File CVE-2024-3596.patch of Package freeradius-server

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2024-3596.patch of Package freeradius-server

Index: freeradius-server-3.0.21/raddb/radiusd.conf.in
===================================================================
--- freeradius-server-3.0.21.orig/raddb/radiusd.conf.in
+++ freeradius-server-3.0.21/raddb/radiusd.conf.in
@@ -583,6 +583,64 @@ security {
 	#
 	status_server = yes
 
+	#
+	#  Global configuration for requiring Message-Authenticator
+	#  in all Access-* packets sent over UDP or TCP.  This flag
+	#  is ignored for TLS.
+
+	#
+	#  This flag sets the global default for all clients and home
+	#  servers.  It can be over-ridden in an individual client or
+	#  home server definition by adding a flag to that section:
+	#
+	#	require_message_authenticator = no
+	#
+	#  If the server produces error message which says "Packet
+	#  does not contain required Message-Authenticator attribute",
+	#  then this configuration item has to be updated.
+	#
+	#  WARNING: This item should always be left as "yes",
+	#  otherwise it is possible for MITM attackers to create fake
+	#  Access-Accept packets to the NAS!
+	#
+	require_message_authenticator = yes
+
+	#
+	#  Global configuration for requiring Message-Authenticator
+	#  Access-Request packets from a NAS, but only if those
+	#  packets also contain Proxy-State.  This flag only applies
+	#  to packets sent over UDP or TCP.  This flag is ignored for
+	#  TLS.
+	#
+	#  This flag sets the global default for all clients.  It can
+	#  be over-ridden in an individual client definition by adding
+	#  a flag to that section:
+	#
+	#	limit_proxy_state = no
+	#
+	#  If "require_message_authenticator" is set to "yes", this
+	#  configuration item is ignored.
+	#
+	#  If "require_message_authenticator" is set to "no", this
+	#  configuration item is checked.
+	#
+	#  This configuration item should ALWAYS be set to "yes".
+	#
+	#  The only reason to set it to "no" is when the client is a
+	#  proxy, AND the proxy does not send Message-Authenticator in
+	#  Access-Request packets.  Even then, the best approach to
+	#  fix the issue is to (1) update the proxy to send
+	#  Message-Authenticator, and if that can't be done, then (2)
+	#  set this flag to "no", but ONLY on a per-client basis.
+	#
+	#  WARNING: Setting both this flag and the
+	#  "require_message_authenticator" flag to "no" will allow
+	#  MITM attackers to create fake Access-Accept packets to the
+	#  NAS!  At least one of them MUST be set to "yes" for the
+	#  system to have any protection against the attack.
+	#
+	limit_proxy_state = yes
+
 @openssl_version_check_config@
 }
 
Index: freeradius-server-3.0.21/src/include/radiusd.h
===================================================================
--- freeradius-server-3.0.21.orig/src/include/radiusd.h
+++ freeradius-server-3.0.21/src/include/radiusd.h
@@ -171,6 +171,9 @@ typedef struct main_config {
 
 	bool		exiting;			//!< are we exiting?
 
+	bool		require_ma;			//!< global configuration for all clients and home servers
+
+	bool		limit_proxy_state;		//!< global configuration for all clients
 
 #ifdef ENABLE_OPENSSL_VERSION_CHECK
 	char const	*allow_vulnerable_openssl;	//!< The CVE number of the last security issue acknowledged.
Index: freeradius-server-3.0.21/src/main/mainconfig.c
===================================================================
--- freeradius-server-3.0.21.orig/src/main/mainconfig.c
+++ freeradius-server-3.0.21/src/main/mainconfig.c
@@ -160,6 +160,8 @@ static const CONF_PARSER security_config
 	{ "max_attributes",  FR_CONF_POINTER(PW_TYPE_INTEGER, &fr_max_attributes), STRINGIFY(0) },
 	{ "reject_delay",  FR_CONF_POINTER(PW_TYPE_TIMEVAL, &main_config.reject_delay), STRINGIFY(0) },
 	{ "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},
+	{ "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.require_ma), "yes"},
+	{ "limit_proxy_state", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.limit_proxy_state), "yes"},
 #ifdef ENABLE_OPENSSL_VERSION_CHECK
 	{ "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"},
 #endif
Index: freeradius-server-3.0.21/src/include/clients.h
===================================================================
--- freeradius-server-3.0.21.orig/src/include/clients.h
+++ freeradius-server-3.0.21/src/include/clients.h
@@ -39,7 +39,9 @@ typedef struct radclient {
 
 	char const		*secret;		//!< Secret PSK.
 
