259 lines
7.9 KiB
Diff
259 lines
7.9 KiB
Diff
|
From 10636fbfd51320c8ca8b40651bf3e959211ca921 Mon Sep 17 00:00:00 2001
|
||
|
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||
|
Date: Tue, 21 Oct 2014 18:30:05 +0300
|
||
|
Subject: [PATCH 1/1] Add --disable-openssl-version-check option
|
||
|
|
||
|
Add "--disable-openssl-version-check" configure option, which removes
|
||
|
checking for vulnerable OpenSSL versions. It is supposed to be used by
|
||
|
downstream packagers and distributions who have other means to ensure
|
||
|
vulnerabilities are fixed, such as versioned package dependencies and
|
||
|
vulnerability handling processes.
|
||
|
|
||
|
This avoids the necessity of editing radiusd.conf on package upgrade to
|
||
|
make sure it keeps working. At the same time, it provides safe default
|
||
|
to those installing FreeRADIUS from source.
|
||
|
---
|
||
|
configure | 30 ++++++++++++++++++++++++++++++
|
||
|
configure.ac | 26 ++++++++++++++++++++++++++
|
||
|
raddb/radiusd.conf.in | 10 +---------
|
||
|
src/include/autoconf.h.in | 3 +++
|
||
|
src/include/radiusd.h | 2 ++
|
||
|
src/include/tls-h | 2 ++
|
||
|
src/main/mainconfig.c | 2 ++
|
||
|
src/main/radiusd.c | 2 ++
|
||
|
src/main/tls.c | 4 ++++
|
||
|
9 files changed, 72 insertions(+), 9 deletions(-)
|
||
|
|
||
|
diff --git a/configure b/configure
|
||
|
index 1b54efd..addfeba 100755
|
||
|
--- a/configure
|
||
|
+++ b/configure
|
||
|
@@ -652,6 +652,7 @@ RUSERS
|
||
|
SNMPWALK
|
||
|
SNMPGET
|
||
|
PERL
|
||
|
+openssl_version_check_config
|
||
|
modconfdir
|
||
|
dictdir
|
||
|
raddbdir
|
||
|
@@ -754,6 +755,7 @@ with_rlm_FOO_include_dir
|
||
|
with_openssl
|
||
|
with_openssl_lib_dir
|
||
|
with_openssl_include_dir
|
||
|
+enable_openssl_version_check
|
||
|
with_talloc_lib_dir
|
||
|
with_talloc_include_dir
|
||
|
with_pcap_lib_dir
|
||
|
@@ -1396,6 +1398,9 @@ Optional Features:
|
||
|
--disable-largefile omit support for large files
|
||
|
--enable-strict-dependencies fail configure on lack of module dependancy.
|
||
|
--enable-werror causes the build to fail if any warnings are generated.
|
||
|
+ --disable-openssl-version-check
|
||
|
+ disable vulnerable OpenSSL version check
|
||
|
+
|
||
|
|
||
|
Optional Packages:
|
||
|
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
|
||
|
@@ -5430,6 +5435,31 @@ if test "${with_openssl_include_dir+set}" = set; then :
|
||
|
fi
|
||
|
|
||
|
|
||
|
+# Check whether --enable-openssl-version-check was given.
|
||
|
+if test "${enable_openssl_version_check+set}" = set; then :
|
||
|
+ enableval=$enable_openssl_version_check;
|
||
|
+fi
|
||
|
+
|
||
|
+if test "x$enable_openssl_version_check" != "xno"; then
|
||
|
+
|
||
|
+$as_echo "#define ENABLE_OPENSSL_VERSION_CHECK 1" >>confdefs.h
|
||
|
+
|
||
|
+ openssl_version_check_config="\
|
||
|
+ #
|
||
|
+ # allow_vulnerable_openssl: Allow the server to start with
|
||
|
+ # versions of OpenSSL known to have critical vulnerabilities.
|
||
|
+ #
|
||
|
+ # This check is based on the version number reported by libssl
|
||
|
+ # and may not reflect patches applied to libssl by
|
||
|
+ # distribution maintainers.
