Upgrade to upstream v3.0.14 release

.gitignore

@@ -18,3 +18,4 @@
 /freeradius-server-3.0.11.tar.bz2
 /freeradius-server-3.0.12.tar.bz2
 /freeradius-server-3.0.13.tar.bz2
+/freeradius-server-3.0.14.tar.bz2

freeradius-Fix-some-issues-found-with-static-analyzers.patch

@@ -1,262 +0,0 @@
-From 7024d6ce061d57af65fe3a068803212581552f96 Mon Sep 17 00:00:00 2001
-From: "Alan T. DeKok" <aland@freeradius.org>
-Date: Fri, 10 Mar 2017 09:11:03 -0500
-Subject: [PATCH] Fix some issues found with static analyzers
-
-Fix some issues found with static analyzers. Includes the following.
-
-Coverity.  Closes #1937
-
-(cherry picked from commit 521e2a9bd3b1b49555bcd9fb90b03c456f616070)
-
-Allo session resumption for RadSec connectins.  Closes #1936
-
-(cherry picked from commit 43efa4321d7cd9fca1184f999e1cadeff3afda02)
-
-request->packet cannot be NULL. Helps with #1935
-
-(cherry picked from commit 7f22c30476be495438d5bc4dbec2f618f09c0b15)
-
-remove unused variable
-
-(cherry picked from commit d9bfc70efbf575258425d2ca86160490e0c36a45)
-
-close open FDs on error, and use error path in more situations
-
-(cherry picked from commit e51af914bc5fdf879f821e6a1ecfe700bff937ca)
-
-return RLM_MODULE_FAIL for default switch statement
-
-(cherry picked from commit cdfa6e15065a4a616c96af516936117124a1c293)
-
-Remove always-false condition in rlm_eap_fast
-
-(cherry picked from commit 96d7a5e2bb393b4fd1b6cb6e0a6858e6c18eb96a)
-
-Remove always-false condition from cf_item_parse
-
-(cherry picked from commit 92624adf8170fb133b330fe02d8940a8bac86189)
-
-Ensure that error is always initialized
-
-(cherry picked from commit c483d8456e44747621334b318483c3a33752aaac)
----
- src/main/command.c                                | 15 ++++++++-------
- src/main/conffile.c                               |  2 --
- src/main/process.c                                |  5 +++--
- src/main/tls.c                                    | 12 ++++++------
- src/main/xlat.c                                   |  6 +++++-
- src/modules/rlm_cache/rlm_cache.c                 |  3 ++-
- src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c |  3 ---
- src/modules/rlm_mschap/rlm_mschap.c               |  2 +-
- 8 files changed, 25 insertions(+), 23 deletions(-)
-
-diff --git a/src/main/command.c b/src/main/command.c
-index d3b729f9a..34c5268d7 100644
---- a/src/main/command.c
-+++ b/src/main/command.c
-@@ -345,7 +345,7 @@ static int fr_server_domain_socket_perm(UNUSED char const *path, UNUSED uid_t ui
-  */
- static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid)
- {
--	int			dir_fd = -1, path_fd = -1, sock_fd = -1, parent_fd = -1;
-+	int			dir_fd = -1, sock_fd = -1, parent_fd = -1;
- 	char const		*name;
- 	char			*buff = NULL, *dir = NULL, *p;
- 
-@@ -392,8 +392,9 @@ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid)
- 		fr_strerror_printf("Failed determining parent directory");
- 	error:
- 		talloc_free(dir);
--		close(dir_fd);
--		close(path_fd);
-+		if (sock_fd >= 0) close(sock_fd);
-+		if (dir_fd >= 0) close(dir_fd);
-+		if (parent_fd >= 0) close(parent_fd);
- 		return -1;
- 	}
