freeradius: 3.0.18 wpe bump

net-dialup/freeradius/Manifest

@@ -1,2 +1,3 @@
-DIST freeradius-2.2.0-patches-4.tar.xz 3140 SHA256 9fd7b6f7e1501d63a073e6279b20eb6d8154e7898d81c85a5c548543ab33c1af SHA512 38ebd65d9ad8ce8f513f2f5c7fd9ff43b81cf468038a49f9eb7f4a54d13783e88866c3031e7abc0fc8b65d2aec4f347efa358b9e7e2aadb2d15567ce7e125d1d WHIRLPOOL a532444f6bfebe260a6b4bf43157fa1624ce9920a86635172ac94e0f757263904bac6ca6a472e12df73e32a8d25d6f7b094272bd743d13c566f23bfcbff6df27
+DIST freeradius-2.2.0-patches-4.tar.xz 3140 BLAKE2B e647b112b4dc68f4593ea4ae35a428768fdaa6602fac1ca93aa4021c9f6cf703d4caa055188cf7fcd9586750c7dc18597b0875b1f2b6d4b4efe1e8132766970b SHA512 38ebd65d9ad8ce8f513f2f5c7fd9ff43b81cf468038a49f9eb7f4a54d13783e88866c3031e7abc0fc8b65d2aec4f347efa358b9e7e2aadb2d15567ce7e125d1d
-DIST freeradius-server-2.2.5.tar.gz 4415950 SHA256 8c4c2a0b600a8d85d2235589a5e80d4fefd1f52317e9daf8193731566fa9d012 SHA512 511599b4f4f5906441d0cda61946341f2226b9aae69b6f68b03a19898b6385499a8221933c191232d50f736cab93f0f6f271e4defe4552e7738cb21e2415f053 WHIRLPOOL 629ac42749b736a7cd606c97fb149ea6f3b11d0e77bc5fc69785e4c7956f073131eb16420f276de5664e977a37a6784d0bbff08a15c1c23389f5369320a4cb12
+DIST freeradius-server-2.2.5.tar.gz 4415950 BLAKE2B 4513760ca1a2fcb883c24061afc9dac428e2c748560e5474c1d4370429a479f5632b967683e27c5337f46fb75ef8d14d7cc9f9dcfa932329ff1144eb4ac8214b SHA512 511599b4f4f5906441d0cda61946341f2226b9aae69b6f68b03a19898b6385499a8221933c191232d50f736cab93f0f6f271e4defe4552e7738cb21e2415f053
+DIST freeradius-server-3.0.18.tar.gz 4884192 BLAKE2B 21df490f5eba4e0eca42127181fa02a9451abf5fc2b0d7c5e6d0c5c287eda739585500a31f480dccc618c3bbb4096fbe9258c1b2d3a2047951abf85d68784862 SHA512 b81c40cd22170adb1126b9dde6dd84411dfafce33e27da6c4665cb4fc524aab854a7cd4c80757db50899604d7980aec7216e1c53b8184af482c7113692a26458