|
||
|
+ #
|
||
|
+ allow_vulnerable_openssl = no"
|
||
|
+else
|
||
|
+ openssl_version_check_config=
|
||
|
+fi
|
||
|
+
|
||
|
+
|
||
|
+
|
||
|
|
||
|
CHECKRAD=checkrad
|
||
|
# Extract the first word of "perl", so it can be a program name with args.
|
||
|
diff --git a/configure.ac b/configure.ac
|
||
|
index 30b226b..b223505 100644
|
||
|
--- a/configure.ac
|
||
|
+++ b/configure.ac
|
||
|
@@ -576,6 +576,32 @@ AC_ARG_WITH(openssl-include-dir,
|
||
|
esac ]
|
||
|
)
|
||
|
|
||
|
+dnl #
|
||
|
+dnl # extra argument: --disable-openssl-version-check
|
||
|
+dnl #
|
||
|
+AC_ARG_ENABLE(openssl-version-check,
|
||
|
+[AS_HELP_STRING([--disable-openssl-version-check],
|
||
|
+ [disable vulnerable OpenSSL version check])]
|
||
|
+)
|
||
|
+if test "x$enable_openssl_version_check" != "xno"; then
|
||
|
+ AC_DEFINE(ENABLE_OPENSSL_VERSION_CHECK, [1],
|
||
|
+ [Define to 1 to have OpenSSL version check enabled])
|
||
|
+ openssl_version_check_config="\
|
||
|
+ #
|
||
|
+ # allow_vulnerable_openssl: Allow the server to start with
|
||
|
+ # versions of OpenSSL known to have critical vulnerabilities.
|
||
|
+ #
|
||
|
+ # This check is based on the version number reported by libssl
|
||
|
+ # and may not reflect patches applied to libssl by
|
||
|
+ # distribution maintainers.
|
||
|
+ #
|
||
|
+ allow_vulnerable_openssl = no"
|
||
|
+else
|
||
|
+ openssl_version_check_config=
|
||
|
+fi
|
||
|
+AC_SUBST([openssl_version_check_config])
|
||
|
+
|
||
|
+
|
||
|
dnl #############################################################
|
||
|
dnl #
|
||
|
dnl # 1. Checks for programs
|
||
|
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
|
||
|
index 307ae10..0e1ff46 100644
|
||
|
--- a/raddb/radiusd.conf.in
|
||
|
+++ b/raddb/radiusd.conf.in
|
||
|
@@ -475,15 +475,7 @@ security {
|
||
|
#
|
||
|
status_server = yes
|
||
|
|
||
|
- #
|
||
|
- # allow_vulnerable_openssl: Allow the server to start with
|
||
|
- # versions of OpenSSL known to have critical vulnerabilities.
|
||
|
- #
|
||
|
- # This check is based on the version number reported by libssl
|
||
|
- # and may not reflect patches applied to libssl by
|
||
|
- # distribution maintainers.
|
||
|
- #
|
||
|
- allow_vulnerable_openssl = no
|
||
|
+@openssl_version_check_config@
|
||
|
}
|
||
|
|
||
|
# PROXY CONFIGURATION
|
||
|
diff --git a/src/include/autoconf.h.in b/src/include/autoconf.h.in
|
||
|
index c313bca..f500049 100644
|
||
|
--- a/src/include/autoconf.h.in
|
||
|
+++ b/src/include/autoconf.h.in
|
||
|
@@ -9,6 +9,9 @@
|
||
|
/* style of ctime_r function */
|
||
|
#undef CTIMERSTYLE
|
||
|
|
||
|
+/* Define to 1 to have OpenSSL version check enabled */
|
||
|
+#undef ENABLE_OPENSSL_VERSION_CHECK
|
||
|
+
|
||
|
/* style of gethostbyaddr_r functions */
|
||
|
#undef GETHOSTBYADDRRSTYLE
|
||
|
|
||
|
diff --git a/src/include/radiusd.h b/src/include/radiusd.h
|
||
|
index ebe3a21..1ec6959 100644
|
||
|
--- a/src/include/radiusd.h
|
||
|
+++ b/src/include/radiusd.h
|
||
|
@@ -437,7 +437,9 @@ typedef struct main_config_t {
|
||
|
#endif
|
||
|
uint32_t reject_delay;
|
||
|
bool status_server;
|
||
|
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
|
||
|
char const *allow_vulnerable_openssl;
|
||
|
+#endif
|
||
|
|
||
|
