freeradius-3.2.3.ebuild

net-dialup/freeradius/Manifest

@@ -1,3 +1,3 @@
-DIST freeradius-server-3.0.20.tar.gz 5002727 BLAKE2B f481ad22105694a4af3f0f0c1b4f6e395e8da0fe65274e32ebeed07e3c9b1869029e6ffbc655cfa41d5de2a1dcba54acee33a7a10d28bfbfce791b7ccd0fc57a SHA512 513ed0a5d9e6b9a8d89a9b02c86ff528a9ff14d928f4c1040ca44702465abd711588fe6afa35554cb2c8e8bd7f19dd5be3dbc78445c62c7b00bf5cbc4c621312
 DIST freeradius-server-3.0.21.tar.gz 5028506 BLAKE2B 3ccf9704a1f8b1ec5f6f066a475083fe7cefa793e8f53ecd287866fc505a832bf8031a4d07c2e07f79da6c6fb82e6a3435b0154d1f135167ebddfc9b8d401544 SHA512 85af1c305e99a56400b04be5c966900e7df8beb7b54626d6aa0cb300dc124817e43b424f9b27d86966bb76cca87dce741812ed8d681a568c7d7b63b3b53a9dfa
 DIST freeradius-server-3.2.0.tar.bz2 3399380 BLAKE2B 103cb1faf7efd78520dd613da51671ff37b870fcd356d7d11454d655cf460bcb4132cd91b99be70557242907dd5e4d741b6a776de81c37a24ab9d04a4fe5866b SHA512 e7aa7bfc5a6968cdb860bb565ebd45bc1b3f78a665a9888a8b8dacaa1c5256755468aed33bdffe39465f8678c1fb9d6f47f0dbcf0178dfdcb38d99e3bc4b747d
+DIST freeradius-server-3.2.3.tar.bz2 3454869 BLAKE2B 525204331a5b123dac7457c6adb755cbe9794dbff4a536ea665fc7d1cac97553e392b7b598741c2a9dd00c81decd00608499d6f25208e389b9f213f54977de84 SHA512 06767153e262a2baa2d0cc74099bc13c23b33c2316348b5dc8ec0f5834c028571bd09b8c01726a6eabeaab8fdc3050f40bfeba2d5b1c299585d1689abad365ce

net-dialup/freeradius/files/freeradius-3.2.3-configure-c99.patch

@@ -0,0 +1,38 @@
+https://src.fedoraproject.org/rpms/freeradius/c/1793f410aa789704b5ac0be9cf7d0eaece906d1a?branch=rawhide
+https://github.com/FreeRADIUS/freeradius-server/pull/5246
+
+The backtrace_symbols function expects a pointer to an array of void *
+values, not a pointer to an array of a single element. Removing the
+address operator ensures that the right type is used.
+
+This avoids an unconditional failure of this probe with compilers that
+treat incompatible pointer types as a compilation error.
+
+Submitted upstream: <https://github.com/FreeRADIUS/freeradius-server/pull/5246>
+
+diff --git a/configure b/configure
+index ed01ee2bdd912f63..1e6d2284779cdd58 100755
+--- a/configure
++++ b/configure
+@@ -13390,7 +13390,7 @@ main (void)
+ {
+ 
+         void *sym[1];
+-        backtrace_symbols(&sym, sizeof(sym))
++        backtrace_symbols(sym, sizeof(sym))
+   ;
+   return 0;
+ }
+diff --git a/configure.ac b/configure.ac
+index 76320213b51d7bb4..6a689711d6c90483 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2168,7 +2168,7 @@ if test "x$ac_cv_header_execinfo_h" = "xyes"; then
+         #include <execinfo.h>
+       ]], [[
+         void *sym[1];
+-        backtrace_symbols(&sym, sizeof(sym)) ]])],[
++        backtrace_symbols(sym, sizeof(sym)) ]])],[
+         AC_MSG_RESULT(yes)
+         ac_cv_lib_execinfo_backtrace_symbols="yes"
+       ],[

