcap postgres python readline redis rest samba sqlite ssl systemd +" + +RESTRICT="test firebird? ( bindist )" + +# NOTE: Temporary freeradius doesn't support linking with mariadb client +# libs also if code is compliant, will be available in the next release. +# (http://lists.freeradius.org/pipermail/freeradius-devel/2018-October/013228.html)a + +# TODO: rlm_mschap works with both samba library or without. I need to avoid +# linking of samba library if -samba is used. +RDEPEND="acct-group/radius + acct-user/radius + !net-dialup/cistronradius + dev-lang/perl:= + sys-libs/gdbm:= + sys-libs/talloc + virtual/libcrypt:= + firebird? ( dev-db/firebird ) + iodbc? ( dev-db/libiodbc ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap:= ) + memcached? ( dev-libs/libmemcached ) + mysql? ( dev-db/mysql-connector-c:= ) + mongodb? ( >=dev-libs/mongo-c-driver-1.13.0-r1 ) + odbc? ( dev-db/unixODBC ) + oracle? ( dev-db/oracle-instantclient[sdk] ) + pam? ( sys-libs/pam ) + pcap? ( net-libs/libpcap ) + postgres? ( dev-db/postgresql:= ) + python? ( ${PYTHON_DEPS} ) + readline? ( sys-libs/readline:0= ) + redis? ( dev-libs/hiredis:= ) + rest? ( dev-libs/json-c:= ) + samba? ( net-fs/samba ) + sqlite? ( dev-db/sqlite:3 ) + ssl? ( + dev-libs/openssl:0=[-bindist(-)] + ) + systemd? ( sys-apps/systemd )" +DEPEND="${RDEPEND}" + +REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" + +# 721040 +QA_SONAME="usr/lib.*/libfreeradius-.*.so" + +PATCHES=( + "${FILESDIR}"/${PN}-3.0.25-libressl.patch + "${FILESDIR}"/${PN}-3.0.20-systemd-service.patch +) + +pkg_setup() { + if use python ; then + python-single-r1_pkg_setup + export PYTHONBIN="${EPYTHON}" + fi +} + +src_prepare() { + # most of the configuration options do not appear as ./configure + # switches. Instead it identifies the directories that are available + # and run through them. These might check for the presence of + # various libraries, in which case they are not built. To avoid + # automagic dependencies, we just remove all the modules that we're + # not interested in using. + + eapply_user + default + + use ssl || { rm -r src/modules/rlm_eap/types/rlm_eap_{tls,ttls,peap} || die ; } + use ldap || { rm -r src/modules/rlm_ldap || die ; } + use kerberos || { rm -r src/modules/rlm_krb5 || die ; } + use memcached || { rm -r src/modules/rlm_cache/drivers/rlm_cache_memcached || die ; } + use pam || { rm -r src/modules/rlm_pam || die ; } + # Drop support of python2 + rm -r src/modules/rlm_python || die + use python || { rm -r src/modules/rlm_python3 || die ; } + use rest || { rm -r src/modules/rlm_rest || die ; } + use redis || { rm -r src/modules/rlm_redis{,who} || die ; } + # Do not install ruby rlm module, bug #483108 + rm -r src/modules/rlm_ruby || die + + # these are all things we don't have in portage/I don't want to deal + # with myself + rm -r src/modules/rlm_eap/types/rlm_eap_tnc || die # requires TNCS library + rm -r src/modules/rlm_eap/types/rlm_eap_ikev2 || die # requires libeap-ikev2 + rm -r src/modules/rlm_opendirectory || die # requires some membership.h + rm -r src/modules/rlm_sql/drivers/rlm_sql_{db2,freetds} || die + + # sql drivers that are not part of experimental are loaded from a + # file, so we have to remove them from the file itself when we + # remove them. + usesqldriver() { + local flag=$1 + local driver=rlm_sql_${2:-${flag}} + + if ! use ${flag}; then + rm -r src/modules/rlm_sql/drivers/${driver} || die + sed -i -e /${driver}/d src/modules/rlm_sql/stable || die + fi + } + + sed -i \ + -e 's:^#\tuser = :\tuser = :g' \ + -e 's:^#\tgroup = :\tgroup = :g' \ + -e 's:/var/run/radiusd:/run/radiusd:g' \ + -e '/^run_dir/s:${localstatedir}::g' \ + raddb/radiusd.conf.in || die + + # verbosity + # build shared libraries using jlibtool -shared + sed -i \ + -e '/$(LIBTOOL)/s|--quiet ||g' \ + -e 's:--mode=\(compile\|link\):& -shared:g' \ + Make.inc.in || die + + sed -i \ + -e 's|--silent ||g' \ + -e 's:--mode=\(compile\|link\):& -shared:g' \ + scripts/libtool.mk || die + + # crude measure to stop jlibtool from running ranlib and ar + sed -i \ + -e '/LIBRARIAN/s|".