25 #define LOG_PREFIX "tls"
30 #include <freeradius-devel/server/log.h>
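/*
 *	libssl version number this binary was compiled against.
 *
 *	Held as unsigned long so it has the same type as the value
 *	OpenSSL_version_num()/SSLeay() report for the linked library,
 *	which is what the build-vs-link consistency check compares it
 *	against (and what the mismatch log line prints with %lx).
 */
static unsigned long ssl_built = OPENSSL_VERSION_NUMBER;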
52 unsigned long ssl_linked;
54 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
55 ssl_linked = OpenSSL_version_num();
57 ssl_linked = (
unsigned long)SSLeay();
68 if ((ssl_linked & 0xfff00000) != (ssl_built & 0xfff00000)) {
69 ERROR(
"libssl version mismatch. built: %lx linked: %lx",
70 (
unsigned long) ssl_built,
71 (
unsigned long) ssl_linked);
95 if (((v & 0xf0000000) >> 28) < 3) {
96 p +=
snprintf(p, end - p,
"%u.%u.%u",
97 (0xf0000000 & v) >> 28,
98 (0x0ff00000 & v) >> 20,
99 (0x000ff000 & v) >> 12);
101 if ((0x00000ff0 & v) >> 4) {
102 *p++ = (char) (0x60 + ((0x00000ff0 & v) >> 4));
110 if ((0x0000000f & v) == 0) {
115 }
else if ((0x0000000f & v) <= 14) {
116 snprintf(p, end - p,
"beta %u", 0x0000000f & v);
118 strlcpy(p,
"release", end - p);
136 (0xf0000000 & v) >> 28,
137 (0x0ff00000 & v) >> 20,
138 (0x00000ff0 & v) >> 4);
152 static _Thread_local
char buffer[40];
162 # if OPENSSL_VERSION_NUMBER >= 0x10101000L
169 unsigned long ssl_linked;
171 ssl_linked = OpenSSL_version_num();
183 static _Thread_local
char buffer[256];
185 unsigned long v = OpenSSL_version_num();
188 OpenSSL_version(OPENSSL_VERSION),
203 ssl_linked = SSLeay();
217 static _Thread_local
char buffer[256];
218 long ssl_linked = SSLeay();
221 SSLeay_version(SSLEAY_VERSION),
229 # ifdef ENABLE_OPENSSL_VERSION_CHECK
237 } fr_openssl_defect_t;
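/*
 *	Build an OpenSSL 1.x-style version number (0xMNNFFPPS) for the
 *	defect table:
 *
 *	  M  (4 bits)  major
 *	  NN (8 bits)  minor
 *	  FF (8 bits)  fix
 *	  PP (8 bits)  patch letter, 0 = none, 1 = 'a', 2 = 'b', ...
 *	  S  (4 bits)  status, 0xf = release
 *
 *	VM(1,1,0) is 1.1.0 and Vm(1,1,0,'a') is 1.1.0a.
 *
 *	The expansion is typed unsigned long so that it compares cleanly
 *	with the unsigned long returned by OpenSSL_version_num()/SSLeay()
 *	and never left-shifts a signed int towards the sign bit.
 *
 *	NOTE: OpenSSL 3.x numbers use a different layout (the patch level
 *	lives in bits 4-11 and the fix field is not used - see how
 *	fr_openssl_version_str_from_num formats a major >= 3), so these
 *	macros must not be used to describe a 3.x defect range.
 */
# define VM(_a,_b,_c)	((((((unsigned long)(_a)) << 24) | (((unsigned long)(_b)) << 16) | (((unsigned long)(_c)) << 8)) << 4) | 0x0fUL)
# define Vm(_a,_b,_c,_d)	((((((unsigned long)(_a)) << 24) | (((unsigned long)(_b)) << 16) | (((unsigned long)(_c)) << 8) | ((unsigned long)((_d) - 'a' + 1))) << 4) | 0x0fUL)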
245 static fr_openssl_defect_t fr_openssl_defects[] =
248 .low = Vm(1,1,0,
'a'),
249 .high = Vm(1,1,0,
'a'),
250 .id =
"CVE-2016-6309",
251 .name =
"OCSP status request extension",
252 .comment =
"For more information see https://www.openssl.org/news/secadv/20160926.txt"
257 .id =
"CVE-2016-6304",
258 .name =
"OCSP status request extension",
259 .comment =
"For more information see https://www.openssl.org/news/secadv/20160922.txt"
269 int fr_openssl_version_check(
char const *acknowledged)
273 unsigned long ssl_linked;
279 if (!acknowledged || !*acknowledged) {
280 ERROR(
"Refusing to start until 'allow_vulnerable_openssl' is given a value");
284 if (strcmp(acknowledged,
"yes") == 0)
return 0;
288 # if OPENSSL_VERSION_NUMBER >= 0x10101000L
289 ssl_linked = OpenSSL_version_num();
291 ssl_linked = (
unsigned long)SSLeay();
294 for (i = 0; i < (
NUM_ELEMENTS(fr_openssl_defects)); i++) {
295 fr_openssl_defect_t *defect = &fr_openssl_defects[i];
297 if ((ssl_linked >= defect->low) && (ssl_linked <= defect->high)) {
301 if (!bad && (strcmp(acknowledged, defect->id) == 0))
return 0;
303 ERROR(
"Refusing to start with libssl version %s (in range %s)",
305 ERROR(
"Security advisory %s (%s)", defect->id, defect->name);
306 ERROR(
"%s", defect->comment);
312 INFO(
"Once you have verified libssl has been correctly patched, "
313 "set security.allow_vulnerable_openssl = '%s'", defect->id);
Version checking functions.