6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Copyright 2001 hereUare Communications, Inc. <raghud@hereuare.com>
21 * Copyright 2003 Alan DeKok <aland@freeradius.org>
25 tls_session_t *eaptls_new_session(SSL_CTX *ssl_ctx, int client_cert)
27 tls_session_t *state = NULL;
29 int verify_mode = SSL_VERIFY_NONE;
31 if ((new_tls = SSL_new(ssl_ctx)) == NULL) {
32 radlog(L_ERR, "rlm_eap_tls: Error creating new SSL");
33 ERR_print_errors_fp(stderr);
37 /* We use the SSL's "app_data" to indicate a call-back */
38 SSL_set_app_data(new_tls, NULL);
40 state = (tls_session_t *)malloc(sizeof(*state));
41 memset(state, 0, sizeof(*state));
46 * Create & hook the BIOs to handle the dirty side of the
47 * SSL. This is *very important* as we want to handle
48 * the transmission part. Now the only IO interface
49 * that SSL is aware of, is our defined BIO buffers.
51 * This means that all SSL IO is done to/from memory,
52 * and we can update those BIOs from the EAP packets we've
55 state->into_ssl = BIO_new(BIO_s_mem());
56 state->from_ssl = BIO_new(BIO_s_mem());
57 SSL_set_bio(state->ssl, state->into_ssl, state->from_ssl);
60 * Add the message callback to identify what type of
61 * message/handshake is passed
63 SSL_set_msg_callback(new_tls, cbtls_msg);
64 SSL_set_msg_callback_arg(new_tls, state);
65 SSL_set_info_callback(new_tls, cbtls_info);
68 * Verify the peer certificate, if asked.
71 DEBUG2(" rlm_eap_tls: Requiring client certificate");
72 verify_mode = SSL_VERIFY_PEER;
73 verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
74 verify_mode |= SSL_VERIFY_CLIENT_ONCE;
76 SSL_set_verify(state->ssl, verify_mode, cbtls_verify);
79 * In Server mode we only accept.
81 SSL_set_accept_state(state->ssl);
87 * Print out some text describing the error.
89 static void int_ssl_check(SSL *s, int ret, const char *text)
93 ERR_print_errors_fp(stderr);
94 e = SSL_get_error(s, ret);
98 * These seem to be harmless and already "dealt
99 * with" by our non-blocking environment. NB:
100 * "ZERO_RETURN" is the clean "error"
101 * indicating a successfully closed SSL
102 * tunnel. We let this happen because our IO
103 * loop should not appear to have broken on
104 * this condition - and outside the IO loop, the
105 * "shutdown" state is checked.
107 * Don't print anything if we ignore the error.
110 case SSL_ERROR_WANT_READ:
111 case SSL_ERROR_WANT_WRITE:
112 case SSL_ERROR_WANT_X509_LOOKUP:
113 case SSL_ERROR_ZERO_RETURN:
117 * These seem to be indications of a genuine
118 * error that should result in the SSL tunnel
119 * being regarded as "dead".
121 case SSL_ERROR_SYSCALL:
122 radlog(L_ERR, "rlm_eap_tls: %s failed in a system call (%d), TLS session fails.",
124 SSL_set_app_data(s, (char *)1);
128 radlog(L_ERR, "rlm_eap_tls: %s failed inside of TLS (%d), TLS session fails.",
130 SSL_set_app_data(s, (char *)1);
135 * For any other errors that (a) exist, and (b)
136 * crop up - we need to interpret what to do with
137 * them - so "politely inform" the caller that
138 * the code needs updating here.
140 radlog(L_ERR, "rlm_eap_tls: FATAL SSL error ..... %d\n", e);
146 * We are the server, we always get the dirty data
147 * (Handshake data is also considered as dirty data)
148 * During handshake, since SSL API handles itself,
149 * After clean-up, dirty_out will be filled with
150 * the data required for handshaking. So we check
151 * if dirty_out is empty then we simply send it back.
