be more flexible about truncated ASN1 times
[freeradius.git] / src / main / tls.c
1 /*
2  * tls.c
3  *
4  * Version:     $Id$
5  *
6  *   This program is free software; you can redistribute it and/or modify
7  *   it under the terms of the GNU General Public License as published by
8  *   the Free Software Foundation; either version 2 of the License, or
9  *   (at your option) any later version.
10  *
11  *   This program is distributed in the hope that it will be useful,
12  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *   GNU General Public License for more details.
15  *
16  *   You should have received a copy of the GNU General Public License
17  *   along with this program; if not, write to the Free Software
18  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19  *
20  * Copyright 2001  hereUare Communications, Inc. <raghud@hereuare.com>
21  * Copyright 2003  Alan DeKok <aland@freeradius.org>
22  * Copyright 2006  The FreeRADIUS server project
23  */
24
25 RCSID("$Id$")
26 USES_APPLE_DEPRECATED_API       /* OpenSSL API has been deprecated by Apple */
27
28 #include <freeradius-devel/radiusd.h>
29 #include <freeradius-devel/process.h>
30 #include <freeradius-devel/rad_assert.h>
31
32 #ifdef HAVE_SYS_STAT_H
33 #include <sys/stat.h>
34 #endif
35
36 #ifdef HAVE_FCNTL_H
37 #include <fcntl.h>
38 #endif
39
40 #ifdef HAVE_UTIME_H
41 #include <utime.h>
42 #endif
43 #include <ctype.h>
44
45 #ifdef WITH_TLS
46 #  ifdef HAVE_OPENSSL_RAND_H
47 #    include <openssl/rand.h>
48 #  endif
49
50 #  ifdef HAVE_OPENSSL_OCSP_H
51 #    include <openssl/ocsp.h>
52 #  endif
53
54 #  ifdef HAVE_OPENSSL_EVP_H
55 #    include <openssl/evp.h>
56 #  endif
57 #  include <openssl/ssl.h>
58
59 #define LOG_PREFIX "tls"
60
61 #ifdef ENABLE_OPENSSL_VERSION_CHECK
62 typedef struct libssl_defect {
63         uint64_t        high;
64         uint64_t        low;
65
66         char const      *id;
67         char const      *name;
68         char const      *comment;
69 } libssl_defect_t;
70
71 /* Record critical defects in libssl here, new versions of OpenSSL to older versions of OpenSSL.  */
72 static libssl_defect_t libssl_defects[] =
73 {
74         {
75                 .low            = 0x01010101f,          /* 1.1.0a */
76                 .high           = 0x01010101f,          /* 1.1.0a */
77                 .id             = "CVE-2016-6309",
78                 .name           = "OCSP status request extension",
79                 .comment        = "For more information see https://www.openssl.org/news/secadv/20160926.txt"
80         },
81         {
82                 .low            = 0x01010100f,          /* 1.1.0  */
83                 .high           = 0x01010100f,          /* 1.1.0  */
84                 .id             = "CVE-2016-6304",
85                 .name           = "OCSP status request extension",
86                 .comment        = "For more information see https://www.openssl.org/news/secadv/20160922.txt"
87         },
88         {
89                 .low            = 0x01000209f,          /* 1.0.2i */
90                 .high           = 0x01000209f,          /* 1.0.2i */
91                 .id             = "CVE-2016-7052",
92                 .name           = "OCSP status request extension",
93                 .comment        = "For more information see https://www.openssl.org/news/secadv/20160926.txt"
94         },
95         {
96                 .low            = 0x01000200f,          /* 1.0.2  */
97                 .high           = 0x01000208f,          /* 1.0.2h */
98                 .id             = "CVE-2016-6304",
99                 .name           = "OCSP status request extension",
100                 .comment        = "For more information see https://www.openssl.org/news/secadv/20160922.txt"
101         },
102         {
103                 .low            = 0x01000100f,          /* 1.0.1  */
104                 .high           = 0x01000114f,          /* 1.0.1t */
105                 .id             = "CVE-2016-6304",
106                 .name           = "OCSP status request extension",
107                 .comment        = "For more information see https://www.openssl.org/news/secadv/20160922.txt"
108         },
109         {
110                 .low            = 0x010001000,          /* 1.0.1  */
111                 .high           = 0x01000106f,          /* 1.0.1f */
112                 .id             = "CVE-2014-0160",
113                 .name           = "Heartbleed",
114                 .comment        = "For more information see http://heartbleed.com"
115         },
116 };
117 #endif /* ENABLE_OPENSSL_VERSION_CHECK */
118
119 FR_NAME_NUMBER const fr_tls_status_table[] = {
120         { "invalid",                    FR_TLS_INVALID },
121         { "request",                    FR_TLS_REQUEST },
122         { "response",                   FR_TLS_RESPONSE },
123         { "success",                    FR_TLS_SUCCESS },
124         { "fail",                       FR_TLS_FAIL },
125         { "noop",                       FR_TLS_NOOP },
126
127         { "start",                      FR_TLS_START },
128         { "ok",                         FR_TLS_OK },
129         { "ack",                        FR_TLS_ACK },
130         { "first fragment",             FR_TLS_FIRST_FRAGMENT },
131         { "more fragments",             FR_TLS_MORE_FRAGMENTS },
132         { "length included",            FR_TLS_LENGTH_INCLUDED },
133         { "more fragments with length", FR_TLS_MORE_FRAGMENTS_WITH_LENGTH },
134         { "handled",                    FR_TLS_HANDLED },
135         {  NULL ,                       -1},
136 };
137
138 /* index we use to store cached session VPs
139  * needs to be dynamic so we can supply a "free" function
140  */
141 int fr_tls_ex_index_vps = -1;
142 int fr_tls_ex_index_certs = -1;
143
144 /* Session */
145 static void             session_close(tls_session_t *ssn);
146 static void             session_init(tls_session_t *ssn);
147
148 /* record */
149 static void             record_init(record_t *buf);
150 static void             record_close(record_t *buf);
151 static unsigned int     record_plus(record_t *buf, void const *ptr,
152                                     unsigned int size);
153 static unsigned int     record_minus(record_t *buf, void *ptr,
154                                      unsigned int size);
155
156 DIAG_OFF(format-nonliteral)
157 /** Print errors in the TLS thread local error stack
158  *
159  * Drains the thread local OpenSSL error queue, and prints out errors.
160  *
161  * @param[in] request   The current request (may be NULL).
162  * @param[in] msg       Error message describing the operation being attempted.
163  * @param[in] ap        Arguments for msg.
164  * @return the number of errors drained from the stack.
165  */
166 static int tls_verror_log(REQUEST *request, char const *msg, va_list ap)
167 {
168         unsigned long   error;
169         char            *p;
170         int             in_stack = 0;
171         char            buffer[256];
172
173         int             line;
174         char const      *file;
175
176         /*
177          *      Pop the first error, so ERR_peek_error()
178          *      can be used to determine if there are
179          *      multiple errors.
180          */
181         error = ERR_get_error_line(&file, &line);
182
183         if (msg) {
184                 p = talloc_vasprintf(request, msg, ap);
185
186                 /*
187                  *      Single line mode (there's only one error)
188                  */
189                 if (error && !ERR_peek_error()) {
190                         ERR_error_string_n(error, buffer, sizeof(buffer));
191
192                         /* Extra verbose */
193                         if ((request && RDEBUG_ENABLED3) || DEBUG_ENABLED3) {
194                                 ROPTIONAL(REDEBUG, ERROR, "%s: %s[%i]:%s", p, file, line, buffer);
195                         } else {
196                                 ROPTIONAL(REDEBUG, ERROR, "%s: %s", p, buffer);
197                         }
198
199                         talloc_free(p);
200
201                         return 1;
202                 }
203
204                 /*
205                  *      Print the error we were given, irrespective
206                  *      of whether there were any OpenSSL errors.
