From 10636fbfd51320c8ca8b40651bf3e959211ca921 Mon Sep 17 00:00:00 2001

From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Date: Tue, 21 Oct 2014 18:30:05 +0300

Subject: [PATCH 1/1] Add --disable-openssl-version-check option

Add "--disable-openssl-version-check" configure option, which removes

checking for vulnerable OpenSSL versions. It is supposed to be used by

downstream packagers and distributions who have other means to ensure

vulnerabilities are fixed, such as versioned package dependencies and

vulnerability handling processes.

This avoids the necessity of editing radiusd.conf on package upgrade to

make sure it keeps working. At the same time, it provides safe default

to those installing FreeRADIUS from source.

---

 configure                 | 30 ++++++++++++++++++++++++++++++

 configure.ac              | 26 ++++++++++++++++++++++++++

 raddb/radiusd.conf.in     | 10 +---------

 src/include/autoconf.h.in |  3 +++

 src/include/radiusd.h     |  2 ++

 src/include/tls-h         |  2 ++

 src/main/mainconfig.c     |  2 ++

 src/main/radiusd.c        |  2 ++

 src/main/tls.c            |  4 ++++

 9 files changed, 72 insertions(+), 9 deletions(-)

diff --git a/configure b/configure

index 1b54efd..addfeba 100755

--- a/configure

+++ b/configure

@@ -652,6 +652,7 @@ RUSERS

 SNMPWALK

 SNMPGET

 PERL

+openssl_version_check_config

 modconfdir

 dictdir

 raddbdir

@@ -754,6 +755,7 @@ with_rlm_FOO_include_dir

 with_openssl

 with_openssl_lib_dir

 with_openssl_include_dir

+enable_openssl_version_check

 with_talloc_lib_dir

 with_talloc_include_dir

 with_pcap_lib_dir

@@ -1396,6 +1398,9 @@ Optional Features:

   --disable-largefile     omit support for large files

   --enable-strict-dependencies  fail configure on lack of module dependancy.

   --enable-werror         causes the build to fail if any warnings are generated.

+  --disable-openssl-version-check

+                          disable vulnerable OpenSSL version check

+

 Optional Packages:

   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]

@@ -5430,6 +5435,31 @@ if test "${with_openssl_include_dir+set}" = set; then :

 fi

+# Check whether --enable-openssl-version-check was given.

+if test "${enable_openssl_version_check+set}" = set; then :

+  enableval=$enable_openssl_version_check;

+fi

+

+if test "x$enable_openssl_version_check" != "xno"; then

+

+$as_echo "#define ENABLE_OPENSSL_VERSION_CHECK 1" >>confdefs.h

+

+  openssl_version_check_config="\

+	#

+	#  allow_vulnerable_openssl: Allow the server to start with

+	#  versions of OpenSSL known to have critical vulnerabilities.

+	#

+	#  This check is based on the version number reported by libssl

+	#  and may not reflect patches applied to libssl by

+	#  distribution maintainers.

+	#

+	allow_vulnerable_openssl = no"

+else

+  openssl_version_check_config=

+fi

+

+

+

 CHECKRAD=checkrad

 # Extract the first word of "perl", so it can be a program name with args.

diff --git a/configure.ac b/configure.ac

index 30b226b..b223505 100644

--- a/configure.ac

+++ b/configure.ac

@@ -576,6 +576,32 @@ AC_ARG_WITH(openssl-include-dir,

   esac ]

 )

+dnl #

+dnl #  extra argument: --disable-openssl-version-check

+dnl #

+AC_ARG_ENABLE(openssl-version-check,

+[AS_HELP_STRING([--disable-openssl-version-check],

+                [disable vulnerable OpenSSL version check])]

+)

+if test "x$enable_openssl_version_check" != "xno"; then

+  AC_DEFINE(ENABLE_OPENSSL_VERSION_CHECK, [1],

+            [Define to 1 to have OpenSSL version check enabled])

+  openssl_version_check_config="\

+	#

+	#  allow_vulnerable_openssl: Allow the server to start with

+	#  versions of OpenSSL known to have critical vulnerabilities.

+	#

+	#  This check is based on the version number reported by libssl

+	#  and may not reflect patches applied to libssl by

+	#  distribution maintainers.

+	#

+	allow_vulnerable_openssl = no"

+else

+  openssl_version_check_config=

+fi

+AC_SUBST([openssl_version_check_config])

+

+

 dnl #############################################################

 dnl #

 dnl #  1. Checks for programs

diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in

index 307ae10..0e1ff46 100644

--- a/raddb/radiusd.conf.in

+++ b/raddb/radiusd.conf.in

@@ -475,15 +475,7 @@ security {

 	#

 	status_server = yes

-	#

-	#  allow_vulnerable_openssl: Allow the server to start with

-	#  versions of OpenSSL known to have critical vulnerabilities.