152 * As of now, if handshake is successful, then it is EAP-Success
153 * or else EAP-failure should be sent
155 * Fill the Bio with the dirty data to clean it
156 * Get the cleaned data from SSL, if it is not Handshake data
158 int tls_handshake_recv(tls_session_t *ssn)
162 BIO_write(ssn->into_ssl, ssn->dirty_in.data, ssn->dirty_in.used);
163 err = SSL_read(ssn->ssl, ssn->clean_out.data,
164 sizeof(ssn->clean_out.data));
166 ssn->clean_out.used = err;
168 int_ssl_check(ssn->ssl, err, "SSL_read");
171 /* Some Extra STATE information for easy debugging */
172 if (SSL_is_init_finished(ssn->ssl)) {
173 DEBUG2("SSL Connection Established\n");
175 if (SSL_in_init(ssn->ssl)) {
176 DEBUG2("In SSL Handshake Phase\n");
178 if (SSL_in_before(ssn->ssl)) {
179 DEBUG2("Before SSL Handshake Phase\n");
181 if (SSL_in_accept_init(ssn->ssl)) {
182 DEBUG2("In SSL Accept mode \n");
184 if (SSL_in_connect_init(ssn->ssl)) {
185 DEBUG2("In SSL Connect mode \n");
188 if (ssn->info.content_type != application_data) {
189 err = BIO_read(ssn->from_ssl, ssn->dirty_out.data,
190 sizeof(ssn->dirty_out.data));
192 ssn->dirty_out.used = err;
194 int_ssl_check(ssn->ssl, err, "BIO_read");
195 record_init(&ssn->dirty_in);
199 radlog(L_INFO, "rlm_eap_tls: Application Data");
200 /* Its clean application data, do whatever we want */
201 record_init(&ssn->clean_out);
204 /* We are done with dirty_in, reinitialize it */
205 record_init(&ssn->dirty_in);
210 * Take clear-text user data, and encrypt it into the output buffer,
211 * to send to the client at the other end of the SSL connection.
213 int tls_handshake_send(tls_session_t *ssn)
218 * If there's un-encrypted data in 'clean_in', then write
219 * that data to the SSL session, and then call the BIO function
220 * to get that encrypted data from the SSL session, into
221 * a buffer which we can then package into an EAP packet.
223 * Based on Server's logic this clean_in is expected to
224 * contain the data to send to the client.
226 if (ssn->clean_in.used > 0) {
227 SSL_write(ssn->ssl, ssn->clean_in.data, ssn->clean_in.used);
229 /* Get the dirty data from Bio to send it */
230 err = BIO_read(ssn->from_ssl, ssn->dirty_out.data,
231 sizeof(ssn->dirty_out.data));
233 ssn->dirty_out.used = err;
235 int_ssl_check(ssn->ssl, err, "handshake_send");
242 void session_init(tls_session_t *ssn)
245 ssn->into_ssl = ssn->from_ssl = NULL;
246 record_init(&ssn->clean_in);
247 record_init(&ssn->clean_out);
248 record_init(&ssn->dirty_in);
249 record_init(&ssn->dirty_out);
251 memset(&ssn->info, 0, sizeof(ssn->info));
255 ssn->tls_msg_len = 0;
256 ssn->length_flag = 0;
258 ssn->free_opaque = NULL;
261 void session_close(tls_session_t *ssn)
267 * WARNING: SSL_free seems to decrement the reference counts already,
268 * so doing this might crash the application.
271 BIO_free(ssn->into_ssl);
273 BIO_free(ssn->from_ssl);
275 record_close(&ssn->clean_in);
276 record_close(&ssn->clean_out);
277 record_close(&ssn->dirty_in);
278 record_close(&ssn->dirty_out);
282 void session_free(void *ssn)
284 tls_session_t *sess = (tls_session_t *)ssn;
289 * Free any opaque TTLS or PEAP data.
291 if ((sess->opaque) && (sess->free_opaque)) {
292 sess->free_opaque(sess->opaque);
301 void record_init(record_t *rec)
306 void record_close(record_t *rec)
313 * Copy data to the intermediate buffer, before we send
316 unsigned int record_plus(record_t *rec, const unsigned char *ptr,
319 unsigned int added = MAX_RECORD_SIZE - rec->used;
325 memcpy(rec->data + rec->used, ptr, added);
331 * Take data from the buffer, and give it to the caller.
333 unsigned int record_minus(record_t *rec, unsigned char *ptr,
336 unsigned int taken = rec->used;
343 memcpy(ptr, rec->data, taken);
347 * This is pretty bad...