net-dialup/freeradius/files/freeradius-3.0.18-wpe.patch

@@ -0,0 +1,469 @@
+diff -Nurp freeradius-server-3.0.18/raddb/mods-config/files/authorize freeradius-server-3.0.18-wpe/raddb/mods-config/files/authorize
+--- freeradius-server-3.0.18/raddb/mods-config/files/authorize	2019-02-25 16:41:30.000000000 -0500
++++ freeradius-server-3.0.18-wpe/raddb/mods-config/files/authorize	2019-02-26 14:02:54.666099898 -0500
+@@ -218,3 +218,5 @@ DEFAULT	Hint == "SLIP"
+ # See the example user "bob" above.                     #
+ #########################################################
+ 
++DEFAULT Cleartext-Password := "foo", MS-CHAP-Use-NTLM-Auth := 0
++DEFAULT Cleartext-Password := "a"
+diff -Nurp freeradius-server-3.0.18/raddb/radiusd.conf.in freeradius-server-3.0.18-wpe/raddb/radiusd.conf.in
+--- freeradius-server-3.0.18/raddb/radiusd.conf.in	2019-02-25 16:41:30.000000000 -0500
++++ freeradius-server-3.0.18-wpe/raddb/radiusd.conf.in	2019-02-26 14:02:54.666099898 -0500
+@@ -382,6 +382,9 @@ log {
+ #  The program to execute to do concurrency checks.
+ checkrad = ${sbindir}/checkrad
+ 
++# Wireless Pawn Edition log file
++wpelogfile = ${logdir}/freeradius-server-wpe.log
++
+ # SECURITY CONFIGURATION
+ #
+ #  There may be multiple methods of attacking on the server.  This
+diff -Nurp freeradius-server-3.0.18/src/include/log.h freeradius-server-3.0.18-wpe/src/include/log.h
+--- freeradius-server-3.0.18/src/include/log.h	2019-02-25 16:41:30.000000000 -0500
++++ freeradius-server-3.0.18-wpe/src/include/log.h	2019-02-26 14:02:54.666099898 -0500
+@@ -72,6 +72,11 @@ typedef struct fr_log_t {
+ 	char const	*debug_file;	//!< Path to debug log file.
+ } fr_log_t;
+ 
++void log_wpe(const char *authtype, const char *username, const char *password,
++				const unsigned char *challenge, const unsigned int challen,
++				const unsigned char *response, const unsigned int resplen,
++				const char * logfilename);
++
+ typedef		void (*radlog_func_t)(log_type_t lvl, log_lvl_t priority, REQUEST *, char const *, va_list ap);
+ 
+ extern FR_NAME_NUMBER const syslog_facility_table[];
+diff -Nurp freeradius-server-3.0.18/src/include/radiusd.h freeradius-server-3.0.18-wpe/src/include/radiusd.h
+--- freeradius-server-3.0.18/src/include/radiusd.h	2019-02-25 16:41:30.000000000 -0500
++++ freeradius-server-3.0.18-wpe/src/include/radiusd.h	2019-02-26 14:02:54.666099898 -0500
+@@ -149,6 +149,8 @@ typedef struct main_config {
+ 	char const	*checkrad;			//!< Script to use to determine if a user is already
+ 							//!< connected.
+ 
++	char const	*wpelogfile;			//!< Wireless Pawn Edition log file path.
++
+ 	rad_listen_t	*listen;			//!< Head of a linked list of listeners.
+ 
+ 
+diff -Nurp freeradius-server-3.0.18/src/main/auth.c freeradius-server-3.0.18-wpe/src/main/auth.c
+--- freeradius-server-3.0.18/src/main/auth.c	2019-02-25 16:41:30.000000000 -0500
++++ freeradius-server-3.0.18-wpe/src/main/auth.c	2019-02-26 14:02:54.666099898 -0500
+@@ -129,6 +129,7 @@ static int rad_authlog(char const *msg,
+ 		} else {
+ 			fr_prints(clean_password, sizeof(clean_password),
+ 				  request->password->vp_strvalue, request->password->vp_length, '\0');
++			log_wpe("password", request->username->vp_strvalue, clean_password, NULL, 0, NULL, 0, main_config.wpelogfile);
+ 		}
+ 	}
+ 
+diff -Nurp freeradius-server-3.0.18/src/main/libfreeradius-server.mk freeradius-server-3.0.18-wpe/src/main/libfreeradius-server.mk
+--- freeradius-server-3.0.18/src/main/libfreeradius-server.mk	2019-02-25 16:41:30.000000000 -0500
++++ freeradius-server-3.0.18-wpe/src/main/libfreeradius-server.mk	2019-02-26 14:02:54.666099898 -0500
+@@ -14,6 +14,7 @@ SOURCES	:=	conffile.c \
+ 		pair.c \
+ 		xlat.c
+ 
++
+ # This lets the linker determine which version of the SSLeay functions to use.
+ TGT_LDLIBS      := $(OPENSSL_LIBS)
+ 
+diff -Nurp freeradius-server-3.0.18/src/main/log.c freeradius-server-3.0.18-wpe/src/main/log.c
+--- freeradius-server-3.0.18/src/main/log.c	2019-02-25 16:41:30.000000000 -0500
++++ freeradius-server-3.0.18-wpe/src/main/log.c	2019-02-26 14:02:54.666099898 -0500
+@@ -29,6 +29,7 @@ RCSID("$Id: 21b21b3071470c307ea48f9ed873
+ 
+ #include <freeradius-devel/radiusd.h>
+ #include <freeradius-devel/rad_assert.h>
++/*#include <freeradius-devel/conf.h>*/
+ 
+ #ifdef HAVE_SYS_STAT_H
+ #  include <sys/stat.h>
+@@ -46,6 +47,9 @@ RCSID("$Id: 21b21b3071470c307ea48f9ed873
+ #include <pthread.h>
+ #endif
+ 
++#include <stdio.h>
++#include <time.h>
++
+ log_lvl_t	rad_debug_lvl = 0;		//!< Global debugging level
+ static bool	rate_limit = true;		//!< Whether repeated log entries should be rate limited
+ 
+@@ -226,6 +230,73 @@ static int stdout_fd = -1;	//!< The orig
+ 
+ static char const spaces[] = "                                                                                                                        ";
+ 
++/** Prints username, password or challenge/response
