From 8860ba35d17a39c3413eb8e354163c4355217af8 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 16 May 2023 06:11:38 +0000
Subject: [PATCH] import freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9

---
 ...us-fix-crash-on-invalid-abinary-data.patch |  47 +++++++
 ...freeradius-fix-crash-unknown-eap-sim.patch | 115 ++++++++++++++++++
 .../freeradius-fix-info-leakage-eap-pwd.patch |  76 ++++++++++++
 SPECS/freeradius.spec                         |  19 ++-
 4 files changed, 256 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch
 create mode 100644 SOURCES/freeradius-fix-crash-unknown-eap-sim.patch
 create mode 100644 SOURCES/freeradius-fix-info-leakage-eap-pwd.patch

diff --git a/SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch b/SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch
new file mode 100644
index 0000000..4269fc2
--- /dev/null
+++ b/SOURCES/freeradius-fix-crash-on-invalid-abinary-data.patch
@@ -0,0 +1,47 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 09 Dec 2022
+Subject: Fix crash on invalid abinary data
+
+A malicious RADIUS client or home server can send a malformed abinary
+attribute which can cause the server to crash.
+
+Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151706
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+diff --git a/src/lib/filters.c b/src/lib/filters.c
+index 4868cd385d9f..3f3b63daeef3 100644
+--- a/src/lib/filters.c
++++ b/src/lib/filters.c
+@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+ 			}
+ 		}
+ 	} else if (filter->type == RAD_FILTER_GENERIC) {
+-		int count;
++		size_t count, masklen;
++
++		masklen = ntohs(filter->u.generic.len);
++		if (masklen >= sizeof(filter->u.generic.mask)) {
++			*p = '\0';
++			return;
++		}
+ 
+ 		i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
+ 		p += i;
+ 
+ 		/* show the mask */
+-		for (count = 0; count < ntohs(filter->u.generic.len); count++) {
++		for (count = 0; count < masklen; count++) {
+ 			i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
+ 			p += i;
+ 			outlen -= i;
+@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+ 		outlen--;
+ 
+ 		/* show the value */
+-		for (count = 0; count < ntohs(filter->u.generic.len); count++) {
++		for (count = 0; count < masklen; count++) {
+ 			i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
+ 			p += i;
+ 			outlen -= i;
diff --git a/SOURCES/freeradius-fix-crash-unknown-eap-sim.patch b/SOURCES/freeradius-fix-crash-unknown-eap-sim.patch
new file mode 100644
index 0000000..4a2c2d1
--- /dev/null
+++ b/SOURCES/freeradius-fix-crash-unknown-eap-sim.patch
@@ -0,0 +1,115 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 09 Dec 2022
+Subject: Fix crash on unknown option in EAP-SIM
+
+When an EAP-SIM supplicant sends an unknown SIM option, the server will try to
+look that option up in the internal dictionaries. This lookup will fail, but the
+SIM code will not check for that failure. Instead, it will dereference a NULL
+pointer, and cause the server to crash.
+
+Backport of:
+https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
+https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151704
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
+index cf1e8a7dd92..e438a844eab 100644
+--- a/src/modules/rlm_eap/libeap/eapsimlib.c
++++ b/src/modules/rlm_eap/libeap/eapsimlib.c
+@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
+ 	newvp->vp_length = 1;
+ 	fr_pair_add(&(r->vps), newvp);
+ 
++	/*
++	 *	EAP-SIM has a 1 octet of subtype, and 2 octets
++	 *	reserved.
++	 */
+ 	attr     += 3;
+ 	attrlen  -= 3;
+ 
+-	/* now, loop processing each attribute that we find */
+-	while(attrlen > 0) {
++	/*
++	 *	Loop over each attribute.  The format is:
++	 *
++	 *	1 octet of type
++	 *	1 octet of length (value 1..255)
++	 *	((4 * length) - 2) octets of data.
++	 */
++	while (attrlen > 0) {
+ 		uint8_t *p;
+ 
+-		if(attrlen < 2) {
++		if (attrlen < 2) {
+ 			fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
+ 			return 0;
+ 		}
+ 
++		if (!attr[1]) {
++			fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", attr[0],
++					   es_attribute_count);
++			return 0;
++		}
++
+ 		eapsim_attribute = attr[0];
+ 		eapsim_len = attr[1] * 4;
+ 
++		/*
++		 *	The length includes the 2-byte header.
++		 */
+ 		if (eapsim_len > attrlen) {
+ 			fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
+ 					   eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
+ 			return 0;
+ 		}
+ 
+-		if(eapsim_len > MAX_STRING_LEN) {
+-			eapsim_len = MAX_STRING_LEN;
+-		}
+-		if (eapsim_len < 2) {
+-			fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
+-					   es_attribute_count);
+-			return 0;
+-		}
++		newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
++		if (!newvp) {
++			/*
++			 *	RFC 4186 Section 8.1 says 0..127 are
++			 *	"non-skippable".  If one such
++			 *	attribute is found and we don't
++			 *	understand it, the server has to send:
++			 *
++			 *	EAP-Request/SIM/Notification packet with an
++			 *	(AT_NOTIFICATION code, which implies general failure ("General
++			 *	failure after authentication" (0), or "General failure" (16384),
++			 *	depending on the phase of the exchange), which terminates the
++			 *	authentication exchange.
