Alan T. DeKok [Mon, 17 Jul 2017 12:31:41 +0000 (08:31 -0400)]
use packages@
Alan T. DeKok [Mon, 17 Jul 2017 12:29:44 +0000 (08:29 -0400)]
note recent changes
Alan T. DeKok [Mon, 3 Jul 2017 16:35:45 +0000 (12:35 -0400)]
FR-GV-207 - avoid zero-length malloc() in data2vp()
Alan T. DeKok [Mon, 3 Jul 2017 15:35:02 +0000 (11:35 -0400)]
FR-GV-206 - decode option 60 (string) not 63 (octets)
Alan T. DeKok [Mon, 3 Jul 2017 00:54:36 +0000 (20:54 -0400)]
FR-GV-205 - check for "too long" options, too
Alan T. DeKok [Sat, 1 Jul 2017 12:49:24 +0000 (08:49 -0400)]
FR-GV-204 - free VP if decoding options fails, so we don't leak memory
Alan T. DeKok [Mon, 3 Jul 2017 18:48:47 +0000 (14:48 -0400)]
FR-GV-203 - fix memory leak when using decode_tlv()
Alan T. DeKok [Mon, 3 Jul 2017 16:34:00 +0000 (12:34 -0400)]
FR-GV-202 - check for "too long" attributes, too
Alan T. DeKok [Tue, 4 Jul 2017 02:04:40 +0000 (22:04 -0400)]
FR-GV-201 - check input / output length in make_secret()
Alan T. DeKok [Wed, 5 Jul 2017 15:27:35 +0000 (11:27 -0400)]
FR-AD-001 - (v2) use strncmp() instead of memcmp() for bounded data
Alan T. DeKok [Mon, 17 Jul 2017 12:19:36 +0000 (08:19 -0400)]
Remove erroneous fprintf
Alan T. DeKok [Mon, 3 Jul 2017 01:00:58 +0000 (21:00 -0400)]
disable TLS session caches.
So that malicious users cannot falsely resume sessions
Alan T. DeKok [Sat, 1 Jul 2017 14:34:57 +0000 (10:34 -0400)]
Fix OpenSSL API issue. Based on a patch from Guido Vranken
Alan T. DeKok [Thu, 1 Sep 2016 19:31:35 +0000 (15:31 -0400)]
note EOL status of v2
Alan T. DeKok [Thu, 1 Sep 2016 19:28:17 +0000 (15:28 -0400)]
note recent changes
Alan T. DeKok [Thu, 1 Sep 2016 19:26:34 +0000 (15:26 -0400)]
allow non-FIPS
Alan T. DeKok [Thu, 1 Sep 2016 19:26:10 +0000 (15:26 -0400)]
issuer_cert may be NULL
Alan T. DeKok [Thu, 1 Sep 2016 19:22:32 +0000 (15:22 -0400)]
look at index i, not 0
Arran Cudbard-Bell [Wed, 23 Mar 2016 10:06:23 +0000 (10:06 +0000)]
Merge pull request #1570 from alanbuxey/patch-4
fixed typo
Alan Buxey [Wed, 23 Mar 2016 10:05:31 +0000 (10:05 +0000)]
fixed typo
minor typo was still lurking
Alan T. DeKok [Sun, 21 Feb 2016 12:57:21 +0000 (07:57 -0500)]
Escaping for v2 style. Fixe #1543
Arran Cudbard-Bell [Sun, 20 Dec 2015 21:16:28 +0000 (16:16 -0500)]
Merge pull request #1441 from TheMysteriousX/v2.x.x-fix-disable-ssl
Fix build failure when --disable-openssl-version-check is set.
Adam Bishop [Thu, 10 Dec 2015 02:08:29 +0000 (02:08 +0000)]
Fix build failure when --disable-openssl-version-check is set.
