SUSE:SLE-12-SP3:GA
freeradius-server.14503
CVE-2019-17185.patch
File CVE-2019-17185.patch of Package freeradius-server.14503
ported from:
From 6b522f8780813726799e6b8cf0f1f8e0ce2c8ebf Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef <Mathy.Vanhoef@nyu.edu>
Date: Fri, 4 Oct 2019 17:53:52 +0400
Subject: [PATCH] EAP-pwd: fix DoS due to multithreaded BN_CTX access
The EAP-pwd module created one global OpenSSL BN_CTX instance, and used this instance in all incoming requests. This means that different threads used the same BN_CTX instance, which can result in a crash. An adversary can trigger these crashes by concurrently initiating multiple EAP-pwd handshakes from different clients. Fix this bug by creating a separate BN_CTX instance for each request.
---
.../rlm_eap/types/rlm_eap_pwd/eap_pwd.h | 1 +
.../rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c | 24 +++++++++----------
.../rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.h | 2 --
3 files changed, 13 insertions(+), 14 deletions(-)
Index: freeradius-server-3.0.3/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.h
===================================================================
--- freeradius-server-3.0.3.orig/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.h
+++ freeradius-server-3.0.3/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.h
@@ -90,6 +90,7 @@ typedef struct _pwd_session_t { uint8_t *out_buf; /* message to fragment */ int out_buf_pos; int out_buf_len; + BN_CTX *bnctx; EC_GROUP *group; EC_POINT *pwe; BIGNUM *order;
Index: freeradius-server-3.0.3/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c
===================================================================
--- freeradius-server-3.0.3.orig/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c
+++ freeradius-server-3.0.3/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c
@@ -60,10 +60,6 @@ mod_detach (void *arg) inst = (eap_pwd_t *) arg; - if (inst->bnctx) { - BN_CTX_free(inst->bnctx); - } - return 0; }
@@ -82,11 +78,6 @@ eap_pwd_attach (CONF_SECTION *cs, void * return -1; } - if ((inst->bnctx = BN_CTX_new()) == NULL) { - ERROR("rlm_eap_pwd: failed to get BN context!"); - return -1; - } - return 0; }
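Review bot: The new `bnctx` member added to `pwd_session_t` in the eap_pwd.h hunk carries no comment, unlike `out_buf` just above it, so the reason it lives in the session is recorded only in the commit message. I would document ownership and the threading constraint on the field itself, e.g. `BN_CTX *bnctx; /* per-session scratch context, never shared between threads; freed in free_session() */`. The struct definition starts and ends outside the hunk.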
@@ -109,6 +100,7 @@ free_session (void *data) EC_POINT_free(session->pwe); BN_free(session->order); BN_free(session->prime); + BN_CTX_free(session->bnctx); } static int
@@ -227,6 +219,12 @@ eap_pwd_initiate (void *instance, eap_ha pwd_session->order = NULL; pwd_session->prime = NULL; + pwd_session->bnctx = BN_CTX_new(); + if (pwd_session->bnctx == NULL) { + ERROR("rlm_eap_pwd: Failed to get BN context"); + return 0; + } + /* * figure out the MTU (basically do what eap-tls does) */
@@ -488,7 +486,7 @@ mod_authenticate (void *arg, eap_handler /* * compute our scalar and element */ - if (compute_scalar_element(pwd_session, inst->bnctx)) { + if (compute_scalar_element(pwd_session, pwd_session->bnctx)) { DEBUG2("failed to compute server's scalar and element"); return 0; }
@@ -502,7 +500,7 @@ mod_authenticate (void *arg, eap_handler */ if (!EC_POINT_get_affine_coordinates_GFp(pwd_session->group, pwd_session->my_element, x, y, - inst->bnctx)) { + pwd_session->bnctx)) { DEBUG2("server point assignment failed"); BN_free(x); BN_free(y);
@@ -542,7 +540,7 @@ mod_authenticate (void *arg, eap_handler /* * process the peer's commit and generate the shared key, k */ - if (process_peer_commit(pwd_session, buf, inst->bnctx)) { + if (process_peer_commit(pwd_session, buf, pwd_session->bnctx)) { RDEBUG2("failed to process peer's commit"); return 0; }
@@ -550,7 +548,7 @@ mod_authenticate (void *arg, eap_handler /* * compute our confirm blob */ - if (compute_server_confirm(pwd_session, pwd_session->my_confirm, inst->bnctx)) { + if (compute_server_confirm(pwd_session, pwd_session->my_confirm, pwd_session->bnctx)) { ERROR("rlm_eap_pwd: failed to compute confirm!"); return 0; }
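Review bot: On `BN_CTX_new()` failure the block added to eap_pwd_initiate returns 0 straight away, and the hunk does not show how `pwd_session` was allocated or whether its cleanup is already registered at that point. If the session is not released by its parent or by free_session() on this path, the early return leaks it, so this is worth confirming against the part of the function above the hunk. Every handshake a peer starts also now holds its own BN_CTX until the session is freed, so memory held for unfinished EAP-pwd exchanges is bounded only by the server's session limits and timeouts. The function body starts and ends outside the hunk.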
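Review bot: The helper calls in mod_authenticate now pass `pwd_session` and `pwd_session->bnctx` side by side, which makes the context argument redundant: `compute_scalar_element` in the -488 hunk, `process_peer_commit` and `compute_server_confirm` in the -542 and -550 hunks, and `compute_peer_confirm` in the -573 hunk. The helpers could take the context from the session they are already given, which would also rule out a caller passing a context that belongs to another session; their definitions are outside this diff, so that is a follow-up change. The fix also depends on one session never being processed by two threads at once, which presumably holds for an EAP handler but is not visible here. A short comment at the first use, such as `/* bnctx is per session; a session is handled by one thread at a time */`, would record that assumption.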
@@ -573,7 +571,7 @@ mod_authenticate (void *arg, eap_handler RDEBUG2("pwd exchange is incorrect: not commit!"); return 0; } - if (compute_peer_confirm(pwd_session, peer_confirm, inst->bnctx)) { + if (compute_peer_confirm(pwd_session, peer_confirm, pwd_session->bnctx)) { RDEBUG2("pwd exchange cannot compute peer's confirm"); return 0; }
Index: freeradius-server-3.0.3/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.h
===================================================================
--- freeradius-server-3.0.3.orig/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.h
+++ freeradius-server-3.0.3/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.h
@@ -48,7 +48,6 @@ typedef struct eap_pwd_conf { typedef struct _eap_pwd_t { EAP_PWD_CONF *conf; - BN_CTX *bnctx; } eap_pwd_t; #endif /* _RLM_EAP_PWD_H */