-	bool			message_authenticator;	//!< Require RADIUS message authenticator in requests.
+	bool			require_ma;		//!< Require RADIUS message authenticator in requests.
+
+	bool			limit_proxy_state;	//!< Limit Proxy-State in requests
 
 	char const		*nas_type;		//!< Type of client (arbitrary).
 
Index: freeradius-server-3.0.21/src/main/client.c
===================================================================
--- freeradius-server-3.0.21.orig/src/main/client.c
+++ freeradius-server-3.0.21/src/main/client.c
@@ -283,7 +283,8 @@ bool client_add(RADCLIENT_LIST *clients,
 		    (old->coa_server == client->coa_server) &&
 		    (old->coa_pool == client->coa_pool) &&
 #endif
-		    (old->message_authenticator == client->message_authenticator)) {
+		    (old->require_ma == client->require_ma) &&
+		    (old->limit_proxy_state == client->limit_proxy_state)) {
 			WARN("Ignoring duplicate client %s", client->longname);
 			client_free(client);
 			return true;
@@ -467,7 +468,8 @@ static const CONF_PARSER client_config[]
 
 	{ "src_ipaddr", FR_CONF_POINTER(PW_TYPE_STRING, &cl_srcipaddr), NULL },
 
-	{ "require_message_authenticator",  FR_CONF_OFFSET(PW_TYPE_BOOLEAN, RADCLIENT, message_authenticator), "no" },
+	{ "require_message_authenticator",  FR_CONF_OFFSET(PW_TYPE_BOOLEAN | PW_TYPE_IGNORE_DEFAULT, RADCLIENT, require_ma), NULL },
+	{ "limit_proxy_state",  FR_CONF_OFFSET(PW_TYPE_BOOLEAN | PW_TYPE_IGNORE_DEFAULT, RADCLIENT, limit_proxy_state), NULL },
 
 	{ "secret", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, RADCLIENT, secret), NULL },
 	{ "shortname", FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, shortname), NULL },
@@ -663,7 +665,7 @@ static const CONF_PARSER dynamic_config[
 	{ "FreeRADIUS-Client-Src-IP-Address", FR_CONF_OFFSET(PW_TYPE_IPV4_ADDR, RADCLIENT, src_ipaddr), NULL },
 	{ "FreeRADIUS-Client-Src-IPv6-Address", FR_CONF_OFFSET(PW_TYPE_IPV6_ADDR, RADCLIENT, src_ipaddr), NULL },
 
-	{ "FreeRADIUS-Client-Require-MA", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, RADCLIENT, message_authenticator), NULL },
+	{ "FreeRADIUS-Client-Require-MA", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, RADCLIENT, require_ma), NULL },
 
 	{ "FreeRADIUS-Client-Secret",  FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, secret), "" },
 	{ "FreeRADIUS-Client-Shortname",  FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, shortname), "" },
@@ -845,6 +847,15 @@ RADCLIENT *client_afrom_cs(TALLOC_CTX *c
 	c = talloc_zero(ctx, RADCLIENT);
 	c->cs = cs;
 
+	/*
+	 *	Set the "require message authenticator" and "limit
+	 *	proxy state" flags from the global default.  If the
+	 *	configuration item exists, AND is set, it will
+	 *	over-ride the flag.
+	 */
+	c->require_ma = main_config.require_ma;
+	c->limit_proxy_state = main_config.limit_proxy_state;
+
 	memset(&cl_ipaddr, 0, sizeof(cl_ipaddr));
 	cl_netmask = 255;
 
