import freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9

This commit is contained in:
CentOS Sources 2023-03-28 10:19:47 +00:00 committed by Stepan Oksanichenko
parent 8f703895f5
commit 84f5013871
4 changed files with 256 additions and 1 deletions

View File

@ -0,0 +1,47 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 09 Dec 2022
Subject: Fix crash on invalid abinary data
A malicious RADIUS client or home server can send a malformed abinary
attribute which can cause the server to crash.
Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151706
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/lib/filters.c b/src/lib/filters.c
index 4868cd385d9f..3f3b63daeef3 100644
--- a/src/lib/filters.c
+++ b/src/lib/filters.c
@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
}
}
} else if (filter->type == RAD_FILTER_GENERIC) {
- int count;
+ size_t count, masklen;
+
+ masklen = ntohs(filter->u.generic.len);
+ if (masklen >= sizeof(filter->u.generic.mask)) {
+ *p = '\0';
+ return;
+ }
i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
p += i;
/* show the mask */
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
+ for (count = 0; count < masklen; count++) {
i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
p += i;
outlen -= i;
@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
outlen--;
/* show the value */
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
+ for (count = 0; count < masklen; count++) {
i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
p += i;
outlen -= i;

View File

@ -0,0 +1,115 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 09 Dec 2022
Subject: Fix crash on unknown option in EAP-SIM
When an EAP-SIM supplicant sends an unknown SIM option, the server will try to
look that option up in the internal dictionaries. This lookup will fail, but the
SIM code will not check for that failure. Instead, it will dereference a NULL
pointer, and cause the server to crash.
Backport of:
https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151704
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
index cf1e8a7dd92..e438a844eab 100644
--- a/src/modules/rlm_eap/libeap/eapsimlib.c
+++ b/src/modules/rlm_eap/libeap/eapsimlib.c
@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
newvp->vp_length = 1;
fr_pair_add(&(r->vps), newvp);
+ /*
+ * EAP-SIM has a 1 octet of subtype, and 2 octets
+ * reserved.
+ */
attr += 3;
attrlen -= 3;
- /* now, loop processing each attribute that we find */
- while(attrlen > 0) {
+ /*
+ * Loop over each attribute. The format is:
+ *
+ * 1 octet of type
+ * 1 octet of length (value 1..255)
+ * ((4 * length) - 2) octets of data.
+ */
+ while (attrlen > 0) {
uint8_t *p;
- if(attrlen < 2) {
+ if (attrlen < 2) {
fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
return 0;
}
+ if (!attr[1]) {
+ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", attr[0],
+ es_attribute_count);
+ return 0;
+ }
+
eapsim_attribute = attr[0];
eapsim_len = attr[1] * 4;
+ /*
+ * The length includes the 2-byte header.
+ */
if (eapsim_len > attrlen) {
fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
return 0;
}
- if(eapsim_len > MAX_STRING_LEN) {
- eapsim_len = MAX_STRING_LEN;
- }
- if (eapsim_len < 2) {
- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
- es_attribute_count);
- return 0;
- }
+ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
+ if (!newvp) {
+ /*
+ * RFC 4186 Section 8.1 says 0..127 are
+ * "non-skippable". If one such
+ * attribute is found and we don't
+ * understand it, the server has to send:
+ *
+ * EAP-Request/SIM/Notification packet with an
+ * (AT_NOTIFICATION code, which implies general failure ("General
+ * failure after authentication" (0), or "General failure" (16384),
+ * depending on the phase of the exchange), which terminates the
+ * authentication exchange.
+ */
+ if (eapsim_attribute <= 127) {
+ fr_strerror_printf("Unknown mandatory attribute %d, failing",
+ eapsim_attribute);
+ return 0;
+ }
- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
- newvp->vp_length = eapsim_len-2;
- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
- memcpy(p, &attr[2], eapsim_len-2);
- fr_pair_add(&(r->vps), newvp);
- newvp = NULL;
+ } else {
+ /*
+ * It's known, ccount for header, and
+ * copy the value over.
+ */
+ newvp->vp_length = eapsim_len - 2;
+
+ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+ memcpy(p, &attr[2], newvp->vp_length);
+ fr_pair_add(&(r->vps), newvp);
+ }
/* advance pointers, decrement length */
attr += eapsim_len;

View File

@ -0,0 +1,76 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 09 Dec 2022
Subject: Fix information leakage in EAP-PWD
The EAP-PWD function compute_password_element() leaks information about the
password which allows an attacker to substantially reduce the size of an
offline dictionary attack.
Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index d94851c3aa..9f86b62114 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
#include <freeradius-devel/radiusd.h>
#include <freeradius-devel/modules.h>
+static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
+
/* The random function H(x) = HMAC-SHA256(0^32, x) */
static void H_Init(HMAC_CTX *ctx)
{
@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
uint32_t *token)
{
BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
- HMAC_CTX *ctx = NULL;
+ EVP_MD_CTX *hmac_ctx;
+ EVP_PKEY *hmac_pkey;
uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
int nid, is_odd, primebitlen, primebytelen, ret = 0;
- ctx = HMAC_CTX_new();
- if (ctx == NULL) {
- DEBUG("failed allocating HMAC context");
- goto fail;
- }
+ MEM(hmac_ctx = EVP_MD_CTX_new());
+ MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
switch (grp_num) { /* from IANA registry for IKE D-H groups */
case 19:
@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
* pwd-seed = H(token | peer-id | server-id | password |
* counter)
*/
- H_Init(ctx);
- H_Update(ctx, (uint8_t *)token, sizeof(*token));
- H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
- H_Update(ctx, (uint8_t const *)id_server, id_server_len);
- H_Update(ctx, (uint8_t const *)password, password_len);
- H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
- H_Final(ctx, pwe_digest);
+ EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
BN_clear_free(x_candidate);
BN_clear_free(rnd);
talloc_free(prfbuf);
- HMAC_CTX_free(ctx);
+ EVP_MD_CTX_free(hmac_ctx);
+ EVP_PKEY_free(hmac_pkey);
return ret;
}

View File

@ -9,7 +9,7 @@
Summary: High-performance and highly configurable free RADIUS server
Name: freeradius
Version: 3.0.20
Release: 12%{?dist}
Release: 14%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons
URL: http://www.freeradius.org/
@ -44,6 +44,9 @@ Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
Patch12: freeradius-bootstrap-run-only-once.patch
Patch13: freeradius-Fix-unterminated-strings-in-SQL-queries.patch
Patch14: freeradius-Fix-segfault-when-home_server-is-null.patch
Patch15: freeradius-fix-crash-on-invalid-abinary-data.patch
Patch16: freeradius-fix-crash-unknown-eap-sim.patch
Patch17: freeradius-fix-info-leakage-eap-pwd.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -246,6 +249,9 @@ This plugin provides the REST support for the FreeRADIUS server project.
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
# Add fixed dhparam file to the source to ensure `make tests` can run.
cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
@ -896,6 +902,17 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog
* Fri Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-14
- Fix defect found by Covscan
Resolves: #2151704
* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-13
- Fix multiple CVEs
- Add rpminspect configuration
Resolves: #2151702
Resolves: #2151704
Resolves: #2151706
* Thu Dec 9 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-12
- Fix segfault when home_server is null
Resolves: bz#2030173