Bug 2183447
| Summary: | Crash when verifying a client certificate | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | freeradius | Assignee: | Antonio Torres <antorres> |
| Status: | CLOSED ERRATA | QA Contact: | Michal Polovka <mpolovka> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 9.1 | CC: | aland, antorres, frenaud, nikolai.kondrashov, vogt |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | freeradius-3.0.21-38.el9 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-11-07 08:33:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
See the v3.0.x branch. All uses of cert_attr_names[FR_TLS_ISSUER][lookup] are protected by a check: if (lookup <= 1) ... Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (freeradius bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:6443 |
Description of problem: We have a customer encountering a crash of radiusd when `cbtls_verity()` executes: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- (gdb) f 6 #6 0x000055ce87cc8992 in cbtls_verify (ok=1, ctx=0x55ce894cb7b0) at src/main/tls.c:3007 3007 RDEBUG2("(TLS) Creating attributes from %s certificate", cert_names[lookup]); (gdb) p err $1 = 0 (gdb) p depth $2 = 3 (gdb) p lookup $3 = 3 (gdb) p cert_names $4 = {0x55ce87cda04f "client", 0x55ce87cd5871 "server"} -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- Here above, we can see that "lookup" is out of range, it should be only 0 or 1, but is 3 here. "lookup" is initially set to "depth" variable, which doesn't make sense to me since there was no error with the certificate: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- 2936 int cbtls_verify(int ok, X509_STORE_CTX *ctx) 2937 { : 2970 client_cert = X509_STORE_CTX_get_current_cert(ctx); 2971 err = X509_STORE_CTX_get_error(ctx); 2972 depth = X509_STORE_CTX_get_error_depth(ctx); 2973 2974 HERE>> lookup = depth; 2975 2976 /* 2977 * Log client/issuing cert. If there's an error, log 2978 * issuing cert. 2979 */ 2980 if ((lookup > 1) && !my_ok) lookup = 1; -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- I don't understand the logic behind setting "lookup" to "depth" at all, IMHO it should be set to 0 (since it's a client cert here). Upstream v3.0.x branch has exact same code (which disappeared with more recent branches). Version-Release number of selected component (if applicable): freeradius-3.0.21-34.el9 How reproducible: Always on customer system when doing when doing EAP-TLS Additional info: Coredump available in initial customer case if needed.