Resolve memleak in rlm_detail

Resolve OSCP certificate validation issue Resolve crash triggered by event.c issue Bump PORTREVISION Pacify portlint(1) Approved by: wxs (mentor) Obtained from: freeradius github
author: zi <zi@FreeBSD.org> 2011-08-10 22:08:03 +0800
committer: zi <zi@FreeBSD.org> 2011-08-10 22:08:03 +0800
commit: c8743e9eba2fbbabcf9bded2b6645b0b3362b707 (patch)
tree: b83cd9d312a70261500f47ad84e5a4943aacb5f4 /net
parent: 9264e95cafee18f9825d920e94e5d8e86f54a022 (diff)
download: freebsd-ports-gnome-c8743e9eba2fbbabcf9bded2b6645b0b3362b707.tar.gz
freebsd-ports-gnome-c8743e9eba2fbbabcf9bded2b6645b0b3362b707.tar.zst
freebsd-ports-gnome-c8743e9eba2fbbabcf9bded2b6645b0b3362b707.zip
4 files changed, 168 insertions, 2 deletions
diff --git a/net/freeradius2/Makefile b/net/freeradius2/Makefile
index ce1a5b68953f..0a5f1b85ac10 100644
--- a/net/freeradius2/Makefile
+++ b/net/freeradius2/Makefile
@@ -9,6 +9,7 @@
 
 PORTNAME=	freeradius
 DISTVERSION=	2.1.11
+PORTREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	ftp://ftp.freeradius.org/pub/freeradius/%SUBDIR%/ \
 		ftp://ftp.ntua.gr/pub/net/radius/freeradius/%SUBDIR%/ \
@@ -21,6 +22,8 @@ DISTNAME=	freeradius-server-${DISTVERSION}
 MAINTAINER=	zi@FreeBSD.org
 COMMENT=	A free RADIUS server implementation
 
+LICENSE=	GPLv2
+
 LIB_DEPENDS=	gdbm.3:${PORTSDIR}/databases/gdbm
 
 USE_GMAKE=	yes
@@ -60,8 +63,6 @@ OPTIONS=	USER		"Run as user freeradius, group freeradius" on \
 
 .include <bsd.port.options.mk>
 
-LICENSE=	GPLv2
-
 # Default requirements for rc script
 _REQUIRE=	NETWORKING SERVERS
 