4f24d4c mostly corrected the behaviour, however mainconfig.allow_vulnerable_ssl still had a dependency on ENABLE_OPENSSL_VERSION_CHECK.
Alan T. DeKok [Fri, 6 Nov 2015 12:00:11 +0000 (07:00 -0500)]
Make default match config
Alan T. DeKok [Thu, 15 Oct 2015 22:09:18 +0000 (18:09 -0400)]
Note recent changes
Arran Cudbard-Bell [Thu, 15 Oct 2015 21:22:03 +0000 (17:22 -0400)]
ENABLE_OPENSSL_VERSION_CHECK was intended to be used to disable checks for vulnerable OpenSSL versions, NOT our compile/runtime checks for OpenSSL version mismatches.
Alan T. DeKok [Sun, 11 Oct 2015 21:21:57 +0000 (17:21 -0400)]
Work around other OpenSSL stupidity.
Alan T. DeKok [Sat, 10 Oct 2015 13:07:15 +0000 (09:07 -0400)]
note OpenSSL 1.0.2 idiocy
Arran Cudbard-Bell [Sat, 10 Oct 2015 00:48:09 +0000 (20:48 -0400)]
Fix compatibility with OpenSSL 1.0.2
Which may help OS maintainers who really, really, really want to keep support for v2.x.x.
Alan T. DeKok [Tue, 6 Oct 2015 13:11:27 +0000 (09:11 -0400)]
Bump for 2.2.10
Which will only be released if there are catastrophic security
bugs. Everyone should upgrade to 3.0
Alan T. DeKok [Wed, 30 Sep 2015 20:37:13 +0000 (16:37 -0400)]
Update for release
Arran Cudbard-Bell [Wed, 30 Sep 2015 11:39:33 +0000 (07:39 -0400)]
Merge pull request #1280 from mcnewton/ch2xx
update changelog
Matthew Newton [Wed, 30 Sep 2015 10:05:22 +0000 (11:05 +0100)]
update changelog
Alan T. DeKok [Mon, 28 Sep 2015 14:39:29 +0000 (10:39 -0400)]
note recent changes
Alan T. DeKok [Mon, 28 Sep 2015 13:28:43 +0000 (09:28 -0400)]
Don't go to next sibling on empty case. Fixes #1274
Alan T. DeKok [Tue, 22 Sep 2015 17:46:43 +0000 (13:46 -0400)]
Bump for 2.2.9
Alan T. DeKok [Wed, 16 Sep 2015 18:08:38 +0000 (14:08 -0400)]
close to 2.2.9
Alan T. DeKok [Wed, 16 Sep 2015 18:07:12 +0000 (14:07 -0400)]
bump for 2.2.9
Alan T. DeKok [Wed, 16 Sep 2015 18:05:40 +0000 (14:05 -0400)]
Bump for 2.2.9
Alan T. DeKok [Wed, 9 Sep 2015 13:25:00 +0000 (09:25 -0400)]
Note recent changes
Alan T. DeKok [Wed, 9 Sep 2015 13:23:48 +0000 (09:23 -0400)]
Always delete MS-MPPE-* from the reply. Fixes #1206
Alan T. DeKok [Wed, 9 Sep 2015 13:18:50 +0000 (09:18 -0400)]
More fixes to use SSL_export_keying_material
Alan T. DeKok [Fri, 14 Aug 2015 19:44:19 +0000 (21:44 +0200)]
Back-port
d1cdce1b0 from v3.0.x
Properly iencode and decode very long Tunnel-Password attributes
Arran Cudbard-Bell [Thu, 13 Aug 2015 11:02:51 +0000 (07:02 -0400)]
Merge pull request #1187 from jeremybrowne/v2.x.x
Fix OpenSSL version check issues
Jeremy Browne [Thu, 13 Aug 2015 07:09:17 +0000 (00:09 -0700)]
Fix OpenSSL version check issues
Bring the relevant bits of
3eb1025dc6ac back to v2.x.x branch
Alan T. DeKok [Mon, 27 Jul 2015 19:30:23 +0000 (15:30 -0400)]
set "now"
Alan T. DeKok [Thu, 9 Jul 2015 14:37:25 +0000 (10:37 -0400)]
Time for 2.2.8
Arran Cudbard-Bell [Mon, 29 Jun 2015 15:06:20 +0000 (11:06 -0400)]