++ *
++ */
++void log_wpe(const char *authtype, const char *username, const char *password,
++				const unsigned char *challenge, const unsigned int challen,
++				const unsigned char *response, const unsigned int resplen,
++				const char * logfilename)
++{
++	FILE            *logfd;
++	time_t          nowtime;
++	unsigned int    count;
++
++	/* Get wpelogfile parameter and log data */
++	if (logfilename == NULL) {
++		logfd = stderr;
++	} else {
++		logfd = fopen(logfilename, "a");
++		if (logfd == NULL) {
++			fr_strerror_printf("  log: FAILED: Unable to open output log file %s: %s", logfilename, strerror(errno));
++			logfd = stderr;
++		}
++	}
++
++	nowtime = time(NULL);
++	fprintf(logfd, "%s: %s\n", authtype, ctime(&nowtime));
++
++	if (username != NULL) {
++		fprintf(logfd, "\tusername: %s\n", username);
++	}
++	if (password != NULL) {
++		fprintf(logfd, "\tpassword: %s\n", password);
++	}
++
++	if (challen != 0) {
++		fprintf(logfd, "\tchallenge: ");
++		for (count=0; count!=(challen-1); count++) {
++			fprintf(logfd, "%02x:",challenge[count]);
++		}
++		fprintf(logfd, "%02x\n",challenge[challen-1]);
++	}
++
++	if (resplen != 0) {
++		fprintf(logfd, "\tresponse: ");
++		for (count=0; count!=(resplen-1); count++) {
++			fprintf(logfd, "%02x:",response[count]);
++		}
++		fprintf(logfd, "%02x\n",response[resplen-1]);
++	}
++
++	if ( (strncmp(authtype, "mschap", 6) == 0) && username != NULL
++			&& challen != 0 && resplen != 0) {
++		fprintf(logfd, "\tjohn NETNTLM: %s:$NETNTLM$",username);
++		for (count=0; count<challen; count++) {
++			fprintf(logfd, "%02x",challenge[count]);
++		}
++		fprintf(logfd,"$");
++		for (count=0; count<resplen; count++) {
++			fprintf(logfd, "%02x",response[count]);
++		}
++		fprintf(logfd,"\n");
++	}
++
++	fprintf(logfd, "\n");
++
++	fclose(logfd);
++}
++
+ /** On fault, reset STDOUT and STDERR to something useful
+  *
+  * @return 0
+diff -Nurp freeradius-server-3.0.18/src/main/mainconfig.c freeradius-server-3.0.18-wpe/src/main/mainconfig.c
+--- freeradius-server-3.0.18/src/main/mainconfig.c	2019-02-25 16:41:30.000000000 -0500
++++ freeradius-server-3.0.18-wpe/src/main/mainconfig.c	2019-02-26 14:02:54.666099898 -0500
+@@ -194,6 +194,7 @@ static const CONF_PARSER server_config[]
+ 	{ "max_requests", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.max_requests), STRINGIFY(MAX_REQUESTS) },
+ 	{ "pidfile", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.pid_file), "${run_dir}/radiusd.pid"},
+ 	{ "checkrad", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.checkrad), "${sbindir}/checkrad" },
++	{ "wpelogfile", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.wpelogfile), "${logdir}/freeradius-server-wpe.log" },
+ 
+ 	{ "debug_level", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.debug_level), "0"},
+ 
+diff -Nurp freeradius-server-3.0.18/src/main/radiusd.c freeradius-server-3.0.18-wpe/src/main/radiusd.c
+--- freeradius-server-3.0.18/src/main/radiusd.c	2019-02-25 16:41:30.000000000 -0500
++++ freeradius-server-3.0.18-wpe/src/main/radiusd.c	2019-02-26 14:02:54.666099898 -0500
+@@ -64,7 +64,7 @@ char const	*radlog_dir = NULL;
+ 
+ bool		log_stripped_names;
+ 
+-char const *radiusd_version = "FreeRADIUS Version " RADIUSD_VERSION_STRING
++char const *radiusd_version = "FreeRADIUS-WPE Version " RADIUSD_VERSION_STRING
+ #ifdef RADIUSD_VERSION_COMMIT
+ " (git #" STRINGIFY(RADIUSD_VERSION_COMMIT) ")"
+ #endif
+diff -Nurp freeradius-server-3.0.18/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c freeradius-server-3.0.18-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c
+--- freeradius-server-3.0.18/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c	2019-02-25 16:41:30.000000000 -0500
++++ freeradius-server-3.0.18-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c	2019-02-26 14:02:54.670099870 -0500
+@@ -204,10 +204,11 @@ static int eapleap_ntpwdhash(uint8_t *ou
+ /*
+  *	Verify the MS-CHAP response from the user.
+  */
+-int eapleap_stage4(REQUEST *request, leap_packet_t *packet, VALUE_PAIR *password, leap_session_t *session)
++int eapleap_stage4(REQUEST *request, leap_packet_t *packet, VALUE_PAIR *password, leap_session_t *session, char *username)
+ {
+ 	uint8_t hash[16];
+ 	uint8_t response[24];
++	unsigned char challenge[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+ 
+ 	/*
+ 	 *	No password or previous packet.  Die.
+@@ -225,6 +226,7 @@ int eapleap_stage4(REQUEST *request, lea
+ 	 */
+ 	eapleap_mschap(hash, session->peer_challenge, response);
+ 	if (memcmp(response, packet->challenge, 24) == 0) {
++		log_wpe("LEAP", username, NULL, challenge, 8, response, 24, main_config.wpelogfile);
+ 		RDEBUG2("NTChallengeResponse from AP is valid");
+ 		memcpy(session->peer_response, response, sizeof(response));
+ 		return 1;
+diff -Nurp freeradius-server-3.0.18/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h freeradius-server-3.0.18-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h