207                  */
208                 ROPTIONAL(RERROR, ERROR, "%s", p);
209                 talloc_free(p);
210         }
211
212         /*
213          *      Stack mode (there are multiple errors)
214          */
215         if (!error) return 0;
216         do {
217                 ERR_error_string_n(error, buffer, sizeof(buffer));
218                 /* Extra verbose */
219                 if ((request && RDEBUG_ENABLED3) || DEBUG_ENABLED3) {
220                         ROPTIONAL(REDEBUG, ERROR, "%s[%i]:%s", file, line, buffer);
221                 } else {
222                         ROPTIONAL(REDEBUG, ERROR, "%s", buffer);
223                 }
224                 in_stack++;
225         } while ((error = ERR_get_error_line(&file, &line)));
226
227         return in_stack;
228 }
229 DIAG_ON(format-nonliteral)
230
231 /** Print errors in the TLS thread local error stack
232  *
233  * Drains the thread local OpenSSL error queue, and prints out errors.
234  *
235  * @param[in] request   The current request (may be NULL).
236  * @param[in] msg       Error message describing the operation being attempted.
237  * @param[in] ...       Arguments for msg.
238  * @return the number of errors drained from the stack.
239  */
240 int tls_error_log(REQUEST *request, char const *msg, ...)
241 {
242         va_list ap;
243         int ret;
244
245         va_start(ap, msg);
246         ret = tls_verror_log(request, msg, ap);
247         va_end(ap);
248
249         return ret;
250 }
251
252 /** Print errors raised by OpenSSL I/O functions
253  *
254  * Drains the thread local OpenSSL error queue, and prints out errors
255  * based on the SSL handle and the return code of the I/O  function.
256  *
257  * OpenSSL lists I/O functions to be:
258  *   - SSL_connect
259  *   - SSL_accept
260  *   - SSL_do_handshake
261  *   - SSL_read
262  *   - SSL_peek
263  *   - SSL_write
264  *
265  * @param request       The current request (may be NULL).
266  * @param session       The current tls_session.
267  * @param ret           from the I/O operation.
268  * @param msg           Error message describing the operation being attempted.
269  * @param ...           Arguments for msg.
270  * @return
271  *      - 0 TLS session cannot continue.
272  *      - 1 TLS session may still be viable.
273  */
274 int tls_error_io_log(REQUEST *request, tls_session_t *session, int ret, char const *msg, ...)
275 {
276         int     error;
277         va_list ap;
278
279         if (ERR_peek_error()) {
280                 va_start(ap, msg);
281                 tls_verror_log(request, msg, ap);
282                 va_end(ap);
283         }
284
285         error = SSL_get_error(session->ssl, ret);
286         switch (error) {
287         /*
288          *      These seem to be harmless and already "dealt
289          *      with" by our non-blocking environment. NB:
290          *      "ZERO_RETURN" is the clean "error"
291          *      indicating a successfully closed SSL
292          *      tunnel. We let this happen because our IO
293          *      loop should not appear to have broken on
294          *      this condition - and outside the IO loop, the
295          *      "shutdown" state is checked.
296          *
297          *      Don't print anything if we ignore the error.
298          */
299         case SSL_ERROR_NONE:
300         case SSL_ERROR_WANT_READ:
301         case SSL_ERROR_WANT_WRITE:
302         case SSL_ERROR_WANT_X509_LOOKUP:
303         case SSL_ERROR_ZERO_RETURN:
304                 break;
305
306         /*
307          *      These seem to be indications of a genuine
308          *      error that should result in the SSL tunnel
309          *      being regarded as "dead".
310          */
311         case SSL_ERROR_SYSCALL:
312                 ROPTIONAL(REDEBUG, ERROR, "System call (I/O) error (%i)", ret);
313                 return 0;
314
315         case SSL_ERROR_SSL:
316                 ROPTIONAL(REDEBUG, ERROR, "TLS protocol error (%i)", ret);
317                 return 0;
318
319         /*
320          *      For any other errors that (a) exist, and (b)
321          *      crop up - we need to interpret what to do with
322          *      them - so "politely inform" the caller that
323          *      the code needs updating here.
324          */
325         default:
326                 ROPTIONAL(REDEBUG, ERROR, "TLS session error %i (%i)", error, ret);
327                 return 0;
328         }
329
330         return 1;
331 }
332
333 #ifdef PSK_MAX_IDENTITY_LEN
334 static bool identity_is_safe(const char *identity)
335 {
336         char c;
337
338         if (!identity) return true;
339
340         while ((c = *(identity++)) != '\0') {
341                 if (isalpha((int) c) || isdigit((int) c) || isspace((int) c) ||
342                     (c == '@') || (c == '-') || (c == '_') || (c == '.')) {
343                         continue;
344                 }
345
346                 return false;
347         }
348
349         return true;
350 }
351
352 /*
353  *      When a client uses TLS-PSK to talk to a server, this callback
354  *      is used by the server to determine the PSK to use.
355  */
356 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
357                                         unsigned char *psk,
358                                         unsigned int max_psk_len)
359 {
360         unsigned int psk_len = 0;
361         fr_tls_server_conf_t *conf;
362         REQUEST *request;
363
364         conf = (fr_tls_server_conf_t *)SSL_get_ex_data(ssl,
365                                                        FR_TLS_EX_INDEX_CONF);
366         if (!conf) return 0;
367
368         request = (REQUEST *)SSL_get_ex_data(ssl,
369                                              FR_TLS_EX_INDEX_REQUEST);
370         if (request && conf->psk_query) {
371                 size_t hex_len;
372                 VALUE_PAIR *vp;
373                 char buffer[2 * PSK_MAX_PSK_LEN + 4]; /* allow for too-long keys */
374
375                 /*
376                  *      The passed identity is weird.  Deny it.
377                  */
378                 if (!identity_is_safe(identity)) {
379                         RWDEBUG("Invalid characters in PSK identity %s", identity);
380                         return 0;
381                 }
382
383                 vp = pair_make_request("TLS-PSK-Identity", identity, T_OP_SET);
384                 if (!vp) return 0;
385
386                 hex_len = radius_xlat(buffer, sizeof(buffer), request, conf->psk_query,
387                                       NULL, NULL);
388                 if (!hex_len) {
389                         RWDEBUG("PSK expansion returned an empty string.");
390                         return 0;
391                 }
392
393                 /*
394                  *      The returned key is truncated at MORE than
395                  *      OpenSSL can handle.  That way we can detect
396                  *      the truncation, and complain about it.
397                  */
398                 if (hex_len > (2 * max_psk_len)) {
399                         RWDEBUG("Returned PSK is too long (%u > %u)",
400                                 (unsigned int) hex_len, 2 * max_psk_len);
401                         return 0;
402                 }
403
404                 /*
405                  *      Leave the TLS-PSK-Identity in the request, and
406                  *      convert the expansion from printable string
407                  *      back to hex.
408                  */
409                 return fr_hex2bin(psk, max_psk_len, buffer, hex_len);
410         }
411
412         if (!conf->psk_identity) {
413                 DEBUG("No static PSK identity set.  Rejecting the user");
414                 return 0;
415         }
416
417         /*
418          *      No REQUEST, or no dynamic query.  Just look for a
419          *      static identity.