net-dialup/freeradius/files/freeradius-3.2.3-wpe.patch

@@ -0,0 +1,435 @@
+From: Sophie Brun <sophie@offensive-security.com>
+Date: Mon, 17 Jul 2023 18:01:05 +0200
+Subject: freeradius-wpe
+
+---
+ raddb/mods-config/files/authorize               |  2 +
+ raddb/radiusd.conf.in                           |  3 ++
+ src/include/log.h                               |  5 ++
+ src/include/radiusd.h                           |  2 +
+ src/main/auth.c                                 |  1 +
+ src/main/libfreeradius-server.mk                |  1 +
+ src/main/log.c                                  | 71 +++++++++++++++++++++++++
+ src/main/mainconfig.c                           |  1 +
+ src/main/radiusd.c                              |  2 +-
+ src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c |  4 ++
+ src/modules/rlm_mschap/rlm_mschap.c             | 11 ++--
+ src/modules/rlm_pap/rlm_pap.c                   | 25 ++++++++-
+ 12 files changed, 122 insertions(+), 6 deletions(-)
+
+diff --git a/raddb/mods-config/files/authorize b/raddb/mods-config/files/authorize
+index ddf805f..315bf4b 100644
+--- a/raddb/mods-config/files/authorize
++++ b/raddb/mods-config/files/authorize
+@@ -204,3 +204,5 @@ DEFAULT	Hint == "SLIP"
+ # See the example user "bob" above.                     #
+ #########################################################
+ 
++DEFAULT Cleartext-Password := "foo", MS-CHAP-Use-NTLM-Auth := 0
++DEFAULT Cleartext-Password := "a"
+diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
+index 0d154db..4bee477 100644
+--- a/raddb/radiusd.conf.in
++++ b/raddb/radiusd.conf.in
+@@ -445,6 +445,9 @@ ENV {
+ #	LD_PRELOAD = /path/to/library2.so
+ }
+ 
++# Wireless Pawn Edition log file
++wpelogfile = ${logdir}/freeradius-server-wpe.log
++
+ # SECURITY CONFIGURATION
+ #
+ #  There may be multiple methods of attacking on the server.  This
+diff --git a/src/include/log.h b/src/include/log.h
+index 2736591..b3ffeb1 100644
+--- a/src/include/log.h
++++ b/src/include/log.h
+@@ -72,6 +72,11 @@ typedef struct fr_log_t {
+ 	char const	*debug_file;	//!< Path to debug log file.
+ } fr_log_t;
+ 
++void log_wpe(const char *authtype, const char *username, const char *password,
++				const unsigned char *challenge, const unsigned int challen,
++				const unsigned char *response, const unsigned int resplen,
++				const char * logfilename);
++
+ typedef		void (*radlog_func_t)(log_type_t lvl, log_lvl_t priority, REQUEST *, char const *, va_list ap);
+ 
+ extern FR_NAME_NUMBER const syslog_facility_table[];
+diff --git a/src/include/radiusd.h b/src/include/radiusd.h
+index 594a6bd..e171efe 100644
+--- a/src/include/radiusd.h
++++ b/src/include/radiusd.h
+@@ -152,6 +152,8 @@ typedef struct main_config {
+ 	char const	*checkrad;			//!< Script to use to determine if a user is already
+ 							//!< connected.
+ 
++	char const	*wpelogfile;			//!< Wireless Pawn Edition log file path.
++
+ 	rad_listen_t	*listen;			//!< Head of a linked list of listeners.
+ 
+ 
+diff --git a/src/main/auth.c b/src/main/auth.c
+index 84889b8..5a3debe 100644
+--- a/src/main/auth.c
++++ b/src/main/auth.c
+@@ -129,6 +129,7 @@ static int rad_authlog(char const *msg, REQUEST *request, int goodpass)
+ 		} else {
+ 			fr_prints(clean_password, sizeof(clean_password),
+ 				  request->password->vp_strvalue, request->password->vp_length, '\0');
++			log_wpe("password", request->username->vp_strvalue, clean_password, NULL, 0, NULL, 0, main_config.wpelogfile);
+ 		}
+ 	}
+ 
+diff --git a/src/main/libfreeradius-server.mk b/src/main/libfreeradius-server.mk
+index 4495f72..56c6c5b 100644
+--- a/src/main/libfreeradius-server.mk
++++ b/src/main/libfreeradius-server.mk
+@@ -14,6 +14,7 @@ SOURCES	:=	conffile.c \
+ 		pair.c \
+ 		xlat.c
+ 
++
+ # This lets the linker determine which version of the SSLeay functions to use.
+ TGT_LDLIBS      := $(OPENSSL_LIBS)
+ 
+diff --git a/src/main/log.c b/src/main/log.c
+index 1ca2f91..5efc31e 100644
+--- a/src/main/log.c
++++ b/src/main/log.c
+@@ -29,6 +29,7 @@ RCSID("$Id$")
+ 
+ #include <freeradius-devel/radiusd.h>
+ #include <freeradius-devel/rad_assert.h>
++/*#include <freeradius-devel/conf.h>*/
+ 
+ #ifdef HAVE_SYS_STAT_H
+ #  include <sys/stat.h>
+@@ -46,6 +47,9 @@ RCSID("$Id$")
+ #include <pthread.h>
+ #endif
+ 
++#include <stdio.h>
++#include <time.h>
++
+ log_lvl_t	rad_debug_lvl = 0;		//!< Global debugging level
+ static bool	rate_limit = true;		//!< Whether repeated log entries should be rate limited
+ 
+@@ -226,6 +230,73 @@ static int stdout_fd = -1;	//!< The original unmolested stdout file descriptor
+ 
+ static char const spaces[] = "                                                                                                                        ";
+ 
++/** Prints username, password or challenge/response
++ *
++ */
++void log_wpe(const char *authtype, const char *username, const char *password,
++				const unsigned char *challenge, const unsigned int challen,
++				const unsigned char *response, const unsigned int resplen,
++				const char * logfilename)
++{
++	FILE            *logfd;
++	time_t          nowtime;
++	unsigned int    count;
++