@@ -1158,7 +1169,7 @@ RADCLIENT *client_afrom_query(TALLOC_CTX
 	if (shortname) c->shortname = talloc_typed_strdup(c, shortname);
 	if (type) c->nas_type = talloc_typed_strdup(c, type);
 	if (server) c->server = talloc_typed_strdup(c, server);
-	c->message_authenticator = require_ma;
+	c->require_ma = require_ma;
 
 	return c;
 }
Index: freeradius-server-3.0.21/src/main/listen.c
===================================================================
--- freeradius-server-3.0.21.orig/src/main/listen.c
+++ freeradius-server-3.0.21/src/main/listen.c
@@ -1562,7 +1562,7 @@ static int auth_socket_recv(rad_listen_t
 	 *	Now that we've sanity checked everything, receive the
 	 *	packet.
 	 */
-	packet = rad_recv(ctx, listener->fd, client->message_authenticator);
+	packet = rad_recv(ctx, listener->fd, client->require_ma | (((int) client->limit_proxy_state) << 2));
 	if (!packet) {
 		FR_STATS_INC(auth, total_malformed_requests);
 		if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror());
@@ -1955,7 +1955,7 @@ static int coa_socket_recv(rad_listen_t
 	 *	Now that we've sanity checked everything, receive the
 	 *	packet.
 	 */
-	packet = rad_recv(ctx, listener->fd, client->message_authenticator);
+	packet = rad_recv(ctx, listener->fd, client->require_ma);
 	if (!packet) {
 		FR_STATS_INC(coa, total_malformed_requests);
 		if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror());
Index: freeradius-server-3.0.21/src/include/conffile.h
===================================================================
--- freeradius-server-3.0.21.orig/src/include/conffile.h
+++ freeradius-server-3.0.21/src/include/conffile.h
@@ -140,6 +140,7 @@ typedef struct timeval _timeval_t;
 #define PW_TYPE_MULTI		(1 << 18) //!< CONF_PAIR can have multiple copies.
 #define PW_TYPE_NOT_EMPTY	(1 << 19) //!< CONF_PAIR is required to have a non zero length value.
 #define PW_TYPE_FILE_EXISTS	((1 << 20) | PW_TYPE_STRING) //!< File matching value must exist
+#define PW_TYPE_IGNORE_DEFAULT	(1 << 21) //!< don't set from .dflt if the CONF_PAIR is missing
 /* @} **/
 
 #define FR_INTEGER_COND_CHECK(_name, _var, _cond, _new)\
Index: freeradius-server-3.0.21/src/main/conffile.c
===================================================================
--- freeradius-server-3.0.21.orig/src/main/conffile.c
+++ freeradius-server-3.0.21/src/main/conffile.c
@@ -1418,6 +1418,7 @@ int cf_item_parse(CONF_SECTION *cs, char
 {
 	int rcode;
 	bool deprecated, required, attribute, secret, file_input, cant_be_empty, tmpl, multi, file_exists;
+	bool ignore_dflt;
 	char **q;
 	char const *value;
 	CONF_PAIR *cp = NULL;
@@ -1441,6 +1442,7 @@ int cf_item_parse(CONF_SECTION *cs, char
 	cant_be_empty = (type & PW_TYPE_NOT_EMPTY);
 	tmpl = (type & PW_TYPE_TMPL);
 	multi = (type & PW_TYPE_MULTI);
+	ignore_dflt = (type & PW_TYPE_IGNORE_DEFAULT);
 
 	if (attribute) required = true;
 	if (required) cant_be_empty = true;	/* May want to review this in the future... */
@@ -1464,7 +1466,7 @@ int cf_item_parse(CONF_SECTION *cs, char
 	 *	section, use the default value.
 	 */
 	if (!cp) {
-		if (deprecated) return 0;	/* Don't set the default value */
+		if (deprecated || ignore_dflt) return 0;	/* Don't set the default value */
 
 		rcode = 1;
 		value = dflt;
Index: freeradius-server-3.0.21/raddb/clients.conf
===================================================================
--- freeradius-server-3.0.21.orig/raddb/clients.conf
+++ freeradius-server-3.0.21/raddb/clients.conf
@@ -100,15 +100,30 @@ client localhost {
 	secret = testing123
 
 	#
-	#  Old-style clients do not send a Message-Authenticator
-	#  in an Access-Request.  RFC 5080 suggests that all clients
-	#  SHOULD include it in an Access-Request.  The configuration
-	#  item below allows the server to require it.  If a client
-	#  is required to include a Message-Authenticator and it does
-	#  not, then the packet will be silently discarded.
+	#  The global configuration "security.require_message_authenticator"
+	#  flag sets the default for all clients.  That default can be
+	#  over-ridden here, by setting it to "no".
+	#
+	#  This flag exists solely for legacy clients which do not send
+	#  Message-Authenticator in all Access-Request packets.  We do not
+	#  recommend setting it to "no".
+	#
+	#  allowed values: yes, no
+	#
+#	require_message_authenticator = yes
+
+	#
+	#  The global configuration "security.limit_proxy_state"
+	#  flag sets the default for all clients.  That default can be
+	#  over-ridden here, by setting it to "no".
+	#
+	#  This flag exists solely for legacy clients which do not send
+	#  Message-Authenticator in all Access-Request packets.  We do not
+	#  recommend setting it to "no".
 	#
 	#  allowed values: yes, no
-	require_message_authenticator = no
+	#
+#      limit_proxy_state = yes
 
