From feb37930707107748a31300acb5f30189b7232a3 Mon Sep 17 00:00:00 2001 From: Haixiao Yan Date: Mon, 18 Nov 2024 15:07:49 +0800 Subject: [PATCH] freeradius: upgrade 3.0.21 -> 3.0.27 ChangeLog: https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_27 Configuration changes: BlastRADIUS mitigations have been added to the "security" section. See require_message_authenticator and also limit_proxy_state. BlastRADIUS mitigations have been added to radclient. See man radclient, and the -b option. Security fixes: CVE-2024-3596: RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-3596 https://www.freeradius.org/security/ https://www.blastradius.fail/ https://www.inkbridgenetworks.com/web/content/2557?unique=47be02c8aed46c53b0765db185320249ad873d95 Signed-off-by: Haixiao Yan [Drop CVE-2024-3596 patch backported early] Signed-off-by: Armin Kuster --- .../files/0001-Add-autogen.sh.patch | 47 + ...-user-and-group-of-freeradius-serve.patch} | 12 +- ...onfigure.ac-allow-cross-compilation.patch} | 10 +- ...patch => 0004-Fix-libtool-detection.patch} | 33 +- ...-configure.ac-add-option-for-libcap.patch} | 12 +- ...h => 0006-Avoid-searching-host-dirs.patch} | 57 +- ...python-add-PY_INC_DIR-in-search-dir.patch} | 12 +- ...=> 0008-libtool-do-not-use-jlibtool.patch} | 24 +- ... => 0009-Fix-quoting-for-BUILD_WITH.patch} | 13 +- ...-for-expansion-of-macro-in-thread.h.patch} | 6 +- ...cludedir-instead-of-hardcoding-usr-.patch} | 17 +- ...ile-fix-the-existed-certificate-err.patch} | 10 +- ...ile-fix-the-occasional-verification.patch} | 17 +- ...-Workaround-error-with-autoconf-2.7.patch} | 14 +- ...rap-check-commands-of-openssl-exist.patch} | 10 +- ...6-version.c-don-t-print-build-flags.patch} | 6 +- .../freeradius/files/CVE-2022-41860.patch | 118 -- .../freeradius/files/CVE-2022-41861.patch | 53 - .../freeradius/files/CVE-2024-3596.patch | 1506 ----------------- ...eradius_3.0.21.bb => freeradius_3.0.27.bb} | 38 +- 20 files changed, 192 insertions(+), 1823 deletions(-) create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0001-Add-autogen.sh.patch rename meta-networking/recipes-connectivity/freeradius/files/{freeradius-enble-user-in-conf.patch => 0002-Enable-and-change-user-and-group-of-freeradius-serve.patch} (67%) rename meta-networking/recipes-connectivity/freeradius/files/{freeradius-configure.ac-allow-cross-compilation.patch => 0003-configure.ac-allow-cross-compilation.patch} (85%) rename meta-networking/recipes-connectivity/freeradius/files/{freeradius-libtool-detection.patch => 0004-Fix-libtool-detection.patch} (73%) rename meta-networking/recipes-connectivity/freeradius/files/{freeradius-configure.ac-add-option-for-libcap.patch => 0005-configure.ac-add-option-for-libcap.patch} (87%) rename meta-networking/recipes-connectivity/freeradius/files/{freeradius-avoid-searching-host-dirs.patch => 0006-Avoid-searching-host-dirs.patch} (85%) rename meta-networking/recipes-connectivity/freeradius/files/{freeradius-rlm_python-add-PY_INC_DIR.patch => 0007-rlm_python-add-PY_INC_DIR-in-search-dir.patch} (81%) rename meta-networking/recipes-connectivity/freeradius/files/{freeradius-libtool-do-not-use-jlibtool.patch => 0008-libtool-do-not-use-jlibtool.patch} (91%) rename meta-networking/recipes-connectivity/freeradius/files/{freeradius-fix-quoting-for-BUILT_WITH.patch => 0009-Fix-quoting-for-BUILD_WITH.patch} (87%) rename meta-networking/recipes-connectivity/freeradius/files/{freeradius-fix-error-for-expansion-of-macro.patch => 0010-fix-error-for-expansion-of-macro-in-thread.h.patch} (95%) rename meta-networking/recipes-connectivity/freeradius/files/{0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch => 0011-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch} (59%) rename meta-networking/recipes-connectivity/freeradius/files/{0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch => 0012-raddb-certs-Makefile-fix-the-existed-certificate-err.patch} (92%) rename meta-networking/recipes-connectivity/freeradius/files/{0001-raddb-certs-Makefile-fix-the-occasional-verification.patch => 0013-raddb-certs-Makefile-fix-the-occasional-verification.patch} (94%) rename meta-networking/recipes-connectivity/freeradius/files/{0001-workaround-error-with-autoconf-2.7.patch => 0014-Workaround-error-with-autoconf-2.7.patch} (77%) rename meta-networking/recipes-connectivity/freeradius/files/{check-openssl-cmds-in-script-bootstrap.patch => 0015-bootstrap-check-commands-of-openssl-exist.patch} (81%) rename meta-networking/recipes-connectivity/freeradius/files/{0001-version.c-don-t-print-build-flags.patch => 0016-version.c-don-t-print-build-flags.patch} (86%) delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch delete mode 100644 meta-networking/recipes-connectivity/freeradius/files/CVE-2024-3596.patch rename meta-networking/recipes-connectivity/freeradius/{freeradius_3.0.21.bb => freeradius_3.0.27.bb} (89%) diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-Add-autogen.sh.patch b/meta-networking/recipes-connectivity/freeradius/files/0001-Add-autogen.sh.patch new file mode 100644 index 0000000000..968998ddb6 --- /dev/null +++ b/meta-networking/recipes-connectivity/freeradius/files/0001-Add-autogen.sh.patch @@ -0,0 +1,47 @@ +From 3be3b9a1345942d1578ec73efa9b2e3c41bd67c5 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 21 Jan 2022 13:22:24 +0800 +Subject: [PATCH] Add autogen.sh + +The autogen.sh has been removed since 3.0.22[1]. But we still need it in +do_configure. Add it back. + +[1] https://github.com/FreeRADIUS/freeradius-server/commit/2e9b6227efd19e2b0926541aa26874908e7b7314 + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +Signed-off-by: Haixiao Yan +--- + autogen.sh | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + create mode 100755 autogen.sh + +diff --git a/autogen.sh b/autogen.sh +new file mode 100755 +index 0000000000..959182b39e +--- /dev/null ++++ b/autogen.sh +@@ -0,0 +1,19 @@ ++#!/bin/sh -e ++ ++parentdir=`dirname $0` ++ ++cd $parentdir ++parentdir=`pwd` ++m4include="-I$parentdir -I$parentdir/m4 -Im4" ++ ++autoreconf -Wcross --verbose --install --force ++ ++mysubdirs="$mysubdirs `find src/modules/ -name configure -print | sed 's%/configure%%'`" ++mysubdirs=`echo $mysubdirs` ++ ++for F in $mysubdirs ++do ++ echo "Configuring in $F..." ++ (cd $F && grep "^AC_CONFIG_HEADER" configure.ac > /dev/null || exit 0; autoheader $m4include) ++ (cd $F && autoconf $m4include) ++done +-- +2.25.1 + diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-enble-user-in-conf.patch b/meta-networking/recipes-connectivity/freeradius/files/0002-Enable-and-change-user-and-group-of-freeradius-serve.patch similarity index 67% rename from meta-networking/recipes-connectivity/freeradius/files/freeradius-enble-user-in-conf.patch rename to meta-networking/recipes-connectivity/freeradius/files/0002-Enable-and-change-user-and-group-of-freeradius-serve.patch index 4a62bf1fa2..c57ee93c33 100644 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-enble-user-in-conf.patch +++ b/meta-networking/recipes-connectivity/freeradius/files/0002-Enable-and-change-user-and-group-of-freeradius-serve.patch @@ -1,4 +1,8 @@ -Enable and change user and group of freeradius server to radiusd +From 2a74c10836c0d2d19248ca40d113936f4a56b039 Mon Sep 17 00:00:00 2001 +From: "Roy.Li" +Date: Sun, 8 Jan 2023 22:47:11 +0800 +Subject: [PATCH] Enable and change user and group of freeradius server to + radiusd Upstream-Status: Inappropriate [configuration] @@ -9,10 +13,10 @@ Signed-off-by: Jackie Huang 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in -index c62f4ff..0b4a84e 100644 +index 154b50d610..4594d6d2d2 100644 --- a/raddb/radiusd.conf.in +++ b/raddb/radiusd.conf.in -@@ -436,8 +436,8 @@ security { +@@ -557,8 +557,8 @@ security { # member. This can allow for some finer-grained access # controls. # @@ -24,5 +28,5 @@ index c62f4ff..0b4a84e 100644 # Core dumps are a bad thing. This should only be set to # 'yes' if you're debugging a problem with the server. -- -1.9.1 +2.25.1 diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-allow-cross-compilation.patch b/meta-networking/recipes-connectivity/freeradius/files/0003-configure.ac-allow-cross-compilation.patch similarity index 85% rename from meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-allow-cross-compilation.patch rename to meta-networking/recipes-connectivity/freeradius/files/0003-configure.ac-allow-cross-compilation.patch index 38e7c36227..e5442360b3 100644 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-allow-cross-compilation.patch +++ b/meta-networking/recipes-connectivity/freeradius/files/0003-configure.ac-allow-cross-compilation.patch @@ -1,4 +1,4 @@ -From 0780b7053fb0d33d721aa70ab2ecd75299e5ba31 Mon Sep 17 00:00:00 2001 +From ba1390a80662ff2ab7bfda978cde7df9a871f6ae Mon Sep 17 00:00:00 2001 From: Changqing Li Date: Tue, 24 Jul 2018 15:03:39 +0800 Subject: [PATCH] configure.ac: allow cross-compilation @@ -7,7 +7,7 @@ The checking OpenSSL library and header version consistency will always fail in cross compiling, skip the check and give a warning instead for cross compiling. -Upstream-Status: Inappropriate[embedded specific] +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Jackie Huang Signed-off-by: Yi Zhao @@ -19,10 +19,10 @@ Signed-off-by: Changqing Li 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/modules/rlm_krb5/configure.ac b/src/modules/rlm_krb5/configure.ac -index efc9f29..98a97e4 100644 +index a0f510cfb3..d2f3eca03e 100644 --- a/src/modules/rlm_krb5/configure.ac +++ b/src/modules/rlm_krb5/configure.ac -@@ -137,7 +137,8 @@ if test x$with_[]modname != xno; then +@@ -140,7 +140,8 @@ if test x$with_[]modname != xno; then FR_SMART_CHECK_LIB(krb5, krb5_is_thread_safe) if test "x$ac_cv_lib_krb5_krb5_is_thread_safe" = xyes; then AC_RUN_IFELSE([AC_LANG_PROGRAM([[#include ]], [[return krb5_is_thread_safe() ? 0 : 1]])], @@ -33,5 +33,5 @@ index efc9f29..98a97e4 100644 else krb5threadsafe="" -- -2.7.4 +2.25.1 diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-detection.patch b/meta-networking/recipes-connectivity/freeradius/files/0004-Fix-libtool-detection.patch similarity index 73% rename from meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-detection.patch rename to meta-networking/recipes-connectivity/freeradius/files/0004-Fix-libtool-detection.patch index 4265f9d0de..479e1ba76f 100644 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-detection.patch +++ b/meta-networking/recipes-connectivity/freeradius/files/0004-Fix-libtool-detection.patch @@ -1,9 +1,7 @@ -From bfe4d7ed72edc9d4ae1a0f0d2dd84367d6214886 Mon Sep 17 00:00:00 2001 +From 5ba3d140842268cbbdd983266efecb1fba5bdd59 Mon Sep 17 00:00:00 2001 From: Changqing Li Date: Thu, 22 Aug 2019 10:45:46 +0800 -Subject: [PATCH 1/2] Fix libtool detection - -Upstream-Status: pending +Subject: [PATCH] Fix libtool detection Use LT_INIT instead of the deprecated AC_PROG_LIBTOOL to detect libtool, so it can work with our libtoolize and libtool. @@ -12,37 +10,20 @@ Simplify the detection of ltdl. It will find the ltdl from the sysroot; the switch --with-system-libltdl is no longer needed. The code is copied from pulseaudio configure.ac, together with the comment paragraph. -Also patch autogen.sh so it uses autoreconf, which handles libtoolize better. +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Jesse Zhang Signed-off-by: Jackie Huang Signed-off-by: Changqing Li --- - autogen.sh | 5 +---- configure.ac | 36 ++++++++++++++++++++++++++++++++++++ - 2 files changed, 37 insertions(+), 4 deletions(-) + 1 file changed, 36 insertions(+) -diff --git a/autogen.sh b/autogen.sh -index a1d08a6..959182b 100755 ---- a/autogen.sh -+++ b/autogen.sh -@@ -6,10 +6,7 @@ cd $parentdir - parentdir=`pwd` - m4include="-I$parentdir -I$parentdir/m4 -Im4" - --libtoolize -f -c --#aclocal --autoheader --autoconf -+autoreconf -Wcross --verbose --install --force - - mysubdirs="$mysubdirs `find src/modules/ -name configure -print | sed 's%/configure%%'`" - mysubdirs=`echo $mysubdirs` diff --git a/configure.ac b/configure.ac -index a7abf00..65db61e 100644 +index ad8bc8cdda..ef8fced680 100644 --- a/configure.ac +++ b/configure.ac -@@ -220,6 +220,42 @@ dnl # See if we have Git. +@@ -321,6 +321,42 @@ dnl # See if we have Git. dnl # AC_CHECK_PROG(GIT, git, yes, no) @@ -86,5 +67,5 @@ index a7abf00..65db61e 100644 dnl AC_ARG_WITH(disablemodulefoo, dnl [ --without-rlm_foo Disables module compilation. Module list:] -- -2.7.4 +2.25.1 diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-add-option-for-libcap.patch b/meta-networking/recipes-connectivity/freeradius/files/0005-configure.ac-add-option-for-libcap.patch similarity index 87% rename from meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-add-option-for-libcap.patch rename to meta-networking/recipes-connectivity/freeradius/files/0005-configure.ac-add-option-for-libcap.patch index 4719358722..8ef3c4bdf9 100644 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-configure.ac-add-option-for-libcap.patch +++ b/meta-networking/recipes-connectivity/freeradius/files/0005-configure.ac-add-option-for-libcap.patch @@ -1,7 +1,7 @@ -From 98a9eff357959d1113e33a615c2178751d5b2054 Mon Sep 17 00:00:00 2001 +From 9548dc5e1a6c835cd4f387ba384d8f3f14c3fc8b Mon Sep 17 00:00:00 2001 From: Changqing Li Date: Thu, 22 Aug 2019 10:50:21 +0800 -Subject: [PATCH 2/2] configure.ac: add option for libcap +Subject: [PATCH] configure.ac: add option for libcap Upstream-Status: Pending @@ -12,10 +12,10 @@ Signed-off-by: Changqing Li 1 file changed, 27 insertions(+), 9 deletions(-) diff --git a/configure.ac b/configure.ac -index 65db61e..6486aac 100644 +index ef8fced680..263098f7fd 100644 --- a/configure.ac +++ b/configure.ac -@@ -977,6 +977,22 @@ fi +@@ -1161,6 +1161,22 @@ fi dnl Set by FR_SMART_CHECKLIB LIBS="${old_LIBS}" @@ -38,7 +38,7 @@ index 65db61e..6486aac 100644 dnl Check for cap dnl extra argument: --with-cap-lib-dir=DIR cap_lib_dir= -@@ -1010,15 +1026,17 @@ AC_ARG_WITH(cap-include-dir, +@@ -1194,15 +1210,17 @@ AC_ARG_WITH(cap-include-dir, ;; esac]) @@ -66,5 +66,5 @@ index 65db61e..6486aac 100644 dnl # -- -2.7.4 +2.25.1 diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-avoid-searching-host-dirs.patch b/meta-networking/recipes-connectivity/freeradius/files/0006-Avoid-searching-host-dirs.patch similarity index 85% rename from meta-networking/recipes-connectivity/freeradius/files/freeradius-avoid-searching-host-dirs.patch rename to meta-networking/recipes-connectivity/freeradius/files/0006-Avoid-searching-host-dirs.patch index 9c997661fc..8fd0dca443 100644 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-avoid-searching-host-dirs.patch +++ b/meta-networking/recipes-connectivity/freeradius/files/0006-Avoid-searching-host-dirs.patch @@ -1,14 +1,15 @@ -From dc41591d5ceb18900ec85894f8f7b7bb44bb3bd9 Mon Sep 17 00:00:00 2001 +From 8fe25b30b6fbb3170705f4468eb4c92eef3a968f Mon Sep 17 00:00:00 2001 From: Jackie Huang Date: Mon, 4 Jan 2016 01:44:04 -0500 -Subject: [PATCH] avoid searching host dirs +Subject: [PATCH] Avoid searching host dirs Don't search the hardcoded host dirs to avoid host contamination. -Upstream-Status: Inappropriate [cross-compile specific] +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Jackie Huang +Signed-off-by: Yi Zhao --- acinclude.m4 | 4 ++-- src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac | 4 ++-- @@ -21,19 +22,19 @@ Signed-off-by: Jackie Huang 8 files changed, 16 insertions(+), 16 deletions(-) diff --git a/acinclude.m4 b/acinclude.m4 -index da48acc..b513ae1 100644 +index a953d0e1b6..ede143d3c2 100644 --- a/acinclude.m4 +++ b/acinclude.m4 -@@ -178,7 +178,7 @@ if test "x$smart_lib" = "x"; then - FR_LOCATE_DIR(smart_lib_dir,[lib$1${libltdl_cv_shlibext}]) - FR_LOCATE_DIR(smart_lib_dir,[lib$1.a]) - -- for try in $smart_lib_dir /usr/local/lib /opt/lib; do +@@ -115,7 +115,7 @@ dnl # + dnl # Try to guess possible locations. + dnl # + if test "x$smart_lib" = "x"; then +- for try in /usr/local/lib /opt/lib; do + for try in $smart_lib_dir; do AC_MSG_CHECKING([for $2 in -l$1 in $try]) LIBS="-l$1 $old_LIBS" CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" -@@ -218,7 +218,7 @@ ac_safe=`echo "$1" | sed 'y%./+-%__pm%'` +@@ -155,7 +155,7 @@ ac_safe=`echo "$1" | sed 'y%./+-%__pm%'` old_CPPFLAGS="$CPPFLAGS" smart_include= dnl # The default directories we search in (in addition to the compilers search path) @@ -43,10 +44,10 @@ index da48acc..b513ae1 100644 dnl # Our local versions _smart_try_dir= diff --git a/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac -index 75c851a..a262d71 100644 +index 44f84aa27e..23a1899591 100644 --- a/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac +++ b/src/modules/rlm_sql/drivers/rlm_sql_db2/configure.ac -@@ -57,14 +57,14 @@ if test x$with_[]modname != xno; then +@@ -61,14 +61,14 @@ if test x$with_[]modname != xno; then esac]) dnl Check for SQLConnect in -ldb2 @@ -64,10 +65,10 @@ index 75c851a..a262d71 100644 if test "x$ac_cv_header_sqlcli_h" != xyes; then fail="$fail sqlcli.h" diff --git a/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac -index 4da57b3..752b043 100644 +index 4c2fd7ba9e..10c864def5 100644 --- a/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac +++ b/src/modules/rlm_sql/drivers/rlm_sql_firebird/configure.ac -@@ -56,14 +56,14 @@ if test x$with_[]modname != xno; then +@@ -60,14 +60,14 @@ if test x$with_[]modname != xno; then esac]) dnl Check for isc_attach_database in -lfbclient @@ -85,10 +86,10 @@ index 4da57b3..752b043 100644 if test "x$ac_cv_header_ibase_h" != xyes; then fail="$fail ibase.h" diff --git a/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac -index ba6304f..3393557 100644 +index d26ac9c431..6e4500e948 100644 --- a/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac +++ b/src/modules/rlm_sql/drivers/rlm_sql_iodbc/configure.ac -@@ -57,14 +57,14 @@ if test x$with_[]modname != xno; then +@@ -61,14 +61,14 @@ if test x$with_[]modname != xno; then esac]) dnl Check for SQLConnect in -liodbc @@ -106,10 +107,10 @@ index ba6304f..3393557 100644 if test "x$ac_cv_header_isql_h" != xyes; then fail="$fail isql.h" diff --git a/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac -index 1401677..2e7db44 100644 +index df36da77bf..31359041c7 100644 --- a/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac +++ b/src/modules/rlm_sql/drivers/rlm_sql_mysql/configure.ac -@@ -136,7 +136,7 @@ if test x$with_[]modname != xno; then +@@ -140,7 +140,7 @@ if test x$with_[]modname != xno; then dnl # Check for libmysqlclient_r if test "x$have_a_libmysqlclient" != "xyes"; then @@ -118,7 +119,7 @@ index 1401677..2e7db44 100644 FR_SMART_CHECK_LIB(mysqlclient_r, mysql_init) if test "x$ac_cv_lib_mysqlclient_r_mysql_init" = "xyes"; then have_a_libmysqlclient='yes' -@@ -145,7 +145,7 @@ if test x$with_[]modname != xno; then +@@ -149,7 +149,7 @@ if test x$with_[]modname != xno; then dnl # Check for libmysqlclient if test "x$have_a_libmysqlclient" != "xyes"; then @@ -127,7 +128,7 @@ index 1401677..2e7db44 100644 FR_SMART_CHECK_LIB(mysqlclient, mysql_init) if test "x$ac_cv_lib_mysqlclient_mysql_init" = "xyes"; then have_a_libmysqlclient='yes' -@@ -189,7 +189,7 @@ if test x$with_[]modname != xno; then +@@ -243,7 +243,7 @@ if test x$with_[]modname != xno; then fi if test "x$have_mysql_h" != "xyes"; then @@ -137,10 +138,10 @@ index 1401677..2e7db44 100644 if test "x$ac_cv_header_mysql_mysql_h" = "xyes"; then AC_DEFINE(HAVE_MYSQL_MYSQL_H, [], [Define if you have ]) diff --git a/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac -index 3178462..5cbc8c2 100644 +index 3b45da582a..03e6607d2b 100644 --- a/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac +++ b/src/modules/rlm_sql/drivers/rlm_sql_oracle/configure.ac -@@ -63,7 +63,7 @@ if test x$with_[]modname != xno; then +@@ -68,7 +68,7 @@ if test x$with_[]modname != xno; then dnl # Check for header files dnl ############################################################ @@ -150,10 +151,10 @@ index 3178462..5cbc8c2 100644 if test "x$ORACLE_HOME" != "x"; then smart_try_dir="${smart_try_dir} ${ORACLE_HOME}/include" diff --git a/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac -index 4f9a890..e1cf811 100644 +index 8ac1022e89..d46c0f66bf 100644 --- a/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac +++ b/src/modules/rlm_sql/drivers/rlm_sql_postgresql/configure.ac -@@ -41,7 +41,7 @@ if test x$with_[]modname != xno; then +@@ -45,7 +45,7 @@ if test x$with_[]modname != xno; then esac ] ) @@ -162,7 +163,7 @@ index 4f9a890..e1cf811 100644 FR_SMART_CHECK_INCLUDE(libpq-fe.h) if test "x$ac_cv_header_libpqmfe_h" != "xyes"; then fail="$fail libpq-fe.h" -@@ -76,7 +76,7 @@ if test x$with_[]modname != xno; then +@@ -94,7 +94,7 @@ if test x$with_[]modname != xno; then ]) fi @@ -172,10 +173,10 @@ index 4f9a890..e1cf811 100644 if test "x$ac_cv_lib_pq_PQconnectdb" != "xyes"; then fail="$fail libpq" diff --git a/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac b/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac -index 3545387..c543ed4 100644 +index f10279fe1f..0081a338c8 100644 --- a/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac +++ b/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure.ac -@@ -57,14 +57,14 @@ if test x$with_[]modname != xno; then +@@ -61,14 +61,14 @@ if test x$with_[]modname != xno; then esac]) dnl Check for SQLConnect in -lodbc @@ -193,5 +194,5 @@ index 3545387..c543ed4 100644 if test "x$ac_cv_header_sql_h" != xyes; then fail="$fail sql.h" -- -1.9.1 +2.25.1 diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-rlm_python-add-PY_INC_DIR.patch b/meta-networking/recipes-connectivity/freeradius/files/0007-rlm_python-add-PY_INC_DIR-in-search-dir.patch similarity index 81% rename from meta-networking/recipes-connectivity/freeradius/files/freeradius-rlm_python-add-PY_INC_DIR.patch rename to meta-networking/recipes-connectivity/freeradius/files/0007-rlm_python-add-PY_INC_DIR-in-search-dir.patch index 675940dd6c..cb71fb1373 100644 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-rlm_python-add-PY_INC_DIR.patch +++ b/meta-networking/recipes-connectivity/freeradius/files/0007-rlm_python-add-PY_INC_DIR-in-search-dir.patch @@ -1,14 +1,14 @@ -From a0bf65e04d2bbd3271cab94bd5ac93f8e877bfc5 Mon Sep 17 00:00:00 2001 +From e4ff7a2a9834e2589bc7bdda4b74f5bc962b15e6 Mon Sep 17 00:00:00 2001 From: Jackie Huang Date: Wed, 27 Jan 2016 05:07:19 -0500 Subject: [PATCH] rlm_python: add PY_INC_DIR in search dir -Upstream-Status: Pending - configure option --with-rlm-python-include-dir is used to set PY_INC_DIR which is never used and it fails to find Python.h, so add it into search dir to fix it. +Upstream-Status: Inappropriate [embedded specific] + Signed-off-by: Jackie Huang Signed-off-by: Yi Zhao --- @@ -16,10 +16,10 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/rlm_python/configure.ac b/src/modules/rlm_python/configure.ac -index 831a33a..c3792d8 100644 +index 08ecb62518..d5c0944ff1 100644 --- a/src/modules/rlm_python/configure.ac +++ b/src/modules/rlm_python/configure.ac -@@ -93,7 +93,7 @@ if test x$with_[]modname != xno; then +@@ -98,7 +98,7 @@ if test x$with_[]modname != xno; then old_CFLAGS=$CFLAGS CFLAGS="$CFLAGS $PY_CFLAGS" @@ -29,5 +29,5 @@ index 831a33a..c3792d8 100644 CFLAGS=$old_CFLAGS -- -2.10.2 +2.25.1 diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-do-not-use-jlibtool.patch b/meta-networking/recipes-connectivity/freeradius/files/0008-libtool-do-not-use-jlibtool.patch similarity index 91% rename from meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-do-not-use-jlibtool.patch rename to meta-networking/recipes-connectivity/freeradius/files/0008-libtool-do-not-use-jlibtool.patch index 1954586b2b..559b857b63 100644 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-libtool-do-not-use-jlibtool.patch +++ b/meta-networking/recipes-connectivity/freeradius/files/0008-libtool-do-not-use-jlibtool.patch @@ -1,4 +1,4 @@ -From 16bf899447fc1524ffc3c79e1d35380e5285a552 Mon Sep 17 00:00:00 2001 +From d0fa5b259c2dc942d0a43a9cf1bfc32f40c184f9 Mon Sep 17 00:00:00 2001 From: Jackie Huang Date: Thu, 7 Jan 2016 22:37:30 -0800 Subject: [PATCH] libtool: do not use jlibtool @@ -7,7 +7,7 @@ jlibtool is hardcoded to be used but we need to use our libtool, so fix the makfiles to make it compatible with our libtool. -Upstream-Status: Inappropriate [oe specific] +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Jackie Huang Signed-off-by: Yi Zhao @@ -19,7 +19,7 @@ Signed-off-by: Yi Zhao 4 files changed, 27 insertions(+), 15 deletions(-) diff --git a/Make.inc.in b/Make.inc.in -index 7a77625..fd8aa3e 100644 +index 05f82776ff..e78f3fe9dc 100644 --- a/Make.inc.in +++ b/Make.inc.in @@ -57,7 +57,7 @@ CPPFLAGS = @CPPFLAGS@ @@ -31,7 +31,7 @@ index 7a77625..fd8aa3e 100644 ACLOCAL = @ACLOCAL@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ -@@ -163,7 +163,7 @@ ANALYZE.c := @clang_path@ +@@ -168,7 +168,7 @@ ANALYZE.c := @clang_path@ # ifeq "$(USE_SHARED_LIBS)" "yes" TESTBINDIR = ./$(BUILD_DIR)/bin/local @@ -41,10 +41,10 @@ index 7a77625..fd8aa3e 100644 TESTBINDIR = ./$(BUILD_DIR)/bin TESTBIN = ./$(BUILD_DIR)/bin diff --git a/scripts/boiler.mk b/scripts/boiler.mk -index bccec5e..926a13e 100644 +index 2ce0c18f34..567cc0f22f 100644 --- a/scripts/boiler.mk +++ b/scripts/boiler.mk -@@ -266,6 +266,7 @@ define COMPILE_C_CMDS +@@ -272,6 +272,7 @@ define COMPILE_C_CMDS $(Q)$(ECHO) CC $< $(Q)$(strip ${COMPILE.c} -o $@ -c -MD ${CPPFLAGS} ${CFLAGS} ${SRC_CFLAGS} ${INCDIRS} \ $(addprefix -I, ${SRC_INCDIRS}) ${SRC_DEFS} ${DEFS} $<) @@ -52,7 +52,7 @@ index bccec5e..926a13e 100644 endef else # -@@ -281,6 +282,7 @@ define COMPILE_C_CMDS +@@ -287,6 +288,7 @@ define COMPILE_C_CMDS $(Q)cppcheck --enable=style -q ${CHECKFLAGS} $(filter -isystem%,${SRC_CFLAGS}) \ $(filter -I%,${SRC_CFLAGS}) $(filter -D%,${SRC_CFLAGS}) ${INCDIRS} \ $(addprefix -I,${SRC_INCDIRS}) ${SRC_DEFS} ${DEFS} --suppress=variableScope --suppress=invalidscanf $< @@ -61,7 +61,7 @@ index bccec5e..926a13e 100644 endif diff --git a/scripts/install.mk b/scripts/install.mk -index 9164115..e38c1ed 100644 +index 916411563b..e38c1ed697 100644 --- a/scripts/install.mk +++ b/scripts/install.mk @@ -46,7 +46,7 @@ define ADD_INSTALL_RULE.exe @@ -116,10 +116,10 @@ index 9164115..e38c1ed 100644 diff --git a/scripts/libtool.mk b/scripts/libtool.mk -index 57915e1..2cb2f7d 100644 +index 381127ec2d..e83d7e6ad7 100644 --- a/scripts/libtool.mk +++ b/scripts/libtool.mk -@@ -55,7 +55,9 @@ ifeq "${LIBTOOL}" "JLIBTOOL" +@@ -60,7 +60,9 @@ ifeq "${LIBTOOL}" "JLIBTOOL" # Tell GNU Make to use this value, rather than anything specified # on the command line. override LIBTOOL := ${JLIBTOOL} @@ -130,7 +130,7 @@ index 57915e1..2cb2f7d 100644 # When using libtool, it produces a '.libs' directory. Ensure that it # is removed on "make clean", too. -@@ -69,11 +71,19 @@ clean: .libs_clean +@@ -74,11 +76,19 @@ clean: .libs_clean # Re-define compilers and linkers # OBJ_EXT = lo @@ -156,5 +156,5 @@ index 57915e1..2cb2f7d 100644 # LIBTOOL_ENDINGS - Given a library ending in ".a" or ".so", replace that -- -2.10.2 +2.25.1 diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-quoting-for-BUILT_WITH.patch b/meta-networking/recipes-connectivity/freeradius/files/0009-Fix-quoting-for-BUILD_WITH.patch similarity index 87% rename from meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-quoting-for-BUILT_WITH.patch rename to meta-networking/recipes-connectivity/freeradius/files/0009-Fix-quoting-for-BUILD_WITH.patch index b0929c4b07..9386675e46 100644 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-quoting-for-BUILT_WITH.patch +++ b/meta-networking/recipes-connectivity/freeradius/files/0009-Fix-quoting-for-BUILD_WITH.patch @@ -1,4 +1,7 @@ -Fix quoting for BUILD_WITH +From 3e701d6274924adaed568e22af2362aa5af1f055 Mon Sep 17 00:00:00 2001 +From: Peter Seebach +Date: Sun, 8 Jan 2023 23:01:28 +0800 +Subject: [PATCH] Fix quoting for BUILD_WITH The escaped quotes are to make the -D values produce strings which can be used to display these values. However, if the values are more @@ -16,7 +19,7 @@ Signed-off-by: Yi Zhao 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/main/libfreeradius-server.mk b/src/main/libfreeradius-server.mk -index 4495f72..07c28f1 100644 +index 4495f72481..07c28f1968 100644 --- a/src/main/libfreeradius-server.mk +++ b/src/main/libfreeradius-server.mk @@ -18,5 +18,5 @@ SOURCES := conffile.c \ @@ -27,7 +30,7 @@ index 4495f72..07c28f1 100644 +SRC_CFLAGS += -DBUILT_WITH_CPPFLAGS="\"$(CPPFLAGS)\"" -DBUILT_WITH_CFLAGS="\"$(CFLAGS)\"" -DBUILT_WITH_LDFLAGS="\"$(LDFLAGS)\"" -DBUILT_WITH_LIBS="\"$(LIBS)\"" endif diff --git a/src/main/unittest.mk b/src/main/unittest.mk -index 09f3938..ed33952 100644 +index edd4f133a7..b5b44d5e11 100644 --- a/src/main/unittest.mk +++ b/src/main/unittest.mk @@ -21,5 +21,5 @@ TGT_PREREQS += libfreeradius-eap.a @@ -38,7 +41,7 @@ index 09f3938..ed33952 100644 +SRC_CFLAGS += -DBUILT_WITH_CPPFLAGS="\"$(CPPFLAGS)\"" -DBUILT_WITH_CFLAGS="\"$(CFLAGS)\"" -DBUILT_WITH_LDFLAGS="\"$(LDFLAGS)\"" -DBUILT_WITH_LIBS="\"$(LIBS)\"" endif diff --git a/src/modules/rlm_eap/radeapclient.mk b/src/modules/rlm_eap/radeapclient.mk -index 6068f54..7d3c556 100644 +index 6068f54813..7d3c55625b 100644 --- a/src/modules/rlm_eap/radeapclient.mk +++ b/src/modules/rlm_eap/radeapclient.mk @@ -23,7 +23,7 @@ SRC_CFLAGS += -DWITH_EAPCLIENT @@ -51,5 +54,5 @@ index 6068f54..7d3c556 100644 endif -- -2.10.2 +2.25.1 diff --git a/meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-error-for-expansion-of-macro.patch b/meta-networking/recipes-connectivity/freeradius/files/0010-fix-error-for-expansion-of-macro-in-thread.h.patch similarity index 95% rename from meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-error-for-expansion-of-macro.patch rename to meta-networking/recipes-connectivity/freeradius/files/0010-fix-error-for-expansion-of-macro-in-thread.h.patch index af1bff051f..051b66af8f 100644 --- a/meta-networking/recipes-connectivity/freeradius/files/freeradius-fix-error-for-expansion-of-macro.patch +++ b/meta-networking/recipes-connectivity/freeradius/files/0010-fix-error-for-expansion-of-macro-in-thread.h.patch @@ -1,4 +1,4 @@ -From 5b6d8b14f2696fcf1dca119212f9d0a0fa04defd Mon Sep 17 00:00:00 2001 +From 30ce5ccd62446349d432ff65d3fe8d46872423c8 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Wed, 18 Jan 2017 14:59:39 +0800 Subject: [PATCH] fix error for expansion of macro in thread.h @@ -22,7 +22,7 @@ Signed-off-by: Yi Zhao 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/include/threads.h b/src/include/threads.h -index e36d81d..2bcb6aa 100644 +index e36d81dac0..2bcb6aadcb 100644 --- a/src/include/threads.h +++ b/src/include/threads.h @@ -89,7 +89,7 @@ static _t __fr_thread_local_init_##_n(pthread_destructor_t func)\ @@ -57,5 +57,5 @@ index e36d81d..2bcb6aa 100644 #endif #endif -- -2.10.2 +2.25.1 diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch b/meta-networking/recipes-connectivity/freeradius/files/0011-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch similarity index 59% rename from meta-networking/recipes-connectivity/freeradius/files/0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch rename to meta-networking/recipes-connectivity/freeradius/files/0011-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch index db8caab12e..69125eb3cb 100644 --- a/meta-networking/recipes-connectivity/freeradius/files/0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch +++ b/meta-networking/recipes-connectivity/freeradius/files/0011-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch @@ -1,4 +1,4 @@ -From 66e8bcdcca8971b5c43c31755d56d7f675d8b5ff Mon Sep 17 00:00:00 2001 +From f0e764826e3a85488047f7f4e94ebf91460d2c12 Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Fri, 16 Jun 2017 20:10:49 -0700 Subject: [PATCH] rlm_mschap: Use includedir instead of hardcoding /usr/include @@ -13,12 +13,12 @@ Signed-off-by: Khem Raj src/modules/rlm_mschap/configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -Index: freeradius-server-3.0.14/src/modules/rlm_mschap/configure.ac -=================================================================== ---- freeradius-server-3.0.14.orig/src/modules/rlm_mschap/configure.ac -+++ freeradius-server-3.0.14/src/modules/rlm_mschap/configure.ac -@@ -72,7 +72,7 @@ if test x$with_[]modname != xno; then - mod_ldflags="-framework DirectoryService" +diff --git a/src/modules/rlm_mschap/configure.ac b/src/modules/rlm_mschap/configure.ac +index 0fd105d7e6..6ab15509e5 100644 +--- a/src/modules/rlm_mschap/configure.ac ++++ b/src/modules/rlm_mschap/configure.ac +@@ -75,7 +75,7 @@ if test x$with_[]modname != xno; then + mod_ldflags="-F /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/Frameworks -framework DirectoryService" fi - smart_try_dir="$winbind_include_dir /usr/include/samba-4.0" @@ -26,3 +26,6 @@ Index: freeradius-server-3.0.14/src/modules/rlm_mschap/configure.ac FR_SMART_CHECK_INCLUDE(wbclient.h, [#include #include ]) if test "x$ac_cv_header_wbclient_h" != "xyes"; then +-- +2.25.1 + diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch b/meta-networking/recipes-connectivity/freeradius/files/0012-raddb-certs-Makefile-fix-the-existed-certificate-err.patch similarity index 92% rename from meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch rename to meta-networking/recipes-connectivity/freeradius/files/0012-raddb-certs-Makefile-fix-the-existed-certificate-err.patch index 669f363e72..cbac989284 100644 --- a/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch +++ b/meta-networking/recipes-connectivity/freeradius/files/0012-raddb-certs-Makefile-fix-the-existed-certificate-err.patch @@ -1,4 +1,4 @@ -From 084f5467672f2ae37003b77e8f8706772f3da3ec Mon Sep 17 00:00:00 2001 +From 0f9f18fc330fe88080be13e43f300fbf7ba4a85a Mon Sep 17 00:00:00 2001 From: Mingli Yu Date: Mon, 13 Jul 2020 07:01:45 +0000 Subject: [PATCH] raddb/certs/Makefile: fix the existed certificate error @@ -29,13 +29,13 @@ Signed-off-by: Mingli Yu 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile -index 5cbfd467ce..77eec9baa1 100644 +index c9fbc9e864..d064fe252d 100644 --- a/raddb/certs/Makefile +++ b/raddb/certs/Makefile @@ -92,7 +92,7 @@ server.csr server.key: server.cnf chmod g+r server.key - server.crt: server.csr ca.key ca.pem + server.crt: ca.key ca.pem server.csr - $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf + @[ -f server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf @@ -44,12 +44,12 @@ index 5cbfd467ce..77eec9baa1 100644 @@ -117,7 +117,7 @@ client.csr client.key: client.cnf chmod g+r client.key - client.crt: client.csr ca.pem ca.key + client.crt: ca.key ca.pem client.csr - $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf + @[ -f client.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf client.p12: client.crt $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) -- -2.26.2 +2.25.1 diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-occasional-verification.patch b/meta-networking/recipes-connectivity/freeradius/files/0013-raddb-certs-Makefile-fix-the-occasional-verification.patch similarity index 94% rename from meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-occasional-verification.patch rename to meta-networking/recipes-connectivity/freeradius/files/0013-raddb-certs-Makefile-fix-the-occasional-verification.patch index dce0427e1a..287e47adcc 100644 --- a/meta-networking/recipes-connectivity/freeradius/files/0001-raddb-certs-Makefile-fix-the-occasional-verification.patch +++ b/meta-networking/recipes-connectivity/freeradius/files/0013-raddb-certs-Makefile-fix-the-occasional-verification.patch @@ -1,4 +1,4 @@ -From 3eda5d35fbaf66ed6bdc86ada4320a0a18681b7e Mon Sep 17 00:00:00 2001 +From bb1cb2ffc7a31c0a2bb2de51ef82d304b0a107c3 Mon Sep 17 00:00:00 2001 From: Mingli Yu Date: Wed, 5 Aug 2020 07:23:11 +0000 Subject: [PATCH] raddb/certs/Makefile: fix the occasional verification failure @@ -29,7 +29,7 @@ Signed-off-by: Mingli Yu 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile -index 77eec9baa1..3dcb63fe71 100644 +index d064fe252d..86f4547804 100644 --- a/raddb/certs/Makefile +++ b/raddb/certs/Makefile @@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf @@ -71,7 +71,7 @@ index 77eec9baa1..3dcb63fe71 100644 + @[ -f server.csr ] || $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf chmod g+r server.key - server.crt: server.csr ca.key ca.pem + server.crt: ca.key ca.pem server.csr @[ -f server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf server.p12: server.crt @@ -85,7 +85,7 @@ index 77eec9baa1..3dcb63fe71 100644 chmod g+r server.pem .PHONY: server.vrfy -@@ -113,18 +113,18 @@ server.vrfy: ca.pem +@@ -113,19 +113,19 @@ server.vrfy: ca.pem # ###################################################################### client.csr client.key: client.cnf @@ -93,13 +93,14 @@ index 77eec9baa1..3dcb63fe71 100644 + @[ -f client.csr ] || $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf chmod g+r client.key - client.crt: client.csr ca.pem ca.key + client.crt: ca.key ca.pem client.csr @[ -f client.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf client.p12: client.crt - $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) + @[ -f client.p12 ] || $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) chmod g+r client.p12 + cp client.p12 $(USER_NAME).p12 client.pem: client.p12 - $(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) @@ -107,7 +108,7 @@ index 77eec9baa1..3dcb63fe71 100644 chmod g+r client.pem cp client.pem $(USER_NAME).pem -@@ -139,18 +139,18 @@ client.vrfy: ca.pem client.pem +@@ -140,18 +140,18 @@ client.vrfy: ca.pem client.pem # ###################################################################### inner-server.csr inner-server.key: inner-server.cnf @@ -115,7 +116,7 @@ index 77eec9baa1..3dcb63fe71 100644 + @[ -f inner-server.csr] || $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf chmod g+r inner-server.key - inner-server.crt: inner-server.csr ca.key ca.pem + inner-server.crt: ca.key ca.pem inner-server.csr - $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf + @[ -f inner-server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf @@ -131,5 +132,5 @@ index 77eec9baa1..3dcb63fe71 100644 .PHONY: inner-server.vrfy -- -2.26.2 +2.25.1 diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-workaround-error-with-autoconf-2.7.patch b/meta-networking/recipes-connectivity/freeradius/files/0014-Workaround-error-with-autoconf-2.7.patch similarity index 77% rename from meta-networking/recipes-connectivity/freeradius/files/0001-workaround-error-with-autoconf-2.7.patch rename to meta-networking/recipes-connectivity/freeradius/files/0014-Workaround-error-with-autoconf-2.7.patch index 80c571df98..17eadc7e59 100644 --- a/meta-networking/recipes-connectivity/freeradius/files/0001-workaround-error-with-autoconf-2.7.patch +++ b/meta-networking/recipes-connectivity/freeradius/files/0014-Workaround-error-with-autoconf-2.7.patch @@ -1,7 +1,7 @@ -From 3b4ba29c7c5800df87eecd65214244619e01162b Mon Sep 17 00:00:00 2001 +From c591da4a361496eec93625cf8c4f89bddfedaca7 Mon Sep 17 00:00:00 2001 From: Hongxu Jia Date: Sun, 7 Feb 2021 16:02:36 +0800 -Subject: [PATCH] workaround error with autoconf 2.7 +Subject: [PATCH] Workaround error with autoconf 2.7 While using autoconf 2.7, the AM_MISSING_PROG caused unexpected error: ... @@ -11,7 +11,7 @@ configure.ac: error: required file 'missing' not found Since these tools were explicitly added by autotools bbclass, remove the testing to workaround the error with autoconf 2.7 -Upstream-Status: Inappropriate [oe specific] +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Hongxu Jia --- @@ -19,10 +19,10 @@ Signed-off-by: Hongxu Jia 1 file changed, 8 deletions(-) diff --git a/configure.ac b/configure.ac -index 609efb104b..2d761cf62c 100644 +index 263098f7fd..fc296832d8 100644 --- a/configure.ac +++ b/configure.ac -@@ -693,14 +693,6 @@ fi +@@ -878,14 +878,6 @@ fi AC_PATH_PROG(RUSERS, rusers, /usr/bin/rusers) @@ -34,9 +34,9 @@ index 609efb104b..2d761cf62c 100644 -AM_MISSING_PROG(AUTOCONF, autoconf, $missing_dir) -AM_MISSING_PROG(AUTOHEADER, autoheader, $missing_dir) - - AC_PATH_PROG(LOCATE,locate) AC_PATH_PROG(DIRNAME,dirname) AC_PATH_PROG(GREP,grep) + -- -2.27.0 +2.25.1 diff --git a/meta-networking/recipes-connectivity/freeradius/files/check-openssl-cmds-in-script-bootstrap.patch b/meta-networking/recipes-connectivity/freeradius/files/0015-bootstrap-check-commands-of-openssl-exist.patch similarity index 81% rename from meta-networking/recipes-connectivity/freeradius/files/check-openssl-cmds-in-script-bootstrap.patch rename to meta-networking/recipes-connectivity/freeradius/files/0015-bootstrap-check-commands-of-openssl-exist.patch index fcadae93a0..d1d0111607 100644 --- a/meta-networking/recipes-connectivity/freeradius/files/check-openssl-cmds-in-script-bootstrap.patch +++ b/meta-networking/recipes-connectivity/freeradius/files/0015-bootstrap-check-commands-of-openssl-exist.patch @@ -1,4 +1,7 @@ -bootstrap: check commands of openssl exist +From 78494ea005bd38324953b05176d6eb2c3f55af2c Mon Sep 17 00:00:00 2001 +From: Kai Kang +Date: Sun, 8 Jan 2023 23:21:24 +0800 +Subject: [PATCH] bootstrap: check commands of openssl exist It calls openssl commands dhparam and pkcs12 in script bootstrap. These commands are configurable based on configure options 'no-dh' and @@ -18,7 +21,7 @@ Signed-off-by: Kai Kang 1 file changed, 8 insertions(+) diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap -index 0f719aafd4..17feddbeeb 100755 +index 57de8cf0d7..4641c71700 100755 --- a/raddb/certs/bootstrap +++ b/raddb/certs/bootstrap @@ -13,6 +13,14 @@ @@ -36,3 +39,6 @@ index 0f719aafd4..17feddbeeb 100755 make -h > /dev/null 2>&1 # +-- +2.25.1 + diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-version.c-don-t-print-build-flags.patch b/meta-networking/recipes-connectivity/freeradius/files/0016-version.c-don-t-print-build-flags.patch similarity index 86% rename from meta-networking/recipes-connectivity/freeradius/files/0001-version.c-don-t-print-build-flags.patch rename to meta-networking/recipes-connectivity/freeradius/files/0016-version.c-don-t-print-build-flags.patch index 697205efe0..2d67fdef05 100644 --- a/meta-networking/recipes-connectivity/freeradius/files/0001-version.c-don-t-print-build-flags.patch +++ b/meta-networking/recipes-connectivity/freeradius/files/0016-version.c-don-t-print-build-flags.patch @@ -1,11 +1,11 @@ -From cbc64dcf6aa2a1be63f45ea6dd7d2c49b70a0bee Mon Sep 17 00:00:00 2001 +From cbbb62ddda5c189c225f96bf6b599b3b3e8c8252 Mon Sep 17 00:00:00 2001 From: Mingli Yu Date: Wed, 3 Aug 2022 16:44:29 +0800 Subject: [PATCH] version.c: don't print build flags Don't print the build flags to avoid collecting the build environment info. -Upstream-Status: Inappropriate [oe specific] +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Mingli Yu --- @@ -13,7 +13,7 @@ Signed-off-by: Mingli Yu 1 file changed, 13 deletions(-) diff --git a/src/main/version.c b/src/main/version.c -index 62972d9f53..cf81de72c9 100644 +index f1f1e87810..3ffcbb25a0 100644 --- a/src/main/version.c +++ b/src/main/version.c @@ -589,19 +589,6 @@ void version_print(void) diff --git a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch deleted file mode 100644 index 4ea519c752..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch +++ /dev/null @@ -1,118 +0,0 @@ -From f1cdbb33ec61c4a64a32e107d4d02f936051c708 Mon Sep 17 00:00:00 2001 -From: "Alan T. DeKok" -Date: Mon, 7 Feb 2022 22:26:05 -0500 -Subject: [PATCH] it's probably wrong to be completely retarded. Let's fix - that. - -CVE: CVE-2022-41860 - -Upstream-Status: Backport -[https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a32e107d4d02f936051c708] - -Signed-off-by: Yi Zhao ---- - src/modules/rlm_eap/libeap/eapsimlib.c | 69 +++++++++++++++++++------- - 1 file changed, 52 insertions(+), 17 deletions(-) - -diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c -index cf1e8a7dd9..e438a844ea 100644 ---- a/src/modules/rlm_eap/libeap/eapsimlib.c -+++ b/src/modules/rlm_eap/libeap/eapsimlib.c -@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r, - newvp->vp_length = 1; - fr_pair_add(&(r->vps), newvp); - -+ /* -+ * EAP-SIM has a 1 octet of subtype, and 2 octets -+ * reserved. -+ */ - attr += 3; - attrlen -= 3; - -- /* now, loop processing each attribute that we find */ -- while(attrlen > 0) { -+ /* -+ * Loop over each attribute. The format is: -+ * -+ * 1 octet of type -+ * 1 octet of length (value 1..255) -+ * ((4 * length) - 2) octets of data. -+ */ -+ while (attrlen > 0) { - uint8_t *p; - -- if(attrlen < 2) { -+ if (attrlen < 2) { - fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen); - return 0; - } - -+ if (!attr[1]) { -+ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", eapsim_attribute, -+ es_attribute_count); -+ return 0; -+ } -+ - eapsim_attribute = attr[0]; - eapsim_len = attr[1] * 4; - -+ /* -+ * The length includes the 2-byte header. -+ */ - if (eapsim_len > attrlen) { - fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)", - eapsim_attribute, es_attribute_count, eapsim_len, attrlen); - return 0; - } - -- if(eapsim_len > MAX_STRING_LEN) { -- eapsim_len = MAX_STRING_LEN; -- } -- if (eapsim_len < 2) { -- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute, -- es_attribute_count); -- return 0; -- } -+ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0); -+ if (!newvp) { -+ /* -+ * RFC 4186 Section 8.1 says 0..127 are -+ * "non-skippable". If one such -+ * attribute is found and we don't -+ * understand it, the server has to send: -+ * -+ * EAP-Request/SIM/Notification packet with an -+ * (AT_NOTIFICATION code, which implies general failure ("General -+ * failure after authentication" (0), or "General failure" (16384), -+ * depending on the phase of the exchange), which terminates the -+ * authentication exchange. -+ */ -+ if (eapsim_attribute <= 127) { -+ fr_strerror_printf("Unknown mandatory attribute %d, failing", -+ eapsim_attribute); -+ return 0; -+ } - -- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0); -- newvp->vp_length = eapsim_len-2; -- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length); -- memcpy(p, &attr[2], eapsim_len-2); -- fr_pair_add(&(r->vps), newvp); -- newvp = NULL; -+ } else { -+ /* -+ * It's known, ccount for header, and -+ * copy the value over. -+ */ -+ newvp->vp_length = eapsim_len - 2; -+ -+ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length); -+ memcpy(p, &attr[2], newvp->vp_length); -+ fr_pair_add(&(r->vps), newvp); -+ } - - /* advance pointers, decrement length */ - attr += eapsim_len; --- -2.25.1 - diff --git a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch deleted file mode 100644 index 352c02137a..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 0ec2b39d260e08e4c3464f6b95005821dc559c62 Mon Sep 17 00:00:00 2001 -From: "Alan T. DeKok" -Date: Mon, 28 Feb 2022 10:34:15 -0500 -Subject: [PATCH] manual port of commit 5906bfa1 - -CVE: CVE-2022-41861 - -Upstream-Status: Backport -[https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e08e4c3464f6b95005821dc559c62] - -Signed-off-by: Yi Zhao ---- - src/lib/filters.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/src/lib/filters.c b/src/lib/filters.c -index 4868cd385d..3f3b63daee 100644 ---- a/src/lib/filters.c -+++ b/src/lib/filters.c -@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in - } - } - } else if (filter->type == RAD_FILTER_GENERIC) { -- int count; -+ size_t count, masklen; -+ -+ masklen = ntohs(filter->u.generic.len); -+ if (masklen >= sizeof(filter->u.generic.mask)) { -+ *p = '\0'; -+ return; -+ } - - i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset)); - p += i; - - /* show the mask */ -- for (count = 0; count < ntohs(filter->u.generic.len); count++) { -+ for (count = 0; count < masklen; count++) { - i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]); - p += i; - outlen -= i; -@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in - outlen--; - - /* show the value */ -- for (count = 0; count < ntohs(filter->u.generic.len); count++) { -+ for (count = 0; count < masklen; count++) { - i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]); - p += i; - outlen -= i; --- -2.25.1 - diff --git a/meta-networking/recipes-connectivity/freeradius/files/CVE-2024-3596.patch b/meta-networking/recipes-connectivity/freeradius/files/CVE-2024-3596.patch deleted file mode 100644 index 1778e8e927..0000000000 --- a/meta-networking/recipes-connectivity/freeradius/files/CVE-2024-3596.patch +++ /dev/null @@ -1,1506 +0,0 @@ -From 441967ba1d1ec28aa9582ab0253ad01e14b42148 Mon Sep 17 00:00:00 2001 -From: Arran Cudbard-Bell -Date: Sun, 30 Jun 2024 14:03:17 -0600 -Subject: [PATCH] CVE-2024-3596: Backport fix for BlastRADIUS - -Upstream-Status: Backport from v3.0.x branch, commit range 3a00a6ecc188629b0441fd45ad61ca8986de156e..da643f1edc267ce95260dc36069e6f1a7a4d66f8 -CVE: CVE-2024-3596 - -Signed-off-by: Rohini Sangam ---- - man/man1/radclient.1 | 10 ++- - man/man1/radtest.1 | 11 ++- - raddb/clients.conf | 47 ++++++++-- - raddb/proxy.conf | 19 +++++ - raddb/radiusd.conf.in | 185 ++++++++++++++++++++++++++++++++++++++++ - src/include/clients.h | 6 +- - src/include/conffile.h | 1 + - src/include/libradius.h | 19 ++++- - src/include/radius.h | 1 + - src/include/radiusd.h | 6 ++ - src/include/realms.h | 1 + - src/lib/radius.c | 87 +++++++++++++++++-- - src/main/client.c | 45 ++++++++-- - src/main/conffile.c | 4 +- - src/main/listen.c | 141 +++++++++++++++++++++++++++++- - src/main/mainconfig.c | 70 +++++++++++++++ - src/main/process.c | 65 ++++++++++++++ - src/main/radclient.c | 147 ++++++++++++++++++++++++++++++- - src/main/radtest.in | 6 +- - src/main/realms.c | 11 +++ - src/main/tls_listen.c | 5 ++ - 21 files changed, 855 insertions(+), 32 deletions(-) - -diff --git a/man/man1/radclient.1 b/man/man1/radclient.1 -index 229dcae0c7..b83bee931a 100644 ---- a/man/man1/radclient.1 -+++ b/man/man1/radclient.1 -@@ -1,10 +1,11 @@ --.TH RADCLIENT 1 "22 March 2019" "" "FreeRADIUS Daemon" -+.TH RADCLIENT 1 "21 May 2024" "" "FreeRADIUS Daemon" - .SH NAME - radclient - send packets to a RADIUS server, show reply - .SH SYNOPSIS - .B radclient - .RB [ \-4 ] - .RB [ \-6 ] -+.RB [ \-b ] - .RB [ \-c - .IR count ] - .RB [ \-d -@@ -52,6 +53,13 @@ automatically encrypted before the packet is sent to the server. - Use IPv4 (default) - .IP \-6 - Use IPv6 -+.IP \-b -+Enforce the Blast RADIUS checks. All replies to an Access-Request packet -+must contain a Message-Authenticator as the first attribute. -+ -+For compatibility with old servers, this flag is not set by default. -+However, radclient still checks for the Blast RADIUS signature, and -+discards packets which match the attack. - .IP \-c\ \fIcount\fP - Send each packet \fIcount\fP times. - .IP \-d\ \fIraddb_directory\fP -diff --git a/man/man1/radtest.1 b/man/man1/radtest.1 -index b3184779c0..6bfab75944 100644 ---- a/man/man1/radtest.1 -+++ b/man/man1/radtest.1 -@@ -1,4 +1,4 @@ --.TH RADTEST 1 "5 April 2010" "" "FreeRADIUS Daemon" -+.TH RADTEST 1 "21 May 2024" "" "FreeRADIUS Daemon" - .SH NAME - radtest - send packets to a RADIUS server, show reply - .SH SYNOPSIS -@@ -15,6 +15,8 @@ radtest - send packets to a RADIUS server, show reply - .IR ] - .RB [ \-6 - .IR ] -+.RB [ \-b -+.IR - .I user password radius-server nas-port-number secret - .RB [ ppphint ] - .RB [ nasname ] -@@ -26,6 +28,13 @@ way to test a radius server. - - .SH OPTIONS - -+.IP \-b -+Enforce the Blast RADIUS checks. All replies to an Access-Request packet -+must contain a Message-Authenticator as the first attribute. -+ -+For compatibility with old servers, this flag is not set by default. -+However, radclient still checks for the Blast RADIUS signature, and -+discards packets which match the attack. - .IP "\-d \fIraddb_directory\fP" - The directory that contains the RADIUS dictionary files. Defaults to - \fI/etc/raddb\fP. -diff --git a/raddb/clients.conf b/raddb/clients.conf -index 76b300d3c5..d55414b7d2 100644 ---- a/raddb/clients.conf -+++ b/raddb/clients.conf -@@ -100,15 +100,44 @@ client localhost { - secret = testing123 - - # -- # Old-style clients do not send a Message-Authenticator -- # in an Access-Request. RFC 5080 suggests that all clients -- # SHOULD include it in an Access-Request. The configuration -- # item below allows the server to require it. If a client -- # is required to include a Message-Authenticator and it does -- # not, then the packet will be silently discarded. -- # -- # allowed values: yes, no -- require_message_authenticator = no -+ # The global configuration "security.require_message_authenticator" -+ # flag sets the default for all clients. That default can be -+ # over-ridden here, by setting it to a value. If no value is set, -+ # then the default from the "radiusd.conf" file is used. -+ # -+ # See that file for full documentation on the flag, along -+ # with allowed values and meanings. -+ # -+ # This flag exists solely for legacy clients which do not send -+ # Message-Authenticator in all Access-Request packets. We do not -+ # recommend setting it to "no". -+ # -+ # The number one way to protect yourself from the BlastRADIUS -+ # attack is to update all RADIUS servers, and then set this -+ # flag to "yes". If all RADIUS servers are updated, and