diff --git a/net/freeradius2/files/patch-src__lib__event.c b/net/freeradius2/files/patch-src__lib__event.c
new file mode 100644
index 000000000000..aa47183a735c
--- /dev/null
+++ b/net/freeradius2/files/patch-src__lib__event.c
@@ -0,0 +1,24 @@
+--- ./src/lib/event.c.orig	2011-06-20 10:57:14.000000000 -0400
++++ ./src/lib/event.c	2011-08-10 07:39:10.000000000 -0400
+@@ -155,7 +155,7 @@
+ {
+ 	fr_event_t *ev;
+ 
+-	if (!el || !callback | !when || (when->tv_usec > USEC)) return 0;
++	if (!el || !callback | !when || (when->tv_usec >= USEC)) return 0;
+ 
+ 	if (ev_p && *ev_p) fr_event_delete(el, ev_p);
+ 
+@@ -364,9 +364,11 @@
+ 				if (when.tv_sec > 0) {
+ 					when.tv_sec--;
+ 					when.tv_usec += USEC;
++				} else {
++					when.tv_sec = 0;
+ 				}
+ 				when.tv_usec -= el->now.tv_usec;
+-				if (when.tv_usec > USEC) {
++				if (when.tv_usec >= USEC) {
+ 					when.tv_usec -= USEC;
+ 					when.tv_sec++;
+ 				}
diff --git a/net/freeradius2/files/patch-src__modules__rlm_detail__rlm_detail.c b/net/freeradius2/files/patch-src__modules__rlm_detail__rlm_detail.c
new file mode 100644
index 000000000000..4f259167f280
--- /dev/null
+++ b/net/freeradius2/files/patch-src__modules__rlm_detail__rlm_detail.c
@@ -0,0 +1,16 @@
+--- ./src/modules/rlm_detail/rlm_detail.c.orig	2011-08-09 23:23:35.000000000 -0400
++++ ./src/modules/rlm_detail/rlm_detail.c	2011-08-09 23:25:09.000000000 -0400
+@@ -463,11 +463,11 @@
+ 	 */
+ 	if (fflush(fp) != 0) {
+ 		ftruncate(outfd, fsize); /* ignore errors! */
+-		close(outfd);
++		fclose(fp);
+ 		return RLM_MODULE_FAIL;
+ 	}
+ 
+-	close(outfd);
++	fclose(fp);
+ 
+ 	/*
+ 	 *	And everything is fine.
diff --git a/net/freeradius2/files/patch-src__modules__rlm_eap__types__rlm_eap_tls__rlm_eap_tls.c b/net/freeradius2/files/patch-src__modules__rlm_eap__types__rlm_eap_tls__rlm_eap_tls.c
new file mode 100644
index 000000000000..47875db8cd05
--- /dev/null
+++ b/net/freeradius2/files/patch-src__modules__rlm_eap__types__rlm_eap_tls__rlm_eap_tls.c
@@ -0,0 +1,125 @@
+--- ./src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c.orig	2011-06-20 10:57:14.000000000 -0400
++++ ./src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c	2011-08-10 07:03:40.000000000 -0400
+@@ -277,6 +277,10 @@
+  * This function sends a OCSP request to a defined OCSP responder
+  * and checks the OCSP response for correctness.
+  */
++
++/* Maximum leeway in validity period: default 5 minutes */
++#define MAX_VALIDITY_PERIOD     (5 * 60)
++
+ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
+ 		      EAP_TLS_CONF *conf)
+ {
+@@ -288,9 +292,12 @@
+ 	char *port = NULL;
+ 	char *path = NULL;
+ 	int use_ssl = -1;
+-	BIO *cbio;
+-	int ocsp_ok;
+-	int status;
++	long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
++	BIO *cbio, *bio_out;
++	int ocsp_ok = 0;
++	int status ;
++	ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
++	int reason;
+ 
+ 	/* 
+ 	 * Create OCSP Request 
+@@ -299,7 +306,7 @@
+ 	req = OCSP_REQUEST_new();
+ 	OCSP_request_add0_id(req, certid);
+ 	OCSP_request_add1_nonce(req, NULL, 8);
+-
++	
+ 	/* 
+ 	 * Send OCSP Request and get OCSP Response
+ 	 */
+@@ -316,6 +323,9 @@
+ 
+ 	/* Setup BIO socket to OCSP responder */
+ 	cbio = BIO_new_connect(host);
++
++	bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
++
+ 	BIO_set_conn_port(cbio, port);
+ 	BIO_do_connect(cbio);
+ 
+@@ -323,30 +333,60 @@
+ 	resp = OCSP_sendreq_bio(cbio, path, req);
+ 	if(resp==0) {
+ 		radlog(L_ERR, "Error: Couldn't get OCSP response");
+-		ocsp_ok = 0;
+ 		goto ocsp_end;
+ 	}
+ 
+-	/* Verify OCSP response */
++	/* Verify OCSP response status */
+ 	status = OCSP_response_status(resp);
++	DEBUG2("[ocsp] --> Response status: %s",OCSP_response_status_str(status));
+ 	if(status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
+ 		radlog(L_ERR, "Error: OCSP response status: %s", OCSP_response_status_str(status));
+-		ocsp_ok = 0;
+ 		goto ocsp_end;
+ 	}
+ 	bresp = OCSP_response_get1_basic(resp);
+ 	if(OCSP_check_nonce(req, bresp)!=1) {
+ 		radlog(L_ERR, "Error: OCSP response has wrong nonce value");
+-		ocsp_ok = 0;
+ 		goto ocsp_end;
+ 	}
+ 	if(OCSP_basic_verify(bresp, NULL, store, 0)!=1){
+ 		radlog(L_ERR, "Error: Couldn't verify OCSP basic response");
+-		ocsp_ok = 0;
+ 		goto ocsp_end;
+ 	}
+-	
+-	ocsp_ok = 1; 
++	/*	Verify OCSP cert status */
++	if(!OCSP_resp_find_status(bresp, certid, &status, &reason,
++				                      &rev, &thisupd, &nextupd)) {
++		radlog(L_ERR, "ERROR: No Status found.\n");
++		goto ocsp_end;
++	}
++
++	if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) {
++		BIO_puts(bio_out, "WARNING: Status times invalid.\n");
++		ERR_print_errors(bio_out);
++		goto ocsp_end;
++	}
++	BIO_puts(bio_out, "\tThis Update: ");
++        ASN1_GENERALIZEDTIME_print(bio_out, thisupd);
++        BIO_puts(bio_out, "\n");
++	BIO_puts(bio_out, "\tNext Update: ");
++        ASN1_GENERALIZEDTIME_print(bio_out, nextupd);
++        BIO_puts(bio_out, "\n");
++
++	switch (status) {
++	case V_OCSP_CERTSTATUS_GOOD:
++		DEBUG2("[oscp] --> Cert status: good");
++		ocsp_ok = 1; 
++		break;
++
++	default:
++		/* REVOKED / UNKNOWN */
++		DEBUG2("[ocsp] --> Cert status: %s",OCSP_cert_status_str(status));
++                if (reason != -1)
++			DEBUG2("[ocsp] --> Reason: %s", OCSP_crl_reason_str(reason));
++                BIO_puts(bio_out, "\tRevocation Time: ");
++                ASN1_GENERALIZEDTIME_print(bio_out, rev);
++                BIO_puts(bio_out, "\n"); 
++		break;
++	}
+ 
+ ocsp_end:
+ 	/* Free OCSP Stuff */
+@@ -1170,7 +1210,7 @@
+ 		  return -1;
+ 		}
+ 	}
+-#endif HAVE_OPENSSL_OCSP_H
++#endif /*HAVE_OPENSSL_OCSP_H*/
+ 
+ 	if (load_dh_params(inst->ctx, conf->dh_file) < 0) {
+ 		eaptls_detach(inst);
author	zi <zi@FreeBSD.org>	2011-08-10 22:08:03 +0800
committer	zi <zi@FreeBSD.org>	2011-08-10 22:08:03 +0800
commit	c8743e9eba2fbbabcf9bded2b6645b0b3362b707 (patch)
tree	b83cd9d312a70261500f47ad84e5a4943aacb5f4 /net
parent	9264e95cafee18f9825d920e94e5d8e86f54a022 (diff)
download	freebsd-ports-gnome-c8743e9eba2fbbabcf9bded2b6645b0b3362b707.tar.gz freebsd-ports-gnome-c8743e9eba2fbbabcf9bded2b6645b0b3362b707.tar.zst freebsd-ports-gnome-c8743e9eba2fbbabcf9bded2b6645b0b3362b707.zip