be more flexible about truncated ASN1 times

[freeradius.git] / src / main / tls.c

diff --git a/src/main/tls.c b/src/main/tls.c
index 5f04d28..6816ce6 100644 (file)
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -505,6 +505,7 @@ tls_session_t *tls_new_client_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *con
        talloc_set_destructor(ssn, _tls_session_free);
 
        ssn->ctx = conf->ctx;
+       ssn->mtu = conf->fragment_size;
 
        SSL_CTX_set_mode(ssn->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_AUTO_RETRY);
 
@@ -537,6 +538,21 @@ tls_session_t *tls_new_client_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *con
        SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_SSN, (void *)ssn);
        SSL_set_fd(ssn->ssl, fd);
        ret = SSL_connect(ssn->ssl);
+
+       if (ret < 0) {
+               switch (SSL_get_error(ssn->ssl, ret)) {
+                       default:
+                               break;
+
+
+
+               case SSL_ERROR_WANT_READ:
+               case SSL_ERROR_WANT_WRITE:
+                       ssn->connected = false;
+                       return ssn;
+               }
+       }
+
        if (ret <= 0) {
                tls_error_io_log(NULL, ssn, ret, "Failed in " STRINGIFY(__FUNCTION__) " (SSL_connect)");
                talloc_free(ssn);
@@ -544,8 +560,7 @@ tls_session_t *tls_new_client_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *con
                return NULL;
        }
 
-       ssn->mtu = conf->fragment_size;
-
+       ssn->connected = true;
        return ssn;
 }
 
@@ -823,10 +838,10 @@ static void session_init(tls_session_t *ssn)
 
 static void session_close(tls_session_t *ssn)
 {
-       SSL_set_quiet_shutdown(ssn->ssl, 1);
-       SSL_shutdown(ssn->ssl);
-
        if (ssn->ssl) {
+               SSL_set_quiet_shutdown(ssn->ssl, 1);
+               SSL_shutdown(ssn->ssl);
+
                SSL_free(ssn->ssl);
                ssn->ssl = NULL;
        }
@@ -1457,7 +1472,7 @@ static int ocsp_asn1time_to_epoch(time_t *out, char const *asn1)
                t.tm_year -= 1900;
        }
 
-       if ((end - p) < 10) {
+       if ((end - p) < 4) {
                fr_strerror_printf("ASN1 string too short, expected 10 additional bytes, got %zu bytes",
                                   end - p);
                return -1;
@@ -1467,14 +1482,21 @@ static int ocsp_asn1time_to_epoch(time_t *out, char const *asn1)
        t.tm_mon += (*(p++) - '0') - 1; // -1 since January is 0 not 1.
        t.tm_mday = (*(p++) - '0') * 10;
        t.tm_mday += (*(p++) - '0');
+
+       if ((end - p) < 2) goto done;
        t.tm_hour = (*(p++) - '0') * 10;
        t.tm_hour += (*(p++) - '0');
+
+       if ((end - p) < 2) goto done;
        t.tm_min = (*(p++) - '0') * 10;
        t.tm_min += (*(p++) - '0');
+
+       if ((end - p) < 2) goto done;
        t.tm_sec = (*(p++) - '0') * 10;
        t.tm_sec += (*(p++) - '0');
 
        /* Apparently OpenSSL converts all timestamps to UTC? Maybe? */
+done:
        *out = timegm(&t);
        return 0;
 }
@@ -1590,6 +1612,7 @@ static SSL_SESSION *cbtls_get_session(SSL *ssl, const unsigned char *data, int l
                        /* not safe to un-persist a session w/o VPs */
                        RWDEBUG("Failed loading persisted VPs for session %s", buffer);
                        SSL_SESSION_free(sess);
+                       sess = NULL;
                        goto error;
                }
 
@@ -1601,14 +1624,16 @@ static SSL_SESSION *cbtls_get_session(SSL *ssl, const unsigned char *data, int l
                        time_t expires;
 
                        if (ocsp_asn1time_to_epoch(&expires, vp->vp_strvalue) < 0) {
-                               RDEBUG2("Failed getting certificate expiration, removing cache entry for session %s", buffer);
+                               RDEBUG2("Failed getting certificate expiration, removing cache entry for session %s - %s", buffer, fr_strerror());
                                SSL_SESSION_free(sess);
+                               sess = NULL;
                                goto error;
                        }
 
                        if (expires <= request->timestamp) {
                                RDEBUG2("Certificate has expired, removing cache entry for session %s", buffer);
                                SSL_SESSION_free(sess);
+                               sess = NULL;
                                goto error;
                        }
 
@@ -2016,7 +2041,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
        char            cn_str[1024];
        char            buf[64];
        X509            *client_cert;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
        const STACK_OF(X509_EXTENSION) *ext_list;
 #else
        STACK_OF(X509_EXTENSION) *ext_list;
@@ -2197,7 +2222,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
                        }
                }
                if (names != NULL)
-                       sk_GENERAL_NAME_free(names);
+                       GENERAL_NAMES_free(names);
        }
 
        /*
@@ -2218,7 +2243,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
        }
 
        if (lookup == 0) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
                ext_list = X509_get0_extensions(client_cert);
 #else
                X509_CINF       *client_inf;
@@ -2427,7 +2452,8 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
                                                true, true, EXEC_TIMEOUT) != 0) {
                                AUTH(LOG_PREFIX ": Certificate CN (%s) fails external verification!", common_name);
                                my_ok = 0;
-                       } else {
+
+                       } else  if (request) {
                                RDEBUG("Client certificate CN %s passed external validation", common_name);
                        }
 
@@ -3022,6 +3048,7 @@ post_ca:
                SSL_CTX_set_verify_depth(ctx, conf->verify_depth);
        }
 
+#ifndef LIBRESSL_VERSION_NUMBER
        /* Load randomness */
        if (conf->random_file) {
                if (!(RAND_load_file(conf->random_file, 1024*10))) {
@@ -3029,6 +3056,7 @@ post_ca:
                        return NULL;
                }
        }
+#endif
 
        /*
         * Set the cipher list if we were told to
@@ -3056,9 +3084,9 @@ post_ca:
                }
 
                /*
-                *      Cache it, and DON'T auto-clear it.
+                *      Cache it, DON'T auto-clear it, and disable the internal OpenSSL session cache.
                 */
-               SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR);
+               SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR | SSL_SESS_CACHE_NO_INTERNAL);
 
                SSL_CTX_set_session_id_context(ctx,
                                               (unsigned char *) conf->session_context_id,
@@ -3104,7 +3132,7 @@ static int _tls_server_conf_free(fr_tls_server_conf_t *conf)
        return 0;
 }
 
-static fr_tls_server_conf_t *tls_server_conf_alloc(TALLOC_CTX *ctx)
+fr_tls_server_conf_t *tls_server_conf_alloc(TALLOC_CTX *ctx)
 {
        fr_tls_server_conf_t *conf;
 
@@ -3150,6 +3178,7 @@ fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs)
         *      Only check for certificate things if we don't have a
         *      PSK query.
         */
+#ifdef PSK_MAX_IDENTITY_LEN
        if (conf->psk_identity) {
                if (conf->private_key_file) {
                        WARN(LOG_PREFIX ": Ignoring private key file due to psk_identity being used");
@@ -3159,7 +3188,9 @@ fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs)
                        WARN(LOG_PREFIX ": Ignoring certificate file due to psk_identity being used");
                }
 
-       } else {
+       } else
+#endif
+       {
                if (!conf->private_key_file) {
                        ERROR(LOG_PREFIX ": TLS Server requires a private key file");
                        goto error;