6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2001 hereUare Communications, Inc. <raghud@hereuare.com>
21 * Copyright 2006 The FreeRADIUS server project
25 USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
27 #include <freeradius-devel/radiusd.h>
30 void cbtls_info(SSL const *s, int where, int ret)
32 char const *str, *state;
33 REQUEST *request = SSL_get_ex_data(s, FR_TLS_EX_INDEX_REQUEST);
35 if ((where & ~SSL_ST_MASK) & SSL_ST_CONNECT) {
37 } else if (((where & ~SSL_ST_MASK)) & SSL_ST_ACCEPT) {
43 state = SSL_state_string_long(s);
44 state = state ? state : "<none>";
46 if ((where & SSL_CB_LOOP) || (where & SSL_CB_HANDSHAKE_START) || (where & SSL_CB_HANDSHAKE_DONE)) {
47 RDEBUG2("%s: %s", str, state);
51 if (where & SSL_CB_ALERT) {
52 if ((ret & 0xff) == SSL_AD_CLOSE_NOTIFY) return;
54 RERROR("TLS Alert %s:%s:%s", (where & SSL_CB_READ) ? "read": "write",
55 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
59 if (where & SSL_CB_EXIT) {
61 RERROR("%s: Failed in %s", str, state);
66 if (SSL_want_read(s)) {
67 RDEBUG2("%s: Need to read more data: %s", str, state);
70 ERROR("tls: %s: Error in %s", str, state);
76 * Fill in our 'info' with TLS data.
78 void cbtls_msg(int write_p, int msg_version, int content_type,
79 void const *inbuf, size_t len,
80 SSL *ssl UNUSED, void *arg)
82 uint8_t const *buf = inbuf;
83 tls_session_t *state = (tls_session_t *)arg;
86 * OpenSSL 1.0.2 calls this function with 'pseudo'
87 * content types. Which breaks our tracking of
88 * the SSL Session state.
90 if ((msg_version == 0) && (content_type > UINT8_MAX)) {
91 DEBUG4("Ignoring cbtls_msg call with pseudo content type %i, version %i",
92 content_type, msg_version);
96 if ((write_p != 0) && (write_p != 1)) {
97 DEBUG4("Ignoring cbtls_msg call with invalid write_p %d", write_p);
102 * Work around bug #298, where we may be called with a NULL
103 * argument. We should really log a serious error
108 * 0 - received (from peer)
109 * 1 - sending (to peer)
111 state->info.origin = write_p;
112 state->info.content_type = content_type;
113 state->info.record_len = len;
114 state->info.version = msg_version;
115 state->info.initialized = true;
117 if (content_type == SSL3_RT_ALERT) {
118 state->info.alert_level = buf[0];
119 state->info.alert_description = buf[1];
120 state->info.handshake_type = 0x00;
122 } else if (content_type == SSL3_RT_HANDSHAKE) {
123 state->info.handshake_type = buf[0];
124 state->info.alert_level = 0x00;
125 state->info.alert_description = 0x00;
127 #ifdef SSL3_RT_HEARTBEAT
128 } else if (content_type == TLS1_RT_HEARTBEAT) {
131 if ((len >= 3) && (p[0] == 1)) {
134 payload_len = (p[1] << 8) | p[2];
136 if ((payload_len + 3) > len) {
137 state->invalid_hb_used = true;
138 ERROR("OpenSSL Heartbeat attack detected. Closing connection");
144 tls_session_information(state);
147 int cbtls_password(char *buf,
152 strcpy(buf, (char *)userdata);
153 return(strlen((char *)userdata));