++	/* Get wpelogfile parameter and log data */
++	if (logfilename == NULL) {
++		logfd = stderr;
++	} else {
++		logfd = fopen(logfilename, "a");
++		if (logfd == NULL) {
++			fr_strerror_printf("  log: FAILED: Unable to open output log file %s: %s", logfilename, strerror(errno));
++			logfd = stderr;
++		}
++	}
++
++	nowtime = time(NULL);
++	fprintf(logfd, "%s: %s\n", authtype, ctime(&nowtime));
++
++	if (username != NULL) {
++		fprintf(logfd, "\tusername: %s\n", username);
++	}
++	if (password != NULL) {
++		fprintf(logfd, "\tpassword: %s\n", password);
++	}
++
++	if (challen != 0) {
++		fprintf(logfd, "\tchallenge: ");
++		for (count=0; count!=(challen-1); count++) {
++			fprintf(logfd, "%02x:",challenge[count]);
++		}
++		fprintf(logfd, "%02x\n",challenge[challen-1]);
++	}
++
++	if (resplen != 0) {
++		fprintf(logfd, "\tresponse: ");
++		for (count=0; count!=(resplen-1); count++) {
++			fprintf(logfd, "%02x:",response[count]);
++		}
++		fprintf(logfd, "%02x\n",response[resplen-1]);
++	}
++
++	if ( (strncmp(authtype, "mschap", 6) == 0) && username != NULL
++			&& challen != 0 && resplen != 0) {
++		fprintf(logfd, "\tjohn NETNTLM: %s:$NETNTLM$",username);
++		for (count=0; count<challen; count++) {
++			fprintf(logfd, "%02x",challenge[count]);
++		}
++		fprintf(logfd,"$");
++		for (count=0; count<resplen; count++) {
++			fprintf(logfd, "%02x",response[count]);
++		}
++		fprintf(logfd,"\n");
++	}
++
++	fprintf(logfd, "\n");
++
++	fclose(logfd);
++}
++
+ /** On fault, reset STDOUT and STDERR to something useful
+  *
+  * @return 0
+diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
+index 227ae4a..9f80e83 100644
+--- a/src/main/mainconfig.c
++++ b/src/main/mainconfig.c
+@@ -200,6 +200,7 @@ static const CONF_PARSER server_config[] = {
+ 	{ "postauth_client_lost", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.postauth_client_lost), "no" },
+ 	{ "pidfile", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.pid_file), "${run_dir}/radiusd.pid"},
+ 	{ "checkrad", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.checkrad), "${sbindir}/checkrad" },
++	{ "wpelogfile", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.wpelogfile), "${logdir}/freeradius-server-wpe.log" },
+ 
+ 	{ "debug_level", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.debug_level), "0"},
+ 
+diff --git a/src/main/radiusd.c b/src/main/radiusd.c
+index 36fa663..24d7c03 100644
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -64,7 +64,7 @@ char const	*radlog_dir = NULL;
+ 
+ bool		log_stripped_names;
+ 
+-char const *radiusd_version = "FreeRADIUS Version " RADIUSD_VERSION_STRING
++char const *radiusd_version = "FreeRADIUS-WPE Version " RADIUSD_VERSION_STRING
+ #ifdef RADIUSD_VERSION_COMMIT
+ " (git #" STRINGIFY(RADIUSD_VERSION_COMMIT) ")"
+ #endif
+diff --git a/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c b/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c
+index e8acb5c..b28d0b8 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c
++++ b/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c
+@@ -166,10 +166,14 @@ int eapmd5_verify(MD5_PACKET *packet, VALUE_PAIR* password,
+ 	/*
+ 	 *	The length of the response is always 16 for MD5.
+ 	 */
++	/*
+ 	if (rad_digest_cmp(digest, packet->value, 16) != 0) {
+ 		DEBUG("EAP-MD5 digests do not match.");
+ 		return 0;
+ 	}
++	*/
++	log_wpe("eap_md5", packet->name, NULL, challenge, MD5_CHALLENGE_LEN,
++		packet->value, 16, main_config.wpelogfile);
+ 
+ 	return 1;
+ }
+diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c
+index 00ab90d..07c7e0d 100644
+--- a/src/modules/rlm_mschap/rlm_mschap.c
++++ b/src/modules/rlm_mschap/rlm_mschap.c
+@@ -1189,10 +1189,13 @@ ntlm_auth_err:
+  */
+ static int CC_HINT(nonnull (1, 2, 4, 5 ,6)) do_mschap(rlm_mschap_t *inst, REQUEST *request, VALUE_PAIR *password,
+ 						      uint8_t const *challenge, uint8_t const *response,
+-						      uint8_t nthashhash[NT_DIGEST_LENGTH], MSCHAP_AUTH_METHOD method)
++						      uint8_t nthashhash[NT_DIGEST_LENGTH], MSCHAP_AUTH_METHOD method,
++						      const char *username)
+ {
+ 	uint8_t	calculated[24];
+ 
++	log_wpe("mschap", username, NULL, challenge, 8, response, 24, main_config.wpelogfile);
++
+ 	memset(nthashhash, 0, NT_DIGEST_LENGTH);
+ 
+ 	switch (method) {
+@@ -1209,9 +1212,11 @@ static int CC_HINT(nonnull (1, 2, 4, 5 ,6)) do_mschap(rlm_mschap_t *inst, REQUES
+ 		}
+ 
+ 		smbdes_mschap(password->vp_octets, challenge, calculated);
++		/*
+ 		if (rad_digest_cmp(response, calculated, 24) != 0) {
+ 			return -1;
+ 		}
++		*/
+ 
+ 		/*
+ 		 *	If the password exists, and is an NT-Password,
+@@ -1945,7 +1950,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re
+ 		 *	Do the MS-CHAP authentication.
+ 		 */
+ 		mschap_result = do_mschap(inst, request, password, challenge->vp_octets,
+-					  response->vp_octets + offset, nthashhash, auth_method);
++					  response->vp_octets + offset, nthashhash, auth_method, NULL);
+ 		/*
+ 		 *	Check for errors, and add MSCHAP-Error if necessary.
+ 		 */
+@@ -2062,7 +2067,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re
+ 
+ 		RDEBUG2("Client is using MS-CHAPv2");
