commit: 41f18a6ef06b61c87f5bdef4e4a7787636d39d0f Author: orbea <orbea <AT> riseup <DOT> net> AuthorDate: Sat Jan 4 16:15:26 2025 +0000 Commit: orbea <orbea <AT> riseup <DOT> net> CommitDate: Sat Jan 4 19:01:55 2025 +0000 URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=41f18a6e
net-dialup/freeradius: add 3.2.6 Signed-off-by: orbea <orbea <AT> riseup.net> net-dialup/freeradius/Manifest | 1 + .../files/freeradius-3.2.6-libressl.patch | 123 ++++++++ net-dialup/freeradius/freeradius-3.2.6.ebuild | 321 +++++++++++++++++++++ 3 files changed, 445 insertions(+) diff --git a/net-dialup/freeradius/Manifest b/net-dialup/freeradius/Manifest index ebb8015..18bf6fc 100644 --- a/net-dialup/freeradius/Manifest +++ b/net-dialup/freeradius/Manifest @@ -1 +1,2 @@ DIST freeradius-server-3.2.3.tar.bz2 3454869 BLAKE2B 525204331a5b123dac7457c6adb755cbe9794dbff4a536ea665fc7d1cac97553e392b7b598741c2a9dd00c81decd00608499d6f25208e389b9f213f54977de84 SHA512 06767153e262a2baa2d0cc74099bc13c23b33c2316348b5dc8ec0f5834c028571bd09b8c01726a6eabeaab8fdc3050f40bfeba2d5b1c299585d1689abad365ce +DIST freeradius-server-3.2.6.tar.bz2 3500878 BLAKE2B 0af7cdf7fb784f2d5019f3bcb06d1d44dca046c9a4513d780ab032367001b6a67e9ea17a3a5b4609b9d7b936647e60c96e35188ba9644c4360071ac8d021bd58 SHA512 3fdd0c1bf82cf7ea2e9ee46cda1061ef06c97eddd70b75be17f05d9dc13771b339d01f140b4288632700d6315c1ac506d225d1e83a179b6f7e8338e2ae42d7e8 diff --git a/net-dialup/freeradius/files/freeradius-3.2.6-libressl.patch b/net-dialup/freeradius/files/freeradius-3.2.6-libressl.patch new file mode 100644 index 0000000..1ac75d2 --- /dev/null +++ b/net-dialup/freeradius/files/freeradius-3.2.6-libressl.patch @@ -0,0 +1,123 @@ +From OpenBSD: + +https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/freeradius/patches/patch-src_main_cb_c +https://github.com/openbsd/ports/blob/master/net/freeradius/patches/patch-src_main_tls_c +https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/freeradius/patches/patch-src_modules_rlm_eap_types_rlm_eap_fast_rlm_eap_fast_c +https://github.com/openbsd/ports/blob/master/net/freeradius/patches/patch-src_modules_rlm_pap_rlm_pap_c + +--- a/src/main/cb.c ++++ b/src/main/cb.c +@@ -61,7 +61,7 @@ void cbtls_info(SSL const *s, int where, int ret) + /* + * After a ClientHello, list all the proposed ciphers from the client + */ +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + if (SSL_get_state(s) == TLS_ST_SR_CLNT_HELLO) { + int i; + int num_ciphers; +@@ -121,7 +121,7 @@ void cbtls_info(SSL const *s, int where, int ret) + return; + } + RERROR("(TLS) %s - %s: Error in %s", conf->name, role, state); +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + if (RDEBUG_ENABLED3 && (SSL_get_state(s) == TLS_ST_SR_CLNT_HELLO)) goto report_ciphers; + #endif + } +@@ -208,7 +208,7 @@ void cbtls_msg(int write_p, int msg_version, int content_type, + state->info.alert_level = 0x00; + state->info.alert_description = 0x00; + +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + } else if (content_type == SSL3_RT_INNER_CONTENT_TYPE && buf[0] == SSL3_RT_APPLICATION_DATA) { + /* let tls_ack_handler set application_data */ + state->info.content_type = SSL3_RT_HANDSHAKE; +--- a/src/main/tls.c ++++ b/src/main/tls.c +@@ -701,7 +701,7 @@ tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQU + /* + * Swap empty store with the old one. + */ +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L + conf->old_x509_store = SSL_CTX_get_cert_store(conf->ctx); + /* Bump refcnt so the store is kept allocated till next store replacement */ + X509_STORE_up_ref(conf->old_x509_store); +@@ -2069,7 +2069,7 @@ done: + return 0; + } + +-#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + static SSL_SESSION *cbtls_get_session(SSL *ssl, unsigned