authorzi <zi@FreeBSD.org>2011-08-10 22:08:03 +0800
committerzi <zi@FreeBSD.org>2011-08-10 22:08:03 +0800
commitc8743e9eba2fbbabcf9bded2b6645b0b3362b707 (patch)
treeb83cd9d312a70261500f47ad84e5a4943aacb5f4
parent9264e95cafee18f9825d920e94e5d8e86f54a022 (diff)
Resolve memleak in rlm_detail
Resolve OCSP certificate validation issue
Resolve crash triggered by event.c issue
Bump PORTREVISION
Pacify portlint(1)

Approved by: wxs (mentor)
Obtained from: freeradius github
-rw-r--r--net/freeradius2/Makefile5
-rw-r--r--net/freeradius2/files/patch-src__lib__event.c24
-rw-r--r--net/freeradius2/files/patch-src__modules__rlm_detail__rlm_detail.c16
-rw-r--r--net/freeradius2/files/patch-src__modules__rlm_eap__types__rlm_eap_tls__rlm_eap_tls.c125
4 files changed, 168 insertions, 2 deletions
diff --git a/net/freeradius2/Makefile b/net/freeradius2/Makefile
index ce1a5b68953f..0a5f1b85ac10 100644
--- a/net/freeradius2/Makefile
+++ b/net/freeradius2/Makefile
@@ -9,6 +9,7 @@
PORTNAME= freeradius
DISTVERSION= 2.1.11
+PORTREVISION= 1
CATEGORIES= net
MASTER_SITES= ftp://ftp.freeradius.org/pub/freeradius/%SUBDIR%/ \
ftp://ftp.ntua.gr/pub/net/radius/freeradius/%SUBDIR%/ \
@@ -21,6 +22,8 @@ DISTNAME= freeradius-server-${DISTVERSION}
MAINTAINER= zi@FreeBSD.org
COMMENT= A free RADIUS server implementation
+LICENSE= GPLv2
+
LIB_DEPENDS= gdbm.3:${PORTSDIR}/databases/gdbm
USE_GMAKE= yes
@@ -60,8 +63,6 @@ OPTIONS= USER "Run as user freeradius, group freeradius" on \
.include <bsd.port.options.mk>
-LICENSE= GPLv2
-
# Default requirements for rc script
_REQUIRE= NETWORKING SERVERS
diff --git a/net/freeradius2/files/patch-src__lib__event.c b/net/freeradius2/files/patch-src__lib__event.c
new file mode 100644
index 000000000000..aa47183a735c
--- /dev/null
+++ b/net/freeradius2/files/patch-src__lib__event.c
@@ -0,0 +1,24 @@
+--- ./src/lib/event.c.orig 2011-06-20 10:57:14.000000000 -0400
++++ ./src/lib/event.c 2011-08-10 07:39:10.000000000 -0400
+@@ -155,7 +155,7 @@
+ {
+ fr_event_t *ev;
+
+- if (!el || !callback | !when || (when->tv_usec > USEC)) return 0;
++ if (!el || !callback | !when || (when->tv_usec >= USEC)) return 0;
+
+ if (ev_p && *ev_p) fr_event_delete(el, ev_p);
+
+@@ -364,9 +364,11 @@
+ if (when.tv_sec > 0) {
+ when.tv_sec--;
+ when.tv_usec += USEC;
++ } else {
++ when.tv_sec = 0;
+ }
+ when.tv_usec -= el->now.tv_usec;
+- if (when.tv_usec > USEC) {
++ if (when.tv_usec >= USEC) {
+ when.tv_usec -= USEC;
+ when.tv_sec++;
+ }
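Review bot: The rewritten condition in the first hunk (the `+` line replacing `if (!el || !callback | !when || (when->tv_usec > USEC))`) keeps a single `|` between `!callback` and `!when`; because `|` binds tighter than `||` and both operands are already 0/1 it happens to evaluate correctly, but it reads as a typo and defeats short-circuit evaluation, so while the line is being touched it should become `if (!el || !callback || !when || (when->tv_usec >= USEC)) return 0;`. The `>` to `>=` change itself is right, since a normalized tv_usec must stay strictly below USEC. In the second hunk the new `else` branch clamps tv_sec to 0 immediately before `when.tv_usec -= el->now.tv_usec;`, which can leave tv_usec negative when the requested time is already in the past; whether the lines after the hunk normalize that is not visible here, so confirm it. The enclosing functions start and end outside both hunks.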
diff --git a/net/freeradius2/files/patch-src__modules__rlm_detail__rlm_detail.c b/net/freeradius2/files/patch-src__modules__rlm_detail__rlm_detail.c
new file mode 100644
index 000000000000..4f259167f280
--- /dev/null
+++ b/net/freeradius2/files/patch-src__modules__rlm_detail__rlm_detail.c
@@ -0,0 +1,16 @@
+--- ./src/modules/rlm_detail/rlm_detail.c.orig 2011-08-09 23:23:35.000000000 -0400
++++ ./src/modules/rlm_detail/rlm_detail.c 2011-08-09 23:25:09.000000000 -0400
+@@ -463,11 +463,11 @@
+ */
+ if (fflush(fp) != 0) {
+ ftruncate(outfd, fsize); /* ignore errors! */
+- close(outfd);
++ fclose(fp);
+ return RLM_MODULE_FAIL;
+ }
+
+- close(outfd);
++ fclose(fp);
+
+ /*
+ * And everything is fine.
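Review bot: The success-path `fclose(fp)` that replaces `close(outfd)` still discards its return value, so a failure while releasing the detail (accounting) file is reported as success; since this is the final write-out step it should be `if (fclose(fp) != 0) return RLM_MODULE_FAIL;`. Switching to fclose() is the right fix for the leaked FILE, but fclose() also closes the descriptor underneath it, so any later use of `outfd` in the function (an unlock or a second close) would now act on a closed or reused fd — the rest of the function is outside the hunk, so confirm nothing touches `outfd` after these lines. On the error path the ftruncate-then-fclose ordering is acceptable, though fclose() may attempt to flush the remaining buffer a second time after the truncate.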
diff --git a/net/freeradius2/files/patch-src__modules__rlm_eap__types__rlm_eap_tls__rlm_eap_tls.c b/net/freeradius2/files/patch-src__modules__rlm_eap__types__rlm_eap_tls__rlm_eap_tls.c
new file mode 100644
index 000000000000..47875db8cd05
--- /dev/null
+++ b/net/freeradius2/files/patch-src__modules__rlm_eap__types__rlm_eap_tls__rlm_eap_tls.c
@@ -0,0 +1,125 @@
+--- ./src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c.orig 2011-06-20 10:57:14.000000000 -0400
++++ ./src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 2011-08-10 07:03:40.000000000 -0400
+@@ -277,6 +277,10 @@
+ * This function sends a OCSP request to a defined OCSP responder
+ * and checks the OCSP response for correctness.
+ */
++
++/* Maximum leeway in validity period: default 5 minutes */
++#define MAX_VALIDITY_PERIOD (5 * 60)
++
+ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
+ EAP_TLS_CONF *conf)
+ {
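Review bot: The new `MAX_VALIDITY_PERIOD` definition is inserted between ocsp_check()'s header comment and its signature, which detaches the comment from the function it describes; place the `#define` and its comment above the `This function sends a OCSP request` block instead. The value is the clock-skew tolerance later handed to OCSP_check_validity() as `nsec`, so a comment such as `/* Allowed clock skew between OCSP responder and this server, in seconds */` states the intent more precisely than "leeway in validity period". The function body continues outside the hunk.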
+@@ -288,9 +292,12 @@
+ char *port = NULL;
+ char *path = NULL;
+ int use_ssl = -1;
+- BIO *cbio;
+- int ocsp_ok;
+- int status;
++ long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
++ BIO *cbio, *bio_out;
++ int ocsp_ok = 0;
++ int status ;
++ ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
++ int reason;
+
+ /*
+ * Create OCSP Request
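Review bot: `rev` and `reason` are declared here without initializers but are read unconditionally in the `default:` branch of the switch added in the `@@ -323,30 +333,60 @@` hunk; OCSP_resp_find_status() fills the revocation time and reason only for a REVOKED status, so an UNKNOWN response reaches `ASN1_GENERALIZEDTIME_print(bio_out, rev)` with an indeterminate pointer. Initialize them at declaration, `ASN1_GENERALIZEDTIME *rev = NULL, *thisupd = NULL, *nextupd = NULL;` and `int reason = -1;`, and print the revocation time in that branch only under `if (rev)`. The stray space in `int status ;` should also go. ocsp_check() begins before this hunk and continues after it.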
+@@ -299,7 +306,7 @@
+ req = OCSP_REQUEST_new();
+ OCSP_request_add0_id(req, certid);
+ OCSP_request_add1_nonce(req, NULL, 8);
+-
++
+ /*
+ * Send OCSP Request and get OCSP Response
+ */
+@@ -316,6 +323,9 @@
+
+ /* Setup BIO socket to OCSP responder */
+ cbio = BIO_new_connect(host);
++
++ bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
++
+ BIO_set_conn_port(cbio, port);
+ BIO_do_connect(cbio);
+
+@@ -323,30 +333,60 @@
+ resp = OCSP_sendreq_bio(cbio, path, req);
+ if(resp==0) {
+ radlog(L_ERR, "Error: Couldn't get OCSP response");
+- ocsp_ok = 0;
+ goto ocsp_end;
+ }
+
+- /* Verify OCSP response */
++ /* Verify OCSP response status */
+ status = OCSP_response_status(resp);
++ DEBUG2("[ocsp] --> Response status: %s",OCSP_response_status_str(status));
+ if(status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
+ radlog(L_ERR, "Error: OCSP response status: %s", OCSP_response_status_str(status));
+- ocsp_ok = 0;
+ goto ocsp_end;
+ }
+ bresp = OCSP_response_get1_basic(resp);
+ if(OCSP_check_nonce(req, bresp)!=1) {
+ radlog(L_ERR, "Error: OCSP response has wrong nonce value");
+- ocsp_ok = 0;
+ goto ocsp_end;
+ }
+ if(OCSP_basic_verify(bresp, NULL, store, 0)!=1){
+ radlog(L_ERR, "Error: Couldn't verify OCSP basic response");
+- ocsp_ok = 0;
+ goto ocsp_end;
+ }
+-
+- ocsp_ok = 1;
++ /* Verify OCSP cert status */
++ if(!OCSP_resp_find_status(bresp, certid, &status, &reason,
++ &rev, &thisupd, &nextupd)) {
++ radlog(L_ERR, "ERROR: No Status found.\n");
++ goto ocsp_end;
++ }
++
++ if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) {
++ BIO_puts(bio_out, "WARNING: Status times invalid.\n");
++ ERR_print_errors(bio_out);
++ goto ocsp_end;
++ }
++ BIO_puts(bio_out, "\tThis Update: ");
++ ASN1_GENERALIZEDTIME_print(bio_out, thisupd);
++ BIO_puts(bio_out, "\n");
++ BIO_puts(bio_out, "\tNext Update: ");
++ ASN1_GENERALIZEDTIME_print(bio_out, nextupd);
++ BIO_puts(bio_out, "\n");
++
++ switch (status) {
++ case V_OCSP_CERTSTATUS_GOOD:
++ DEBUG2("[oscp] --> Cert status: good");
++ ocsp_ok = 1;
++ break;
++
++ default:
++ /* REVOKED / UNKNOWN */
++ DEBUG2("[ocsp] --> Cert status: %s",OCSP_cert_status_str(status));
++ if (reason != -1)
++ DEBUG2("[ocsp] --> Reason: %s", OCSP_crl_reason_str(reason));
++ BIO_puts(bio_out, "\tRevocation Time: ");
++ ASN1_GENERALIZEDTIME_print(bio_out, rev);
++ BIO_puts(bio_out, "\n");
++ break;
++ }
+
+ ocsp_end:
+ /* Free OCSP Stuff */
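Review bot: `nextupd` is passed straight to `ASN1_GENERALIZEDTIME_print` after the validity check, but nextUpdate is an optional field of an OCSP single response and OCSP_check_validity() accepts a NULL nextupd, so a responder that omits it would crash the server on that line; guard it with `if (nextupd) ASN1_GENERALIZEDTIME_print(bio_out, nextupd); else BIO_puts(bio_out, "(none)");`. The diagnostic output in this hunk goes to `bio_out`, a BIO over stdout created in the `@@ -316,6 +323,9 @@` hunk, rather than through radlog/DEBUG2 like the rest of the function, so it bypasses the server log and, unless the cleanup at ocsp_end below the hunk frees it, leaks one BIO per OCSP check; either route these lines through DEBUG2 or BIO_free() bio_out at ocsp_end. The status logic itself is sound: only V_OCSP_CERTSTATUS_GOOD sets `ocsp_ok = 1`, so REVOKED and UNKNOWN both fail closed. ocsp_check() begins before the hunk and its cleanup label continues after it.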
+@@ -1170,7 +1210,7 @@
+ return -1;
+ }
+ }
+-#endif HAVE_OPENSSL_OCSP_H
++#endif /*HAVE_OPENSSL_OCSP_H*/
+
+ if (load_dh_params(inst->ctx, conf->dh_file) < 0) {
+ eaptls_detach(inst);