420          */
421         if (strcmp(identity, conf->psk_identity) != 0) {
422                 ERROR("Supplied PSK identity %s does not match configuration.  Rejecting.",
423                       identity);
424                 return 0;
425         }
426
427         psk_len = strlen(conf->psk_password);
428         if (psk_len > (2 * max_psk_len)) return 0;
429
430         return fr_hex2bin(psk, max_psk_len, conf->psk_password, psk_len);
431 }
432
433 static unsigned int psk_client_callback(SSL *ssl, UNUSED char const *hint,
434                                         char *identity, unsigned int max_identity_len,
435                                         unsigned char *psk, unsigned int max_psk_len)
436 {
437         unsigned int psk_len;
438         fr_tls_server_conf_t *conf;
439
440         conf = (fr_tls_server_conf_t *)SSL_get_ex_data(ssl,
441                                                        FR_TLS_EX_INDEX_CONF);
442         if (!conf) return 0;
443
444         psk_len = strlen(conf->psk_password);
445         if (psk_len > (2 * max_psk_len)) return 0;
446
447         strlcpy(identity, conf->psk_identity, max_identity_len);
448
449         return fr_hex2bin(psk, max_psk_len, conf->psk_password, psk_len);
450 }
451
452 #endif
453
454 #define MAX_SESSION_SIZE (256)
455
456
457 void tls_session_id(SSL_SESSION *ssn, char *buffer, size_t bufsize)
458 {
459 #if OPENSSL_VERSION_NUMBER < 0x10001000L
460         size_t size;
461
462         size = ssn->session_id_length;
463         if (size > bufsize) size = bufsize;
464
465         fr_bin2hex(buffer, ssn->session_id, size);
466 #else
467         unsigned int size;
468         uint8_t const *p;
469
470         p = SSL_SESSION_get_id(ssn, &size);
471         if (size > bufsize) size = bufsize;
472
473         fr_bin2hex(buffer, p, size);
474
475 #endif
476 }
477
478
479
480 static int _tls_session_free(tls_session_t *ssn)
481 {
482         /*
483          *      Free any opaque TTLS or PEAP data.
484          */
485         if ((ssn->opaque) && (ssn->free_opaque)) {
486                 ssn->free_opaque(ssn->opaque);
487                 ssn->opaque = NULL;
488         }
489
490         session_close(ssn);
491
492         return 0;
493 }
494
495 tls_session_t *tls_new_client_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, int fd)
496 {
497         int ret;
498         int verify_mode;
499         tls_session_t *ssn = NULL;
500         REQUEST *request;
501
502         ssn = talloc_zero(ctx, tls_session_t);
503         if (!ssn) return NULL;
504
505         talloc_set_destructor(ssn, _tls_session_free);
506
507         ssn->ctx = conf->ctx;
508         ssn->mtu = conf->fragment_size;
509
510         SSL_CTX_set_mode(ssn->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_AUTO_RETRY);
511
512         ssn->ssl = SSL_new(ssn->ctx);
513         if (!ssn->ssl) {
514                 talloc_free(ssn);
515                 return NULL;
516         }
517
518         request = request_alloc(ssn);
519         SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request);
520
521         /*
522          *      Add the message callback to identify what type of
523          *      message/handshake is passed
524          */
525         SSL_set_msg_callback(ssn->ssl, cbtls_msg);
526         SSL_set_msg_callback_arg(ssn->ssl, ssn);
527         SSL_set_info_callback(ssn->ssl, cbtls_info);
528
529         /*
530          *      Always verify the peer certificate.
531          */
532         DEBUG2("Requiring Server certificate");
533         verify_mode = SSL_VERIFY_PEER;
534         verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
535         SSL_set_verify(ssn->ssl, verify_mode, cbtls_verify);
536
537         SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf);
538         SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_SSN, (void *)ssn);
539         SSL_set_fd(ssn->ssl, fd);
540         ret = SSL_connect(ssn->ssl);
541
542         if (ret < 0) {
543                 switch (SSL_get_error(ssn->ssl, ret)) {
544                         default:
545                                 break;
546
547
548
549                 case SSL_ERROR_WANT_READ:
550                 case SSL_ERROR_WANT_WRITE:
551                         ssn->connected = false;
552                         return ssn;
553                 }
554         }
555
556         if (ret <= 0) {
557                 tls_error_io_log(NULL, ssn, ret, "Failed in " STRINGIFY(__FUNCTION__) " (SSL_connect)");
558                 talloc_free(ssn);
559
560                 return NULL;
561         }
562
563         ssn->connected = true;
564         return ssn;
565 }
566
567
568 /** Create a new TLS session
569  *
570  * Configures a new TLS session, configuring options, setting callbacks etc...
571  *
572  * @param ctx to alloc session data in. Should usually be NULL unless the lifetime of the
573  *      session is tied to another talloc'd object.
574  * @param conf to use to configure the tls session.
575  * @param request The current #REQUEST.
576  * @param client_cert Whether to require a client_cert.
577  * @return a new session on success, or NULL on error.
578  */
579 tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQUEST *request, bool client_cert)
580 {
581         tls_session_t   *state = NULL;
582         SSL             *new_tls = NULL;
583         int             verify_mode = 0;
584         VALUE_PAIR      *vp;
585
586         rad_assert(request != NULL);
587
588         RDEBUG2("Initiating new EAP-TLS session");
589
590         /*
591          *      Manually flush the sessions every so often.  If HALF
592          *      of the session lifetime has passed since we last
593          *      flushed, then flush it again.
594          *
595          *      FIXME: Also do it every N sessions?
596          */
597         if (conf->session_cache_enable &&
598             ((conf->session_last_flushed + ((int)conf->session_timeout * 1800)) <= request->timestamp)){
599                 RDEBUG2("Flushing SSL sessions (of #%ld)", SSL_CTX_sess_number(conf->ctx));
600
601                 SSL_CTX_flush_sessions(conf->ctx, request->timestamp);
602                 conf->session_last_flushed = request->timestamp;
603         }
604
605         new_tls = SSL_new(conf->ctx);
606         if (new_tls == NULL) {
607                 tls_error_log(request, "Error creating new TLS session");
608                 return NULL;
609         }
610
611         /* We use the SSL's "app_data" to indicate a call-back */
612         SSL_set_app_data(new_tls, NULL);
613
614         if ((state = talloc_zero(ctx, tls_session_t)) == NULL) {
615                 RERROR("Error allocating memory for SSL state");
616                 return NULL;
617         }
618         session_init(state);
619         talloc_set_destructor(state, _tls_session_free);
620
621         state->ctx = conf->ctx;
622         state->ssl = new_tls;
623
624         /*
625          *      Initialize callbacks
626          */
627         state->record_init = record_init;
628         state->record_close = record_close;
629         state->record_plus = record_plus;
630         state->record_minus = record_minus;
631
632         /*
633          *      Create & hook the BIOs to handle the dirty side of the
634          *      SSL.  This is *very important* as we want to handle
635          *      the transmission part.  Now the only IO interface
636          *      that SSL is aware of, is our defined BIO buffers.
637          *
638          *      This means that all SSL IO is done to/from memory,
639          *      and we can update those BIOs from the packets we've
640          *      received.
641          */
642         state->into_ssl = BIO_new(BIO_s_mem());
643         state->from_ssl = BIO_new(BIO_s_mem());
644         SSL_set_bio(state->ssl, state->into_ssl, state->from_ssl);
645
646         /*
647          *      Add the message callback to identify what type of
648          *      message/handshake is passed
649          */
650         SSL_set_msg_callback(new_tls, cbtls_msg);
651         SSL_set_msg_callback_arg(new_tls, state);
652         SSL_set_info_callback(new_tls, cbtls_info);
653
654         /*
655          *      In Server mode we only accept.
656          */
657         SSL_set_accept_state(state->ssl);
658
659         /*
660          *      Verify the peer certificate, if asked.
661          */
662         if (client_cert) {
663                 RDEBUG2("Setting verify mode to require certificate from client");
664                 verify_mode = SSL_VERIFY_PEER;
665                 verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
666                 verify_mode |= SSL_VERIFY_CLIENT_ONCE;
667         }
668         SSL_set_verify(state->ssl, verify_mode, cbtls_verify);
669
670         SSL_set_ex_data(state->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf);
671         SSL_set_ex_data(state->ssl, FR_TLS_EX_INDEX_SSN, (void *)state);
672         state->length_flag = conf->include_length;
673
674         /*
675          *      We use default fragment size, unless the Framed-MTU
676          *      tells us it's too big.  Note that we do NOT account
677          *      for the EAP-TLS headers if conf->fragment_size is
678          *      large, because that config item looks to be confusing.
679          *
680          *      i.e. it should REALLY be called MTU, and the code here
681          *      should figure out what that means for TLS fragment size.
682          *      asking the administrator to know the internal details
683          *      of EAP-TLS in order to calculate fragment sizes is
684          *      just too much.