if -+ # all of them have this flag set to "yes" for all clients, -+ # then your network is safe. You can then upgrade the -+ # clients when it is convenient, instead of rushing the -+ # upgrades. -+ # -+ # allowed values: yes, no, auto -+# require_message_authenticator = no -+ -+ # -+ # The global configuration "security.limit_proxy_state" -+ # flag sets the default for all clients. That default can be -+ # over-ridden here, by setting it to "no". -+ # -+ # See that file for full documentation on the flag, along -+ # with allowed values,and meanings. -+ # -+ # This flag exists solely for legacy clients which do not send -+ # Message-Authenticator in all Access-Request packets. We do not -+ # recommend setting it to "no". -+ # -+ # allowed values: yes, no, auto -+ # -+# limit_proxy_state = yes - - # - # The short name is used as an alias for the fully qualified -diff --git a/raddb/proxy.conf b/raddb/proxy.conf -index 91b4b37930..fa362b8a74 100644 ---- a/raddb/proxy.conf -+++ b/raddb/proxy.conf -@@ -204,6 +204,25 @@ home_server localhost { - # - secret = testing123 - -+ -+ # -+ # The global configuration "security.require_message_authenticator" -+ # flag sets the default for all home servers. That default can be -+ # over-ridden here, by setting it to a value. If no value is set, -+ # then the default from the "radiusd.conf" file is used. -+ # -+ # See that file for full documentation on the flag, along -+ # with allowed values and meanings. -+ # -+ # This flag exists solely for legacy home servers which do -+ # not send Message-Authenticator in all Access-Accept, -+ # Access-Reject, or Access-Challenge packets. We do not -+ # recommend setting it to "no". -+ # -+ # allowed values: yes, no, auto -+ # -+# require_message_authenticator = no -+ - ############################################################ - # - # The rest of the configuration items listed here are optional, -diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in -index e8aee3c001..5b8800bfc8 100644 ---- a/raddb/radiusd.conf.in -+++ b/raddb/radiusd.conf.in -@@ -564,6 +564,191 @@ security { - # - status_server = yes - -+ # -+ # Global configuration for requiring Message-Authenticator in -+ # all Access-* packets sent over UDP or TCP. This flag is -+ # ignored for TLS. -+ # -+ # The number one way to protect yourself from the BlastRADIUS -+ # attack is to update all RADIUS servers, and then set this -+ # flag to "yes". If all RADIUS servers are updated, and if -+ # all of them have this flag set to "yes" for all clients, -+ # then your network is safe. You can then upgrade the -+ # clients when it is convenient, instead of rushing the -+ # upgrades. -+ # -+ # This flag sets the global default for all clients and home -+ # servers. It can be over-ridden in an individual client or -+ # home_server definition by adding the same flag to that -+ # section with an appropriate value. -+ # -+ # All upgraded RADIUS implementations should send -+ # Message-Authenticator in all Access-Request, Access-Accept, -+ # Access-Reject, and Access-Challenge packets. Once all -+ # systems are upgraded, setting this flag to "yes" is the -+ # best protection from the attack. -+ # -+ # The possible values and meanings for -+ # "require_message_authenticator" are; -+ # -+ # * "no" - allow Access-* packet which do not contain -+ # Message-Authenticator -+ # -+ # For a client, if this flag is set to "no", then the -+ # "limit_proxy_state" flag, below, is also checked. -+ # -+ # For a home_server, if this flag is set to "no", then the -+ # Access-Accept, Access-Reject, and Access-Challenge -+ # packets do not need to contain Message-Authenticator. -+ # -+ # The only reason to set this flag to "no" is when the -+ # RADIUS client or home server has not been updated. It is -+ # always safer to set this flag "no" in the individual -+ # client or home_server definition. The global flag SHOULD -+ # still be set to a safe value: "yes". -+ # -+ # WARNING: Setting this flag and the "limit_proxy_state" -+ # flag to "no" will allow MITM attackers to create fake -+ # Access-Accept packets to the NAS! At least one of them -+ # MUST be set to "yes" for the system to have any -+ # protection against the attack. -+ # -+ # * "yes" - Require that all Access-* packets (client and -+ # home_server) contain Message-Authenticator. If a packet -+ # does not contain Message-Authenticator, then it is -+ # discarded. -+ # -+ # * "auto" - Automatically determine the value of the flag, -+ # based on the first packet received from that client or -+ # home_server. -+ # -+ # If the packet does not contain Message-Authenticator, -+ # then the value of the flag is automatically switched to -+ # "no". -+ # -+ # If the packet contains Message-Authenticator but not -+ # EAP-Message, then the value of the flag is automatically -+ # switched to "yes". The server has to check for -+ # EAP-Message, because the previous RFCs require that the -+ # packet contains Message-Authenticator when it also -+ # contains EAP-Message. So having a Message-Authenticator -+ # in those packets doesn't give the server enough -+ # information to determined if the client or home_server -+ # has been updated. -+ # -+ # If the packet contains Message-Authenticator and -+ # EAP-Message, then the flag is left at the "auto" value. -+ # -+ # WARNING: This switch is done for the first packet -+ # received from that client or home server. The change -+ # does NOT persist across server restarts. You MUST change -+ # the to "yes" manually, in order to make a permanent -+ # change to the configuration. -+ # -+ # WARNING: If there are multiple NASes with the same source -+ # IP and client definitions, BUT the NASes have different -+ # behavior, then this flag WILL LIKELY BREAK YOUR NETWORK. -+ # -+ # That is, when there are multiple different RADIUS clients -+ # behind one NATed IP address, then these security settings -+ # have to be set to allow the MOST INSECURE packets to be -+ # processed. This is a terrible idea, and will leave your -+ # network vulnerable to the attack. Please upgrade all -+ # clients immediately. -+ # -+ # The only solution to that rare configuration is to set -+ # this flag to "no", in which case the network will work, -+ # but will be vulnerable to the attack. -+ # -+ require_message_authenticator = auto -+ -+ # -+ # Global configuration for limiting the combination of -+ # Proxy-State and Message-Authenticator. This flag only -+ # applies to packets sent over UDP or TCP. This flag is -+ # ignored for TLS. -+ # -+ # This flag sets the global default for all clients. It can -+ # be over-ridden in an individual client definition by adding -+ # the same flag to that section with an appropriate value. -+ # -+ # If "require_message_authenticator" is set to "yes", this -+ # configuration item is ignored. -+ # -+ # If "require_message_authenticator" is set to "no", this -+ # configuration item is checked. -+ # -+ # The possible values and meanings for "limit_proxy_state" are; -+ # -+ # * "no" - allow any packets from the client, even packets -+ # which contain the BlastRADIUS attack. Please be aware -+ # that in this configuration the server will complain for -+ # EVERY packet which it receives. -+ # -+ # The only reason to set this flag to "no" is when the -+ # client is a proxy, AND the proxy does not send -+ # Message-Authenticator in Access-Request packets. Even -+ # then, the best approach to fix the issue is to (1) update -+ # the proxy to send Message-Authenticator, and if that -+ # can't be done, then (2) set this flag to "no", but ONLY -+ # for that one client. The global flag SHOULD still be set -+ # to a safe value: "yes". -+ # -+ # WARNING: Setting both this flag and the -+ # "require_message_authenticator" flag to "no" will allow -+ # MITM attackers to create fake Access-Accept packets to the -+ # NAS! At least one of them MUST be set to "yes" for the -+ # system to have any protection against the attack. -+ # -+ # * "yes" - Allow packets without Message-Authenticator, -+ # but only when they do not contain Proxy-State. -+ # packets which contain Proxy-State MUST also contain -+ # Message-Authenticator, otherwise they are discarded. -+ # -+ # This setting is safe for most NASes, GGSNs, BRAS, etc. -+ # Most regular RADIUS clients do not send Proxy-State -+ # attributes for Access-Request packets that they originate. -+ # However some aggregators (e.g. Wireless LAN Controllers) -+ # may act as a RADIUS proxy for requests from their cohort -+ # of managed devices, and in such cases will provide a -+ # Proxy-State attribute. For those systems, you _must_ look -+ # at the actual packets to determine what to do. It may be -+ # that the only way to fix the vulnerability is to upgrade -+ # the WLC, and set "require_message_authenticator" to "yes". -+ # -+ # * "auto" - Automatically determine the value of the flag, -+ # based on the first packet received from that client. -+ # -+ # If the packet contains Proxy-State but no -+ # Message-Authenticator, then the value of the flag is -+ # automatically switched to "no". -+ # -+ # For all other situations, the value of the flag is -+ # automatically switched to "yes". -+ # -+ # WARNING: This switch is done for the first packet -+ # received from that client. The change does NOT persist -+ # across server restarts. You MUST change the to "yes" -+ # manually, in order to make a permanent change to the -+ # configuration. -+ # -+ # WARNING: If there are multiple NASes with the same source -+ # IP and client definitions, BUT the NASes have different -+ # behavior, then this flag WILL LIKELY BREAK YOUR NETWORK. -+ # -+ # That is, when there are multiple different RADIUS clients -+ # behind one NATed IP address, then these security settings -+ # have to be set to allow the MOST INSECURE packets to be -+ # processed. This is a terrible idea, and will leave your -+ # network vulnerable to the attack. Please upgrade all -+ # clients immediately. -+ # -+ # The only solution to that rare configuration is to set -+ # this flag to "no", in which case the network will work, -+ # but will be vulnerable to the attack. -+ # -+ limit_proxy_state = auto -+ - @openssl_version_check_config@ - } - -diff --git a/src/include/clients.h b/src/include/clients.h -index 560211557f..0aeb1da8d9 100644 ---- a/src/include/clients.h -+++ b/src/include/clients.h -@@ -39,7 +39,11 @@ typedef struct radclient { - - char const *secret; //!< Secret PSK. - -- bool message_authenticator; //!< Require RADIUS message authenticator in requests. -+ fr_bool_auto_t require_ma; //!< Require RADIUS message authenticator in requests. -+ -+ bool dynamic_require_ma; //!< for dynamic clients -+ -+ fr_bool_auto_t limit_proxy_state; //!< Limit Proxy-State in requests - - char const *nas_type; //!< Type of client (arbitrary). - -diff --git a/src/include/conffile.h b/src/include/conffile.h -index 8cb045c946..ddbcae4e4f 100644 ---- a/src/include/conffile.h -+++ b/src/include/conffile.h -@@ -140,6 +140,7 @@ typedef struct timeval _timeval_t; - #define PW_TYPE_MULTI (1 << 18) //!< CONF_PAIR can have multiple copies. - #define PW_TYPE_NOT_EMPTY (1 << 19) //!< CONF_PAIR is required to have a non zero length value. - #define PW_TYPE_FILE_EXISTS ((1 << 20) | PW_TYPE_STRING) //!< File matching value must exist -+#define PW_TYPE_IGNORE_DEFAULT (1 << 21) //!< don't set from .dflt if the CONF_PAIR is missing - /* @} **/ - - #define FR_INTEGER_COND_CHECK(_name, _var, _cond, _new)\ -diff --git a/src/include/libradius.h b/src/include/libradius.h -index ce2f713de1..2efef8b1d3 100644 ---- a/src/include/libradius.h -+++ b/src/include/libradius.h -@@ -402,6 +402,10 @@ typedef struct radius_packet { - size_t partial; - int proto; - #endif -+ bool tls; //!< uses secure transport -+ bool message_authenticator; -+ bool proxy_state; -+ bool eap_message; - } RADIUS_PACKET; - - typedef enum { -@@ -507,6 +511,13 @@ DICT_VENDOR *dict_vendorbyvalue(int vendor); - /* radius.c */ - int rad_send(RADIUS_PACKET *, RADIUS_PACKET const *, char const *secret); - bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason); -+ -+/* -+ * 1 == require_ma -+ * 2 == msg_peek -+ * 4 == limit_proxy_state -+ * 8 == require_ma for Access-* replies and Protocol-Error -+ */ - RADIUS_PACKET *rad_recv(TALLOC_CTX *ctx, int fd, int flags); - ssize_t rad_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port, int *code); - void rad_recv_discard(int sockfd); -@@ -694,7 +705,7 @@ extern bool fr_dns_lookups; /* do IP -> hostname lookups? */ - extern bool fr_hostname_lookups; /* do hostname -> IP lookups? */ - extern int fr_debug_lvl; /* 0 = no debugging information */ - extern uint32_t fr_max_attributes; /* per incoming packet */ --#define FR_MAX_PACKET_CODE (52) -+#define FR_MAX_PACKET_CODE (53) - extern char const *fr_packet_codes[FR_MAX_PACKET_CODE]; - #define is_radius_code(_x) ((_x > 0) && (_x < FR_MAX_PACKET_CODE)) - extern FILE *fr_log_fp; -@@ -932,6 +943,12 @@ int fr_socket_wait_for_connect(int sockfd, struct timeval *timeout); - } - #endif - -+typedef enum { -+ FR_BOOL_FALSE = 0, -+ FR_BOOL_TRUE, -+ FR_BOOL_AUTO, -+} fr_bool_auto_t; -+ - #include - - #ifdef WITH_TCP -diff --git a/src/include/radius.h b/src/include/radius.h -index 473528d65d..147d674eed 100644 ---- a/src/include/radius.h -+++ b/src/include/radius.h -@@ -61,6 +61,7 @@ typedef enum { - PW_CODE_COA_REQUEST = 43, //!