1 /*
2  * This program is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or
5  * (at your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: 135d0f83c8e2bcbfa7a9de58710e0704050708a4 $
19  *
20  * @file tls/version.c
21  * @brief Check OpenSSL library/header consistency, and process version information.
22  *
23  * @copyright 2022 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
24  */
25 #define LOG_PREFIX "tls"
26 
27 #include "version.h"
28 
29 #ifdef WITH_TLS
30 #include <freeradius-devel/server/log.h>
31 
/*
 *	Captured at compile time from the OpenSSL headers, so that the
 *	startup check can compare it against OpenSSL_version_num(), i.e.
 *	the library that actually got loaded.
 */
static long ssl_built = OPENSSL_VERSION_NUMBER;
33 
/** Verify that the libssl the server runs against matches the one it was built against
 *
 * OpenSSL version numbers are packed as MNNFFPPS (major, minor, fix, patch, status);
 * the status nibble is 0 for a development build, 1-14 for a beta and 15 for a release.
 * Only the major and minor fields (the top 12 bits, mask 0xfff00000) are compared:
 * differing fix/patch levels are expected to stay ABI compatible, and the same mask
 * selects major and minor in the 3.x layout (0xMNN00PP0) too.
 *
 * https://wiki.openssl.org/index.php/Versioning
 *
 * @return
 *	- 0 if the linked library is compatible.
 *	- -1 on a major/minor mismatch (an ERROR is logged with both numbers).
 */
int fr_openssl_version_consistent(void)
{
	unsigned long const mask = 0xfff00000;
	unsigned long linked = OpenSSL_version_num();
	unsigned long built = (unsigned long) ssl_built;

	if ((linked & mask) == (built & mask)) return 0;

	ERROR("libssl version mismatch. built: %lx linked: %lx", built, linked);

	return -1;
}
73 
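/** Convert an OpenSSL version number to a human readable string
 *
 * Two layouts are handled, selected by the major nibble:
 *	- < 3 (MNNFFPPS): "M.NN.FF", an optional patch letter (PP=1 -> 'a'), a space,
 *	  then the status: "dev" (S=0), "beta N" (S=1..14) or "release" (S=15),
 *	  e.g. "1.1.1k release".
 *	- >= 3 (0xMNN00PP0): "M.NN.PP", e.g. "3.0.2".
 *
 * The result lives in a thread-local buffer, so each thread gets its own copy
 * and the string stays valid until that thread calls this function again.
 *
 * @param[in] v	version number in OPENSSL_VERSION_NUMBER format.
 * @return pointer to a thread-local buffer containing the version string.
 */
char const *fr_openssl_version_str_from_num(uint32_t v)
{
	/*
	 *	Worst case for the pre-3.0 layout is "15.255.255" (10) + patch letter (1) +
	 *	' ' (1) + "release" or "beta 14" (7) + '\0' = 20 bytes.  Sized above that so
	 *	the cursor can never be advanced past the end by a truncated snprintf().
	 */
	static _Thread_local char buffer[32];
	char *p = buffer, *end = buffer + sizeof(buffer);
	unsigned int major = (v & 0xf0000000) >> 28;
	unsigned int minor = (v & 0x0ff00000) >> 20;
	unsigned int patch, status;
	int len;

	/*
	 *	3.x and later: 0xMNN00PP0, patch lives in bits 4-11.
	 */
	if (major >= 3) {
		snprintf(buffer, sizeof(buffer), "%u.%u.%u", major, minor, (v & 0x00000ff0) >> 4);
		return buffer;
	}

	/*
	 *	Pre-3.0: MNNFFPPS, fix in bits 12-19, patch letter in bits 4-11, status in bits 0-3.
	 */
	len = snprintf(p, (size_t)(end - p), "%u.%u.%u", major, minor, (v & 0x000ff000) >> 12);
	if ((len < 0) || (len >= (end - p))) return buffer;	/* Can't happen with buffer[32]; never step past end */
	p += len;

	/*
	 *	At most 10 bytes used so far, leaving >= 22: room for the letter, the
	 *	space and the longest status string, so no further bounds checks needed.
	 */
	patch = (v & 0x00000ff0) >> 4;
	if (patch) *p++ = (char) (0x60 + patch);	/* 1 -> 'a', 2 -> 'b' ... (values past 'z' aren't meaningful) */
	*p++ = ' ';

	status = v & 0x0000000f;
	if (status == 0) {
		snprintf(p, (size_t)(end - p), "%s", "dev");
	} else if (status <= 14) {
		snprintf(p, (size_t)(end - p), "beta %u", status);
	} else {
		snprintf(p, (size_t)(end - p), "%s", "release");
	}

	return buffer;
}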
138 
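/** Convert two OpenSSL version numbers into a "low - high" range string
 *
 * fr_openssl_version_str_from_num() returns a pointer to a single static buffer,
 * so the low version is copied out before the high version is converted; otherwise
 * the second call would overwrite the first result.
 *
 * @param[in] low	version starting the range.
 * @param[in] high	version ending the range.
 * @return pointer to a thread-local buffer containing "<low> - <high>".
 */
char const *fr_openssl_version_range(uint32_t low, uint32_t high)
{
	static _Thread_local char buffer[64];
	char low_str[32];

	/*
	 *	snprintf() always terminates and never writes past the size it is given,
	 *	so an unexpectedly long version string only truncates.  The previous
	 *	strlcpy() cursor arithmetic advanced by the source length, which would
	 *	have walked past the buffer (and wrapped the remaining size) in that case.
	 */
	snprintf(low_str, sizeof(low_str), "%s", fr_openssl_version_str_from_num(low));
	snprintf(buffer, sizeof(buffer), "%s - %s", low_str, fr_openssl_version_str_from_num(high));

	return buffer;
}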
157 
/** Return the version number of the linked libssl as a string
 *
 * Thin wrapper feeding OpenSSL_version_num() to fr_openssl_version_str_from_num().
 *
 * @return pointer to the static buffer owned by fr_openssl_version_str_from_num().
 */
char const *fr_openssl_version_basic(void)
{
	uint32_t linked = (uint32_t) OpenSSL_version_num();

	return fr_openssl_version_str_from_num(linked);
}
169 
/** Describe the linked OpenSSL library
 *
 * Combines the library's own version text (OpenSSL_version(OPENSSL_VERSION)),
 * the raw OpenSSL_version_num() value in hex, and the decoded version string.
 *
 * @return pointer to a thread-local buffer containing libssl version information.
 */
char const *fr_openssl_version_expanded(void)
{
	static _Thread_local char buffer[256];
	unsigned long linked = OpenSSL_version_num();
	char const *text = OpenSSL_version(OPENSSL_VERSION);	/* Not all builds include a useful version number */

	snprintf(buffer, sizeof(buffer), "%s 0x%.8lx (%s)",
		 text, linked, fr_openssl_version_str_from_num((uint32_t) linked));

	return buffer;
}
189 
190 # ifdef ENABLE_OPENSSL_VERSION_CHECK
/** A range of libssl versions carrying a known critical defect
 *
 * Entries live in fr_openssl_defects and are matched against the linked
 * OpenSSL_version_num() by fr_openssl_version_check().
 */
typedef struct {
	uint64_t high;		//!< The last version number this defect affected (inclusive, VM()/Vm() encoded).
	uint64_t low;		//!< The first version this defect affected (inclusive).

	char const *id;		//!< CVE (or other ID).  Compared verbatim (strcmp) against the acknowledged value.
	char const *name;	//!< As known in the media...
	char const *comment;	//!< Where to get more information.
} fr_openssl_defect_t;
199 
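# undef VM
# undef Vm
/*
 *	Encode a pre-3.0 OpenSSL release version (MNNFFPPS) for the defect table.
 *	Arithmetic is done in uint64_t so a major of 8 or more cannot shift into
 *	the sign bit of an int (signed overflow), and the result matches the
 *	uint64_t fields it initialises.
 *
 *	VM(major, minor, fix)         -> M.NN.FF release (patch 0, status 0xf)
 *	Vm(major, minor, fix, letter) -> M.NN.FF<letter> release, e.g. Vm(1,1,0,'a') is 1.1.0a
 */
# define VM(_a,_b,_c) (((((uint64_t)(_a) << 24) | ((uint64_t)(_b) << 16) | ((uint64_t)(_c) << 8)) << 4) | 0x0f)
# define Vm(_a,_b,_c,_d) (((((uint64_t)(_a) << 24) | ((uint64_t)(_b) << 16) | ((uint64_t)(_c) << 8) | ((uint64_t)((_d) - 'a' + 1))) << 4) | 0x0f)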
204 
/*
 *	Record critical defects in libssl here, newest OpenSSL versions first.
 *
 *	Order matters: fr_openssl_version_check() honours the acknowledged id only
 *	for the first entry whose [low, high] range contains the linked version,
 *	i.e. the administrator is expected to acknowledge the newest applicable defect.
 */
static fr_openssl_defect_t fr_openssl_defects[] =
{
	{
		.low = Vm(1,1,0,'a'),		/* 1.1.0a */
		.high = Vm(1,1,0,'a'),		/* 1.1.0a */
		.id = "CVE-2016-6309",
		.name = "OCSP status request extension",
		.comment = "For more information see https://www.openssl.org/news/secadv/20160926.txt"
	},
	{
		.low = VM(1,1,0),		/* 1.1.0 */
		.high = VM(1,1,0),		/* 1.1.0 */
		.id = "CVE-2016-6304",
		.name = "OCSP status request extension",
		.comment = "For more information see https://www.openssl.org/news/secadv/20160922.txt"
	}
};
223 
/** Refuse to start on a libssl version with a known critical defect
 *
 * The linked OpenSSL_version_num() is compared against every range in fr_openssl_defects.
 * A match is tolerated only when the administrator has acknowledged it through
 * 'security.allow_vulnerable_openssl': either the literal "yes" (skips the table
 * entirely), or the id of the first matching defect, taken as confirmation that the
 * library has been patched.  Every matching defect is logged at ERROR; the hint on
 * how to acknowledge is logged once, for the first match.
 *
 * @param[in] acknowledged	value of 'allow_vulnerable_openssl': "yes", or the highest
 *				CVE number the user has confirmed is not present in the
 *				system's libssl.
 * @return
 *	- 0 if acknowledged is "yes", if no defect range matches the linked version,
 *	  or if acknowledged names the first matching defect.
 *	- -1 if acknowledged is NULL or empty, or an unacknowledged defect matches.
 */
int fr_openssl_version_check(char const *acknowledged)
{
	unsigned long linked;
	bool bad = false;

	/*
	 *	Didn't get passed anything, that's an error.
	 */
	if (!acknowledged || (*acknowledged == '\0')) {
		ERROR("Refusing to start until 'allow_vulnerable_openssl' is given a value");
		return -1;
	}

	/*
	 *	Explicit opt-out of the table check altogether.
	 */
	if (strcmp(acknowledged, "yes") == 0) return 0;

	linked = OpenSSL_version_num();
	for (size_t i = 0; i < NUM_ELEMENTS(fr_openssl_defects); i++) {
		fr_openssl_defect_t const *defect = &fr_openssl_defects[i];

		if ((linked < defect->low) || (linked > defect->high)) continue;

		/*
		 *	The acknowledgement only counts for the first matching defect.
		 */
		if (!bad && (strcmp(acknowledged, defect->id) == 0)) return 0;

		ERROR("Refusing to start with libssl version %s (in range %s)",
		      fr_openssl_version_expanded(), fr_openssl_version_range(defect->low, defect->high));
		ERROR("Security advisory %s (%s)", defect->id, defect->name);
		ERROR("%s", defect->comment);

		/*
		 *	Only give the remediation hint for the first one...
		 */
		if (bad) continue;

		INFO("Once you have verified libssl has been correctly patched, "
		     "set security.allow_vulnerable_openssl = '%s'", defect->id);
		bad = true;
	}

	return bad ? -1 : 0;
}
278 # endif
279 #else
/** Stub for builds without TLS: there is no libssl to compare, so always consistent
 *
 * @return 0 always.
 */
int fr_openssl_version_consistent(void)
{
	return 0;
}
283 
/** Stub for builds without TLS
 *
 * @return the constant string "not linked".
 */
char const *fr_openssl_version_basic(void)
{
	static char const not_linked[] = "not linked";

	return not_linked;
}
288 
/** Stub for builds without TLS
 *
 * @return the constant string "not linked".
 */
char const *fr_openssl_version_expanded(void)
{
	static char const not_linked[] = "not linked";

	return not_linked;
}
293 #endif /* ifdef WITH_TLS */