-rw-r--r-- | ChangeLog | 11
-rw-r--r-- | README | 2
-rw-r--r-- | configure.ac | 2
-rw-r--r-- | dtls.c | 4
-rw-r--r-- | radsecproxy.conf.5.xml | 19
5 files changed, 29 insertions, 9 deletions
@@ -1,8 +1,15 @@ -2012-09-14 1.6.1-dev +2012-10-25 1.6.2 + Bug fixes (security): + - Fix the issue with verification of clients when using multiple + 'tls' config blocks (RADSECPROXY-43) for DTLS too. Fixes + CVE-2012-4523. Reported by Raphael Geissert. + +2012-09-14 1.6.1 Bug fixes (security): - When verifying clients, don't consider config blocks with CA settings ('tls') which differ from the one used for verifying the - certificate chain. Reported by Ralf Paffrath. (RADSECPROXY-43) + certificate chain. Reported by Ralf Paffrath. (RADSECPROXY-43, + CVE-2012-4523). Bug fixes: - Make naptr-eduroam.sh check NAPTR type case insensitively. @@ -1,4 +1,4 @@ -This is unreleased radsecproxy 1.6.1-dev. +This is unreleased radsecproxy 1.7-dev. radsecproxy is a generic RADIUS proxy that supports both UDP and TLS (RadSec) RADIUS transports. There is also experimental support for diff --git a/configure.ac b/configure.ac index 4326ecc..e5df020 100644 --- a/configure.ac +++ b/configure.ac @@ -2,7 +2,7 @@ dnl Copyright (c) 2006-2010, UNINETT AS dnl Copyright (c) 2010-2012, NORDUnet A/S dnl See LICENSE for licensing information. -AC_INIT(radsecproxy, 1.6.1-dev, radsecproxy@uninett.no) +AC_INIT(radsecproxy, 1.7-dev, radsecproxy@uninett.no) AC_CANONICAL_TARGET AM_INIT_AUTOMAKE AC_PROG_CC @@ -350,6 +350,7 @@ void *dtlsservernew(void *arg) { X509 *cert = NULL; SSL_CTX *ctx = NULL; uint8_t delay = 60; + struct tls *accepted_tls = NULL; debug(DBG_DBG, "dtlsservernew: starting"); conf = find_clconf(handle, (struct sockaddr *)¶ms->addr, NULL); @@ -363,10 +364,11 @@ void *dtlsservernew(void *arg) { cert = verifytlscert(ssl); if (!cert) goto exit; + accepted_tls = conf->tlsconf; } while (conf) { - if (verifyconfcert(cert, conf)) { + if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) { X509_free(cert); client = addclient(conf, 1); if (client) { diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml index 44ea1c7..0c713ea 100644 --- a/radsecproxy.conf.5.xml 
+++ b/radsecproxy.conf.5.xml @@ -2,14 +2,14 @@ "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> <refentry> <refentryinfo> - <date>2012-05-23</date> + <date>2012-10-25</date> </refentryinfo> <refmeta> <refentrytitle> <application>radsecproxy.conf</application> </refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo>radsecproxy 1.6.1-dev</refmiscinfo> + <refmiscinfo>radsecproxy 1.7-dev</refmiscinfo> </refmeta> <refnamediv> <refname> @@ -531,8 +531,10 @@ blocktype name { <literal>secret</literal> is the shared RADIUS key used with this client. If the secret contains whitespace, the value must be quoted. This option is optional for TLS/DTLS and if omitted - will default to "mysecret". Note that the default value of - <literal>secret</literal> will change in an upcoming release. + will default to "radsec". (Note that using a secret other than + "radsec" for TLS is a violation of the standard (RFC 6614) and + that the proposed standard for DTLS stipulates that the secret + must be "radius/dtls".) </para> <para> For a TLS/DTLS client you may also specify the @@ -544,6 +546,15 @@ blocktype name { <literal>default</literal>. If the specified TLS block name does not exist, or the option is not specified and none of the defaults exist, the proxy will exit with an error. + + NOTE: All versions of radsecproxy up to and including 1.6 + erroneously verify client certificate chains using the CA in the + very first matching client block regardless of which block is + used for the final decision. This was changed in version 1.6.1 + so that a client block with a different <literal>tls</literal> + option than the first matching client block is no longer + considered for verification of clients. + </para> <para> For a TLS/DTLS client, the option |
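Review bot: in the ChangeLog hunk, the amended 1.6.1 entry now reads "(RADSECPROXY-43, CVE-2012-4523)" with no hint that the fix was incomplete, while the new 1.6.2 entry attributes the same CVE to the DTLS fix, so a reader checking whether 1.6.1 addresses CVE-2012-4523 will conclude that it does. Suggest stating in the 1.6.1 entry that the fix covered TLS only, or wording the 1.6.2 entry as "Fix the issue ... for DTLS too (TLS was fixed in 1.6.1)", so the two entries together make the scope of each release clear.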
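Review bot: the new condition `accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)` in the second dtlsservernew hunk compares `struct tls` pointers, so the DTLS fix relies on every client block naming the same `tls` block sharing one `tlsconf` object, and on the `goto exit` after a failed `verifytlscert` guaranteeing that the `while (conf)` loop is never entered with `accepted_tls` still NULL from the declaration in the first hunk; neither assumption is stated in the code. Suggest a one-line comment at `accepted_tls = conf->tlsconf;` saying that only client blocks using the CA settings that actually verified the chain may accept this client, mirroring the TLS-side fix for RADSECPROXY-43, so the next reader does not "simplify" the pointer test away.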
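Review bot: the radsecproxy.conf.5.xml hunk for `secret` changes the documented default from "mysecret" to "radsec", but the diffstat lists no source file other than dtls.c, whose hunks touch only certificate verification, and the ChangeLog hunk does not mention a default-secret change; either the configuration code already defaults to "radsec" from a separate commit, or the man page now describes behaviour the proxy does not have. Suggest confirming the code default before merging and, if it changed in this release, adding a ChangeLog line for it. Minor: the nested parentheses in "(Note that ... (RFC 6614) ...)" read awkwardly; dropping the outer pair is enough.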
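Review bot: the added NOTE paragraph in the `tls` option hunk says the CA-selection bug "was changed in version 1.6.1", but the ChangeLog hunk in this same commit records that the DTLS side was only fixed in 1.6.2, so as written the man page tells DTLS users that 1.6.1 is sufficient. Suggest "This was changed in version 1.6.1 for TLS and in 1.6.2 for DTLS". Style: DocBook has a <note> element; emitting a literal "NOTE:" inside the existing <para> loses that markup and the blank lines around it render as nothing.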