4f24d4c mostly corrected the behaviour; however, mainconfig.allow_vulnerable_openssl still had a dependency on ENABLE_OPENSSL_VERSION_CHECK.
int proxy_requests;
int reject_delay;
int status_server;
-#ifdef ENABLE_OPENSSL_VERSION_CHECK
+#if defined(HAVE_OPENSSL_CRYPTO_H) && defined(ENABLE_OPENSSL_VERSION_CHECK)
int allow_vulnerable_openssl;
#endif
int max_request_time;
void pairlist_free(PAIR_LIST **);
/* version.c */
-int ssl_check_version(int allow_vulnerable);
+int ssl_check_version(void);
+int ssl_check_vulnerable(void);
const char *ssl_version(void);
void version(void);
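Review bot: `int ssl_check_vulnerable(void);` is declared here unconditionally, but in the version.c hunk further down the definition is only compiled when both HAVE_OPENSSL_CRYPTO_H and ENABLE_OPENSSL_VERSION_CHECK are defined, so a caller outside those guards is caught at link time rather than at compile time. Wrapping the declaration in the same `#if defined(HAVE_OPENSSL_CRYPTO_H) && defined(ENABLE_OPENSSL_VERSION_CHECK)` that this commit puts on the struct member, or at least a one-line comment such as `/* only built with HAVE_OPENSSL_CRYPTO_H && ENABLE_OPENSSL_VERSION_CHECK */`, makes the build requirement visible where callers look. The same consideration already applied to `ssl_check_version` before this change and is not introduced by it.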
{ "max_attributes", PW_TYPE_INTEGER, 0, &fr_max_attributes, Stringify(0) },
{ "reject_delay", PW_TYPE_INTEGER, 0, &mainconfig.reject_delay, Stringify(0) },
{ "status_server", PW_TYPE_BOOLEAN, 0, &mainconfig.status_server, "no"},
-#ifdef ENABLE_OPENSSL_VERSION_CHECK
+#if defined(HAVE_OPENSSL_CRYPTO_H) && defined(ENABLE_OPENSSL_VERSION_CHECK)
{ "allow_vulnerable_openssl", PW_TYPE_BOOLEAN, 0, &mainconfig.allow_vulnerable_openssl, "no"},
#endif
{ NULL, -1, 0, NULL, NULL }
* Mismatch between build time OpenSSL and linked SSL,
* better to die here than segfault later.
*/
- if (ssl_check_version(mainconfig.allow_vulnerable_openssl) < 0) {
+ if (ssl_check_version() < 0) {
exit(1);
}
+
+ /*
+ * Check for known vulnerabilities that compromise the
+ * security of the server.
+ */
+# ifdef ENABLE_OPENSSL_VERSION_CHECK
+ if (!mainconfig.allow_vulnerable_openssl) {
+ if (ssl_check_vulnerable() < 0) {
+ exit(1);
+ }
+ }
+# endif
+
#endif
/* Load the modules AFTER doing SSL checks */
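Review bot: When `allow_vulnerable_openssl` is set, the new block skips `ssl_check_vulnerable()` entirely, so a server linked against a libssl in the CVE-2014-0160 range starts without any log line recording that the operator overrode the check. Running the check unconditionally and only turning a failure into an exit when the override is off keeps an audit trail: `if (ssl_check_vulnerable() < 0) {` / `if (!mainconfig.allow_vulnerable_openssl) exit(1);` / `radlog(L_ERR, "Continuing with known-vulnerable libssl because allow_vulnerable_openssl = yes");` — the "Refusing to start" wording logged inside ssl_check_vulnerable would then need to be adjusted to match. The inner `# ifdef ENABLE_OPENSSL_VERSION_CHECK` appears to sit inside the `#ifdef HAVE_OPENSSL_CRYPTO_H` closed by the `#endif` below it, which would be consistent with the two-macro guard on the struct member, but that outer guard is not visible in the hunk. The enclosing function starts and ends outside the hunk.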
* @return 0 if ok, else -1
*/
#ifdef HAVE_OPENSSL_CRYPTO_H
-int ssl_check_version(int allow_vulnerable)
+int ssl_check_version()
{
long ssl_linked;
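Review bot: The new definition is written `int ssl_check_version()` while the header in this commit declares `int ssl_check_version(void);`; an empty parameter list in a definition is the old non-prototype form, which `-Wstrict-prototypes` flags, so write `int ssl_check_version(void)` to match the declaration. The same applies to `int ssl_check_vulnerable()` in the following hunk. The body of ssl_check_version continues outside this hunk.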
*/
} else if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000)) goto mismatch;
+ return 0;
+}
+
+/** Check OpenSSL version for known vulnerabilities.
+ *
+ * OpenSSL version number consists of:
+ * MNNFFPPS: major minor fix patch status
+ *
+ * Where status >= 0 && < 10 means beta, and status 10 means release.
+ *
+ * Startup check for whether the linked version of OpenSSL is a version known to
+ * have serious vulnerabilities impacting FreeRADIUS.
+ *
+ * @return 0 if ok, else -1
+ */
# ifdef ENABLE_OPENSSL_VERSION_CHECK
- if (!allow_vulnerable) {
- /* Check for bad versions */
- /* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */
- if ((ssl_linked >= 0x010001000) && (ssl_linked < 0x010001070)) {
- radlog(L_ERR, "Refusing to start with libssl version %s (in range 1.0.1 - 1.0.1f). "
- "Security advisory CVE-2014-0160 (Heartbleed)", ssl_version());
- radlog(L_ERR, "For more information see http://heartbleed.com");
-
- return -1;
- }
+int ssl_check_vulnerable()
+{
+ long ssl_linked;
+
+ ssl_linked = SSLeay();
+
+ /* Check for bad versions */
+ /* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */
+ if ((ssl_linked >= 0x010001000) && (ssl_linked < 0x010001070)) {
+ radlog(L_ERR, "Refusing to start with libssl version %s (in range 1.0.1 - 1.0.1f). "
+ "Security advisory CVE-2014-0160 (Heartbleed)", ssl_version());
+ radlog(L_ERR, "For more information see http://heartbleed.com");
+
+ return -1;
}
-# endif
return 0;
}
+# endif
+
#endif
/*
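Review bot: The header comment added above `# ifdef ENABLE_OPENSSL_VERSION_CHECK` does not say that ssl_check_vulnerable compares the runtime `SSLeay()` number against a fixed range, and a version-number comparison cannot see distribution builds that backport the CVE-2014-0160 fix without changing the reported version; such a library is refused even though it is patched, and that is the situation `allow_vulnerable_openssl` exists for. Adding a sentence to the comment such as `Version-number checks cannot detect backported fixes; a patched library that still reports a number in the vulnerable range must be explicitly allowed with allow_vulnerable_openssl.` tells the operator what the override is for and why it should otherwise stay off. The comment also sits outside the `# ifdef` that wraps the function, so it documents a function that some builds do not contain; moving it inside the guard keeps the two together.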