|
@ -0,0 +1,39 @@
|
|||
Author: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri Jul 2 07:12:48 2021 -0400
|
||||
Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
|
||||
|
||||
FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
|
||||
explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
|
||||
variable to 1 or else FR should exit at start.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
|
||||
Signed-off-by: Antonio Torres antorres@redhat.com
|
||||
---
|
||||
src/main/radiusd.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
|
||||
index 9739514509..58a48895e6 100644
|
||||
--- a/src/main/radiusd.c
|
||||
+++ b/src/main/radiusd.c
|
||||
@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
|
||||
+ */
|
||||
+ char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
|
||||
+ FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
|
||||
+ if (fips_file != NULL) {
|
||||
+ int fips_enabled = fgetc(fips_file) - '0';
|
||||
+ fclose(fips_file);
|
||||
+ if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
|
||||
+ fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* According to the talloc peeps, no two threads may modify any part of
|
||||
* a ctx tree with a common root without synchronisation.
|
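Review bot: When RADIUS_MD5_FIPS_OVERRIDE=1 is honoured on a host where fips_enabled reads as 1, the new block in main() stays silent, so nothing in the startup output records that the server is knowingly running with a non-approved digest; operators and auditors need that trace. Add an `else if (fips_enabled == 1)` branch after the `exit(EXIT_FAILURE);` that writes a warning, e.g. `fprintf(stderr, "Warning: host is in FIPS mode but RADIUS_MD5_FIPS_OVERRIDE=1 is set; MD5 usage is not FIPS-approved.\n");`. Two smaller points: `fgetc(fips_file) - '0'` turns an EOF or an unexpected byte into an arbitrary int, so comparing the raw character (`int c = fgetc(fips_file);` then `if (c == '1' && ...)`) reads more clearly, and `atoi` accepts `1abc` as 1 where `strtol` with an end-pointer check would reject it. The enclosing main() starts and ends outside the hunk.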
|
@ -0,0 +1,32 @@
|
|||
commit 1ce4508c92493cf03ea1b3c42e83540b387884fa
|
||||
Author: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri Jul 2 07:12:48 2021 -0400
|
||||
Subject: [PATCH] debug: don't set resource hard limit to zero
|
||||
|
||||
Setting the resource hard limit to zero is irreversible, meaning if it
|
||||
is set to zero then there is no way to set it higher. This means
|
||||
enabling core dump is not possible, since setting a new resource limit
|
||||
for RLIMIT_CORE would fail. By only setting the soft limit to zero, we
|
||||
can disable and enable core dumps without failures.
|
||||
|
||||
This fix is present in both main and 3.0.x upstream branches.
|
||||
|
||||
Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572
|
||||
Signed-off-by: Antonio Torres antorres@redhat.com
|
||||
---
|
||||
src/lib/debug.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/debug.c b/src/lib/debug.c
|
||||
index 576bcb2a65..6330c9cb66 100644
|
||||
--- a/src/lib/debug.c
|
||||
+++ b/src/lib/debug.c
|
||||
@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps)
|
||||
struct rlimit no_core;
|
||||
|
||||
no_core.rlim_cur = 0;
|
||||
- no_core.rlim_max = 0;
|
||||
+ no_core.rlim_max = core_limits.rlim_max;
|
||||
|
||||
if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
|
||||
fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));
|
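Review bot: The new `no_core.rlim_max = core_limits.rlim_max;` relies on `core_limits` having been filled earlier in fr_set_dumpable(), presumably by a getrlimit() call that is outside the hunk; if that call can fail, the hard limit is then copied from an uninitialised struct, so the setrlimit() should be skipped when the earlier call did not succeed. A short why-comment would also stop the next reader from reverting it: `/* Lower only the soft limit: a zero hard limit can never be raised again, so a later fr_set_dumpable(true) would fail. */`. fr_set_dumpable() starts and ends outside the hunk.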
|
@ -0,0 +1,51 @@
|
|||
From e2de6fab148e800380f1929fe4ea88a38de42053 Mon Sep 17 00:00:00 2001
|
||||
From: "Alan T. DeKok" <aland@freeradius.org>
|
||||
Date: Wed, 20 Nov 2019 13:59:54 -0500
|
||||
Subject: [PATCH] a better fix for commit 30ffd21
|
||||
|
||||
Which still runs post-proxy-type fail if all of the home servers
|
||||
are dead
|
||||
|
||||
[antorres@redhat.com: solved in FR 3.0.21, resolves bz#2030173]
|
||||
[antorres@redhat.com: removed first hunk of commit, already present]
|
||||
---
|
||||
src/main/process.c | 9 +++------
|
||||
1 file changed, 3 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/main/process.c b/src/main/process.c
|
||||
index c8b3af24e2..1a48517d43 100644
|
||||
--- a/src/main/process.c
|
||||
+++ b/src/main/process.c
|
||||
@@ -2475,13 +2474,12 @@ static int process_proxy_reply(REQUEST *request, RADIUS_PACKET *reply)
|
||||
}
|
||||
|
||||
old_server = request->server;
|
||||
- rad_assert(request->home_server != NULL);
|
||||
|
||||
/*
|
||||
* If the home server is virtual, just run pre_proxy from
|
||||
* that section.
|
||||
*/
|
||||
- if (request->home_server->server) {
|
||||
+ if (request->home_server && request->home_server->server) {
|
||||
request->server = request->home_server->server;
|
||||
|
||||
} else {
|
||||
@@ -3182,13 +3180,12 @@ do_home:
|
||||
}
|
||||
|
||||
old_server = request->server;
|
||||
- rad_assert(request->home_server != NULL);
|
||||
|
||||
/*
|
||||
* If the home server is virtual, just run pre_proxy from
|
||||
* that section.
|
||||
*/
|
||||
- if (request->home_server->server) {
|
||||
+ if (request->home_server && request->home_server->server) {
|
||||
request->server = request->home_server->server;
|
||||
|
||||
} else {
|
||||
--
|
||||
2.31.1
|
||||
|
|
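Review bot: Both hunks (in process_proxy_reply and at the do_home label) guard only the `if` condition; when request->home_server is NULL control now enters the `else` branch, which is outside the hunk, and any use of request->home_server there (for its name or its own virtual-server section) would crash exactly as the removed rad_assert did, so that branch needs checking before this lands. The removed assertion also means a NULL home server is now tolerated without a trace; a debug line such as `RDEBUG2("No home server for proxied reply, using default server section");` in that path would keep the condition diagnosable. Both enclosing functions start and end outside the hunks.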
@ -0,0 +1,41 @@
|
|||
From 3fd832baf898fe6d6f974cd2d36d1c5206bc2209 Mon Sep 17 00:00:00 2001
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 12 Nov 2021 16:23:05 +0100
|
||||
Subject: [PATCH] Fix unterminated strings in SQL queries
|
||||
|
||||
Resolves: bz#2021247
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
raddb/mods-config/sql/ippool/mysql/queries.conf | 2 +-
|
||||
raddb/mods-config/sql/ippool/sqlite/queries.conf | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/raddb/mods-config/sql/ippool/mysql/queries.conf b/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||
index 2dfc6574dd..444812a047 100644
|
||||
--- a/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||
+++ b/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||
@@ -114,7 +114,7 @@ allocate_update = "\
|
||||
nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool_key}', \
|
||||
callingstationid = '%{Calling-Station-Id}', \
|
||||
username = '%{User-Name}', expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \
|
||||
- WHERE framedipaddress = '%I'
|
||||
+ WHERE framedipaddress = '%I'"
|
||||
|
||||
#
|
||||
# Use a stored procedure to find AND allocate the address. Read and customise
|
||||
diff --git a/raddb/mods-config/sql/ippool/sqlite/queries.conf b/raddb/mods-config/sql/ippool/sqlite/queries.conf
|
||||
index 31a5df3659..e92466108b 100644
|
||||
--- a/raddb/mods-config/sql/ippool/sqlite/queries.conf
|
||||
+++ b/raddb/mods-config/sql/ippool/sqlite/queries.conf
|
||||
@@ -89,7 +89,7 @@ allocate_update = "\
|
||||
callingstationid = '%{Calling-Station-Id}', \
|
||||
username = '%{User-Name}', \
|
||||
expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \
|
||||
- WHERE framedipaddress = '%I'
|
||||
+ WHERE framedipaddress = '%I'"
|
||||
|
||||
#
|
||||
# This series of queries frees an IP number when an accounting START record arrives
|
||||
--
|
||||
2.31.1
|
||||
|
|
@ -0,0 +1,72 @@
|
|||
Author: Antonio Torres <antorres@redhat.com>
|
||||
Date: Wed Jul 20 2021
|
||||
Subject: [PATCH] ensure bootstrap script is run only once
|
||||
|
||||
The bootstrap script should only run once. By checking if there are
|
||||
certificates in the directory, we can exit early if certificates were
|
||||
already generated.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
|
||||
Signed-off-by: Antonio Torres antorres@redhat.com
|
||||
---
|
||||
raddb/certs/README | 16 ++++++----------
|
||||
raddb/certs/bootstrap | 18 ++++++++++++------
|
||||
2 files changed, 18 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/raddb/certs/README b/raddb/certs/README
|
||||
index 6288921da1..32413964dd 100644
|
||||
--- a/raddb/certs/README
|
||||
+++ b/raddb/certs/README
|
||||
@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
|
||||
your users, and to issue client certificates for EAP-TLS.
|
||||
|
||||
If FreeRADIUS was configured to use OpenSSL, then simply starting
|
||||
-the server in root in debugging mode should also create test
|
||||
-certificates, i.e.:
|
||||
+the server in root mode should also create test certificates.
|
||||
|
||||
-$ radiusd -X
|
||||
-
|
||||
- That will cause the EAP-TLS module to run the "bootstrap" script in
|
||||
-this directory. The script will be executed only once, the first time
|
||||
-the server has been installed on a particular machine. This bootstrap
|
||||
-script SHOULD be run on installation of any pre-built binary package
|
||||
-for your OS. In any case, the script will ensure that it is not run
|
||||
-twice, and that it does not over-write any existing certificates.
|
||||
+ The start of FreeRADIUS will cause to run the "bootstrap" script.
|
||||
+The script will be executed during every start of FreeRADIUS via systemd but
|
||||
+the script will ensure that it does not overwrite any existing certificates.
|
||||
+Ideally, the bootstrap script file should be deleted after new testing certificates
|
||||
+have been generated.
|
||||
|
||||
If you already have CA and server certificates, rename (or delete)
|
||||
this directory, and create a new "certs" directory containing your
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 0f719aafd4..92254dc936 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -1,12 +1,18 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
-# This is a wrapper script to create default certificates when the
|
||||
-# server first starts in debugging mode. Once the certificates have been
|
||||
-# created, this file should be deleted.
|
||||
+# Bootstrap script should be run only once. If there are already certificates
|
||||
+# generated, skip the execution.
|
||||
+#
|
||||
+cd `dirname $0`
|
||||
+if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
|
||||
+ exit 0
|
||||
+fi
|
||||
+
|
||||
#
|
||||
-# Ideally, this program should be run as part of the installation of any
|
||||
-# binary package. The installation should also ensure that the permissions
|
||||
-# and owners are correct for the files generated by this script.
|
||||
+# This is a wrapper script to create default certificates when the
|
||||
+# server starts via systemd. It should also ensure that the
|
||||
+# permissions and owners are correct for the generated files. Once
|
||||
+# the certificates have been created, this file should be deleted.
|
||||
#
|
||||
# $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
|
||||
#
|
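Review bot: The new early-exit in raddb/certs/bootstrap depends on `cd \`dirname $0\`` succeeding, but its result is unchecked and unquoted, so a failed cd (or a path containing spaces) makes the glob test run in the wrong directory and the certificate generation further down proceed there; use `cd "$(dirname "$0")" || exit 1`. The test itself relies on brace expansion (`*.{pem,crt,key}`), which is not POSIX and silently never matches under a non-bash /bin/sh, so on such systems the script would regenerate certificates on every start; `if [ -n "$(ls *.pem *.crt *.key 2>/dev/null)" ]; then` expresses the same check portably. Note also that any single leftover .pem/.crt/.key file, for instance from an interrupted earlier run, now suppresses generation of all the others, so the README text added in the same commit should say that the directory must be emptied to re-bootstrap.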
|
@ -0,0 +1,47 @@
|
|||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 09 Dec 2022
|
||||
Subject: Fix crash on invalid abinary data
|
||||
|
||||
A malicious RADIUS client or home server can send a malformed abinary
|
||||
attribute which can cause the server to crash.
|
||||
|
||||
Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151706
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
diff --git a/src/lib/filters.c b/src/lib/filters.c
|
||||
index 4868cd385d9f..3f3b63daeef3 100644
|
||||
--- a/src/lib/filters.c
|
||||
+++ b/src/lib/filters.c
|
||||
@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
|
||||
}
|
||||
}
|
||||
} else if (filter->type == RAD_FILTER_GENERIC) {
|
||||
- int count;
|
||||
+ size_t count, masklen;
|
||||
+
|
||||
+ masklen = ntohs(filter->u.generic.len);
|
||||
+ if (masklen >= sizeof(filter->u.generic.mask)) {
|
||||
+ *p = '\0';
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
|
||||
p += i;
|
||||
|
||||
/* show the mask */
|
||||
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
|
||||
+ for (count = 0; count < masklen; count++) {
|
||||
i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
|
||||
p += i;
|
||||
outlen -= i;
|
||||
@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
|
||||
outlen--;
|
||||
|
||||
/* show the value */
|
||||
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
|
||||
+ for (count = 0; count < masklen; count++) {
|
||||
i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
|
||||
p += i;
|
||||
outlen -= i;
|
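Review bot: The new bail-out `*p = '\0'; return;` in print_abinary writes through p without checking that outlen is still non-zero; p has already been advanced by earlier snprintf calls outside the hunk, and the existing `p += i; outlen -= i;` pattern advances by snprintf's would-be length rather than the bytes written, so on a short output buffer p can already sit past the end, making `if (outlen > 0) *p = '\0';` the safer form. The bound is taken from sizeof(filter->u.generic.mask) while the second loop indexes `filter->u.generic.value[count]` with the same masklen; that is only sufficient if value[] is at least as large as mask[], which the hunk does not show, so either confirm it or also check `masklen >= sizeof(filter->u.generic.value)`. Because the function returns void, the truncation is invisible to the caller; a debug log at the bail-out would make malformed abinary data visible in triage. print_abinary() starts and ends outside the hunks.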
|
@ -0,0 +1,115 @@
|
|||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 09 Dec 2022
|
||||
Subject: Fix crash on unknown option in EAP-SIM
|
||||
|
||||
When an EAP-SIM supplicant sends an unknown SIM option, the server will try to
|
||||
look that option up in the internal dictionaries. This lookup will fail, but the
|
||||
SIM code will not check for that failure. Instead, it will dereference a NULL
|
||||
pointer, and cause the server to crash.
|
||||
|
||||
Backport of:
|
||||
https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
|
||||
https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151704
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
|
||||
index cf1e8a7dd92..e438a844eab 100644
|
||||
--- a/src/modules/rlm_eap/libeap/eapsimlib.c
|
||||
+++ b/src/modules/rlm_eap/libeap/eapsimlib.c
|
||||
@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
|
||||
newvp->vp_length = 1;
|
||||
fr_pair_add(&(r->vps), newvp);
|
||||
|
||||
+ /*
|
||||
+ * EAP-SIM has a 1 octet of subtype, and 2 octets
|
||||
+ * reserved.
|
||||
+ */
|
||||
attr += 3;
|
||||
attrlen -= 3;
|
||||
|
||||
- /* now, loop processing each attribute that we find */
|
||||
- while(attrlen > 0) {
|
||||
+ /*
|
||||
+ * Loop over each attribute. The format is:
|
||||
+ *
|
||||
+ * 1 octet of type
|
||||
+ * 1 octet of length (value 1..255)
|
||||
+ * ((4 * length) - 2) octets of data.
|
||||
+ */
|
||||
+ while (attrlen > 0) {
|
||||
uint8_t *p;
|
||||
|
||||
- if(attrlen < 2) {
|
||||
+ if (attrlen < 2) {
|
||||
fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (!attr[1]) {
|
||||
+ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", attr[0],
|
||||
+ es_attribute_count);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
eapsim_attribute = attr[0];
|
||||
eapsim_len = attr[1] * 4;
|
||||
|
||||
+ /*
|
||||
+ * The length includes the 2-byte header.
|
||||
+ */
|
||||
if (eapsim_len > attrlen) {
|
||||
fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
|
||||
eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
|
||||
return 0;
|
||||
}
|
||||
|
||||
- if(eapsim_len > MAX_STRING_LEN) {
|
||||
- eapsim_len = MAX_STRING_LEN;
|
||||
- }
|
||||
- if (eapsim_len < 2) {
|
||||
- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
|
||||
- es_attribute_count);
|
||||
- return 0;
|
||||
- }
|
||||
+ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
|
||||
+ if (!newvp) {
|
||||
+ /*
|
||||
+ * RFC 4186 Section 8.1 says 0..127 are
|
||||
+ * "non-skippable". If one such
|
||||
+ * attribute is found and we don't
|
||||
+ * understand it, the server has to send:
|
||||
+ *
|
||||
+ * EAP-Request/SIM/Notification packet with an
|
||||
+ * (AT_NOTIFICATION code, which implies general failure ("General
|
||||
+ * failure after authentication" (0), or "General failure" (16384),
|
||||
+ * depending on the phase of the exchange), which terminates the
|
||||
+ * authentication exchange.
|
||||
+ */
|
||||
+ if (eapsim_attribute <= 127) {
|
||||
+ fr_strerror_printf("Unknown mandatory attribute %d, failing",
|
||||
+ eapsim_attribute);
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
|
||||
- newvp->vp_length = eapsim_len-2;
|
||||
- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
|
||||
- memcpy(p, &attr[2], eapsim_len-2);
|
||||
- fr_pair_add(&(r->vps), newvp);
|
||||
- newvp = NULL;
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * It's known, ccount for header, and
|
||||
+ * copy the value over.
|
||||
+ */
|
||||
+ newvp->vp_length = eapsim_len - 2;
|
||||
+
|
||||
+ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
|
||||
+ memcpy(p, &attr[2], newvp->vp_length);
|
||||
+ fr_pair_add(&(r->vps), newvp);
|
||||
+ }
|
||||
|
||||
/* advance pointers, decrement length */
|
||||
attr += eapsim_len;
|
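Review bot: The unknown-attribute branch treats a NULL from fr_pair_afrom_num() as "not in the dictionary", but that helper can presumably also return NULL on allocation failure (its definition is outside the hunk); for attribute numbers above 127 the loop then silently skips the attribute, so a comment or a separate allocation-failure check would make the intent explicit. The new comment cites RFC 4186 as requiring an EAP-Request/SIM/Notification for an unknown non-skippable attribute, yet the code only sets an error string and returns 0; either document that the caller is responsible for that notification or reword the comment to `We do not send the notification here; returning 0 fails the exchange and the caller reports it.` so the two no longer contradict each other. Typo in the new comment: `ccount for header` should read `account for header`. unmap_eapsim_basictypes() starts and ends outside the hunk.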
|
@ -0,0 +1,76 @@
|
|||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 09 Dec 2022
|
||||
Subject: Fix information leakage in EAP-PWD
|
||||
|
||||
The EAP-PWD function compute_password_element() leaks information about the
|
||||
password which allows an attacker to substantially reduce the size of an
|
||||
offline dictionary attack.
|
||||
|
||||
Patch adapted from: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151702
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
index d94851c3aa..9f86b62114 100644
|
||||
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
@@ -39,6 +39,8 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
|
||||
#include <freeradius-devel/radiusd.h>
|
||||
#include <freeradius-devel/modules.h>
|
||||
|
||||
+static uint8_t allzero[SHA256_DIGEST_LENGTH] = { 0x00 };
|
||||
+
|
||||
/* The random function H(x) = HMAC-SHA256(0^32, x) */
|
||||
static void H_Init(HMAC_CTX *ctx)
|
||||
{
|
||||
@@ -114,15 +116,13 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||
uint32_t *token)
|
||||
{
|
||||
BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
|
||||
- HMAC_CTX *ctx = NULL;
|
||||
+ EVP_MD_CTX *hmac_ctx;
|
||||
+ EVP_PKEY *hmac_pkey;
|
||||
uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr;
|
||||
int nid, is_odd, primebitlen, primebytelen, ret = 0;
|
||||
|
||||
- ctx = HMAC_CTX_new();
|
||||
- if (ctx == NULL) {
|
||||
- DEBUG("failed allocating HMAC context");
|
||||
- goto fail;
|
||||
- }
|
||||
+ MEM(hmac_ctx = EVP_MD_CTX_new());
|
||||
+ MEM(hmac_pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, allzero, sizeof(allzero)));
|
||||
|
||||
switch (grp_num) { /* from IANA registry for IKE D-H groups */
|
||||
case 19:
|
||||
@@ -203,13 +203,12 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||
* pwd-seed = H(token | peer-id | server-id | password |
|
||||
* counter)
|
||||
*/
|
||||
- H_Init(ctx);
|
||||
- H_Update(ctx, (uint8_t *)token, sizeof(*token));
|
||||
- H_Update(ctx, (uint8_t const *)id_peer, id_peer_len);
|
||||
- H_Update(ctx, (uint8_t const *)id_server, id_server_len);
|
||||
- H_Update(ctx, (uint8_t const *)password, password_len);
|
||||
- H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr));
|
||||
- H_Final(ctx, pwe_digest);
|
||||
+ EVP_DigestSignInit(hmac_ctx, NULL, EVP_sha256(), NULL, hmac_pkey);
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)token, sizeof(*token));
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_peer, id_peer_len);
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)id_server, id_server_len);
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t const *)password, password_len);
|
||||
+ EVP_DigestSignUpdate(hmac_ctx, (uint8_t *)&ctr, sizeof(ctr));
|
||||
|
||||
BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd);
|
||||
if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking",
|
||||
@@ -282,7 +281,8 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||
BN_clear_free(x_candidate);
|
||||
BN_clear_free(rnd);
|
||||
talloc_free(prfbuf);
|
||||
- HMAC_CTX_free(ctx);
|
||||
+ EVP_MD_CTX_free(hmac_ctx);
|
||||
+ EVP_PKEY_free(hmac_pkey);
|
||||
|
||||
return ret;
|
||||
}
|
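Review bot: In the compute_password_element hunk at `@@ -203,13 +203,12 @@` the old H_Final(ctx, pwe_digest) is removed but no EVP_DigestSignFinal() replaces it, so pwe_digest is never written before `BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd)` and the eap_pwd_kdf() call below it: the seed is derived from an uninitialised stack array, which is undefined behaviour and yields a password element no peer can reproduce. The hunk counts (13 old lines, 12 new) match the visible lines, so this is not a rendering artefact; add `size_t mdlen = SHA256_DIGEST_LENGTH;` to the declarations and `EVP_DigestSignFinal(hmac_ctx, pwe_digest, &mdlen);` after the last EVP_DigestSignUpdate(). The EVP_DigestSignInit/Update return values are also unchecked, whereas the removed code checked HMAC_CTX_new() and went to `fail`; a failure here would silently produce a wrong digest, so route those returns to the existing `fail` label as well. compute_password_element() starts and ends outside the hunks.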
|
@ -0,0 +1,93 @@
|
|||
From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
|
||||
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||||
Date: Fri, 14 Sep 2018 11:53:28 +0300
|
||||
Subject: [PATCH] man: Fix some typos
|
||||
|
||||
---
|
||||
man/man1/radzap.1 | 4 ++--
|
||||
man/man5/unlang.5 | 6 +++---
|
||||
man/man8/radcrypt.8 | 2 +-
|
||||
man/man8/radiusd.8 | 4 ++--
|
||||
4 files changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/man/man1/radzap.1 b/man/man1/radzap.1
|
||||
index a2d529d064..03b9a43a54 100644
|
||||
--- a/man/man1/radzap.1
|
||||
+++ b/man/man1/radzap.1
|
||||
@@ -1,4 +1,4 @@
|
||||
-.TH RADZAP 1 "8 April 2005" "" "FreeRadius Daemon"
|
||||
+.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon"
|
||||
.SH NAME
|
||||
radzap - remove rogue entries from the active sessions database
|
||||
.SH SYNOPSIS
|
||||
@@ -17,7 +17,7 @@ radzap - remove rogue entries from the active sessions database
|
||||
.RB [ \-x ]
|
||||
\fIserver[:port] secret\fP
|
||||
.SH DESCRIPTION
|
||||
-The FreeRadius server can be configured to maintain an active session
|
||||
+The FreeRADIUS server can be configured to maintain an active session
|
||||
database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1)
|
||||
use this database. Sometimes that database can get out of sync, and
|
||||
then it might contain rogue entries. \fBradzap\fP can clean up this
|
||||
diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
|
||||
index 40db5fa6e7..5f765f1787 100644
|
||||
--- a/man/man5/unlang.5
|
||||
+++ b/man/man5/unlang.5
|
||||
@@ -195,7 +195,7 @@ The <list> can be one of "request", "reply", "proxy-request",
|
||||
of Version 3, the <list> can be omitted, in which case "request" is
|
||||
assumed.
|
||||
|
||||
-The "control" list is the list of attributes maintainted internally by
|
||||
+The "control" list is the list of attributes maintained internally by
|
||||
the server that controls how the server processes the request. Any
|
||||
attribute that does not go in a packet on the network will generally
|
||||
be placed in the "control" list.
|
||||
@@ -397,7 +397,7 @@ Evaluates to true if 'foo' is a non-empty string (single quotes, double
|
||||
quotes, or back-quoted). Also evaluates to true if 'foo' is a
|
||||
non-zero number. Note that the language is poorly typed, so the
|
||||
string "0000" can be interpreted as a numerical zero. This issue can
|
||||
-be avoided by comparings strings to an empty string, rather than by
|
||||
+be avoided by comparing strings to an empty string, rather than by
|
||||
evaluating the string by itself.
|
||||
|
||||
If the word 'foo' is not a quoted string, then it can be taken as a
|
||||
@@ -854,7 +854,7 @@ failover tracking that nothing was done in the current section.
|
||||
.IP ok
|
||||
Instructs the server that the request was processed properly. This
|
||||
keyword can be used to over-ride earlier failures, if the local
|
||||
-administrator determines that the faiures are not catastrophic.
|
||||
+administrator determines that the failures are not catastrophic.
|
||||
.IP reject
|
||||
Causes the request to be immediately rejected
|
||||
.SH MODULE RETURN CODES
|
||||
diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
|
||||
index 08336c66f2..2917f60c46 100644
|
||||
--- a/man/man8/radcrypt.8
|
||||
+++ b/man/man8/radcrypt.8
|
||||
@@ -30,7 +30,7 @@ Use a MD5 (Message Digest 5) hash.
|
||||
Ignored if performing a password check.
|
||||
.IP "\-c --check"
|
||||
Perform a validation check on a password hash to verify if it matches
|
||||
-the plantext password.
|
||||
+the plaintext password.
|
||||
|
||||
.SH EXAMPLES
|
||||
.nf
|
||||
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
|
||||
index 98aef5e1be..2ef5ccf789 100644
|
||||
--- a/man/man8/radiusd.8
|
||||
+++ b/man/man8/radiusd.8
|
||||
@@ -211,11 +211,11 @@ This file is usually static. It defines all the possible RADIUS attributes
|
||||
used in the other configuration files. You don't have to modify it.
|
||||
It includes other dictionary files in the same directory.
|
||||
.IP hints
|
||||
-Defines certain hints to the radius server based on the users's loginname
|
||||
+Defines certain hints to the radius server based on the users' loginname
|
||||
or other attributes sent by the access server. It also provides for
|
||||
mapping user names (such as Pusername -> username). This provides the
|
||||
functionality that the \fILivingston 2.0\fP server has as "Prefix" and
|
||||
-"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
|
||||
+"Suffix" support in the \fIusers\fP file, but is more general. Of course
|
||||
the Livingston way of doing things is also supported, and you can even use
|
||||
both at the same time (within certain limits).
|
||||
.IP huntgroups
|
|
@ -6,7 +6,7 @@ After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.serv
|
|||
Type=forking
|
||||
PIDFile=/var/run/radiusd/radiusd.pid
|
||||
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
|
||||
ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap
|
||||
ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap
|
||||
ExecStartPre=/usr/sbin/radiusd -C
|
||||
ExecStart=/usr/sbin/radiusd -d /etc/raddb
|
||||
ExecReload=/usr/sbin/radiusd -C
|
||||
|
|
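Review bot: Prefixing the bootstrap ExecStartPre with `-` makes systemd ignore every non-zero exit from the script, not only the missing-file case the changelog describes, so a failed or partial certificate generation (permissions, openssl error) no longer stops radiusd from starting and the problem surfaces later as an EAP-TLS failure instead of at boot. If the intent is only to tolerate an absent script, express that condition in the unit instead: `ExecStartPre=/bin/sh -c 'test ! -f /etc/raddb/certs/bootstrap || /bin/sh /etc/raddb/certs/bootstrap'`. The rest of the unit is outside the hunk.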
|
@ -9,7 +9,7 @@
|
|||
Summary: High-performance and highly configurable free RADIUS server
|
||||
Name: freeradius
|
||||
Version: 3.0.20
|
||||
Release: 3%{?dist}
|
||||
Release: 14%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
Group: System Environment/Daemons
|
||||
URL: http://www.freeradius.org/
|
||||
|
@ -38,6 +38,15 @@ Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
|
|||
Patch6: freeradius-bootstrap-make-permissions.patch
|
||||
Patch7: freeradius-no-dh-param-load-FIPS.patch
|
||||
Patch8: freeradius-bootstrap-fixed-dhparam.patch
|
||||
Patch9: freeradius-man-Fix-some-typos.patch
|
||||
Patch10: freeradius-Fix-resource-hard-limit-error.patch
|
||||
Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
|
||||
Patch12: freeradius-bootstrap-run-only-once.patch
|
||||
Patch13: freeradius-Fix-unterminated-strings-in-SQL-queries.patch
|
||||
Patch14: freeradius-Fix-segfault-when-home_server-is-null.patch
|
||||
Patch15: freeradius-fix-crash-on-invalid-abinary-data.patch
|
||||
Patch16: freeradius-fix-crash-unknown-eap-sim.patch
|
||||
Patch17: freeradius-fix-info-leakage-eap-pwd.patch
|
||||
|
||||
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
|
||||
|
||||
|
@ -234,6 +243,15 @@ This plugin provides the REST support for the FreeRADIUS server project.
|
|||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
|
||||
# Add fixed dhparam file to the source to ensure `make tests` can run.
|
||||
cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
|
||||
|
@ -884,6 +902,53 @@ exit 0
|
|||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
||||
|
||||
%changelog
|
||||
* Fri Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-14
|
||||
- Fix defect found by Covscan
|
||||
Resolves: #2151704
|
||||
|
||||
* Fri Dec 09 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-13
|
||||
- Fix multiple CVEs
|
||||
- Add rpminspect configuration
|
||||
Resolves: #2151702
|
||||
Resolves: #2151704
|
||||
Resolves: #2151706
|
||||
|
||||
* Thu Dec 9 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-12
|
||||
- Fix segfault when home_server is null
|
||||
Resolves: bz#2030173
|
||||
|
||||
* Thu Nov 18 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-11
|
||||
- Fix unterminated strings in SQL queries
|
||||
Resolves: bz#2021247
|
||||
|
||||
* Fri Nov 12 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-10
|
||||
- Rebuild to pick up latest json-c
|
||||
Resolves: bz#2021818
|
||||
|
||||
* Tue Aug 03 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-9
|
||||
- radiusd.service: don't fail if bootstrap script is not present
|
||||
Resolves: bz#1954521
|
||||
|
||||
* Fri Jul 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-8
|
||||
- Extend info about boostrap script in README and comments
|
||||
Resolves: bz#1954521
|
||||
|
||||
* Wed Jul 21 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-7
|
||||
- Ensure bootstrap script is run only once
|
||||
Resolves: bz#1954521
|
||||
|
||||
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-6
|
||||
- Exit if host in FIPS mode and MD5 usage not explicitly allowed
|
||||
Resolves: bz#1958979
|
||||
|
||||
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-5
|
||||
- Fix coredump not being able to be enabled
|
||||
Resolves: bz#1977572
|
||||
|
||||
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-4
|
||||
- Fix some manpage typos
|
||||
Resolves: bz#1843807
|
||||
|
||||
* Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
|
||||
- Require make for proper bootstrap execution, removes post script
|
||||
Resolves: bz#1672285
|
||||
|
|
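Review bot: The new %changelog entry `* Fri Dec 14 2022 Antonio Torres <antorres@redhat.com> - 3.0.20-14` has a weekday that does not match the date (14 Dec 2022 was a Wednesday), so rpmbuild will warn about a bogus date in %changelog; correct either the weekday or the day number. The 3.0.20-13 entry says `Fix multiple CVEs` without naming them, and its Resolves lines give only Bugzilla ids; listing the CVE identifiers alongside each bug keeps the security errata traceable from the package alone. The Release bump and the Patch15–Patch17 declarations are consistent with the %patch15–%patch17 applications added in the %prep hunk.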