rpms/freeradius
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import freeradius-3.0.17-4.module+el8.0.0+3108+851cb559

Browse Source
This commit is contained in:
CentOS Sources 2019-05-13 00:48:54 -04:00 committed by Andrew Lukoshko
parent 33b3a1c498
commit 1c0a56a4ad
2 changed files with 52 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
SOURCES/freeradius-EAP-PWD-curve-handling.patch Normal file
View File

@ -0,0 +1,45 @@
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index 7f91e4b230..848ca2055e 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
data_len = BN_num_bytes(session->order);
BN_bin2bn(ptr, data_len, session->peer_scalar);
+ /* validate received scalar */
+ if (BN_is_zero(session->peer_scalar) ||
+ BN_is_one(session->peer_scalar) ||
+ BN_cmp(session->peer_scalar, session->order) >= 0) {
+ ERROR("Peer's scalar is not within the allowed range");
+ goto finish;
+ }
+
if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
DEBUG2("pwd: unable to get coordinates of peer's element");
goto finish;
}
+ /* validate received element */
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
+ EC_POINT_is_at_infinity(session->group, session->peer_element)) {
+ ERROR("Peer's element is not a point on the elliptic curve");
+ goto finish;
+ }
+
/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
}
}
+ /* detect reflection attacks */
+ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
+ ERROR("Reflection attack detected");
+ goto finish;
+ }
+
/* compute the shared key, k */
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
(!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||

8
SPECS/freeradius.spec
View File

@ -9,7 +9,7 @@
Summary: High-performance and highly configurable free RADIUS server
Name: freeradius
Version: 3.0.17
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons
URL: http://www.freeradius.org/
@ -36,6 +36,7 @@ Patch4: freeradius-Add-missing-option-descriptions.patch
Patch5: freeradius-OpenSSL-HMAC-MD5.patch
Patch6: freeradius-OpenSSL-HMAC-SHA1.patch
Patch7: freeradius-python2-shebangs.patch
Patch8: freeradius-EAP-PWD-curve-handling.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -221,6 +222,7 @@ This plugin provides the REST support for the FreeRADIUS server project.
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%build
# Force compile/link options, extra security for network facing daemon
@ -848,6 +850,10 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog
* Fri Dec 14 2018 Alexander Scheel <ascheel@redhat.com> - 3.0.17-4
- Fixes two EAP-PWD security issues
Resolves: bz#1699416 authentication bypass with an invalid curve attack
* Fri Dec 14 2018 Alexander Scheel <ascheel@redhat.com> - 3.0.17-2
- Updates radiusd.service to start after network-online.target
Resolves: bz#1637275