History log of /src/lib/libradius/radlib.c (Results 1 – 25 of 126)
Revision Date Author Comments
# 77c04f3e 04-Jun-2024 Enji Cooper <ngie@FreeBSD.org>

radlib: fix a memory leak in `is_valid_request`

Call `HMAC_CTX_free` if returning early from `is_valid_request` when
processing `Message-Authenticator` tags.

Reported by: Coverity
MFC after: 1 week
Fixes: 8d5c7813061d ("libradius: Fix input validation bugs")
Differential Revision: https://reviews.freebsd.org/D45488


# a2f733ab 24-Nov-2023 Warner Losh <imp@FreeBSD.org>

lib: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix


# 1d386b48 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/


# 4d846d26 10-May-2023 Warner Losh <imp@FreeBSD.org>

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix


# a901f2af 28-Oct-2021 Ed Maste <emaste@FreeBSD.org>

libradius: fix WITHOUT_OPENSSL build

int alen is used only with SSL.

Reported by: Michael Dexter, Build Option Survey
MFC after: 3 days
Fixes: 8d5c7813061d ("libradius: Fix input validation bugs")
Sponsored by: The FreeBSD Foundation


# 48b11217 02-Jun-2021 Cy Schubert <cy@FreeBSD.org>

libradius: fix no SSL build

int alen is only used with SSL.


# 6bb5699d 28-May-2021 Mark Johnston <markj@FreeBSD.org>

libradius: Fix attribute length validation in rad_get_attr(3)

The length of the attribute header needs to be excluded when comparing
the attribute length against the length of the packet. Otherwise,
validation may incorrectly fail when fetching the final attribute in a
message.

Fixes: 8d5c78130 ("libradius: Fix input validation bugs")
Reported by: Peter Eriksson
Tested by: Peter Eriksson
MFC after: now
Sponsored by: The FreeBSD Foundation


# 8d5c7813 25-May-2021 Mark Johnston <markj@FreeBSD.org>

libradius: Fix input validation bugs

Approved by: so
Security: FreeBSD-SA-21:12.libradius
Security: CVE-2021-29629
MFC after: now
Sponsored by: The FreeBSD Foundation


# d449578f 13-Dec-2019 Conrad Meyer <cem@FreeBSD.org>

libradius: Rip out dubious use of srandomdev(3)+random(3)

These functions appear to intend to produce unpredictable results. Just use
arc4random.

While here, use an explicit_bzero instead of memset where the intent is clearly
to zero out a secret (clear_passphrase).


# c6879c6c 23-Oct-2018 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r339015 through r339669.


# 1da7787f 09-Oct-2018 Glen Barber <gjb@FreeBSD.org>

Merge the remainder of the projects/openssl111 branch to head.

- Update OpenSSL to version 1.1.1.
- Update Kerberos/Heimdal API for OpenSSL 1.1.1 compatibility.
- Bump __FreeBSD_version.

Approved by: re (kib)
Sponsored by: The FreeBSD Foundation


# 328bbc11 19-Sep-2018 Jung-uk Kim <jkim@FreeBSD.org>

Make libradius(3) buildable.


# 5e53a4f9 26-Nov-2017 Pedro F. Giffuni <pfg@FreeBSD.org>

lib: further adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using mis-identified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
supersede or replace the license texts.
