6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2001 hereUare Communications, Inc. <raghud@hereuare.com>
21 * Copyright 2006 The FreeRADIUS server project
24 #include <freeradius-devel/ident.h>
31 void cbtls_info(const SSL *s, int where, int ret)
33 const char *str, *state;
35 EAP_HANDLER *handler = (EAP_HANDLER *)SSL_get_ex_data(s, 0);
36 REQUEST *request = NULL;
39 if (handler) request = handler->request;
41 w = where & ~SSL_ST_MASK;
42 if (w & SSL_ST_CONNECT) str=" TLS_connect";
43 else if (w & SSL_ST_ACCEPT) str=" TLS_accept";
46 state = SSL_state_string_long(s);
47 state = state ? state : "NULL";
50 if (where & SSL_CB_LOOP) {
51 RDEBUG2("%s: %s", str, state);
52 } else if (where & SSL_CB_HANDSHAKE_START) {
53 RDEBUG2("%s: %s", str, state);
54 } else if (where & SSL_CB_HANDSHAKE_DONE) {
55 RDEBUG2("%s: %s", str, state);
56 } else if (where & SSL_CB_ALERT) {
57 str=(where & SSL_CB_READ)?"read":"write";
59 snprintf(buffer, sizeof(buffer), "TLS Alert %s:%s:%s",
61 SSL_alert_type_string_long(ret),
62 SSL_alert_desc_string_long(ret));
63 } else if (where & SSL_CB_EXIT) {
65 snprintf(buffer, sizeof(buffer), "%s: failed in %s",
69 if (SSL_want_read(s)) {
70 RDEBUG2("%s: Need to read more data: %s",
73 snprintf(buffer, sizeof(buffer),
74 "%s: error in %s", str, state);
80 radlog(L_ERR, "%s", buffer);
85 vp = pairmake("Module-Failure-Message", buffer, T_OP_ADD);
86 if (vp) pairadd(&request->packet->vps, vp);
92 * Fill in our 'info' with TLS data.
94 void cbtls_msg(int write_p, int msg_version, int content_type,
95 const void *buf, size_t len,
96 SSL *ssl UNUSED, void *arg)
98 tls_session_t *state = (tls_session_t *)arg;
101 * Work around for pseudo content types in OpenSSL 1.0.2
103 if ((msg_version == 0) && (content_type > 255)) return;
106 * Work around bug #298, where we may be called with a NULL
107 * argument. We should really log a serious error
111 state->info.origin = (unsigned char)write_p;
112 state->info.content_type = (unsigned char)content_type;
113 state->info.record_len = len;
114 state->info.version = msg_version;
115 state->info.initialized = 1;
117 if (content_type == SSL3_RT_ALERT) {
118 state->info.alert_level = ((const unsigned char*)buf)[0];
119 state->info.alert_description = ((const unsigned char*)buf)[1];
120 state->info.handshake_type = 0x00;
122 } else if (content_type == SSL3_RT_HANDSHAKE) {
123 state->info.handshake_type = ((const unsigned char*)buf)[0];
124 state->info.alert_level = 0x00;
125 state->info.alert_description = 0x00;
127 #ifdef SSL3_RT_HEARTBEAT
128 } else if (content_type == TLS1_RT_HEARTBEAT) {
131 if ((len >= 3) && (p[0] == 1)) {
134 payload_len = (p[1] << 8) | p[2];
136 if ((payload_len + 3) > len) {
137 state->invalid_hb_used = TRUE;
138 ERROR("OpenSSL Heartbeat attack detected. Closing connection");
145 tls_session_information(state);
148 int cbtls_password(char *buf,
153 strcpy(buf, (char *)userdata);
154 return(strlen((char *)userdata));
160 int eaptls_handle_idx = -1;
161 int eaptls_conf_idx = -1;
162 int eaptls_store_idx = -1; /* OCSP Store */
163 int eaptls_session_idx = -1;
165 #endif /* !defined(NO_OPENSSL) */