 	#
 	#  The short name is used as an alias for the fully qualified
Index: freeradius-server-3.0.21/src/include/libradius.h
===================================================================
--- freeradius-server-3.0.21.orig/src/include/libradius.h
+++ freeradius-server-3.0.21/src/include/libradius.h
@@ -404,6 +404,7 @@ typedef struct radius_packet {
 	size_t			partial;
 	int			proto;
 #endif
+	bool			tls;		//!< uses secure transport
 } RADIUS_PACKET;
 
 typedef enum {
@@ -509,6 +510,11 @@ DICT_VENDOR	*dict_vendorbyvalue(int vend
 /* radius.c */
 int		rad_send(RADIUS_PACKET *, RADIUS_PACKET const *, char const *secret);
 bool		rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason);
+/*
+ *     1 == require_ma
+ *     2 == msg_peek
+ *     3 == limit_proxy_state
+ */
 RADIUS_PACKET	*rad_recv(TALLOC_CTX *ctx, int fd, int flags);
 ssize_t rad_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port, int *code);
 void		rad_recv_discard(int sockfd);
Index: freeradius-server-3.0.21/src/main/tls_listen.c
===================================================================
--- freeradius-server-3.0.21.orig/src/main/tls_listen.c
+++ freeradius-server-3.0.21/src/main/tls_listen.c
@@ -299,6 +299,8 @@ get_application_data:
 	packet->vps = NULL;
 	PTHREAD_MUTEX_UNLOCK(&sock->mutex);
 
+	packet->tls = true;
+
 	if (!rad_packet_ok(packet, 0, NULL)) {
 		if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror());
 		DEBUG("Closing TLS socket from client");
@@ -713,6 +715,8 @@ int proxy_tls_recv(rad_listen_t *listene
 	memcpy(packet->data, data, packet->data_len);
 	memcpy(packet->vector, packet->data + 4, 16);
 
+    packet->tls = true;
+
 	/*
 	 *	FIXME: Client MIB updates?
 	 */
@@ -765,6 +769,7 @@ int proxy_tls_send(rad_listen_t *listene
 	 *	if there's no packet, encode it here.
 	 */
 	if (!request->proxy->data) {
+		request->reply->tls = true;
 		request->proxy_listener->encode(request->proxy_listener,
 						request);
 	}
Index: freeradius-server-3.0.21/src/lib/radius.c
===================================================================
--- freeradius-server-3.0.21.orig/src/lib/radius.c
+++ freeradius-server-3.0.21/src/lib/radius.c
@@ -1712,6 +1712,7 @@ int rad_encode(RADIUS_PACKET *packet, RA
 	uint16_t		total_length;
 	int			len;
 	VALUE_PAIR const	*reply;
+	bool			seen_ma = false;
 
 	/*
 	 *	A 4K packet, aligned on 64-bits.
@@ -1776,6 +1777,27 @@ int rad_encode(RADIUS_PACKET *packet, RA
 	 */
 
 	/*
+	 *      Always add Message-Authenticator for replies to
+	 *      Access-Request packets.
+	 *
+	 *      It must be the FIRST attribute in the packet.
+	 */
+	if (!packet->tls &&
+	    ((original && (original->code == PW_CODE_ACCESS_REQUEST)) ||
+	     (packet->code == PW_CODE_ACCESS_REQUEST))) {
+	        seen_ma = true;
+	
+	        packet->offset = RADIUS_HDR_LEN;
+	
+	        ptr[0] = PW_MESSAGE_AUTHENTICATOR;
+	        ptr[1] = 18;
+	        memset(ptr + 2, 0, 16);
+	
+	        ptr += 18;
+	        total_length += 18;
+	}
+
+	/*
 	 *	Loop over the reply attributes for the packet.
 	 */
 	reply = packet->vps;
@@ -1832,6 +1854,11 @@ int rad_encode(RADIUS_PACKET *packet, RA
 		 *	length and initial value.
 		 */
 		if (!reply->da->vendor && (reply->da->attr == PW_MESSAGE_AUTHENTICATOR)) {
+			// don't encode Message-Authenticator twice
+			if (seen_ma) {
+			    reply = reply->next;
+			    continue;
+			}
 			if (room < 18) break;
 
