diff -Naur freeradius-server-2.2.9/src/include/radiusd.h freeradius-server-2.2.9.git/src/include/radiusd.h
--- freeradius-server-2.2.9/src/include/radiusd.h 2015-09-30 22:37:13.000000000 +0200
+++ freeradius-server-2.2.9.git/src/include/radiusd.h 2015-12-29 21:30:34.507302617 +0100
@@ -360,7 +360,7 @@
 int proxy_requests;
 int reject_delay;
 int status_server;
-#ifdef ENABLE_OPENSSL_VERSION_CHECK
+#if defined(HAVE_OPENSSL_CRYPTO_H) && defined(ENABLE_OPENSSL_VERSION_CHECK)
 int allow_vulnerable_openssl;
 #endif
 int max_request_time;
@@ -536,7 +536,8 @@
 void pairlist_free(PAIR_LIST **);
 /* version.c */
-int ssl_check_version(int allow_vulnerable);
+int ssl_check_version(void);
+int ssl_check_vulnerable(void);
 const char *ssl_version(void);
 void version(void);
diff -Naur freeradius-server-2.2.9/src/main/mainconfig.c freeradius-server-2.2.9.git/src/main/mainconfig.c
--- freeradius-server-2.2.9/src/main/mainconfig.c 2015-09-30 22:37:13.000000000 +0200
+++ freeradius-server-2.2.9.git/src/main/mainconfig.c 2015-12-29 21:30:34.509302616 +0100
@@ -172,7 +172,7 @@
 { "max_attributes", PW_TYPE_INTEGER, 0, &fr_max_attributes, Stringify(0) },
 { "reject_delay", PW_TYPE_INTEGER, 0, &mainconfig.reject_delay, Stringify(0) },
 { "status_server", PW_TYPE_BOOLEAN, 0, &mainconfig.status_server, "no"},
-#ifdef ENABLE_OPENSSL_VERSION_CHECK
+#if defined(HAVE_OPENSSL_CRYPTO_H) && defined(ENABLE_OPENSSL_VERSION_CHECK)
 { "allow_vulnerable_openssl", PW_TYPE_BOOLEAN, 0, &mainconfig.allow_vulnerable_openssl, "no"},
 #endif
 { NULL, -1, 0, NULL, NULL }
diff -Naur freeradius-server-2.2.9/src/main/radiusd.c freeradius-server-2.2.9.git/src/main/radiusd.c
--- freeradius-server-2.2.9/src/main/radiusd.c 2015-09-30 22:37:13.000000000 +0200
+++ freeradius-server-2.2.9.git/src/main/radiusd.c 2015-12-29 21:30:34.509302616 +0100
@@ -293,11 +293,22 @@
 * Mismatch between build time OpenSSL and linked SSL,
 * better to die here than segfault later.
 */
-#ifdef ENABLE_OPENSSL_VERSION_CHECK
- if (ssl_check_version(mainconfig.allow_vulnerable_openssl) < 0) {
+ if (ssl_check_version() < 0) {
 exit(1);
 }
-#endif
+
+ /*
+ * Check for known vulnerabilities that compromise the
+ * security of the server.
+ */
+# ifdef ENABLE_OPENSSL_VERSION_CHECK
+ if (!mainconfig.allow_vulnerable_openssl) {
+ if (ssl_check_vulnerable() < 0) {
+ exit(1);
+ }
+ }
+# endif
+
 #endif
 /* Load the modules AFTER doing SSL checks */
diff -Naur freeradius-server-2.2.9/src/main/version.c freeradius-server-2.2.9.git/src/main/version.c
--- freeradius-server-2.2.9/src/main/version.c 2015-09-30 22:37:13.000000000 +0200
+++ freeradius-server-2.2.9.git/src/main/version.c 2015-12-29 21:30:34.509302616 +0100
@@ -62,8 +62,8 @@
 *
 * @return 0 if ok, else -1
 */
-#if defined(HAVE_OPENSSL_CRYPTO_H) && defined(ENABLE_OPENSSL_VERSION_CHECK)
-int ssl_check_version(int allow_vulnerable)
+#ifdef HAVE_OPENSSL_CRYPTO_H
+int ssl_check_version()
 {
 long ssl_linked;
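Review bot: The `allow_vulnerable_openssl` override added here is silent: when it is set, `ssl_check_vulnerable()` is never called and nothing is logged, so an operator who inherits that setting gets no hint at startup that the linked libssl may sit in the Heartbleed range. Give the skipped check an `else` branch, `} else { radlog(L_ERR, "allow_vulnerable_openssl = yes: skipping the OpenSSL vulnerability check"); }`, so the decision is as visible in the log as the refusal is. The nested `# ifdef ENABLE_OPENSSL_VERSION_CHECK` is also only correct if the enclosing `#ifdef`, which opens before the hunk, is the `HAVE_OPENSSL_CRYPTO_H` guard that radiusd.h and mainconfig.c now pair it with; otherwise the `mainconfig.allow_vulnerable_openssl` member does not exist and this block will not compile, which is worth confirming.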
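Review bot: The new definition `int ssl_check_version()` uses an empty, non-prototype parameter list, while radiusd.h in this same patch declares it as `int ssl_check_version(void)`; the two are compatible, but the definition should be written in prototype form, `int ssl_check_version(void)`, so it matches the header and keeps `-Wstrict-prototypes` / `-Wold-style-definition` builds clean. The body of the function continues past the end of the hunk.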
@@ -94,20 +94,42 @@
 */
 } else if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000)) goto mismatch;
- if (!allow_vulnerable) {
- /* Check for bad versions */
- /* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */
- if ((ssl_linked >= 0x010001000) && (ssl_linked < 0x010001070)) {
- radlog(L_ERR, "Refusing to start with libssl version %s (in range 1.0.1 - 1.0.1f). " "Security advisory CVE-2014-0160 (Heartbleed)", ssl_version());
- radlog(L_ERR, "For more information see http://heartbleed.com");
+ return 0;
+ }
+
+ /** Check OpenSSL version for known vulnerabilities.
+ *
+ * OpenSSL version number consists of:
+ * MNNFFPPS: major minor fix patch status
+ *
+ * Where status >= 0 && < 10 means beta, and status 10 means release.
+ *
+ * Startup check for whether the linked version of OpenSSL is a version known to
+ * have serious vulnerabilities impacting FreeRADIUS.
+ *
+ * @return 0 if ok, else -1
+ */
+# ifdef ENABLE_OPENSSL_VERSION_CHECK
+int ssl_check_vulnerable()
+{
+ long ssl_linked;
+
+ ssl_linked = SSLeay();
+
+ /* Check for bad versions */
+ /* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */
+ if ((ssl_linked >= 0x010001000) && (ssl_linked < 0x010001070)) {
+ radlog(L_ERR, "Refusing to start with libssl version %s (in range 1.0.1 - 1.0.1f). " "Security advisory CVE-2014-0160 (Heartbleed)", ssl_version());
+ radlog(L_ERR, "For more information see http://heartbleed.com");
- return -1;
- }
+ return -1;
 }
 return 0;
 }
+# endif
+
 #endif
 /*
diff -Naur freeradius-server-2.2.9/src/modules/rlm_eap/libeap/cb.c freeradius-server-2.2.9.git/src/modules/rlm_eap/libeap/cb.c
--- freeradius-server-2.2.9/src/modules/rlm_eap/libeap/cb.c 2015-09-30 22:37:13.000000000 +0200
+++ freeradius-server-2.2.9.git/src/modules/rlm_eap/libeap/cb.c 2015-12-29 21:27:20.344316846 +0100
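Review bot: The doc comment added above `ssl_check_vulnerable()` misstates the OpenSSL status nibble: opensslv.h documents 0 as a development build, 1 to 0xe as betas and 0xf as release, not `status >= 0 && < 10 means beta, and status 10 means release`; suggested wording: ` * Where status 0 is a development build, 1..0xe are betas and 0xf is the release.` The bounds `0x010001000` and `0x010001070` carry a stray leading nibble that obscures the MNNFFPPS layout the comment explains; `0x10001000L` and `0x10001070L` are the same values, read as 1.0.1-dev up to but excluding 1.0.1g-dev, and should be written that way. Since the whole table is this one range, a comment recording that the list is intentionally limited to CVE-2014-0160 would stop the next reader assuming later advisories were screened here. The `return 0; }` at the top of the hunk closes `ssl_check_version()`, whose start lies outside the hunk.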
@@ -98,6 +98,13 @@
 tls_session_t *state = (tls_session_t *)arg;
 /*
+ * Work around for pseudo content types in OpenSSL 1.0.2
+ */
+ if ((msg_version == 0) && (content_type > 255)) return;
+
+ if ((write_p != 0) && (write_p != 1)) return;
+
+ /*
 * Work around bug #298, where we may be called with a NULL
 * argument. We should really log a serious error
 */
diff -Naur freeradius-server-2.2.9/src/modules/rlm_ldap/rlm_ldap.c freeradius-server-2.2.9.git/src/modules/rlm_ldap/rlm_ldap.c
--- freeradius-server-2.2.9/src/modules/rlm_ldap/rlm_ldap.c 2015-09-30 22:37:13.000000000 +0200
+++ freeradius-server-2.2.9.git/src/modules/rlm_ldap/rlm_ldap.c 2015-12-29 21:30:21.083303600 +0100
@@ -324,7 +324,7 @@
 {"groupname_attribute", PW_TYPE_STRING_PTR, offsetof(ldap_instance,groupname_attr), NULL, "cn"},
 {"groupmembership_filter", PW_TYPE_STRING_PTR,
- offsetof(ldap_instance,groupmemb_filt), NULL, "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"},
+ offsetof(ldap_instance,groupmemb_filt), NULL, "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"},
 {"groupmembership_attribute", PW_TYPE_STRING_PTR, offsetof(ldap_instance,groupmemb_attr), NULL, NULL},
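Review bot: The new pseudo-content-type guard keys on `(msg_version == 0) && (content_type > 255)`, but a real TLS record content type is a single byte on the wire, so `content_type > 255` alone already identifies a library-internal pseudo type and the version condition only ties the work-around to how one OpenSSL release happens to report it; `if (content_type > 255) return;` is simpler and keeps filtering if a later library passes a non-zero version with such records. The comment should also say why the filter is safe, e.g. ` * A real record type fits in one byte; anything larger is an OpenSSL-internal pseudo type.`, since "pseudo content types" is not self-explanatory to the next reader. The enclosing callback starts before the hunk and its body continues after it.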