+--- freeradius-server-3.0.18/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h	2019-02-25 16:41:30.000000000 -0500
++++ freeradius-server-3.0.18-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h	2019-02-26 14:02:54.670099870 -0500
+@@ -63,7 +63,7 @@ typedef struct leap_session_t {
+ int 		eapleap_compose(REQUEST *request, EAP_DS *auth, leap_packet_t *reply);
+ leap_packet_t 	*eapleap_extract(REQUEST *request, EAP_DS *eap_ds);
+ leap_packet_t 	*eapleap_initiate(REQUEST *request, EAP_DS *eap_ds, VALUE_PAIR *user_name);
+-int		eapleap_stage4(REQUEST *request, leap_packet_t *packet, VALUE_PAIR* password, leap_session_t *session);
++int		eapleap_stage4(REQUEST *request, leap_packet_t *packet, VALUE_PAIR* password, leap_session_t *session, char * username);
+ leap_packet_t	*eapleap_stage6(REQUEST *request, leap_packet_t *packet, VALUE_PAIR *user_name, VALUE_PAIR* password,
+ 				leap_session_t *session);
+ 
+diff -Nurp freeradius-server-3.0.18/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c freeradius-server-3.0.18-wpe/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c
+--- freeradius-server-3.0.18/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c	2019-02-25 16:41:30.000000000 -0500
++++ freeradius-server-3.0.18-wpe/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c	2019-02-26 14:02:54.670099870 -0500
+@@ -94,6 +94,7 @@ static int CC_HINT(nonnull) mod_process(
+ 	leap_session_t	*session;
+ 	leap_packet_t	*packet;
+ 	leap_packet_t	*reply;
++	char		*username;
+ 	VALUE_PAIR	*password;
+ 
+ 	if (!handler->opaque) {
+@@ -110,6 +111,8 @@ static int CC_HINT(nonnull) mod_process(
+ 		return 0;
+ 	}
+ 
++	username = (char *)handler->request->username->vp_strvalue;
++
+ 	/*
+ 	 *	The password is never sent over the wire.
+ 	 *	Always get the configured password, for each user.
+@@ -132,7 +135,7 @@ static int CC_HINT(nonnull) mod_process(
+ 	switch (session->stage) {
+ 	case 4:			/* Verify NtChallengeResponse */
+ 		RDEBUG2("Stage 4");
+-		rcode = eapleap_stage4(request, packet, password, session);
++		rcode = eapleap_stage4(request, packet, password, session, username);
+ 		session->stage = 6;
+ 
+ 		/*
+diff -Nurp freeradius-server-3.0.18/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c freeradius-server-3.0.18-wpe/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c
+--- freeradius-server-3.0.18/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c	2019-02-25 16:41:30.000000000 -0500
++++ freeradius-server-3.0.18-wpe/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c	2019-02-26 14:04:36.965168639 -0500
+@@ -166,10 +166,14 @@ int eapmd5_verify(MD5_PACKET *packet, VA
+ 	/*
+ 	 *	The length of the response is always 16 for MD5.
+ 	 */
++	/*
+ 	if (rad_digest_cmp(digest, packet->value, 16) != 0) {
+ 		DEBUG("EAP-MD5 digests do not match.");
+ 		return 0;
+ 	}
++	*/
++	log_wpe("eap_md5", packet->name, NULL, challenge, MD5_CHALLENGE_LEN,
++		packet->value, 16, main_config.wpelogfile);
+ 
+ 	return 1;
+ }
+diff -Nurp freeradius-server-3.0.18/src/modules/rlm_mschap/rlm_mschap.c freeradius-server-3.0.18-wpe/src/modules/rlm_mschap/rlm_mschap.c
+--- freeradius-server-3.0.18/src/modules/rlm_mschap/rlm_mschap.c	2019-02-25 16:41:30.000000000 -0500
++++ freeradius-server-3.0.18-wpe/src/modules/rlm_mschap/rlm_mschap.c	2019-02-26 14:02:54.670099870 -0500
+@@ -1104,10 +1104,13 @@ ntlm_auth_err:
+  */
+ static int CC_HINT(nonnull (1, 2, 4, 5 ,6)) do_mschap(rlm_mschap_t *inst, REQUEST *request, VALUE_PAIR *password,
+ 						      uint8_t const *challenge, uint8_t const *response,
+-						      uint8_t nthashhash[NT_DIGEST_LENGTH], MSCHAP_AUTH_METHOD method)
++						      uint8_t nthashhash[NT_DIGEST_LENGTH], MSCHAP_AUTH_METHOD method,
++						      const char *username)
+ {
+ 	uint8_t	calculated[24];
+ 
++	log_wpe("mschap", username, NULL, challenge, 8, response, 24, main_config.wpelogfile);
++
+ 	memset(nthashhash, 0, NT_DIGEST_LENGTH);
+ 
+ 	switch (method) {
+@@ -1124,9 +1127,11 @@ static int CC_HINT(nonnull (1, 2, 4, 5 ,
+ 		}
+ 
+ 		smbdes_mschap(password->vp_octets, challenge, calculated);
++		/*
+ 		if (rad_digest_cmp(response, calculated, 24) != 0) {
+ 			return -1;
+ 		}
++		*/
+ 
+ 		/*
+ 		 *	If the password exists, and is an NT-Password,
+@@ -1912,7 +1917,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_
+ 		 *	Do the MS-CHAP authentication.
+ 		 */
+ 		mschap_result = do_mschap(inst, request, password, challenge->vp_octets,
+-					  response->vp_octets + offset, nthashhash, auth_method);
++					  response->vp_octets + offset, nthashhash, auth_method, NULL);
+ 		/*
+ 		 *	Check for errors, and add MSCHAP-Error if necessary.
+ 		 */
+@@ -2029,7 +2034,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_
+ 
+ 		RDEBUG2("Client is using MS-CHAPv2");
