diff options
| author | sbyx <steven@midlink.org> | 2014-11-11 09:06:21 +0100 |
|---|---|---|
| committer | sbyx <steven@midlink.org> | 2014-11-11 09:06:21 +0100 |
| commit | f2884fa47f2401e252c5fcddc88cc724d4d51f63 (patch) | |
| tree | e2e35774f6d4067ec080673f33347b9f46376a09 | |
| parent | c26000e05352e86d5184179aac799b07f276461d (diff) | |
| parent | 408b2e9dd6b35c4ab7f4c25a1c4af3ce3a6ea54c (diff) | |
Merge pull request #448 from jow-/freeradius-ssl-version
freeradius2: relax SSL version checks
| -rw-r--r-- | net/freeradius2/Makefile | 2 | ||||
| -rw-r--r-- | net/freeradius2/patches/011-upstram-relax-ssl-version-checks.patch | 62 |
2 files changed, 63 insertions, 1 deletions
diff --git a/net/freeradius2/Makefile b/net/freeradius2/Makefile index c48b0bfeb..cbb69d1ff 100644 --- a/net/freeradius2/Makefile +++ b/net/freeradius2/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=freeradius2 PKG_VERSION:=2.2.5 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=freeradius-server-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=ftp://ftp.freeradius.org/pub/freeradius/ diff --git a/net/freeradius2/patches/011-upstram-relax-ssl-version-checks.patch b/net/freeradius2/patches/011-upstram-relax-ssl-version-checks.patch new file mode 100644 index 000000000..2b11d2d4e --- /dev/null +++ b/net/freeradius2/patches/011-upstram-relax-ssl-version-checks.patch @@ -0,0 +1,62 @@ +From 5ae2a70a135062a025d8fabc104eeae3a2c53a7a Mon Sep 17 00:00:00 2001 +From: Arran Cudbard-Bell <a.cudbardb@freeradius.org> +Date: Tue, 17 Jun 2014 10:09:24 +0100 +Subject: [PATCH] Relax libssl checks + +--- + src/main/version.c | 35 ++++++++++++++++++++++++++++------- + 1 file changed, 28 insertions(+), 7 deletions(-) + +--- a/src/main/version.c ++++ b/src/main/version.c +@@ -34,7 +34,12 @@ RCSID("$Id: af82d4126a65d94929c22f44da2b + + static long ssl_built = OPENSSL_VERSION_NUMBER; + +-/** Check build and linked versions of OpenSSL match ++/** Check built and linked versions of OpenSSL match ++ * ++ * OpenSSL version number consists of: ++ * MMNNFFPPS: major minor fix patch status ++ * ++ * Where status >= 0 && < 10 means beta, and status 10 means release. + * + * Startup check for whether the linked version of OpenSSL matches the + * version the server was built against. +@@ -54,14 +59,30 @@ int ssl_check_version(int allow_vulnerab + + ssl_linked = SSLeay(); + +- if (ssl_linked != ssl_built) { +- radlog(L_ERR, "libssl version mismatch." +- " Built with: %lx\n Linked: %lx", +- (unsigned long) ssl_built, +- (unsigned long) ssl_linked); ++ /* ++ * Status mismatch always triggers error. ++ */ ++ if ((ssl_linked & 0x00000000f) != (ssl_built & 0x00000000f)) { ++ mismatch: ++ radlog(L_ERR, "libssl version mismatch. built: %lx linked: %lx", ++ (unsigned long) ssl_built, (unsigned long) ssl_linked); + + return -1; +- }; ++ } ++ ++ /* ++ * Use the OpenSSH approach and relax fix checks after version ++ * 1.0.0 and only allow moving backwards within a patch ++ * series. ++ */ ++ if (ssl_built & 0xff) { ++ if ((ssl_built & 0xffff) != (ssl_linked & 0xffff) || ++ (ssl_built & 0x0000ff) > (ssl_linked & 0x0000ff)) goto mismatch; ++ /* ++ * Before 1.0.0 we require the same major minor and fix version ++ * and ignore the patch number. ++ */ ++ } else if ((ssl_built & 0xffffff) != (ssl_linked & 0xffffff)) goto mismatch; + + if (!allow_vulnerable) { + /* Check for bad versions */ |