Avoid segfault when trying to use MD4 with legacy provider disabled

OpenSSL legacy provider should be enabled in order to use MD4 algorithm.

Related: #1978216
Signed-off-by: Antonio Torres <antorres@redhat.com>
Antonio Torres 2022-01-13 14:04:05 +01:00
parent 76fc6be83c
commit 39a61df66f
2 changed files with 17 additions and 7 deletions


@ -4,6 +4,9 @@ Subject: [PATCH] Backport OpenSSL3 fixes from 3.0.26
Backport TLS and OpenSSL3 fixes from the future 3.0.26 FreeRADIUS release. Backport TLS and OpenSSL3 fixes from the future 3.0.26 FreeRADIUS release.
Additionally include checks to avoid segfault when trying to use MD4 algorithm
while having OpenSSL legacy provider disabled.
Related: rhbz#1978216 Related: rhbz#1978216
Signed-off-by: Antonio Torres <antorres@redhat.com> Signed-off-by: Antonio Torres <antorres@redhat.com>
--- ---
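Review bot: The added description lines ("Additionally include checks to avoid segfault when trying to use MD4 algorithm while having OpenSSL legacy provider disabled.") fold a separate change into a patch whose subject is still "Backport OpenSSL3 fixes from 3.0.26", so the patch is no longer only the backport its subject names. Consider carrying the MD4 init check as its own patch file with its own subject, so the backport can be dropped unchanged once the package moves to a release that includes it and the extra check can be reviewed separately.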
@ -11,7 +14,7 @@ Signed-off-by: Antonio Torres <antorres@redhat.com>
src/include/build.h | 25 +- src/include/build.h | 25 +-
src/include/libradius.h | 23 +- src/include/libradius.h | 23 +-
src/include/listen.h | 24 +- src/include/listen.h | 24 +-
src/include/md4.h | 46 +- src/include/md4.h | 49 +-
src/include/md5.h | 29 +- src/include/md5.h | 29 +-
src/include/openssl3.h | 109 ++ src/include/openssl3.h | 109 ++
src/include/tls-h | 32 +- src/include/tls-h | 32 +-
@ -61,7 +64,7 @@ Signed-off-by: Antonio Torres <antorres@redhat.com>
src/modules/rlm_wimax/milenage.h | 128 ++ src/modules/rlm_wimax/milenage.h | 128 ++
src/modules/rlm_wimax/rlm_wimax.c | 429 ++++- src/modules/rlm_wimax/rlm_wimax.c | 429 ++++-
src/tests/keywords/md4 | 58 + src/tests/keywords/md4 | 58 +
54 files changed, 5580 insertions(+), 1114 deletions(-) 54 files changed, 5583 insertions(+), 1114 deletions(-)
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index 724e1f7ff6..53dd04ec9a 100644 index 724e1f7ff6..53dd04ec9a 100644
@ -377,10 +380,10 @@ index 4f50bbf808..b395aeb046 100644
RADCLIENT_LIST *clients; RADCLIENT_LIST *clients;
diff --git a/src/include/md4.h b/src/include/md4.h diff --git a/src/include/md4.h b/src/include/md4.h
index b7bdd6a15e..21317f2c72 100644 index b7bdd6a15e..f3801728c8 100644
--- a/src/include/md4.h --- a/src/include/md4.h
+++ b/src/include/md4.h +++ b/src/include/md4.h
@@ -71,14 +71,58 @@ void fr_md4_final(uint8_t out[MD4_DIGEST_LENGTH], FR_MD4_CTX *ctx) @@ -71,14 +71,61 @@ void fr_md4_final(uint8_t out[MD4_DIGEST_LENGTH], FR_MD4_CTX *ctx)
void fr_md4_transform(uint32_t buf[4], uint8_t const inc[MD4_BLOCK_LENGTH]) void fr_md4_transform(uint32_t buf[4], uint8_t const inc[MD4_BLOCK_LENGTH])
CC_BOUNDED(__size__, 1, 4, 4) CC_BOUNDED(__size__, 1, 4, 4)
CC_BOUNDED(__minbytes__, 2, MD4_BLOCK_LENGTH); CC_BOUNDED(__minbytes__, 2, MD4_BLOCK_LENGTH);
@ -416,7 +419,10 @@ index b7bdd6a15e..21317f2c72 100644
+ ctx->len = MD4_DIGEST_LENGTH; + ctx->len = MD4_DIGEST_LENGTH;
+ +
+ EVP_MD_CTX_set_flags(ctx->ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_MD_CTX_set_flags(ctx->ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(ctx->ctx, ctx->md, NULL); + if (EVP_DigestInit_ex(ctx->ctx, ctx->md, NULL) != 1) {
+ fprintf(stderr, "Couldn't init MD4 algorithm. Enable OpenSSL legacy provider.\n");
+ exit(EXIT_FAILURE);
+ }
+} +}
+ +
+static inline void fr_md4_update(FR_MD4_CTX *ctx, uint8_t const *in, size_t inlen) +static inline void fr_md4_update(FR_MD4_CTX *ctx, uint8_t const *in, size_t inlen)
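Review bot: The error path added around EVP_DigestInit_ex calls exit(EXIT_FAILURE) from an inline helper in md4.h, so the first MD4 use without the legacy provider still terminates the whole process, only with a message instead of a segfault. For a long-running RADIUS daemon that means an authentication request that needs MD4 can still take the service down, and the fprintf(stderr, ...) text may never reach the server log once stderr is detached. Consider probing MD4 availability once at startup and refusing to start (or disabling the MD4-dependent modules) with a message through the server's own logging, and having this init path report failure to its caller rather than exiting. The message could also name what to change, for example the providers section of the OpenSSL configuration file, since "Enable OpenSSL legacy provider" gives the operator no location.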


@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server Summary: High-performance and highly configurable free RADIUS server
Name: freeradius Name: freeradius
Version: 3.0.21 Version: 3.0.21
Release: 23%{?dist} Release: 24%{?dist}
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
URL: http://www.freeradius.org/ URL: http://www.freeradius.org/
@ -855,7 +855,11 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog %changelog
* Mon Oct 18 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-23 * Thu Jan 13 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-24
- Avoid segfault when trying to use MD4 without legacy provider
Related: rhbz#1978216
* Wed Jan 12 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-23
- Backport OpenSSL3 fixes - Backport OpenSSL3 fixes
Related: rhbz#1978216 Related: rhbz#1978216
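Review bot: In the %changelog hunk the existing 3.0.21-23 entry changes its date from "Mon Oct 18 2021" to "Wed Jan 12 2022" in the same commit that adds the 3.0.21-24 entry, and the commit message does not mention it. If the old date was wrong, say so in the commit message; otherwise leave the -23 entry as it was and only add the new -24 entry above it, so the changelog history stays consistent with the builds already made.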