Merge tag 'release_3_0_15' into tr-integ

diff --combined debian/changelog
index cf9c86d,1a11fa6..02d02d7
--- 1/debian/changelog
--- 2/debian/changelog
+++ b/debian/changelog
@@@ -1,45 -1,15 +1,57 @@@
++freeradius (3.0.15+moonshot1-0) unstable; urgency=medium
++
++  * Merged from upstream release_3.0.15
++
++ -- Painless Security <build@painless-security.com>  Mon, 17 Jul 2017 18:54:00 -0500
++
+ freeradius (3.0.15+git) unstable; urgency=medium
+ 
+   * New upstream version.
+ 
+  -- Alan DeKok <aland@freeradius.org>  Mon, 29 May 2017 12:00:00 -0400
+ 
 +freeradius (3.0.14+moonshot4-1) unstable; urgency=medium
 +
 +  * Merged from release_3.0.14
 +
 + -- Painless Security <build@painless-security.com>  Mon, 05 Jun 2017 19:03:00 -0400
 +
  freeradius (3.0.14+git) unstable; urgency=medium
  
    * New upstream version.
  
   -- Alan DeKok <aland@freeradius.org>  Tue, 07 Mar 2017 12:00:00 -0400
  
 +freeradius (3.0.13+moonshot3-6) unstable; urgency=medium
 +
 +  * Disabled session caching in EAP in response to CVE-2017-9148.
 +
 + -- Painless Security <build@painless-security.com>  Fri, 02 Jun 2017 15:29:00 -0400
 +
 +freeradius (3.0.13+moonshot3-5) unstable; urgency=medium
 +
 +  * Fixed deleted links when upgrading to 3.0.13 on debian/ubuntu
 +
 + -- Painless Security <build@painless-security.com>  Wed, 10 May 2017 21:26:00 -0400
 +
 +freeradius (3.0.13+moonshot3-4) unstable; urgency=medium
 +
 +  * Bumped version number
 +
 + -- Painless Security <build@painless-security.com>  Tue, 09 May 2017 15:00:00 -0400
 +
 +freeradius (3.0.13+moonshot3-3) unstable; urgency=medium
 +
 +  * Removed some leftover cruft from debian/freeradius-postgresql.postinst
 +
 + -- Painless Security <build@painless-security.com>  Mon, 08 May 2017 21:44:00 -0400
 +
 +freeradius (3.0.13+moonshot3-2) unstable; urgency=medium
 +
 +  * Standard freeradius 3.0.13 + Painless Security signing key.
 +
 + -- Painless Security <build@painless-security.com>  Fri, 05 May 2017 18:24:00 -0400
 +
  freeradius (3.0.13+git) unstable; urgency=medium
  
    * New upstream version.

diff --combined redhat/freeradius.spec-renamed
index eb32165,8ed9652..8ed9652
--- 1/redhat/freeradius.spec-renamed
--- 2/redhat/freeradius.spec
+++ b/redhat/freeradius.spec-renamed
@@@ -26,17 -26,22 +26,22 @@@
  
  Summary: High-performance and highly configurable free RADIUS server
  Name: freeradius
- Version: 3.0.14
+ Version: 3.0.15
  Release: 2%{?dist}
  License: GPLv2+ and LGPLv2+
  Group: System Environment/Daemons
  URL: http://www.freeradius.org/
  
  Source0: ftp://ftp.freeradius.org/pub/radius/freeradius-server-%{version}.tar.bz2
+ %if %{?_unitdir:1}%{!?_unitdir:0}
+ Source100: radiusd.service
+ %else
  Source100: freeradius-radiusd-init
+ %define initddir %{?_initddir:%{_initddir}}%{!?_initddir:%{_initrddir}}
+ %endif
+ 
  Source102: freeradius-logrotate
  Source103: freeradius-pam-conf
- Source104: radiusd.service
  
