Merge branch 'master' into internal_encode_overflow_const

.github/actions/ci-tests/action.yml

@@ -57,6 +57,10 @@ inputs:
     description: SMTP server SMTP port
     default: 2525
 
+  memcached_test_server:
+    description: Memcached server host
+    default: 127.0.0.1
+
   use_docker:
     desription: True if running in a Docker container
     default: false
@@ -90,8 +94,9 @@ runs:
     - name: Set up repositories
       shell: bash
       run: |
-        wget -O - https://openresty.org/package/pubkey.gpg | sudo apt-key add -
-        echo "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/openresty.list
+        sudo install -d -o root -g root -m 0755 /etc/apt/keyrings
+        curl -s https://openresty.org/package/pubkey.gpg | sudo tee /etc/apt/keyrings/openresty.asc
+        echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/openresty.asc] http://openresty.org/package/ubuntu $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/openresty.list
 
         sudo apt-get update
 
@@ -104,6 +109,7 @@ runs:
           389-ds \
           dovecot-imapd \
           exim4 \
+          memcached \
           openresty \
           redis-server \
           slapd
@@ -140,7 +146,7 @@ runs:
         sudo sh -c "echo host  all all 127.0.0.1/32 trust >  /etc/postgresql/$PG_VER/main/pg_hba.conf"
         sudo sh -c "echo local all all              trust >> /etc/postgresql/$PG_VER/main/pg_hba.conf"
 
-        sudo systemctl start mysql postgresql redis-server
+        sudo systemctl start mysql postgresql redis-server memcached
 
         mysql -h 127.0.0.1 -uroot -proot -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '';";
 
@@ -155,6 +161,7 @@ runs:
       run: |
         mysql -h ${{ inputs.sql_mysql_test_server }} -u root -e "CREATE USER 'radius'@'%' IDENTIFIED WITH mysql_native_password; ALTER USER 'radius'@'%' IDENTIFIED BY 'radpass';"
         mysql -h ${{ inputs.sql_mysql_test_server }} -u root -e "GRANT ALL ON radius.* TO 'radius'; FLUSH PRIVILEGES;"
+        memcached -u memcache -d
 
     - name: Setup databases
       shell: bash
@@ -229,6 +236,7 @@ runs:
         PERSISTENT_SEARCH_TEST_SERVER: ldap://${{ inputs.ldap389_test_server }}:${{ inputs.ldap389_test_server_port }}/
         ACTIVE_DIRECTORY_TEST_SERVER: ${{ inputs.active_directory_test_server }}
         WINBIND_TEST_SERVER: ${{ inputs.active_directory_test_server }}
+        MSCHAP_TEST_SERVER: ${{ inputs.active_directory_test_server }}
         REST_TEST_SERVER: ${{ inputs.rest_test_server }}
         REST_TEST_SERVER_PORT: ${{ inputs.rest_test_port }}
         REST_TEST_SERVER_SSL_PORT: ${{ inputs.rest_test_ssl_port }}
@@ -240,6 +248,7 @@ runs:
         IMAP_TEST_SERVER: ${{ inputs.imap_test_server }}
         IMAP_TEST_SERVER_PORT: ${{ inputs.imap_test_server_port }}
         IMAP_TEST_SERVER_SSL_PORT: ${{ inputs.imap_test_server_ssl_port }}
+        CACHE_MEMCACHED_TEST_SERVER: ${{ inputs.memcached_test_server }}
 
     # Restore ucf
     - name: Restore ucf

.github/actions/freeradius-deps/action.yml

@@ -71,15 +71,17 @@ runs:
     - name: NetworkRADIUS signing key
       if: ${{ runner.os != 'macOS' }}
       shell: bash
-      run: sudo /bin/sh -c "curl -sS https://packages.inkbridgenetworks.com/pgp/packages%40networkradius.com | APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=yes apt-key add -"
+      run: |
+        sudo install -d -o root -g root -m 0755 /etc/apt/keyrings
+        curl -s 'https://packages.inkbridgenetworks.com/pgp/packages.networkradius.com.asc' | sudo tee /etc/apt/keyrings/packages.networkradius.com.asc > /dev/null
 
     - name: Set up NetworkRADIUS extras repository
       if: ${{ runner.os != 'macOS' }}
       shell: bash
       run: |
         DIST=$(lsb_release -is | tr '[:upper:]' '[:lower:]')
         RELEASE=$(lsb_release -cs)
-        sudo /bin/sh -c "echo \"deb http://packages.networkradius.com/extras/${DIST}/${RELEASE} ${RELEASE} main\" \
+        sudo /bin/sh -c "echo \"deb [arch=amd64 signed-by=/etc/apt/keyrings/packages.networkradius.com.asc] http://packages.networkradius.com/extras/${DIST}/${RELEASE} ${RELEASE} main\" \
           > /etc/apt/sources.list.d/networkradius-extras.list"
 
