From 10636fbfd51320c8ca8b40651bf3e959211ca921 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Tue, 21 Oct 2014 18:30:05 +0300
Subject: [PATCH 1/1] Add --disable-openssl-version-check option
Add "--disable-openssl-version-check" configure option, which removes
checking for vulnerable OpenSSL versions. It is supposed to be used by
downstream packagers and distributions who have other means to ensure
vulnerabilities are fixed, such as versioned package dependencies and
vulnerability handling processes.
This avoids the necessity of editing radiusd.conf on package upgrade to
make sure it keeps working. At the same time, it provides safe default
to those installing FreeRADIUS from source.
---
configure | 30 ++++++++++++++++++++++++++++++
configure.ac | 26 ++++++++++++++++++++++++++
raddb/radiusd.conf.in | 10 +---------
src/include/autoconf.h.in | 3 +++
src/include/radiusd.h | 2 ++
src/include/tls-h | 2 ++
src/main/mainconfig.c | 2 ++
src/main/radiusd.c | 2 ++
src/main/tls.c | 4 ++++
9 files changed, 72 insertions(+), 9 deletions(-)
diff --git a/configure b/configure
index 1b54efd..addfeba 100755
--- a/configure
+++ b/configure
@@ -652,6 +652,7 @@ RUSERS
SNMPWALK
SNMPGET
PERL
+openssl_version_check_config
modconfdir
dictdir
raddbdir
@@ -754,6 +755,7 @@ with_rlm_FOO_include_dir
with_openssl
with_openssl_lib_dir
with_openssl_include_dir
+enable_openssl_version_check
with_talloc_lib_dir
with_talloc_include_dir
with_pcap_lib_dir
@@ -1396,6 +1398,9 @@ Optional Features:
--disable-largefile omit support for large files
--enable-strict-dependencies fail configure on lack of module dependancy.
--enable-werror causes the build to fail if any warnings are generated.
+ --disable-openssl-version-check
+ disable vulnerable OpenSSL version check
+
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
@@ -5430,6 +5435,31 @@ if test "${with_openssl_include_dir+set}" = set; then :
fi
+# Check whether --enable-openssl-version-check was given.
+if test "${enable_openssl_version_check+set}" = set; then :
+ enableval=$enable_openssl_version_check;
+fi
+
+if test "x$enable_openssl_version_check" != "xno"; then
+
+$as_echo "#define ENABLE_OPENSSL_VERSION_CHECK 1" >>confdefs.h
+
+ openssl_version_check_config="\
+ #
+ # allow_vulnerable_openssl: Allow the server to start with
+ # versions of OpenSSL known to have critical vulnerabilities.
+ #
+ # This check is based on the version number reported by libssl
+ # and may not reflect patches applied to libssl by
+ # distribution maintainers.
+ #
+ allow_vulnerable_openssl = no"
+else
+ openssl_version_check_config=
+fi
+
+
+
CHECKRAD=checkrad
# Extract the first word of "perl", so it can be a program name with args.
diff --git a/configure.ac b/configure.ac
index 30b226b..b223505 100644
--- a/configure.ac
+++ b/configure.ac
@@ -576,6 +576,32 @@ AC_ARG_WITH(openssl-include-dir,
esac ]
)
+dnl #
+dnl # extra argument: --disable-openssl-version-check
+dnl #
+AC_ARG_ENABLE(openssl-version-check,
+[AS_HELP_STRING([--disable-openssl-version-check],
+ [disable vulnerable OpenSSL version check])]
+)
+if test "x$enable_openssl_version_check" != "xno"; then
+ AC_DEFINE(ENABLE_OPENSSL_VERSION_CHECK, [1],
+ [Define to 1 to have OpenSSL version check enabled])
+ openssl_version_check_config="\
+ #
+ # allow_vulnerable_openssl: Allow the server to start with
+ # versions of OpenSSL known to have critical vulnerabilities.
+ #
+ # This check is based on the version number reported by libssl
+ # and may not reflect patches applied to libssl by
+ # distribution maintainers.