- 
-@@ -459,7 +460,7 @@ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid)
- 		if (ret < 0) {
- 			fr_strerror_printf("Failed changing ownership of control socket directory: %s",
- 					   fr_syserror(errno));
--			return -1;
-+			goto error;
- 		}
- 	/*
- 	 *	Control socket dir already exists, but we still need to
-@@ -527,7 +528,7 @@ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid)
- 		if (client_fd >= 0) {
- 			fr_strerror_printf("Control socket '%s' is already in use", path);
- 			close(client_fd);
--			return -1;
-+			goto error;
- 		}
- 	}
- 
-@@ -676,8 +677,8 @@ static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid)
- 	if (uid != (uid_t)-1) rad_seuid(euid);
- 	if (gid != (gid_t)-1) rad_segid(egid);
- 
--	close(dir_fd);
--	close(path_fd);
-+	if (dir_fd >= 0) close(dir_fd);
-+	if (parent_fd >= 0) close(parent_fd);
- 
- 	return sock_fd;
- }
-diff --git a/src/main/conffile.c b/src/main/conffile.c
-index df78184bd..10c029a0e 100644
---- a/src/main/conffile.c
-+++ b/src/main/conffile.c
-@@ -1474,7 +1474,6 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d
- 
- 	if (!value) {
- 		if (required) {
--		is_required:
- 			cf_log_err(c_item, "Configuration item \"%s\" must have a value", name);
- 
- 			return -1;
-@@ -1620,7 +1619,6 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d
- 			}
- 		}
- 
--		if (required && !value) goto is_required;
- 		if (cant_be_empty && (value[0] == '\0')) goto cant_be_empty;
- 
- 		if (attribute) {
-diff --git a/src/main/process.c b/src/main/process.c
-index c5a690672..c3856c7a1 100644
---- a/src/main/process.c
-+++ b/src/main/process.c
-@@ -2122,8 +2122,9 @@ static void remove_from_proxy_hash_nl(REQUEST *request, bool yank)
- 	}
- 
- #ifdef WITH_TCP
--	rad_assert(request->proxy_listener != NULL);
--	request->proxy_listener->count--;
-+	if (request->proxy_listener) {
-+		request->proxy_listener->count--;
-+	}
- #endif
- 	request->proxy_listener = NULL;
- 
-diff --git a/src/main/tls.c b/src/main/tls.c
-index caa7e62ed..a72be2b63 100644
---- a/src/main/tls.c
-+++ b/src/main/tls.c
-@@ -1360,7 +1360,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
- 		blob_len = i2d_SSL_SESSION(sess, NULL);
- 		if (blob_len < 1) {
- 			/* something went wrong */
--			RWDEBUG("Session serialisation failed, couldn't determine required buffer length");
-+			if (request) RWDEBUG("Session serialisation failed, couldn't determine required buffer length");
- 			return 0;
- 		}
- 
-@@ -1375,7 +1375,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
- 		p = sess_blob;
- 		rv = i2d_SSL_SESSION(sess, &p);
- 		if (rv != blob_len) {
--			RWDEBUG("Session serialisation failed");
-+			if (request) RWDEBUG("Session serialisation failed");
- 			goto error;
- 		}
- 
-@@ -1384,8 +1384,8 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
- 			 conf->session_cache_path, FR_DIR_SEP, buffer);
- 		fd = open(filename, O_RDWR|O_CREAT|O_EXCL, 0600);
- 		if (fd < 0) {
--			RERROR("Session serialisation failed, failed opening session file %s: %s",
--			      filename, fr_syserror(errno));
