/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */
16
/**
 * $Id: bc1d4882c3903695f393a71431d418a3d343e81a $
 *
 * @file tls/version.c
 * @brief Check OpenSSL library/header consistency, and process version information.
 *
 * @copyright 2022 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
 */
25#define LOG_PREFIX "tls"
26
27#include "version.h"
28
29#ifdef WITH_TLS
30#include <freeradius-devel/server/log.h>
31
32static long ssl_built = OPENSSL_VERSION_NUMBER;
33
/** Check built and linked versions of OpenSSL match
 *
 * Compares the OPENSSL_VERSION_NUMBER the server was compiled against with
 * the number reported at runtime by OpenSSL_version_num().  Only the top
 * byte is compared, i.e. the major digit plus the high nibble of the minor
 * in the 0xMNN00PP0 layout, because OpenSSL 3 minor releases are API/ABI
 * compatible:
 *
 * https://openssl-library.org/policies/releasestrat/index.html
 *
 * A mismatch is logged with both numbers so the operator can see which
 * library was actually loaded.
 *
 * @return
 *	- 0 if the versions agree.
 *	- -1 on a mismatch.
 */
int fr_openssl_version_consistent(void)
{
	unsigned long const mask = 0xff000000;
	unsigned long const linked = OpenSSL_version_num();
	unsigned long const built = (unsigned long) ssl_built;

	if ((linked & mask) == (built & mask)) return 0;

	/*
	 *	Major mismatch, that's bad.
	 */
	ERROR("libssl version mismatch. built: %lx linked: %lx", built, linked);

	return -1;
}
73
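/** Convert a version number to a text string
 *
 * Formats an OpenSSL 3 style version number as "major.minor.patch".
 *
 * OPENSSL_VERSION_NUMBER is a combination of the major, minor
 * and patch version into a single integer 0xMNN00PP0L, where:
 *
 * M is the number from OPENSSL_VERSION_MAJOR, in hexadecimal notation.
 * NN is the number from OPENSSL_VERSION_MINOR, in hexadecimal notation.
 * PP is the number from OPENSSL_VERSION_PATCH, in hexadecimal notation.
 *
 * The low nibble (bits 0-3) is not part of the output.
 *
 * @note The buffer is thread local, so concurrent callers no longer race,
 *	 but it is overwritten by the next call from the same thread.  Copy
 *	 the result before calling again (see fr_openssl_version_range).
 *
 * @param[in] v version to convert.
 * @return pointer to a thread-local static buffer containing the version string.
 */
char const *fr_openssl_version_str_from_num(uint32_t v)
{
	/*
	 *	Widest possible output is "15.255.255" (fields are 4, 8 and 8
	 *	bits wide): 2 + 1 + 3 + 1 + 3 + NUL = 11 bytes.  The historical
	 *	18 byte size is kept because fr_openssl_version_range sizes its
	 *	own buffer from it.
	 */
	static _Thread_local char buffer[18];

	uint32_t const major = (v & 0xf0000000u) >> 28;
	uint32_t const minor = (v & 0x0ff00000u) >> 20;
	uint32_t const patch = (v & 0x00000ff0u) >> 4;

	/* Explicit casts so %u is correct whatever uint32_t is typedef'd to */
	snprintf(buffer, sizeof(buffer), "%u.%u.%u",
		 (unsigned int) major,
		 (unsigned int) minor,
		 (unsigned int) patch);

	return buffer;
}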
104
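/** Convert two openssl version numbers into a range string
 *
 * Produces "<low> - <high>" using fr_openssl_version_str_from_num for each
 * end.  That helper hands back a single static buffer, so the first result
 * is copied into our own buffer before the helper is called a second time.
 *
 * @param[in] low version to convert.
 * @param[in] high version to convert.
 * @return pointer to a thread-local static buffer containing the version range string.
 *	If the two strings do not fit, the result is truncated but always NUL terminated.
 */
char const *fr_openssl_version_range(uint32_t low, uint32_t high)
{
	/* 18 (version) + 3 ( - ) + 18 (version) */
	static _Thread_local char buffer[40];

	/*
	 *	snprintf reports the length it wanted to write, not what it
	 *	wrote, so the offset is clamped to the buffer: advancing past
	 *	the end would make the remaining size wrap to a huge value.
	 */
	int ret = snprintf(buffer, sizeof(buffer), "%s", fr_openssl_version_str_from_num(low));
	if (ret < 0) {
		buffer[0] = '\0';
		return buffer;
	}

	size_t used = (size_t) ret;
	if (used >= sizeof(buffer)) return buffer;	/* Already full and terminated */

	snprintf(buffer + used, sizeof(buffer) - used, " - %s", fr_openssl_version_str_from_num(high));

	return buffer;
}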
123
/** Return the linked SSL version number as a string
 *
 * Thin wrapper which feeds the runtime OpenSSL_version_num() value to
 * fr_openssl_version_str_from_num.
 *
 * @return pointer to a static buffer containing the version string.  The
 *	buffer belongs to fr_openssl_version_str_from_num and is overwritten
 *	by its next call.
 */
char const *fr_openssl_version_basic(void)
{
	return fr_openssl_version_str_from_num((uint32_t) OpenSSL_version_num());
}
135
/** Print the current linked version of Openssl
 *
 * Print the currently linked version of the OpenSSL library, formatted as
 * "<OpenSSL_version(OPENSSL_VERSION)> 0x<8 hex digit number> (<string>)".
 *
 * @return pointer to a thread-local static buffer containing libssl version
 *	information, overwritten by the next call from the same thread.
 */
char const *fr_openssl_version_expanded(void)
{
	static _Thread_local char buffer[256];

	unsigned long v = OpenSSL_version_num();

	snprintf(buffer, sizeof(buffer), "%s 0x%.8lx (%s)",
		 OpenSSL_version(OPENSSL_VERSION), /* Not all builds include a useful version number */
		 v,
		 /* NOTE(review): the argument for the final %s (source line 151) is not visible in this rendering */

	return buffer;
}
155
156# ifdef ENABLE_OPENSSL_VERSION_CHECK
/** A known defect in an inclusive range of libssl versions
 *
 * Entries are matched by fr_openssl_version_check against OpenSSL_version_num().
 */
typedef struct {
	uint64_t high; //!< The last version number this defect affected (inclusive).
	uint64_t low; //!< The first version this defect affected (inclusive).

	char const *id; //!< CVE (or other ID); the value the user must acknowledge.
	char const *name; //!< As known in the media...
	char const *comment; //!< Where to get more information.
} fr_openssl_defect_t;
165
/*
 *	Version number constructors for the defects table, in the pre-3.0
 *	0xMNNFFPPS layout: _a lands in bits 28-31 (M), _b in bits 20-27 (NN),
 *	_c in bits 12-19 (FF), and the low nibble (S) is fixed at 0x0f.
 *	VM() builds "a.b.c"; Vm() additionally stores the patch letter in
 *	bits 4-11 (PP) as 1 for 'a', 2 for 'b', ...
 */
# undef VM
# undef Vm
# define VM(_a,_b,_c) (((((_a) << 24) | ((_b) << 16) | ((_c) << 8)) << 4) | 0x0f)
# define Vm(_a,_b,_c,_d) (((((_a) << 24) | ((_b) << 16) | ((_c) << 8) | ((_d) - 'a' + 1)) << 4) | 0x0f)
170
/*
 *	Record critical defects in libssl here, newest version first (new
 *	versions of OpenSSL before older versions of OpenSSL).
 *
 *	Order matters: fr_openssl_version_check only accepts an acknowledged
 *	id for the first entry whose range matches the linked library.
 */
static fr_openssl_defect_t fr_openssl_defects[] =
{
	{
		.low = Vm(1,1,0,'a'), /* 1.1.0a */
		.high = Vm(1,1,0,'a'), /* 1.1.0a */
		.id = "CVE-2016-6309",
		.name = "OCSP status request extension",
		.comment = "For more information see https://www.openssl.org/news/secadv/20160926.txt"
	},
	{
		.low = VM(1,1,0), /* 1.1.0 */
		.high = VM(1,1,0), /* 1.1.0 */
		.id = "CVE-2016-6304",
		.name = "OCSP status request extension",
		.comment = "For more information see https://www.openssl.org/news/secadv/20160922.txt"
	}
};
189
/** Check for vulnerable versions of libssl
 *
 * Walks fr_openssl_defects and refuses to start if the linked libssl falls
 * inside a recorded range, unless the user has acknowledged that defect.
 * Every matching entry is logged; the hint about how to acknowledge is
 * printed once, for the first match only.
 *
 * @param acknowledged The highest CVE number a user has confirmed is not present in the system's
 *	libssl, or "yes" to skip the check entirely.
 * @return
 *	- 0 if acknowledged is "yes", no recorded defect matches the linked libssl,
 *	  or acknowledged names the first matching defect.
 *	- -1 if acknowledged is missing/empty, or a matching defect was not acknowledged.
 */
int fr_openssl_version_check(char const *acknowledged)
{
	/*
	 *	Didn't get passed anything, that's an error.
	 */
	if (!acknowledged || !*acknowledged) {
		ERROR("Refusing to start until 'allow_vulnerable_openssl' is given a value");
		return -1;
	}

	if (strcmp(acknowledged, "yes") == 0) return 0;

	/* Check for bad versions */
	unsigned long const linked = OpenSSL_version_num();
	bool found = false;

	for (size_t idx = 0; idx < (NUM_ELEMENTS(fr_openssl_defects)); idx++) {
		fr_openssl_defect_t const *defect = &fr_openssl_defects[idx];

		if ((linked < defect->low) || (linked > defect->high)) continue;

		/*
		 *	If the CVE is acknowledged, allow it (first match only).
		 */
		if (!found && (strcmp(acknowledged, defect->id) == 0)) return 0;

		ERROR("Refusing to start with libssl version %s (in range %s)",
		      fr_openssl_version_expanded(), fr_openssl_version_range(defect->low, defect->high));
		ERROR("Security advisory %s (%s)", defect->id, defect->name);
		ERROR("%s", defect->comment);

		/*
		 *	Only print the remediation hint for the first one...
		 */
		if (!found) {
			INFO("Once you have verified libssl has been correctly patched, "
			     "set security.allow_vulnerable_openssl = '%s'", defect->id);
			found = true;
		}
	}

	return found ? -1 : 0;
}
244# endif
245#else
/** Stub used when the server is built without TLS: nothing to compare
 *
 * @return 0, always.
 */
int fr_openssl_version_consistent(void)
{
	return 0;
}
249
/** Stub used when the server is built without TLS
 *
 * @return a constant string, as no libssl is linked.
 */
char const *fr_openssl_version_basic(void)
{
	return "not linked";
}
254
/** Stub used when the server is built without TLS
 *
 * @return a constant string, as no libssl is linked.
 */
char const *fr_openssl_version_expanded(void)
{
	return "not linked";
}
259#endif /* ifdef WITH_TLS */