-	#

-	#  This check is based on the version number reported by libssl

-	#  and may not reflect patches applied to libssl by

-	#  distribution maintainers.

-	#

-	allow_vulnerable_openssl = no

+@openssl_version_check_config@

 }

 # PROXY CONFIGURATION

diff --git a/src/include/autoconf.h.in b/src/include/autoconf.h.in

index c313bca..f500049 100644

--- a/src/include/autoconf.h.in

+++ b/src/include/autoconf.h.in

@@ -9,6 +9,9 @@

 /* style of ctime_r function */

 #undef CTIMERSTYLE

+/* Define to 1 to have OpenSSL version check enabled */

+#undef ENABLE_OPENSSL_VERSION_CHECK

+

 /* style of gethostbyaddr_r functions */

 #undef GETHOSTBYADDRRSTYLE

diff --git a/src/include/radiusd.h b/src/include/radiusd.h

index ebe3a21..1ec6959 100644

--- a/src/include/radiusd.h

+++ b/src/include/radiusd.h

@@ -437,7 +437,9 @@ typedef struct main_config_t {

 #endif

 	uint32_t	reject_delay;

 	bool		status_server;

+#ifdef ENABLE_OPENSSL_VERSION_CHECK

 	char const	*allow_vulnerable_openssl;

+#endif

 	uint32_t	max_request_time;

 	uint32_t	cleanup_delay;

diff --git a/src/include/tls-h b/src/include/tls-h

index ade93d5..1418ea2 100644

--- a/src/include/tls-h

+++ b/src/include/tls-h

@@ -295,7 +295,9 @@ int		cbtls_verify(int ok, X509_STORE_CTX *ctx);

 /* TLS */

 void		tls_global_init(void);

+#ifdef ENABLE_OPENSSL_VERSION_CHECK

 int		tls_global_version_check(char const *acknowledged);

+#endif

 void		tls_global_cleanup(void);

 tls_session_t	*tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQUEST *request, bool client_cert);

 tls_session_t	*tls_new_client_session(fr_tls_server_conf_t *conf, int fd);

diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c

index cf1eea5..76979ad 100644

--- a/src/main/mainconfig.c

+++ b/src/main/mainconfig.c

@@ -99,7 +99,9 @@ static const CONF_PARSER security_config[] = {

 	{ "max_attributes",  FR_CONF_POINTER(PW_TYPE_INTEGER, &fr_max_attributes), STRINGIFY(0) },

 	{ "reject_delay",  FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.reject_delay), STRINGIFY(0) },

 	{ "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},

+#ifdef ENABLE_OPENSSL_VERSION_CHECK

 	{ "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"},

+#endif

 	{ NULL, -1, 0, NULL, NULL }

 };

diff --git a/src/main/radiusd.c b/src/main/radiusd.c

index 620d7d4..fe8057d 100644

--- a/src/main/radiusd.c

+++ b/src/main/radiusd.c

@@ -359,10 +359,12 @@ int main(int argc, char *argv[])

 	/*  Check for vulnerabilities in the version of libssl were linked against */

 #ifdef HAVE_OPENSSL_CRYPTO_H

+#ifdef ENABLE_OPENSSL_VERSION_CHECK

 	if (tls_global_version_check(main_config.allow_vulnerable_openssl) < 0) {

 		exit(EXIT_FAILURE);

 	}

 #endif

+#endif

 	/*

 	 *  Load the modules

diff --git a/src/main/tls.c b/src/main/tls.c

index 542ce69..42b538c 100644

--- a/src/main/tls.c

+++ b/src/main/tls.c

@@ -51,6 +51,7 @@ USES_APPLE_DEPRECATED_API	/* OpenSSL API has been deprecated by Apple */

 #include <openssl/ocsp.h>

 #endif

+#ifdef ENABLE_OPENSSL_VERSION_CHECK

 typedef struct libssl_defect {

 	uint64_t	high;

 	uint64_t	low;

@@ -71,6 +72,7 @@ static libssl_defect_t libssl_defects[] =

 		.comment	= "For more information see http://heartbleed.com"

 	}

 };

+#endif

 /* record */

 static void 		record_init(record_t *buf);

@@ -2063,6 +2065,7 @@ void tls_global_init(void)

 	OPENSSL_config(NULL);

 }

+#ifdef ENABLE_OPENSSL_VERSION_CHECK

 /** Check for vulnerable versions of libssl

  *

  * @param acknowledged The highest CVE number a user has confirmed is not present in the system's libssl.

@@ -2101,6 +2104,7 @@ int tls_global_version_check(char const *acknowledged)

 	return 0;

 }

+#endif

 /** Free any memory alloced by libssl

  *

-- 

2.1.1