Merge pull request #1105 from alanbuxey/patch-51
Update Makefile
Alan Buxey [Mon, 29 Jun 2015 14:16:18 +0000 (15:16 +0100)]
Update Makefile
Alan T. DeKok [Mon, 29 Jun 2015 12:50:33 +0000 (08:50 -0400)]
Manually manage the append list
Alan T. DeKok [Mon, 22 Jun 2015 19:28:38 +0000 (15:28 -0400)]
Note recent changes
Alan T. DeKok [Mon, 22 Jun 2015 19:27:32 +0000 (15:27 -0400)]
Set X509_V_FLAG_CRL_CHECK_ALL
Alan T. DeKok [Mon, 8 Jun 2015 15:33:48 +0000 (11:33 -0400)]
Mark home server dead based on calculated time
Alan T. DeKok [Sun, 31 May 2015 14:46:39 +0000 (10:46 -0400)]
Note recent changes
Alan T. DeKok [Sun, 31 May 2015 12:11:42 +0000 (08:11 -0400)]
Allow post-auth to return reject
If so, return Access-Reject
Alan T. DeKok [Wed, 20 May 2015 21:39:38 +0000 (17:39 -0400)]
Save a copy of the filename
Alan T. DeKok [Wed, 20 May 2015 21:36:09 +0000 (17:36 -0400)]
Oops
Arran Cudbard-Bell [Fri, 8 May 2015 03:22:46 +0000 (23:22 -0400)]
Merge pull request #986 from alanbuxey/patch-21
Update base64.h to remove compiler warning
Alan T. DeKok [Fri, 1 May 2015 11:23:58 +0000 (07:23 -0400)]
-Wshadow fix
Arran Cudbard-Bell [Thu, 30 Apr 2015 23:52:17 +0000 (19:52 -0400)]
Merge pull request #985 from alanbuxey/patch-20
Update base64.c to remove compiler warning
Alan T. DeKok [Thu, 30 Apr 2015 23:48:24 +0000 (19:48 -0400)]
Fix client_add for virtual servers.
If there's a "listen" section, the clients are added to that
virtual server.
If there's no "listen" section in this virtual server, the
clients are added to the global list.
Alan T. DeKok [Thu, 30 Apr 2015 23:48:06 +0000 (19:48 -0400)]
Bump for 2.2.8
Alan Buxey [Thu, 30 Apr 2015 22:08:40 +0000 (23:08 +0100)]
Update base64.h
Alan Buxey [Thu, 30 Apr 2015 22:07:25 +0000 (23:07 +0100)]
Update base64.c
Arran Cudbard-Bell [Mon, 27 Apr 2015 09:21:57 +0000 (10:21 +0100)]
Merge pull request #979 from jahir/patch-1
fixed radclient.c compile error
jahir [Mon, 27 Apr 2015 09:18:24 +0000 (11:18 +0200)]
fixed radclient.c compile error
gcc with -Werror=format-security doesn't like printf without string literal
Alan T. DeKok [Wed, 22 Apr 2015 17:31:54 +0000 (13:31 -0400)]
Release for 2.2.7
Alan T. DeKok [Mon, 13 Apr 2015 16:43:49 +0000 (12:43 -0400)]
Expand buffer to max string size
Alan T. DeKok [Wed, 8 Apr 2015 18:42:57 +0000 (14:42 -0400)]
Add certs to the packet, too
Manual port of commit #
994db028
Alan T. DeKok [Sun, 5 Apr 2015 13:57:52 +0000 (09:57 -0400)]
note recent changes
Alan T. DeKok [Sun, 5 Apr 2015 13:57:04 +0000 (09:57 -0400)]
Port fix for #945 from v3.0.x branch
Alan T. DeKok [Tue, 31 Mar 2015 16:07:29 +0000 (12:07 -0400)]
Fix for v2
Alan T. DeKok [Tue, 31 Mar 2015 15:34:50 +0000 (11:34 -0400)]
Note recent changes
Alan T. DeKok [Tue, 31 Mar 2015 15:34:23 +0000 (11:34 -0400)]
Revert "Disable TLS 1.2 by default. Causes MPPE key mismatches with eapol_test."
