We need to initialise SSL before reading the main config Fixes #646

It was initialised before instantiating the modules, but that's probably not enough for RADSEC

diff --git a/src/include/tls-h b/src/include/tls-h
index f00d36b..53fd293 100644 (file)
--- a/src/include/tls-h
+++ b/src/include/tls-h
@@ -294,8 +294,9 @@ void                cbtls_msg(int write_p, int msg_version, int content_type, void const *buf
 int            cbtls_verify(int ok, X509_STORE_CTX *ctx);
 
 /* TLS */
-int            tls_global_init(char const *acknowledged);
-void           tls_global_remove(void);
+void           tls_global_init(void);
+int            tls_global_version_check(char const *acknowledged);
+void           tls_global_cleanup(void);
 tls_session_t  *tls_new_session(fr_tls_server_conf_t *conf, REQUEST *request,
                               int client_cert);
 tls_session_t  *tls_new_client_session(fr_tls_server_conf_t *conf, int fd);

diff --git a/src/main/radiusd.c b/src/main/radiusd.c
index 6bc8ef3..d428cf8 100644 (file)
--- a/src/main/radiusd.c
+++ b/src/main/radiusd.c
@@ -315,6 +315,14 @@ int main(int argc, char *argv[])
        }
 
        /*
+        *  Initialising OpenSSL once, here, is safer than having individual
+        *  modules do it.
+        */
+#ifdef HAVE_OPENSSL_CRYPTO_H
+       tls_global_init();
+#endif
+
+       /*
         *  Initialize any event loops just enough so module instantiations
         *  can add fd/event to them, but do not start them yet.
         */
@@ -327,15 +335,10 @@ int main(int argc, char *argv[])
                exit(EXIT_FAILURE);
        }
 
-       /*
-        *  Initialising OpenSSL once, here, is safer than having individual
-        *  modules do it.
-        */
-#ifdef HAVE_OPENSSL_CRYPTO_H
-       if (tls_global_init(main_config.allow_vulnerable_openssl) < 0) {
+       /*  Check for vulnerabilities in the version of libssl were linked against */
+       if (tls_global_version_check(main_config.allow_vulnerable_openssl) < 0) {
                exit(EXIT_FAILURE);
        }
-#endif
 
        /*
         *  Load the modules
@@ -612,7 +615,7 @@ cleanup:
 #endif
 
 #ifdef HAVE_OPENSSL_CRYPTO_H
-       tls_global_remove();
+       tls_global_cleanup();
 #endif
 
        /*

diff --git a/src/main/tls.c b/src/main/tls.c
index ba3c995..375e4d8 100644 (file)
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1975,20 +1975,27 @@ static void sess_free_certs(UNUSED void *parent, void *data_ptr,
        pairfree(certs);
 }
 
-/*
- *     Add all the default ciphers and message digests
- *     Create our context.
+/** Add all the default ciphers and message digests reate our context.
  *
- *     This should be called exactly once from main.
+ * This should be called exactly once from main, before reading the main config
+ * or initialising any modules.
  */
-int tls_global_init(char const *acknowledged)
+void tls_global_init(void)
 {
-       uint64_t v;
-
        SSL_load_error_strings();       /* readable error messages (examples show call before library_init) */
        SSL_library_init();             /* initialize library */
        OpenSSL_add_all_algorithms();   /* required for SHA2 in OpenSSL < 0.9.8o and 1.0.0.a */
        OPENSSL_config(NULL);
+}
+
+/** Check for vulnerable versions of libssl
+ *
+ * @param acknowledged The highest CVE number a user has confirmed is not present in the system's libssl.
+ * @return 0 if the CVE specified by the user matches the most recent CVE we have, else -1.
+ */
+int tls_global_version_check(char const *acknowledged)
+{
+       uint64_t v;
 
        if ((strcmp(acknowledged, libssl_defects[0].id) != 0) && (strcmp(acknowledged, "yes") != 0)) {
                bool bad = false;
@@ -2020,7 +2027,10 @@ int tls_global_init(char const *acknowledged)
        return 0;
 }
 
-void tls_global_remove(void)
+/** Free any memory alloced by libssl
+ *
+ */
+void tls_global_cleanup(void)
 {
        ERR_remove_state(0);
        ENGINE_cleanup();