diff --git a/SOURCES/freeradius-disable-internal-OpenSSL-cache.patch b/SOURCES/freeradius-disable-internal-OpenSSL-cache.patch
new file mode 100644
index 0000000..9268392
--- /dev/null
+++ b/SOURCES/freeradius-disable-internal-OpenSSL-cache.patch
@@ -0,0 +1,109 @@
+From c76016d3b8051f8e4f55cd547d29d4ac9ec33062 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok"
+Date: Mon, 8 May 2017 16:38:56 -0400
+Subject: [PATCH] disable internal OpenSSL cache
+
+(cherry picked from commit af030bd4e19c9149e2ffd898ad0c4dfde78c29be)
+---
+ raddb/mods-available/eap | 18 ++++++++----------
+ raddb/sites-available/tls | 17 ++++++++---------
+ src/main/tls.c | 4 ++--
+ 3 files changed, 18 insertions(+), 21 deletions(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 95ef66619..e51860ac2 100644
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -352,6 +352,13 @@ eap {
+ # Deleting the entire "cache" subsection
+ # also disables caching.
+ #
++ # As of version 3.0.4-8 (upstream 3.0.14), the
++ # session cache requires the use of the "name" and
++ # "persist_dir" configuration items, below.
++ #
++ # The internal OpenSSL session cache has been
++ # permanently disabled.
++ #
+ # You can disallow resumption for a
+ # particular user by adding the following
+ # attribute to the control item list:
+@@ -362,7 +369,7 @@ eap {
+ # enable resumption for just one user
+ # by setting the above attribute to "yes".
+ #
+- enable = yes
++ enable = no
+
+ #
+ # Lifetime of the cached entries, in hours.
+@@ -372,15 +379,6 @@ eap {
+ lifetime = 24 # hours
+
+ #
+- # The maximum number of entries in the
+- # cache. Set to "0" for "infinite".
+- #
+- # This could be set to the number of users
+- # who are logged in... which can be a LOT.
+- #
+- max_entries = 255
+-
+- #
+ # Internal "name" of the session cache.
+ # Used to distinguish which TLS context
+ # sessions belong to.
+diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
+index 1ba876745..df687584e 100644
+--- a/raddb/sites-available/tls
++++ b/raddb/sites-available/tls
+@@ -231,6 +231,14 @@ listen {
+ # Deleting the entire "cache" subsection
+ # Also disables caching.
+ #
++ #
++ # As of version 3.0.4-8 (upstream 3.0.14), the session
++ # cache requires the use of the "name" and
++ # "persist_dir" configuration items, below.
++ #
++ # The internal OpenSSL session cache has been
++ # permanently disabled.
++ #
+ # You can disallow resumption for a
+ # particular user by adding the following
+ # attribute to the control item list:
+@@ -251,15 +259,6 @@ listen {
+ lifetime = 24 # hours
+
+ #
+- # The maximum number of entries in the
+- # cache. Set to "0" for "infinite".
+- #
+- # This could be set to the number of users
+- # who are logged in... which can be a LOT.
+- #
+- max_entries = 255
+-
+- #
+ # Internal "name" of the session cache.
+ # Used to distinguish which TLS context
+ # sessions belong to.
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 42b538c4c..b790d2dc1 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -2489,9 +2489,9 @@ post_ca:
+ }
+
+ /*
+- * Cache it, and DON'T auto-clear it.
++ * Cache it, DON'T auto-clear it, and disable the internal OpenSSL session cache.
+ */
+- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR);
++ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR | SSL_SESS_CACHE_NO_INTERNAL);
+
+ SSL_CTX_set_session_id_context(ctx,
+ (unsigned char *) conf->session_context_id,
+--
+2.11.0
+
diff --git a/SOURCES/freeradius-set-S_IWUSER-when-creating-the-file.patch b/SOURCES/freeradius-set-S_IWUSER-when-creating-the-file.patch
new file mode 100644
index 0000000..df8d501
--- /dev/null
+++ b/SOURCES/freeradius-set-S_IWUSER-when-creating-the-file.patch
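Review bot: The updated comment in the tls.c hunk restates the flag names but not why the internal cache is now off, so a later maintainer seeing resumption fail has no hint that dropping `SSL_SESS_CACHE_NO_INTERNAL` would reopen the problem. I would extend it to something like `/* Cache it, DON'T auto-clear it, and stop OpenSSL from resuming sessions out of its own internal cache: resumption must go through the server's session cache (see CVE-2017-9148). */`, the CVE being the one the spec changelog ties this patch to. The two raddb hunks already explain the operator-visible effect, so only the code comment is missing the rationale. The function around this call in tls.c begins and ends outside the hunk.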
@@ -0,0 +1,26 @@
+From 608943a10f589974191fe69ec6ab2b9b456fd85b Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok"
+Date: Mon, 8 May 2017 16:00:01 -0400
+Subject: [PATCH] set S_IWUSER when creating the file
+
+(cherry picked from commit 8f53382c64114936a0433d68101a24570783e13a)
+---
+ src/main/tls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index b790d2dc1..887f81755 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -1143,7 +1143,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
+ /* open output file */
+ snprintf(filename, sizeof(filename), "%s%c%s.asn1",
+ conf->session_cache_path, FR_DIR_SEP, buffer);
+- fd = open(filename, O_RDWR|O_CREAT|O_EXCL, 0600);
++ fd = open(filename, O_RDWR|O_CREAT|O_EXCL, S_IWUSR);
+ if (fd < 0) {
+ DEBUG2(" SSL: could not open session file %s: %s", filename, fr_syserror(errno));
+ goto error;
+--
+2.11.0
+
diff --git a/SPECS/freeradius.spec b/SPECS/freeradius.spec
index dc1e5d7..d10f52f 100644
--- a/SPECS/freeradius.spec
+++ b/SPECS/freeradius.spec
@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.4
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@@ -53,6 +53,8 @@ Patch29: freeradius-Resolve-to-all-families-on-ip_hton-fallback.patch
 Patch30: freeradius-Don-t-overwrite-ip_hton-af-prefix-in-fr_pton4-6.patch
 Patch31: freeradius-raddb-Comment-on-ipaddr-ipv4addr-ipv6addr-use.patch
 Patch32: freeradius-Rename-lt_-symbols-to-fr_.patch
+Patch33: freeradius-disable-internal-OpenSSL-cache.patch
+Patch34: freeradius-set-S_IWUSER-when-creating-the-file.patch
 
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
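Review bot: The new mode in the tls.c hunk is narrower than the literal it replaces: `0600` is `S_IRUSR|S_IWUSR`, whereas `S_IWUSR` alone creates the session file as owner-write-only (0200), so any later open of that file for reading by an unprivileged radiusd would fail with EACCES. The `open()` on this line itself keeps working because, at least on Linux, a file created by the same call is opened with the requested access regardless of its new permission bits, which is why the write path will not surface the problem. If the intent is only to replace the octal literal with symbolic constants, the line should read `fd = open(filename, O_RDWR|O_CREAT|O_EXCL, S_IRUSR|S_IWUSR);`; if write-only is deliberate, a comment on the line saying so (and naming what reads the file back) would save the next reader the same question. The code that reads the cache file is outside this hunk, so I cannot confirm which case applies; cbtls_new_session continues beyond the hunk as well.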
@@ -241,6 +243,8 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
 %patch30 -p1
 %patch31 -p1
 %patch32 -p1
+%patch33 -p1
+%patch34 -p1
 
 %build
 # Force compile/link options, extra security for network facing daemon
@@ -825,6 +829,11 @@ exit 0
 %{_libdir}/freeradius/rlm_sql_unixodbc.so
 
 %changelog
+* Thu Jun 15 2017 Nikolai Kondrashov - 3.0.4-8
+- Disable internal OpenSSL cache and fix session cache file permissions.
+ Resolves: Bug#1459131 CVE-2017-9148 freeradius: TLS resumption
+ authentication bypass
+
 * Mon Nov 14 2016 Nikolai Kondrashov - 3.0.4-7
 - Rename lt_ symbols to fr_ to avoid clashes with libltdl.
 Resolves: Bug#1394787