-+			if (request) RERROR("Session serialisation failed, failed opening session file %s: %s",
-+					    filename, fr_syserror(errno));
- 			goto error;
- 		}
- 
-@@ -1409,7 +1409,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
- 		while (todo > 0) {
- 			rv = write(fd, p, todo);
- 			if (rv < 1) {
--				RWDEBUG("Failed writing session: %s", fr_syserror(errno));
-+				if (request) RWDEBUG("Failed writing session: %s", fr_syserror(errno));
- 				close(fd);
- 				goto error;
- 			}
-@@ -1417,7 +1417,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
- 			todo -= rv;
- 		}
- 		close(fd);
--		RWDEBUG("Wrote session %s to %s (%d bytes)", buffer, filename, blob_len);
-+		if (request) RWDEBUG("Wrote session %s to %s (%d bytes)", buffer, filename, blob_len);
- 	}
- 
- error:
-diff --git a/src/main/xlat.c b/src/main/xlat.c
-index 31987289c..aeac3a4c3 100644
---- a/src/main/xlat.c
-+++ b/src/main/xlat.c
-@@ -1787,7 +1787,10 @@ static ssize_t xlat_tokenize_request(REQUEST *request, char const *fmt, xlat_exp
- 	 *	much faster.
- 	 */
- 	tokens = talloc_typed_strdup(request, fmt);
--	if (!tokens) return -1;
-+	if (!tokens) {
-+		error = "Out of memory";
-+		return -1;
-+	}
- 
- 	slen = xlat_tokenize_literal(request, tokens, head, false, &error);
- 
-@@ -1806,6 +1809,7 @@ static ssize_t xlat_tokenize_request(REQUEST *request, char const *fmt, xlat_exp
- 	 */
- 	if (slen < 0) {
- 		talloc_free(tokens);
-+
- 		rad_assert(error != NULL);
- 
- 		REMARKER(fmt, -slen, error);
-diff --git a/src/modules/rlm_cache/rlm_cache.c b/src/modules/rlm_cache/rlm_cache.c
-index 248de8bf9..54449747f 100644
---- a/src/modules/rlm_cache/rlm_cache.c
-+++ b/src/modules/rlm_cache/rlm_cache.c
-@@ -126,7 +126,8 @@ static void CC_HINT(nonnull) cache_merge(rlm_cache_t *inst, REQUEST *request, rl
- 
- 	RDEBUG2("Merging cache entry into request");
- 
--	if (c->packet && request->packet) {
-+	if (c->packet) {
-+		rad_assert(request->packet != NULL);
- 		rdebug_pair_list(L_DBG_LVL_2, request, c->packet, "&request:");
- 		radius_pairmove(request, &request->packet->vps, fr_pair_list_copy(request->packet, c->packet), false);
- 	}
-diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
-index dba2c1462..95e521718 100644
---- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
-+++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
-@@ -1235,9 +1235,6 @@ PW_CODE eap_fast_process(eap_handler_t *eap_session, tls_session_t *tls_session)
- 
- 		eap_fast_append_result(tls_session, code);
- 
--		if (code == PW_CODE_ACCESS_REJECT)
--			break;
--
- 		if (t->pac.send) {
- 			RDEBUG("Peer requires new PAC");
- 			eap_fast_send_pac_tunnel(request, tls_session);
-diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c
-index aba15f826..c702f1b45 100644
---- a/src/modules/rlm_mschap/rlm_mschap.c
-+++ b/src/modules/rlm_mschap/rlm_mschap.c
-@@ -1471,7 +1471,7 @@ static rlm_rcode_t mschap_error(rlm_mschap_t *inst, REQUEST *request, unsigned c
- 		break;
- 
- 	default:
--		rad_assert(0);
-+		return RLM_MODULE_FAIL;
- 	}
- 	mschap_add_reply(request, ident, "MS-CHAP-Error", buffer, strlen(buffer));
- 
--- 
-2.11.0
-