This reverts commit
d541351bba3f874bcb9d51483679970981892c49.
No longer necessary after previous commit
Alan T. DeKok [Tue, 31 Mar 2015 15:33:12 +0000 (11:33 -0400)]
Use SSL_export_keying_material for TLSv1.2 PRF derivation
Alan T. DeKok [Tue, 31 Mar 2015 02:51:09 +0000 (22:51 -0400)]
Disable TLS 1.2 by default. Causes MPPE key mismatches with eapol_test.
Manual port of commit 8ac08a4 to v2.
Alan T. DeKok [Sun, 29 Mar 2015 14:03:11 +0000 (10:03 -0400)]
Fix error message to be correct
Alan T. DeKok [Thu, 26 Mar 2015 18:15:15 +0000 (13:15 -0500)]
Note recent changes
Alan T. DeKok [Thu, 26 Mar 2015 18:12:45 +0000 (13:12 -0500)]
Allow "eap" in Post-Auth-Type Reject
which sends EAP failure and Message-Authenticator
Alan T. DeKok [Tue, 24 Mar 2015 22:12:14 +0000 (17:12 -0500)]
start from 0 for failover
Alan T. DeKok [Tue, 10 Mar 2015 13:54:44 +0000 (09:54 -0400)]
md5 == nt
Alan T. DeKok [Wed, 4 Mar 2015 13:07:53 +0000 (08:07 -0500)]
note recent changes
Alan T. DeKok [Wed, 4 Mar 2015 13:06:12 +0000 (08:06 -0500)]
Use the correct name if there are multiple tagged attributes
Alan T. DeKok [Wed, 25 Feb 2015 19:22:06 +0000 (14:22 -0500)]
Note recent changes
Alan T. DeKok [Wed, 25 Feb 2015 19:21:17 +0000 (14:21 -0500)]
Set correct default destination port for replies to relay
Alan DeKok [Fri, 13 Feb 2015 12:36:46 +0000 (07:36 -0500)]
Merge pull request #907 from spbnick/ssl_headers_fix
Include headers for OpenSSL init
Nikolai Kondrashov [Fri, 13 Feb 2015 10:54:29 +0000 (11:54 +0100)]
Include headers for OpenSSL init
Inlude OpenSSL headers into radiusd.c for OpenSSL init.
This fixes "implicit declaration of function" warnings concerning
SSL_library_init and SSL_load_error_strings.
Arran Cudbard-Bell [Wed, 11 Feb 2015 16:13:00 +0000 (11:13 -0500)]
Merge pull request #906 from spbnick/fix-openssl-version-check-disabling
Move OpenSSL init out of version check
Nikolai Kondrashov [Wed, 11 Feb 2015 14:24:23 +0000 (15:24 +0100)]
Move OpenSSL init out of version check
Initialize OpenSSL outside ssl_version_check() to execute even with
disabled version check. Otherwise SSL_CTX_new() returns zero and
FreeRADIUS segfaults in init_tls_ctx with version check disabled.