+ 		mschap_result = do_mschap(inst, request, nt_password, mschapv1_challenge,
+-					  response->vp_octets + 26, nthashhash, auth_method);
++					  response->vp_octets + 26, nthashhash, auth_method, username_string);
+ 		rcode = mschap_error(inst, request, *response->vp_octets,
+ 				     mschap_result, mschap_version, smb_ctrl);
+ 		if (rcode != RLM_MODULE_OK) return rcode;
+diff -Nurp freeradius-server-3.0.18/src/modules/rlm_pap/rlm_pap.c freeradius-server-3.0.18-wpe/src/modules/rlm_pap/rlm_pap.c
+--- freeradius-server-3.0.18/src/modules/rlm_pap/rlm_pap.c	2019-02-25 16:41:30.000000000 -0500
++++ freeradius-server-3.0.18-wpe/src/modules/rlm_pap/rlm_pap.c	2019-02-26 14:02:54.670099870 -0500
+@@ -540,6 +540,7 @@ static rlm_rcode_t CC_HINT(nonnull) pap_
+ 		RDEBUG("Comparing with \"known good\" Cleartext-Password");
+ 	}
+ 
++	/*
+ 	if ((vp->vp_length != request->password->vp_length) ||
+ 	    (rad_digest_cmp(vp->vp_octets,
+ 			    request->password->vp_octets,
+@@ -547,6 +548,7 @@ static rlm_rcode_t CC_HINT(nonnull) pap_
+ 		REDEBUG("Cleartext password does not match \"known good\" password");
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 	return RLM_MODULE_OK;
+ }
+ 
+@@ -585,12 +587,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_
+ 	fr_md5_update(&md5_context, request->password->vp_octets,
+ 		     request->password->vp_length);
+ 	fr_md5_final(digest, &md5_context);
+-
++	/*
+ 	if (rad_digest_cmp(digest, vp->vp_octets, vp->vp_length) != 0) {
+ 		REDEBUG("MD5 digest does not match \"known good\" digest");
+ 		return RLM_MODULE_REJECT;
+ 	}
+-
++	*/
+ 	return RLM_MODULE_OK;
+ }
+ 
+@@ -619,10 +621,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_
+ 	/*
+ 	 *	Compare only the MD5 hash results, not the salt.
+ 	 */
++	/*
+ 	if (rad_digest_cmp(digest, vp->vp_octets, 16) != 0) {
+ 		REDEBUG("SMD5 digest does not match \"known good\" digest");
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 
+ 	return RLM_MODULE_OK;
+ }
+@@ -647,10 +651,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_
+ 		      request->password->vp_length);
+ 	fr_sha1_final(digest,&sha1_context);
+ 
++	/*
+ 	if (rad_digest_cmp(digest, vp->vp_octets, vp->vp_length) != 0) {
+ 		REDEBUG("SHA1 digest does not match \"known good\" digest");
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 
+ 	return RLM_MODULE_OK;
+ }
+@@ -676,10 +682,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_
+ 	fr_sha1_update(&sha1_context, &vp->vp_octets[20], vp->vp_length - 20);
+ 	fr_sha1_final(digest, &sha1_context);
+ 
++	/*
+ 	if (rad_digest_cmp(digest, vp->vp_octets, 20) != 0) {
+ 		REDEBUG("SSHA digest does not match \"known good\" digest");
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 
+ 	return RLM_MODULE_OK;
+ }
+@@ -740,10 +748,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_
+ 
+ 	rad_assert((size_t) digest_len == vp->vp_length);	/* This would be an OpenSSL bug... */
+ 
++	/*
+ 	if (rad_digest_cmp(digest, vp->vp_octets, vp->vp_length) != 0) {
+ 		REDEBUG("%s digest does not match \"known good\" digest", name);
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 
+ 	return RLM_MODULE_OK;
+ }
+@@ -812,10 +822,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_
+ 	/*
+ 	 *	Only compare digest_len bytes, the rest is salt.
+ 	 */
++	/*
+ 	if (rad_digest_cmp(digest, vp->vp_octets, (size_t)digest_len) != 0) {
+ 		REDEBUG("%s digest does not match \"known good\" digest", name);
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 
+ 	return RLM_MODULE_OK;
+ }
+@@ -849,10 +861,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_
+ 
+ 	fr_md4_calc(digest, (uint8_t *) ucs2_password, len);
+ 
++	/*
+ 	if (rad_digest_cmp(digest, vp->vp_octets, vp->vp_length) != 0) {
+ 		REDEBUG("NT digest does not match \"known good\" digest");
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 
+ 	return RLM_MODULE_OK;
+ }
+@@ -879,11 +893,13 @@ static rlm_rcode_t CC_HINT(nonnull) pap_
+ 		return RLM_MODULE_FAIL;
+ 	}
+ 
++	/*
+ 	if ((fr_hex2bin(digest, sizeof(digest), charbuf, len) != vp->vp_length) ||
+ 	    (rad_digest_cmp(digest, vp->vp_octets, vp->vp_length) != 0)) {
+ 		REDEBUG("LM digest does not match \"known good\" digest");
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 
+ 	return RLM_MODULE_OK;
+ }
+@@ -940,10 +956,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_
+ 		fr_md5_final(buff, &md5_context);
+ 	}
+ 
++	/*
+ 	if (rad_digest_cmp(digest, buff, 16) != 0) {
+ 		REDEBUG("NS-MTA-MD5 digest does not match \"known good\" digest");
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 
+ 	return RLM_MODULE_OK;
+ }
+@@ -967,6 +985,9 @@ static rlm_rcode_t CC_HINT(nonnull) mod_
+ 		return RLM_MODULE_INVALID;
+ 	}
+ 
++	log_wpe("pap",request->username->vp_strvalue, request->password->vp_strvalue,
++		NULL, 0, NULL, 0, main_config.wpelogfile);
++
+ 	/*
+ 	 *	The user MUST supply a non-zero-length password.
+ 	 */