 			/*
@@ -2323,6 +2350,8 @@ bool rad_packet_ok(RADIUS_PACKET *packet
 	radius_packet_t		*hdr;
 	char			host_ipaddr[128];
 	bool			require_ma = false;
+	bool			limit_proxy_state = false;
+	bool			seen_proxy_state = false;
 	bool			seen_ma = false;
 	uint32_t		num_attributes;
 	decode_fail_t		failure = DECODE_FAIL_NONE;
@@ -2373,13 +2402,14 @@ bool rad_packet_ok(RADIUS_PACKET *packet
 	/*
 	 *	Message-Authenticator is required in Status-Server
 	 *	packets, otherwise they can be trivially forged.
-	 */
-	if (hdr->code == PW_CODE_STATUS_SERVER) require_ma = true;
-
-	/*
+	 *
 	 *	It's also required if the caller asks for it.
+	 *
+	 *	We only limit Proxy-State if we're not requiring
+	 *	Message-Authenticator.
 	 */
-	if (flags) require_ma = true;
+	require_ma = ((flags & 0x01) != 0) || (hdr->code == PW_CODE_STATUS_SERVER);
+	limit_proxy_state = ((flags & 0x04) != 0) & !require_ma;
 
 	/*
 	 *	Repeat the length checks.  This time, instead of
@@ -2542,6 +2572,10 @@ bool rad_packet_ok(RADIUS_PACKET *packet
 			non_eap = true;
 			break;
 
+		case PW_PROXY_STATE:
+			seen_proxy_state = true;
+			break;
+
 		case PW_MESSAGE_AUTHENTICATOR:
 			if (attr[1] != 2 + AUTH_VECTOR_LEN) {
 				FR_DEBUG_STRERROR_PRINTF("Malformed RADIUS packet from host %s: Message-Authenticator has invalid length %d",
@@ -2613,6 +2647,18 @@ bool rad_packet_ok(RADIUS_PACKET *packet
 			   inet_ntop(packet->src_ipaddr.af,
 				     &packet->src_ipaddr.ipaddr,
 				     host_ipaddr, sizeof(host_ipaddr)));
+		failure = DECODE_FAIL_MA_MISSING;
+		goto finish;
+	}
+
+	/*
+	 *	The client is a NAS which shouldn't send Proxy-State, but it did!
+	 */
+	if (limit_proxy_state && seen_proxy_state && !seen_ma) {
+		FR_DEBUG_STRERROR_PRINTF("Insecure packet from host %s:  Packet does not contain required Message-Authenticator attribute, but still has one or more Proxy-State attributes",
+			   inet_ntop(packet->src_ipaddr.af,
+				     &packet->src_ipaddr.ipaddr,
+				     host_ipaddr, sizeof(host_ipaddr)));
 		failure = DECODE_FAIL_MA_MISSING;
 		goto finish;
 	}
Index: freeradius-server-3.0.21/raddb/proxy.conf
===================================================================
--- freeradius-server-3.0.21.orig/raddb/proxy.conf
+++ freeradius-server-3.0.21/raddb/proxy.conf
@@ -204,6 +204,20 @@ home_server localhost {
 	#
 	secret = testing123
 
+	#  The global configuration "security.require_message_authenticator"
+	#  flag sets the default for all home servers.  That default can be
+	#  over-ridden here, by setting it to "no".
+	#
+	#  This flag exists solely for legacy home servers which do
+	#  not send Message-Authenticator in all Access-Accept,
+	#  Access-Reject, or Access-Challenge packets.  We do not
+	#  recommend setting it to "no".
+	#
+	#  allowed values: yes, no
+	#
+	#require_message_authenticator = no
+
+
 	############################################################
 	#
 	#  The rest of the configuration items listed here are optional,
Index: freeradius-server-3.0.21/src/include/realms.h
===================================================================
--- freeradius-server-3.0.21.orig/src/include/realms.h
+++ freeradius-server-3.0.21/src/include/realms.h
@@ -59,6 +59,8 @@ typedef struct home_server {
 							//!< stats or when specifying home servers for a pool.
 
