authorNatanael Copa <ncopa@alpinelinux.org>2015-07-07 14:48:41 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2015-07-07 14:49:00 +0000
commit1314c0d82fee33213ea17cc7805bdf3a60efac78 (patch)
treef8027d966b1d374e3c94c81f5aab8d59497c1148 /main/freeradius/CVE-2015-4680.patch
parent9b06e4bb86d3151e0d69b6b5ddf6b554e215581a (diff)
main/freeradius: security fix for CVE-2015-4680
ref #4377
Diffstat (limited to 'main/freeradius/CVE-2015-4680.patch')
-rw-r--r--main/freeradius/CVE-2015-4680.patch79
1 files changed, 79 insertions, 0 deletions
diff --git a/main/freeradius/CVE-2015-4680.patch b/main/freeradius/CVE-2015-4680.patch
new file mode 100644
index 0000000000..ade38c9ee7
--- /dev/null
+++ b/main/freeradius/CVE-2015-4680.patch
@@ -0,0 +1,79 @@
+From 874b39451702338389260edbfc52b381b20352ec Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Mon, 22 Jun 2015 15:27:10 -0400
+Subject: [PATCH] Set X509_V_FLAG_CRL_CHECK_ALL
+
+---
+ raddb/mods-available/eap | 6 +++++-
+ src/include/tls-h | 1 +
+ src/main/tls.c | 12 ++++++++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 165971a..10026ec 100644
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -269,9 +269,13 @@ eap {
+ # 1) Copy CA certificates and CRLs to same directory.
+ # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
+ # 'c_rehash' is OpenSSL's command.
+- # 3) uncomment the line below.
++ # 3) uncomment the lines below.
+ # 5) Restart radiusd
+ # check_crl = yes
++
++ # Check if intermediate CAs have been revoked.
++ # check_all_crl = yes
++
+ ca_path = ${cadir}
+
+ #
+diff --git a/src/include/tls-h b/src/include/tls-h
+index 9fdc775..a41c6f5 100644
+--- a/src/include/tls-h
++++ b/src/include/tls-h
+@@ -347,6 +347,7 @@ struct fr_tls_server_conf_t {
+ */
+ uint32_t fragment_size;
+ bool check_crl;
++ bool check_all_crl;
+ bool allow_expired_crl;
+ char const *check_cert_cn;
+ char const *cipher_list;
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 692651f..9df48b4 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -999,6 +999,9 @@ static CONF_PARSER tls_server_config[] = {
+ { "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, fragment_size), "1024" },
+ { "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, include_length), "yes" },
+ { "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_crl), "no" },
++#ifdef X509_V_FLAG_CRL_CHECK_ALL
++ { "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_all_crl), "no" },
++#endif
+ { "allow_expired_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, allow_expired_crl), NULL },
+ { "check_cert_cn", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, check_cert_cn), NULL },
+ { "cipher_list", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, cipher_list), NULL },
+@@ -2104,6 +2107,10 @@ static X509_STORE *init_revocation_store(fr_tls_server_conf_t *conf)
+ if (conf->check_crl)
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
+ #endif
++#ifdef X509_V_FLAG_CRL_CHECK_ALL
++ if (conf->check_all_crl)
++ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
++#endif
+ return store;
+ }
+ #endif /* HAVE_OPENSSL_OCSP_H */
+@@ -2591,6 +2598,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client)
+ return NULL;
+ }
+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
++
++#ifdef X509_V_FLAG_CRL_CHECK_ALL
++ if (conf->check_all_crl)
++ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK_ALL);
++#endif
+ }
+ #endif
+
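Review bot: The intermediate-CA revocation check this patch introduces is opt-in: the added `{ "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_all_crl), "no" }` entry defaults to "no", and the two new `X509_STORE_set_flags(..., X509_V_FLAG_CRL_CHECK_ALL)` calls in init_revocation_store and tls_init_ctx only run when that option is set, so a package upgrade alone leaves existing deployments with `check_crl = yes` checking only the leaf certificate's CRL. That deserves a line in the commit message or an APKBUILD post-upgrade note telling operators to add `check_all_crl = yes` next to `check_crl = yes` in mods-available/eap. Also, the `bool check_all_crl;` field in tls-h is added unconditionally while the CONF_PARSER entry and both flag calls sit under `#ifdef X509_V_FLAG_CRL_CHECK_ALL`, so on an OpenSSL build lacking that flag the option presumably parses as unknown rather than failing loudly — worth confirming how cf_section_parse treats it, since an operator could set it and believe intermediate CAs are being checked. Both enclosing functions (init_revocation_store and tls_init_ctx) start outside the quoted hunks, as does the `if (conf->check_crl)` block the tls_init_ctx hunk appears to sit in.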