void pairlist_free(PAIR_LIST **);
/* version.c */
-int ssl_check_version(void);
+int ssl_check_version(int allow_vulnerable);
const char *ssl_version(void);
void version(void);
}
if (mainconfig.reject_delay < 0) mainconfig.reject_delay = 0;
- /* Reload the modules. */
- if (setup_modules(reload, mainconfig.config) < 0) {
- return -1;
- }
-
if (chroot_dir) {
if (chdir(radlog_dir) < 0) {
radlog(L_ERR, "Failed to 'chdir %s' after chroot: %s",
}
}
- /*
- * Mismatch between build time OpenSSL and linked SSL,
- * better to die here than segfault later.
- */
- if (ssl_check_version() < 0) {
- exit(1);
- }
-
if (flag && (flag != 0x03)) {
fprintf(stderr, "radiusd: The options -i and -p cannot be used individually.\n");
exit(1);
exit(1);
}
+ /*
+ * Mismatch between build time OpenSSL and linked SSL,
+ * better to die here than segfault later.
+ */
+ if (ssl_check_version(mainconfig.allow_vulnerable_openssl) < 0) {
+ exit(1);
+ }
+
+ /* Load the modules AFTER doing SSL checks */
+ if (setup_modules(FALSE, mainconfig.config) < 0) {
+ return -1;
+ }
+
/* Set the panic action (if required) */
if (mainconfig.panic_action &&
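Review bot: The relocated module load `setup_modules(FALSE, mainconfig.config)` hard-codes FALSE where the removed call passed `reload`, so if the function this hunk sits in can also run on a HUP reload, module setup no longer happens on that path; either reload is handled elsewhere or this silently drops it, which is worth confirming before merge. Whichever it is, the comment on the new block should say so, e.g. `/* Load the modules AFTER doing SSL checks; this is initial startup only, reload is handled by the HUP path */`. The ordering itself is sound: the version refusal now runs before any module can initialise libssl. The enclosing function starts and ends outside the hunk, and the doubled `exit(1);` just above the added block looks like a rendering artefact of this page rather than code in the tree.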
#ifndef NDEBUG
*
* @return 0 if ok, else -1
*/
-int ssl_check_version(void)
+int ssl_check_version(int allow_vulnerable)
{
long ssl_linked;
return -1;
};
+ if (!allow_vulnerable) {
+ /* Check for bad versions */
+ /* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */
+ if ((ssl_linked >= 0x010001000) && (ssl_linked < 0x010001070)) {
+ radlog(L_ERR, "Refusing to start with libssl version %s (in range 1.0.1 - 1.0.1f). "
+ "Security advisory CVE-2014-0160 (Heartbleed)", ssl_version());
+ radlog(L_ERR, "For more information see http://heartbleed.com");
+
+ return -1;
+ }
+ }
+
return 0;
}
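Review bot: The two `radlog(L_ERR, ...)` lines refuse to start without telling the operator that the check can be overridden, even though the caller passes `mainconfig.allow_vulnerable_openssl`; a third line such as `radlog(L_ERR, "Set allow_vulnerable_openssl = yes to override this check (not recommended)");` would save a trip to the source, assuming the config item shares the struct field's name. The comparison is on the runtime-linked version number only, so a distribution build that backported the fix while keeping a 1.0.1-1.0.1f version number would presumably still be refused; that is exactly what the override exists for and deserves a sentence in the comment above the range check, e.g. `/* Distros that backport the fix keep the old version number; allow_vulnerable lets those admins opt out */`. If I read the MNNFFPPS encoding right, `0x010001070` is the first 1.0.1g development number, so 1.0.1f is the last value inside the range as intended. The function body between `long ssl_linked;` and the added block is not shown in this hunk.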
return SSLeay_version(SSLEAY_VERSION);
}
#else
-int ssl_check_version(void) {
+int ssl_check_version(UNUSED int allow_vulnerable)
+{
return 0;
}