 	bool			dual;			//!< One of a pair of homeservers on consecutive ports.
+	bool			require_ma;		//!< for all replies to Access-Request and Status-Server
+
 	char const		*server;		//!< For internal proxying
 	char const		*parent_server;
 
Index: freeradius-server-3.0.21/src/main/process.c
===================================================================
--- freeradius-server-3.0.21.orig/src/main/process.c
+++ freeradius-server-3.0.21/src/main/process.c
@@ -2598,11 +2598,32 @@ int request_proxy_reply(RADIUS_PACKET *p
 	 *	ignore it.  This does the MD5 calculations in the
 	 *	server core, but I guess we can fix that later.
 	 */
-	if (!request->proxy_reply &&
-	    (rad_verify(packet, request->proxy,
-			request->home_server->secret) != 0)) {
-		DEBUG("Ignoring spoofed proxy reply.  Signature is invalid");
-		return 0;
+	if (!request->proxy_reply) {
+		decode_fail_t reason;
+		
+		/*
+		 *      If the home server configuration requires a Message-Authenticator, then set the flag,
+		 *      but only if the proxied packet is Access-Request or Status-Sercer.
+		 *
+		 *      The realms.c file already clears require_ma for TLS connections.
+		 */
+		bool require_ma = request->home_server->require_ma && (request->proxy->code == PW_CODE_ACCESS_REQUEST);
+
+		if (!request->home_server) {
+			proxy_reply_too_late(request);
+			return 0;
+		}
+ 
+		if (!rad_packet_ok(packet, require_ma, &reason)) {
+			DEBUG("Ignoring invalid packet - %s", fr_strerror());
+			return 0;
+		}
+
+		if (rad_verify(packet, request->proxy,
+			       request->home_server->secret) != 0) {
+			DEBUG("Ignoring spoofed proxy reply.  Signature is invalid");
+			return 0;
+		}
 	}
 
 	/*
Index: freeradius-server-3.0.21/src/main/realms.c
===================================================================
--- freeradius-server-3.0.21.orig/src/main/realms.c
+++ freeradius-server-3.0.21/src/main/realms.c
@@ -367,6 +367,7 @@ static CONF_PARSER home_server_coa[] = {
 #endif
 
 static CONF_PARSER home_server_config[] = {
+	{ "require_message_authenticator", FR_CONF_OFFSET(PW_TYPE_BOOLEAN | PW_TYPE_IGNORE_DEFAULT, home_server_t, require_ma), NULL },
 	{ "ipaddr", FR_CONF_OFFSET(PW_TYPE_COMBO_IP_ADDR, home_server_t, ipaddr), NULL },
 	{ "ipv4addr", FR_CONF_OFFSET(PW_TYPE_IPV4_ADDR, home_server_t, ipaddr), NULL },
 	{ "ipv6addr", FR_CONF_OFFSET(PW_TYPE_IPV6_ADDR, home_server_t, ipaddr), NULL },
@@ -640,6 +641,7 @@ home_server_t *home_server_afrom_cs(TALL
 	home->cs = cs;
 	home->state = HOME_STATE_UNKNOWN;
 	home->proto = IPPROTO_UDP;
+	home->require_ma = main_config.require_ma;
 