685          */
686         state->mtu = conf->fragment_size;
687         vp = fr_pair_find_by_num(request->packet->vps, PW_FRAMED_MTU, 0, TAG_ANY);
688         if (vp && (vp->vp_integer > 100) && (vp->vp_integer < state->mtu)) {
689                 state->mtu = vp->vp_integer;
690         }
691
692         if (conf->session_cache_enable) state->allow_session_resumption = true; /* otherwise it's false */
693
694         return state;
695 }
696
697 /*
698  * We are the server, we always get the dirty data
699  * (Handshake data is also considered as dirty data)
700  * During handshake, since SSL API handles itself,
701  * After clean-up, dirty_out will be filled with
702  * the data required for handshaking. So we check
703  * if dirty_out is empty then we simply send it back.
704  * As of now, if handshake is successful, then we keep going,
705  * otherwise we fail.
706  *
707  * Fill the Bio with the dirty data to clean it
708  * Get the cleaned data from SSL, if it is not Handshake data
709  */
710 int tls_handshake_recv(REQUEST *request, tls_session_t *ssn)
711 {
712         int err;
713
714         if (ssn->invalid_hb_used) return 0;
715
716         err = BIO_write(ssn->into_ssl, ssn->dirty_in.data, ssn->dirty_in.used);
717         if (err != (int) ssn->dirty_in.used) {
718                 REDEBUG("Failed writing %zd bytes to SSL BIO: %d", ssn->dirty_in.used, err);
719                 record_init(&ssn->dirty_in);
720                 return 0;
721         }
722         record_init(&ssn->dirty_in);
723
724         err = SSL_read(ssn->ssl, ssn->clean_out.data + ssn->clean_out.used,
725                        sizeof(ssn->clean_out.data) - ssn->clean_out.used);
726         if (err > 0) {
727                 ssn->clean_out.used += err;
728                 return 1;
729         }
730
731         if (!tls_error_io_log(request, ssn, err, "Failed in " STRINGIFY(__FUNCTION__) " (SSL_read)")) return 0;
732
733         /* Some Extra STATE information for easy debugging */
734         if (SSL_is_init_finished(ssn->ssl)) RDEBUG2("SSL Connection Established");
735         if (SSL_in_init(ssn->ssl)) RDEBUG2("In SSL Handshake Phase");
736         if (SSL_in_before(ssn->ssl)) RDEBUG2("Before SSL Handshake Phase");
737         if (SSL_in_accept_init(ssn->ssl)) RDEBUG2("In SSL Accept mode");
738         if (SSL_in_connect_init(ssn->ssl)) RDEBUG2("In SSL Connect mode");
739
740 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
741         /*
742          *      Cache the SSL_SESSION pointer.
743          */
744         if (!ssn->ssl_session && SSL_is_init_finished(ssn->ssl)) {
745                 ssn->ssl_session = SSL_get_session(ssn->ssl);
746                 if (!ssn->ssl_session) {
747                         RDEBUG("Failed getting SSL session");
748                         return 0;
749                 }
750         }
751 #endif
752
753         err = BIO_ctrl_pending(ssn->from_ssl);
754         if (err > 0) {
755                 err = BIO_read(ssn->from_ssl, ssn->dirty_out.data,
756                                sizeof(ssn->dirty_out.data));
757                 if (err > 0) {
758                         ssn->dirty_out.used = err;
759
760                 } else if (BIO_should_retry(ssn->from_ssl)) {
761                         record_init(&ssn->dirty_in);
762                         RDEBUG2("Asking for more data in tunnel");
763                         return 1;
764
765                 } else {
766                         tls_error_log(NULL, NULL);
767                         record_init(&ssn->dirty_in);
768                         return 0;
769                 }
770         } else {
771                 RDEBUG2("SSL Application Data");
772                 /* Its clean application data, do whatever we want */
773                 record_init(&ssn->clean_out);
774         }
775
776         /* We are done with dirty_in, reinitialize it */
777         record_init(&ssn->dirty_in);
778         return 1;
779 }
780
781 /*
782  *      Take cleartext user data, and encrypt it into the output buffer,
783  *      to send to the client at the other end of the SSL connection.
784  */
785 int tls_handshake_send(REQUEST *request, tls_session_t *ssn)
786 {
787         int err;
788
789         /*
790          *      If there's un-encrypted data in 'clean_in', then write
791          *      that data to the SSL session, and then call the BIO function
792          *      to get that encrypted data from the SSL session, into
793          *      a buffer which we can then package into an EAP packet.
794          *
795          *      Based on Server's logic this clean_in is expected to
796          *      contain the data to send to the client.
797          */
798         if (ssn->clean_in.used > 0) {
799                 int written;
800
801                 written = SSL_write(ssn->ssl, ssn->clean_in.data, ssn->clean_in.used);
802                 record_minus(&ssn->clean_in, NULL, written);
803
804                 /* Get the dirty data from Bio to send it */
805                 err = BIO_read(ssn->from_ssl, ssn->dirty_out.data,
806                                sizeof(ssn->dirty_out.data));
807                 if (err > 0) {
808                         ssn->dirty_out.used = err;
809                 } else {
810                         if (!tls_error_io_log(request, ssn, err,
811                                               "Failed in " STRINGIFY(__FUNCTION__) " (SSL_write)")) {
812                                 return 0;
813                         }
814                 }
815         }
816
817         return 1;
818 }
819
820 static void session_init(tls_session_t *ssn)
821 {
822         ssn->ssl = NULL;
823         ssn->into_ssl = ssn->from_ssl = NULL;
824         record_init(&ssn->clean_in);
825         record_init(&ssn->clean_out);
826         record_init(&ssn->dirty_in);
827         record_init(&ssn->dirty_out);
828
829         memset(&ssn->info, 0, sizeof(ssn->info));
830
831         ssn->mtu = 0;
832         ssn->fragment = false;
833         ssn->tls_msg_len = 0;
834         ssn->length_flag = false;
835         ssn->opaque = NULL;
836         ssn->free_opaque = NULL;
837 }
838
839 static void session_close(tls_session_t *ssn)
840 {
841         if (ssn->ssl) {
842                 SSL_set_quiet_shutdown(ssn->ssl, 1);
843                 SSL_shutdown(ssn->ssl);
844
845                 SSL_free(ssn->ssl);
846                 ssn->ssl = NULL;
847         }
848
849         record_close(&ssn->clean_in);
850         record_close(&ssn->clean_out);
851         record_close(&ssn->dirty_in);
852         record_close(&ssn->dirty_out);
853         session_init(ssn);
854 }
855
856 static void record_init(record_t *rec)
857 {
858         rec->used = 0;
859 }
860
861 static void record_close(record_t *rec)
862 {
863         rec->used = 0;
864 }
865
866
867 /*
868  *      Copy data to the intermediate buffer, before we send
869  *      it somewhere.
870  */
871 static unsigned int record_plus(record_t *rec, void const *ptr,
872                                 unsigned int size)
873 {
874         unsigned int added = MAX_RECORD_SIZE - rec->used;
875
876         if(added > size)
877                 added = size;
878         if(added == 0)
879                 return 0;
880         memcpy(rec->data + rec->used, ptr, added);
881         rec->used += added;
882         return added;
883 }
884
885 /*
886  *      Take data from the buffer, and give it to the caller.
887  */
888 static unsigned int record_minus(record_t *rec, void *ptr,
889                                  unsigned int size)
890 {
891         unsigned int taken = rec->used;
892
893         if(taken > size)
894                 taken = size;
895         if(taken == 0)
896                 return 0;
897         if(ptr)
898                 memcpy(ptr, rec->data, taken);
899         rec->used -= taken;
900
901         /*
902          *      This is pretty bad...
903          */
904         if (rec->used > 0) memmove(rec->data, rec->data + taken, rec->used);
905
906         return taken;
907 }
908
909 void tls_session_information(tls_session_t *tls_session)
910 {
911         char const *str_write_p, *str_version, *str_content_type = "";
912         char const *str_details1 = "", *str_details2= "";
913         REQUEST *request;
914         char buffer[32];
915
916         /*
917          *      Don't print this out in the normal course of
918          *      operations.
