X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmain%2Ftls.c;fp=src%2Fmain%2Ftls.c;h=5ac8fc1af1ddf5d4539cf414aff32fcd6a121219;hb=92e1ccbd1216421ba5de341120a5cc3f0759762a;hp=753bf2d0b34f5fbf6468cd03c09ee94967e8de08;hpb=59e73511acfff7f1e80eb40e63b88f6db48873bf;p=freeradius.git
diff --git a/src/main/tls.c b/src/main/tls.c
index 753bf2d..5ac8fc1 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1453,7 +1453,7 @@ static int ocsp_asn1time_to_epoch(time_t *out, char const *asn1)
 memset(&t, 0, sizeof(t));
- if ((end - p) <= 12) {
+ if ((end - p) <= 13) {
 if ((end - p) < 2) {
 fr_strerror_printf("ASN1 date string too short, expected 2 additional bytes, got %zu bytes", end - p);
@@ -1471,7 +1471,7 @@ static int ocsp_asn1time_to_epoch(time_t *out, char const *asn1)
 t.tm_year -= 1900;
 }
- if ((end - p) < 10) {
+ if ((end - p) < 4) {
 fr_strerror_printf("ASN1 string too short, expected 10 additional bytes, got %zu bytes", end - p);
 return -1;
@@ -1481,14 +1481,21 @@ static int ocsp_asn1time_to_epoch(time_t *out, char const *asn1)
 t.tm_mon += (*(p++) - '0') - 1; // -1 since January is 0 not 1.
 t.tm_mday = (*(p++) - '0') * 10;
 t.tm_mday += (*(p++) - '0');
+
+ if ((end - p) < 2) goto done;
 t.tm_hour = (*(p++) - '0') * 10;
 t.tm_hour += (*(p++) - '0');
+
+ if ((end - p) < 2) goto done;
 t.tm_min = (*(p++) - '0') * 10;
 t.tm_min += (*(p++) - '0');
+
+ if ((end - p) < 2) goto done;
 t.tm_sec = (*(p++) - '0') * 10;
 t.tm_sec += (*(p++) - '0');
 /* Apparently OpenSSL converts all timestamps to UTC? Maybe? */
+done:
 *out = timegm(&t);
 return 0;
 }
@@ -1604,6 +1611,7 @@ static SSL_SESSION *cbtls_get_session(SSL *ssl, const unsigned char *data, int l
 /* not safe to un-persist a session w/o VPs */
 RWDEBUG("Failed loading persisted VPs for session %s", buffer);
 SSL_SESSION_free(sess);
+ sess = NULL;
 goto error;
 }
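Review bot: The `%zu` in the fr_strerror_printf call in this hunk (and in the next one at @@ -1471) is given `end - p`, which is a ptrdiff_t rather than a size_t; it should be cast, `(size_t)(end - p)`, or printed with `%td`. The thresholds changed here (12 to 13) and in the next hunk (10 to 4) are bare magic numbers with no explanation; if, as it appears, `<= 13` is meant to separate a 2-digit UTCTime year (`YYMMDDHHMMSSZ`, 13 bytes) from a 4-digit GeneralizedTime year, a comment such as `/* UTCTime (YYMMDDHHMMSS[Z]) is at most 13 bytes; anything longer carries a 4-digit year */` would record that. The function begins above this hunk.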
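Review bot: The new `< 4` check keeps the old diagnostic text, which still reports `expected 10 additional bytes`; the string should be updated to match, `fr_strerror_printf("ASN1 string too short, expected 4 additional bytes, got %zu bytes", (size_t)(end - p));`. As written, a truncated timestamp read from the session cache produces a message that contradicts the check that rejected it.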
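Review bot: The new `goto done` guards let a date-only string parse successfully, but the `done:` path never looks at what remains in the buffer: a single stray byte before the hour, minute or second field, or the trailing `Z` of a well-formed UTCTime, is silently ignored, and every `(*(p++) - '0')` conversion accepts non-digits, so a corrupted value from the persisted session cache yields arbitrary tm fields instead of an error. Before `*out = timegm(&t);` a check such as `if ((end - p) > 0 && ((end - p) != 1 || *p != 'Z')) { fr_strerror_printf("ASN1 date string has %zu unexpected trailing bytes", (size_t)(end - p)); return -1; }` would reject leftovers, and an `isdigit()` test on each consumed byte would catch garbage early. The caller in cbtls_get_session compares the result against request->timestamp, so a truncated value is treated as expiring at midnight, which is conservative but deserves a comment at `done:` saying so.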
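Review bot: `sess = NULL;` after `SSL_SESSION_free(sess);` is added here and twice more in the next hunk (@@ -1615), which suggests the `error:` label outside this hunk frees `sess` again and the NULLing exists to prevent a double free. Rather than three free/NULL/goto triplets, the three sites could simply `goto error;` and let the error path free `sess` once; `SSL_SESSION_free()` returns immediately on NULL in OpenSSL 1.0.x and 1.1.x, but confirm that for the oldest library version this file supports before relying on it. Either way a short comment at the label, `/* sess may be NULL here; SSL_SESSION_free() tolerates NULL */`, would make the ownership clear.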
@@ -1615,14 +1623,16 @@ static SSL_SESSION *cbtls_get_session(SSL *ssl, const unsigned char *data, int l
 time_t expires;
 if (ocsp_asn1time_to_epoch(&expires, vp->vp_strvalue) < 0) {
- RDEBUG2("Failed getting certificate expiration, removing cache entry for session %s", buffer);
+ RDEBUG2("Failed getting certificate expiration, removing cache entry for session %s - %s", buffer, fr_strerror());
 SSL_SESSION_free(sess);
+ sess = NULL;
 goto error;
 }
 if (expires <= request->timestamp) {
 RDEBUG2("Certificate has expired, removing cache entry for session %s", buffer);
 SSL_SESSION_free(sess);
+ sess = NULL;
 goto error;
 }
@@ -2030,7 +2040,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 char cn_str[1024];
 char buf[64];
 X509 *client_cert;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 const STACK_OF(X509_EXTENSION) *ext_list;
 #else
 STACK_OF(X509_EXTENSION) *ext_list;
@@ -2211,7 +2221,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 }
 }
 if (names != NULL)
- sk_GENERAL_NAME_free(names);
+ GENERAL_NAMES_free(names);
 }
 /*
@@ -3037,6 +3047,7 @@ post_ca:
 SSL_CTX_set_verify_depth(ctx, conf->verify_depth);
 }
+#ifndef LIBRESSL_VERSION_NUMBER
 /* Load randomness */
 if (conf->random_file) {
 if (!(RAND_load_file(conf->random_file, 1024*10))) {
@@ -3044,6 +3055,7 @@ post_ca:
 return NULL;
 }
 }
+#endif
 /*
 * Set the cipher list if we were told to
@@ -3165,6 +3177,7 @@ fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs)
 * Only check for certificate things if we don't have a
 * PSK query.
 */
+#ifdef PSK_MAX_IDENTITY_LEN
 if (conf->psk_identity) {
 if (conf->private_key_file) {
 WARN(LOG_PREFIX ": Ignoring private key file due to psk_identity being used");
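Review bot: The `if (names != NULL)` guard around the renamed `GENERAL_NAMES_free(names);` is redundant, since OpenSSL's ASN1 `*_free()` functions, GENERAL_NAMES_free() included, return immediately on NULL; the guard and its unbraced body could collapse to the single line `GENERAL_NAMES_free(names);`. If the guard is kept for clarity, brace the body as the rest of the file does. cbtls_verify continues on both sides of this hunk.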
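Review bot: Wrapping the `random_file` handling in `#ifndef LIBRESSL_VERSION_NUMBER` (closed by the `#endif` added in the next hunk at @@ -3044) means a configured `random_file` is silently ignored when building against LibreSSL, so an administrator gets no indication that the setting has no effect. An `#else` branch before that `#endif`, e.g. `if (conf->random_file) WARN(LOG_PREFIX ": random_file is ignored when built against LibreSSL");`, would surface that at startup. The enclosing function starts above this hunk.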
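Review bot: When `PSK_MAX_IDENTITY_LEN` is not defined the new `#ifdef` removes the whole `psk_identity` branch, so a configuration that sets `psk_identity` is silently ignored and the server falls through to the certificate path (the `} else` / `#endif` in the following hunk); a security-relevant setting that cannot be honoured should fail the config parse rather than be skipped. An `#else` branch that rejects the setting, as below, keeps a PSK-less build from starting on a configuration it does not implement. Whether `conf->psk_identity` is still parsed from the config when PSK is unavailable is not visible here; if it is not, the added check is harmless. The function continues below this hunk.
```c
#ifdef PSK_MAX_IDENTITY_LEN
	if (conf->psk_identity) {
		/* … unchanged: warnings about private_key_file / certificate_file being ignored … */
	} else
#else
	if (conf->psk_identity) {
		ERROR(LOG_PREFIX ": psk_identity is set but this TLS library build has no PSK support");
		goto error;
	}
#endif
	{
```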
@@ -3174,7 +3187,9 @@ fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs)
 WARN(LOG_PREFIX ": Ignoring certificate file due to psk_identity being used");
 }
- } else {
+ } else
+#endif
+ {
 if (!conf->private_key_file) {
 ERROR(LOG_PREFIX ": TLS Server requires a private key file");
 goto error;