     #  Currently GitHub runners have a conflicting version of libhashkit2 installed which breaks dependency installation

.github/workflows/ci-deb.yml

@@ -102,7 +102,9 @@ jobs:
         apt-get install -y --no-install-recommends make gcc libc6-dev equivs file curl gnupg2 lsb-release
 
     - name: NetworkRADIUS signing key
-      run: curl -sS https://packages.inkbridgenetworks.com/pgp/packages%40networkradius.com | APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=yes apt-key add -
+      run: |
+        install -d -o root -g root -m 0755 /etc/apt/keyrings
+        curl -s 'https://packages.inkbridgenetworks.com/pgp/packages.networkradius.com.asc' | tee /etc/apt/keyrings/packages.networkradius.com.asc > /dev/null
 
     - name: Set up NetworkRADIUS extras repository
       run: |
@@ -112,7 +114,7 @@ jobs:
             RELEASE=$(cat /etc/debian_version | awk -F \/ '{ print $(NF) }')
         fi
         [ "$RELEASE" != "trixie" ] || RELEASE=sid
-        echo "deb http://packages.networkradius.com/extras/${DIST}/${RELEASE} ${RELEASE} main" \
+        echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/packages.networkradius.com.asc] http://packages.networkradius.com/extras/${DIST}/${RELEASE} ${RELEASE} main" \
           > /etc/apt/sources.list.d/networkradius-extras.list
 
     - name: Update apt repository lists
@@ -224,7 +226,9 @@ jobs:
         apt-get install -y --no-install-recommends procps curl gnupg2 ca-certificates lsb-release
 
     - name: NetworkRADIUS signing key
-      run: curl -sS https://packages.inkbridgenetworks.com/pgp/packages%40networkradius.com | APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=yes apt-key add -
+      run: |
+        install -d -o root -g root -m 0755 /etc/apt/keyrings
+        curl -s 'https://packages.inkbridgenetworks.com/pgp/packages.networkradius.com.asc' | tee /etc/apt/keyrings/packages.networkradius.com.asc > /dev/null
 
     - name: Set up NetworkRADIUS extras repository
       run: |
@@ -234,7 +238,7 @@ jobs:
             RELEASE=$(cat /etc/debian_version | awk -F \/ '{ print $(NF) }')
         fi
         [ "$RELEASE" != "trixie" ] || RELEASE=sid
-        echo "deb http://packages.networkradius.com/extras/${DIST}/${RELEASE} ${RELEASE} main" \
+        echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/packages.networkradius.com.asc] http://packages.networkradius.com/extras/${DIST}/${RELEASE} ${RELEASE} main" \
           > /etc/apt/sources.list.d/networkradius-extras.list
 
     - name: Update apt repository lists

.github/workflows/ci-freebsd.yml

@@ -82,7 +82,7 @@ jobs:
             openldap25-client    \
             python3              \
             py311-pip            \
-            postgresql12-client  \
+            postgresql14-client  \
             sqlite3              \
             talloc               \
             unixODBC

.github/workflows/ci-macos.yml

@@ -46,7 +46,7 @@ jobs:
       fail-fast: false
       matrix:
         env:
-          - { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG",         LIBS_OPTIONAL: yes, LIBS_ALT: no,  TEST_TYPE: macos,    OS: macos-12,     NAME: macos-clang         }
+          - { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG",         LIBS_OPTIONAL: yes, LIBS_ALT: no,  TEST_TYPE: macos,    OS: macos-14,     NAME: macos-clang         }
 
     env: ${{ matrix.env }}
 
@@ -98,7 +98,6 @@ jobs:
           mariadb \
           make \
           mruby \
-          [email protected] \
           openssl \
           [email protected] \
           talloc

.github/workflows/ci-scheduled-fuzzing.yml

@@ -273,7 +273,10 @@ jobs:
       run: |
         export FILE=src/tests/fuzzer-corpus/$PROTOCOL.tar
         if ! git diff --exit-code "$FILE"; then
-          sudo pip3 install --force-reinstall -I -U pyOpenSSL
+          sudo apt-get install -y python3-venv
+          python3 -m venv ~/.venv
+          . ~/.venv/bin/activate
+          pip install --force-reinstall -I -U pyOpenSSL
           pip install PyGithub
           git add "$FILE"
           OID="$(git lfs ls-files -l -I "$FILE" | cut -f1 -d ' ')"