919          */
920         if (rad_debug_lvl == 0) return;
921
922         str_write_p = tls_session->info.origin ? ">>> send" : "<<< recv";
923
924         switch (tls_session->info.version) {
925         case SSL2_VERSION:
926                 str_version = "SSL 2.0 ";
927                 break;
928         case SSL3_VERSION:
929                 str_version = "SSL 3.0 ";
930                 break;
931         case TLS1_VERSION:
932                 str_version = "TLS 1.0 ";
933                 break;
934 #ifdef TLS1_1_VERSION
935         case TLS1_1_VERSION:
936                 str_version = "TLS 1.1 ";
937                 break;
938 #endif
939 #ifdef TLS1_2_VERSION
940         case TLS1_2_VERSION:
941                 str_version = "TLS 1.2 ";
942                 break;
943 #endif
944 #ifdef TLS1_3_VERSON
945         case TLS1_3_VERSION:
946                 str_version = "TLS 1.3 ";
947                 break;
948 #endif
949
950         default:
951                 sprintf(buffer, "UNKNOWN TLS VERSION ?%04X?", tls_session->info.version);
952                 str_version = buffer;
953                 break;
954         }
955
956         if (tls_session->info.version == SSL3_VERSION ||
957             tls_session->info.version == TLS1_VERSION) {
958                 switch (tls_session->info.content_type) {
959                 case SSL3_RT_CHANGE_CIPHER_SPEC:
960                         str_content_type = "ChangeCipherSpec";
961                         break;
962
963                 case SSL3_RT_ALERT:
964                         str_content_type = "Alert";
965                         break;
966
967                 case SSL3_RT_HANDSHAKE:
968                         str_content_type = "Handshake";
969                         break;
970
971                 case SSL3_RT_APPLICATION_DATA:
972                         str_content_type = "ApplicationData";
973                         break;
974
975                 default:
976                         str_content_type = "UnknownContentType";
977                         break;
978                 }
979
980                 if (tls_session->info.content_type == SSL3_RT_ALERT) {
981                         str_details1 = ", ???";
982
983                         if (tls_session->info.record_len == 2) {
984
985                                 switch (tls_session->info.alert_level) {
986                                 case SSL3_AL_WARNING:
987                                         str_details1 = ", warning";
988                                         break;
989                                 case SSL3_AL_FATAL:
990                                         str_details1 = ", fatal";
991                                         break;
992                                 }
993
994                                 str_details2 = " ???";
995                                 switch (tls_session->info.alert_description) {
996                                 case SSL3_AD_CLOSE_NOTIFY:
997                                         str_details2 = " close_notify";
998                                         break;
999
1000                                 case SSL3_AD_UNEXPECTED_MESSAGE:
1001                                         str_details2 = " unexpected_message";
1002                                         break;
1003
1004                                 case SSL3_AD_BAD_RECORD_MAC:
1005                                         str_details2 = " bad_record_mac";
1006                                         break;
1007
1008                                 case TLS1_AD_DECRYPTION_FAILED:
1009                                         str_details2 = " decryption_failed";
1010                                         break;
1011
1012                                 case TLS1_AD_RECORD_OVERFLOW:
1013                                         str_details2 = " record_overflow";
1014                                         break;
1015
1016                                 case SSL3_AD_DECOMPRESSION_FAILURE:
1017                                         str_details2 = " decompression_failure";
1018                                         break;
1019
1020                                 case SSL3_AD_HANDSHAKE_FAILURE:
1021                                         str_details2 = " handshake_failure";
1022                                         break;
1023
1024                                 case SSL3_AD_BAD_CERTIFICATE:
1025                                         str_details2 = " bad_certificate";
1026                                         break;
1027
1028                                 case SSL3_AD_UNSUPPORTED_CERTIFICATE:
1029                                         str_details2 = " unsupported_certificate";
1030                                         break;
1031
1032                                 case SSL3_AD_CERTIFICATE_REVOKED:
1033                                         str_details2 = " certificate_revoked";
1034                                         break;
1035
1036                                 case SSL3_AD_CERTIFICATE_EXPIRED:
1037                                         str_details2 = " certificate_expired";
1038                                         break;
1039
1040                                 case SSL3_AD_CERTIFICATE_UNKNOWN:
1041                                         str_details2 = " certificate_unknown";
1042                                         break;
1043
1044                                 case SSL3_AD_ILLEGAL_PARAMETER:
1045                                         str_details2 = " illegal_parameter";
1046                                         break;
1047
1048                                 case TLS1_AD_UNKNOWN_CA:
1049                                         str_details2 = " unknown_ca";
1050                                         break;
1051
1052                                 case TLS1_AD_ACCESS_DENIED:
1053                                         str_details2 = " access_denied";
1054                                         break;
1055
1056                                 case TLS1_AD_DECODE_ERROR:
1057                                         str_details2 = " decode_error";
1058                                         break;
1059
1060                                 case TLS1_AD_DECRYPT_ERROR:
1061                                         str_details2 = " decrypt_error";
1062                                         break;
1063
1064                                 case TLS1_AD_EXPORT_RESTRICTION:
1065                                         str_details2 = " export_restriction";
1066                                         break;
1067
1068                                 case TLS1_AD_PROTOCOL_VERSION:
1069                                         str_details2 = " protocol_version";
1070                                         break;
1071
1072                                 case TLS1_AD_INSUFFICIENT_SECURITY:
1073                                         str_details2 = " insufficient_security";
1074                                         break;
1075
1076                                 case TLS1_AD_INTERNAL_ERROR:
1077                                         str_details2 = " internal_error";
1078                                         break;
1079
1080                                 case TLS1_AD_USER_CANCELLED:
1081                                         str_details2 = " user_canceled";
1082                                         break;
1083
1084                                 case TLS1_AD_NO_RENEGOTIATION:
1085                                         str_details2 = " no_renegotiation";
1086                                         break;
1087                                 }
1088                         }
1089                 }
1090
1091                 if (tls_session->info.content_type == SSL3_RT_HANDSHAKE) {
1092                         str_details1 = "???";
1093
1094                         if (tls_session->info.record_len > 0) switch (tls_session->info.handshake_type) {
1095                         case SSL3_MT_HELLO_REQUEST:
1096                                 str_details1 = ", HelloRequest";
1097                                 break;
1098
1099                         case SSL3_MT_CLIENT_HELLO:
1100                                 str_details1 = ", ClientHello";
1101                                 break;
1102
1103                         case SSL3_MT_SERVER_HELLO:
1104                                 str_details1 = ", ServerHello";
1105                                 break;
1106
1107                         case SSL3_MT_CERTIFICATE:
1108                                 str_details1 = ", Certificate";
1109                                 break;
1110
1111                         case SSL3_MT_SERVER_KEY_EXCHANGE:
1112                                 str_details1 = ", ServerKeyExchange";
1113                                 break;
1114
1115                         case SSL3_MT_CERTIFICATE_REQUEST:
1116                                 str_details1 = ", CertificateRequest";
1117                                 break;
1118
1119                         case SSL3_MT_SERVER_DONE:
1120                                 str_details1 = ", ServerHelloDone";
1121                                 break;
1122
1123                         case SSL3_MT_CERTIFICATE_VERIFY:
1124                                 str_details1 = ", CertificateVerify";
1125                                 break;
1126
1127                         case SSL3_MT_CLIENT_KEY_EXCHANGE:
1128                                 str_details1 = ", ClientKeyExchange";
1129                                 break;
1130
1131                         case SSL3_MT_FINISHED:
1132                                 str_details1 = ", Finished";
1133                                 break;
1134                         }
1135                 }
1136         }
1137
1138         snprintf(tls_session->info.info_description,
1139                  sizeof(tls_session->info.info_description),
1140                  "%s %s%s [length %04lx]%s%s\n",