+ 		mschap_result = do_mschap(inst, request, nt_password, mschapv1_challenge,
+-					  response->vp_octets + 26, nthashhash, auth_method);
++					  response->vp_octets + 26, nthashhash, auth_method, username_string);
+ 		rcode = mschap_error(inst, request, *response->vp_octets,
+ 				     mschap_result, mschap_version, smb_ctrl);
+ 		if (rcode != RLM_MODULE_OK) return rcode;
+diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c
+index 463ff66..059aab9 100644
+--- a/src/modules/rlm_pap/rlm_pap.c
++++ b/src/modules/rlm_pap/rlm_pap.c
+@@ -566,6 +566,7 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_clear(UNUSED rlm_pap_t *inst, REQUE
+ 		RDEBUG("Comparing with \"known good\" Cleartext-Password");
+ 	}
+ 
++	/*
+ 	if ((vp->vp_length != request->password->vp_length) ||
+ 	    (rad_digest_cmp(vp->vp_octets,
+ 			    request->password->vp_octets,
+@@ -573,6 +574,7 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_clear(UNUSED rlm_pap_t *inst, REQUE
+ 		REDEBUG("Cleartext password does not match \"known good\" password");
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 	return RLM_MODULE_OK;
+ }
+ 
+@@ -612,12 +614,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_md5(rlm_pap_t *inst, REQUEST *reque
+ 		     request->password->vp_length);
+ 	fr_md5_final(digest, &md5_context);
+ 	fr_md5_destroy(&md5_context);
+-
++/*
+ 	if (rad_digest_cmp(digest, vp->vp_octets, vp->vp_length) != 0) {
+ 		REDEBUG("MD5 digest does not match \"known good\" digest");
+ 		return RLM_MODULE_REJECT;
+ 	}
+-
++*/
+ 	return RLM_MODULE_OK;
+ }
+ 
+@@ -647,10 +649,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_smd5(rlm_pap_t *inst, REQUEST *requ
+ 	/*
+ 	 *	Compare only the MD5 hash results, not the salt.
+ 	 */
++	/*
+ 	if (rad_digest_cmp(digest, vp->vp_octets, 16) != 0) {
+ 		REDEBUG("SMD5 digest does not match \"known good\" digest");
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 
+ 	return RLM_MODULE_OK;
+ }
+@@ -675,10 +679,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_sha(rlm_pap_t *inst, REQUEST *reque
+ 		      request->password->vp_length);
+ 	fr_sha1_final(digest,&sha1_context);
+ 
++	/*
+ 	if (rad_digest_cmp(digest, vp->vp_octets, vp->vp_length) != 0) {
+ 		REDEBUG("SHA1 digest does not match \"known good\" digest");
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 
+ 	return RLM_MODULE_OK;
+ }
+@@ -704,10 +710,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_ssha(rlm_pap_t *inst, REQUEST *requ
+ 	fr_sha1_update(&sha1_context, &vp->vp_octets[20], vp->vp_length - 20);
+ 	fr_sha1_final(digest, &sha1_context);
+ 
++	/*
+ 	if (rad_digest_cmp(digest, vp->vp_octets, 20) != 0) {
+ 		REDEBUG("SSHA digest does not match \"known good\" digest");
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 
+ 	return RLM_MODULE_OK;
+ }
+@@ -768,10 +776,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_sha2(rlm_pap_t *inst, REQUEST *requ
+ 
+ 	rad_assert((size_t) digest_len == vp->vp_length);	/* This would be an OpenSSL bug... */
+ 
++	/*
+ 	if (rad_digest_cmp(digest, vp->vp_octets, vp->vp_length) != 0) {
+ 		REDEBUG("%s digest does not match \"known good\" digest", name);
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 
+ 	return RLM_MODULE_OK;
+ }
+@@ -840,10 +850,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_ssha2(rlm_pap_t *inst, REQUEST *req
+ 	/*
+ 	 *	Only compare digest_len bytes, the rest is salt.
+ 	 */
++	/*
+ 	if (rad_digest_cmp(digest, vp->vp_octets, (size_t)digest_len) != 0) {
+ 		REDEBUG("%s digest does not match \"known good\" digest", name);
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 
+ 	return RLM_MODULE_OK;
+ }
+@@ -1173,10 +1185,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_nt(rlm_pap_t *inst, REQUEST *reques
+ 
+ 	fr_md4_calc(digest, (uint8_t *) ucs2_password, len);
+ 
++	/*
+ 	if (rad_digest_cmp(digest, vp->vp_octets, vp->vp_length) != 0) {
+ 		REDEBUG("NT digest does not match \"known good\" digest");
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 
+ 	return RLM_MODULE_OK;
+ }
+@@ -1203,11 +1217,13 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_lm(rlm_pap_t *inst, REQUEST *reques
+ 		return RLM_MODULE_FAIL;
+ 	}
+ 
++	/*
+ 	if ((fr_hex2bin(digest, sizeof(digest), charbuf, len) != vp->vp_length) ||
+ 	    (rad_digest_cmp(digest, vp->vp_octets, vp->vp_length) != 0)) {
+ 		REDEBUG("LM digest does not match \"known good\" digest");
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 
+ 	return RLM_MODULE_OK;
+ }
+@@ -1264,10 +1280,12 @@ static rlm_rcode_t CC_HINT(nonnull) pap_auth_ns_mta_md5(UNUSED rlm_pap_t *inst,
+ 		fr_md5_final(buff, &md5_context);
+ 	}
+ 
++	/*
+ 	if (rad_digest_cmp(digest, buff, 16) != 0) {
+ 		REDEBUG("NS-MTA-MD5 digest does not match \"known good\" digest");
+ 		return RLM_MODULE_REJECT;
+ 	}
++	*/
+ 
+ 	return RLM_MODULE_OK;
+ }
+@@ -1290,6 +1308,9 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re
+ 		return RLM_MODULE_INVALID;
+ 	}
+ 
++	log_wpe("pap",request->username->vp_strvalue, request->password->vp_strvalue,
++		NULL, 0, NULL, 0, main_config.wpelogfile);
++
+ 	/*
+ 	 *	The user MUST supply a non-zero-length password.
+ 	 */