.github/workflows/ci.yml

@@ -226,81 +226,25 @@ jobs:
 #                            FREERADIUS CORE DEVELOPERS ONLY
 ##########################################################################################
 #
-#  Direct push access to the main freeradius-server repo will be disabled in an attempt
-#  to keep CI passing reliably.
+#  If the above CI checks pass on a branch named after the developer, then the branch will
+#  automatically be merged into master.
 #
-#  If the above CI checks pass then we auto-merge into the same upstream branch
-#  (only on push) if a PERSONAL_ACCESS_TOKEN secret is defined, i.e. when
-#  the actor claims to be a FreeRADIUS developer with push access.
+#  This allows developers to access the significantly faster self-hosted runners, with
+#  minimal additional work.  It also prevents them inadvertently from introducing changes
+#  that break the CI for everyone else.
 #
-#  Personal access tokens can be generated via the GitHub website:
+#  Note: Changes will ONLY be merged into master if CI passes.
 #
-#  - Click on the Profile menu (top right)
-#    > Settings
-#    > Developer settings
-#    > Personal access tokens
-#    > Generate New Token
-#  - Next, add the following settings and scopes:
-#    Note: FreeRADIUS CI Push
-#    repo (checked)
-#    workflow (checked)
+#  Multiple automatic-merge behaviours are supported:
+#  - If the branch name ends in '/merge', then the branch will be merged into master, potentially
+#    creating a merge commit.
+#  - If the branch name ends in '/ff', then master will be fast forwarded to the HEAD commit of
+#    the branch.  This is the default if no suffix is provided.
 #
-#  This will allow any git operations using this PERSONAL_ACCESS_TOKEN to commit code to any
-#  public repository you have access to.
-#
-#  As this PERSONAL_ACCESS_TOKEN will only ever be accessible from GitHub actions when they are
-#  running from your fork of the FreeRADIUS repo, this shouldn't be a security issue.
-#
-#  After generating your PERSONAL_ACCESS_TOKEN you will need to add it as a secret to your
-#  repository.
-#
-#  - Copy your new token
-#  - Click on the Profile menu (top right)
-#    > Your repositories
-#  - Search for freeradius-server
-#    > Click freeradius-server
-#  - Click settings in the tabs on the left
-#  - Click secrets in the menu items on the left
-#  - Click New repository secret
-#  - Name: PERSONAL_ACCESS_TOKEN
-#    Value: <value you copied>
-#  - Click Add secret
-#
-#  You may also wish to set a different pushurl for your local repository to make integration
-#  more seamless:
-#
-#  git config remote.origin.pushurl [email protected]:<github_user>/freeradius-server.git
-#
-#  git pull will then pull from the upstream repo, whilst git push will be directed to your fork.
-#
-
-  #
-  #  Needed because secrets are not available for evaluation in if conditions
-  #  at the job level, so we evaluate the existence of the PERSONAL_ACCESS_TOKEN secret
-  #  within a step and export the result instead. We also extract the short
-  #  branch name here because it's convenient to do so.
-  #
-  merge-preflight:
-    needs:
-      - ci
-    if: ( github.event_name == 'push' ) && ( github.repository_owner != 'FreeRADIUS' ) && ( github.ref == 'refs/heads/master' || github.ref == 'refs/heads/v3.0.x' )
-    name: "Merge preflight"
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Report whether PERSONAL_ACCESS_TOKEN secret exists"
-        id: merge-preflight
-        run: |
-          if [ -n "$PERSONAL_ACCESS_TOKEN" ]; then echo "PERSONAL_ACCESS_TOKEN_EXISTS=1" >> $GITHUB_OUTPUT; fi
-        env:
-          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
-    outputs:
-      PERSONAL_ACCESS_TOKEN_EXISTS: ${{ steps.merge-preflight.outputs.PERSONAL_ACCESS_TOKEN_EXISTS }}
-
   merge-upstream:
+    if: ${{ ( github.repository_owner == 'FreeRADIUS' ) && ( github.event_name == 'push' ) && (startsWith(github.ref, format('refs/heads/developer/{0}', github.actor))) }}
     needs:
       - ci
-      - merge-preflight
-    if: needs.merge-preflight.outputs.PERSONAL_ACCESS_TOKEN_EXISTS == '1'
     runs-on: ubuntu-latest
     name: "Merge into upstream"
     steps:
@@ -309,26 +253,42 @@ jobs:
           fetch-depth: 0
           lfs: false
           persist-credentials: false
-      #  Note: This also opportunistically updates the developer's branch with commits from
-      #  the main repository.
-      #  This update may fail if the developer has pushed additional commits since the
-      #  workflow started.  This is normal, and we ignore the failure.
+
+      - name: Set up Git with `GITHUB_TOKEN`
+        run: |
+          git config --global url."https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/".insteadOf "https://github.com/"
+          git config --global user.name "GitHub Actions"
+          git config --global user.email "[email protected]"
+          git config --global commit.gpgSign true
+          git config --global gpg.format ssh
+
+      # First, as this was a shallow checkout, and only the user's branch was fetched, we need
+      # to fetch the rest of the branches, and more history.
       #
-      #  We fixup the origin URL as the default remote fails on push with:
-      #    fatal: could not read Username for 'https://github.com': No such device or address
+      # Then, we attempt to checkout the master branch, and merge the user's branch into it.
       - name: "Merge into upstream dev branch and update local branch"
+        if: endsWith(github.ref, '/merge')
         run: |
-          BRANCH=${GITHUB_REF#refs/heads/}
-          git config --local user.name "github-actions[bot]"
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git remote add upstream https://$USERNAME:[email protected]/FreeRADIUS/freeradius-server.git
-          git remote set-url origin https://$USERNAME:[email protected]/$REPO_NAME
-          git fetch --no-recurse-submodules upstream +refs/heads/*:refs/remotes/upstream/* +refs/tags/*:refs/tags/upstream/*
-          git checkout --progress --force -B upstream-branch "refs/remotes/upstream/$BRANCH"
-          git merge "$BRANCH" --ff-only
-          git push upstream "upstream-branch:$BRANCH"
-          git push origin "upstream-branch:$BRANCH" || true
-        env:
-          USERNAME: ${{ github.repository_owner }}
-          REPO_NAME: ${{ github.repository }}
-          REPO_KEY: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          git fetch --depth=1000 --no-recurse-submodules origin +refs/heads/*:refs/remotes/origin/*
+
+          echo "Merging master into user branch: ${GITHUB_REF_NAME}"
+          git checkout --progress --force -B master origin/master
+          git merge --no-commit --no-edit "${GITHUB_REF_NAME}"
+
+          echo "Pushing to user branch: ${GITHUB_REF_NAME}"
+          git push origin "HEAD:${GITHUB_REF_NAME}"
+
+          echo "Pushing to master"
+          git push origin HEAD:master
+
+      - name: "Fast forward upstream"
+        if: endsWith(github.ref, "/${{ github.actor }}") || endsWith(github.ref, '/ff')
+        run: |
+          git fetch --depth=1000 --no-recurse-submodules origin +refs/heads/*:refs/remotes/origin/*
+
+          echo "Fast forwarding local copy of master to match developer's branch: ${GITHUB_REF_NAME}"
+          git checkout --progress --force -B master origin/master
+          git merge --ff-only "${GITHUB_REF_NAME}"
+
+          echo "Pushing to master"
+          git push origin HEAD:master

