main/freeradius: fix permissions of certs

ref #10958 also remove unused patch
author: Natanael Copa <ncopa@alpinelinux.org> 2019-11-19 12:26:41 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2019-11-19 12:27:40 +0000
commit: 7bcdd8e223cc015441dcf8f2177818bf5d82badc (patch)
tree: cffc69c4d32b98849d00f216659e0cef2cbdef3e /main/freeradius
parent: 0772430696562eedf32104d2b396ded14a5d219e (diff)
download: aports-7bcdd8e223cc015441dcf8f2177818bf5d82badc.tar.bz2
aports-7bcdd8e223cc015441dcf8f2177818bf5d82badc.tar.xz
3 files changed, 47 insertions, 81 deletions
diff --git a/main/freeradius/APKBUILD b/main/freeradius/APKBUILD
index afb8167d8d..5fda4999c1 100644
--- a/main/freeradius/APKBUILD
+++ b/main/freeradius/APKBUILD
@@ -5,7 +5,7 @@
 pkgname=freeradius
 _realname=freeradius
 pkgver=3.0.20
-pkgrel=0
+pkgrel=1
 pkgdesc="RADIUS (Remote Authentication Dial-In User Service) server"
 url="https://freeradius.org/"
 arch="all"
@@ -30,6 +30,7 @@ source="ftp://ftp.freeradius.org/pub/freeradius/$_realname-server-$pkgver.tar.gz
 	musl-fix-headers.patch
 	fix-scopeid.patch
 	freeradius-313-default-config.patch
+	Fix-permissions-of-certs-in-bootstrap-fallback.patch
 	"
 builddir="$srcdir"/$_realname-server-$pkgver
 
@@ -288,4 +289,5 @@ e248159c0a44f722e405c51c8015d9ad672e42ad0d38ca28f8a051ff911aa4d3e630b9bd4543e9d6
 ba3c424d4eabb147c7aa3e31575a87ddb26b6a792d2a8714e73d8763e07854326a03a83991a7420246ca06bf0b93d0a6f23ec198f5e48647f9d25b40067e852a  freeradius.initd
 c49e5eec7497fccde5fd09dba1ea9b846e57bc88015bd81640aa531fb5c9b449f37136f42c85fe1d7940c5963aed664b85da28442b388c9fb8cc27873df03b2d  musl-fix-headers.patch
 41d478c0e40ff82fc36232964037c1ab8ffca9fdbb7dca02ed49319906e751c133b5d7bc7773c645cec6d9d39d1de69cba25e8d59afa8d6662563dd17f35f234  fix-scopeid.patch
-666e15a3c3e5b98ff8c3168de85b341606af5e2790af379ddec46464e9d7de14a715876a34ba1eb7fa47ddead23f7134128d591db32309db0e4acbdb6f21ef5e  freeradius-313-default-config.patch"
+666e15a3c3e5b98ff8c3168de85b341606af5e2790af379ddec46464e9d7de14a715876a34ba1eb7fa47ddead23f7134128d591db32309db0e4acbdb6f21ef5e  freeradius-313-default-config.patch
+f88cb4ae335d67211c8563b6df88e20ee3729e57aa56423f99b518f83b190479b38bb189a0ab53c70ef9709a6229ccaa506ea6b79844cbfd4f2a7f0c7c292045  Fix-permissions-of-certs-in-bootstrap-fallback.patch"
diff --git a/main/freeradius/CVE-2015-4680.patch b/main/freeradius/CVE-2015-4680.patch
deleted file mode 100644
index ade38c9ee7..0000000000
--- a/main/freeradius/CVE-2015-4680.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 874b39451702338389260edbfc52b381b20352ec Mon Sep 17 00:00:00 2001
-From: "Alan T. DeKok" <aland@freeradius.org>
-Date: Mon, 22 Jun 2015 15:27:10 -0400
-Subject: [PATCH] Set X509_V_FLAG_CRL_CHECK_ALL
-
----
- raddb/mods-available/eap |  6 +++++-
- src/include/tls-h        |  1 +
- src/main/tls.c           | 12 ++++++++++++
- 3 files changed, 18 insertions(+), 1 deletion(-)
-
-diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
-index 165971a..10026ec 100644
---- a/raddb/mods-available/eap
-+++ b/raddb/mods-available/eap
-@@ -269,9 +269,13 @@ eap {
- 		#  1) Copy CA certificates and CRLs to same directory.
- 		#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
- 		#    'c_rehash' is OpenSSL's command.
--		#  3) uncomment the line below.
-+		#  3) uncomment the lines below.