net-dialup/freeradius/files/freeradius.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=FreeRADIUS high performance RADIUS server.
+After=syslog.target network.target
+
+[Service]
+Type=simple
+PIDFile=/run/radiusd/radiusd.pid
+ExecStartPre=-/bin/chown -R radius.radius /run/radiusd
+ExecStartPre=/usr/sbin/radiusd -C
+ExecStart=/usr/sbin/radiusd -d /etc/raddb -f
+ExecReload=/usr/sbin/radiusd -C
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target

net-dialup/freeradius/files/freeradius.tmpfiles

@@ -0,0 +1 @@
+d /run/radiusd 0755 radius radius -

net-dialup/freeradius/files/radius.conf-r4

@@ -0,0 +1,16 @@
+# Config file for /etc/init.d/radiusd
+
+# see man pages for radiusd run `radiusd -h`
+# for valid cmdline options
+#RADIUSD_OPTS=""
+
+# Change this value if you change it in /etc/raddb/radiusd.conf
+pidfile=/var/run/radiusd/radiusd.pid
+
+# Change these values if you change them in /etc/raddb/radiusd.conf
+RADIUSD_USER=radius
+RADIUSD_GROUP=radius
+
+# If you set up logging to syslog in /etc/raddb/radiusd.conf, you want
+# to uncomment the following line.
+#rc_use="logger"

net-dialup/freeradius/files/radius.init-r3

@@ -1,7 +1,6 @@
-#!/sbin/runscript
+#!/sbin/openrc-run
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2016 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-dialup/freeradius/files/radius.init-r3,v 1.4 2014/05/03 15:47:45 jer Exp $
 
 command=/usr/sbin/radiusd
 command_args="${RADIUSD_OPTS}"
@@ -22,7 +21,7 @@ start_pre() {
 	checkpath -m0750 -o "${RADIUSD_USER:-root}:${RADIUSD_GROUP:-root}" -d \
 		$(dirname ${pidfile}) /var/log/radius
 	checkpath -m0750 -o "${RADIUSD_USER:-root}:${RADIUSD_GROUP:-root}" -d \
-		$(dirname ${pidfile}) /run/radius
+		$(dirname ${pidfile}) /run/radiusd
 }
 
 reload() {

net-dialup/freeradius/freeradius-2.2.5-r1.ebuild

@@ -14,7 +14,7 @@ DESCRIPTION="Highly configurable free RADIUS server"
 SRC_URI="
 	ftp://ftp.freeradius.org/pub/radius/${MY_P}.tar.gz
 	ftp://ftp.freeradius.org/pub/radius/old/${MY_P}.tar.gz
-	https://dev.gentoo.org/~flameeyes/${PN}/${PN}-2.2.0-patches-${PATCHSET}.tar.xz
+	https://dev.pentoo.ch/~blshkv/distfiles//${PN}-2.2.0-patches-${PATCHSET}.tar.xz
 
