I got the idea from https://www.debian.org/security/faq#upload. Is the FAQ
outdated, or did I read it wrong? If the latter, please elaborate so that
we can update the docs to be more clear.

Note that FreeRADIUS is not complex to test. The only functional tests I do
before uploading are running autopkgtest and checking whether a freshly
installed FreeRADIUS starts up.

Also note that the patch is rather simple — it permanently disables TLS
session caching by hard-coding every `session_cache_enable` check in
rlm_eap_tls.c to 0 (false), so the corresponding configuration option is
silently ignored at runtime. I have attached the corresponding patches for
the jessie and wheezy versions.

Please let me know how to proceed from here.

On Wed, May 31, 2017 at 10:32 PM, Moritz Muehlenhoff <j...@debian.org> wrote:

> On Tue, May 30, 2017 at 05:50:20PM +0200, Michael Stapelberg wrote:
> > security-team, can you take care of applying the patch to stable and
> > oldstable please? Thank you.
>
> No, we generally expect maintainers to prepare/test security updates,
> particularly for packages which are complex to test like freeradius.
>
> Cheers,
>         Moritz
>



-- 
Best regards,
Michael
diff --git i/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c w/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
index 53955ba..1564238 100644
--- i/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+++ w/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
@@ -1000,7 +1000,7 @@ static SSL_CTX *init_tls_ctx(EAP_TLS_CONF *conf)
 	/*
 	 *	Callbacks, etc. for session resumption.
 	 */						      
-	if (conf->session_cache_enable) {
+	if (/*conf->session_cache_enable*/0) {
 		SSL_CTX_sess_set_new_cb(ctx, cbtls_new_session);
 		SSL_CTX_sess_set_get_cb(ctx, cbtls_get_session);
 		SSL_CTX_sess_set_remove_cb(ctx, cbtls_remove_session);
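Review bot: Stubbing the condition to `if (/*conf->session_cache_enable*/0)` leaves commented-out code in the tree and, repeated across five call sites, gives an administrator who still enables the cache option no indication that it is ignored. A single change near the start of init_tls_ctx would disable all of them at once and can log the fact: `if (conf->session_cache_enable) { /* warn via the file's non-request logging call */ conf->session_cache_enable = 0; }` — every later `session_cache_enable` test then evaluates to false unchanged, assuming `inst->conf` in eaptls_initiate/eaptls_authenticate refers to the same EAP_TLS_CONF this function receives, which is not visible here. init_tls_ctx starts outside the hunk, and which logging call is usable without a request is not shown in this diff, so both points need to be confirmed against the full file.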
@@ -1056,7 +1056,7 @@ static SSL_CTX *init_tls_ctx(EAP_TLS_CONF *conf)
 	/*
 	 *	Setup session caching
 	 */
-	if (conf->session_cache_enable) {
+	if (/*conf->session_cache_enable*/0) {
 		/*
 		 *	Create a unique context Id per EAP-TLS configuration.
 		 */
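Review bot: Forcing this branch off leaves it to the else branch, which is outside the hunk, to put the SSL_CTX into SSL_SESS_CACHE_OFF mode; an OpenSSL context defaults to SSL_SESS_CACHE_SERVER, so if that call is not made libssl keeps storing sessions and offering them for resumption on its own. In that case the only remaining guard is that `allow_session_resumption` is never set to 1 elsewhere in this file. Confirm the else branch, or make the intent explicit directly after this block with `SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);` so the fix does not depend on code this patch does not touch.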
@@ -1333,7 +1333,7 @@ static int eaptls_initiate(void *type_arg, EAP_HANDLER *handler)
 	 *
 	 *	FIXME: Also do it every N sessions?
 	 */
-	if (inst->conf->session_cache_enable &&
+	if (/*inst->conf->session_cache_enable*/0 &&
 	    ((inst->conf->session_last_flushed + (inst->conf->session_timeout * 1800)) <= request->timestamp)) {
 		RDEBUG2("Flushing SSL sessions (of #%ld)",
 			SSL_CTX_sess_number(inst->ctx));
@@ -1471,7 +1471,7 @@ static int eaptls_initiate(void *type_arg, EAP_HANDLER *handler)
 		break;
 	}
 
-	if (inst->conf->session_cache_enable) {
+	if (/*inst->conf->session_cache_enable*/0) {
 		ssn->allow_session_resumption = 1; /* otherwise it's zero */
 	}
 
@@ -1558,7 +1558,7 @@ static int eaptls_authenticate(void *arg, EAP_HANDLER *handler)
 		 *	the client can't re-use it.
 		 */
 	default:
-		if (inst->conf->session_cache_enable) {	
+		if (/*inst->conf->session_cache_enable*/0) {
 			SSL_CTX_remove_session(inst->ctx,
 					       tls_session->ssl->session);
 		}
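Review bot: The `default:` arm now skips `SSL_CTX_remove_session` for a handshake that did not end in success, so a session object from a failed or incomplete authentication is left in whatever cache the context still has. That is safe only if caching is genuinely off at the SSL_CTX level, which depends on the else branch of the setup block that is not part of this diff. Removing the session unconditionally costs nothing when nothing was cached — the call simply returns 0 — and keeps this safety net independent of the cache mode: drop the `if` and keep `SSL_CTX_remove_session(inst->ctx, tls_session->ssl->session);` as the only statement. eaptls_authenticate continues past the end of the hunk.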
diff --git i/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c w/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
index 04640e9..450b6ff 100644
--- i/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+++ w/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
@@ -1183,7 +1183,7 @@ static SSL_CTX *init_tls_ctx(EAP_TLS_CONF *conf)
 	/*
 	 *	Callbacks, etc. for session resumption.
 	 */
-	if (conf->session_cache_enable) {
+	if (/*conf->session_cache_enable*/0) {
 		SSL_CTX_sess_set_new_cb(ctx, cbtls_new_session);
 		SSL_CTX_sess_set_get_cb(ctx, cbtls_get_session);
 		SSL_CTX_sess_set_remove_cb(ctx, cbtls_remove_session);
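Review bot: `if (/*conf->session_cache_enable*/0)` keeps dead, commented-out code at each of the five sites this patch touches and silently ignores an operator's cache setting. Clearing the flag once at the top of init_tls_ctx, with a log line, is a smaller and more visible change: `if (conf->session_cache_enable) { /* log that caching is disabled in this build */ conf->session_cache_enable = 0; }`. Whether the EAP_TLS_CONF passed here is the same object read as `inst->conf.session_cache_enable` in the later hunks is not visible in this diff and would need checking, and init_tls_ctx begins outside the hunk.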
@@ -1241,7 +1241,7 @@ static SSL_CTX *init_tls_ctx(EAP_TLS_CONF *conf)
 	/*
 	 *	Setup session caching
 	 */
-	if (conf->session_cache_enable) {
+	if (/*conf->session_cache_enable*/0) {
 		/*
 		 *	Create a unique context Id per EAP-TLS configuration.
 		 */
@@ -1507,7 +1507,7 @@ static int eaptls_initiate(void *type_arg, EAP_HANDLER *handler)
 	 *
 	 *	FIXME: Also do it every N sessions?
 	 */
-	if (inst->conf.session_cache_enable &&
+	if (/*inst->conf.session_cache_enable*/0 &&
 	    ((inst->conf.session_last_flushed + (inst->conf.session_timeout * 1800)) <= request->timestamp)) {
 		RDEBUG2("Flushing SSL sessions (of #%ld)",
 			SSL_CTX_sess_number(inst->ctx));
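Review bot: The `0 &&` operand leaves the entire `session_last_flushed + session_timeout * 1800 <= request->timestamp` comparison as unreachable code that compilers flag with constant-condition warnings and that reads as a leftover rather than a deliberate decision. If the per-site approach stays, state the intent instead of keeping the expression in a comment, e.g. `/* TLS session caching is disabled in this build; the cache is never flushed. */`, or wrap the whole flush block in `#if 0` / `#endif`. eaptls_initiate begins and continues outside the hunk.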
@@ -1645,7 +1645,7 @@ static int eaptls_initiate(void *type_arg, EAP_HANDLER *handler)
 		break;
 	}
 
-	if (inst->conf.session_cache_enable) {
+	if (/*inst->conf.session_cache_enable*/0) {
 		ssn->allow_session_resumption = 1; /* otherwise it's zero */
 	}
 
@@ -1774,7 +1774,7 @@ static int eaptls_authenticate(void *arg, EAP_HANDLER *handler)
 		 *	the client can't re-use it.
 		 */
 	default:
-		if (inst->conf.session_cache_enable) {
+		if (/*inst->conf.session_cache_enable*/0) {
 			SSL_CTX_remove_session(inst->ctx,
 					       tls_session->ssl->session);
 		}
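Review bot: With the `if` forced to 0, a session from a handshake that reached the `default:` arm is no longer evicted with `SSL_CTX_remove_session`, so it stays in the context's cache if libssl's own server-side cache was not switched off; the code that sets the cache mode is outside this diff. Calling `SSL_CTX_remove_session(inst->ctx, tls_session->ssl->session);` unconditionally is harmless when no session was stored and preserves the "client can't re-use it" guarantee the comment above the arm promises, regardless of cache mode. The surrounding eaptls_authenticate function continues beyond the hunk.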