char *data, int len, int *copy) + #else + static SSL_SESSION *cbtls_get_session(SSL *ssl, const unsigned char *data, int len, int *copy) +@@ -2453,7 +2453,7 @@ static int cbtls_cache_refresh(SSL *ssl, SSL_SESSION *sess) + return 0; + } + +-#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + static SSL_SESSION *cbtls_cache_load(SSL *ssl, unsigned char *data, int len, int *copy) + #else + static SSL_SESSION *cbtls_cache_load(SSL *ssl, const unsigned char *data, int len, int *copy) +@@ -2985,7 +2985,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) + char cn_str[1024]; + char buf[64]; + X509 *client_cert; +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const STACK_OF(X509_EXTENSION) *ext_list; + #else + STACK_OF(X509_EXTENSION) *ext_list; +@@ -3220,7 +3220,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) + } + + if (lookup == 0) { +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L + ext_list = X509_get0_extensions(client_cert); + #else + X509_CINF *client_inf; +@@ -3273,7 +3273,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) + value[0] = '0'; + value[1] = 'x'; + const unsigned char *srcp; +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const ASN1_STRING *srcasn1p; + srcasn1p = X509_EXTENSION_get_data(ext); + srcp = ASN1_STRING_get0_data(srcasn1p); +@@ -4346,7 +4346,7 @@ post_ca: + } + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) /* SSL_CTX_set1_sigalgs_list */ + if (conf->sigalgs_list) { + char *list; + +--- a/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c ++++ b/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c +@@ -224,7 +224,7 @@ static int _session_secret(SSL *s, void *secret, int *secret_len, + + RDEBUG("processing PAC-Opaque"); + +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + eap_fast_session_ticket(tls_session, s->s3->client_random, s->s3->server_random, secret, secret_len); + #else + uint8_t client_random[SSL3_RANDOM_SIZE]; +--- a/src/modules/rlm_pap/rlm_pap.c ++++ b/src/modules/rlm_pap/rlm_pap.c +@@ -934,7 +934,7 @@ static inline rlm_rcode_t CC_HINT(nonnull) pap_auth_pbkdf2_parse(REQUEST *reques + digest_len = SHA512_DIGEST_LENGTH; + break; + +-# if OPENSSL_VERSION_NUMBER >= 0x10101000L ++# if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + case PW_SSHA3_224_PASSWORD: + evp_md = EVP_sha3_224(); + digest_len = SHA224_DIGEST_LENGTH; diff --git a/net-dialup/freeradius/freeradius-3.2.6.ebuild b/net-dialup/freeradius/freeradius-3.2.6.ebuild new file mode 100644 index 0000000..723f653 --- /dev/null +++ b/net-dialup/freeradius/freeradius-3.2.6.ebuild @@ -0,0 +1,321 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{10..13} python3_13t ) +AUTOTOOLS_DEPEND=">=dev-build/autoconf-2.69" +inherit autotools pam python-single-r1 systemd + +MY_PN=${PN}-server +MY_P=${MY_PN}-${PV} +MY_PV=$(ver_rs 1- "_") + +DESCRIPTION="Highly configurable free RADIUS server" +HOMEPAGE="https://www.freeradius.org/"; +SRC_URI="https://github.com/FreeRADIUS/freeradius-server/releases/download/release_${MY_PV}/${MY_P}.tar.bz2"; +S="${WORKDIR}"/${MY_P} + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86" + +IUSE=" + debug firebird iodbc kerberos ldap memcached mysql mongodb odbc oracle pam + postgres python readline redis samba selinux sqlite ssl systemd +" + +RESTRICT="firebird? ( bindist )" + +# NOTE: Temporary freeradius doesn't support linking with mariadb client +# libs also if code is compliant, will be available in the next release. +# (http://lists.freeradius.org/pipermail/freeradius-devel/2018-October/013228.html)a + +# TODO: rlm_mschap works with both samba library or without. I need to avoid +# linking of samba library if -samba is used. + +# TODO: unconditional json-c for now as automagic dep despite efforts