From 048c538655b8465a63d28d209e14e30454cea01a Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Sat, 30 Jan 2016 13:07:58 +0100 Subject: Add OpenSSL version sanity checking. --- socket.c | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) (limited to 'socket.c') diff --git a/socket.c b/socket.c index 4cdd2f89..276c5b43 100644 --- a/socket.c +++ b/socket.c @@ -378,6 +378,18 @@ va_dcl { #include #include +#define fm_MIN_OPENSSL_VER 0x1000100fL + +#if OPENSSL_VERSION_NUMBER < fm_MIN_OPENSSL_VER +#error Your OpenSSL version must be at least 1.0.1 release. Older OpenSSL versions are unsupported. +#else +/* +#define __fm_ossl_ver(x) #x +#define _fm_ossl_ver(x) __fm_ossl_ver(x) +#pragma message "Building with OpenSSL headers version " _fm_ossl_ver(OPENSSL_VERSION_NUMBER) ", " OPENSSL_VERSION_TEXT +*/ +#endif + static void report_SSL_errors(FILE *stream) { unsigned long err; @@ -877,13 +889,24 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck struct stat randstat; int i; int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; - long sslopts = SSL_OP_ALL; + long sslopts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; int ssle_connect = 0; + long ver; SSL_load_error_strings(); SSL_library_init(); OpenSSL_add_all_algorithms(); /* see Debian Bug#576430 and manpage */ + if ((ver = SSLeay()) < OPENSSL_VERSION_NUMBER) { + report(stderr, GT_("Loaded OpenSSL library %#lx older than headers %#lx, refusing to work.\n"), (long)ver, (long)(OPENSSL_VERSION_NUMBER)); + return -1; + } + + if (ver > OPENSSL_VERSION_NUMBER && outlevel >= O_VERBOSE) { + report(stdout, GT_("Loaded OpenSSL library %#lx newer than headers %#lx, trying to continue.\n"), (long)ver, (long)(OPENSSL_VERSION_NUMBER)); + return -1; + } + if (stat("/dev/random", &randstat) && stat("/dev/urandom", &randstat)) { /* Neither /dev/random nor /dev/urandom are present, so add -- cgit v1.2.3