350 memmove(rec->data, rec->data + taken, rec->used);
354 void tls_session_information(tls_session_t *tls_session)
356 const char *str_write_p, *str_version, *str_content_type = "";
357 const char *str_details1 = "", *str_details2= "";
360 * Don't print this out in the normal course of
363 if (debug_flag == 0) {
367 str_write_p = tls_session->info.origin ? ">>>" : "<<<";
369 switch (tls_session->info.version)
372 str_version = "SSL 2.0";
375 str_version = "SSL 3.0 ";
378 str_version = "TLS 1.0 ";
381 str_version = "Unknown TLS version";
385 if (tls_session->info.version == SSL3_VERSION ||
386 tls_session->info.version == TLS1_VERSION) {
387 switch (tls_session->info.content_type) {
388 case SSL3_RT_CHANGE_CIPHER_SPEC:
389 str_content_type = "ChangeCipherSpec";
392 str_content_type = "Alert";
394 case SSL3_RT_HANDSHAKE:
395 str_content_type = "Handshake";
397 case SSL3_RT_APPLICATION_DATA:
398 str_content_type = "ApplicationData";
401 str_content_type = "UnknownContentType";
405 if (tls_session->info.content_type == SSL3_RT_ALERT) {
406 str_details1 = ", ???";
408 if (tls_session->info.record_len == 2) {
410 switch (tls_session->info.alert_level) {
411 case SSL3_AL_WARNING:
412 str_details1 = ", warning";
415 str_details1 = ", fatal";
419 str_details2 = " ???";
420 switch (tls_session->info.alert_description) {
421 case SSL3_AD_CLOSE_NOTIFY:
422 str_details2 = " close_notify";
424 case SSL3_AD_UNEXPECTED_MESSAGE:
425 str_details2 = " unexpected_message";
427 case SSL3_AD_BAD_RECORD_MAC:
428 str_details2 = " bad_record_mac";
430 case TLS1_AD_DECRYPTION_FAILED:
431 str_details2 = " decryption_failed";
433 case TLS1_AD_RECORD_OVERFLOW:
434 str_details2 = " record_overflow";
436 case SSL3_AD_DECOMPRESSION_FAILURE:
437 str_details2 = " decompression_failure";
439 case SSL3_AD_HANDSHAKE_FAILURE:
440 str_details2 = " handshake_failure";
442 case SSL3_AD_BAD_CERTIFICATE:
443 str_details2 = " bad_certificate";
445 case SSL3_AD_UNSUPPORTED_CERTIFICATE:
446 str_details2 = " unsupported_certificate";
448 case SSL3_AD_CERTIFICATE_REVOKED:
449 str_details2 = " certificate_revoked";
451 case SSL3_AD_CERTIFICATE_EXPIRED:
452 str_details2 = " certificate_expired";
454 case SSL3_AD_CERTIFICATE_UNKNOWN:
455 str_details2 = " certificate_unknown";
457 case SSL3_AD_ILLEGAL_PARAMETER:
458 str_details2 = " illegal_parameter";
460 case TLS1_AD_UNKNOWN_CA:
461 str_details2 = " unknown_ca";
463 case TLS1_AD_ACCESS_DENIED:
464 str_details2 = " access_denied";
466 case TLS1_AD_DECODE_ERROR:
467 str_details2 = " decode_error";
469 case TLS1_AD_DECRYPT_ERROR:
470 str_details2 = " decrypt_error";
472 case TLS1_AD_EXPORT_RESTRICTION:
473 str_details2 = " export_restriction";
475 case TLS1_AD_PROTOCOL_VERSION:
476 str_details2 = " protocol_version";
478 case TLS1_AD_INSUFFICIENT_SECURITY:
479 str_details2 = " insufficient_security";
481 case TLS1_AD_INTERNAL_ERROR:
482 str_details2 = " internal_error";
484 case TLS1_AD_USER_CANCELLED:
485 str_details2 = " user_canceled";
487 case TLS1_AD_NO_RENEGOTIATION:
488 str_details2 = " no_renegotiation";
494 if (tls_session->info.content_type == SSL3_RT_HANDSHAKE) {
495 str_details1 = "???";
497 if (tls_session->info.record_len > 0)
498 switch (tls_session->info.handshake_type)
500 case SSL3_MT_HELLO_REQUEST:
501 str_details1 = ", HelloRequest";
503 case SSL3_MT_CLIENT_HELLO:
504 str_details1 = ", ClientHello";
506 case SSL3_MT_SERVER_HELLO:
507 str_details1 = ", ServerHello";
509 case SSL3_MT_CERTIFICATE:
510 str_details1 = ", Certificate";
512 case SSL3_MT_SERVER_KEY_EXCHANGE:
513 str_details1 = ", ServerKeyExchange";
515 case SSL3_MT_CERTIFICATE_REQUEST:
516 str_details1 = ", CertificateRequest";
518 case SSL3_MT_SERVER_DONE:
519 str_details1 = ", ServerHelloDone";
521 case SSL3_MT_CERTIFICATE_VERIFY:
522 str_details1 = ", CertificateVerify";
524 case SSL3_MT_CLIENT_KEY_EXCHANGE:
525 str_details1 = ", ClientKeyExchange";
527 case SSL3_MT_FINISHED:
528 str_details1 = ", Finished";
534 sprintf(tls_session->info.info_description, "%s %s%s [length %04lx]%s%s\n",
535 str_write_p, str_version, str_content_type,
536 (unsigned long)tls_session->info.record_len, str_details1, str_details2);
537 DEBUG2(" rlm_eap_tls: %s\n", tls_session->info.info_description);