From c68771eff52b92a0bc94bebbb4bed62992268141 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kolbj=C3=B8rn=20Barmen?=
Date: Mon, 14 Dec 2015 16:04:00 +0100
Subject: [PATCH] Debian-katalogen for radsecproxy 1.6.2

---
 files/debian/changelog | 68 ++++++++++++
 files/debian/compat | 1 +
 files/debian/control | 19 ++++
 files/debian/copyright | 62 +++++++++++
 files/debian/dirs | 1 +
 files/debian/docs | 1 +
 files/debian/examples | 2 +
 files/debian/init.d | 68 ++++++++++++
 files/debian/lintian-overrides | 1 +
 files/debian/manpages | 2 +
 files/debian/patches/fix_manpages | 24 ++++
 files/debian/patches/series | 1 +
 files/debian/radsecproxy.conf | 179 ++++++++++++++++++++++++++++++
 files/debian/rules | 20 ++++
 files/debian/source/format | 1 +
 files/debian/watch | 5 +
 16 files changed, 455 insertions(+)
 create mode 100644 files/debian/changelog
 create mode 100644 files/debian/compat
 create mode 100644 files/debian/control
 create mode 100644 files/debian/copyright
 create mode 100644 files/debian/dirs
 create mode 100644 files/debian/docs
 create mode 100644 files/debian/examples
 create mode 100644 files/debian/init.d
 create mode 100644 files/debian/lintian-overrides
 create mode 100644 files/debian/manpages
 create mode 100644 files/debian/patches/fix_manpages
 create mode 100644 files/debian/patches/series
 create mode 100644 files/debian/radsecproxy.conf
 create mode 100755 files/debian/rules
 create mode 100644 files/debian/source/format
 create mode 100644 files/debian/watch

diff --git a/files/debian/changelog b/files/debian/changelog
new file mode 100644
index 0000000..bbe20ce
--- /dev/null
+++ b/files/debian/changelog
@@ -0,0 +1,68 @@
+radsecproxy (1.6.2-1) unstable; urgency=high
+
+ * Urgency set to high for a security release.
+ * New upstream release, fixing two security issues:
+ - When verifying clients, don't consider config blocks with CA settings
+ ('tls') which differ from the one used for verifying the certificate
+ chain (RADSECPROXY-43, CVE-2012-4523). Reported by Ralf Paffrath.
+ - Fix the issue with verification of clients when using multiple 'tls'
+ config blocks for DTLS too (RADSECPROXY-43, CVE-2012-4566). Reported by
+ Raphael Geissert.
+ * Drop most of debian/patches/fix_manpages, merged upstream.
+
+ -- Faidon Liambotis Tue, 06 Nov 2012 12:56:27 +0200
+
+radsecproxy (1.6-1) unstable; urgency=low
+
+ * New upstream release.
+ * Enable F-Ticks, a new upstream feature.
+ - Add build dependency on nettle-dev.
+ * Ship upstream's manpages.
+ - Add build dependency on docbook2x.
+ - Add debian/patches/fix_manpages to adapt the manpage to our filepaths.
+ * Ship the radsecproxy-hash binary, used to calculate hashed CSI values.
+ * Use unapply-patches & abort-on-upstream-changes local-options.
+ * Bump debhelper compat to 9, mainly to enable hardening flags.
+ * Bump Standards-Version to 3.9.3, no changes needed.
+ * Add NORDUnet A/S copyright notice to debian/copyright.
+
+ -- Faidon Liambotis Mon, 28 May 2012 15:56:52 +0300
+
+radsecproxy (1.5-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Faidon Liambotis Wed, 16 Nov 2011 20:49:19 +0200
+
+radsecproxy (1.4.3-1) unstable; urgency=low
+
+ * New upstream release.
+ * Change upstream author to Linus Nordberg in debian/copyright.
+ * Switch to 3.0 (quilt) source package format.
+ * Bump debhelper compatibility level to 8.
+ * Update Standards-Version to 3.9.2, no changes needed.
+
+ -- Faidon Liambotis Fri, 22 Jul 2011 20:04:47 +0300
+
+radsecproxy (1.4-1) unstable; urgency=low
+
+ * New upstream release.
+ * Add $remote_fs and $syslog to init script's Required-Start and $named to
+ Should-Start.
+ * Ship naptr-eduroam.sh script along with the README in examples.
+
+ -- Faidon Liambotis Sat, 12 Jun 2010 18:30:04 +0300
+
+radsecproxy (1.3.1-1) unstable; urgency=low
+
+ * New upstream release.
+ * Bump Standards-Version to 3.8.2, no changed needed.
+ * Build-Depend on debhelper >= 7.0.50 because of the use of overrides in dh.
+
+ -- Faidon Liambotis Wed, 05 Aug 2009 12:49:20 +0300
+
+radsecproxy (1.3-1) unstable; urgency=low
+
+ * Initial release. (Closes: #532481)
+
+ -- Faidon Liambotis Tue, 16 Jun 2009 05:13:48 +0300
diff --git a/files/debian/compat b/files/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/files/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/files/debian/control b/files/debian/control
new file mode 100644
index 0000000..7f9a6ce
--- /dev/null
+++ b/files/debian/control
@@ -0,0 +1,19 @@
+Source: radsecproxy
+Section: net
+Priority: optional
+Maintainer: Faidon Liambotis
+Build-Depends: debhelper (>= 9), autotools-dev, libssl-dev, nettle-dev, docbook2x
+Standards-Version: 3.9.3
+Homepage: http://software.uninett.no/radsecproxy/
+
+Package: radsecproxy
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Provides: radius-server
+Description: RADIUS protocol proxy supporting RadSec
+ A generic RADIUS proxy that in addition to usual RADIUS UDP transport also
+ supports TLS (RadSec). It aims to be flexible while at the same time small in
+ size and memory footprint, efficient and easy to configure.
+ .
+ It can be useful as a proxy on site boundaries or in other complex RADIUS
+ routing topologies. It supports both IPv4 and IPv6.
diff --git a/files/debian/copyright b/files/debian/copyright
new file mode 100644
index 0000000..ac4ee41
--- /dev/null
+++ b/files/debian/copyright
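Review bot: The `Depends:` line of the radsecproxy stanza lists only `${shlibs:Depends}, ${misc:Depends}`, yet the init script added in this same commit sources `/lib/lsb/init-functions` and calls `pidofproc`, `log_daemon_msg` and `status_of_proc`, all of which come from the lsb-base package; on a minimal install without it the script aborts before it can start or, more importantly for a security release, stop the daemon. Declare it explicitly: `Depends: ${shlibs:Depends}, ${misc:Depends}, lsb-base (>= 3.2-14)` (3.2-14 is, as far as I recall, the first lsb-base shipping `status_of_proc`; if an older floor is preferred, drop the status action or guard it). The same gap is what lintian's init.d/lsb-base check reports, so it would also keep the package lintian-clean.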
@@ -0,0 +1,62 @@ +This package was debianized by Faidon Liambotis on +Sun, 14 Jun 2009 23:17:51 +0300 + +It was downloaded from: http://software.uninett.no/radsecproxy/ + +Upstream Author: Linus Nordberg + +Copyright: + Copyright (c) 2006-2009 Stig Venaas + Copyright (c) 2006-2010 UNINETT AS + Copyright (c) 2010-2012 NORDUnet A/S + +The Debian packaging is: + Copyright (C) 2009-2012 Faidon Liambotis + +License: + This package is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this package; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + + On Debian systems, the complete text of the GNU General + Public License version 2 can be found in `/usr/share/common-licenses/GPL-2'. + +Alternatively, you can use the following BSD-like license: + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with distribution. + * Neither the name of the UNINETT AS nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. 
+ + THIS SOFTWARE IS PROVIDED BY UNINETT AS ``AS IS'' AND ANY + EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL UNINETT AS BE LIABLE FOR ANY + DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +Please note that for the purpose of this distribution, only the BSD license +applies. This is due to the fact that this package is linking against the +OpenSSL library, which has conflicting terms with the GNU GPL and thus would +render the combined binaries as undistributable. The BSD license has no such +problems and hence this work can be legally distributed. diff --git a/files/debian/dirs b/files/debian/dirs new file mode 100644 index 0000000..2a19875 --- /dev/null +++ b/files/debian/dirs @@ -0,0 +1 @@ +/etc diff --git a/files/debian/docs b/files/debian/docs new file mode 100644 index 0000000..e845566 --- /dev/null +++ b/files/debian/docs @@ -0,0 +1 @@ +README diff --git a/files/debian/examples b/files/debian/examples new file mode 100644 index 0000000..63fd6e7 --- /dev/null +++ b/files/debian/examples @@ -0,0 +1,2 @@ +radsecproxy.conf-example +tools/* diff --git a/files/debian/init.d b/files/debian/init.d new file mode 100644 index 0000000..5ed8f40 --- /dev/null +++ b/files/debian/init.d 
@@ -0,0 +1,68 @@
+#! /bin/sh
+
+### BEGIN INIT INFO
+# Provides: radsecproxy
+# Required-Start: $remote_fs $syslog $network
+# Required-Stop: $remote_fs $syslog
+# Should-Start: $time $named
+# Should-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: RADIUS proxy
+# Description: RADIUS protocol proxy supporting RadSec
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/radsecproxy
+NAME="radsecproxy"
+DESC="RadSec proxy"
+PIDFILE=/var/run/$NAME.pid
+
+. /lib/lsb/init-functions
+
+test -x $DAEMON || exit 0
+
+DAEMON_OPTS="-i $PIDFILE"
+
+case "$1" in
+ start)
+ if pidofproc -p $PIDFILE $DAEMON > /dev/null; then
+ log_failure_msg "Starting $DESC (already started)"
+ exit 0
+ fi
+ if ! $DAEMON -p $DAEMON_OPTS 2> /dev/null; then
+ log_failure_msg "Checking $DESC config syntax"
+ exit 1
+ fi
+ log_daemon_msg "Starting $DESC" "$NAME"
+ start-stop-daemon --start --quiet --pidfile $PIDFILE \
+ --exec $DAEMON -- $DAEMON_OPTS
+ log_end_msg $?
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ start-stop-daemon --stop --quiet --pidfile $PIDFILE \
+ --exec $DAEMON
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_progress_msg "(already stopped)"
+ log_end_msg 0 ;;
+ *) log_end_msg 1 ;;
+ esac
+ ;;
+ force-reload|restart)
+ if ! $DAEMON -p $DAEMON_OPTS 2> /dev/null; then
+ log_failure_msg "Checking $DESC config syntax"
+ exit 1
+ fi
+ $0 stop
+ $0 start
+ ;;
+ status)
+ status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
+ ;;
+ *)
+ echo "Usage: ${0} {start|stop|restart|force-reload|status}" >&2
+ exit 1
+ ;;
+esac
diff --git a/files/debian/lintian-overrides b/files/debian/lintian-overrides
new file mode 100644
index 0000000..5f7c20a
--- /dev/null
+++ b/files/debian/lintian-overrides
@@ -0,0 +1 @@
+radsecproxy: possible-gpl-code-linked-with-openssl
diff --git a/files/debian/manpages b/files/debian/manpages
new file mode 100644
index 0000000..536c5d0
--- /dev/null
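Review bot: The `stop)` branch calls `start-stop-daemon --stop` without `--retry`, so it returns as soon as SIGTERM is sent; in the `force-reload|restart)` branch `$0 start` then runs while the old process may still be shutting down, the `pidofproc` guard in `start)` reports "already started" and exits 0, and the restart silently leaves the old instance with the old configuration running. That matters here because this is the path a security upgrade takes to get the fixed binary into service. Change the stop call to `start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE \` followed by `--name $NAME` (or just the pidfile) rather than `--exec $DAEMON`, since matching on `--exec` can, on older start-stop-daemon versions, fail to find a daemon whose binary was replaced on disk by the upgrade — I have not verified the exact version where that changed. The restart branch also discards the exit status of `$0 stop`; `$0 stop || exit $?` would surface a failed stop instead of proceeding to start.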
+++ b/files/debian/manpages @@ -0,0 +1,2 @@ +radsecproxy.1 +radsecproxy.conf.5 diff --git a/files/debian/patches/fix_manpages b/files/debian/patches/fix_manpages new file mode 100644 index 0000000..08a80e4 --- /dev/null +++ b/files/debian/patches/fix_manpages @@ -0,0 +1,24 @@ +Description: Minor fixes to the manpages (paths) +Author: Faidon Liambotis +Last-Update: 2012-11-06 + +--- a/radsecproxy.conf.5.xml ++++ b/radsecproxy.conf.5.xml +@@ -23,7 +23,7 @@ + When the proxy server starts, it will first check the command + line arguments, and then read the configuration file. Normally + radsecproxy will read the configuration file +- /usr/local/etc/radsecproxy.conf. The command line ++ /etc/radsecproxy.conf. The command line + option can be used to instead read an + alternate file (see + +@@ -103,7 +103,7 @@ blocktype name { + shell globbing to specify multiple files, e.g.: +
+ +- include /usr/local/etc/radsecproxy.conf.d/*.conf ++ include /etc/radsecproxy.conf.d/*.conf + +
+ The files are sorted alphabetically. Included files are read in diff --git a/files/debian/patches/series b/files/debian/patches/series new file mode 100644 index 0000000..a0dcb96 --- /dev/null +++ b/files/debian/patches/series @@ -0,0 +1 @@ +fix_manpages diff --git a/files/debian/radsecproxy.conf b/files/debian/radsecproxy.conf new file mode 100644 index 0000000..fab0578 --- /dev/null +++ b/files/debian/radsecproxy.conf 
@@ -0,0 +1,179 @@ +# Master config file for radsecproxy + +# First you may define any global options, these are: +# +# You can optionally specify addresses and ports to listen on +# Multiple statements can be used for multiple ports/addresses +#ListenUDP *:1814 +#ListenUDP localhost +#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:1812 +#ListenTLS 10.10.10.10:2084 +#ListenTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084 +#ListenDTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084 + +# To specify a certain address/port for UDP/TLS requests you can use e.g. +#SourceUDP 127.0.0.1:33000 +#SourceTCP *:33000 +#SourceTLS *:33001 +#SourceDTLS *:33001 + +# Optional log level. 3 is default, 1 is less, 5 is more +#LogLevel 3 +# Optional LogDestination, else stderr used for logging +# Logging to file +#LogDestination file:///tmp/rp.log +# Or logging with Syslog. LOG_DAEMON used if facility not specified +# The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and +# LOG_LOCAL0, ..., LOG_LOCAL7 +#LogDestination x-syslog:/// +#LogDestination x-syslog:///log_local2 + +# For generating log entries conforming to the F-Ticks system, specify +# FTicksReporting with one of the following values. +# None -- Do not log in F-Ticks format. This is the default. +# Basic -- Do log in F-Ticks format but do not log VISINST. +# Full -- Do log in F-Ticks format and do log VISINST. +# Please note that in order to get F-Ticks logging for a given client, +# its matching client configuration block has to contain the +# fticksVISCOUNTRY option. + +# You can optionally specify FTicksMAC in order to determine if and +# how Calling-Station-Id (users Ethernet MAC address) is being logged. +# Static -- Use a static string as a placeholder for +# Calling-Station-Id. +# Original -- Log Calling-Station-Id as-is. +# VendorHashed -- Keep first three segments as-is, hash the rest. +# VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key. This +# is the default. +# FullyHashed -- Hash the entire string. 
+# FullyKeyHashed -- Like FullyHashed but salt with F-Ticks-Key. + +# In order to use FTicksMAC with one of VendorKeyHashed or +# FullyKeyHashed, specify a key with FTicksKey. +# FTicksKey + +# Default F-Ticks configuration: +#FTicksReporting None +#FTicksMAC Static + +# You can optionally specify FTicksSyslogFacility to use a dedicated +# syslog facility for F-Ticks messages. This allows for easier filtering +# of F-Ticks messages. +# F-Ticks messages are always logged using the log level LOG_DEBUG. +# Note that specifying a file (using the file:/// prefix) is not supported. +#FTicksSyslogFacility log_local1 +#FTicksSyslogFacility x-syslog:///log_local1 + +# There is an option for doing some simple loop prevention. Note that +# the LoopPrevention directive can be used in server blocks too, +# overriding what's set here in the basic settings. +#LoopPrevention on +# Add TTL attribute with value 20 if not present (prevents endless loops) +#AddTTL 20 + +# If we have TLS clients or servers we must define at least one tls block. +# You can name them whatever you like and then reference them by name when +# specifying clients or servers later. There are however three special names +# "default", "defaultclient" and "defaultserver". If no name is defined for +# a client, the "defaultclient" block will be used if it exists, if not the +# "default" will be used. For a server, "defaultserver" followed by "default" +# will be checked. +# +# The simplest configuration you can do is: +#tls default { + # You must specify at least one of CACertificateFile or CACertificatePath + # for TLS to work. 
We always verify peer certificate (client and server) + # CACertificateFile /etc/ssl/certs/ca-certificates.crt + # CACertificatePath /etc/ssl/certs + + # You must specify the below for TLS, we always present our certificate + # CertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + # CertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + # Optionally specify password if key is encrypted (not very secure) + # CertificateKeyPassword "follow the white rabbit" + # + # Optionally enable CRL checking + # CRLCheck on + # Optionally specify how long CAs and CRLs are cached, default forever + # CacheExpiry 3600 + # + # Optionally require that peer certs have one of the specified policyOIDs + # policyoid 1.2.3 # this option can be used multiple times + # policyoid 1.3.4 +#} + +# If you want one cert for all clients and another for all servers, use +# defaultclient and defaultserver instead of default. If we wanted some +# particular server to use something else you could specify a block +# "tls myserver" and then reference that for that server. If you always +# name the tls block in the client/server config you don't need a default + +# Now we configure clients, servers and realms. Note that these and +# also the lines above may be in any order, except that a realm +# can only be configured to use a server that is previously configured. + +# A realm can be a literal domain name, * which matches all, or a +# regexp. A regexp is specified by the character prefix / +# For regexp we do case insensitive matching of the entire username string. +# The matching of realms is done in the order they are specified, using the +# first match found. Some examples are +# "@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$". +# To treat local users separately you might try first specifying "@" +# and after that "*". + +# Configure a rewrite block if you want to add/remove/modify attributes +# rewrite example { +# # Remove NAS-Port. 
+# removeAttribute 5 +# # Remove vendor attribute 100. +# removeVendorAttribute 99:100 +# # Called-Station-Id = "123456" +# addAttribute 30:123456 +# # Vendor-99-Attr-101 = 0x0f +# addVendorAttribute 99:101:%0f +# # Change users @local to @example.com. +# modifyAttribute 1:/^(.*)@local$/\1@example.com/ +# } + +# An example client +#client [2001:db8::1] { +# # type can be one of tcp, udp, tls, dtls +# type udp +# # secret is optional for TLS/DTLS +# secret secret +# # Might do rewriting of incoming messages using rewrite block example +# rewriteIn example +# # Can also do rewriting of outgoing messages +# rewriteOut example +# # if also want to use this server for accounting, specify +# accountingServer 127.0.0.1 +# # statusserver is optional, can be on or off. Off is default +# StatusServer on +#} + +# Equivalent to example.com +#realm /@example\.com$ { +# server 2001:db8::1 +#} + +# One can define a realm without servers, the proxy will then reject +# and requests matching this. Optionally one can specify ReplyMessage +# attribute to be included in the reject message. One can also use +# AccountingResponse option to specify that the proxy should send such. +#realm /\.com$ { +#} +# +#realm /^anonymous$ { +# replymessage "No Access" +# AccountingResponse On +#} + +# example config for localhost, rejecting all users +client 127.0.0.1 { + type udp + secret testing123 +} + +realm * { + replymessage "User unknown" +} diff --git a/files/debian/rules b/files/debian/rules new file mode 100755 index 0000000..5482554 --- /dev/null +++ b/files/debian/rules 
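Review bot: The only active blocks in the shipped /etc/radsecproxy.conf are `client 127.0.0.1 { type udp / secret testing123 }` and `realm * { replymessage "User unknown" }`; the well-known secret is inert only because the catch-all realm rejects every request, and nothing in the file says that, so an admin who adds a real realm below it keeps a published shared secret on the loopback client. Add a comment above the block: `# NOTE: placeholder secret for the localhost test client; change it before` / `# adding any realm that forwards to a real server`. The F-Ticks commentary earlier in the same file says VendorKeyHashed "is the default" while the "Default F-Ticks configuration" lines show `#FTicksMAC Static`; one of the two statements is wrong and the two should be reconciled (which one is correct depends on the 1.6.2 upstream default, which I cannot confirm from the hunk). The commented `tls default` template might also note that `CRLCheck` is off and `CacheExpiry` is unlimited unless set, since the comment on `CacheExpiry` already says "default forever".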
@@ -0,0 +1,20 @@
+#!/usr/bin/make -f
+#export DH_VERBOSE=1
+
+%:
+ dh $@
+
+override_dh_auto_configure:
+ dh_auto_configure -- --enable-fticks
+
+override_dh_auto_install:
+ dh_auto_install
+ # remove useless/sparsely used binary
+ rm -f debian/radsecproxy/usr/bin/radsecproxy-conf
+ # while they don't need root, they're not really users' material
+ mv -n debian/radsecproxy/usr/bin/* debian/radsecproxy/usr/sbin/
+ rmdir --ignore-fail-on-non-empty debian/radsecproxy/usr/bin
+ # remove the example config with the wrong filename
+ # and install a prepared config that works by default
+ rm -f debian/radsecproxy/etc/radsecproxy.conf-example
+ cp debian/radsecproxy.conf debian/radsecproxy/etc/radsecproxy.conf
diff --git a/files/debian/source/format b/files/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/files/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/files/debian/watch b/files/debian/watch
new file mode 100644
index 0000000..eefcb7c
--- /dev/null
+++ b/files/debian/watch
@@ -0,0 +1,5 @@
+# Compulsory line, this is a version 3 file
+version=3
+
+opts="uversionmangle=s/-(alpha|beta)/~$1/" \
+http://software.uninett.no/radsecproxy/index.php?page=download radsecproxy-(.*)\.tar\.gz
-- 
GitLab
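Review bot: `cp debian/radsecproxy.conf debian/radsecproxy/etc/radsecproxy.conf` in `override_dh_auto_install` installs the configuration with the default mode, and `dh_fixperms` later resets group/other permissions so the file lands as 0644; every local user can then read the `secret` line the shipped file already contains and any `CertificateKeyPassword` or real client secrets an admin adds. Since the init script runs the daemon as root, root:root 0640 is enough; add `override_dh_fixperms:` / `dh_fixperms` / `chmod 0640 debian/radsecproxy/etc/radsecproxy.conf` — the chmod must come after dh_fixperms, not in the install override, or it is undone. Separately, `mv -n debian/radsecproxy/usr/bin/* debian/radsecproxy/usr/sbin/` silently skips any name that already exists in usr/sbin, so a future upstream that installs both would leave a stray binary in usr/bin without the build noticing; `mv` without `-n` (or an explicit list) fails loudly instead.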