uint32_t max_request_time;
|
||
|
uint32_t cleanup_delay;
|
||
|
diff --git a/src/include/tls-h b/src/include/tls-h
|
||
|
index ade93d5..1418ea2 100644
|
||
|
--- a/src/include/tls-h
|
||
|
+++ b/src/include/tls-h
|
||
|
@@ -295,7 +295,9 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx);
|
||
|
|
||
|
/* TLS */
|
||
|
void tls_global_init(void);
|
||
|
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
|
||
|
int tls_global_version_check(char const *acknowledged);
|
||
|
+#endif
|
||
|
void tls_global_cleanup(void);
|
||
|
tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQUEST *request, bool client_cert);
|
||
|
tls_session_t *tls_new_client_session(fr_tls_server_conf_t *conf, int fd);
|
||
|
diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
|
||
|
index cf1eea5..76979ad 100644
|
||
|
--- a/src/main/mainconfig.c
|
||
|
+++ b/src/main/mainconfig.c
|
||
|
@@ -99,7 +99,9 @@ static const CONF_PARSER security_config[] = {
|
||
|
{ "max_attributes", FR_CONF_POINTER(PW_TYPE_INTEGER, &fr_max_attributes), STRINGIFY(0) },
|
||
|
{ "reject_delay", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.reject_delay), STRINGIFY(0) },
|
||
|
{ "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},
|
||
|
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
|
||
|
{ "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"},
|
||
|
+#endif
|
||
|
{ NULL, -1, 0, NULL, NULL }
|
||
|
};
|
||
|
|
||
|
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
|
||
|
index 620d7d4..fe8057d 100644
|
||
|
--- a/src/main/radiusd.c
|
||
|
+++ b/src/main/radiusd.c
|
||
|
@@ -359,10 +359,12 @@ int main(int argc, char *argv[])
|
||
|
|
||
|
/* Check for vulnerabilities in the version of libssl were linked against */
|
||
|
#ifdef HAVE_OPENSSL_CRYPTO_H
|
||
|
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
|
||
|
if (tls_global_version_check(main_config.allow_vulnerable_openssl) < 0) {
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
#endif
|
||
|
+#endif
|
||
|
|
||
|
/*
|
||
|
* Load the modules
|
||
|
diff --git a/src/main/tls.c b/src/main/tls.c
|
||
|
index 542ce69..42b538c 100644
|
||
|
--- a/src/main/tls.c
|
||
|
+++ b/src/main/tls.c
|
||
|
@@ -51,6 +51,7 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
|
||
|
#include <openssl/ocsp.h>
|
||
|
#endif
|
||
|
|
||
|
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
|
||
|
typedef struct libssl_defect {
|
||
|
uint64_t high;
|
||
|
uint64_t low;
|
||
|
@@ -71,6 +72,7 @@ static libssl_defect_t libssl_defects[] =
|
||
|
.comment = "For more information see http://heartbleed.com"
|
||
|
}
|
||
|
};
|
||
|
+#endif
|
||
|
|
||
|
/* record */
|
||
|
static void record_init(record_t *buf);
|
||
|
@@ -2063,6 +2065,7 @@ void tls_global_init(void)
|
||
|
OPENSSL_config(NULL);
|
||
|
}
|
||
|
|
||
|
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
|
||
|
/** Check for vulnerable versions of libssl
|
||
|
*
|
||
|
* @param acknowledged The highest CVE number a user has confirmed is not present in the system's libssl.
|
||
|
@@ -2101,6 +2104,7 @@ int tls_global_version_check(char const *acknowledged)
|
||
|
|
||
|
return 0;
|
||
|
}
|
||
|
+#endif
|
||
|
|
||
|
/** Free any memory alloced by libssl
|
||
|
*
|
||
|
--
|
||
|
2.1.1
|
||
|
|