freeradius-Handle-connection-error-in-rlm_ldap_cacheable_groupo.patch

@@ -1,30 +0,0 @@
-From bd67f9fc09690f0b3ac195cb9c57d51bd7a7dc23 Mon Sep 17 00:00:00 2001
-From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
-Date: Wed, 29 Mar 2017 10:43:14 +0300
-Subject: [PATCH] Handle connection error in rlm_ldap_cacheable_groupobj
-
-Closes #1951
-
-(cherry picked from commit 208681c80e1149de888affdb87f34de0c371db50)
----
- src/modules/rlm_ldap/groups.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/modules/rlm_ldap/groups.c b/src/modules/rlm_ldap/groups.c
-index 12f34da2a..5e0a1819e 100644
---- a/src/modules/rlm_ldap/groups.c
-+++ b/src/modules/rlm_ldap/groups.c
-@@ -461,8 +461,10 @@ rlm_rcode_t rlm_ldap_cacheable_groupobj(rlm_ldap_t const *inst, REQUEST *request
- 
- 	case LDAP_PROC_NO_RESULT:
- 		RDEBUG2("No cacheable group memberships found in group objects");
-+		goto finish;
- 
- 	default:
-+		rcode = RLM_MODULE_FAIL;
- 		goto finish;
- 	}
- 
--- 
-2.11.0
-

freeradius-Relax-OpenSSL-permissions-for-default-key-files.patch

@@ -1,68 +0,0 @@
-From 5a83dc7697eb354b2a75ed36c6a39446cf020b87 Mon Sep 17 00:00:00 2001
-From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
-Date: Tue, 14 Mar 2017 14:55:57 +0200
-Subject: [PATCH] Relax OpenSSL permissions for default key files
-
-Recent versions of OpenSSL appear to create keys with owner-only
-permissions. Allow owning group to read the created default key files
-in raddb/certs, so that they stay the same as with older OpenSSL, and
-that the server can read its key.
-
-(cherry picked from commit 29add135c8d1f1f7ccc6ab6ca25af87b48575a5b)
----
- raddb/certs/Makefile | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
-index 8141ae2b2..ef243c9b3 100644
---- a/raddb/certs/Makefile
-+++ b/raddb/certs/Makefile
-@@ -62,6 +62,7 @@ ca.key ca.pem: ca.cnf
- 	@[ -f serial ] || $(MAKE) serial
- 	$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
- 		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf
-+	chmod g+r ca.key
- 
- ca.der: ca.pem
- 	$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
-@@ -73,15 +74,18 @@ ca.der: ca.pem
- ######################################################################
- server.csr server.key: server.cnf
- 	$(OPENSSL) req -new  -out server.csr -keyout server.key -config ./server.cnf
-+	chmod g+r server.key
- 
- server.crt: server.csr ca.key ca.pem
- 	$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
- 
- server.p12: server.crt
- 	$(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
-+	chmod g+r server.p12
- 
- server.pem: server.p12
- 	$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
-+	chmod g+r server.pem
- 
- .PHONY: server.vrfy
- server.vrfy: ca.pem
-@@ -95,15 +99,18 @@ server.vrfy: ca.pem
- ######################################################################
- client.csr client.key: client.cnf
- 	$(OPENSSL) req -new  -out client.csr -keyout client.key -config ./client.cnf
-+	chmod g+r client.key
- 
- client.crt: client.csr ca.pem ca.key
- 	$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
- 
- client.p12: client.crt
- 	$(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
-+	chmod g+r client.p12
- 
- client.pem: client.p12
- 	$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
-+	chmod g+r client.pem
- 	cp client.pem $(USER_NAME).pem
- 
- .PHONY: client.vrfy
--- 
-2.11.0
-