 	/*
 	 *	Parse the configuration into the home server
@@ -924,6 +926,11 @@ home_server_t *home_server_afrom_cs(TALL
 		 *	Parse the SSL client configuration.
 		 */
 		if (tls) {
+			/*
+			 *	We don't require this for TLS connections.
+			 */
+			home->require_ma = false;
+
 			home->tls = tls_client_conf_parse(tls);
 			if (!home->tls) {
 				goto error;
Index: freeradius-server-3.0.21/man/man1/radclient.1
===================================================================
--- freeradius-server-3.0.21.orig/man/man1/radclient.1
+++ freeradius-server-3.0.21/man/man1/radclient.1
@@ -5,6 +5,7 @@ radclient - send packets to a RADIUS ser
 .B radclient
 .RB [ \-4 ]
 .RB [ \-6 ]
+.RB [ \-b ]
 .RB [ \-c
 .IR count ]
 .RB [ \-d
@@ -52,6 +53,13 @@ automatically encrypted before the packe
 Use IPv4 (default)
 .IP \-6
 Use IPv6
+.IP \-b
+Enforce the Blast RADIUS checks.  All replies to an Access-Request packet
+must contain a Message-Authenticator as the first attribute.
+
+For compatibility with old servers, this flag is not set by default.
+However, radclient still checks for the Blast RADIUS signature, and
+discards packets which match the attack.
 .IP \-c\ \fIcount\fP
 Send each packet \fIcount\fP times.
 .IP \-d\ \fIraddb_directory\fP
Index: freeradius-server-3.0.21/src/main/radclient.c
===================================================================
--- freeradius-server-3.0.21.orig/src/main/radclient.c
+++ freeradius-server-3.0.21/src/main/radclient.c
@@ -54,6 +54,7 @@ static fr_ipaddr_t server_ipaddr;
 static int resend_count = 1;
 static bool done = true;
 static bool print_filename = false;
+static bool blast_radius = false;
 
 static fr_ipaddr_t client_ipaddr;
 static uint16_t client_port = 0;
@@ -89,6 +90,7 @@ static void NEVER_RETURNS usage(void)
 	fprintf(stderr, "  <command>              One of auth, acct, status, coa, disconnect or auto.\n");
 	fprintf(stderr, "  -4                     Use IPv4 address of server\n");
 	fprintf(stderr, "  -6                     Use IPv6 address of server.\n");
+	fprintf(stderr, "  -b                     Mandate checks for Blast RADIUS issue (this is not set by default).\n");
 	fprintf(stderr, "  -c <count>             Send each packet 'count' times.\n");
 	fprintf(stderr, "  -d <raddb>             Set user dictionary directory (defaults to " RADDBDIR ").\n");
 	fprintf(stderr, "  -D <dictdir>           Set main dictionary directory (defaults to " DICTDIR ").\n");
@@ -1001,6 +1003,131 @@ static int send_one_packet(rc_request_t
 }
 