to stop it +# ditto libpcap. Can restore USE=rest, USE=pcap if/when fixed. + +DEPEND=" + acct-group/radius + acct-user/radius + dev-libs/libltdl + dev-libs/libpcre + dev-libs/json-c:= + dev-lang/perl:= + net-libs/libpcap + net-misc/curl + sys-libs/gdbm:= + sys-libs/libcap + sys-libs/talloc + virtual/libcrypt:= + firebird? ( dev-db/firebird ) + iodbc? ( dev-db/libiodbc ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap:= ) + memcached? ( dev-libs/libmemcached ) + mysql? ( dev-db/mysql-connector-c:= ) + mongodb? ( >=dev-libs/mongo-c-driver-1.13.0-r1 ) + odbc? ( dev-db/unixODBC ) + oracle? ( dev-db/oracle-instantclient[sdk] ) + pam? ( sys-libs/pam ) + postgres? ( dev-db/postgresql:= ) + python? ( ${PYTHON_DEPS} ) + readline? ( sys-libs/readline:= ) + redis? ( dev-libs/hiredis:= ) + samba? ( net-fs/samba ) + sqlite? ( dev-db/sqlite:3 ) + ssl? ( >=dev-libs/openssl-1.0.2:=[-bindist(-)] ) + systemd? ( sys-apps/systemd:= ) +" +RDEPEND=" + ${DEPEND} + selinux? ( sec-policy/selinux-radius ) +" + +REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" + +# bug #721040 +QA_SONAME="usr/lib.*/libfreeradius-.*.so" + +QA_CONFIG_IMPL_DECL_SKIP=( + # Not available on Linux (bug #900048) + htonll + htonlll +) + +PATCHES=( + "${FILESDIR}"/${PN}-3.2.6-libressl.patch + "${FILESDIR}"/${PN}-3.0.20-systemd-service.patch + "${FILESDIR}"/${PN}-3.2.3-configure-c99.patch +) + +pkg_setup() { + if use python ; then + python-single-r1_pkg_setup + export PYTHONBIN="${EPYTHON}" + fi +} + +src_prepare() { + default + + # Most of the configuration options do not appear as ./configure + # switches. Instead it identifies the directories that are available + # and run through them. These might check for the presence of + # various libraries, in which case they are not built. To avoid + # automagic dependencies, we just remove all the modules that we're + # not interested in using. + # TODO: shift more of these into configure args below as things + # are a bit better now. + use ssl || { rm -r src/modules/rlm_eap/types/rlm_eap_{tls,ttls,peap} || die ; } + use ldap || { rm -r src/modules/rlm_ldap || die ; } + use kerberos || { rm -r src/modules/rlm_krb5 || die ; } + use memcached || { rm -r src/modules/rlm_cache/drivers/rlm_cache_memcached || die ; } + use pam || { rm -r src/modules/rlm_pam || die ; } + + # Drop support for python2 + rm -r src/modules/rlm_python || die + + use python || { rm -r src/modules/rlm_python3 || die ; } + #use rest || { rm -r src/modules/rlm_rest || die ; } + # Do not install ruby rlm module, bug #483108 + rm -r src/modules/rlm_ruby || die + + # These are all things we don't have in portage/I don't want to deal + # with myself. + # + # Requires TNCS library + rm -r src/modules/rlm_eap/types/rlm_eap_tnc || die + # Requires libeap-ikev2 + rm -r src/modules/rlm_eap/types/rlm_eap_ikev2 || die + # Requires some membership.h + rm -r src/modules/rlm_opendirectory || die + # ? + rm -r src/modules/rlm_sql/drivers/rlm_sql_{db2,freetds} || die + + # SQL drivers that are not part of experimental are loaded from a + # file, so we have to remove them from the file itself when we + # remove them. + usesqldriver() { + local flag=$1 + local driver=rlm_sql_${2:-${flag}} + + if ! use ${flag} ; then + rm -r src/modules/rlm_sql/drivers/${driver} || die + sed -i -e /${driver}/d src/modules/rlm_sql/stable || die + fi + } + + sed -i \ + -e 's:^#\tuser = :\tuser = :g' \ + -e 's:^#\tgroup = :\tgroup = :g' \ + -e 's:/var/run/radiusd:/run/radiusd:g' \ + -e '/^run_dir/s:${localstatedir}::g' \ + raddb/radiusd.conf.in || die + + # - Verbosity + # - B uild shared libraries using jlibtool -shared + sed -i \ + -e 's|--silent ||g' \ + -e 's:--mode=\(compile\|link\):& -shared:g' \ + scripts/libtool.mk || die + + # Crude measure to stop jlibtool from running ranlib and ar + sed -i \ + -e '/LIBRARIAN/s|".