From 5c23709fc90bb30b51c598aa81a05d4fe0d8cf70 Mon Sep 17 00:00:00 2001
From: Adam Bishop
Date: Thu, 10 Dec 2015 02:08:29 +0000
Subject: [PATCH] Fix build failure when --disable-openssl-version-check is set.
4f24d4c mostly corrected the behaviour, however mainconfig.allow_vulnerable_ssl still had a dependency on ENABLE_OPENSSL_VERSION_CHECK.
---
 src/include/radiusd.h | 5 +++--
 src/main/mainconfig.c | 2 +-
 src/main/radiusd.c | 15 ++++++++++++++-
 src/main/version.c | 44 +++++++++++++++++++++++++++++++------------
 4 files changed, 50 insertions(+), 16 deletions(-)
diff --git a/src/include/radiusd.h b/src/include/radiusd.h
index db05e25cb8a0..471c9223b80d 100644
--- a/src/include/radiusd.h
+++ b/src/include/radiusd.h
@@ -360,7 +360,7 @@ typedef struct main_config_t {
 int proxy_requests;
 int reject_delay;
 int status_server;
-#ifdef ENABLE_OPENSSL_VERSION_CHECK
+#if defined(HAVE_OPENSSL_CRYPTO_H) && defined(ENABLE_OPENSSL_VERSION_CHECK)
 int allow_vulnerable_openssl;
 #endif
 int max_request_time;
@@ -536,7 +536,8 @@ int pairlist_read(const char *file, PAIR_LIST **list, int complain);
 void pairlist_free(PAIR_LIST **);
 /* version.c */
-int ssl_check_version(int allow_vulnerable);
+int ssl_check_version(void);
+int ssl_check_vulnerable(void);
 const char *ssl_version(void);
 void version(void);
diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
index a90bd788ff41..3ccfcd8343fe 100644
--- a/src/main/mainconfig.c
+++ b/src/main/mainconfig.c
@@ -172,7 +172,7 @@ static const CONF_PARSER security_config[] = {
 { "max_attributes", PW_TYPE_INTEGER, 0, &fr_max_attributes, Stringify(0) },
 { "reject_delay", PW_TYPE_INTEGER, 0, &mainconfig.reject_delay, Stringify(0) },
 { "status_server", PW_TYPE_BOOLEAN, 0, &mainconfig.status_server, "no"},
-#ifdef ENABLE_OPENSSL_VERSION_CHECK
+#if defined(HAVE_OPENSSL_CRYPTO_H) && defined(ENABLE_OPENSSL_VERSION_CHECK)
 { "allow_vulnerable_openssl", PW_TYPE_BOOLEAN, 0, &mainconfig.allow_vulnerable_openssl, "no"},
 #endif
 { NULL, -1, 0, NULL, NULL }
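Review bot: The new prototypes `int ssl_check_version(void);` and `int ssl_check_vulnerable(void);` in the radiusd.h @536 hunk are declared unconditionally, yet the version.c hunks define the first only under `#ifdef HAVE_OPENSSL_CRYPTO_H` and the second additionally under `ENABLE_OPENSSL_VERSION_CHECK`, so a call site that is not wrapped in the same guards links on one build and fails on another. A comment on the declarations would spare the next caller that surprise: `/* Defined only when built with OpenSSL; ssl_check_vulnerable() also needs ENABLE_OPENSSL_VERSION_CHECK. Guard calls the same way. */`. It is also worth stating what each does, since the names are easy to confuse: the first refuses a runtime libssl that does not match the build-time headers, the second refuses versions on a known-vulnerable list.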
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
index 6cd96548fb68..bd8b3799ffcc 100644
--- a/src/main/radiusd.c
+++ b/src/main/radiusd.c
@@ -293,9 +293,22 @@ int main(int argc, char *argv[])
 * Mismatch between build time OpenSSL and linked SSL,
 * better to die here than segfault later.
 */
- if (ssl_check_version(mainconfig.allow_vulnerable_openssl) < 0) {
+ if (ssl_check_version() < 0) {
 exit(1);
 }
+
+ /*
+ * Check for known vulnerabilities that compromise the
+ * security of the server.
+ */
+# ifdef ENABLE_OPENSSL_VERSION_CHECK
+ if (!mainconfig.allow_vulnerable_openssl) {
+ if (ssl_check_vulnerable() < 0) {
+ exit(1);
+ }
+ }
+# endif
+
 #endif
 /* Load the modules AFTER doing SSL checks */
diff --git a/src/main/version.c b/src/main/version.c
index 760a1bfefea7..504ce202e2c0 100644
--- a/src/main/version.c
+++ b/src/main/version.c
@@ -63,7 +63,7 @@ const char *ssl_version()
 * @return 0 if ok, else -1
 */
 #ifdef HAVE_OPENSSL_CRYPTO_H
-int ssl_check_version(int allow_vulnerable)
+int ssl_check_version()
 {
 long ssl_linked;
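Review bot: When `allow_vulnerable_openssl = yes` the new block in radiusd.c skips `ssl_check_vulnerable()` entirely, so a server started against a Heartbleed-range libssl leaves no trace of the override in its log. An operator who inherits that radiusd.conf has no way to notice short of reading the config, because the refusal message in version.c never fires. Make the bypass visible at startup with an else branch, `} else { radlog(L_INFO, "allow_vulnerable_openssl = yes: skipping OpenSSL vulnerability check"); }` (a warning level would be better if radlog offers one; I cannot see the level list from here). The enclosing `#ifdef HAVE_OPENSSL_CRYPTO_H` and the body of main() extend beyond the hunk.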
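Review bot: The definition `int ssl_check_version()` in the version.c @63 hunk drops the parameter but leaves an empty parameter list, while the header hunk declares it as `int ssl_check_version(void);`. In C an empty list in a definition is an old-style declaration rather than a prototype, so `-Wold-style-definition` and `-Wstrict-prototypes` will flag it; match the header with `int ssl_check_version(void)`. The function body continues past the end of the hunk.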
@@ -94,22 +94,42 @@ int ssl_check_version(int allow_vulnerable)
 */
 } else if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000)) goto mismatch;
+ return 0;
+}
+
+/** Check OpenSSL version for known vulnerabilities.
+ *
+ * OpenSSL version number consists of:
+ * MNNFFPPS: major minor fix patch status
+ *
+ * Where status >= 0 && < 10 means beta, and status 10 means release.
+ *
+ * Startup check for whether the linked version of OpenSSL is a version known to
+ * have serious vulnerabilities impacting FreeRADIUS.
+ *
+ * @return 0 if ok, else -1
+ */
 # ifdef ENABLE_OPENSSL_VERSION_CHECK
- if (!allow_vulnerable) {
- /* Check for bad versions */
- /* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */
- if ((ssl_linked >= 0x010001000) && (ssl_linked < 0x010001070)) {
- radlog(L_ERR, "Refusing to start with libssl version %s (in range 1.0.1 - 1.0.1f). "
- "Security advisory CVE-2014-0160 (Heartbleed)", ssl_version());
- radlog(L_ERR, "For more information see http://heartbleed.com");
-
- return -1;
- }
+int ssl_check_vulnerable()
+{
+ long ssl_linked;
+
+ ssl_linked = SSLeay();
+
+ /* Check for bad versions */
+ /* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */
+ if ((ssl_linked >= 0x010001000) && (ssl_linked < 0x010001070)) {
+ radlog(L_ERR, "Refusing to start with libssl version %s (in range 1.0.1 - 1.0.1f). "
+ "Security advisory CVE-2014-0160 (Heartbleed)", ssl_version());
+ radlog(L_ERR, "For more information see http://heartbleed.com");
+
+ return -1;
 }
-# endif
 return 0;
 }
+# endif
+
 #endif
 /*
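Review bot: `ssl_check_vulnerable()` is a version-number denylist with a single entry, and its new doc comment does not say what that can and cannot catch. Distributions routinely backport the Heartbleed fix without bumping the version, so a patched 1.0.1e still falls inside the 1.0.1 - 1.0.1f range and is refused (the false positive `allow_vulnerable_openssl` exists for), while anything fixed after this list was written passes silently; the comment should say so rather than imply the server is now known-safe, e.g. add before `@return`: `Only the linked version number is inspected: distro builds that backport a fix without bumping the version are refused (see allow_vulnerable_openssl), and CVEs not on this list are not detected.`. Two smaller points: define it as `int ssl_check_vulnerable(void)` to match the header's prototype, and move the `/** ... */` block inside the `#ifdef ENABLE_OPENSSL_VERSION_CHECK` so it stays attached to the function it documents.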