From: Arran Cudbard-Bell
Date: Thu, 15 Oct 2015 21:22:03 +0000 (-0400)
Subject: ENABLE_OPENSSL_VERSION_CHECK was intended to be used to disable checks for vulnerable...
X-Git-Tag: release_2_2_10~23
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4f24d4c;p=thirdparty%2Ffreeradius-server.git
ENABLE_OPENSSL_VERSION_CHECK was intended to be used to disable checks for vulnerable OpenSSL versions, NOT our compile/runtime checks for OpenSSL version mismatches.
---
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
index f29c92809a..6cd96548fb 100644
--- a/src/main/radiusd.c
+++ b/src/main/radiusd.c
@@ -293,11 +293,9 @@ int main(int argc, char *argv[])
 * Mismatch between build time OpenSSL and linked SSL,
 * better to die here than segfault later.
 */
-#ifdef ENABLE_OPENSSL_VERSION_CHECK
 if (ssl_check_version(mainconfig.allow_vulnerable_openssl) < 0) {
 exit(1);
 }
-#endif
 #endif
 /* Load the modules AFTER doing SSL checks */
diff --git a/src/main/version.c b/src/main/version.c
index b9ee25e002..760a1bfefe 100644
--- a/src/main/version.c
+++ b/src/main/version.c
@@ -62,7 +62,7 @@ const char *ssl_version()
 *
 * @return 0 if ok, else -1
 */
-#if defined(HAVE_OPENSSL_CRYPTO_H) && defined(ENABLE_OPENSSL_VERSION_CHECK)
+#ifdef HAVE_OPENSSL_CRYPTO_H
 int ssl_check_version(int allow_vulnerable)
 {
 long ssl_linked;
@@ -94,6 +94,7 @@ int ssl_check_version(int allow_vulnerable)
 */
 } else if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000)) goto mismatch;
+# ifdef ENABLE_OPENSSL_VERSION_CHECK
 if (!allow_vulnerable) {
 /* Check for bad versions */
 /* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */
@@ -105,6 +106,7 @@ int ssl_check_version(int allow_vulnerable)
 return -1;
 }
 }
+# endif
 return 0;
 }
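Review bot: With the inner guard removed, the call `ssl_check_version(mainconfig.allow_vulnerable_openssl)` in main() is now compiled whenever the outer guard is active (its opening line is outside the hunk, presumably HAVE_OPENSSL_CRYPTO_H), so the `allow_vulnerable_openssl` member has to exist in builds without ENABLE_OPENSSL_VERSION_CHECK as well. Neither the struct declaration nor the config-parser entry for that member is part of this diff; if either is still wrapped in `#ifdef ENABLE_OPENSSL_VERSION_CHECK`, those builds either stop compiling or pass a value that was never set from the configuration. It is worth confirming both, and labelling the surviving directive as `#endif /* HAVE_OPENSSL_CRYPTO_H */` so it is clear which guard remains.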
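Review bot: When ENABLE_OPENSSL_VERSION_CHECK is undefined, the block opened by `# ifdef ENABLE_OPENSSL_VERSION_CHECK` in the third hunk (closed by `# endif` in the last one) compiles away, and ssl_check_version() returns 0 for a linked library in the 1.0.1 - 1.0.1f range named in the comment, with nothing recording that the screening was skipped. In that configuration `allow_vulnerable` is also unused, which trips -Wunused-parameter; an `# else` arm holding `(void) allow_vulnerable;` keeps such builds warning-free. The doc comment above the function (`@return 0 if ok, else -1`, second hunk) should state that the build/link mismatch test always runs while the vulnerable-version refusal depends on ENABLE_OPENSSL_VERSION_CHECK, so a 0 return is not read as "library was screened". Part of the function body lies between the hunks and is not visible here.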