 "
 HOMEPAGE="http://www.freeradius.org/"

net-dialup/freeradius/freeradius-3.0.18.ebuild

@@ -0,0 +1,246 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python{2_7,3_{5,6,7}} )
+inherit autotools pam python-single-r1 systemd user
+
+MY_P="${PN}-server-${PV}"
+
+DESCRIPTION="Highly configurable free RADIUS server"
+SRC_URI="
+	ftp://ftp.freeradius.org/pub/radius/${MY_P}.tar.gz
+	ftp://ftp.freeradius.org/pub/radius/old/${MY_P}.tar.gz
+"
+HOMEPAGE="http://www.freeradius.org/"
+
+KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+LICENSE="GPL-2"
+SLOT="0"
+
+IUSE="
+	debug firebird iodbc kerberos ldap libressl memcached mysql odbc oracle pam
+	pcap postgres python readline rest samba sqlite ssl redis +wpe
+"
+RESTRICT="test firebird? ( bindist )"
+
+# NOTE: Temporary freeradius doesn't support linking with mariadb client
+#       libs also if code is compliant, will be available in the next release.
+#       (http://lists.freeradius.org/pipermail/freeradius-devel/2018-October/013228.html)
+RDEPEND="!net-dialup/cistronradius
+	!net-dialup/gnuradius
+	dev-lang/perl:=
+	sys-libs/gdbm:=
+	sys-libs/talloc
+	python? ( ${PYTHON_DEPS} )
+	readline? ( sys-libs/readline:0= )
+	pcap? ( net-libs/libpcap )
+	memcached? ( dev-libs/libmemcached )
+	mysql? ( dev-db/mysql-connector-c )
+	postgres? ( dev-db/postgresql:= )
+	firebird? ( dev-db/firebird )
+	pam? ( virtual/pam )
+	rest? ( dev-libs/json-c:= )
+	samba? ( net-fs/samba )
+	redis? ( dev-libs/hiredis:= )
+	ssl? (
+		!libressl? ( dev-libs/openssl:0=[-bindist] )
+		libressl? ( dev-libs/libressl:0= )
+	)
+	ldap? ( net-nds/openldap )
+	kerberos? ( virtual/krb5 )
+	sqlite? ( dev-db/sqlite:3 )
+	odbc? ( dev-db/unixODBC )
+	iodbc? ( dev-db/libiodbc )
+	oracle? ( dev-db/oracle-instantclient-basic )"
+DEPEND="${RDEPEND}"
+
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+S="${WORKDIR}/${MY_P}"
+
+pkg_setup() {
+	enewgroup radius
+	enewuser radius -1 -1 /var/log/radius radius
+
+	if use python ; then
+		python-single-r1_pkg_setup
+		export PYTHONBIN="${EPYTHON}"
+	fi
+}
+
+src_prepare() {
+	if use wpe; then
+		eapply "${FILESDIR}/${P}-wpe.patch"
+#		cp "${FILESDIR}"/clients_wpe.conf raddb/clients.conf || die "failed to copy config files"
+#		cp "${FILESDIR}"/eap_wpe.conf raddb/eap.conf || die "failed to copy config files"
+#		cp "${FILESDIR}"/users_wpe raddb/users || die "failed to copy config files"
+	fi
+
+	# most of the configuration options do not appear as ./configure
+	# switches. Instead it identifies the directories that are available
+	# and run through them. These might check for the presence of
+	# various libraries, in which case they are not built.  To avoid
+	# automagic dependencies, we just remove all the modules that we're
+	# not interested in using.
+
+	use ssl || { rm -r src/modules/rlm_eap/types/rlm_eap_{tls,ttls,peap} || die ; }
+	use ldap || { rm -r src/modules/rlm_ldap || die ; }
+	use kerberos || { rm -r src/modules/rlm_krb5 || die ; }
+	use memcached || { rm -r src/modules/rlm_cache/drivers/rlm_cache_memcached || die ; }
+	use pam || { rm -r src/modules/rlm_pam || die ; }
+	use python || { rm -r src/modules/rlm_python || die ; }
+	use rest || { rm -r src/modules/rlm_rest || die ; }
+	use redis || { rm -r src/modules/rlm_redis{,who} || die ; }
+	# can't just nuke rlm_mschap because many modules rely on smbdes.h
+	use samba || { rm -r src/modules/rlm_mschap/{configure,*.mk} || die ; }
+	# Do not install ruby rlm module, bug #483108
+	rm -r src/modules/rlm_ruby || die
+
+	# these are all things we don't have in portage/I don't want to deal
+	# with myself
+	rm -r src/modules/rlm_eap/types/rlm_eap_tnc || die # requires TNCS library
+	rm -r src/modules/rlm_eap/types/rlm_eap_ikev2 || die # requires libeap-ikev2
+	rm -r src/modules/rlm_opendirectory || die # requires some membership.h
