A few bugs in 2.2.9
Eran Pasternak
eran.pasternak at forescout.com
Thu Sep 1 17:25:58 CEST 2016
Hello,
Since it's EOL, I'm not reporting it in Git, but as this code may also be used in 3.x (haven't checked), I want to inform you about it.
1) rlm_eap_tls.c:
a. Line 293: ad = sk_ACCESS_DESCRIPTION_value(aia, 0);
The 2nd parameter should obviously be i (otherwise the loop is useless). With 0, OCSP verification fails if the OCSP responder URL in the client cert is not the first SSL item in the packet.
b. In line 865 I added this check. The fix avoids crashing when doing OCSP for a client cert that has an empty subject and whose issuer cert was not installed/added:
    if (!(strlen(subject) > 0 || issuer_cert)) {
        /* Verify either Subject or Issuer Cert - OCSP request creation sigsegv's otherwise (OpenSSL) */
        radlog(L_ERR, "Error: [ocsp] - Missing both Subject(len=%zu) and Issuer Cert(%p) - Cannot proceed with OCSP.",
               strlen(subject), (void *)issuer_cert);
        my_ok = 0;
    }
2) mppe_keys.c:
In line 65 I added the following:
    /*
     * Bypass RADIUS crash in FIPS mode caused by using MD5 from OpenSSL.
     * This flag is set in the same manner as in OpenSSL - tls_P_hash()
     */
    HMAC_CTX_set_flags(&ctx_a, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
    HMAC_CTX_set_flags(&ctx_out, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
Eran Pasternak
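To make bug 1a concrete, here is an added example (not FreeRADIUS or OpenSSL code) that models the AIA (Authority Information Access) scan from rlm_eap_tls.c with a plain C array in place of OpenSSL's STACK_OF(ACCESS_DESCRIPTION), so it builds without libcrypto. The struct name aia_entry, the NID stand-in values and the sample URLs are constructed for this example. The constructed extension lists the CA Issuers entry before the OCSP entry, which is the case where indexing with 0 instead of i returns no responder URL at all.

```c
/*
 * Added example, not FreeRADIUS or OpenSSL code. Models the AIA lookup from
 * rlm_eap_tls.c with an array instead of STACK_OF(ACCESS_DESCRIPTION).
 * aia_entry, the NID values below and the sample URLs are constructed.
 */
#include <stdio.h>
#include <string.h>

/* Stand-ins for OpenSSL's NID_ad_OCSP / NID_ad_ca_issuers; values are arbitrary here. */
#define NID_ad_OCSP       1
#define NID_ad_ca_issuers 2

struct aia_entry {
    int method;        /* accessMethod: which kind of access this entry describes */
    const char *uri;   /* accessLocation, assumed to be a URI */
};

/* Buggy form (rlm_eap_tls.c 2.2.9, line 293): the loop counter is never used,
 * so only the first AIA entry is ever examined. Returns NULL when the OCSP
 * entry is anywhere but position 0. */
static const char *ocsp_url_buggy(const struct aia_entry *aia, int n)
{
    for (int i = 0; i < n; i++) {
        const struct aia_entry *ad = &aia[0];   /* should be &aia[i] */
        if (ad->method == NID_ad_OCSP) return ad->uri;
    }
    return NULL;
}

/* Fixed form: index with i, so an OCSP entry that is not first is found. */
static const char *ocsp_url_fixed(const struct aia_entry *aia, int n)
{
    for (int i = 0; i < n; i++) {
        const struct aia_entry *ad = &aia[i];
        if (ad->method == NID_ad_OCSP) return ad->uri;
    }
    return NULL;
}

/* Constructed AIA extension: CA Issuers listed before OCSP, as many real
 * certificates do. */
static const struct aia_entry sample_aia[] = {
    { NID_ad_ca_issuers, "http://ca.example.test/issuer.crt" },
    { NID_ad_OCSP,       "http://ocsp.example.test/" },
};
#define SAMPLE_AIA_LEN ((int)(sizeof(sample_aia) / sizeof(sample_aia[0])))

int main(void)
{
    const char *b = ocsp_url_buggy(sample_aia, SAMPLE_AIA_LEN);
    const char *f = ocsp_url_fixed(sample_aia, SAMPLE_AIA_LEN);
    printf("buggy: %s\n", b ? b : "(none)");
    printf("fixed: %s\n", f ? f : "(none)");
    return 0;
}
```

With real OpenSSL, X509_get1_ocsp() in libcrypto performs this loop over every AIA entry and returns all OCSP URIs as a STACK_OF(OPENSSL_STRING) (free it with X509_email_free()), so a caller that uses it avoids hand-indexing the stack altogether.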