1 /*
2  * This program is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or
5  * (at your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: 224ebf663247f7b1e48fa7672eadfd1eb5f443f2 $
19  *
20  * @file tls/version.c
21  * @brief Check OpenSSL library/header consistency, and process version information.
22  *
23  * @copyright 2022 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
24  */
25 #define LOG_PREFIX "tls"
26 
27 #include "version.h"
28 
29 #ifdef WITH_TLS
30 #include <freeradius-devel/server/log.h>
31 
/*
 *	OPENSSL_VERSION_NUMBER of the headers this file was compiled against.
 *	fr_openssl_version_consistent() compares it with the number the
 *	runtime library reports.
 */
static long ssl_built = OPENSSL_VERSION_NUMBER;
33 
/** Check built and linked versions of OpenSSL match
 *
 * Startup check comparing the OPENSSL_VERSION_NUMBER this file was compiled
 * against (ssl_built) with the number reported by the library actually
 * loaded at runtime.
 *
 * Pre-3.0 numbers use the MNNFFPPS layout (major, minor, fix, patch letter,
 * status nibble); 3.x numbers use 0xMNN00PP0.  In both layouts the top
 * twelve bits hold the major and minor version, and only those bits are
 * compared: a different fix/patch level is tolerated on the assumption that
 * it is ABI compatible, a different major or minor is not.
 *
 * NOTE(review): for OpenSSL 3.x this also rejects a library whose minor
 * version differs from the build (e.g. built against 3.0, linked 3.1);
 * confirm that strictness is intended.
 *
 * https://wiki.openssl.org/index.php/Versioning
 *
 * @return
 *	- 0 if the major and minor versions agree.
 *	- -1 on mismatch (an error is logged with both raw numbers).
 */
int fr_openssl_version_consistent(void)
{
	unsigned long const	major_minor = 0xfff00000;
	unsigned long		built = (unsigned long)ssl_built;
	unsigned long		linked;

#if OPENSSL_VERSION_NUMBER >= 0x10101000L
	linked = OpenSSL_version_num();
#else
	linked = (unsigned long)SSLeay();
#endif

	/*
	 *	Only major and minor are compared, see above.
	 */
	if ((linked & major_minor) == (built & major_minor)) return 0;

	ERROR("libssl version mismatch. built: %lx linked: %lx", built, linked);
	return -1;
}
77 
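/** Convert an OPENSSL_VERSION_NUMBER style value to a text string
 *
 * Two encodings are handled, selected on the top nibble (the major version):
 *
 * - Major < 3: MNNFFPPS.  Rendered as "M.NN.FF", then a patch letter when
 *   PP is non-zero (1 -> 'a', 2 -> 'b', ...), then a space and the status:
 *   S == 0 is "dev", 1-14 is "beta S", 15 is "release".
 * - Major >= 3: 0xMNN00PP0.  Rendered as "M.NN.PP" with no suffix.
 *
 * Every write goes through snprintf() with the destination size, so an
 * unexpected field value can at worst truncate the text; it can no longer
 * run the write pointer past the end of the buffer.
 *
 * @note The returned buffer is thread-local.  A later call from the same
 *	 thread overwrites it, so copy the result out before calling again.
 *
 * @param v version to convert.
 * @return pointer to a thread-local static buffer containing the version string.
 */
char const *fr_openssl_version_str_from_num(uint32_t v)
{
	/*
	 *	Worst case for the pre-3 layout: "15.255.255" (10) + patch letter (1)
	 *	+ ' ' (1) + "release" or "beta 14" (7) + NUL = 20.
	 */
	static _Thread_local char	buffer[20];
	unsigned int			major = (0xf0000000 & v) >> 28;
	unsigned int			minor = (0x0ff00000 & v) >> 20;
	unsigned int			fix = (0x000ff000 & v) >> 12;
	unsigned int			patch = (0x00000ff0 & v) >> 4;
	unsigned int			status = 0x0000000f & v;
	char				patch_str[2] = { '\0', '\0' };
	char				status_str[8];	/* "beta 14" + NUL */

	/*
	 *	OpenSSL >= 3 uses the new version number layout.
	 *
	 *	OPENSSL_VERSION_NUMBER is a combination of the major, minor
	 *	and patch version into a single integer 0xMNN00PP0L, where:
	 *
	 *	M is the number from OPENSSL_VERSION_MAJOR, in hexadecimal notation.
	 *	NN is the number from OPENSSL_VERSION_MINOR, in hexadecimal notation.
	 *	PP is the number from OPENSSL_VERSION_PATCH, in hexadecimal notation.
	 */
	if (major >= 3) {
		snprintf(buffer, sizeof(buffer), "%u.%u.%u", major, minor, patch);
		return buffer;
	}

	/*
	 *	Old layout (MNNFFPPS).  A non-zero PP is a patch letter, 1 -> 'a'.
	 */
	if (patch) patch_str[0] = (char)(0x60 + patch);

	/*
	 *	Status nibble: 0 development, 1-14 beta, 15 release.
	 */
	if (status == 0) {
		snprintf(status_str, sizeof(status_str), "dev");
	} else if (status <= 14) {
		snprintf(status_str, sizeof(status_str), "beta %u", status);
	} else {
		snprintf(status_str, sizeof(status_str), "release");
	}

	snprintf(buffer, sizeof(buffer), "%u.%u.%u%s %s", major, minor, fix, patch_str, status_str);

	return buffer;
}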
142 
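/** Convert two openssl version numbers into a range string
 *
 * Produces "<low> - <high>", each side rendered by fr_openssl_version_str_from_num().
 *
 * That helper hands back the same static buffer on every call, so the first
 * result is copied to a local before the second call can overwrite it.  Both
 * copies are bounded snprintf() calls: an over-long version string is
 * truncated rather than used to advance a write pointer beyond the buffer.
 *
 * @param[in] low version to convert.
 * @param[in] high version to convert.
 * @return pointer to a thread-local static buffer containing the version range string.
 */
char const *fr_openssl_version_range(uint32_t low, uint32_t high)
{
	/*
	 *	Two version strings, " - " (3) and the NUL; 48 leaves headroom
	 *	over the longest string fr_openssl_version_str_from_num() emits.
	 */
	static _Thread_local char	buffer[48];
	char				low_str[24];

	snprintf(low_str, sizeof(low_str), "%s", fr_openssl_version_str_from_num(low));
	snprintf(buffer, sizeof(buffer), "%s - %s", low_str, fr_openssl_version_str_from_num(high));

	return buffer;
}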
161 
162 # if OPENSSL_VERSION_NUMBER >= 0x10101000L
/** Return the linked SSL version number as a string
 *
 * Reads the runtime library's version number via OpenSSL_version_num() and
 * hands it to fr_openssl_version_str_from_num() for decoding.
 *
 * @return pointer to the static buffer owned by fr_openssl_version_str_from_num().
 */
char const *fr_openssl_version_basic(void)
{
	uint32_t num = (uint32_t)OpenSSL_version_num();

	return fr_openssl_version_str_from_num(num);
}
174 
/** Describe the linked OpenSSL library
 *
 * Combines the library's own version text (OpenSSL_version(OPENSSL_VERSION)),
 * its raw version number in hex, and the decoded form produced by
 * fr_openssl_version_str_from_num(), into one string.
 *
 * @note This function's own buffer is thread-local, but the decoded form is
 *	 read from fr_openssl_version_str_from_num()'s buffer, so overall
 *	 thread safety follows that helper.
 *
 * @return pointer to a thread-local static buffer containing libssl version information.
 */
char const *fr_openssl_version_expanded(void)
{
	static _Thread_local char	buffer[256];
	unsigned long			num = OpenSSL_version_num();
	char const			*text = OpenSSL_version(OPENSSL_VERSION);	/* Not all builds include a useful version number */
	char const			*decoded = fr_openssl_version_str_from_num((uint32_t)num);

	snprintf(buffer, sizeof(buffer), "%s 0x%.8lx (%s)", text, num, decoded);

	return buffer;
}
194 # else
/** Return the linked SSL version number as a string
 *
 * Pre-1.1.1 build: reads the runtime library's version number via SSLeay()
 * and hands it to fr_openssl_version_str_from_num() for decoding.
 *
 * @return pointer to the static buffer owned by fr_openssl_version_str_from_num().
 */
char const *fr_openssl_version_basic(void)
{
	uint32_t num = (uint32_t)SSLeay();

	return fr_openssl_version_str_from_num(num);
}
206 
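/** Describe the linked OpenSSL library
 *
 * Pre-1.1.1 build.  Combines the library's own version text
 * (SSLeay_version(SSLEAY_VERSION)), its raw version number in hex, and the
 * decoded form produced by fr_openssl_version_str_from_num(), into one string.
 *
 * SSLeay() returns a long; it is widened to unsigned long and printed with
 * "%lx" so the conversion specifier matches the argument type (the previous
 * "%x" with a long argument was a format/argument mismatch).
 *
 * @note This function's own buffer is thread-local, but the decoded form is
 *	 read from fr_openssl_version_str_from_num()'s buffer, so overall
 *	 thread safety follows that helper.
 *
 * @return pointer to a thread-local static buffer containing libssl version information.
 */
char const *fr_openssl_version_expanded(void)
{
	static _Thread_local char	buffer[256];
	unsigned long			num = (unsigned long)SSLeay();

	snprintf(buffer, sizeof(buffer), "%s 0x%.8lx (%s)",
		 SSLeay_version(SSLEAY_VERSION),	/* Not all builds include a useful version number */
		 num,
		 fr_openssl_version_str_from_num((uint32_t)num));

	return buffer;
}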
227 # endif
228 
229 # ifdef ENABLE_OPENSSL_VERSION_CHECK
typedef struct {
	uint64_t	high;		//!< The last version number this defect affected (inclusive,
					//!< OPENSSL_VERSION_NUMBER encoding, see VM()/Vm()).
	uint64_t	low;		//!< The first version this defect affected (inclusive, same encoding).

	char const	*id;		//!< CVE (or other ID).  This is the exact string a user must set
					//!< in security.allow_vulnerable_openssl to acknowledge the defect.
	char const	*name;		//!< As known in the media...
	char const	*comment;	//!< Where to get more information.
} fr_openssl_defect_t;
238 
# undef VM
# undef Vm
/*
 *	Build a pre-3.0 style OPENSSL_VERSION_NUMBER (MNNFFPPS) for the defect
 *	table.  Both set the status nibble to 0x0f (release).  VM() is a bare
 *	release with no patch letter (PP = 0); Vm() encodes the patch letter,
 *	'a' -> 1, 'b' -> 2, ...
 */
# define VM(_a,_b,_c) (((((_a) << 24) | ((_b) << 16) | ((_c) << 8)) << 4) | 0x0f)
# define Vm(_a,_b,_c,_d) (((((_a) << 24) | ((_b) << 16) | ((_c) << 8) | ((_d) - 'a' + 1)) << 4) | 0x0f)
243 
/*
 *	Record critical defects in libssl here, newest OpenSSL version first.
 *
 *	Order matters: fr_openssl_version_check() walks this table top down and
 *	only accepts the acknowledged ID on the first entry whose range contains
 *	the linked version.  Once an unacknowledged match has been reported, a
 *	later matching entry is still logged but can no longer clear the check.
 */
static fr_openssl_defect_t fr_openssl_defects[] =
{
	{
		.low = Vm(1,1,0,'a'),		/* 1.1.0a */
		.high = Vm(1,1,0,'a'),		/* 1.1.0a */
		.id = "CVE-2016-6309",
		.name = "OCSP status request extension",
		.comment = "For more information see https://www.openssl.org/news/secadv/20160926.txt"
	},
	{
		.low = VM(1,1,0),		/* 1.1.0 */
		.high = VM(1,1,0),		/* 1.1.0 */
		.id = "CVE-2016-6304",
		.name = "OCSP status request extension",
		.comment = "For more information see https://www.openssl.org/news/secadv/20160922.txt"
	}
};
262 
/** Check for vulnerable versions of libssl
 *
 * Walks fr_openssl_defects looking for entries whose [low, high] range
 * contains the linked OpenSSL version number.  The first such entry decides
 * the outcome: if its ID equals acknowledged the check passes immediately,
 * otherwise the defect is logged and the check fails.  Any later matching
 * entries are logged as well, but cannot turn the result back into success.
 *
 * @param acknowledged Value of security.allow_vulnerable_openssl.  Must be
 *	non-empty.  "yes" skips the table entirely; otherwise it should be the
 *	ID of the newest listed defect the user has verified is patched.
 * @return
 *	- 0 if acknowledged is "yes", no table entry covers the linked version,
 *	  or the first covering entry carries the acknowledged ID.
 *	- -1 if acknowledged is NULL or empty, or an unacknowledged defect matched.
 */
int fr_openssl_version_check(char const *acknowledged)
{
	unsigned long		linked;
	fr_openssl_defect_t	*defect;
	fr_openssl_defect_t	*stop = fr_openssl_defects + NUM_ELEMENTS(fr_openssl_defects);
	bool			refused = false;

	/*
	 *	The option must be set explicitly, an empty value is not a decision.
	 */
	if (!acknowledged || !*acknowledged) {
		ERROR("Refusing to start until 'allow_vulnerable_openssl' is given a value");
		return -1;
	}

	if (strcmp(acknowledged, "yes") == 0) return 0;

# if OPENSSL_VERSION_NUMBER >= 0x10101000L
	linked = OpenSSL_version_num();
# else
	linked = (unsigned long)SSLeay();
# endif

	for (defect = fr_openssl_defects; defect < stop; defect++) {
		if ((linked < defect->low) || (linked > defect->high)) continue;

		/*
		 *	An acknowledgement only counts for the first match.
		 */
		if (!refused && (strcmp(acknowledged, defect->id) == 0)) return 0;

		ERROR("Refusing to start with libssl version %s (in range %s)",
		      fr_openssl_version_expanded(), fr_openssl_version_range(defect->low, defect->high));
		ERROR("Security advisory %s (%s)", defect->id, defect->name);
		ERROR("%s", defect->comment);

		/*
		 *	The hint is printed once, for the first (newest) match.
		 */
		if (!refused) {
			INFO("Once you have verified libssl has been correctly patched, "
			     "set security.allow_vulnerable_openssl = '%s'", defect->id);
			refused = true;
		}
	}

	return refused ? -1 : 0;
}
323 # endif
324 #else
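/** Stub used when the server is built without TLS support
 *
 * No OpenSSL library is linked, so there is nothing to compare and the
 * check always passes.
 *
 * @return 0 always.
 */
int fr_openssl_version_consistent(void)
{
	return 0;
}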
328 
/** Stub used when the server is built without TLS support
 *
 * @return a fixed string noting that no libssl is linked.
 */
char const *fr_openssl_version_basic(void)
{
	static char const not_linked[] = "not linked";

	return not_linked;
}
333 
335 {
336  return "not linked";
337 }
338 #endif /* ifdef WITH_TLS */