*"|"true"|g' \ + -e '/RANLIB/s|".*"|"true"|g' \ + scripts/jlibtool.c || die + + usesqldriver mysql + usesqldriver postgres postgresql + usesqldriver firebird + usesqldriver iodbc + usesqldriver odbc unixodbc + usesqldriver oracle + usesqldriver sqlite + usesqldriver mongodb mongo + + eautoreconf +} + +src_configure() { + # Do not try to enable static with static-libs; upstream is a + # massacre of libtool best practices so you also have to make sure + # to --enable-shared explicitly. + local myeconfargs=( + # Revisit confcache when not needing to use ac_cv anymore + # for automagic deps. + #--cache-file="${S}"/config.cache + + --enable-shared + --disable-ltdl-install + --disable-silent-rules + --with-system-libtool + --with-system-libltdl + + --enable-strict-dependencies + --without-rlm_couchbase + --without-rlm_securid + --without-rlm_unbound + --without-rlm_idn + #--without-rlm_json + #$(use_with rest libfreeradius-json) + + # Our OpenSSL should be patched. Avoid false-positive failures. + --disable-openssl-version-check + --with-ascend-binary + --with-udpfromto + --with-dhcp + --with-pcre + --with-iodbc-include-dir=/usr/include/iodbc + --with-experimental-modules + --with-docdir=/usr/share/doc/${PF} + --with-logdir=/var/log/radius + + $(use_enable debug developer) + $(use_with ldap edir) + $(use_with redis rlm_cache_redis) + $(use_with redis rlm_redis) + $(use_with redis rlm_rediswho) + $(use_with ssl openssl) + $(use_with systemd systemd) + ) + + # bug #77613 + if has_version app-crypt/heimdal ; then + myeconfargs+=( --enable-heimdal-krb5 ) + fi + + if use python ; then + myeconfargs+=( + --with-rlm-python3-bin=${EPYTHON} + --with-rlm-python3-config-bin=${EPYTHON}-config + ) + fi + + if ! use readline ; then + export ac_cv_lib_readline=no + fi + + #if ! use pcap ; then + # export ac_cv_lib_pcap_pcap_open_live=no + # export ac_cv_header_pcap_h=no + #fi + + econf "${myeconfargs[@]}" +} + +src_compile() { + # Verbose, do not generate certificates + emake \ + Q='' ECHO=true \ + LOCAL_CERT_PRODUCTS='' +} + +src_install() { + dodir /etc + + diropts -m0750 -o root -g radius + dodir /etc/raddb + + diropts -m0750 -o radius -g radius + dodir /var/log/radius + + keepdir /var/log/radius/radacct + diropts + + # - Verbose, do not install certificates + # - Parallel install fails (bug #509498) + emake -j1 \ + Q='' ECHO=true \ + LOCAL_CERT_PRODUCTS='' \ + R="${D}" \ + install + + if use pam ; then + pamd_mimic_system radiusd auth account password session + fi + + # bug #711756 + fowners -R radius:radius /etc/raddb + fowners -R radius:radius /var/log/radius + + dodoc CREDITS + + rm "${ED}"/usr/sbin/rc.radiusd || die + + newinitd "${FILESDIR}"/radius.init-r4 radiusd + newconfd "${FILESDIR}"/radius.conf-r6 radiusd + + if ! use systemd ; then + # If systemd builtin is not enabled we need use Type=Simple + # as systemd .service + sed -i -e 's:^Type=.*::g' \ + -e 's:^WatchdogSec=.*::g' -e 's:^NotifyAccess=all.*::g' \ + "${S}"/debian/freeradius.service + fi + + systemd_dounit "${S}"/debian/freeradius.service + + find "${ED}" \( -name "*.a" -o -name "*.la" \) -delete || die +} + +pkg_config() { + if use ssl ; then + cd "${ROOT}"/etc/raddb/certs || die + + ./bootstrap || die "Error while running ./bootstrap script." + chown root:radius "${ROOT}"/etc/raddb/certs || die + chown root:radius "${ROOT}"/etc/raddb/certs/ca.pem || die + chown root:radius "${ROOT}"/etc/raddb/certs/server.{key,crt,pem} || die + fi +} + +pkg_preinst() { + if ! has_version ${CATEGORY}/${PN} && use ssl ; then + elog "You have to run \`emerge --config =${CATEGORY}/${PF}\` to be able" + elog "to start the radiusd service." + fi +}
