From d5d48f55faab89e45d865f7fc23098764e4b20fe Mon Sep 17 00:00:00 2001 From: Arran Cudbard-Bell Date: Tue, 8 Apr 2014 14:09:58 +0100 Subject: [PATCH] Add config item to toggle openssl vulnerability check --- raddb/radiusd.conf.in | 10 ++++++++++ src/include/radiusd.h | 4 +++- src/include/tls-h | 2 +- src/main/mainconfig.c | 1 + src/main/radiusd.c | 20 +++++++++++--------- src/main/tls.c | 20 +++++++++++--------- src/main/version.c | 4 ++-- src/tests/auth/radiusd.conf | 4 ++++ 8 files changed, 43 insertions(+), 22 deletions(-) diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in index addf1e7..50acdf1 100644 --- a/raddb/radiusd.conf.in +++ b/raddb/radiusd.conf.in @@ -471,6 +471,16 @@ security { # See also raddb/sites-available/status # status_server = yes + + # + # allow_vulnerable_openssl: Allow the server to start with + # versions of OpenSSL known to have critical vulnerabilities. + # + # This check is based on the version number reported by libssl + # and may not reflect patches applied to libssl by + # distribution maintainers. + # + allow_vulnerable_openssl = no } # PROXY CONFIGURATION diff --git a/src/include/radiusd.h b/src/include/radiusd.h index ad7f4a2..f73371d 100644 --- a/src/include/radiusd.h +++ b/src/include/radiusd.h @@ -426,6 +426,8 @@ typedef struct main_config_t { #endif int reject_delay; bool status_server; + bool allow_vulnerable_openssl; + int max_request_time; int cleanup_delay; int max_requests; @@ -584,7 +586,7 @@ void pairlist_free(PAIR_LIST **); /* version.c */ int rad_check_lib_magic(uint64_t magic); -int ssl_check_version(void); +int ssl_check_consistency(void); char const *ssl_version(void); void version(void); diff --git a/src/include/tls-h b/src/include/tls-h index dcf8301..f3d2c02 100644 --- a/src/include/tls-h +++ b/src/include/tls-h 
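Review bot: The new `allow_vulnerable_openssl` comment in the `security` section explains the limitation of the version check but not what an operator accepts by setting it to `yes`: the server will then start on a libssl whose version number falls in a known-vulnerable range, whether or not a fix was really backported. I would add two lines to the comment, above the default: `# Only set this to "yes" if your distribution has confirmed that the fix is backported to the installed libssl. "yes" does not make an unpatched library safe; it only lets the server start.` It is also worth saying that the setting is consulted once at start-up (the flag is only passed to the global TLS initialisation in this patch), so changing it requires a restart.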
@@ -293,7 +293,7 @@ void cbtls_msg(int write_p, int msg_version, int content_type, void const *buf int cbtls_verify(int ok, X509_STORE_CTX *ctx); /* TLS */ -int tls_global_init(void); +int tls_global_init(bool allow_vulnerable); tls_session_t *tls_new_session(fr_tls_server_conf_t *conf, REQUEST *request, int client_cert); tls_session_t *tls_new_client_session(fr_tls_server_conf_t *conf, int fd); diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c index abd7ade..455493d 100644 --- a/src/main/mainconfig.c +++ b/src/main/mainconfig.c @@ -99,6 +99,7 @@ static const CONF_PARSER security_config[] = { { "max_attributes", PW_TYPE_INTEGER, 0, &fr_max_attributes, STRINGIFY(0) }, { "reject_delay", PW_TYPE_INTEGER, 0, &mainconfig.reject_delay, STRINGIFY(0) }, { "status_server", PW_TYPE_BOOLEAN, 0, &mainconfig.status_server, "no"}, + { "allow_vulnerable_openssl", PW_TYPE_BOOLEAN, 0, &mainconfig.allow_vulnerable_openssl, "no"}, { NULL, -1, 0, NULL, NULL } }; diff --git a/src/main/radiusd.c b/src/main/radiusd.c index c17e190..67b75ad 100644 --- a/src/main/radiusd.c +++ b/src/main/radiusd.c @@ -305,15 +305,7 @@ int main(int argc, char *argv[]) * better to die here than segfault later. */ #ifdef HAVE_OPENSSL_CRYPTO_H - if (ssl_check_version() < 0) { - exit(EXIT_FAILURE); - } - - /* - * Initialising OpenSSL once, here, is safer than having individual - * modules do it. - */ - if (tls_global_init() < 0) { + if (ssl_check_consistency() < 0) { exit(EXIT_FAILURE); } #endif @@ -340,6 +332,16 @@ int main(int argc, char *argv[]) exit(EXIT_FAILURE); } + /* + * Initialising OpenSSL once, here, is safer than having individual + * modules do it. + */ +#ifdef HAVE_OPENSSL_CRYPTO_H + if (tls_global_init(mainconfig.allow_vulnerable_openssl) < 0) { + exit(EXIT_FAILURE); + } +#endif + /* Set the panic action (if required) */ if (mainconfig.panic_action && #ifndef NDEBUG diff --git a/src/main/tls.c b/src/main/tls.c index 09d208b..4184446 100644 --- a/src/main/tls.c +++ b/src/main/tls.c 
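Review bot: Moving `tls_global_init()` from directly after `ssl_check_consistency()` to after the main configuration has been read opens a window in `main()` where libssl has been version-checked but `SSL_library_init()`/`OpenSSL_add_all_algorithms()` (both done inside `tls_global_init`) have not yet run, so everything executed between the two `#ifdef HAVE_OPENSSL_CRYPTO_H` blocks — at least the config parse whose `exit(EXIT_FAILURE)` is the context line just above the new call — now runs on an uninitialised library. That stretch of `main()` is outside the hunk, so I cannot confirm whether anything in it touches OpenSSL (certificate or digest handling while parsing the config would be the usual culprit); please check, and if it does, keep the library initialisation early and defer only the version refusal. Either way the moved comment `Initialising OpenSSL once, here, is safer than having individual modules do it.` no longer tells the reader why the call now sits after the config read; I would extend it with `It runs after the config is read because the version check honours security.allow_vulnerable_openssl.` Note that `main()` begins and ends outside this hunk.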
@@ -1913,7 +1913,7 @@ static void sess_free_vps(UNUSED void *parent, void *data_ptr, * * This should be called exactly once from main. */ -int tls_global_init(void) +int tls_global_init(bool allow_vulnerable) { long v; @@ -1923,16 +1923,18 @@ int tls_global_init(void) OpenSSL_add_all_algorithms(); /* required for SHA2 in OpenSSL < 0.9.8o and 1.0.0.a */ #endif - /* Check for bad versions */ - v = SSLeay(); + if (!allow_vulnerable) { + /* Check for bad versions */ + v = SSLeay(); - /* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */ - if ((v >= 0x010001000) && (v < 0x010001070)) { - ERROR("Refusing to start with libssl version %s (in range 1.0.1 - 1.0.1f). " - "Security advisory CVE-2014-0160 (Heartbleed)", ssl_version()); - ERROR("For more information see http://heartbleed.com"); + /* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */ + if ((v >= 0x010001000) && (v < 0x010001070)) { + ERROR("Refusing to start with libssl version %s (in range 1.0.1 - 1.0.1f). " + "Security advisory CVE-2014-0160 (Heartbleed)", ssl_version()); + ERROR("For more information see http://heartbleed.com"); - return -1; + return -1; + } } return 0; diff --git a/src/main/version.c b/src/main/version.c index 9015220..fb10a00 100644 --- a/src/main/version.c +++ b/src/main/version.c @@ -42,7 +42,7 @@ static long ssl_built = OPENSSL_VERSION_NUMBER; * * @return 0 if ok, else -1 */ -int ssl_check_version(void) +int ssl_check_consistency(void) { long ssl_linked; @@ -83,7 +83,7 @@ char const *ssl_version(void) return buffer; } # else -int ssl_check_version(void) { +int ssl_check_consistency(void) { return 0; } diff --git a/src/tests/auth/radiusd.conf b/src/tests/auth/radiusd.conf index ceb0cfe..82165fd 100644 --- a/src/tests/auth/radiusd.conf +++ b/src/tests/auth/radiusd.conf @@ -7,6 +7,10 @@ testdir = src/tests/auth modconfdir = ${raddb}/mods-config +security { + allow_vulnerable_openssl = yes +} + modules { $INCLUDE ${raddb}/mods-enabled/always -- 2.1.4
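Review bot: With `if (!allow_vulnerable)` wrapping the whole version check, setting `allow_vulnerable_openssl = yes` makes the server start on a Heartbleed-range libssl without a single log line, so the one place an operator would learn that the linked libssl is in the CVE-2014-0160 range goes quiet exactly when they have opted to run it anyway. I would keep the `SSLeay()` comparison unconditional and only make the outcome depend on the flag: refuse as before when it is unset, otherwise log a warning that names the version, the CVE and the fact that the override is in effect. This needs a warning-level log macro alongside `ERROR`; one is not visible in the hunk, so I have assumed `WARN` below and it should be swapped for whatever the file actually provides. `tls_global_init()` opens in the first hunk and its closing brace lies past the second, so the initialisation lines are elided and the brace is not closed here.

```c
int tls_global_init(bool allow_vulnerable)
{
	long v;

	/* … unchanged: SSL_library_init / algorithm registration … */

	/* Check for bad versions */
	v = SSLeay();

	/* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */
	if ((v >= 0x010001000) && (v < 0x010001070)) {
		if (!allow_vulnerable) {
			ERROR("Refusing to start with libssl version %s (in range 1.0.1 - 1.0.1f). "
			      "Security advisory CVE-2014-0160 (Heartbleed)", ssl_version());
			ERROR("For more information see http://heartbleed.com");

			return -1;
		}

		/*
		 *	The operator has explicitly overridden the refusal; still
		 *	make the condition visible in the log.
		 */
		WARN("Starting with libssl version %s (in range 1.0.1 - 1.0.1f) despite "
		     "security advisory CVE-2014-0160 (Heartbleed): allow_vulnerable_openssl = yes",
		     ssl_version());
	}

	return 0;
```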
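Review bot: The `security { allow_vulnerable_openssl = yes }` block added to the test configuration disables the start-up refusal for every test run without saying why, so a later reader cannot tell whether this is a deliberate CI accommodation or a leftover that weakens the suite. A one-line comment above the block would settle it, something like `# Build hosts may link a libssl whose version the start-up check refuses; the auth tests do not exercise that check, so let the server start.` — adjust the second half if the suite does in fact rely on the refusal. The `modules` block that follows begins outside the hunk.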