
#!perl

use strict;
use warnings;

use Test::More;
use Crypt::SSLeay::Version qw(
    openssl_built_on
    openssl_cflags
    openssl_dir
    openssl_platform
    openssl_version
    openssl_version_number
);

{
    # openssl_built_on() is expected to hand back a string that starts with
    # the "built on:" prefix, so check definedness first and then the prefix.
    my $built_on_banner = openssl_built_on();
    ok(defined $built_on_banner, 'openssl_built_on returns a defined value');
    note($built_on_banner);
    like(
        $built_on_banner, qr/\Abuilt on:/,
        'openssl_built_on return value looks valid',
    );
}

{
    # openssl_cflags() is expected to return the "compiler:" line of the
    # OpenSSL build information; log it so failures can be diagnosed.
    my $cflags_banner = openssl_cflags();
    ok(defined $cflags_banner, 'openssl_cflags returns a defined value');
    note($cflags_banner);
    like(
        $cflags_banner, qr/\Acompiler:/,
        'openssl_cflags return value looks valid',
    );
}

{
    # openssl_dir() is expected to return the "OPENSSLDIR:" line of the
    # OpenSSL build information.
    my $openssl_dir_banner = openssl_dir();
    ok(defined $openssl_dir_banner, 'openssl_dir returns a defined value');
    note($openssl_dir_banner);
    like(
        $openssl_dir_banner, qr/\AOPENSSLDIR:/,
        'openssl_dir return value looks valid',
    );
}

{
    # openssl_platform() has no fixed prefix to match against, so only
    # definedness is asserted; the value is logged for the test output.
    my $platform_banner = openssl_platform();
    ok(defined $platform_banner, 'openssl_platform returns a defined value');
    note($platform_banner);
}

{
    # openssl_version() is expected to return the human-readable version
    # string, which starts with the literal "OpenSSL".
    my $version_banner = openssl_version();
    ok(defined $version_banner, 'openssl_version returns a defined value');
    note($version_banner);
    like(
        $version_banner, qr/\AOpenSSL/,
        'openssl_version return value looks valid',
    );
}

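{
    # openssl_version_number() is expected to return the numeric
    # OPENSSL_VERSION_NUMBER, so it is logged in hex and compared numerically.
    my $version_number = openssl_version_number();
    # The description names the function actually under test; it previously
    # referred to a non-existent 'openssl_int_version'.
    ok(defined $version_number, 'openssl_version_number returns a defined value');
    note(sprintf('0x%08x', $version_number));
    # 0x0922 is the lowest version number this test accepts; anything below
    # it is not a plausible OPENSSL_VERSION_NUMBER for a supported build.
    ok($version_number >= 0x0922, 'OpenSSL version geq lowest known version');
}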

# Not a test assertion: this only emits a diag() when the linked OpenSSL is
# one of the CVE-2014-0160 releases, so it never changes the pass/fail count.
warn_if_openssl_possibly_vulnerable_to_heartbleed();

done_testing();

# see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
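sub warn_if_openssl_possibly_vulnerable_to_heartbleed {
    # Emit a diagnostic (via diag(), not a failing test) when the OpenSSL that
    # Crypt::SSLeay is linked against reports one of the version numbers
    # affected by CVE-2014-0160 and was not built with heartbeats disabled.
    #
    # Returns 1 when the diagnostic was emitted; returns an empty list (undef
    # in scalar context) when the library is not on the affected list or has
    # heartbeats compiled out.
    #
    # OPENSSL_VERSION_NUMBER is encoded as 0xMNNFFPPS (major, minor, fix,
    # patch letter, status): 0x1000100f .. 0x1000106f are 1.0.1 through
    # 1.0.1f, and 0x10002001 is 1.0.2-beta1.
    my @affected_version_numbers = (
        0x1000100f,    # 1.0.1
        0x1000101f,    # 1.0.1a
        0x1000102f,    # 1.0.1b
        0x1000103f,    # 1.0.1c
        0x1000104f,    # 1.0.1d
        0x1000105f,    # 1.0.1e
        0x1000106f,    # 1.0.1f
        0x10002001,    # 1.0.2-beta1
    );
    my %is_affected = map { $_ => 1 } @affected_version_numbers;

    # Not one of the affected version numbers. This is a heuristic: a vendor
    # may have backported the fix without bumping the version (the diag text
    # below says so), and an unaffected number says nothing about later CVEs.
    return unless exists $is_affected{ openssl_version_number() };

    # Affected version, but heartbeats were compiled out, so it is immune.
    # Both -D (gcc-style) and /D (MSVC-style) define syntax are accepted.
    return if openssl_cflags() =~ m{[-/]DOPENSSL_NO_HEARTBEATS};

    my $version_string = openssl_version();
    my $built_on       = openssl_built_on();

    # Heredoc is interpolating; the leading indentation is part of the output.
    my $diagnostic = <<EO_DIAG;
    You have '$version_string'
    built on '$built_on'
    and SSL Heartbeats are not disabled.

    That means your client may be vulnerable to a server exploiting the
    Heartbleed bug unless the vulnerability was patched without changing
    version. The vulnerability was disclosed on or about 2014/04/07. A
    build date after that may indicate that the library you are using
    may have been patched. You should check this.

    The risk is compounded by the fact that Crypt::SSLeay does not
    verify hosts.  You can still force install Crypt::SSLeay, but you
    need to be aware of this issue, and strongly consider upgrading to a
    safer version of OpenSSL.

    See also:

      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
      - http://isc.sans.edu/diary/17945
      - http://seclists.org/fulldisclosure/2014/Apr/91
EO_DIAG

    diag($diagnostic);
    return 1;
}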