- 		#  5) Restart radiusd
- 	#	check_crl = yes
-+
-+		# Check if intermediate CAs have been revoked.
-+	#	check_all_crl = yes
-+
- 		ca_path = ${cadir}
- 
- 		#
-diff --git a/src/include/tls-h b/src/include/tls-h
-index 9fdc775..a41c6f5 100644
---- a/src/include/tls-h
-+++ b/src/include/tls-h
-@@ -347,6 +347,7 @@ struct fr_tls_server_conf_t {
- 	 */
- 	uint32_t	fragment_size;
- 	bool		check_crl;
-+	bool		check_all_crl;
- 	bool		allow_expired_crl;
- 	char const	*check_cert_cn;
- 	char const	*cipher_list;
-diff --git a/src/main/tls.c b/src/main/tls.c
-index 692651f..9df48b4 100644
---- a/src/main/tls.c
-+++ b/src/main/tls.c
-@@ -999,6 +999,9 @@ static CONF_PARSER tls_server_config[] = {
- 	{ "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, fragment_size), "1024" },
- 	{ "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, include_length), "yes" },
- 	{ "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_crl), "no" },
-+#ifdef X509_V_FLAG_CRL_CHECK_ALL
-+	{ "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_all_crl), "no" },
-+#endif
- 	{ "allow_expired_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, allow_expired_crl), NULL },
- 	{ "check_cert_cn", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, check_cert_cn), NULL },
- 	{ "cipher_list", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, cipher_list), NULL },
-@@ -2104,6 +2107,10 @@ static X509_STORE *init_revocation_store(fr_tls_server_conf_t *conf)
- 	if (conf->check_crl)
- 		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
- #endif
-+#ifdef X509_V_FLAG_CRL_CHECK_ALL
-+	if (conf->check_all_crl)
-+		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
-+#endif
- 	return store;
- }
- #endif	/* HAVE_OPENSSL_OCSP_H */
-@@ -2591,6 +2598,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client)
- 	    		return NULL;
- 		}
- 		X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
-+
-+#ifdef X509_V_FLAG_CRL_CHECK_ALL
-+		if (conf->check_all_crl)
-+			X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK_ALL);
-+#endif
- 	}
- #endif
- 
diff --git a/main/freeradius/Fix-permissions-of-certs-in-bootstrap-fallback.patch b/main/freeradius/Fix-permissions-of-certs-in-bootstrap-fallback.patch
new file mode 100644
index 0000000000..9f80f76e09
--- /dev/null
+++ b/main/freeradius/Fix-permissions-of-certs-in-bootstrap-fallback.patch
@@ -0,0 +1,43 @@
+From 6bdb22ef951b4b3e83c788fcb20e4dddf8301ad3 Mon Sep 17 00:00:00 2001
+From: Jorge Pereira <jpereiran@gmail.com>
+Date: Mon, 18 Nov 2019 12:43:29 -0300
+Subject: [PATCH] Fix permissions of certs in bootstrap fallback. ref #3132
+
+---
+ raddb/certs/bootstrap | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 0f719aafd4..57de8cf0d7 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -42,6 +42,7 @@ fi
+ 
+ if [ ! -f server.key ]; then
+   openssl req -new  -out server.csr -keyout server.key -config ./server.cnf || exit 1
++  chmod g+r server.key
+ fi
+ 
+ if [ ! -f ca.key ]; then
+@@ -62,11 +63,13 @@ fi
+ 
+ if [ ! -f server.p12 ]; then
+   openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
++  chmod g+r server.p12
+ fi
+ 
+ if [ ! -f server.pem ]; then
+   openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+   openssl verify -CAfile ca.pem server.pem || exit 1
++  chmod g+r server.pem
+ fi
+ 
+ if [ ! -f ca.der ]; then
+@@ -75,6 +78,7 @@ fi
+ 
+ if [ ! -f client.key ]; then
+   openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
++  chmod g+r client.key
+ fi
+ 
+ if [ ! -f client.crt ]; then
author	Natanael Copa <ncopa@alpinelinux.org>	2019-11-19 12:26:41 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2019-11-19 12:27:40 +0000
commit	7bcdd8e223cc015441dcf8f2177818bf5d82badc (patch)
tree	cffc69c4d32b98849d00f216659e0cef2cbdef3e /main/freeradius
parent	0772430696562eedf32104d2b396ded14a5d219e (diff)
download	aports-7bcdd8e223cc015441dcf8f2177818bf5d82badc.tar.bz2 aports-7bcdd8e223cc015441dcf8f2177818bf5d82badc.tar.xz