++			 */
++			if (eapsim_attribute <= 127) {
++				fr_strerror_printf("Unknown mandatory attribute %d, failing",
++						   eapsim_attribute);
++				return 0;
++			}
+ 
+-		newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
+-		newvp->vp_length = eapsim_len-2;
+-		newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+-		memcpy(p, &attr[2], eapsim_len-2);
+-		fr_pair_add(&(r->vps), newvp);
+-		newvp = NULL;
++		} else {
++			/*
++			 *	It's known, ccount for header, and
++			 *	copy the value over.
++			 */
++			newvp->vp_length = eapsim_len - 2;
++
++			newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
++			memcpy(p, &attr[2], newvp->vp_length);
++			fr_pair_add(&(r->vps), newvp);
++		}
+ 
+ 		/* advance pointers, decrement length */
+ 		attr += eapsim_len;
diff --git a/SOURCES/freeradius-fix-info-leakage-eap-pwd.patch b/SOURCES/freeradius-fix-info-leakage-eap-pwd.patch
new file mode 100644
index 0000000..b236705
--- /dev/null
+++ b/SOURCES/freeradius-fix-info-leakage-eap-pwd.patch
@@ -0,0 +1,76 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 09 Dec 2022
+Subject: Fix information leakage in EAP-PWD
+
+The EAP-PWD function compute_password_element() leaks information about the 
+password which allows an attacker to substantially reduce the size of an 
+offline dictionary attack.
+
+Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+index d94851c3aa..9f86b62114 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
++++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API	/* OpenSSL API has been deprecated by Apple */
+ #include <freeradius-devel/radiusd.h>
+ #include <freeradius-devel/modules.h>
+ 
++static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
++
+ /* The random function H(x) = HMAC-SHA256(0^32, x) */
+ static void H_Init(HMAC_CTX *ctx)
+ {
+@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
+ 			      uint32_t *token)
+ {
+ 	BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
+-	HMAC_CTX *ctx = NULL;
++	EVP_MD_CTX *hmac_ctx;
++	EVP_PKEY *hmac_pkey;
+ 	uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
+ 	int nid, is_odd, primebitlen, primebytelen, ret = 0;
+ 
+-	ctx = HMAC_CTX_new();
+-	if (ctx == NULL) {
+-		DEBUG("failed allocating HMAC context");
+-		goto fail;
+-	}
++	MEM(hmac_ctx = EVP_MD_CTX_new());
++	MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
+ 
+ 	switch (grp_num) { /* from IANA registry for IKE D-H groups */
+ 	case 19:
+@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
+ 		 *    pwd-seed = H(token | peer-id | server-id | password |
+ 		 *		   counter)
+ 		 */
+-		H_Init(ctx);
+-		H_Update(ctx, (uint8_t *)token, sizeof(*token));
+-		H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
+-		H_Update(ctx, (uint8_t const *)id_server, id_server_len);
+-		H_Update(ctx, (uint8_t const *)password, password_len);
+-		H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
+-		H_Final(ctx, pwe_digest);
++		EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
++		EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
++		EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
++		EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
++		EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
++		EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
+ 
+ 		BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
+ 		if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
+@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
+ 	BN_clear_free(x_candidate);
+ 	BN_clear_free(rnd);
+ 	talloc_free(prfbuf);
+-	HMAC_CTX_free(ctx);
++	EVP_MD_CTX_free(hmac_ctx);
++	EVP_PKEY_free(hmac_pkey);
+ 
+ 	return ret;
+ }
diff --git a/SPECS/freeradius.spec b/SPECS/freeradius.spec
index 154f7a0..a7b02fe 100644
--- a/SPECS/freeradius.spec
+++ b/SPECS/freeradius.spec
@@ -9,7 +9,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.20
-Release: 12%{?dist}
+Release: 14%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@@ -44,6 +44,9 @@ Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
 Patch12: freeradius-bootstrap-run-only-once.patch
 Patch13: freeradius-Fix-unterminated-strings-in-SQL-queries.patch
 Patch14: freeradius-Fix-segfault-when-home_server-is-null.patch
+Patch15: freeradius-fix-crash-on-invalid-abinary-data.patch
+Patch16: freeradius-fix-crash-unknown-eap-sim.patch
+Patch17: freeradius-fix-info-leakage-eap-pwd.patch
 
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
 
@@ -246,6 +249,9 @@ This plugin provides the REST support for the FreeRADIUS server project.
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
 
 # Add fixed dhparam file to the source to ensure `make tests` can run.
 cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
@@ -896,6 +902,17 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 
 %changelog
+* Fri Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-14
+- Fix defect found by Covscan
+  Resolves: #2151704
+
+* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-13
+- Fix multiple CVEs
+- Add rpminspect configuration
+  Resolves: #2151702
+  Resolves: #2151704
+  Resolves: #2151706
+
 * Thu Dec 9 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-12
 - Fix segfault when home_server is null
   Resolves: bz#2030173