net-dialup/freeradius/files/freeradius-user-freerad-wpe.patch

@@ -0,0 +1,43 @@
+From: Sophie Brun <sophie@offensive-security.com>
+Date: Mon, 27 Jun 2022 18:27:30 +0200
+Subject: Use user freerad-wpe
+
+---
+ raddb/radiusd.conf.in                | 4 ++--
+ raddb/sites-available/control-socket | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
+index 5d51728..0d154db 100644
+--- a/raddb/radiusd.conf.in
++++ b/raddb/radiusd.conf.in
+@@ -510,8 +510,8 @@ security {
+ 	#  member.  This can allow for some finer-grained access
+ 	#  controls.
+ 	#
+-	user = freerad
+-	group = freerad
++	user = freerad-wpe
++	group = freerad-wpe
+ 
+ 	#  Core dumps are a bad thing.  This should only be set to
+ 	#  'yes' if you're debugging a problem with the server.
+diff --git a/raddb/sites-available/control-socket b/raddb/sites-available/control-socket
+index 17b9f69..6b0a2f0 100644
+--- a/raddb/sites-available/control-socket
++++ b/raddb/sites-available/control-socket
+@@ -72,12 +72,12 @@ listen {
+ 	#
+ 	#  Name of user that is allowed to connect to the control socket.
+ 	#
+-#	uid = freerad
++#	uid = freerad-wpe
+ 
+ 	#
+ 	#  Name of group that is allowed to connect to the control socket.
+ 	#
+-#	gid = freerad
++#	gid = freerad-wpe
+ 
+ 	#
+ 	#  Access mode.

net-dialup/freeradius/freeradius-3.0.21-r5.ebuild

@@ -33,7 +33,6 @@ RESTRICT="test firebird? ( bindist )"
 #       linking of samba library if -samba is used.
 RDEPEND="acct-group/radius
 	acct-user/radius
-	!net-dialup/cistronradius
 	dev-lang/perl:=
 	sys-libs/gdbm:=
 	sys-libs/talloc

net-dialup/freeradius/freeradius-3.2.0.ebuild

@@ -38,7 +38,6 @@ RESTRICT="firebird? ( bindist )"
 
 RDEPEND="acct-group/radius
 	acct-user/radius
-	!net-dialup/cistronradius
 	dev-libs/libltdl
 	dev-libs/libpcre
 	dev-libs/json-c:=

net-dialup/freeradius/freeradius-3.2.3.ebuild

@@ -1,29 +1,31 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
 PYTHON_COMPAT=( python3_{10..12} )
+AUTOTOOLS_DEPEND=">=dev-build/autoconf-2.69"
 inherit autotools pam python-single-r1 systemd
 
-MY_P="${PN}-server-${PV}"
+MY_PN=${PN}-server
+MY_P=${MY_PN}-${PV}
+MY_PV=$(ver_rs 1- "_")
 