< RFC3575/RFC5176 - CoA-Request - PW_CODE_COA_ACK = 44, //!< RFC3575/RFC5176 - CoA-Ack (positive) - PW_CODE_COA_NAK = 45, //!< RFC3575/RFC5176 - CoA-Nak (not willing to perform) -+ PW_CODE_PROTOCOL_ERROR = 52, //!< RFC7930 - Protocol layer issue - PW_CODE_MAX = 255, //!< Maximum possible code - } PW_CODE; - -diff --git a/src/include/radiusd.h b/src/include/radiusd.h -index b2a0a0f642..e429c5be7a 100644 ---- a/src/include/radiusd.h -+++ b/src/include/radiusd.h -@@ -171,6 +171,10 @@ typedef struct main_config { - - bool exiting; //!< are we exiting? - -+ fr_bool_auto_t require_ma; //!< global configuration for all clients and home servers -+ -+ fr_bool_auto_t limit_proxy_state; //!< global configuration for all clients -+ - - #ifdef ENABLE_OPENSSL_VERSION_CHECK - char const *allow_vulnerable_openssl; //!< The CVE number of the last security issue acknowledged. -@@ -558,6 +562,8 @@ int main_config_free(void); - void main_config_hup(void); - void hup_logfile(void); - -+int fr_bool_auto_parse(CONF_PAIR *cp, fr_bool_auto_t *out, char const *str); -+ - /* listen.c */ - void listen_free(rad_listen_t **head); - int listen_init(CONF_SECTION *cs, rad_listen_t **head, bool spawn_flag); -diff --git a/src/include/realms.h b/src/include/realms.h -index 6dae8b4f85..e643818e43 100644 ---- a/src/include/realms.h -+++ b/src/include/realms.h -@@ -59,6 +59,7 @@ typedef struct home_server { - //!< stats or when specifying home servers for a pool. - - bool dual; //!< One of a pair of homeservers on consecutive ports. -+ fr_bool_auto_t require_ma; //!< for all replies to Access-Request and Status-Server - char const *server; //!< For internal proxying - char const *parent_server; - -diff --git a/src/lib/radius.c b/src/lib/radius.c -index 3881111f7d..7b91a4bde2 100644 ---- a/src/lib/radius.c -+++ b/src/lib/radius.c -@@ -142,8 +142,9 @@ char const *fr_packet_codes[FR_MAX_PACKET_CODE] = { - "47", - "48", - "49", -- "IP-Address-Allocate", -- "IP-Address-Release", //!< 50 -+ "IP-Address-Allocate", //!< 50 -+ "IP-Address-Release", -+ "Protocol-Error", - }; - - -@@ -1700,6 +1701,15 @@ int rad_vp2attr(RADIUS_PACKET const *packet, RADIUS_PACKET const *original, - return rad_vp2vsa(packet, original, secret, pvp, start, room); - } - -+static const bool code2ma[FR_MAX_PACKET_CODE] = { -+ [ PW_CODE_ACCESS_REQUEST ] = true, -+ [ PW_CODE_ACCESS_ACCEPT ] = true, -+ [ PW_CODE_ACCESS_REJECT ] = true, -+ [ PW_CODE_ACCESS_CHALLENGE ] = true, -+ [ PW_CODE_STATUS_SERVER ] = true, -+ [ PW_CODE_PROTOCOL_ERROR ] = true, -+}; -+ - - /** Encode a packet - * -@@ -1712,6 +1722,7 @@ int rad_encode(RADIUS_PACKET *packet, RADIUS_PACKET const *original, - uint16_t total_length; - int len; - VALUE_PAIR const *reply; -+ bool seen_ma = false; - - /* - * A 4K packet, aligned on 64-bits. -@@ -1775,6 +1786,27 @@ int rad_encode(RADIUS_PACKET *packet, RADIUS_PACKET const *original, - * memcpy. - */ - -+ /* -+ * Always add Message-Authenticator for replies to -+ * Access-Request packets, and for all Access-Accept, -+ * Access-Reject, Access-Challenge. -+ * -+ * It must be the FIRST attribute in the packet. -+ */ -+ if (!packet->tls && -+ ((code2ma[packet->code]) || (original && code2ma[original->code]))) { -+ seen_ma = true; -+ -+ packet->offset = RADIUS_HDR_LEN; -+ -+ ptr[0] = PW_MESSAGE_AUTHENTICATOR; -+ ptr[1] = 18; -+ memset(ptr + 2, 0, 16); -+ -+ ptr += 18; -+ total_length += 18; -+ } -+ - /* - * Loop over the reply attributes for the packet. - */ -@@ -1832,6 +1864,13 @@ int rad_encode(RADIUS_PACKET *packet, RADIUS_PACKET const *original, - * length and initial value. - */ - if (!reply->da->vendor && (reply->da->attr == PW_MESSAGE_AUTHENTICATOR)) { -+ /* -+ * We have already encoded the Message-Authenticator, don't do it again. -+ */ -+ if (seen_ma) { -+ reply = reply->next; -+ continue; -+ } - if (room < 18) break; - - /* -@@ -2323,6 +2362,8 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason) - radius_packet_t *hdr; - char host_ipaddr[128]; - bool require_ma = false; -+ bool limit_proxy_state = false; -+ bool seen_proxy_state = false; - bool seen_ma = false; - uint32_t num_attributes; - decode_fail_t failure = DECODE_FAIL_NONE; -@@ -2371,15 +2412,26 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason) - } - - /* -- * Message-Authenticator is required in Status-Server -- * packets, otherwise they can be trivially forged. -+ * If the caller requires Message-Authenticator, then set -+ * the flag. - */ -- if (hdr->code == PW_CODE_STATUS_SERVER) require_ma = true; - - /* -- * It's also required if the caller asks for it. -+ * We also require Message-Authenticator if the packet -+ * code is Status-Server. -+ * -+ * If we're receiving packets from a proxy socket, then -+ * require Message-Authenticator for Access-* replies, -+ * and for Protocol-Error. - */ -- if (flags) require_ma = true; -+ require_ma = ((flags & 0x01) != 0) || (hdr->code == PW_CODE_STATUS_SERVER) || (((flags & 0x08) != 0) && code2ma[hdr->code]); -+ -+ /* -+ * -+ * We only limit Proxy-State if we're not requiring -+ * Message-Authenticator. -+ */ -+ limit_proxy_state = ((flags & 0x04) != 0) && !require_ma; - - /* - * Repeat the length checks. This time, instead of -@@ -2534,6 +2586,7 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason) - case PW_EAP_MESSAGE: - require_ma = true; - eap = true; -+ packet->eap_message = true; - break; - - case PW_USER_PASSWORD: -@@ -2542,6 +2595,11 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason) - non_eap = true; - break; - -+ case PW_PROXY_STATE: -+ seen_proxy_state = true; -+ packet->proxy_state = true; -+ break; -+ - case PW_MESSAGE_AUTHENTICATOR: - if (attr[1] != 2 + AUTH_VECTOR_LEN) { - FR_DEBUG_STRERROR_PRINTF("Malformed RADIUS packet from host %s: Message-Authenticator has invalid length %d", -@@ -2553,6 +2611,7 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason) - goto finish; - } - seen_ma = true; -+ packet->message_authenticator = true; - break; - } - -@@ -2609,7 +2668,19 @@ bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason) - * Message-Authenticator attributes. - */ - if (require_ma && !seen_ma) { -- FR_DEBUG_STRERROR_PRINTF("Insecure packet from host %s: Packet does not contain required Message-Authenticator attribute", -+ FR_DEBUG_STRERROR_PRINTF("Insecure packet from host %s: Packet does not contain required Message-Authenticator attribute. You may need to set \"require_message_authenticator = no\" in the configuration.", -+ inet_ntop(packet->src_ipaddr.af, -+ &packet->src_ipaddr.ipaddr, -+ host_ipaddr, sizeof(host_ipaddr))); -+ failure = DECODE_FAIL_MA_MISSING; -+ goto finish; -+ } -+ -+ /* -+ * The client is a NAS which shouldn't send Proxy-State, but it did! -+ */ -+ if (limit_proxy_state && seen_proxy_state && !seen_ma) { -+ FR_DEBUG_STRERROR_PRINTF("Insecure packet from host %s: Packet does not contain required Message-Authenticator attribute, but still has one or more Proxy-State attributes", - inet_ntop(packet->src_ipaddr.af, - &packet->src_ipaddr.ipaddr, - host_ipaddr, sizeof(host_ipaddr))); -diff --git a/src/main/client.c b/src/main/client.c -index 6228438c47..875dc37d60 100644 ---- a/src/main/client.c -+++ b/src/main/client.c -@@ -283,7 +283,8 @@ bool client_add(RADCLIENT_LIST *clients, RADCLIENT *client) - (old->coa_server == client->coa_server) && - (old->coa_pool == client->coa_pool) && - #endif -- (old->message_authenticator == client->message_authenticator)) { -+ (old->require_ma == client->require_ma) && -+ (old->limit_proxy_state == client->limit_proxy_state)) { - WARN("Ignoring duplicate client %s", client->longname); - client_free(client); - return true; -@@ -445,6 +446,8 @@ static fr_ipaddr_t cl_ipaddr; - static uint32_t cl_netmask; - static char const *cl_srcipaddr = NULL; - static char const *hs_proto = NULL; -+static char const *require_message_authenticator = NULL; -+static char const *limit_proxy_state = NULL; - - #ifdef WITH_TCP - static CONF_PARSER limit_config[] = { -@@ -467,7 +470,8 @@ static const CONF_PARSER client_config[] = { - - { "src_ipaddr", FR_CONF_POINTER(PW_TYPE_STRING, &cl_srcipaddr), NULL }, - -- { "require_message_authenticator", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, RADCLIENT, message_authenticator), "no" }, -+ { "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_STRING| PW_TYPE_IGNORE_DEFAULT, &require_message_authenticator), NULL }, -+ { "limit_proxy_state", FR_CONF_POINTER(PW_TYPE_STRING| PW_TYPE_IGNORE_DEFAULT, &limit_proxy_state), NULL }, - - { "secret", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, RADCLIENT, secret), NULL }, - { "shortname", FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, shortname), NULL }, -@@ -663,7 +667,7 @@ static const CONF_PARSER dynamic_config[] = { - { "FreeRADIUS-Client-Src-IP-Address", FR_CONF_OFFSET(PW_TYPE_IPV4_ADDR, RADCLIENT, src_ipaddr), NULL }, - { "FreeRADIUS-Client-Src-IPv6-Address", FR_CONF_OFFSET(PW_TYPE_IPV6_ADDR, RADCLIENT, src_ipaddr), NULL }, - -- { "FreeRADIUS-Client-Require-MA", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, RADCLIENT, message_authenticator), NULL }, -+ { "FreeRADIUS-Client-Require-MA", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, RADCLIENT, dynamic_require_ma), NULL }, - - { "FreeRADIUS-Client-Secret", FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, secret), "" }, - { "FreeRADIUS-Client-Shortname", FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, shortname), "" }, -@@ -845,8 +849,19 @@ RADCLIENT *client_afrom_cs(TALLOC_CTX *ctx, CONF_SECTION *cs, bool in_server, bo - c = talloc_zero(ctx, RADCLIENT); - c->cs = cs; - -+ /* -+ * Set the "require message authenticator" and "limit -+ * proxy state" flags from the global default. If the -+ * configuration item exists, AND is set, it will -+ * over-ride the flag. -+ */ -+ c->require_ma = main_config.require_ma; -+ c->limit_proxy_state = main_config.limit_proxy_state; -+ - memset(&cl_ipaddr, 0, sizeof(cl_ipaddr)); - cl_netmask = 255; -+ require_message_authenticator = NULL; -+ limit_proxy_state = NULL; - - if (cf_section_parse(cs, c, client_config) < 0) { - cf_log_err_cs(cs, "Error parsing client section"); -@@ -857,6 +872,9 @@ RADCLIENT *client_afrom_cs(TALLOC_CTX *ctx, CONF_SECTION *cs, bool in_server, bo - cl_srcipaddr = NULL; - #endif - -+ require_message_authenticator = NULL; -+ limit_proxy_state = NULL; -+ - return NULL; - } - -@@ -1114,6 +1132,16 @@ done_coa: - } - #endif - -+ if (fr_bool_auto_parse(cf_pair_find(cs, "require_message_authenticator"), &c->require_ma, require_message_authenticator) < 0) { -+ goto error; -+ } -+ -+ if (c->require_ma != FR_BOOL_TRUE) { -+ if (fr_bool_auto_parse(cf_pair_find(cs, "limit_proxy_state"), &c->limit_proxy_state, limit_proxy_state) < 0) { -+ goto error; -+ } -+ } -+ - return c; - } - -@@ -1158,7 +1186,7 @@ RADCLIENT *client_afrom_query(TALLOC_CTX *ctx, char const *identifier, char cons - if (shortname) c->shortname = talloc_typed_strdup(c, shortname); - if (type) c->nas_type = talloc_typed_strdup(c, type); - if (server) c->server = talloc_typed_strdup(c, server); -- c->message_authenticator = require_ma; -+ c->require_ma = require_ma; - - return c; - } -@@ -1344,10 +1372,10 @@ RADCLIENT *client_afrom_request(RADCLIENT_LIST *clients, REQUEST *request) - *pi = vp->vp_integer; - - /* -- * Same nastiness as above. -+ * Same nastiness as above, but hard-coded for require Message-Authenticator. - */ - for (parse = client_config; parse->name; parse++) { -- if (parse->offset == dynamic_config[i].offset) break; -+ if (parse->type == PW_TYPE_BOOLEAN) break; - } - if (!parse) break; - -@@ -1436,6 +1464,11 @@ validate: - goto error; - } - -+ /* -+ * It can't be set to "auto". Too bad. -+ */ -+ c->require_ma = (fr_bool_auto_t) c->dynamic_require_ma; -+ - if (!client_add_dynamic(clients, request->client, c)) { - return NULL; - } -diff --git a/src/main/conffile.c b/src/main/conffile.c -index a8c667bfb5..61754e991f 100644 ---- a/src/main/conffile.c -+++ b/src/main/conffile.c -@@ -1418,6 +1418,7 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d - { - int rcode; - bool deprecated, required, attribute, secret, file_input, cant_be_empty, tmpl, multi, file_exists; -+ bool ignore_dflt; - char **q; - char const *value; - CONF_PAIR *cp = NULL; -@@ -1441,6 +1442,7 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d - cant_be_empty = (type & PW_TYPE_NOT_EMPTY); - tmpl = (type & PW_TYPE_TMPL); - multi = (type & PW_TYPE_MULTI); -+ ignore_dflt = (type & PW_TYPE_IGNORE_DEFAULT); - - if (attribute) required = true; - if (required) cant_be_empty = true; /* May want to review this in the future... */ -@@ -1464,7 +1466,7 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, unsigned int type, void *d - * section, use the default value. - */ - if (!cp) { -- if (deprecated) return 0; /* Don't set the default value */ -+ if (deprecated || ignore_dflt) return 0; /* Don't set the default value */ - - rcode = 1; - value = dflt; -diff --git a/src/main/listen.c b/src/main/listen.c -index ebf7f5221c..c20fea243d 100644 ---- a/src/main/listen.c -+++ b/src/main/listen.c -@@ -456,6 +456,122 @@ int rad_status_server(REQUEST *request) - return 0; - } - -+static void blastradius_checks(RADIUS_PACKET *packet, RADCLIENT *client) -+{ -+ if (client->require_ma == FR_BOOL_TRUE) return; -+ -+ if (client->require_ma == FR_BOOL_AUTO) { -+ if (!packet->message_authenticator) { -+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ ERROR("BlastRADIUS check: Received packet without Message-Authenticator."); -+ ERROR("Setting \"require_message_authenticator = false\" for client %s", client->shortname); -+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ ERROR("UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK."); -+ ERROR("Once the client is upgraded, set \"require_message_authenticator = true\" for client %s", client->shortname); -+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ client->require_ma = FR_BOOL_FALSE; -+ -+ /* -+ * And fall through to the -+ * limit_proxy_state checks, which might -+ * complain again. Oh well, maybe that -+ * will make people read the messages. -+ */ -+ -+ } else if (packet->eap_message) { -+ /* -+ * Don't set it to "true" for packets -+ * with EAP-Message. It's already -+ * required there, and we might get a -+ * non-EAP packet with (or without) -+ * Message-Authenticator -+ */ -+ return; -+ } else { -+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ ERROR("BlastRADIUS check: Received packet with Message-Authenticator."); -+ ERROR("Setting \"require_message_authenticator = true\" for client %s", client->shortname); -+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ ERROR("It looks like the client has been updated to protect from the BlastRADIUS attack."); -+ ERROR("Please set \"require_message_authenticator = true\" for client %s", client->shortname); -+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ -+ client->require_ma = FR_BOOL_TRUE; -+ return; -+ } -+ -+ } -+ -+ /* -+ * If all of the checks are turned off, then complain for every packet we receive. -+ */ -+ if (client->limit_proxy_state == FR_BOOL_FALSE) { -+ /* -+ * We have a Message-Authenticator, and it's valid. We don't need to compain. -+ */ -+ if (!fr_debug_lvl) return; /* easier than checking for each line below */ -+ -+ DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ DEBUG("BlastRADIUS check: Received packet without Message-Authenticator."); -+ DEBUG("YOU MUST SET \"require_message_authenticator = true\", or"); -+ DEBUG("YOU MUST SET \"limit_proxy_state = true\" for client %s", client->shortname); -+ DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ DEBUG("The packet does not contain Message-Authenticator, which is a security issue"); -+ DEBUG("UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK."); -+ DEBUG("Once the client is upgraded, set \"require_message_authenticator = true\" for client %s", client->shortname); -+ DEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ return; -+ } -+ -+ /* -+ * Don't complain here. rad_packet_ok() will instead -+ * complain about every packet with Proxy-State but which -+ * is missing Message-Authenticator. -+ */ -+ if (client->limit_proxy_state == FR_BOOL_TRUE) { -+ return; -+ } -+ -+ if (packet->proxy_state && !packet->message_authenticator) { -+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ ERROR("BlastRADIUS check: Received packet with Proxy-State, but without Message-Authenticator."); -+ ERROR("This is either a BlastRADIUS attack, OR"); -+ ERROR("the client is a proxy RADIUS server which has not been upgraded."); -+ ERROR("Setting \"limit_proxy_state = false\" for client %s", client->shortname); -+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ ERROR("UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK."); -+ DEBUG("Once the client is upgraded, set \"require_message_authenticator = true\" for client %s", client->shortname); -+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ -+ client->limit_proxy_state = FR_BOOL_FALSE; -+ -+ } else { -+ client->limit_proxy_state = FR_BOOL_TRUE; -+ -+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ if (!packet->proxy_state) { -+ ERROR("BlastRADIUS check: Received packet without Proxy-State."); -+ } else { -+ ERROR("BlastRADIUS check: Received packet with Proxy-State and Message-Authenticator."); -+ } -+ -+ ERROR("Setting \"limit_proxy_state = true\" for client %s", client->shortname); -+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ -+ if (!packet->message_authenticator) { -+ ERROR("The packet does not contain Message-Authenticator, which is a security issue."); -+ ERROR("UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK."); -+ DEBUG("Once the client is upgraded, set \"require_message_authenticator = true\" for client %s", client->shortname); -+ } else { -+ ERROR("The packet contains Message-Authenticator."); -+ if (!packet->eap_message) ERROR("The client has likely been upgraded to protect from the attack."); -+ ERROR("Please set \"require_message_authenticator = true\" for client %s", client->shortname); -+ } -+ ERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ } -+} -+ -+ - #ifdef WITH_TCP - static int dual_tcp_recv(rad_listen_t *listener) - { -@@ -532,6 +648,21 @@ static int dual_tcp_recv(rad_listen_t *listener) - switch (packet->code) { - case PW_CODE_ACCESS_REQUEST: - if (listener->type != RAD_LISTEN_AUTH) goto bad_packet; -+ -+ /* -+ * Enforce BlastRADIUS checks on TCP, too. -+ */ -+ if (!rad_packet_ok(packet, (client->require_ma == FR_BOOL_TRUE) | ((client->limit_proxy_state == FR_BOOL_TRUE) << 2), NULL)) { -+ FR_STATS_INC(auth, total_malformed_requests); -+ rad_free(&sock->packet); -+ return 0; -+ } -+ -+ /* -+ * Perform BlastRADIUS checks and warnings. -+ */ -+ if (packet->code == PW_CODE_ACCESS_REQUEST) blastradius_checks(packet, client); -+ - FR_STATS_INC(auth, total_requests); - fun = rad_authenticate; - break; -@@ -1562,7 +1693,7 @@ static int auth_socket_recv(rad_listen_t *listener) - * Now that we've sanity checked everything, receive the - * packet. - */ -- packet = rad_recv(ctx, listener->fd, client->message_authenticator); -+ packet = rad_recv(ctx, listener->fd, (client->require_ma == FR_BOOL_TRUE) | ((client->limit_proxy_state == FR_BOOL_TRUE) << 2)); - if (!packet) { - FR_STATS_INC(auth, total_malformed_requests); - if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror()); -@@ -1570,6 +1701,12 @@ static int auth_socket_recv(rad_listen_t *listener) - return 0; - } - -+ -+ /* -+ * Perform BlastRADIUS checks and warnings. -+ */ -+ if (packet->code == PW_CODE_ACCESS_REQUEST) blastradius_checks(packet, client); -+ - #ifdef __APPLE__ - #ifdef WITH_UDPFROMTO - /* -@@ -1955,7 +2092,7 @@ static int coa_socket_recv(rad_listen_t *listener) - * Now that we've sanity checked everything, receive the - * packet. - */ -- packet = rad_recv(ctx, listener->fd, client->message_authenticator); -+ packet = rad_recv(ctx, listener->fd, client->require_ma | (((int) client->limit_proxy_state) << 2)); - if (!packet) { - FR_STATS_INC(coa, total_malformed_requests); - if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror()); -diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c -index e9dd412dee..520d7fa474 100644 ---- a/src/main/mainconfig.c -+++ b/src/main/mainconfig.c -@@ -73,6 +73,8 @@ static char const *gid_name = NULL; - static char const *chroot_dir = NULL; - static bool allow_core_dumps = false; - static char const *radlog_dest = NULL; -+static char const *require_message_authenticator = NULL; -+static char const *limit_proxy_state = NULL; - - /* - * These are not used anywhere else.. -@@ -87,6 +89,53 @@ static bool do_colourise = false; - - static char const *radius_dir = NULL; //!< Path to raddb directory - -+static const FR_NAME_NUMBER fr_bool_auto_names[] = { -+ { "false", FR_BOOL_FALSE }, -+ { "no", FR_BOOL_FALSE }, -+ { "0", FR_BOOL_FALSE }, -+ -+ { "true", FR_BOOL_TRUE }, -+ { "yes", FR_BOOL_TRUE }, -+ { "1", FR_BOOL_TRUE }, -+ -+ { "auto", FR_BOOL_AUTO }, -+ -+ { NULL, 0 } -+}; -+ -+/* -+ * Get decent values for false / true / auto -+ */ -+int fr_bool_auto_parse(CONF_PAIR *cp, fr_bool_auto_t *out, char const *str) -+{ -+ int value; -+ -+ /* -+ * Don't change anything. -+ */ -+ if (!str) return 0; -+ -+ value = fr_str2int(fr_bool_auto_names, str, -1); -+ if (value >= 0) { -+ *out = value; -+ return 0; -+ } -+ -+ /* -+ * This should never happen, as the defaults are in the -+ * source code. If there's no CONF_PAIR, and there's a -+ * parse error, then the source code is wrong. -+ */ -+ if (!cp) { -+ fprintf(stderr, "%s: Error - Invalid value in configuration", main_config.name); -+ return -1; -+ } -+ -+ cf_log_err(cf_pair_to_item(cp), "Invalid value for \"%s\"", cf_pair_attr(cp)); -+ return -1; -+} -+ -+ - /********************************************************************** - * - * We need to figure out where the logs go, before doing anything -@@ -159,6 +208,8 @@ static const CONF_PARSER security_config[] = { - { "max_attributes", FR_CONF_POINTER(PW_TYPE_INTEGER, &fr_max_attributes), STRINGIFY(0) }, - { "reject_delay", FR_CONF_POINTER(PW_TYPE_TIMEVAL, &main_config.reject_delay), STRINGIFY(0) }, - { "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"}, -+ { "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_STRING, &require_message_authenticator), "auto"}, -+ { "limit_proxy_state", FR_CONF_POINTER(PW_TYPE_STRING, &limit_proxy_state), "auto"}, - #ifdef ENABLE_OPENSSL_VERSION_CHECK - { "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"}, - #endif -@@ -838,6 +889,8 @@ int main_config_init(void) - if (!main_config.dictionary_dir) { - main_config.dictionary_dir = DICTDIR; - } -+ main_config.require_ma = FR_BOOL_AUTO; -+ main_config.limit_proxy_state = FR_BOOL_AUTO; - - /* - * About sizeof(REQUEST) + sizeof(RADIUS_PACKET) * 2 + sizeof(VALUE_PAIR) * 400 -@@ -1127,6 +1180,23 @@ do {\ - main_config.init_delay.tv_sec = 0; - main_config.init_delay.tv_usec = 2* (1000000 / 3); - -+ { -+ CONF_PAIR *cp = NULL; -+ -+ subcs = cf_section_sub_find(cs, "security"); -+ if (subcs) cp = cf_pair_find(subcs, "require_message_authenticator"); -+ if (fr_bool_auto_parse(cp, &main_config.require_ma, require_message_authenticator) < 0) { -+ cf_file_free(cs); -+ return -1; -+ } -+ -+ if (subcs) cp = cf_pair_find(subcs, "limit_proxy_state"); -+ if (fr_bool_auto_parse(cp, &main_config.limit_proxy_state, limit_proxy_state) < 0) { -+ cf_file_free(cs); -+ return -1; -+ } -+ } -+ - /* - * Free the old configuration items, and replace them - * with the new ones. -diff --git a/src/main/process.c b/src/main/process.c -index 1a48517d43..401033bdd6 100644 ---- a/src/main/process.c -+++ b/src/main/process.c -@@ -2593,6 +2593,23 @@ int request_proxy_reply(RADIUS_PACKET *packet) - - PTHREAD_MUTEX_UNLOCK(&proxy_mutex); - -+ if (!request->proxy_reply) { -+ decode_fail_t reason; -+ -+ /* -+ * If the home server configuration requires a Message-Authenticator, then set the flag, -+ * but only if the proxied packet is Access-Request or Status-Sercer. -+ * -+ * The realms.c file already clears require_ma for TLS connections. -+ */ -+ bool require_ma = (request->home_server->require_ma == FR_BOOL_TRUE) && (request->proxy->code == PW_CODE_ACCESS_REQUEST); -+ -+ if(!rad_packet_ok(packet, require_ma, &reason)) { -+ DEBUG("Ignoring invalid packet - %s", fr_strerror()); -+ return 0; -+ } -+ } -+ - /* - * No reply, BUT the current packet fails verification: - * ignore it. This does the MD5 calculations in the -@@ -2618,6 +2635,54 @@ int request_proxy_reply(RADIUS_PACKET *packet) - return 0; - } - -+ -+ /* -+ * BlastRADIUS checks. We're running in the main -+ * listener thread, so there's no conflict -+ * checking or setting these fields. -+ */ -+ if (!request->proxy_reply && (request->proxy->code == PW_CODE_ACCESS_REQUEST) && -+#ifdef WITH_TLS -+ !request->home_server->tls && -+#endif -+ !packet->eap_message) { -+ if (request->home_server->require_ma == FR_BOOL_AUTO) { -+ if (!packet->message_authenticator) { -+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ RERROR("BlastRADIUS check: Received response to Access-Request without Message-Authenticator."); -+ RERROR("Setting \"require_message_authenticator = false\" for home_server %s", request->home_server->name); -+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ RERROR("UPGRADE THE HOME SERVER AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK."); -+ RERROR("Once the home_server is upgraded, set \"require_message_authenticator = true\" for home_server %s.", request->home_server->name); -+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ -+ request->home_server->require_ma = FR_BOOL_FALSE; -+ } else { -+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ RERROR("BlastRADIUS check: Received response to Access-Request with Message-Authenticator."); -+ RERROR("Setting \"require_message_authenticator = true\" for home_server %s", request->home_server->name); -+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ RERROR("It looks like the home server has been updated to protect from the BlastRADIUS attack."); -+ RERROR("Please set \"require_message_authenticator = true\" for home_server %s", request->home_server->name); -+ RERROR("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ -+ request->home_server->require_ma = FR_BOOL_TRUE; -+ } -+ -+ } else if (fr_debug_lvl && (request->home_server->require_ma == FR_BOOL_FALSE) && !packet->message_authenticator) { -+ /* -+ * If it's "no" AND we don't have a Message-Authenticator, then complain on every packet. -+ */ -+ RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ RDEBUG("BlastRADIUS check: Received packet without Message-Authenticator from home_server %s", request->home_server->name); -+ RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ RDEBUG("The packet does not contain Message-Authenticator, which is a security issue"); -+ RDEBUG("UPGRADE THE HOME SERVER AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK."); -+ RERROR("Once the home_server is upgraded, set \"require_message_authenticator = true\" for home_server %s.", request->home_server->name); -+ RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); -+ } -+ } -+ - /* - * This shouldn't happen, but threads and race - * conditions. -diff --git a/src/main/radclient.c b/src/main/radclient.c -index 52d2872b13..47d5f07785 100644 ---- a/src/main/radclient.c -+++ b/src/main/radclient.c -@@ -54,6 +54,7 @@ static fr_ipaddr_t server_ipaddr; - static int resend_count = 1; - static bool done = true; - static bool print_filename = false; -+static bool blast_radius = false; - - static fr_ipaddr_t client_ipaddr; - static uint16_t client_port = 0; -@@ -89,6 +90,7 @@ static void NEVER_RETURNS usage(void) - fprintf(stderr, " One of auth, acct, status, coa, disconnect or auto.