A few bugs in 2.2.9

Alan DeKok aland at deployingradius.com
Thu Sep 1 21:42:08 CEST 2016

On Sep 1, 2016, at 11:25 AM, Eran Pasternak <eran.pasternak at forescout.com> wrote:
> Since it's EOL I'm not reporting it in GIT but as this code may also be used in 3.x (haven't checked) I want to inform about it.

  I've pushed the fixes to v2.x.x, v3.0.x, and the v4.0.x branches.  Thanks.

> 1)     rlm_eap_tls.c:
> a.                                293: ad = sk_ACCESS_DESCRIPTION_value(aia, 0);
> 2nd parameter should obviously be i (otherwise the loop is useless). With 0, OCSP verification fails if the OCSP responder URL in the client cert is not the first SSL item in the packet

  That was fixed in v3 already.

> b.      In line 865 I added this check. The fix avoids crashing when ocsp of a client cert that has an empty subject, and whose issuer-cert was not installed/added:

  Sure.  Add to v3, too.

> 2)     mppe_keys.c:
> In line 65 I added the following:
>          /*
>     * Bypass radius crash in FIPS mode caused by using md5 of openSSL.
>     * Setting this flag used in the same manner as in openSSL - tls_P_hash()
>     */
>    HMAC_CTX_set_flags(&ctx_a, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
>    HMAC_CTX_set_flags(&ctx_out, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);

  <sigh>  Some days I hate OpenSSL.  Other days I only loathe it with a passion that words cannot describe.

  Added, thanks.

  Alan DeKok.

More information about the Freeradius-Devel mailing list