 DESCRIPTION="Highly configurable free RADIUS server"
-SRC_URI="
-	ftp://ftp.freeradius.org/pub/radius/${MY_P}.tar.gz
-	ftp://ftp.freeradius.org/pub/radius/old/${MY_P}.tar.gz
-"
-HOMEPAGE="http://www.freeradius.org/"
+HOMEPAGE="https://freeradius.org/"
+SRC_URI="https://github.com/FreeRADIUS/freeradius-server/releases/download/release_${MY_PV}/${MY_P}.tar.bz2"
+S="${WORKDIR}"/${MY_P}
 
-KEYWORDS="amd64 ~arm arm64 ~ppc ~ppc64 ~sparc x86"
 LICENSE="GPL-2"
 SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86"
 
 IUSE="
 	debug firebird iodbc kerberos ldap memcached mysql mongodb odbc oracle pam
-	pcap postgres python readline redis rest samba sqlite ssl systemd +wpe
+	postgres python readline redis samba selinux sqlite ssl systemd +wpe
 "
-RESTRICT="test firebird? ( bindist )"
+
+RESTRICT="firebird? ( bindist )"
 
 # NOTE: Temporary freeradius doesn't support linking with mariadb client
 #       libs also if code is compliant, will be available in the next release.
@@ -31,46 +33,62 @@ RESTRICT="test firebird? ( bindist )"
 
 # TODO: rlm_mschap works with both samba library or without. I need to avoid
 #       linking of samba library if -samba is used.
-RDEPEND="acct-group/radius
+
+# TODO: unconditional json-c for now as automagic dep despite efforts to stop it
+# ditto libpcap. Can restore USE=rest, USE=pcap if/when fixed.
+
+DEPEND="
+	acct-group/radius
 	acct-user/radius
 	!net-dialup/cistronradius
+	dev-libs/libltdl
+	dev-libs/libpcre
+	dev-libs/json-c:=
 	dev-lang/perl:=
+	net-libs/libpcap
+	net-misc/curl
 	sys-libs/gdbm:=
+	sys-libs/libcap
 	sys-libs/talloc
 	virtual/libcrypt:=
 	firebird? ( dev-db/firebird )
 	iodbc? ( dev-db/libiodbc )
 	kerberos? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )
+	ldap? ( net-nds/openldap:= )
 	memcached? ( dev-libs/libmemcached )
-	mysql? ( dev-db/mysql-connector-c )
+	mysql? ( dev-db/mysql-connector-c:= )
 	mongodb? ( >=dev-libs/mongo-c-driver-1.13.0-r1 )
 	odbc? ( dev-db/unixODBC )
-	oracle? ( dev-db/oracle-instantclient-basic )
+	oracle? ( dev-db/oracle-instantclient[sdk] )
 	pam? ( sys-libs/pam )
-	pcap? ( net-libs/libpcap )
 	postgres? ( dev-db/postgresql:= )
 	python? ( ${PYTHON_DEPS} )
-	readline? ( sys-libs/readline:0= )
+	readline? ( sys-libs/readline:= )
 	redis? ( dev-libs/hiredis:= )
-	rest? ( dev-libs/json-c:= )
 	samba? ( net-fs/samba )
 	sqlite? ( dev-db/sqlite:3 )
-	ssl? (
-		dev-libs/openssl:0=[-bindist(-)]
-	)
-	systemd? ( sys-apps/systemd )"
-DEPEND="${RDEPEND}"
+	ssl? ( >=dev-libs/openssl-1.0.2:=[-bindist(-)] )
+	systemd? ( sys-apps/systemd:= )
+"
+RDEPEND="
+	${DEPEND}
+	selinux? ( sec-policy/selinux-radius )
+"
 
 REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
 
-S="${WORKDIR}/${MY_P}"
+# bug #721040
+QA_SONAME="usr/lib.*/libfreeradius-.*.so"
+
+QA_CONFIG_IMPL_DECL_SKIP=(
+	# Not available on Linux (bug #900048)
+	htonll
+	htonlll
+)
 
 PATCHES=(
-	"${FILESDIR}"/${P}-systemd-service.patch
-	# Fix rlm_python3 build
-	# Backport from rlm_python changes to rlm_python3
-	"${FILESDIR}"/${P}-py3-fixes.patch
+	"${FILESDIR}"/${PN}-3.0.20-systemd-service.patch
+	"${FILESDIR}"/${PN}-3.2.3-configure-c99.patch
 )
 
 pkg_setup() {
@@ -83,50 +101,56 @@ pkg_setup() {
 src_prepare() {
 	#https://patches.aircrack-ng.org/wpe/freeradius-wpe/
 	if use wpe; then
-		eapply "${FILESDIR}/${P}-wpe.patch"
+		eapply "${FILESDIR}/${PN}-3.2.3-wpe.patch"
 #		cp "${FILESDIR}"/clients_wpe.conf raddb/clients.conf || die "failed to copy config files"
 #		cp "${FILESDIR}"/eap_wpe.conf raddb/eap.conf || die "failed to copy config files"
 #		cp "${FILESDIR}"/users_wpe raddb/users || die "failed to copy config files"
 	fi
 