+ #
+ allow_vulnerable_openssl = no"
+else
+ openssl_version_check_config=
+fi
+AC_SUBST([openssl_version_check_config])
+
+
dnl #############################################################
dnl #
dnl # 1. Checks for programs
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index 307ae10..0e1ff46 100644
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -475,15 +475,7 @@ security {
#
status_server = yes
- #
- # allow_vulnerable_openssl: Allow the server to start with
- # versions of OpenSSL known to have critical vulnerabilities.
- #
- # This check is based on the version number reported by libssl
- # and may not reflect patches applied to libssl by
- # distribution maintainers.
- #
- allow_vulnerable_openssl = no
+@openssl_version_check_config@
}
# PROXY CONFIGURATION
diff --git a/src/include/autoconf.h.in b/src/include/autoconf.h.in
index c313bca..f500049 100644
--- a/src/include/autoconf.h.in
+++ b/src/include/autoconf.h.in
@@ -9,6 +9,9 @@
/* style of ctime_r function */
#undef CTIMERSTYLE
+/* Define to 1 to have OpenSSL version check enabled */
+#undef ENABLE_OPENSSL_VERSION_CHECK
+
/* style of gethostbyaddr_r functions */
#undef GETHOSTBYADDRRSTYLE
diff --git a/src/include/radiusd.h b/src/include/radiusd.h
index ebe3a21..1ec6959 100644
--- a/src/include/radiusd.h
+++ b/src/include/radiusd.h
@@ -437,7 +437,9 @@ typedef struct main_config_t {
#endif
uint32_t reject_delay;
bool status_server;
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
char const *allow_vulnerable_openssl;
+#endif
uint32_t max_request_time;
uint32_t cleanup_delay;
diff --git a/src/include/tls-h b/src/include/tls-h
index ade93d5..1418ea2 100644
--- a/src/include/tls-h
+++ b/src/include/tls-h
@@ -295,7 +295,9 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx);
/* TLS */
void tls_global_init(void);
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
int tls_global_version_check(char const *acknowledged);
+#endif
void tls_global_cleanup(void);
tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQUEST *request, bool client_cert);
tls_session_t *tls_new_client_session(fr_tls_server_conf_t *conf, int fd);
diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
index cf1eea5..76979ad 100644
--- a/src/main/mainconfig.c
+++ b/src/main/mainconfig.c
@@ -99,7 +99,9 @@ static const CONF_PARSER security_config[] = {
{ "max_attributes", FR_CONF_POINTER(PW_TYPE_INTEGER, &fr_max_attributes), STRINGIFY(0) },
{ "reject_delay", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.reject_delay), STRINGIFY(0) },
{ "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
{ "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"},
+#endif
{ NULL, -1, 0, NULL, NULL }
};
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
index 620d7d4..fe8057d 100644
--- a/src/main/radiusd.c
+++ b/src/main/radiusd.c
@@ -359,10 +359,12 @@ int main(int argc, char *argv[])
/* Check for vulnerabilities in the version of libssl were linked against */
#ifdef HAVE_OPENSSL_CRYPTO_H
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
if (tls_global_version_check(main_config.allow_vulnerable_openssl) < 0) {
exit(EXIT_FAILURE);
}
#endif
+#endif
/*
* Load the modules
diff --git a/src/main/tls.c b/src/main/tls.c
index 542ce69..42b538c 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -51,6 +51,7 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
#include <openssl/ocsp.h>
#endif
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
typedef struct libssl_defect {
uint64_t high;
uint64_t low;
@@ -71,6 +72,7 @@ static libssl_defect_t libssl_defects[] =
.comment = "For more information see http://heartbleed.com"
}
};
+#endif
/* record */
static void record_init(record_t *buf);
@@ -2063,6 +2065,7 @@ void tls_global_init(void)
OPENSSL_config(NULL);
}
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
/** Check for vulnerable versions of libssl
*
* @param acknowledged The highest CVE number a user has confirmed is not present in the system's libssl.
@@ -2101,6 +2104,7 @@ int tls_global_version_check(char const *acknowledged)
return 0;
}
+#endif
/** Free any memory alloced by libssl
*
--
2.1.1