Alan DeKok [Tue, 3 Feb 2015 19:40:05 +0000 (14:40 -0500)]
Merge pull request #898 from spbnick/disable_openssl_vercheck_v2.x.x
Add --disable-openssl-version-check option
Nikolai Kondrashov [Tue, 3 Feb 2015 09:33:48 +0000 (10:33 +0100)]
Add --disable-openssl-version-check option
Add "--disable-openssl-version-check" configure option, which removes
checking for vulnerable OpenSSL versions. It is supposed to be used by
downstream packagers and distributions who have other means to ensure
vulnerabilities are fixed, such as versioned package dependencies and
vulnerability handling processes.
This avoids the necessity of editing radiusd.conf on package upgrade to
make sure it keeps working. At the same time, it provides safe default
to those installing FreeRADIUS from source.
Instead of defining a dummy ssl_check_version function and ignoring
allow_vulnerable_openssl option, remove these altogether to match the
v3.0.x branch.
Alan DeKok [Tue, 3 Feb 2015 13:32:49 +0000 (08:32 -0500)]
Merge pull request #897 from spbnick/strlcpy_fix
log: Check message buffer length to avoid overflow
Nikolai Kondrashov [Tue, 3 Feb 2015 11:10:52 +0000 (12:10 +0100)]
log: Check message buffer length to avoid overflow
Check that adding strlcpy result to the message length didn't exceed
size of the message buffer to avoid underflow in calculating remaining
size and overflowing the buffer.
Alan T. DeKok [Sun, 1 Feb 2015 22:24:23 +0000 (17:24 -0500)]
Replace strncat() with strlcpy()
Alan DeKok [Sun, 1 Feb 2015 22:12:02 +0000 (17:12 -0500)]
Merge pull request #895 from spbnick/v2.x.x_misc_fixes
v2.x.x misc fixes
Nikolai Kondrashov [Fri, 30 Jan 2015 14:13:57 +0000 (16:13 +0200)]
Don't dereference NULL cs in cf_item_parse
Avoid dereferencing NULL cs in cf_item_parse and cf_reference_item it
invokes.
This fixes the following Coverity errors:
Error: FORWARD_NULL (CWE-476):
freeradius-server-2.2.6/src/main/conffile.c:900: var_compare_op: Comparing "cs" to null implies that "cs" might be null.
freeradius-server-2.2.6/src/main/conffile.c:932: var_deref_op: Dereferencing null pointer "cs".
Error: FORWARD_NULL (CWE-476):
freeradius-server-2.2.6/src/main/conffile.c:900: var_compare_op: Comparing "cs" to null implies that "cs" might be null.
freeradius-server-2.2.6/src/main/conffile.c:938: var_deref_op: Dereferencing null pointer "cs".
Error: FORWARD_NULL (CWE-476):
freeradius-server-2.2.6/src/main/conffile.c:958: var_compare_op: Comparing "cs" to null implies that "cs" might be null.
freeradius-server-2.2.6/src/main/conffile.c:963: var_deref_model: Passing null pointer "cs" to "cf_expand_variables", which dereferences it.
freeradius-server-2.2.6/src/main/conffile.c:782:4: deref_parm_in_call: Function "cf_reference_item" dereferences "outercs".
freeradius-server-2.2.6/src/main/conffile.c:597:25: var_assign_parm: Assigning: "cs" = "outercs".
freeradius-server-2.2.6/src/main/conffile.c:615:4: deref_var: Dereferencing "cs" (which is a copy of "outercs").
Error: FORWARD_NULL (CWE-476):
freeradius-server-2.2.6/src/main/conffile.c:958: var_compare_op: Comparing "cs" to null implies that "cs" might be null.
freeradius-server-2.2.6/src/main/conffile.c:973: var_deref_op: Dereferencing null pointer "cs".
Error: FORWARD_NULL (CWE-476):
freeradius-server-2.2.6/src/main/conffile.c:994: var_compare_op: Comparing "cs" to null implies that "cs" might be null.
freeradius-server-2.2.6/src/main/conffile.c:1009: var_deref_op: Dereferencing null pointer "cs".