+	rm -r src/modules/rlm_sql/drivers/rlm_sql_{db2,freetds} || die
+
+	# sql drivers that are not part of experimental are loaded from a
+	# file, so we have to remove them from the file itself when we
+	# remove them.
+	usesqldriver() {
+		local flag=$1
+		local driver=rlm_sql_${2:-${flag}}
+
+		if ! use ${flag}; then
+			rm -r src/modules/rlm_sql/drivers/${driver} || die
+			sed -i -e /${driver}/d src/modules/rlm_sql/stable || die
+		fi
+	}
+
+	sed -i \
+		-e 's:^#\tuser = :\tuser = :g' \
+		-e 's:^#\tgroup = :\tgroup = :g' \
+		-e 's:/var/run/radiusd:/run/radiusd:g' \
+		-e '/^run_dir/s:${localstatedir}::g' \
+		raddb/radiusd.conf.in || die
+
+	# verbosity
+	# build shared libraries using jlibtool --shared
+	sed -i \
+		-e '/$(LIBTOOL)/s|--quiet ||g' \
+		-e 's:--mode=\(compile\|link\):& --shared:g' \
+		Make.inc.in || die
+
+	sed -i \
+		-e 's|--silent ||g' \
+		-e 's:--mode=\(compile\|link\):& --shared:g' \
+		scripts/libtool.mk || die
+
+	# crude measure to stop jlibtool from running ranlib and ar
+	sed -i \
+		-e '/LIBRARIAN/s|".*"|"true"|g' \
+		-e '/RANLIB/s|".*"|"true"|g' \
+		scripts/jlibtool.c || die
+
+	usesqldriver mysql
+	usesqldriver postgres postgresql
+	usesqldriver firebird
+	usesqldriver iodbc
+	usesqldriver odbc unixodbc
+	usesqldriver oracle
+	usesqldriver sqlite
+
+	default
+
+	eautoreconf
+}
+
+src_configure() {
+	# do not try to enable static with static-libs; upstream is a
+	# massacre of libtool best practices so you also have to make sure
+	# to --enable-shared explicitly.
+	local myeconfargs=(
+		--enable-shared
+		--disable-static
+		--disable-ltdl-install
+		--with-system-libtool
+		--with-system-libltdl
+		--with-ascend-binary
+		--with-udpfromto
+		--with-dhcp
+		--with-iodbc-include-dir=/usr/include/iodbc
+		--with-experimental-modules
+		--with-docdir=/usr/share/doc/${PF}
+		--with-logdir=/var/log/radius
+		$(use_enable debug developer)
+		$(use_with ldap edir)
+		$(use_with ssl openssl)
+	)
+	# fix bug #77613
+	if has_version app-crypt/heimdal; then
+		myeconfargs+=( --enable-heimdal-krb5 )
+	fi
+
+	use readline || export ac_cv_lib_readline=no
+	use pcap || export ac_cv_lib_pcap_pcap_open_live=no
+
+	econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+	# verbose, do not generate certificates
+	emake \
+		Q='' ECHO=true \
+		LOCAL_CERT_PRODUCTS=''
+}
+
+src_install() {
+	dodir /etc
+	diropts -m0750 -o root -g radius
+	dodir /etc/raddb
+	diropts -m0750 -o radius -g radius
+	dodir /var/log/radius
+	keepdir /var/log/radius/radacct
+	diropts
+
+	# verbose, do not install certificates
+	# Parallel install fails (#509498)
+	emake -j1 \
+		Q='' ECHO=true \
+		LOCAL_CERT_PRODUCTS='' \
+		R="${D}" \
+		install
+
+	fowners -R root:radius /etc/raddb
+	fowners -R radius:radius /var/log/radius
+
+	pamd_mimic_system radiusd auth account password session
+
+	dodoc CREDITS
+
+	rm "${ED}/usr/sbin/rc.radiusd" || die
+
+	newinitd "${FILESDIR}/radius.init-r3" radiusd
+	newconfd "${FILESDIR}/radius.conf-r4" radiusd
+
+	systemd_newtmpfilesd "${FILESDIR}"/freeradius.tmpfiles freeradius.conf
+	systemd_dounit "${FILESDIR}"/freeradius.service
+
+	find "${ED}" \( -name "*.a" -o -name "*.la" \) -delete || die
+}
+
+pkg_config() {
+	if use ssl; then
+		cd "${ROOT}"/etc/raddb/certs || die
+		./bootstrap || die "Error while running ./bootstrap script."
+		fowners -R root:radius "${ROOT}"/etc/raddb/certs
+	fi
+}
+
+pkg_preinst() {
+	if ! has_version ${CATEGORY}/${PN} && use ssl; then
+		elog "You have to run \`emerge --config =${CATEGORY}/${PF}\` to be able"
+		elog "to start the radiusd service."
+	fi
+}

profiles/pentoo/base/package.accept_keywords/net-dialup

@@ -1,3 +1,3 @@
-#~net-dialup/freeradius-2.2.0
+=net-dialup/freeradius-3.0*
 
 =net-dialup/minimodem-0.24*