|
|
- From 5ae2a70a135062a025d8fabc104eeae3a2c53a7a Mon Sep 17 00:00:00 2001
- From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
- Date: Tue, 17 Jun 2014 10:09:24 +0100
- Subject: [PATCH] Relax libssl checks
-
- ---
- src/main/version.c | 35 ++++++++++++++++++++++++++++-------
- 1 file changed, 28 insertions(+), 7 deletions(-)
-
- --- a/src/main/version.c
- +++ b/src/main/version.c
- @@ -34,7 +34,12 @@ RCSID("$Id: af82d4126a65d94929c22f44da2b
-
- static long ssl_built = OPENSSL_VERSION_NUMBER;
-
- -/** Check build and linked versions of OpenSSL match
- +/** Check built and linked versions of OpenSSL match
- + *
- + * OpenSSL version number consists of:
- + * MMNNFFPPS: major minor fix patch status
- + *
- + * Where status >= 0 && < 10 means beta, and status 10 means release.
- *
- * Startup check for whether the linked version of OpenSSL matches the
- * version the server was built against.
- @@ -54,14 +59,30 @@ int ssl_check_version(int allow_vulnerab
-
- ssl_linked = SSLeay();
-
- - if (ssl_linked != ssl_built) {
- - radlog(L_ERR, "libssl version mismatch."
- - " Built with: %lx\n Linked: %lx",
- - (unsigned long) ssl_built,
- - (unsigned long) ssl_linked);
- + /*
- + * Status mismatch always triggers error.
- + */
- + if ((ssl_linked & 0x00000000f) != (ssl_built & 0x00000000f)) {
- + mismatch:
- + radlog(L_ERR, "libssl version mismatch. built: %lx linked: %lx",
- + (unsigned long) ssl_built, (unsigned long) ssl_linked);
-
- return -1;
- - };
- + }
- +
- + /*
- + * Use the OpenSSH approach and relax fix checks after version
- + * 1.0.0 and only allow moving backwards within a patch
- + * series.
- + */
- + if (ssl_built & 0xff) {
- + if ((ssl_built & 0xffff) != (ssl_linked & 0xffff) ||
- + (ssl_built & 0x0000ff) > (ssl_linked & 0x0000ff)) goto mismatch;
- + /*
- + * Before 1.0.0 we require the same major minor and fix version
- + * and ignore the patch number.
- + */
- + } else if ((ssl_built & 0xffffff) != (ssl_linked & 0xffffff)) goto mismatch;
-
- if (!allow_vulnerable) {
- /* Check for bad versions */
|
