- Fix multiple security issues. See http://freeradius.org/security/fuzzer-2017.html Thanks to Guido Vranken for working with us to discover the issues and test the fixes.
- FR-GV-207 Avoid zero-length malloc() in data2vp().
- FR-GV-206 correct decoding of option 60.
- FR-GV-205 check for "too long" WiMAX options.
- FR-GV-204 free VP if decoding fails, so we don't leak memory.
- FR-GV-203 fix memory leak when using decode_tlv().
- FR-GV-202 check for "too long" attributes.
- FR-GV-201 check input/output length in make_secret().
- FR-AD-001 Use strncmp() instead of memcmp() for bounded data.
- Disable in-memory TLS session caches due to OpenSSL API issues.
- Allow issuer_cert to be empty.
- Look for extensions using correct index.
- Fix types.
- Work around OpenSSL 1.0.2 problems, which cause failures in TLS-based EAP methods.
- Revert RedHat contributed bug which removes run-time checks for OpenSSL consistency.
- Allow OCSP responder URL to be later in the packet. Fix by Ean Pasternak.
- Catch empty subject and non-existent issuer cert in OCSP. Fix by Ean Pasternak.
- Allow non-FIPS for MD5. Fix by Ean Pasternak.
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
Whenever we ship fixed libopenssl binaries in CC, the Freeradius daemon fails
at startup because it detects a mismatch of the build time and runtime OpenSSL
version.
Since our OpenSSL updates for CC are ABI compatible we do not need or even want
this superfluous check. Removing it saves us the effort to rebuild Freeradius
after every OpenSSL version bump.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Merge upstream commit 5ae2a70a135062a025d8fabc104eeae3a2c53a7a to relax the
SSL library version check at runtime.
The objective is to avoid the need for rebuilding freeradius2 whenever we push
binary updates for libopenssl. See https://dev.openwrt.org/ticket/18169 for
reference.
Please backport this change to the for-14.07 branch as well.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>