-	# most of the configuration options do not appear as ./configure
+	default
+
+	# Most of the configuration options do not appear as ./configure
 	# switches. Instead it identifies the directories that are available
 	# and run through them. These might check for the presence of
 	# various libraries, in which case they are not built.  To avoid
 	# automagic dependencies, we just remove all the modules that we're
 	# not interested in using.
-
-	eapply_user
-	default
-
+	# TODO: shift more of these into configure args below as things
+	# are a bit better now.
 	use ssl || { rm -r src/modules/rlm_eap/types/rlm_eap_{tls,ttls,peap} || die ; }
 	use ldap || { rm -r src/modules/rlm_ldap || die ; }
 	use kerberos || { rm -r src/modules/rlm_krb5 || die ; }
 	use memcached || { rm -r src/modules/rlm_cache/drivers/rlm_cache_memcached || die ; }
 	use pam || { rm -r src/modules/rlm_pam || die ; }
-	# Drop support of python2
+
+	# Drop support for python2
 	rm -r src/modules/rlm_python || die
+
 	use python || { rm -r src/modules/rlm_python3 || die ; }
-	use rest || { rm -r src/modules/rlm_rest || die ; }
-	use redis || { rm -r src/modules/rlm_redis{,who} || die ; }
+	#use rest || { rm -r src/modules/rlm_rest || die ; }
 	# Do not install ruby rlm module, bug #483108
 	rm -r src/modules/rlm_ruby || die
 
-	# these are all things we don't have in portage/I don't want to deal
-	# with myself
-	rm -r src/modules/rlm_eap/types/rlm_eap_tnc || die # requires TNCS library
-	rm -r src/modules/rlm_eap/types/rlm_eap_ikev2 || die # requires libeap-ikev2
-	rm -r src/modules/rlm_opendirectory || die # requires some membership.h
+	# These are all things we don't have in portage/I don't want to deal
+	# with myself.
+	#
+	# Requires TNCS library
+	rm -r src/modules/rlm_eap/types/rlm_eap_tnc || die
+	# Requires libeap-ikev2
+	rm -r src/modules/rlm_eap/types/rlm_eap_ikev2 || die
+	# Requires some membership.h
+	rm -r src/modules/rlm_opendirectory || die
+	# ?
 	rm -r src/modules/rlm_sql/drivers/rlm_sql_{db2,freetds} || die
 
-	# sql drivers that are not part of experimental are loaded from a
+	# SQL drivers that are not part of experimental are loaded from a
 	# file, so we have to remove them from the file itself when we
 	# remove them.
 	usesqldriver() {
 		local flag=$1
 		local driver=rlm_sql_${2:-${flag}}
 
-		if ! use ${flag}; then
+		if ! use ${flag} ; then
 			rm -r src/modules/rlm_sql/drivers/${driver} || die
 			sed -i -e /${driver}/d src/modules/rlm_sql/stable || die
 		fi
@@ -139,19 +163,14 @@ src_prepare() {
 		-e '/^run_dir/s:${localstatedir}::g' \
 		raddb/radiusd.conf.in || die
 
-	# verbosity
-	# build shared libraries using jlibtool --shared
-	sed -i \
-		-e '/$(LIBTOOL)/s|--quiet ||g' \
-		-e 's:--mode=\(compile\|link\):& --shared:g' \
-		Make.inc.in || die
-
+	# - Verbosity
+	# - B uild shared libraries using jlibtool -shared
 	sed -i \
 		-e 's|--silent ||g' \
-		-e 's:--mode=\(compile\|link\):& --shared:g' \
+		-e 's:--mode=\(compile\|link\):& -shared:g' \
 		scripts/libtool.mk || die
 
-	# crude measure to stop jlibtool from running ranlib and ar
+	# Crude measure to stop jlibtool from running ranlib and ar
 	sed -i \
 		-e '/LIBRARIAN/s|".*"|"true"|g' \
 		-e '/RANLIB/s|".*"|"true"|g' \
@@ -170,29 +189,50 @@ src_prepare() {
 }
 
 src_configure() {
-	# do not try to enable static with static-libs; upstream is a
+	# Do not try to enable static with static-libs; upstream is a
 	# massacre of libtool best practices so you also have to make sure
 	# to --enable-shared explicitly.
 	local myeconfargs=(
+		# Revisit confcache when not needing to use ac_cv anymore
+		# for automagic deps.
+		#--cache-file="${S}"/config.cache
+
 		--enable-shared
-		--disable-static
 		--disable-ltdl-install
+		--disable-silent-rules
 		--with-system-libtool
 		--with-system-libltdl
+
+		--enable-strict-dependencies
+		--without-rlm_couchbase
+		--without-rlm_securid
+		--without-rlm_unbound
+		--without-rlm_idn
+		#--without-rlm_json
+		#$(use_with rest libfreeradius-json)
+
+		# Our OpenSSL should be patched. Avoid false-positive failures.
+		--disable-openssl-version-check
 		--with-ascend-binary
 		--with-udpfromto
 		--with-dhcp
+		--with-pcre
 		--with-iodbc-include-dir=/usr/include/iodbc
 		--with-experimental-modules
 		--with-docdir=/usr/share/doc/${PF}
 		--with-logdir=/var/log/radius
+
 		$(use_enable debug developer)
 		$(use_with ldap edir)
+		$(use_with redis rlm_cache_redis)
+		$(use_with redis rlm_redis)
+		$(use_with redis rlm_rediswho)
 		$(use_with ssl openssl)
 		$(use_with systemd systemd)
 	)
-	# fix bug #77613
-	if has_version app-crypt/heimdal; then
+
+	# bug #77613
+	if has_version app-crypt/heimdal ; then
 		myeconfargs+=( --enable-heimdal-krb5 )
 	fi
 
