OpenSSL was initialised before the modules were instantiated, but that is probably not early enough for RADSEC.
int cbtls_verify(int ok, X509_STORE_CTX *ctx);
/* TLS */
-int tls_global_init(char const *acknowledged);
-void tls_global_remove(void);
+void tls_global_init(void);
+int tls_global_version_check(char const *acknowledged);
+void tls_global_cleanup(void);
tls_session_t *tls_new_session(fr_tls_server_conf_t *conf, REQUEST *request,
int client_cert);
tls_session_t *tls_new_client_session(fr_tls_server_conf_t *conf, int fd);
}
/*
+ * Initialising OpenSSL once, here, is safer than having individual
+ * modules do it.
+ */
+#ifdef HAVE_OPENSSL_CRYPTO_H
+ tls_global_init();
+#endif
+
+ /*
* Initialize any event loops just enough so module instantiations
* can add fd/event to them, but do not start them yet.
*/
exit(EXIT_FAILURE);
}
- /*
- * Initialising OpenSSL once, here, is safer than having individual
- * modules do it.
- */
-#ifdef HAVE_OPENSSL_CRYPTO_H
- if (tls_global_init(main_config.allow_vulnerable_openssl) < 0) {
+ /* Check for vulnerabilities in the version of libssl were linked against */
+ if (tls_global_version_check(main_config.allow_vulnerable_openssl) < 0) {
exit(EXIT_FAILURE);
}
-#endif
/*
* Load the modules
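Review bot: The new `tls_global_version_check()` call is no longer inside `#ifdef HAVE_OPENSSL_CRYPTO_H` — the removed lines show the old `tls_global_init()` call was guarded, and the new `tls_global_init()` call earlier in main still is — so a build without OpenSSL will hit an undeclared/unresolved symbol here unless a stub is provided elsewhere, which this diff does not show. The call should either be wrapped in the same guard, `#ifdef HAVE_OPENSSL_CRYPTO_H` / `#endif`, or the header should provide a no-op inline fallback for that configuration. Separately, the check still passes `main_config.allow_vulnerable_openssl` straight into `strcmp()`; if that option can be unset (NULL), the check should reject it explicitly before comparing rather than dereferencing it. The enclosing `main()` starts and ends outside this hunk.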
#endif
#ifdef HAVE_OPENSSL_CRYPTO_H
- tls_global_remove();
+ tls_global_cleanup();
#endif
/*
pairfree(certs);
}
-/*
- * Add all the default ciphers and message digests
- * Create our context.
+/** Add all the default ciphers and message digests reate our context.
*
- * This should be called exactly once from main.
+ * This should be called exactly once from main, before reading the main config
+ * or initialising any modules.
*/
-int tls_global_init(char const *acknowledged)
+void tls_global_init(void)
{
- uint64_t v;
-
SSL_load_error_strings(); /* readable error messages (examples show call before library_init) */
SSL_library_init(); /* initialize library */
OpenSSL_add_all_algorithms(); /* required for SHA2 in OpenSSL < 0.9.8o and 1.0.0.a */
OPENSSL_config(NULL);
+}
+
+/** Check for vulnerable versions of libssl
+ *
+ * @param acknowledged The highest CVE number a user has confirmed is not present in the system's libssl.
+ * @return 0 if the CVE specified by the user matches the most recent CVE we have, else -1.
+ */
+int tls_global_version_check(char const *acknowledged)
+{
+ uint64_t v;
if ((strcmp(acknowledged, libssl_defects[0].id) != 0) && (strcmp(acknowledged, "yes") != 0)) {
bool bad = false;
return 0;
}
-void tls_global_remove(void)
+/** Free any memory alloced by libssl
+ *
+ */
+void tls_global_cleanup(void)
{
ERR_remove_state(0);
ENGINE_cleanup();