freeradius-radtest-should-use-Cleartext-Password-for-EAP.patch

@@ -1,39 +0,0 @@
-From 362533a64646cce89799ba0759d4304b8de1e917 Mon Sep 17 00:00:00 2001
-From: "Alan T. DeKok" <aland@freeradius.org>
-Date: Tue, 7 Mar 2017 09:22:10 -0500
-Subject: [PATCH] radtest should use Cleartext-Password for EAP
-
-(cherry picked from commit 0251c6c9d049f06c8f10974f9e67ef8142b17047)
----
- src/main/radtest.in                | 2 +-
- src/modules/rlm_eap/radeapclient.c | 1 +
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/main/radtest.in b/src/main/radtest.in
-index 7f009ae68..38b1ba9a0 100644
---- a/src/main/radtest.in
-+++ b/src/main/radtest.in
-@@ -81,7 +81,7 @@ do
- 				PASSWORD="MS-CHAP-Password"
- 				;;
- 			eap-md5)
--				PASSWORD="User-Password"
-+				PASSWORD="Cleartext-Password"
- 				if [ ! -x "$radeapclient" ]
- 				then
- 				    echo "radtest: No 'radeapclient' program was found.  Cannot perform EAP-MD5." >&1
-diff --git a/src/modules/rlm_eap/radeapclient.c b/src/modules/rlm_eap/radeapclient.c
-index 020d252f1..ff69361e4 100644
---- a/src/modules/rlm_eap/radeapclient.c
-+++ b/src/modules/rlm_eap/radeapclient.c
-@@ -468,6 +468,7 @@ static int rc_init_packet(rc_transaction_t *trans)
- 		/*
- 		 *	Keep a copy of the the password attribute.
- 		 */
-+		case PW_CLEARTEXT_PASSWORD:
- 		case PW_USER_PASSWORD:
- 		case PW_CHAP_PASSWORD:
- 		case PW_MS_CHAP_PASSWORD:
--- 
-2.11.0
-

freeradius.spec

@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
-Version: 3.0.13
-Release: 3%{?dist}
+Version: 3.0.14
+Release: 1%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@@ -23,10 +23,6 @@ Source104: freeradius-tmpfiles.conf
 
 Patch1: freeradius-redhat-config.patch
 Patch2: freeradius-Use-system-crypto-policy-by-default.patch
-Patch3: freeradius-Relax-OpenSSL-permissions-for-default-key-files.patch
-Patch4: freeradius-Fix-some-issues-found-with-static-analyzers.patch
-Patch5: freeradius-Handle-connection-error-in-rlm_ldap_cacheable_groupo.patch
-Patch6: freeradius-radtest-should-use-Cleartext-Password-for-EAP.patch
 
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
 
@@ -196,10 +192,6 @@ This plugin provides the REST support for the FreeRADIUS server project.
 # mistakenly includes the backup files, especially problematic for raddb config files.
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
 
 %build
 # Force compile/link options, extra security for network facing daemon
@@ -275,11 +267,13 @@ rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/mssql
 rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/oracle
 rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool-dhcp/oracle
 rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/oracle
+rm -r $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/moonshot-targeted-ids
 
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/unbound
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/unbound/default.conf
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/couchbase
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/abfab*
+rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/moonshot-targeted-ids
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/policy.d/abfab*
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/policy.d/moonshot-targeted-ids
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab*
@@ -802,6 +796,11 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 
 %changelog
+* Tue May 30 2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.14-1
+- Upgrade to upstream v3.0.14 release.
+  See upstream ChangeLog for details (in freeradius-doc subpackage).
+- Fix TLS resumption authentication bypass (CVE-2017-9148)
+
 * Wed Mar 29 2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.13-3
 - Explicitly disable rlm_cache_memcached to avoid error when the module's
   dependencies are installed, and it is built, but not packaged.

sources

@@ -1 +1 @@
-SHA512 (freeradius-server-3.0.13.tar.bz2) = 3184eb19e70a217706fceb22675be0e51f713f60d7341e7ee6e4e87d58e7efb948192d6206433d76de6b440633b31f4f897839751597370fe9c784d7c3eef30b
+SHA512 (freeradius-server-3.0.14.tar.bz2) = 8d42b7a5fd7ed0491c01ed9ed5f9994598c9ff2fd45eb3960abdfffffdf8084fe59bfc6eda84c3ef22bb045206b5f8f3dc7de47310d0582961796440ef4a1301