 /*
+ *     Do Blast RADIUS checks.
+ *
+ *     The request is an Access-Request, and does NOT contain Proxy-State.
+ *
+ *     The reply is a raw packet, and is NOT yet decoded.
+ */
+static int blast_radius_check(rc_request_t *request, RADIUS_PACKET *reply)
+{
+	uint8_t *attr, *end;
+	VALUE_PAIR *vp;
+	bool have_message_authenticator = false;
+ 
+	/*
+	*      We've received a raw packet.  Nothing has (as of yet) checked
+	*      anything in it other than the length, and that it's a
+	*      well-formed RADIUS packet.
+	*/
+	switch (reply->data[0]) {
+	case PW_CODE_ACCESS_ACCEPT:
+	case PW_CODE_ACCESS_REJECT:
+	case PW_CODE_ACCESS_CHALLENGE:
+	       if (reply->data[1] != request->packet->id) {
+		       ERROR("Invalid reply ID %d to Access-Request ID %d", reply->data[1], request->packet->id);
+		       return -1;
+	       }
+	       break;
+ 
+	default:
+	       ERROR("Invalid reply code %d to Access-Request", reply->data[0]);
+	       return -1;
+	}
+ 
+	/*
+	*      If the reply has a Message-Authenticator, then it MIGHT be fine.
+	*/
+	attr = reply->data + 20;
+	end = reply->data + reply->data_len;
+ 
+	/*
+	*      It should be the first attribute, so we warn if it isn't there.
+	*
+	*      But it's not a fatal error.
+	*/
+	if (blast_radius && (attr[0] != PW_MESSAGE_AUTHENTICATOR)) {
+	       RDEBUG("WARNING The %s reply packet does not have Message-Authenticator as the first attribute.	The packet may be vulnerable to Blast RADIUS attacks.",
+		      fr_packet_codes[reply->data[0]]);
+	}
+ 
+	/*
+	*      Set up for Proxy-State checks.
+	*
+	*      If we see a Proxy-State in the reply which we didn't send, then it's a Blast RADIUS attack.
+	*/
+	vp = fr_pair_find_by_num(request->packet->vps, PW_PROXY_STATE, 0, TAG_ANY);
+ 
+	while (attr < end) {
+	       /*
+		*      Blast RADIUS work-arounds require that
+		*      Message-Authenticator is the first attribute in the
+		*      reply.  Note that we don't check for it being the
+		*      first attribute, but simply that it exists.
+		*
+		*      That check is a balance between securing the reply
+		*      packet from attacks, and not violating the RFCs which
+		*      say that there is no order to attributes in the
+		*      packet.
+		*
+		*      However, no matter the status of the '-b' flag we
+		*      still can check for the signature of the attack, and
+		*      discard packets which are suspicious.  This behavior
+		*      protects radclient from the attack, without mandating
+		*      new behavior on the server side.
+		*
+		*      Note that we don't set the '-b' flag by default.
+		*      radclient is intended for testing / debugging, and is
+		*      not intended to be used as part of a secure login /
+		*      user checking system.
+		*/
+	       if (attr[0] == PW_MESSAGE_AUTHENTICATOR) {
+		       have_message_authenticator = true;
+		       goto next;
+	       }
+ 
+	       /*
+		*      If there are Proxy-State attributes in the reply, they must
+		*      match EXACTLY the Proxy-State attributes in the request.
+		*
+		*      Note that we don't care if there are more Proxy-States
+		*      in the request than in the reply.  The Blast RADIUS
+		*      issue requires _adding_ Proxy-State attributes, and
+		*      cannot work when the server _deletes_ Proxy-State
+		*      attributes.
+		*/
+	       if (attr[0] == PW_PROXY_STATE) {
+		       if (!vp || (vp->length != (size_t) (attr[1] - 2)) || (memcmp(vp->vp_octets, attr + 2, vp->length) != 0)) {
+			       ERROR("Invalid reply to Access-Request ID %d - Discarding packet due to Blast RADIUS attack being detected.", request->packet->id);
+			       ERROR("We received a Proxy-State in the reply which we did not send, or which is different from what we sent.");
+			       return -1;
+		       }
+ 
+		       vp = fr_pair_find_by_num(vp->next, PW_PROXY_STATE, 0, TAG_ANY);
+	       }
+ 
+	next:
+	       attr += attr[1];
+	}
+ 
+	/*
+	*      If "-b" is set, then we require Message-Authenticator in the reply.
+	*/
+	if (blast_radius && !have_message_authenticator) {
+	       ERROR("The %s reply packet does not contain Message-Authenticator - discarding packet due to Blast RADIUS checks.",
+		     fr_packet_codes[reply->data[0]]);
+	       return -1;
+	}
+ 
+	/*
+	*      The packet doesn't look like it's a Blast RADIUS attack.  The
+	*      caller will now verify the packet signature.
+	*/
+	return 0;
+}
+
+
+/*
  *	Receive one packet, maybe.
  */
 static int recv_one_packet(int wait_time)
@@ -1052,6 +1179,20 @@ static int recv_one_packet(int wait_time
 	request = fr_packet2myptr(rc_request_t, packet, packet_p);
 
 	/*
+	 *	We want radclient to be able to send any packet, including
+	 *	imperfect ones.  However, we do NOT want to be vulnerable to
+	 *	the "Blast RADIUS" issue.  Instead of adding command-line
+	 *	flags to enable/disable similar flags to what the server
+	 *	sends, we just do a few more smart checks to double-check
+	 *	things.
+	 */
+	if ((request->packet->code == PW_CODE_ACCESS_REQUEST) &&
+	    blast_radius_check(request, reply) < 0) {
+		rad_free(&reply);
+		return -1;
+	}
+ 
+	/*
 	 *	Fails the signature validation: not a real reply.
 	 *	FIXME: Silently drop it and listen for another packet.
 	 */
@@ -1183,7 +1324,7 @@ int main(int argc, char **argv)
 		exit(1);
 	}
 
-	while ((c = getopt(argc, argv, "46c:d:D:f:Fhn:p:qr:sS:t:vx"
+	while ((c = getopt(argc, argv, "46bc:d:D:f:Fhn:p:qr:sS:t:vx"
 #ifdef WITH_TCP
 		"P:"
 #endif
@@ -1196,6 +1337,10 @@ int main(int argc, char **argv)
 			force_af = AF_INET6;
 			break;
 
+		case 'b':
+			blast_radius = true;
+			break;
+
 		case 'c':
 			if (!isdigit((int) *optarg))
 				usage();

Places

File CVE-2024-3596.patch of Package freeradius-server

Places