*"|"true"|g' \ + -e '/RANLIB/s|".*"|"true"|g' \ + scripts/jlibtool.c || die + + usesqldriver mysql + usesqldriver postgres postgresql + usesqldriver firebird + usesqldriver iodbc + usesqldriver odbc unixodbc + usesqldriver oracle + usesqldriver sqlite + usesqldriver mongodb mongo + + eautoreconf +} + +src_configure() { + # do not try to enable static with static-libs; upstream is a + # massacre of libtool best practices so you also have to make sure + # to --enable-shared explicitly. + local myeconfargs=( + --enable-shared + --disable-static + --disable-ltdl-install + --with-system-libtool + --with-system-libltdl + --with-ascend-binary + --with-udpfromto + --with-dhcp + --with-iodbc-include-dir=/usr/include/iodbc + --with-experimental-modules + --with-docdir=/usr/share/doc/${PF} + --with-logdir=/var/log/radius + $(use_enable debug developer) + $(use_with ldap edir) + $(use_with ssl openssl) + $(use_with systemd systemd) + ) + # fix bug #77613 + if has_version app-crypt/heimdal; then + myeconfargs+=( --enable-heimdal-krb5 ) + fi + + if use python ; then + myeconfargs+=( + --with-rlm-python3-bin=${EPYTHON} + --with-rlm-python3-config-bin=${EPYTHON}-config + ) + fi + + use readline || export ac_cv_lib_readline=no + use pcap || export ac_cv_lib_pcap_pcap_open_live=no + + econf "${myeconfargs[@]}" +} + +src_compile() { + # verbose, do not generate certificates + emake \ + Q='' ECHO=true \ + LOCAL_CERT_PRODUCTS='' +} + +src_install() { + dodir /etc + diropts -m0750 -o root -g radius + dodir /etc/raddb + diropts -m0750 -o radius -g radius + dodir /var/log/radius + keepdir /var/log/radius/radacct + diropts + + # verbose, do not install certificates + # Parallel install fails (#509498) + emake -j1 \ + Q='' ECHO=true \ + LOCAL_CERT_PRODUCTS='' \ + R="${D}" \ + install + + if use pam; then + pamd_mimic_system radiusd auth account password session + fi + + # fix #711756 + fowners -R radius:radius /etc/raddb + fowners -R radius:radius /var/log/radius + + dodoc CREDITS + + rm "${ED}/usr/sbin/rc.radiusd" || die + + newinitd "${FILESDIR}/radius.init-r4" radiusd + newconfd "${FILESDIR}/radius.conf-r6" radiusd + + if ! use systemd ; then + # If systemd builtin is not enabled we need use Type=Simple + # as systemd .service + sed -i -e 's:^Type=.*::g' \ + -e 's:^WatchdogSec=.*::g' -e 's:^NotifyAccess=all.*::g' \ + "${S}"/debian/freeradius.service + fi + systemd_dounit "${S}"/debian/freeradius.service + + find "${ED}" \( -name "*.a" -o -name "*.la" \) -delete || die +} + +pkg_config() { + if use ssl; then + cd "${ROOT}"/etc/raddb/certs || die + ./bootstrap || die "Error while running ./bootstrap script." + chown root:radius "${ROOT}"/etc/raddb/certs || die + chown root:radius "${ROOT}"/etc/raddb/certs/ca.pem || die + chown root:radius "${ROOT}"/etc/raddb/certs/server.{key,crt,pem} || die + fi +} + +pkg_preinst() { + if ! has_version ${CATEGORY}/${PN} && use ssl; then + elog "You have to run \`emerge --config =${CATEGORY}/${PF}\` to be able" + elog "to start the radiusd service." + fi +} diff --git a/net-dialup/freeradius/metadata.xml b/net-dialup/freeradius/metadata.xml index 6d8b1cc..2ae2372 100644 --- a/net-dialup/freeradius/metadata.xml +++ b/net-dialup/freeradius/metadata.xml @@ -1,14 +1,7 @@ <?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd";> +<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd";> <pkgmetadata> - <maintainer type="person"> - <email>gea...@gmail.com</email> - <name>Daniele Rondina</name> - </maintainer> - <maintainer type="project"> - <email>proxy-ma...@gentoo.org</email> - <name>Proxy Maintainers</name> - </maintainer> + <!-- maintainer-needed --> <use> <flag name="memcached"> Include <pkg>dev-libs/libmemcached</pkg> in caching drivers