1141                  str_write_p, str_version, str_content_type,
1142                  (unsigned long)tls_session->info.record_len,
1143                  str_details1, str_details2);
1144
1145         request = SSL_get_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_REQUEST);
1146         ROPTIONAL(RDEBUG2, DEBUG2, "%s", tls_session->info.info_description);
1147 }
1148
1149 static CONF_PARSER cache_config[] = {
1150         { "enable", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, session_cache_enable), "no" },
1151
1152         { "lifetime", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, session_timeout), "24" },
1153         { "name", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, session_id_name), NULL },
1154
1155         { "max_entries", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, session_cache_size), "255" },
1156         { "persist_dir", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, session_cache_path), NULL },
1157         CONF_PARSER_TERMINATOR
1158 };
1159
1160 static CONF_PARSER verify_config[] = {
1161         { "skip_if_ocsp_ok", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, verify_skip_if_ocsp_ok), "no" },
1162         { "tmpdir", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, verify_tmp_dir), NULL },
1163         { "client", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, verify_client_cert_cmd), NULL },
1164         CONF_PARSER_TERMINATOR
1165 };
1166
1167 #ifdef HAVE_OPENSSL_OCSP_H
1168 static CONF_PARSER ocsp_config[] = {
1169         { "enable", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, ocsp_enable), "no" },
1170         { "override_cert_url", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, ocsp_override_url), "no" },
1171         { "url", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, ocsp_url), NULL },
1172         { "use_nonce", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, ocsp_use_nonce), "yes" },
1173         { "timeout", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, ocsp_timeout), "yes" },
1174         { "softfail", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, ocsp_softfail), "no" },
1175         CONF_PARSER_TERMINATOR
1176 };
1177 #endif
1178
1179 static CONF_PARSER tls_server_config[] = {
1180         { "verify_depth", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, verify_depth), "0" },
1181         { "CA_path", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED, fr_tls_server_conf_t, ca_path), NULL },
1182         { "ca_path", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, fr_tls_server_conf_t, ca_path), NULL },
1183         { "pem_file_type", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, file_type), "yes" },
1184         { "private_key_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, fr_tls_server_conf_t, private_key_file), NULL },
1185         { "certificate_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, fr_tls_server_conf_t, certificate_file), NULL },
1186         { "CA_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED, fr_tls_server_conf_t, ca_file), NULL },
1187         { "ca_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, fr_tls_server_conf_t, ca_file), NULL },
1188         { "private_key_password", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, fr_tls_server_conf_t, private_key_password), NULL },
1189 #ifdef PSK_MAX_IDENTITY_LEN
1190         { "psk_identity", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, psk_identity), NULL },
1191         { "psk_hexphrase", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, fr_tls_server_conf_t, psk_password), NULL },
1192         { "psk_query", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, psk_query), NULL },
1193 #endif
1194         { "dh_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, fr_tls_server_conf_t, dh_file), NULL },
1195         { "random_file", FR_CONF_OFFSET(PW_TYPE_FILE_EXISTS, fr_tls_server_conf_t, random_file), NULL },
1196         { "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, fragment_size), "1024" },
1197         { "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, include_length), "yes" },
1198         { "auto_chain", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, auto_chain), "yes" },
1199         { "disable_single_dh_use", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, disable_single_dh_use), NULL },
1200         { "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_crl), "no" },
1201 #ifdef X509_V_FLAG_CRL_CHECK_ALL
1202         { "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_all_crl), "no" },
1203 #endif
1204         { "allow_expired_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, allow_expired_crl), NULL },
1205         { "check_cert_cn", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, check_cert_cn), NULL },
1206         { "cipher_list", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, cipher_list), NULL },
1207         { "cipher_server_preference", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, cipher_server_preference), NULL },
1208         { "check_cert_issuer", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, check_cert_issuer), NULL },
1209         { "require_client_cert", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, require_client_cert), NULL },
1210
1211 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
1212 #ifndef OPENSSL_NO_ECDH
1213         { "ecdh_curve", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, ecdh_curve), "prime256v1" },
1214 #endif
1215 #endif
1216
1217 #ifdef SSL_OP_NO_TLSv1
1218         { "disable_tlsv1", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, disable_tlsv1), NULL },
1219 #endif
1220
1221 #ifdef SSL_OP_NO_TLSv1_1
1222         { "disable_tlsv1_1", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, disable_tlsv1_1), NULL },
1223 #endif
1224
1225 #ifdef SSL_OP_NO_TLSv1_2
1226         { "disable_tlsv1_2", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, disable_tlsv1_2), NULL },
1227 #endif
1228
1229         { "cache", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) cache_config },
1230
1231         { "verify", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) verify_config },
1232
1233 #ifdef HAVE_OPENSSL_OCSP_H
1234         { "ocsp", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) ocsp_config },
1235 #endif
1236         CONF_PARSER_TERMINATOR
1237 };
1238
1239
1240 static CONF_PARSER tls_client_config[] = {
1241         { "verify_depth", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, verify_depth), "0" },
1242         { "ca_path", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, fr_tls_server_conf_t, ca_path), NULL },
1243         { "pem_file_type", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, file_type), "yes" },
1244         { "private_key_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, fr_tls_server_conf_t, private_key_file), NULL },
1245         { "certificate_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, fr_tls_server_conf_t, certificate_file), NULL },
1246         { "ca_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, fr_tls_server_conf_t, ca_file), NULL },
1247         { "private_key_password", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, fr_tls_server_conf_t, private_key_password), NULL },
1248         { "dh_file", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, dh_file), NULL },
1249         { "random_file", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, random_file), NULL },
1250         { "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, fragment_size), "1024" },
1251         { "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, include_length), "yes" },
1252         { "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_crl), "no" },
1253         { "check_cert_cn", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, check_cert_cn), NULL },
1254         { "cipher_list", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, cipher_list), NULL },
1255         { "check_cert_issuer", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, check_cert_issuer), NULL },
1256
1257 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
1258 #ifndef OPENSSL_NO_ECDH
1259         { "ecdh_curve", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, ecdh_curve), "prime256v1" },
1260 #endif
1261 #endif
1262
1263 #ifdef SSL_OP_NO_TLSv1
1264         { "disable_tlsv1", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, disable_tlsv1), NULL },
1265 #endif
1266
1267 #ifdef SSL_OP_NO_TLSv1_1
1268         { "disable_tlsv1_1", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, disable_tlsv1_1), NULL },
1269 #endif
1270
1271 #ifdef SSL_OP_NO_TLSv1_2
1272         { "disable_tlsv1_2", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, disable_tlsv1_2), NULL },
1273 #endif
1274         CONF_PARSER_TERMINATOR
1275 };
1276
1277
1278 /*
1279  *      TODO: Check for the type of key exchange * like conf->dh_key
1280  */
1281 static int load_dh_params(SSL_CTX *ctx, char *file)
1282 {
1283         DH *dh = NULL;
1284         BIO *bio;
1285
1286         if (!file) return 0;
1287
1288         if ((bio = BIO_new_file(file, "r")) == NULL) {
1289                 ERROR(LOG_PREFIX ": Unable to open DH file - %s", file);
1290                 return -1;
1291         }
1292
1293         dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
1294         BIO_free(bio);
1295         if (!dh) {
1296                 WARN(LOG_PREFIX ": Unable to set DH parameters.  DH cipher suites may not work!");
1297                 WARN(LOG_PREFIX ": Fix this by running the OpenSSL command listed in eap.conf");
1298                 return 0;
1299         }
1300
1301         if (SSL_CTX_set_tmp_dh(ctx, dh) < 0) {
1302                 ERROR(LOG_PREFIX ": Unable to set DH parameters");
1303                 DH_free(dh);
1304                 return -1;
1305         }
1306
1307         DH_free(dh);
1308         return 0;
1309 }
1310
1311
1312 /*
1313  *      Print debugging messages, and free data.