\n"); - fprintf(stderr, " -4 Use IPv4 address of server\n"); - fprintf(stderr, " -6 Use IPv6 address of server.\n"); -+ fprintf(stderr, " -b Mandate checks for Blast RADIUS (this is not set by default).\n"); - fprintf(stderr, " -c Send each packet 'count' times.\n"); - fprintf(stderr, " -d Set user dictionary directory (defaults to " RADDBDIR ").\n"); - fprintf(stderr, " -D Set main dictionary directory (defaults to " DICTDIR ").\n"); -@@ -1000,6 +1002,130 @@ static int send_one_packet(rc_request_t *request) - return 0; - } - -+/* -+ * Do Blast RADIUS checks. -+ * -+ * The request is an Access-Request, and does NOT contain Proxy-State. -+ * -+ * The reply is a raw packet, and is NOT yet decoded. -+ */ -+static int blast_radius_check(rc_request_t *request, RADIUS_PACKET *reply) -+{ -+ uint8_t *attr, *end; -+ VALUE_PAIR *vp; -+ bool have_message_authenticator = false; -+ -+ /* -+ * We've received a raw packet. Nothing has (as of yet) checked -+ * anything in it other than the length, and that it's a -+ * well-formed RADIUS packet. -+ */ -+ switch (reply->data[0]) { -+ case PW_CODE_ACCESS_ACCEPT: -+ case PW_CODE_ACCESS_REJECT: -+ case PW_CODE_ACCESS_CHALLENGE: -+ if (reply->data[1] != request->packet->id) { -+ ERROR("Invalid reply ID %d to Access-Request ID %d", reply->data[1], request->packet->id); -+ return -1; -+ } -+ break; -+ -+ default: -+ ERROR("Invalid reply code %d to Access-Request", reply->data[0]); -+ return -1; -+ } -+ -+ /* -+ * If the reply has a Message-Authenticator, then it MIGHT be fine. -+ */ -+ attr = reply->data + 20; -+ end = reply->data + reply->data_len; -+ -+ /* -+ * It should be the first attribute, so we warn if it isn't there. -+ * -+ * But it's not a fatal error. -+ */ -+ if (blast_radius && (attr[0] != PW_MESSAGE_AUTHENTICATOR)) { -+ RDEBUG("WARNING The %s reply packet does not have Message-Authenticator as the first attribute. The packet may be vulnerable to Blast RADIUS attacks.", -+ fr_packet_codes[reply->data[0]]); -+ } -+ -+ /* -+ * Set up for Proxy-State checks. -+ * -+ * If we see a Proxy-State in the reply which we didn't send, then it's a Blast RADIUS attack. -+ */ -+ vp = fr_pair_find_by_num(request->packet->vps, PW_PROXY_STATE, 0, TAG_ANY); -+ -+ while (attr < end) { -+ /* -+ * Blast RADIUS work-arounds require that -+ * Message-Authenticator is the first attribute in the -+ * reply. Note that we don't check for it being the -+ * first attribute, but simply that it exists. -+ * -+ * That check is a balance between securing the reply -+ * packet from attacks, and not violating the RFCs which -+ * say that there is no order to attributes in the -+ * packet. -+ * -+ * However, no matter the status of the '-b' flag we -+ * still can check for the signature of the attack, and -+ * discard packets which are suspicious. This behavior -+ * protects radclient from the attack, without mandating -+ * new behavior on the server side. -+ * -+ * Note that we don't set the '-b' flag by default. -+ * radclient is intended for testing / debugging, and is -+ * not intended to be used as part of a secure login / -+ * user checking system. -+ */ -+ if (attr[0] == PW_MESSAGE_AUTHENTICATOR) { -+ have_message_authenticator = true; -+ goto next; -+ } -+ -+ /* -+ * If there are Proxy-State attributes in the reply, they must -+ * match EXACTLY the Proxy-State attributes in the request. -+ * -+ * Note that we don't care if there are more Proxy-States -+ * in the request than in the reply. The Blast RADIUS -+ * issue requires _adding_ Proxy-State attributes, and -+ * cannot work when the server _deletes_ Proxy-State -+ * attributes. -+ */ -+ if (attr[0] == PW_PROXY_STATE) { -+ if (!vp || (vp->length != (size_t) (attr[1] - 2)) || (memcmp(vp->vp_octets, attr + 2, vp->length) != 0)) { -+ ERROR("Invalid reply to Access-Request ID %d - Discarding packet due to Blast RADIUS attack being detected.", request->packet->id); -+ ERROR("We received a Proxy-State in the reply which we did not send, or which is different from what we sent."); -+ return -1; -+ } -+ -+ vp = fr_pair_find_by_num(vp->next, PW_PROXY_STATE, 0, TAG_ANY); -+ } -+ -+ next: -+ attr += attr[1]; -+ } -+ -+ /* -+ * If "-b" is set, then we require Message-Authenticator in the reply. -+ */ -+ if (blast_radius && !have_message_authenticator) { -+ ERROR("The %s reply packet does not contain Message-Authenticator - discarding packet due to Blast RADIUS checks.", -+ fr_packet_codes[reply->data[0]]); -+ return -1; -+ } -+ -+ /* -+ * The packet doesn't look like it's a Blast RADIUS attack. The -+ * caller will now verify the packet signature. -+ */ -+ return 0; -+} -+ - /* - * Receive one packet, maybe. - */ -@@ -1051,6 +1177,21 @@ static int recv_one_packet(int wait_time) - } - request = fr_packet2myptr(rc_request_t, packet, packet_p); - -+ -+ /* -+ * We want radclient to be able to send any packet, including -+ * imperfect ones. However, we do NOT want to be vulnerable to -+ * the "Blast RADIUS" issue. Instead of adding command-line -+ * flags to enable/disable similar flags to what the server -+ * sends, we just do a few more smart checks to double-check -+ * things. -+ */ -+ if ((request->packet->code == PW_CODE_ACCESS_REQUEST) && -+ blast_radius_check(request, reply) < 0) { -+ rad_free(&reply); -+ return -1; -+ } -+ - /* - * Fails the signature validation: not a real reply. - * FIXME: Silently drop it and listen for another packet. -@@ -1183,7 +1324,7 @@ int main(int argc, char **argv) - exit(1); - } - -- while ((c = getopt(argc, argv, "46c:d:D:f:Fhn:p:qr:sS:t:vx" -+ while ((c = getopt(argc, argv, "46bc:d:D:f:Fhn:p:qr:sS:t:vx" - #ifdef WITH_TCP - "P:" - #endif -@@ -1192,6 +1333,10 @@ int main(int argc, char **argv) - force_af = AF_INET; - break; - -+ case 'b': -+ blast_radius = true; -+ break; -+ - case '6': - force_af = AF_INET6; - break; -diff --git a/src/main/radtest.in b/src/main/radtest.in -index 38b1ba9a0f..8a6741a26c 100644 ---- a/src/main/radtest.in -+++ b/src/main/radtest.in -@@ -19,6 +19,7 @@ usage() { - echo " -x Enable debug output" >&2 - echo " -4 Use IPv4 for the NAS address (default)" >&2 - echo " -6 Use IPv6 for the NAS address" >&2 -+ echo " -6 Mandate checks for Blast RADIUS (this is not set by default)." >&2 - exit 1 - } - -@@ -55,6 +56,10 @@ do - NAS_ADDR_ATTR="NAS-IPv6-Address" - shift - ;; -+ -b) -+ OPTIONS="$OPTIONS -b" -+ shift -+ ;; - -d) - OPTIONS="$OPTIONS -d $2" - shift;shift -@@ -120,7 +125,6 @@ fi - echo "$PASSWORD = \"$2\"" - echo "$NAS_ADDR_ATTR = $nas" - echo "NAS-Port = $4" -- echo "Message-Authenticator = 0x00" - if [ "$radclient" = "$radeapclient" ] - then - echo "EAP-Code = Response" -diff --git a/src/main/realms.c b/src/main/realms.c -index eb42598116..5e1215c0bb 100644 ---- a/src/main/realms.c -+++ b/src/main/realms.c -@@ -366,7 +366,10 @@ static CONF_PARSER home_server_coa[] = { - }; - #endif - -+static const char *require_message_authenticator = NULL; -+ - static CONF_PARSER home_server_config[] = { -+ { "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_STRING| PW_TYPE_IGNORE_DEFAULT, &require_message_authenticator), NULL }, - { "ipaddr", FR_CONF_OFFSET(PW_TYPE_COMBO_IP_ADDR, home_server_t, ipaddr), NULL }, - { "ipv4addr", FR_CONF_OFFSET(PW_TYPE_IPV4_ADDR, home_server_t, ipaddr), NULL }, - { "ipv6addr", FR_CONF_OFFSET(PW_TYPE_IPV6_ADDR, home_server_t, ipaddr), NULL }, -@@ -640,6 +643,9 @@ home_server_t *home_server_afrom_cs(TALLOC_CTX *ctx, realm_config_t *rc, CONF_SE - home->cs = cs; - home->state = HOME_STATE_UNKNOWN; - home->proto = IPPROTO_UDP; -+ home->require_ma = main_config.require_ma; -+ -+ require_message_authenticator = false; - - /* - * Parse the configuration into the home server -@@ -647,6 +653,10 @@ home_server_t *home_server_afrom_cs(TALLOC_CTX *ctx, realm_config_t *rc, CONF_SE - */ - if (cf_section_parse(cs, home, home_server_config) < 0) goto error; - -+ if (fr_bool_auto_parse(cf_pair_find(cs, "require_message_authenticator"), &home->require_ma, require_message_authenticator) < 0) { -+ goto error; -+ } -+ - /* - * It has an IP address, it must be a remote server. - */ -@@ -924,6 +934,7 @@ home_server_t *home_server_afrom_cs(TALLOC_CTX *ctx, realm_config_t *rc, CONF_SE - * Parse the SSL client configuration. - */ - if (tls) { -+ home->require_ma = false; - home->tls = tls_client_conf_parse(tls); - if (!home->tls) { - goto error; -diff --git a/src/main/tls_listen.c b/src/main/tls_listen.c -index 0eed87b64f..4ae3c5b975 100644 ---- a/src/main/tls_listen.c -+++ b/src/main/tls_listen.c -@@ -299,6 +299,8 @@ get_application_data: - packet->vps = NULL; - PTHREAD_MUTEX_UNLOCK(&sock->mutex); - -+ packet->tls = true; -+ - if (!rad_packet_ok(packet, 0, NULL)) { - if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror()); - DEBUG("Closing TLS socket from client"); -@@ -713,6 +715,8 @@ int proxy_tls_recv(rad_listen_t *listener) - memcpy(packet->data, data, packet->data_len); - memcpy(packet->vector, packet->data + 4, 16); - -+ packet->tls = true; -+ - /* - * FIXME: Client MIB updates? - */ -@@ -765,6 +769,7 @@ int proxy_tls_send(rad_listen_t *listener, REQUEST *request) - * if there's no packet, encode it here. - */ - if (!request->proxy->data) { -+ request->reply->tls = true; - request->proxy_listener->encode(request->proxy_listener, - request); - } --- -2.35.7 - diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.27.bb similarity index 89% rename from meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb rename to meta-networking/recipes-connectivity/freeradius/freeradius_3.0.27.bb index 01d23fdf83..27cc12c347 100644 --- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb +++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.27.bb @@ -16,31 +16,31 @@ DEPENDS = "openssl-native openssl libidn libtool libpcap libtalloc" SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0;;protocol=https \ file://freeradius \ file://volatiles.58_radiusd \ - file://freeradius-enble-user-in-conf.patch \ - file://freeradius-configure.ac-allow-cross-compilation.patch \ - file://freeradius-libtool-detection.patch \ - file://freeradius-configure.ac-add-option-for-libcap.patch \ - file://freeradius-avoid-searching-host-dirs.patch \ - file://freeradius-rlm_python-add-PY_INC_DIR.patch \ - file://freeradius-libtool-do-not-use-jlibtool.patch \ - file://freeradius-fix-quoting-for-BUILT_WITH.patch \ - file://freeradius-fix-error-for-expansion-of-macro.patch \ - file://0001-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch \ - file://0001-raddb-certs-Makefile-fix-the-existed-certificate-err.patch \ - file://0001-raddb-certs-Makefile-fix-the-occasional-verification.patch \ - file://0001-workaround-error-with-autoconf-2.7.patch \ file://radiusd.service \ file://radiusd-volatiles.conf \ - file://check-openssl-cmds-in-script-bootstrap.patch \ - file://0001-version.c-don-t-print-build-flags.patch \ - file://CVE-2022-41860.patch \ - file://CVE-2022-41861.patch \ - file://CVE-2024-3596.patch \ + file://0001-Add-autogen.sh.patch \ + file://0002-Enable-and-change-user-and-group-of-freeradius-serve.patch \ + file://0003-configure.ac-allow-cross-compilation.patch \ + file://0004-Fix-libtool-detection.patch \ + file://0005-configure.ac-add-option-for-libcap.patch \ + file://0006-Avoid-searching-host-dirs.patch \ + file://0007-rlm_python-add-PY_INC_DIR-in-search-dir.patch \ + file://0008-libtool-do-not-use-jlibtool.patch \ + file://0009-Fix-quoting-for-BUILD_WITH.patch \ + file://0010-fix-error-for-expansion-of-macro-in-thread.h.patch \ + file://0011-rlm_mschap-Use-includedir-instead-of-hardcoding-usr-.patch \ + file://0012-raddb-certs-Makefile-fix-the-existed-certificate-err.patch \ + file://0013-raddb-certs-Makefile-fix-the-occasional-verification.patch \ + file://0014-Workaround-error-with-autoconf-2.7.patch \ + file://0015-bootstrap-check-commands-of-openssl-exist.patch \ + file://0016-version.c-don-t-print-build-flags.patch \ " raddbdir="${sysconfdir}/${MLPREFIX}raddb" -SRCREV = "af428abda249b2279ba0582180985a9f6f4a144a" +SRCREV = "f317c5b2668a4de7065df46b31267cd6ff32ddf1" + +UPSTREAM_CHECK_GITTAGREGEX = "release_(?P\d+(\_\d+)+)" CVE_CHECK_IGNORE = "\ CVE-2002-0318 \