  Obsoletes: freeradius-devel
  Obsoletes: freeradius-libs
@@@ -50,7 -55,7 +55,7 @@@ BuildRequires: autocon
  BuildRequires: gdbm-devel
  BuildRequires: libtool
  BuildRequires: libtool-ltdl-devel
- BuildRequires: openssl-devel
+ BuildRequires: openssl, openssl-devel
  BuildRequires: pam-devel
  BuildRequires: zlib-devel
  BuildRequires: net-snmp-devel
@@@ -382,14 -387,14 +387,14 @@@ touch $RPM_BUILD_ROOT/var/log/radius/{r
  
  # For systemd based systems, that define _unitdir, install the radiusd unit
  %if %{?_unitdir:1}%{!?_unitdir:0}
- install -D -m 755 %{SOURCE104} $RPM_BUILD_ROOT/%{_unitdir}/radiusd.service
+ install -D -m 755 redhat/radiusd.service $RPM_BUILD_ROOT/%{_unitdir}/radiusd.service
  # For SystemV install the init script
  %else
- install -D -m 755 %{SOURCE100} $RPM_BUILD_ROOT/%{initddir}/radiusd
+ install -D -m 755 redhat/freeradius-radiusd-init $RPM_BUILD_ROOT/%{initddir}/radiusd
  %endif
  
- install -D -m 644 %{SOURCE102} $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/radiusd
- install -D -m 644 %{SOURCE103} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/radiusd
+ install -D -m 644 redhat/freeradius-logrotate $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/radiusd
+ install -D -m 644 redhat/freeradius-pam-conf $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/radiusd
  
  # remove unneeded stuff
  rm -rf doc/00-OLD
@@@ -473,11 -478,13 +478,13 @@@ f
  
  %preun
  if [ $1 = 0 ]; then
-   /sbin/service radiusd stop > /dev/null 2>&1
+ %if %{?_unitdir:1}%{!?_unitdir:0}
+   /bin/systemctl disable radiusd
+ %else
    /sbin/chkconfig --del radiusd
+ %endif
  fi
  
- 
  %postun
  if [ $1 -ge 1 ]; then
    /sbin/service radiusd condrestart >/dev/null 2>&1 || :

diff --combined src/main/tls.c
index 753bf2d,3d8b1b5..5ac8fc1
--- 1/src/main/tls.c
--- 2/src/main/tls.c
+++ b/src/main/tls.c
@@@ -564,6 -564,7 +564,6 @@@ tls_session_t *tls_new_client_session(T
        return ssn;
  }
  
 -
  /** Create a new TLS session
   *
   * Configures a new TLS session, configuring options, setting callbacks etc...
@@@ -1453,7 -1454,7 +1453,7 @@@ static int ocsp_asn1time_to_epoch(time_
  
        memset(&t, 0, sizeof(t));
  
-       if ((end - p) <= 12) {
+       if ((end - p) <= 13) {
                if ((end - p) < 2) {
                        fr_strerror_printf("ASN1 date string too short, expected 2 additional bytes, got %zu bytes",
                                           end - p);
@@@ -1471,7 -1472,7 +1471,7 @@@
                t.tm_year -= 1900;
        }
  
-       if ((end - p) < 10) {
+       if ((end - p) < 4) {
                fr_strerror_printf("ASN1 string too short, expected 10 additional bytes, got %zu bytes",
                                   end - p);
                return -1;
@@@ -1481,14 -1482,21 +1481,21 @@@
        t.tm_mon += (*(p++) - '0') - 1; // -1 since January is 0 not 1.
        t.tm_mday = (*(p++) - '0') * 10;
        t.tm_mday += (*(p++) - '0');
+ 
+       if ((end - p) < 2) goto done;
        t.tm_hour = (*(p++) - '0') * 10;
        t.tm_hour += (*(p++) - '0');
+ 
+       if ((end - p) < 2) goto done;
        t.tm_min = (*(p++) - '0') * 10;
        t.tm_min += (*(p++) - '0');
+ 
+       if ((end - p) < 2) goto done;
        t.tm_sec = (*(p++) - '0') * 10;
        t.tm_sec += (*(p++) - '0');
  
