From b70e15694d48489d30c8e96f9828829286045766 Mon Sep 17 00:00:00 2001 From: John Dennis Date: Tue, 26 Nov 2013 18:33:56 -0500 Subject: [PATCH] - resolves: bug#1031035 remove radeapclient man page, upstream no longer supports radeapclient, use eapol_test instead - resolves: bug#1031061 rlm_eap_leap memory corruption, see freeradius-rlm_leap.patch - move man pages for utils into utils subpackage from doc subpackage - fix HAVE_EC_CRYPTO test to include f20 - add new directory /var/run/radiusd/tmp update mods-available/eap so tls-common.verify.tmpdir to point to it --- freeradius-redhat-config.patch | 30 ++++++++++-- freeradius-rlm_leap.patch | 88 ++++++++++++++++++++++++++++++++++ freeradius.spec | 42 +++++++++++----- 3 files changed, 142 insertions(+), 18 deletions(-) create mode 100644 freeradius-rlm_leap.patch diff --git a/freeradius-redhat-config.patch b/freeradius-redhat-config.patch index 6b3ce4e..3a7e428 100644 --- a/freeradius-redhat-config.patch +++ b/freeradius-redhat-config.patch 
@@ -1,14 +1,35 @@ +diff -r -u freeradius-server-3.0.0.orig/raddb/mods-available/eap freeradius-server-3.0.0/raddb/mods-available/eap +--- freeradius-server-3.0.0.orig/raddb/mods-available/eap 2013-10-07 15:49:47.000000000 -0400 ++++ freeradius-server-3.0.0/raddb/mods-available/eap 2013-11-26 17:48:56.081183431 -0500 +@@ -435,7 +435,7 @@ + # + # You should also delete all of the files + # in the directory when the server starts. +- # tmpdir = /tmp/radiusd ++ # tmpdir = /var/run/radiusd/tmp + + # The command used to verify the client cert. + # We recommend using the OpenSSL command-line +@@ -449,7 +449,7 @@ + # in PEM format. This file is automatically + # deleted by the server when the command + # returns. +- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" ++ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" + } + + # diff -r -u freeradius-server-3.0.0.orig/raddb/radiusd.conf.in freeradius-server-3.0.0/raddb/radiusd.conf.in --- freeradius-server-3.0.0.orig/raddb/radiusd.conf.in 2013-10-07 15:49:47.000000000 -0400 -+++ freeradius-server-3.0.0/raddb/radiusd.conf.in 2013-10-09 14:10:18.595543308 -0400 ++++ freeradius-server-3.0.0/raddb/radiusd.conf.in 2013-11-26 17:24:52.263467793 -0500 @@ -71,8 +71,7 @@ cadir = ${confdir}/certs run_dir = ${localstatedir}/run/${name} - + -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} +db_dir = ${localstatedir}/lib/radiusd - + # # libdir: Where to find the rlm_* modules. @@ -376,8 +375,8 @@ @@ -19,7 +40,6 @@ diff -r -u freeradius-server-3.0.0.orig/raddb/radiusd.conf.in freeradius-server- -# group = radius + user = radiusd + group = radiusd - + # Core dumps are a bad thing. This should only be set to # 'yes' if you're debugging a problem with the server. -Only in freeradius-server-3.0.0/raddb: radiusd.conf.in~ diff --git a/freeradius-rlm_leap.patch b/freeradius-rlm_leap.patch new file mode 100644 index 0000000..abf6426 --- /dev/null 
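Review bot: The new tmpdir value lands on a line that is still commented out (`+ # tmpdir = /var/run/radiusd/tmp`), so this hunk only changes the example shown to administrators; tls-common.verify stays disabled and the 0700 directory the spec now creates is not used until someone uncomments both `tmpdir` and `client`. If the commit message's "point to it" means the packaged config should actually use the directory, the added line should be `+ tmpdir = /var/run/radiusd/tmp` with the `#` dropped, and the same question applies to the `client = "/usr/bin/openssl verify ..."` line a few lines below. If the intent really is example-only, a word in the changelog saying the setting remains off would save the next packager from assuming verification is enabled.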
+++ b/freeradius-rlm_leap.patch 
@@ -0,0 +1,88 @@ +This patch is the collective application of the following 3 +upstream git commits for the v3.0.x branch. + +d8f91f97 Missed PAD macro +4203125 Proper fix for calculating encoded session-key length +e96eeea Increase size of LEAP session key buffer +457beab Sanity checks for leap + +These are fixes for the following bugs: +1031061 1031052 + +diff -r -u freeradius-server-3.0.0.pre-patch/src/include/libradius.h freeradius-server-3.0.0/src/include/libradius.h +--- freeradius-server-3.0.0.pre-patch/src/include/libradius.h 2013-11-26 12:33:38.894517298 -0500 ++++ freeradius-server-3.0.0/src/include/libradius.h 2013-11-26 13:22:48.215581799 -0500 +@@ -103,6 +103,8 @@ + #define TAG_ANY -128 /* minimum signed char */ + #define TAG_UNUSED 0 + ++#define PAD(_x, _y) (_y - ((_x) % _y)) ++ + #if defined(__GNUC__) + # define PRINTF_LIKE(n) __attribute__ ((format(printf, n, n+1))) + # define NEVER_RETURNS __attribute__ ((noreturn)) +@@ -424,6 +426,8 @@ + uint8_t const *vector); + int rad_pwdecode(char *encpw, size_t len, char const *secret, + uint8_t const *vector); ++ ++#define FR_TUNNEL_PW_ENC_LENGTH(_x) (2 + 1 + _x + PAD(_x + 1, 16)) + int rad_tunnel_pwencode(char *encpw, size_t *len, char const *secret, + uint8_t const *vector); + int rad_tunnel_pwdecode(uint8_t *encpw, size_t *len, +diff -r -u freeradius-server-3.0.0.pre-patch/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c freeradius-server-3.0.0/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c +--- freeradius-server-3.0.0.pre-patch/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c 2013-11-26 12:33:38.645517611 -0500 ++++ freeradius-server-3.0.0/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c 2013-11-26 13:22:44.218580815 -0500 +@@ -324,7 +324,7 @@ + */ + fr_md5_calc(hash, buffer, 16 + 8 + 24 + 8 + 24); + +- q = talloc_array(vp, char, 16 + sizeof("leap:session-key=")); ++ q = talloc_array(vp, char, FR_TUNNEL_PW_ENC_LENGTH(16) + sizeof("leap:session-key=")); + strcpy(q, "leap:session-key="); + + memcpy(q 
+ 17, hash, 16); +@@ -395,6 +395,9 @@ + { + leap_packet_raw_t *data; + ++ rad_assert(eap_ds->request); ++ rad_assert(reply); ++ + /* + * We need the name and the challenge. + */ +diff -r -u freeradius-server-3.0.0.pre-patch/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h freeradius-server-3.0.0/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h +--- freeradius-server-3.0.0.pre-patch/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h 2013-11-26 12:33:38.645517611 -0500 ++++ freeradius-server-3.0.0/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h 2013-11-26 13:22:36.311578784 -0500 +@@ -41,10 +41,10 @@ + typedef struct leap_packet { + unsigned char code; + unsigned char id; +- int length; ++ size_t length; + int count; + unsigned char *challenge; +- int name_len; ++ size_t name_len; + char *name; + } leap_packet_t; + +diff -r -u freeradius-server-3.0.0.pre-patch/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c freeradius-server-3.0.0/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c +--- freeradius-server-3.0.0.pre-patch/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c 2013-11-26 12:33:38.645517611 -0500 ++++ freeradius-server-3.0.0/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c 2013-11-26 13:22:36.312578784 -0500 +@@ -96,11 +96,13 @@ + leap_packet_t *reply; + VALUE_PAIR *password; + ++ rad_assert(request); ++ + if (!handler->opaque) { + REDEBUG("Cannot authenticate without LEAP history"); + return 0; + } +- session = (leap_session_t *) handler->opaque; ++ session = talloc_get_type_abort(handler->opaque, leap_session_t); + reply = NULL; + + /* diff --git a/freeradius.spec b/freeradius.spec index eb069aa..42025c1 100644 --- a/freeradius.spec +++ b/freeradius.spec 
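Review bot: The `PAD(_x, _y)` macro added to libradius.h leaves `_y` unparenthesized (`(_y - ((_x) % _y))`), so a non-trivial second argument would mis-associate; `#define PAD(_x, _y) ((_y) - ((_x) % (_y)))` is the safe form, and `FR_TUNNEL_PW_ENC_LENGTH` evaluates `_x` twice, which is fine only while callers pass constants like the `16` used here. The talloc_array change in eap_leap.c is the real fix: the macro yields 34 bytes for a 16-byte key (2 + 1 + 16 + PAD(17, 16)), 18 more than the old `16 + sizeof("leap:session-key=")` allocation reserved for the encoded value, which matches the memory-corruption report the commit cites. The patch header says it applies 3 upstream commits but lists four (d8f91f97, 4203125, e96eeea, 457beab); if 457beab "Sanity checks for leap" also carried wire-length validation beyond the `rad_assert` calls visible here, that part is absent from this backport and worth confirming against upstream. The inner eap_leap.c and rlm_eap_leap.c hunks start and end inside their enclosing functions, whose bodies lie outside the hunk.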
@@ -1,13 +1,13 @@ Summary: High-performance and highly configurable free RADIUS server Name: freeradius Version: 3.0.0 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Daemons URL: http://www.freeradius.org/ # Is elliptic curve cryptography supported? -%if 0%{?rhel} >= 7 +%if 0%{?rhel} >= 7 || 0%{fedora} >= 20 %global HAVE_EC_CRYPTO 1 %else %global HAVE_EC_CRYPTO 0 @@ -23,6 +23,7 @@ Source104: freeradius-tmpfiles.conf Patch1: freeradius-redhat-config.patch Patch2: freeradius-bool-config.patch +Patch3: freeradius-rlm_leap.patch %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} @@ -177,8 +178,9 @@ This plugin provides the unixODBC support for the FreeRADIUS server project. %prep %setup -q -n %{dist_base} -%patch1 -p1 -b .redhat-config -%patch2 -p1 -b .bool-config +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build # Force compile/link options, extra security for network facing daemon @@ -219,6 +221,7 @@ install -D -m 644 %{SOURCE103} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/radiusd mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d mkdir -p %{buildroot}%{_localstatedir}/run/ install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/ +install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp install -m 0644 %{SOURCE104} %{buildroot}%{_sysconfdir}/tmpfiles.d/radiusd.conf # remove unneeded stuff @@ -233,6 +236,8 @@ rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/serial* rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/dh rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/random +rm -f $RPM_BUILD_ROOT/%{_mandir}/man1/radeapclient.1 + rm -f $RPM_BUILD_ROOT/usr/sbin/rc.radiusd rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.a rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.la 
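Review bot: The new condition `%if 0%{?rhel} >= 7 || 0%{fedora} >= 20` uses `%{fedora}` without the `?` that `%{?rhel}` carries on the same line, so on a build where `fedora` is undefined (RHEL/EPEL) the macro is left unexpanded and the `%if` expression fails to parse. It should read `%if 0%{?rhel} >= 7 || 0%{?fedora} >= 20`.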
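Review bot: `install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp` and the matching `%dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp` entry in @@ -314,6 +319,7 @@ create the directory only in the package payload; the diffstat shows freeradius-tmpfiles.conf (Source104) untouched, so on a system where /var/run is a tmpfs the directory disappears at the first reboot unless radiusd recreates it, and an enabled tls-common.verify would then fail to write its client-certificate files. Adding a `d /run/radiusd/tmp 0700 radiusd radiusd -` line to the tmpfiles configuration next to whatever it already declares for /run/radiusd keeps the install-time and boot-time state consistent.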
@@ -314,6 +319,7 @@ exit 0 %{_unitdir}/radiusd.service %config %{_sysconfdir}/tmpfiles.d/radiusd.conf %dir %attr(710,radiusd,radiusd) %{_localstatedir}/run/radiusd +%dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp %dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd # configs (raddb) @@ -570,10 +576,6 @@ exit 0 %{_libdir}/freeradius/rlm_wimax.so %{_libdir}/freeradius/rlm_yubikey.so -%files doc - -%doc %{docdir}/ - # main man pages %doc %{_mandir}/man5/clients.conf.5.gz %doc %{_mandir}/man5/dictionary.5.gz @@ -601,9 +603,16 @@ exit 0 %doc %{_mandir}/man8/radmin.8.gz %doc %{_mandir}/man8/radrelay.8.gz +%files doc + +%doc %{docdir}/ + + +%files utils +/usr/bin/* + # utils man pages %doc %{_mandir}/man1/radclient.1.gz -%doc %{_mandir}/man1/radeapclient.1.gz %doc %{_mandir}/man1/radlast.1.gz %doc %{_mandir}/man1/radtest.1.gz %doc %{_mandir}/man1/radwho.1.gz @@ -616,10 +625,6 @@ exit 0 %doc %{_mandir}/man8/radsqlrelay.8.gz %doc %{_mandir}/man8/rlm_ippool_tool.8.gz - -%files utils -/usr/bin/* - %files devel /usr/include/freeradius @@ -722,6 +727,17 @@ exit 0 %{_libdir}/freeradius/rlm_sql_unixodbc.so %changelog +* Tue Nov 26 2013 John Dennis - 3.0.0-4 +- resolves: bug#1031035 + remove radeapclient man page, + upstream no longer supports radeapclient, use eapol_test instead +- resolves: bug#1031061 + rlm_eap_leap memory corruption, see freeradius-rlm_leap.patch +- move man pages for utils into utils subpackage from doc subpackage +- fix HAVE_EC_CRYPTO test to include f20 +- add new directory /var/run/radiusd/tmp + update mods-available/eap so tls-common.verify.tmpdir to point to it + * Wed Nov 13 2013 John Dennis - 3.0.0-3 - resolves: bug#1029941 PW_TYPE_BOOLEAN config item should be declared int, not bool
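Review bot: Deleting `%files doc` ahead of the `# main man pages` block in @@ -570,10 +576,6 @@ moves clients.conf.5, dictionary.5, radmin.8, radrelay.8 and the other man5/man8 pages into whichever `%files` section precedes them, apparently the main package that lists `%{_libdir}/freeradius/rlm_*.so`, while the commit message and changelog describe only the utils man pages moving. If that is intended it deserves its own changelog line; otherwise the `%files doc` header should stay in front of the main man pages and only the utils block in @@ -601,9 +603,16 @@ needs reordering. The `%files utils` / `/usr/bin/*` lines added there are the same text as the block removed in @@ -616,10 +625,6 @@, so that part is a pure move.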