freeradius3: fix CVE-2017-9148
1 Description: disable session caching in the server (as opposed to in the
2 config, which would be way harder to get right) to address
3 https://security-tracker.debian.org/tracker/CVE-2017-9148
4 Author: Michael Stapelberg <stapelberg@debian.org>
5 Forwarded: not-needed
6 Last-Update: 2017-05-30
8 ---
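--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -369,7 +369,7 @@ tls_session_t *tls_new_session(TALLOC_CT
 *
 * FIXME: Also do it every N sessions?
 */
- if (conf->session_cache_enable &&
+ if (/*conf->session_cache_enable*/0 &&
 ((conf->session_last_flushed + ((int)conf->session_timeout * 1800)) <= request->timestamp)){
 RDEBUG2("Flushing SSL sessions (of #%ld)", SSL_CTX_sess_number(conf->ctx));
 
@@ -463,7 +463,7 @@ tls_session_t *tls_new_session(TALLOC_CT
 state->mtu = vp->vp_integer;
 }
 
- if (conf->session_cache_enable) state->allow_session_resumption = true; /* otherwise it's false */
+ if (/*conf->session_cache_enable*/0) state->allow_session_resumption = true; /* otherwise it's false */
 
 return state;
 }
@@ -2675,7 +2675,7 @@ post_ca:
 /*
 * Callbacks, etc. for session resumption.
 */
- if (conf->session_cache_enable) {
+ if (/*conf->session_cache_enable*/0) {
 /*
 * Cache sessions on disk if requested.
 */
@@ -2745,7 +2745,7 @@ post_ca:
 /*
 * Setup session caching
 */
- if (conf->session_cache_enable) {
+ if (/*conf->session_cache_enable*/0) {
 /*
 * Create a unique context Id per EAP-TLS configuration.
 */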
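Review bot: The four `if (/*conf->session_cache_enable*/0` guards (two in `tls_new_session`, two after `post_ca:`) make the server ignore `session_cache_enable` without telling the administrator, and any read of the flag outside these hunks would still see the configured value. Clearing the flag once after the TLS configuration is parsed would cover every reader and leave a log trace, for example `if (conf->session_cache_enable) { WARN("tls: session cache disabled (CVE-2017-9148)"); conf->session_cache_enable = false; }`; where that belongs is outside the visible hunks. It is also worth confirming that the path taken when the `Setup session caching` block is skipped sets `SSL_SESS_CACHE_OFF`, and that session tickets are off (`SSL_OP_NO_TICKET`), since the hunks show only the enabling branches being bypassed. The enclosing functions start and end outside the hunks.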