From: Dan Breslau Date: Mon, 17 Jul 2017 18:05:09 +0000 (-0400) Subject: Merge tag 'release_3_0_15' into tr-integ X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=refs%2Ftags%2Fmoonshot_release_3.0.15%2Bmoonshot2;hp=-c;p=freeradius.git Merge tag 'release_3_0_15' into tr-integ --- 92e1ccbd1216421ba5de341120a5cc3f0759762a diff --combined debian/changelog index cf9c86d,1a11fa6..02d02d7 --- a/debian/changelog +++ b/debian/changelog @@@ -1,45 -1,15 +1,57 @@@ ++freeradius (3.0.15+moonshot1-0) unstable; urgency=medium ++ ++ * Merged from upstream release_3.0.15 ++ ++ -- Painless Security Mon, 17 Jul 2017 18:54:00 -0500 ++ + freeradius (3.0.15+git) unstable; urgency=medium + + * New upstream version. + + -- Alan DeKok Mon, 29 May 2017 12:00:00 -0400 + +freeradius (3.0.14+moonshot4-1) unstable; urgency=medium + + * Merged from release_3.0.14 + + -- Painless Security Mon, 05 Jun 2017 19:03:00 -0400 + freeradius (3.0.14+git) unstable; urgency=medium * New upstream version. -- Alan DeKok Tue, 07 Mar 2017 12:00:00 -0400 +freeradius (3.0.13+moonshot3-6) unstable; urgency=medium + + * Disabled session caching in EAP in response to CVE-2017-9148. + + -- Painless Security Fri, 02 Jun 2017 15:29:00 -0400 + +freeradius (3.0.13+moonshot3-5) unstable; urgency=medium + + * Fixed deleted links when upgrading to 3.0.13 on debian/ubuntu + + -- Painless Security Wed, 10 May 2017 21:26:00 -0400 + +freeradius (3.0.13+moonshot3-4) unstable; urgency=medium + + * Bumped version number + + -- Painless Security Tue, 09 May 2017 15:00:00 -0400 + +freeradius (3.0.13+moonshot3-3) unstable; urgency=medium + + * Removed some leftover cruft from debian/freeradius-postgresql.postinst + + -- Painless Security Mon, 08 May 2017 21:44:00 -0400 + +freeradius (3.0.13+moonshot3-2) unstable; urgency=medium + + * Standard freeradius 3.0.13 + Painless Security signing key. 
+ + -- Painless Security Fri, 05 May 2017 18:24:00 -0400 + freeradius (3.0.13+git) unstable; urgency=medium * New upstream version. diff --combined redhat/freeradius.spec-renamed index eb32165,8ed9652..8ed9652 --- a/redhat/freeradius.spec-renamed +++ b/redhat/freeradius.spec-renamed @@@ -26,17 -26,22 +26,22 @@@ Summary: High-performance and highly configurable free RADIUS server Name: freeradius - Version: 3.0.14 + Version: 3.0.15 Release: 2%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Daemons URL: http://www.freeradius.org/ Source0: ftp://ftp.freeradius.org/pub/radius/freeradius-server-%{version}.tar.bz2 + %if %{?_unitdir:1}%{!?_unitdir:0} + Source100: radiusd.service + %else Source100: freeradius-radiusd-init + %define initddir %{?_initddir:%{_initddir}}%{!?_initddir:%{_initrddir}} + %endif + Source102: freeradius-logrotate Source103: freeradius-pam-conf - Source104: radiusd.service Obsoletes: freeradius-devel Obsoletes: freeradius-libs @@@ -50,7 -55,7 +55,7 @@@ BuildRequires: autocon BuildRequires: gdbm-devel BuildRequires: libtool BuildRequires: libtool-ltdl-devel - BuildRequires: openssl-devel + BuildRequires: openssl, openssl-devel BuildRequires: pam-devel BuildRequires: zlib-devel BuildRequires: net-snmp-devel @@@ -382,14 -387,14 +387,14 @@@ touch $RPM_BUILD_ROOT/var/log/radius/{r # For systemd based systems, that define _unitdir, install the radiusd unit %if %{?_unitdir:1}%{!?_unitdir:0} - install -D -m 755 %{SOURCE104} $RPM_BUILD_ROOT/%{_unitdir}/radiusd.service + install -D -m 755 redhat/radiusd.service $RPM_BUILD_ROOT/%{_unitdir}/radiusd.service # For SystemV install the init script %else - install -D -m 755 %{SOURCE100} $RPM_BUILD_ROOT/%{initddir}/radiusd + install -D -m 755 redhat/freeradius-radiusd-init $RPM_BUILD_ROOT/%{initddir}/radiusd %endif - install -D -m 644 %{SOURCE102} $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/radiusd - install -D -m 644 %{SOURCE103} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/radiusd + install -D -m 644 
redhat/freeradius-logrotate $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/radiusd + install -D -m 644 redhat/freeradius-pam-conf $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/radiusd # remove unneeded stuff rm -rf doc/00-OLD @@@ -473,11 -478,13 +478,13 @@@ f %preun if [ $1 = 0 ]; then - /sbin/service radiusd stop > /dev/null 2>&1 + %if %{?_unitdir:1}%{!?_unitdir:0} + /bin/systemctl disable radiusd + %else /sbin/chkconfig --del radiusd + %endif fi - %postun if [ $1 -ge 1 ]; then /sbin/service radiusd condrestart >/dev/null 2>&1 || : diff --combined src/main/tls.c index 753bf2d,3d8b1b5..5ac8fc1 --- a/src/main/tls.c +++ b/src/main/tls.c @@@ -564,6 -564,7 +564,6 @@@ tls_session_t *tls_new_client_session(T return ssn; } - /** Create a new TLS session * * Configures a new TLS session, configuring options, setting callbacks etc... @@@ -1453,7 -1454,7 +1453,7 @@@ static int ocsp_asn1time_to_epoch(time_ memset(&t, 0, sizeof(t)); - if ((end - p) <= 12) { + if ((end - p) <= 13) { if ((end - p) < 2) { fr_strerror_printf("ASN1 date string too short, expected 2 additional bytes, got %zu bytes", end - p); @@@ -1471,7 -1472,7 +1471,7 @@@ t.tm_year -= 1900; } - if ((end - p) < 10) { + if ((end - p) < 4) { fr_strerror_printf("ASN1 string too short, expected 10 additional bytes, got %zu bytes", end - p); return -1; @@@ -1481,14 -1482,21 +1481,21 @@@ t.tm_mon += (*(p++) - '0') - 1; // -1 since January is 0 not 1. t.tm_mday = (*(p++) - '0') * 10; t.tm_mday += (*(p++) - '0'); + + if ((end - p) < 2) goto done; t.tm_hour = (*(p++) - '0') * 10; t.tm_hour += (*(p++) - '0'); + + if ((end - p) < 2) goto done; t.tm_min = (*(p++) - '0') * 10; t.tm_min += (*(p++) - '0'); + + if ((end - p) < 2) goto done; t.tm_sec = (*(p++) - '0') * 10; t.tm_sec += (*(p++) - '0'); /* Apparently OpenSSL converts all timestamps to UTC? Maybe? 
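Review bot: `install -D -m 755 redhat/radiusd.service $RPM_BUILD_ROOT/%{_unitdir}/radiusd.service` installs the systemd unit with execute permission; a unit file is plain data, so the new line should read `install -D -m 644 redhat/radiusd.service $RPM_BUILD_ROOT/%{_unitdir}/radiusd.service`. The same hunk replaces `%{SOURCE100}`, `%{SOURCE102}` and `%{SOURCE103}` with paths into the unpacked tree, which appears to leave the `Source100`/`Source102`/`Source103` declarations from the first hunk unused by `%install`; either keep the `%{SOURCEnnn}` macros here or drop the declarations so the two do not drift apart.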
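Review bot: In the systemd branch of `%preun`, a final removal (`$1 = 0`) now only disables the unit; the removed `/sbin/service radiusd stop` had also stopped the running daemon and nothing in the new branch replaces it, so radiusd keeps running after the package is gone. Add a stop next to the disable and silence both the way the SysV path does: `/bin/systemctl --no-reload disable radiusd.service >/dev/null 2>&1 || :` followed by `/bin/systemctl stop radiusd.service >/dev/null 2>&1 || :`. The `%postun` context below still calls `/sbin/service radiusd condrestart` on every upgrade, which may not exist on a systemd-only host; that is outside this hunk's changes but worth the same `%if` treatment.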
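Review bot: The new threshold in `if ((end - p) <= 13) {` is a magic number: it selects the two-digit-year branch and corresponds to the 13-byte UTCTime form `YYMMDDHHMMSSZ`, while anything longer is parsed as GeneralizedTime with a four-digit year. A comment on that line, `/* UTCTime is YYMMDDHHMMSSZ (13 bytes); anything longer is GeneralizedTime with a 4-digit year */`, would stop the next reader from "re-fixing" it back to 12. ocsp_asn1time_to_epoch's signature and the declaration of `p`/`end` are outside the hunk.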
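Review bot: The guard was relaxed from `< 10` to `< 4`, but the message on the next line still says `expected 10 additional bytes`, so a short string now reports the wrong requirement. Change it to `fr_strerror_printf("ASN1 string too short, expected 4 additional bytes, got %zu bytes", end - p);` — four is what the month and day reads in the following hunk consume before the per-field guards take over. `end - p` is a pointer difference, so `%zu` is strictly a format mismatch as well; `%td` or a `(size_t)` cast would be correct, though that predates this commit.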
*/ + done: *out = timegm(&t); return 0; } @@@ -1604,6 -1612,7 +1611,7 @@@ static SSL_SESSION *cbtls_get_session(S /* not safe to un-persist a session w/o VPs */ RWDEBUG("Failed loading persisted VPs for session %s", buffer); SSL_SESSION_free(sess); + sess = NULL; goto error; } @@@ -1615,14 -1624,16 +1623,16 @@@ time_t expires; if (ocsp_asn1time_to_epoch(&expires, vp->vp_strvalue) < 0) { - RDEBUG2("Failed getting certificate expiration, removing cache entry for session %s", buffer); + RDEBUG2("Failed getting certificate expiration, removing cache entry for session %s - %s", buffer, fr_strerror()); SSL_SESSION_free(sess); + sess = NULL; goto error; } if (expires <= request->timestamp) { RDEBUG2("Certificate has expired, removing cache entry for session %s", buffer); SSL_SESSION_free(sess); + sess = NULL; goto error; } @@@ -2030,7 -2041,7 +2040,7 @@@ int cbtls_verify(int ok, X509_STORE_CT char cn_str[1024]; char buf[64]; X509 *client_cert; - #if OPENSSL_VERSION_NUMBER >= 0x10100000L + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) const STACK_OF(X509_EXTENSION) *ext_list; #else STACK_OF(X509_EXTENSION) *ext_list; @@@ -2211,7 -2222,7 +2221,7 @@@ } } if (names != NULL) - sk_GENERAL_NAME_free(names); + GENERAL_NAMES_free(names); } /* @@@ -3037,6 -3048,7 +3047,7 @@@ post_ca SSL_CTX_set_verify_depth(ctx, conf->verify_depth); } + #ifndef LIBRESSL_VERSION_NUMBER /* Load randomness */ if (conf->random_file) { if (!(RAND_load_file(conf->random_file, 1024*10))) { @@@ -3044,6 -3056,7 +3055,7 @@@ return NULL; } } + #endif /* * Set the cipher list if we were told to @@@ -3165,6 -3178,7 +3177,7 @@@ fr_tls_server_conf_t *tls_server_conf_p * Only check for certificate things if we don't have a * PSK query. 
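Review bot: The three new `if ((end - p) < 2) goto done;` guards bound the reads, but the bytes consumed by `*(p++) - '0'` are never checked to be digits, so a non-digit in the input (which in hunk `@@@ -1615` comes from a persisted session-cache attribute, `vp->vp_strvalue`) yields an arbitrary `struct tm` field rather than an error. A single validation pass right after the `memset` in hunk `@@@ -1453` would close that without touching the per-field code; it needs `<ctype.h>` and assumes the optional trailing `Z` lies inside `[p, end)`, as the 13-byte threshold suggests, so please confirm that before applying. ocsp_asn1time_to_epoch's signature is outside the hunk.
```c
	memset(&t, 0, sizeof(t));

	/* Every byte must be an ASCII digit, except an optional trailing 'Z' */
	for (char const *q = p; q < end; q++) {
		if (isdigit((unsigned char)*q)) continue;
		if ((q == end - 1) && (*q == 'Z')) break;
		fr_strerror_printf("ASN1 date string contains a non-digit at offset %zu", (size_t)(q - p));
		return -1;
	}
	/* … unchanged: length checks and per-field parsing … */
```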
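Review bot: `sess = NULL;` after `SSL_SESSION_free(sess);` is added at three sites — here and twice in hunk `@@@ -1615` — which implies the `error:` label frees `sess` when it is non-NULL, i.e. these paths were double frees before. If that is what the label does, the explicit `SSL_SESSION_free(sess); sess = NULL;` pairs are now redundant and each site could reduce to `goto error;`, leaving the label as the single owner of the pointer; if the label instead hands `sess` back to the caller, the NULL assignment is the real fix and a one-line comment at the label, `/* sess is either NULL or still owned by us here */`, would record that. The label is outside the hunk, so I cannot confirm which it is.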
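Review bot: `GENERAL_NAMES_free(names)` frees the individual `GENERAL_NAME` entries as well as the stack, whereas `sk_GENERAL_NAME_free` freed only the stack, so any `GENERAL_NAME *` obtained from `names` in the loop above the hunk must not be referenced after this call — worth a comment on the line, `/* frees the entries too; nothing fetched from names may be used after this */`. The `if (names != NULL)` guard is redundant, since `GENERAL_NAMES_free(NULL)` is a no-op, and its un-braced single-statement body departs from the braced `if (...) {` style used everywhere else in this diff; `GENERAL_NAMES_free(names);` on its own would do. The enclosing function starts outside the hunk.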
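Review bot: Wrapping the `RAND_load_file` block in `#ifndef LIBRESSL_VERSION_NUMBER` (closed by the `#endif` in hunk `@@@ -3044`) means a configured `random_file` is silently ignored on LibreSSL builds, with no log line telling the operator that their entropy setting has no effect. Add an `#else` branch in front of that `#endif`: `#else` / `if (conf->random_file) WARN(LOG_PREFIX ": random_file is ignored when built against LibreSSL");` / `#endif`. `post_ca:` is a label inside a function whose start is outside both hunks.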
*/ + #ifdef PSK_MAX_IDENTITY_LEN if (conf->psk_identity) { if (conf->private_key_file) { WARN(LOG_PREFIX ": Ignoring private key file due to psk_identity being used"); @@@ -3174,7 -3188,9 +3187,9 @@@ WARN(LOG_PREFIX ": Ignoring certificate file due to psk_identity being used"); } - } else { + } else + #endif + { if (!conf->private_key_file) { ERROR(LOG_PREFIX ": TLS Server requires a private key file"); goto error; diff --combined suse/freeradius.spec-renamed index 1fb3c14,21c2142..21c2142 --- a/suse/freeradius.spec-renamed +++ b/suse/freeradius.spec-renamed @@@ -1,5 -1,5 +1,5 @@@ Name: freeradius-server - Version: 3.0.14 + Version: 3.0.15 Release: 0 License: GPLv2 ; LGPLv2.1 Group: Productivity/Networking/Radius/Servers
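Review bot: With `PSK_MAX_IDENTITY_LEN` undefined, the `#ifdef` added here together with the `} else` / `#endif` / `{` arrangement in hunk `@@@ -3174` compiles the psk_identity branch out entirely, so a `psk_identity` the administrator did configure is dropped without a word and the server goes on to demand a private key and certificate instead. Since `PSK_MAX_IDENTITY_LEN` is presumably being used as the marker for PSK support in the linked OpenSSL, the unsupported case should be reported rather than ignored, along the lines below (the `#else` goes between the `} else` and the `#endif` of hunk `@@@ -3174`). The split `} else` / `#endif` / `{` is also hard to read at a glance; a comment on the `{`, `/* certificate/key path; the only path when PSK is compiled out */`, would help. The body of the function headed `tls_server_conf_p…` in the hunk header continues outside both hunks.
```c
	} else
#else
	if (conf->psk_identity) {
		ERROR(LOG_PREFIX ": psk_identity is set but this build of OpenSSL has no PSK support");
		goto error;
	}
#endif
	{
		/* … unchanged: private key / certificate checks … */
```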