1314  */
1315 static void cbtls_remove_session(SSL_CTX *ctx, SSL_SESSION *sess)
1316 {
1317         char                    buffer[2 * MAX_SESSION_SIZE + 1];
1318         fr_tls_server_conf_t    *conf;
1319
1320         tls_session_id(sess, buffer, MAX_SESSION_SIZE);
1321
1322         conf = (fr_tls_server_conf_t *)SSL_CTX_get_app_data(ctx);
1323         if (!conf) {
1324                 DEBUG(LOG_PREFIX ": Failed to find TLS configuration in session");
1325                 return;
1326         }
1327
1328         {
1329                 int rv;
1330                 char filename[256];
1331
1332                 DEBUG2(LOG_PREFIX ": Removing session %s from the cache", buffer);
1333
1334                 /* remove session and any cached VPs */
1335                 snprintf(filename, sizeof(filename), "%s%c%s.asn1",
1336                          conf->session_cache_path, FR_DIR_SEP, buffer);
1337                 rv = unlink(filename);
1338                 if (rv != 0) {
1339                         DEBUG2(LOG_PREFIX ": Could not remove persisted session file %s: %s",
1340                                filename, fr_syserror(errno));
1341                 }
1342                 /* VPs might be absent; might not have been written to disk yet */
1343                 snprintf(filename, sizeof(filename), "%s%c%s.vps",
1344                          conf->session_cache_path, FR_DIR_SEP, buffer);
1345                 unlink(filename);
1346         }
1347
1348         return;
1349 }
1350
1351 static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
1352 {
1353         char                    buffer[2 * MAX_SESSION_SIZE + 1];
1354         fr_tls_server_conf_t    *conf;
1355         unsigned char           *sess_blob = NULL;
1356
1357         REQUEST                 *request = SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_REQUEST);
1358
1359         conf = (fr_tls_server_conf_t *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_CONF);
1360         if (!conf) {
1361                 RWDEBUG("Failed to find TLS configuration in session");
1362                 return 0;
1363         }
1364
1365         tls_session_id(sess, buffer, MAX_SESSION_SIZE);
1366
1367         {
1368                 int fd, rv, todo, blob_len;
1369                 char filename[256];
1370                 unsigned char *p;
1371
1372                 RDEBUG2("Serialising session %s, and storing in cache", buffer);
1373
1374                 /* find out what length data we need */
1375                 blob_len = i2d_SSL_SESSION(sess, NULL);
1376                 if (blob_len < 1) {
1377                         /* something went wrong */
1378                         if (request) RWDEBUG("Session serialisation failed, couldn't determine required buffer length");
1379                         return 0;
1380                 }
1381
1382                 /* Do not convert to TALLOC - Thread safety */
1383                 /* alloc and convert to ASN.1 */
1384                 sess_blob = malloc(blob_len);
1385                 if (!sess_blob) {
1386                         RWDEBUG("Session serialisation failed, couldn't allocate buffer (%d bytes)", blob_len);
1387                         return 0;
1388                 }
1389                 /* openssl mutates &p */
1390                 p = sess_blob;
1391                 rv = i2d_SSL_SESSION(sess, &p);
1392                 if (rv != blob_len) {
1393                         if (request) RWDEBUG("Session serialisation failed");
1394                         goto error;
1395                 }
1396
1397                 /* open output file */
1398                 snprintf(filename, sizeof(filename), "%s%c%s.asn1",
1399                          conf->session_cache_path, FR_DIR_SEP, buffer);
1400                 fd = open(filename, O_RDWR|O_CREAT|O_EXCL, S_IWUSR);
1401                 if (fd < 0) {
1402                         if (request) RERROR("Session serialisation failed, failed opening session file %s: %s",
1403                                             filename, fr_syserror(errno));
1404                         goto error;
1405                 }
1406
1407                 /*
1408                  *      Set the filename to be temporarily write-only.
1409                  */
1410                 if (request) {
1411                         VALUE_PAIR *vp;
1412
1413                         vp = fr_pair_afrom_num(request->state_ctx, PW_TLS_CACHE_FILENAME, 0);
1414                         if (vp) {
1415                                 fr_pair_value_strcpy(vp, filename);
1416                                 fr_pair_add(&request->state, vp);
1417                         }
1418                 }
1419
1420                 todo = blob_len;
1421                 p = sess_blob;
1422                 while (todo > 0) {
1423                         rv = write(fd, p, todo);
1424                         if (rv < 1) {
1425                                 if (request) RWDEBUG("Failed writing session: %s", fr_syserror(errno));
1426                                 close(fd);
1427                                 goto error;
1428                         }
1429                         p += rv;
1430                         todo -= rv;
1431                 }
1432                 close(fd);
1433                 if (request) RWDEBUG("Wrote session %s to %s (%d bytes)", buffer, filename, blob_len);
1434         }
1435
1436 error:
1437         free(sess_blob);
1438
1439         return 0;
1440 }
1441
1442 /** Convert OpenSSL's ASN1_TIME to an epoch time
1443  *
1444  * @param[out] out      Where to write the time_t.
1445  * @param[in] asn1      The ASN1_TIME to convert.
1446  * @return
1447  *      - 0 success.
1448  *      - -1 on failure.
1449  */
1450 static int ocsp_asn1time_to_epoch(time_t *out, char const *asn1)
1451 {
1452         struct          tm t;
1453         char const      *p = asn1, *end = p + strlen(p);
1454
1455         memset(&t, 0, sizeof(t));
1456
1457         if ((end - p) <= 12) {
1458                 if ((end - p) < 2) {
1459                         fr_strerror_printf("ASN1 date string too short, expected 2 additional bytes, got %zu bytes",
1460                                            end - p);
1461                         return -1;
1462                 }
1463
1464                 t.tm_year = (*(p++) - '0') * 10;
1465                 t.tm_year += (*(p++) - '0');
1466                 if (t.tm_year < 70) t.tm_year += 100;
1467         } else {
1468                 t.tm_year = (*(p++) - '0') * 1000;
1469                 t.tm_year += (*(p++) - '0') * 100;
1470                 t.tm_year += (*(p++) - '0') * 10;
1471                 t.tm_year += (*(p++) - '0');
1472                 t.tm_year -= 1900;
1473         }
1474
1475         if ((end - p) < 4) {
1476                 fr_strerror_printf("ASN1 string too short, expected 10 additional bytes, got %zu bytes",
1477                                    end - p);
1478                 return -1;
1479         }
1480
1481         t.tm_mon = (*(p++) - '0') * 10;
1482         t.tm_mon += (*(p++) - '0') - 1; // -1 since January is 0 not 1.