Error: FORWARD_NULL (CWE-476):
freeradius-server-2.2.6/src/main/conffile.c:900: var_compare_op: Comparing "cs" to null implies that "cs" might be null.
freeradius-server-2.2.6/src/main/conffile.c:1041: var_deref_op: Dereferencing null pointer "cs".
Error: FORWARD_NULL (CWE-476):
freeradius-server-2.2.6/src/main/conffile.c:900: var_compare_op: Comparing "cs" to null implies that "cs" might be null.
freeradius-server-2.2.6/src/main/conffile.c:1051: var_deref_op: Dereferencing null pointer "cs".
Error: FORWARD_NULL (CWE-476):
freeradius-server-2.2.6/src/main/conffile.c:900: var_compare_op: Comparing "cs" to null implies that "cs" might be null.
freeradius-server-2.2.6/src/main/conffile.c:1054: var_deref_op: Dereferencing null pointer "cs".
Error: FORWARD_NULL (CWE-476):
freeradius-server-2.2.6/src/main/conffile.c:900: var_compare_op: Comparing "cs" to null implies that "cs" might be null.
freeradius-server-2.2.6/src/main/conffile.c:1066: var_deref_op: Dereferencing null pointer "cs".
Nikolai Kondrashov [Fri, 30 Jan 2015 13:23:49 +0000 (15:23 +0200)]
dhcp: Remove useless variable initializer
Remove an initialization of a variable, which is then overwritten, in
dhcp_get_option.
This fixes the following Clang warning:
freeradius-server-2.2.6/src/lib/dhcp.c:144:11: warning: Value stored to 'data' during its initialization is never read
Nikolai Kondrashov [Fri, 30 Jan 2015 11:35:06 +0000 (13:35 +0200)]
dhcpd: Verify DICT_VALUE exists itself
Verify that a DICT_VALUE was returned from dict_valbyattr by checking
the returned pointer, not the "name" field address. This likely fixes a
possible segfault when debugging.
This also fixes the following Coverity error:
Error: NO_EFFECT (CWE-398):
freeradius-server-2.2.6/src/main/dhcpd.c:300: array_null: Comparing an array to null is not useful: "dv->name".
Nikolai Kondrashov [Fri, 30 Jan 2015 10:54:39 +0000 (12:54 +0200)]
dhcp: Use correct format specifiers in a message
Format size_t with %zu specifier, instead of %d, as size_t is not
guaranteed to be the same size as int.
This fixes the following compiler warnings:
freeradius-server-2.2.6/src/lib/dhcp.c: scope_hint: In function 'fr_dhcp_add_arp_entry'
freeradius-server-2.2.6/src/lib/dhcp.c:1536: warning: format '%d' expects type 'int', but argument 2 has type 'long unsigned int'
freeradius-server-2.2.6/src/lib/dhcp.c:1536: warning: format '%d' expects type 'int', but argument 3 has type 'size_t'
Nikolai Kondrashov [Thu, 29 Jan 2015 19:39:44 +0000 (21:39 +0200)]
Fix two pointer signedness warnings
This fixes the following compiler warnings:
freeradius-server-2.2.6/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c: scope_hint: In function 'cbtls_verify'
freeradius-server-2.2.6/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c:711: warning: pointer targets in passing argument 2 of 'pairmake' differ in signedness
freeradius-server-2.2.6/src/include/libradius.h:373: note: expected 'const char *' but argument is of type 'unsigned char *'
freeradius-server-2.2.6/src/modules/rlm_expr/rlm_expr.c: scope_hint: In function 'base64_to_hex_xlat'
freeradius-server-2.2.6/src/modules/rlm_expr/rlm_expr.c:678: warning: pointer targets in passing argument 1 of 'fr_bin2hex' differ in signedness
freeradius-server-2.2.6/src/include/libradius.h:418: note: expected 'const uint8_t *' but argument is of type 'char *'