From df082d59b6255f2844a722ca2401050b6f0f6a4e Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 09 2019 14:32:55 +0000 Subject: import freeradius-3.0.13-10.el7_6 --- diff --git a/SOURCES/freeradius-EAP-PWD-curve-handling.patch b/SOURCES/freeradius-EAP-PWD-curve-handling.patch new file mode 100644 index 0000000..3b24a48 --- /dev/null +++ b/SOURCES/freeradius-EAP-PWD-curve-handling.patch @@ -0,0 +1,45 @@ +diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c +index 7f91e4b230..848ca2055e 100644 +--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c ++++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c +@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_ + data_len = BN_num_bytes(session->order); + BN_bin2bn(ptr, data_len, session->peer_scalar); + ++ /* validate received scalar */ ++ if (BN_is_zero(session->peer_scalar) || ++ BN_is_one(session->peer_scalar) || ++ BN_cmp(session->peer_scalar, session->order) >= 0) { ++ ERROR("Peer's scalar is not within the allowed range"); ++ goto finish; ++ } ++ + if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) { + DEBUG2("pwd: unable to get coordinates of peer's element"); + goto finish; + } + ++ /* validate received element */ ++ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) || ++ EC_POINT_is_at_infinity(session->group, session->peer_element)) { ++ ERROR("Peer's element is not a point on the elliptic curve"); ++ goto finish; ++ } ++ + /* check to ensure peer's element is not in a small sub-group */ + if (BN_cmp(cofactor, BN_value_one())) { + if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) { +@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_ + } + } + ++ /* detect reflection attacks */ ++ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 || ++ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) { ++ ERROR("Reflection attack detected"); ++ goto finish; ++ } ++ + /* compute the shared key, k */ + if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) || + (!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) || diff --git a/SPECS/freeradius.spec b/SPECS/freeradius.spec index da5e9ac..1b22f88 100644 --- a/SPECS/freeradius.spec +++ b/SPECS/freeradius.spec @@ -1,7 +1,7 @@ Summary: High-performance and highly configurable free RADIUS server Name: freeradius Version: 3.0.13 -Release: 9%{?dist} +Release: 10%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Daemons URL: http://www.freeradius.org/ @@ -37,6 +37,7 @@ Patch13: freeradius-FR-GV-303-do-memchr-of-end-p-not-q-p.patch Patch14: freeradius-FR-GV-304-check-for-option-overflowing-the-packet.patch Patch15: freeradius-FR-GV-201-check-input-output-length-in-make_secret.patch Patch16: freeradius-Fix-double-free-in-rlm_sql-acct_redundant.patch +Patch17: freeradius-EAP-PWD-curve-handling.patch %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} @@ -209,6 +210,7 @@ This plugin provides the unixODBC support for the FreeRADIUS server project. %patch14 -p1 %patch15 -p1 %patch16 -p1 +%patch17 -p1 %build # Force compile/link options, extra security for network facing daemon @@ -809,6 +811,10 @@ exit 0 %{_libdir}/freeradius/rlm_sql_unixodbc.so %changelog +* Thu Apr 25 2019 Alexander Scheel - 3.0.13-10 +- Fixes two EAP-PWD security issues + Resolves: bz#1699413 authentication bypass with an invalid curve attack + * Thu Feb 22 2018 Nikolai Kondrashov - 3.0.13-9 - Fix double free in rlm_sql acct_redundant Resolves: Bug#1551069 Radius service crashes with "Bad talloc magic value -