        /* Apparently OpenSSL converts all timestamps to UTC? Maybe? */
+ done:
        *out = timegm(&t);
        return 0;
  }
@@@ -1604,6 -1612,7 +1611,7 @@@ static SSL_SESSION *cbtls_get_session(S
                        /* not safe to un-persist a session w/o VPs */
                        RWDEBUG("Failed loading persisted VPs for session %s", buffer);
                        SSL_SESSION_free(sess);
+                       sess = NULL;
                        goto error;
                }
  
@@@ -1615,14 -1624,16 +1623,16 @@@
                        time_t expires;
  
                        if (ocsp_asn1time_to_epoch(&expires, vp->vp_strvalue) < 0) {
-                               RDEBUG2("Failed getting certificate expiration, removing cache entry for session %s", buffer);
+                               RDEBUG2("Failed getting certificate expiration, removing cache entry for session %s - %s", buffer, fr_strerror());
                                SSL_SESSION_free(sess);
+                               sess = NULL;
                                goto error;
                        }
  
                        if (expires <= request->timestamp) {
                                RDEBUG2("Certificate has expired, removing cache entry for session %s", buffer);
                                SSL_SESSION_free(sess);
+                               sess = NULL;
                                goto error;
                        }
  
@@@ -2030,7 -2041,7 +2040,7 @@@ int cbtls_verify(int ok, X509_STORE_CT
        char            cn_str[1024];
        char            buf[64];
        X509            *client_cert;
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
        const STACK_OF(X509_EXTENSION) *ext_list;
  #else
        STACK_OF(X509_EXTENSION) *ext_list;
@@@ -2211,7 -2222,7 +2221,7 @@@
                        }
                }
                if (names != NULL)
-                       sk_GENERAL_NAME_free(names);
+                       GENERAL_NAMES_free(names);
        }
  
        /*
@@@ -3037,6 -3048,7 +3047,7 @@@ post_ca
                SSL_CTX_set_verify_depth(ctx, conf->verify_depth);
        }
  
+ #ifndef LIBRESSL_VERSION_NUMBER
        /* Load randomness */
        if (conf->random_file) {
                if (!(RAND_load_file(conf->random_file, 1024*10))) {
@@@ -3044,6 -3056,7 +3055,7 @@@
                        return NULL;
                }
        }
+ #endif
  
        /*
         * Set the cipher list if we were told to
@@@ -3165,6 -3178,7 +3177,7 @@@ fr_tls_server_conf_t *tls_server_conf_p
         *      Only check for certificate things if we don't have a
         *      PSK query.
         */
+ #ifdef PSK_MAX_IDENTITY_LEN
        if (conf->psk_identity) {
                if (conf->private_key_file) {
                        WARN(LOG_PREFIX ": Ignoring private key file due to psk_identity being used");
@@@ -3174,7 -3188,9 +3187,9 @@@
                        WARN(LOG_PREFIX ": Ignoring certificate file due to psk_identity being used");
                }
  
-       } else {
+       } else
+ #endif
+       {
                if (!conf->private_key_file) {
                        ERROR(LOG_PREFIX ": TLS Server requires a private key file");
                        goto error;

diff --combined suse/freeradius.spec-renamed
index 1fb3c14,21c2142..21c2142
--- 1/suse/freeradius.spec-renamed
--- 2/suse/freeradius.spec
+++ b/suse/freeradius.spec-renamed
@@@ -1,5 -1,5 +1,5 @@@
  Name:         freeradius-server
- Version: 3.0.14
+ Version: 3.0.15
  Release:      0
  License:      GPLv2 ; LGPLv2.1
  Group:        Productivity/Networking/Radius/Servers