diff --git a/.gitignore b/.gitignore
index c9283f1..a178e76 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,4 @@
 /freeradius-server-3.0.11.tar.bz2
 /freeradius-server-3.0.12.tar.bz2
 /freeradius-server-3.0.13.tar.bz2
+/freeradius-server-3.0.14.tar.bz2
diff --git a/freeradius-Fix-some-issues-found-with-static-analyzers.patch b/freeradius-Fix-some-issues-found-with-static-analyzers.patch
deleted file mode 100644
index 759d9d3..0000000
--- a/freeradius-Fix-some-issues-found-with-static-analyzers.patch
+++ /dev/null
@@ -1,262 +0,0 @@
-From 7024d6ce061d57af65fe3a068803212581552f96 Mon Sep 17 00:00:00 2001
-From: "Alan T. DeKok"
-Date: Fri, 10 Mar 2017 09:11:03 -0500
-Subject: [PATCH] Fix some issues found with static analyzers
-
-Fix some issues found with static analyzers. Includes the following.
-
-Coverity. Closes #1937
-
-(cherry picked from commit 521e2a9bd3b1b49555bcd9fb90b03c456f616070)
-
-Allo session resumption for RadSec connectins. Closes #1936
-
-(cherry picked from commit 43efa4321d7cd9fca1184f999e1cadeff3afda02)
-
-request->packet cannot be NULL. Helps with #1935
-
-(cherry picked from commit 7f22c30476be495438d5bc4dbec2f618f09c0b15)
-
-remove unused variable
-
-(cherry picked from commit d9bfc70efbf575258425d2ca86160490e0c36a45)
-
-close open FDs on error, and use error path in more situations
-
-(cherry picked from commit e51af914bc5fdf879f821e6a1ecfe700bff937ca)
-
-return RLM_MODULE_FAIL for default switch statement
-
-(cherry picked from commit cdfa6e15065a4a616c96af516936117124a1c293)
-
-Remove always-false condition in rlm_eap_fast
-
-(cherry picked from commit 96d7a5e2bb393b4fd1b6cb6e0a6858e6c18eb96a)
-
-Remove always-false condition from cf_item_parse
-
-(cherry picked from commit 92624adf8170fb133b330fe02d8940a8bac86189)
-
-Ensure that error is always initialized
-
-(cherry picked from commit c483d8456e44747621334b318483c3a33752aaac)
----
- src/main/command.c | 15 ++++++++-------
- src/main/conffile.c | 2 --
- src/main/process.c | 5 +++--
- src/main/tls.c | 12 ++++++------
- src/main/xlat.c | 6 +++++-
- src/modules/rlm_cache/rlm_cache.c | 3 ++-
- src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c | 3 ---
- src/modules/rlm_mschap/rlm_mschap.c | 2 +-
- 8 files changed, 25 insertions(+), 23 deletions(-)
-
-diff --git a/src/main/command.c b/src/main/command.c
-index d3b729f9a..34c5268d7 100644
---- a/src/main/command.c
-+++ b/src/main/command.c
-@@ -345,7 +345,7 @@ static int fr_server_domain_socket_perm(UNUSED char const *path, UNUSED uid_t ui
- */
- static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid)
- {
-- int dir_fd = -1, path_fd = -1, sock_fd = -1, parent_fd = -1;
-+ int dir_fd = -1, sock_fd = -1, parent_fd = -1;
- char const *name;
- char *buff = NULL, *dir = NULL, *p;
- 
-@@ -392,8 +392,9 @@ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid)
- fr_strerror_printf("Failed determining parent directory");
- error:
- talloc_free(dir);
-- close(dir_fd);
-- close(path_fd);
-+ if (sock_fd >= 0) close(sock_fd);
-+ if (dir_fd >= 0) close(dir_fd);
-+ if (parent_fd >= 0) close(parent_fd);
- return -1;
- }
- 
-@@ -459,7 +460,7 @@ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid)
- if (ret < 0) {
- fr_strerror_printf("Failed changing ownership of control socket directory: %s",
- fr_syserror(errno));
-- return -1;
-+ goto error;
- }
- /*
- * Control socket dir already exists, but we still need to
-@@ -527,7 +528,7 @@ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid)
- if (client_fd >= 0) {
- fr_strerror_printf("Control socket '%s' is already in use", path);
- close(client_fd);
-- return -1;
-+ goto error;
- }
- }
- 
-@@ -676,8 +677,8 @@ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid)
- if (uid != (uid_t)-1) rad_seuid(euid);
- if (gid != (gid_t)-1) rad_segid(egid);
- 
-- close(dir_fd);
-- close(path_fd);
-+ if (dir_fd >= 0) close(dir_fd);
-+ if (parent_fd >= 0) close(parent_fd);
- 
- return sock_fd;
- }
-diff --git a/src/main/conffile.c b/src/main/conffile.c
-index df78184bd..10c029a0e 100644
---- a/src/main/conffile.c
-+++ b/src/main/conffile.c
-@@ -1474,7 +1474,6 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d
- 
- if (!value) {
- if (required) {
-- is_required:
- cf_log_err(c_item, "Configuration item \"%s\" must have a value", name);
- 
- return -1;
-@@ -1620,7 +1619,6 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d
- }
- }
- 
-- if (required && !value) goto is_required;
- if (cant_be_empty && (value[0] == '\0')) goto cant_be_empty;
- 
- if (attribute) {
-diff --git a/src/main/process.c b/src/main/process.c
-index c5a690672..c3856c7a1 100644
---- a/src/main/process.c
-+++ b/src/main/process.c
-@@ -2122,8 +2122,9 @@ static void remove_from_proxy_hash_nl(REQUEST *request, bool yank)
- }
- 
- #ifdef WITH_TCP
-- rad_assert(request->proxy_listener != NULL);
-- request->proxy_listener->count--;
-+ if (request->proxy_listener) {
-+ request->proxy_listener->count--;
-+ }
- #endif
- request->proxy_listener = NULL;
- 
-diff --git a/src/main/tls.c b/src/main/tls.c
-index caa7e62ed..a72be2b63 100644
---- a/src/main/tls.c
-+++ b/src/main/tls.c
-@@ -1360,7 +1360,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
- blob_len = i2d_SSL_SESSION(sess, NULL);
- if (blob_len < 1) {
- /* something went wrong */
-- RWDEBUG("Session serialisation failed, couldn't determine required buffer length");
-+ if (request) RWDEBUG("Session serialisation failed, couldn't determine required buffer length");
- return 0;
- }
- 
-@@ -1375,7 +1375,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
- p = sess_blob;
- rv = i2d_SSL_SESSION(sess, &p);
- if (rv != blob_len) {
-- RWDEBUG("Session serialisation failed");
-+ if (request) RWDEBUG("Session serialisation failed");
- goto error;
- }
- 
-@@ -1384,8 +1384,8 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
- conf->session_cache_path, FR_DIR_SEP, buffer);
- fd = open(filename, O_RDWR|O_CREAT|O_EXCL, 0600);
- if (fd < 0) {
-- RERROR("Session serialisation failed, failed opening session file %s: %s",
-- filename, fr_syserror(errno));
-+ if (request) RERROR("Session serialisation failed, failed opening session file %s: %s",
-+ filename, fr_syserror(errno));
- goto error;
- }
- 
-@@ -1409,7 +1409,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
- while (todo > 0) {
- rv = write(fd, p, todo);
- if (rv < 1) {
-- RWDEBUG("Failed writing session: %s", fr_syserror(errno));
-+ if (request) RWDEBUG("Failed writing session: %s", fr_syserror(errno));
- close(fd);
- goto error;
- }
-@@ -1417,7 +1417,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
- todo -= rv;
- }
- close(fd);
-- RWDEBUG("Wrote session %s to %s (%d bytes)", buffer, filename, blob_len);
-+ if (request) RWDEBUG("Wrote session %s to %s (%d bytes)", buffer, filename, blob_len);
- }
- 
- error:
-diff --git a/src/main/xlat.c b/src/main/xlat.c
-index 31987289c..aeac3a4c3 100644
---- a/src/main/xlat.c
-+++ b/src/main/xlat.c
-@@ -1787,7 +1787,10 @@ static ssize_t xlat_tokenize_request(REQUEST *request, char const *fmt, xlat_exp
- * much faster.
- */
- tokens = talloc_typed_strdup(request, fmt);
-- if (!tokens) return -1;
-+ if (!tokens) {
-+ error = "Out of memory";
-+ return -1;
-+ }
- 
- slen = xlat_tokenize_literal(request, tokens, head, false, &error);
- 
-@@ -1806,6 +1809,7 @@ static ssize_t xlat_tokenize_request(REQUEST *request, char const *fmt, xlat_exp
- */
- if (slen < 0) {
- talloc_free(tokens);
-+
- rad_assert(error != NULL);
- 
- REMARKER(fmt, -slen, error);
-diff --git a/src/modules/rlm_cache/rlm_cache.c b/src/modules/rlm_cache/rlm_cache.c
-index 248de8bf9..54449747f 100644
---- a/src/modules/rlm_cache/rlm_cache.c
-+++ b/src/modules/rlm_cache/rlm_cache.c
-@@ -126,7 +126,8 @@ static void CC_HINT(nonnull) cache_merge(rlm_cache_t *inst, REQUEST *request, rl
- 
- RDEBUG2("Merging cache entry into request");
- 
-- if (c->packet && request->packet) {
-+ if (c->packet) {
-+ rad_assert(request->packet != NULL);
- rdebug_pair_list(L_DBG_LVL_2, request, c->packet, "&request:");
- radius_pairmove(request, &request->packet->vps, fr_pair_list_copy(request->packet, c->packet), false);
- }
-diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
-index dba2c1462..95e521718 100644
---- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
-+++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
-@@ -1235,9 +1235,6 @@ PW_CODE eap_fast_process(eap_handler_t *eap_session, tls_session_t *tls_session)
- 
- eap_fast_append_result(tls_session, code);
- 
-- if (code == PW_CODE_ACCESS_REJECT)
-- break;
--
- if (t->pac.send) {
- RDEBUG("Peer requires new PAC");
- eap_fast_send_pac_tunnel(request, tls_session);
-diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c
-index aba15f826..c702f1b45 100644
---- a/src/modules/rlm_mschap/rlm_mschap.c
-+++ b/src/modules/rlm_mschap/rlm_mschap.c
-@@ -1471,7 +1471,7 @@ static rlm_rcode_t mschap_error(rlm_mschap_t *inst, REQUEST *request, unsigned c
- break;
- 
- default:
-- rad_assert(0);
-+ return RLM_MODULE_FAIL;
- }
- mschap_add_reply(request, ident, "MS-CHAP-Error", buffer, strlen(buffer));
- 
---
-2.11.0
-
diff --git a/freeradius-Handle-connection-error-in-rlm_ldap_cacheable_groupo.patch b/freeradius-Handle-connection-error-in-rlm_ldap_cacheable_groupo.patch
deleted file mode 100644
index 8dac6ed..0000000
--- a/freeradius-Handle-connection-error-in-rlm_ldap_cacheable_groupo.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From bd67f9fc09690f0b3ac195cb9c57d51bd7a7dc23 Mon Sep 17 00:00:00 2001
-From: Nikolai Kondrashov
-Date: Wed, 29 Mar 2017 10:43:14 +0300
-Subject: [PATCH] Handle connection error in rlm_ldap_cacheable_groupobj
-
-Closes #1951
-
-(cherry picked from commit 208681c80e1149de888affdb87f34de0c371db50)
----
- src/modules/rlm_ldap/groups.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/modules/rlm_ldap/groups.c b/src/modules/rlm_ldap/groups.c
-index 12f34da2a..5e0a1819e 100644
---- a/src/modules/rlm_ldap/groups.c
-+++ b/src/modules/rlm_ldap/groups.c
-@@ -461,8 +461,10 @@ rlm_rcode_t rlm_ldap_cacheable_groupobj(rlm_ldap_t const *inst, REQUEST *request
- 
- case LDAP_PROC_NO_RESULT:
- RDEBUG2("No cacheable group memberships found in group objects");
-+ goto finish;
- 
- default:
-+ rcode = RLM_MODULE_FAIL;
- goto finish;
- }
- 
---
-2.11.0
-
diff --git a/freeradius-Relax-OpenSSL-permissions-for-default-key-files.patch b/freeradius-Relax-OpenSSL-permissions-for-default-key-files.patch
deleted file mode 100644
index 8b4fa6e..0000000
--- a/freeradius-Relax-OpenSSL-permissions-for-default-key-files.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 5a83dc7697eb354b2a75ed36c6a39446cf020b87 Mon Sep 17 00:00:00 2001
-From: Nikolai Kondrashov
-Date: Tue, 14 Mar 2017 14:55:57 +0200
-Subject: [PATCH] Relax OpenSSL permissions for default key files
-
-Recent versions of OpenSSL appear to create keys with owner-only
-permissions. Allow owning group to read the created default key files
-in raddb/certs, so that they stay the same as with older OpenSSL, and
-that the server can read its key.
-
-(cherry picked from commit 29add135c8d1f1f7ccc6ab6ca25af87b48575a5b)
----
- raddb/certs/Makefile | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
-index 8141ae2b2..ef243c9b3 100644
---- a/raddb/certs/Makefile
-+++ b/raddb/certs/Makefile
-@@ -62,6 +62,7 @@ ca.key ca.pem: ca.cnf
- @[ -f serial ] || $(MAKE) serial
- $(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
- -days $(CA_DEFAULT_DAYS) -config ./ca.cnf
-+ chmod g+r ca.key
- 
- ca.der: ca.pem
- $(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
-@@ -73,15 +74,18 @@ ca.der: ca.pem
- ######################################################################
- server.csr server.key: server.cnf
- $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf
-+ chmod g+r server.key
- 
- server.crt: server.csr ca.key ca.pem
- $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
- 
- server.p12: server.crt
- $(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
-+ chmod g+r server.p12
- 
- server.pem: server.p12
- $(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
-+ chmod g+r server.pem
- 
- .PHONY: server.vrfy
- server.vrfy: ca.pem
-@@ -95,15 +99,18 @@ server.vrfy: ca.pem
- ######################################################################
- client.csr client.key: client.cnf
- $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf
-+ chmod g+r client.key
- 
- client.crt: client.csr ca.pem ca.key
- $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
- 
- client.p12: client.crt
- $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
-+ chmod g+r client.p12
- 
- client.pem: client.p12
- $(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
-+ chmod g+r client.pem
- cp client.pem $(USER_NAME).pem
- 
- .PHONY: client.vrfy
---
-2.11.0
-
diff --git a/freeradius-radtest-should-use-Cleartext-Password-for-EAP.patch b/freeradius-radtest-should-use-Cleartext-Password-for-EAP.patch
deleted file mode 100644
index 3787926..0000000
--- a/freeradius-radtest-should-use-Cleartext-Password-for-EAP.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 362533a64646cce89799ba0759d4304b8de1e917 Mon Sep 17 00:00:00 2001
-From: "Alan T. DeKok"
-Date: Tue, 7 Mar 2017 09:22:10 -0500
-Subject: [PATCH] radtest should use Cleartext-Password for EAP
-
-(cherry picked from commit 0251c6c9d049f06c8f10974f9e67ef8142b17047)
----
- src/main/radtest.in | 2 +-
- src/modules/rlm_eap/radeapclient.c | 1 +
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/main/radtest.in b/src/main/radtest.in
-index 7f009ae68..38b1ba9a0 100644
---- a/src/main/radtest.in
-+++ b/src/main/radtest.in
-@@ -81,7 +81,7 @@ do
- PASSWORD="MS-CHAP-Password"
- ;;
- eap-md5)
-- PASSWORD="User-Password"
-+ PASSWORD="Cleartext-Password"
- if [ ! -x "$radeapclient" ]
- then
- echo "radtest: No 'radeapclient' program was found. Cannot perform EAP-MD5." >&1
-diff --git a/src/modules/rlm_eap/radeapclient.c b/src/modules/rlm_eap/radeapclient.c
-index 020d252f1..ff69361e4 100644
---- a/src/modules/rlm_eap/radeapclient.c
-+++ b/src/modules/rlm_eap/radeapclient.c
-@@ -468,6 +468,7 @@ static int rc_init_packet(rc_transaction_t *trans)
- /*
- * Keep a copy of the the password attribute.
- */
-+ case PW_CLEARTEXT_PASSWORD:
- case PW_USER_PASSWORD:
- case PW_CHAP_PASSWORD:
- case PW_MS_CHAP_PASSWORD:
---
-2.11.0
-
diff --git a/freeradius.spec b/freeradius.spec
index bf4e214..be66d05 100644
--- a/freeradius.spec
+++ b/freeradius.spec
@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
-Version: 3.0.13
-Release: 3%{?dist}
+Version: 3.0.14
+Release: 1%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@@ -23,10 +23,6 @@ Source104: freeradius-tmpfiles.conf
 Patch1: freeradius-redhat-config.patch
 Patch2: freeradius-Use-system-crypto-policy-by-default.patch
-Patch3: freeradius-Relax-OpenSSL-permissions-for-default-key-files.patch
-Patch4: freeradius-Fix-some-issues-found-with-static-analyzers.patch
-Patch5: freeradius-Handle-connection-error-in-rlm_ldap_cacheable_groupo.patch
-Patch6: freeradius-radtest-should-use-Cleartext-Password-for-EAP.patch
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@@ -196,10 +192,6 @@ This plugin provides the REST support for the FreeRADIUS server project.
 # mistakenly includes the backup files, especially problematic for raddb config files.
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
 %build
 # Force compile/link options, extra security for network facing daemon
@@ -275,11 +267,13 @@ rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/mssql
 rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/oracle
 rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool-dhcp/oracle
 rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/oracle
+rm -r $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/moonshot-targeted-ids
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/unbound
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/unbound/default.conf
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/couchbase
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/abfab*
+rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/moonshot-targeted-ids
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/policy.d/abfab*
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/policy.d/moonshot-targeted-ids
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab*
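Review bot: The added `rm -r $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/moonshot-targeted-ids` in the `@@ -275,11 +267,13 @@` hunk omits the `-f` that the three `rm -rf` directory removals directly above it use, so this one line turns a missing directory into a hard %install failure while its neighbours stay silent. If that is intended as a tripwire for upstream layout changes (the bare `rm` lines for single files in the same hunk already behave that way), a short comment such as `# no -f: fail loudly if upstream stops shipping this directory` would make the intent explicit to the next packager; otherwise `rm -rf` keeps the line consistent with the block it sits in. The hunk's declared counts (11 old, 13 new) are one context line more than the twelve lines shown here, so a blank context line may have been lost in this rendering rather than in the commit.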
@@ -802,6 +796,11 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 %changelog
+* Tue May 30 2017 Nikolai Kondrashov - 3.0.14-1
+- Upgrade to upstream v3.0.14 release. See upstream ChangeLog for details (in freeradius-doc subpackage).
+- Fix TLS resumption authentication bypass (CVE-2017-9148)
+
 * Wed Mar 29 2017 Nikolai Kondrashov - 3.0.13-3
 - Explicitly disable rlm_cache_memcached to avoid error when the module's dependencies are installed, and it is built, but not packaged.
diff --git a/sources b/sources
index 1106d05..c7d7642 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (freeradius-server-3.0.13.tar.bz2) = 3184eb19e70a217706fceb22675be0e51f713f60d7341e7ee6e4e87d58e7efb948192d6206433d76de6b440633b31f4f897839751597370fe9c784d7c3eef30b
+SHA512 (freeradius-server-3.0.14.tar.bz2) = 8d42b7a5fd7ed0491c01ed9ed5f9994598c9ff2fd45eb3960abdfffffdf8084fe59bfc6eda84c3ef22bb045206b5f8f3dc7de47310d0582961796440ef4a1301