debian/freeradius.service

@@ -46,8 +46,19 @@ RestartSec=5
 #  Don't elevate privileges after starting
 NoNewPrivileges=true
 
+# Control socket virtual servers typically create files in
+# the runtime directory.  If this is not kept, FreeRADIUS can't
+# be started in debug mode if those virtual servers are enabled.
+RuntimeDirectoryPreserve=yes
+
 # Allow binding to secure ports, broadcast addresses, and raw interfaces.
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
+#
+# As the process starts as an unprivileged user, we need to assign all capabilities that
+# the process may need.
+#
+# If FreeRADIUS needs to be run as root, AmbientCapabilities should be swapped from
+# CapabilityBoundingSet to limit the capabilities the process is given.
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
 
 # Private /tmp that isn't shared by other processes
 PrivateTmp=true

debian/libfreeradius4.install

@@ -1,6 +1,7 @@
 usr/lib/freeradius/libfreeradius-arp.so
 usr/lib/freeradius/libfreeradius-bfd.so
 usr/lib/freeradius/libfreeradius-bio.so
+usr/lib/freeradius/libfreeradius-bio-config.so
 usr/lib/freeradius/libfreeradius-control.so
 usr/lib/freeradius/libfreeradius-dhcpv4.so
 usr/lib/freeradius/libfreeradius-dhcpv6.so
@@ -12,6 +13,7 @@ usr/lib/freeradius/libfreeradius-internal.so
 usr/lib/freeradius/libfreeradius-io.so
 usr/lib/freeradius/libfreeradius-json.so
 usr/lib/freeradius/libfreeradius-radius.so
+usr/lib/freeradius/libfreeradius-radius-bio.so
 usr/lib/freeradius/libfreeradius-server.so
 usr/lib/freeradius/libfreeradius-sim.so
 usr/lib/freeradius/libfreeradius-tacacs.so