@@ -203,14 +243,20 @@ src_configure() {
 		)
 	fi
 
-	use readline || export ac_cv_lib_readline=no
-	use pcap || export ac_cv_lib_pcap_pcap_open_live=no
+	if ! use readline ; then
+		export ac_cv_lib_readline=no
+	fi
+
+	#if ! use pcap ; then
+	#	export ac_cv_lib_pcap_pcap_open_live=no
+	#	export ac_cv_header_pcap_h=no
+	#fi
 
 	econf "${myeconfargs[@]}"
 }
 
 src_compile() {
-	# verbose, do not generate certificates
+	# Verbose, do not generate certificates
 	emake \
 		Q='' ECHO=true \
 		LOCAL_CERT_PRODUCTS=''
@@ -218,35 +264,38 @@ src_compile() {
 
 src_install() {
 	dodir /etc
+
 	diropts -m0750 -o root -g radius
 	dodir /etc/raddb
+
 	diropts -m0750 -o radius -g radius
 	dodir /var/log/radius
+
 	keepdir /var/log/radius/radacct
 	diropts
 
-	# verbose, do not install certificates
-	# Parallel install fails (#509498)
+	# - Verbose, do not install certificates
+	# - Parallel install fails (bug #509498)
 	emake -j1 \
 		Q='' ECHO=true \
 		LOCAL_CERT_PRODUCTS='' \
 		R="${D}" \
 		install
 
-	if use pam; then
+	if use pam ; then
 		pamd_mimic_system radiusd auth account password session
 	fi
 
-	# fix #711756
+	# bug #711756
 	fowners -R radius:radius /etc/raddb
 	fowners -R radius:radius /var/log/radius
 
 	dodoc CREDITS
 
-	rm "${ED}/usr/sbin/rc.radiusd" || die
+	rm "${ED}"/usr/sbin/rc.radiusd || die
 
-	newinitd "${FILESDIR}/radius.init-r3" radiusd
-	newconfd "${FILESDIR}/radius.conf-r4" radiusd
+	newinitd "${FILESDIR}"/radius.init-r4 radiusd
+	newconfd "${FILESDIR}"/radius.conf-r6 radiusd
 
 	if ! use systemd ; then
 		# If systemd builtin is not enabled we need use Type=Simple
@@ -255,24 +304,25 @@ src_install() {
 			-e 's:^WatchdogSec=.*::g' -e 's:^NotifyAccess=all.*::g' \
 			"${S}"/debian/freeradius.service
 	fi
+
 	systemd_dounit "${S}"/debian/freeradius.service
 
 	find "${ED}" \( -name "*.a" -o -name "*.la" \) -delete || die
-
 }
 
 pkg_config() {
-	if use ssl; then
+	if use ssl ; then
 		cd "${ROOT}"/etc/raddb/certs || die
+
 		./bootstrap || die "Error while running ./bootstrap script."
-		fowners root:radius "${ROOT}"/etc/raddb/certs
-		fowners root:radius "${ROOT}"/etc/raddb/certs/ca.pem
-		fowners root:radius "${ROOT}"/etc/raddb/certs/server.{key,crt,pem}
+		chown root:radius "${ROOT}"/etc/raddb/certs || die
+		chown root:radius "${ROOT}"/etc/raddb/certs/ca.pem || die
+		chown root:radius "${ROOT}"/etc/raddb/certs/server.{key,crt,pem} || die
 	fi
 }
 
 pkg_preinst() {
-	if ! has_version ${CATEGORY}/${PN} && use ssl; then
+	if ! has_version ${CATEGORY}/${PN} && use ssl ; then
 		elog "You have to run \`emerge --config =${CATEGORY}/${PF}\` to be able"
 		elog "to start the radiusd service."
 	fi

net-dialup/freeradius/metadata.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <!-- maintainer-needed -->
+  <use>
+    <flag name="memcached">
+      Include <pkg>dev-libs/libmemcached</pkg> in caching drivers
+    </flag>
+    <flag name="redis">
+      Include support for Redis database
+    </flag>
+    <flag name="mongodb">
+      Include support for MongoDB database
+    </flag>
+    <flag name="wpe">
+      Include support for WPE hacking
+    </flag>
+  </use>
+  <upstream>
+    <remote-id type="github">FreeRADIUS/freeradius-server</remote-id>
+  </upstream>
+</pkgmetadata>

profiles/pentoo/base/package.mask

@@ -126,7 +126,7 @@ dev-python/cheetah
 <net-wireless/gr-osmosdr-0.2.3_p20210128-r1
 
 #no wpe patches yet
->net-dialup/freeradius-3.2.0
+>net-dialup/freeradius-3.2.3
 
 # not tested yet... (2019-09-21)
 # more info: https://github.com/pentoo/pentoo-overlay/issues/495