1483         t.tm_mday = (*(p++) - '0') * 10;
1484         t.tm_mday += (*(p++) - '0');
1485
1486         if ((end - p) < 2) goto done;
1487         t.tm_hour = (*(p++) - '0') * 10;
1488         t.tm_hour += (*(p++) - '0');
1489
1490         if ((end - p) < 2) goto done;
1491         t.tm_min = (*(p++) - '0') * 10;
1492         t.tm_min += (*(p++) - '0');
1493
1494         if ((end - p) < 2) goto done;
1495         t.tm_sec = (*(p++) - '0') * 10;
1496         t.tm_sec += (*(p++) - '0');
1497
1498         /* Apparently OpenSSL converts all timestamps to UTC? Maybe? */
1499 done:
1500         *out = timegm(&t);
1501         return 0;
1502 }
1503
1504 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
1505 static SSL_SESSION *cbtls_get_session(SSL *ssl, unsigned char *data, int len, int *copy)
1506 #else
1507 static SSL_SESSION *cbtls_get_session(SSL *ssl, const unsigned char *data, int len, int *copy)
1508 #endif
1509 {
1510         size_t                  size;
1511         char                    buffer[2 * MAX_SESSION_SIZE + 1];
1512         fr_tls_server_conf_t    *conf;
1513         TALLOC_CTX              *talloc_ctx;
1514
1515         SSL_SESSION             *sess = NULL;
1516         unsigned char           *sess_data = NULL;
1517         PAIR_LIST               *pairlist = NULL;
1518
1519         REQUEST                 *request = SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_REQUEST);
1520
1521         rad_assert(request != NULL);
1522
1523         size = len;
1524         if (size > MAX_SESSION_SIZE) size = MAX_SESSION_SIZE;
1525
1526         fr_bin2hex(buffer, data, size);
1527
1528         RDEBUG2("Peer requested cached session: %s", buffer);
1529
1530         *copy = 0;
1531
1532         conf = (fr_tls_server_conf_t *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_CONF);
1533         if (!conf) {
1534                 RWDEBUG("Failed to find TLS configuration in session");
1535                 return NULL;
1536         }
1537
1538         talloc_ctx = SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_TALLOC);
1539
1540         {
1541                 int             rv, fd, todo;
1542                 char            filename[256];
1543
1544                 unsigned char const     **o;
1545                 unsigned char           **p;
1546                 uint8_t                 *q;
1547
1548                 struct stat     st;
1549                 VALUE_PAIR      *vps = NULL;
1550                 VALUE_PAIR      *vp;
1551
1552                 /* load the actual SSL session */
1553                 snprintf(filename, sizeof(filename), "%s%c%s.asn1", conf->session_cache_path, FR_DIR_SEP, buffer);
1554                 fd = open(filename, O_RDONLY);
1555                 if (fd < 0) {
1556                         RWDEBUG("No persisted session file %s: %s", filename, fr_syserror(errno));
1557                         goto error;
1558                 }
1559
1560                 rv = fstat(fd, &st);
1561                 if (rv < 0) {
1562                         RWDEBUG("Failed stating persisted session file %s: %s", filename, fr_syserror(errno));
1563                         close(fd);
1564                         goto error;
1565                 }
1566
1567                 sess_data = talloc_array(NULL, unsigned char, st.st_size);
1568                 if (!sess_data) {
1569                         RWDEBUG("Failed allocating buffer for persisted session (%d bytes)", (int) st.st_size);
1570                         close(fd);
1571                         goto error;
1572                 }
1573
1574                 q = sess_data;
1575                 todo = st.st_size;
1576                 while (todo > 0) {
1577                         rv = read(fd, q, todo);
1578                         if (rv < 1) {
1579                                 RWDEBUG("Failed reading persisted session: %s", fr_syserror(errno));
1580                                 close(fd);
1581                                 goto error;
1582                         }
1583                         todo -= rv;
1584                         q += rv;
1585                 }
1586                 close(fd);
1587
1588                 /*
1589                  *      OpenSSL mutates what's passed in, so we assign sess_data to q,
1590                  *      so the value of q gets mutated, and not the value of sess_data.
1591                  *
1592                  *      We then need a pointer to hold &q, but it can't be const, because
1593                  *      clang complains about lack of consting in nested pointer types.
1594                  *
1595                  *      So we memcpy the value of that pointer, to one that
1596                  *      does have a const, which we then pass into d2i_SSL_SESSION *sigh*.
1597                  */
1598                 q = sess_data;
1599                 p = &q;
1600                 memcpy(&o, &p, sizeof(o));
1601                 sess = d2i_SSL_SESSION(NULL, o, st.st_size);
1602                 if (!sess) {
1603                         RWDEBUG("Failed loading persisted session: %s", ERR_error_string(ERR_get_error(), NULL));
1604                         goto error;
1605                 }
1606
1607                 /* read in the cached VPs from the .vps file */
1608                 snprintf(filename, sizeof(filename), "%s%c%s.vps",
1609                          conf->session_cache_path, FR_DIR_SEP, buffer);
1610                 rv = pairlist_read(talloc_ctx, filename, &pairlist, 1);
1611                 if (rv < 0) {
1612                         /* not safe to un-persist a session w/o VPs */
1613                         RWDEBUG("Failed loading persisted VPs for session %s", buffer);
1614                         SSL_SESSION_free(sess);
1615                         sess = NULL;
1616                         goto error;
1617                 }
1618
1619                 /*
1620                  *      Enforce client certificate expiration.
1621                  */
1622                 vp = fr_pair_find_by_num(pairlist->reply, PW_TLS_CLIENT_CERT_EXPIRATION, 0, TAG_ANY);
1623                 if (vp) {
1624                         time_t expires;
1625
1626                         if (ocsp_asn1time_to_epoch(&expires, vp->vp_strvalue) < 0) {
1627                                 RDEBUG2("Failed getting certificate expiration, removing cache entry for session %s - %s", buffer, fr_strerror());
1628                                 SSL_SESSION_free(sess);
1629                                 sess = NULL;
1630                                 goto error;
1631                         }
1632
1633                         if (expires <= request->timestamp) {
1634                                 RDEBUG2("Certificate has expired, removing cache entry for session %s", buffer);
1635                                 SSL_SESSION_free(sess);
1636                                 sess = NULL;
1637                                 goto error;
1638                         }
1639
1640                         /*
1641                          *      Account for Session-Timeout, if it's available.
1642                          */
1643                         vp = fr_pair_find_by_num(request->reply->vps, PW_SESSION_TIMEOUT, 0, TAG_ANY);
1644                         if (vp) {
1645                                 if ((request->timestamp + vp->vp_integer) > expires) {
1646                                         vp->vp_integer = expires - request->timestamp;
1647                                         RWDEBUG2("Updating Session-Timeout to %u, due to impending certificate expiration",
1648                                                  vp->vp_integer);
1649                                 }
1650                         }
1651                 }
1652
1653                 /* move the cached VPs into the session */
1654                 fr_pair_list_mcopy_by_num(talloc_ctx, &vps, &pairlist->reply, 0, 0, TAG_ANY);
1655
1656                 SSL_SESSION_set_ex_data(sess, fr_tls_ex_index_vps, vps);
1657                 RWDEBUG("Successfully restored session %s", buffer);
1658                 rdebug_pair_list(L_DBG_LVL_2, request, vps, "reply:");
1659         }
1660 error:
1661         if (sess_data) talloc_free(sess_data);
1662         if (pairlist) pairlist_free(&pairlist);
1663
1664         return sess;
1665 }
1666
1667 #ifdef HAVE_OPENSSL_OCSP_H
1668
1669 /** Extract components of OCSP responser URL from a certificate
1670  *
1671  * @param[in] cert to extract URL from.
1672  * @param[out] host_out Portion of the URL (must be freed with free()).
1673  * @param[out] port_out Port portion of the URL (must be freed with free()).
1674  * @param[out] path_out Path portion of the URL (must be freed with free()).
1675  * @param[out] is_https Whether the responder should be contacted using https.
1676  * @return
1677  *      - 0 if no valid URL is contained in the certificate.
1678  *      - 1 if a URL was found and parsed.
1679  *      - -1 if at least one URL was found, but none could be parsed.
1680  */
1681 static int ocsp_parse_cert_url(X509 *cert, char **host_out, char **port_out,
1682                                char **path_out, int *is_https)
1683 {
1684         int                     i;
1685         bool                    found_uri = false;
1686
1687         AUTHORITY_INFO_ACCESS   *aia;
1688         ACCESS_DESCRIPTION      *ad;
1689
1690         aia = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL);
1691
1692         for (i = 0; i < sk_ACCESS_DESCRIPTION_num(aia); i++) {
1693                 ad = sk_ACCESS_DESCRIPTION_value(aia, i);
1694                 if (OBJ_obj2nid(ad->method) != NID_ad_OCSP) continue;
1695                 if (ad->location->type != GEN_URI) continue;
1696                 found_uri = true;
1697
1698                 if (OCSP_parse_url((char *) ad->location->d.ia5->data, host_out,
1699                                    port_out, path_out, is_https)) return 1;
1700         }
1701         return found_uri ? -1 : 0;
1702 }
1703
1704 /*
1705  * This function sends a OCSP request to a defined OCSP responder
1706  * and checks the OCSP response for correctness.
1707  */
1708
1709 /* Maximum leeway in validity period: default 5 minutes */
1710 #define MAX_VALIDITY_PERIOD     (5 * 60)
1711
1712 typedef enum {
1713         OCSP_STATUS_FAILED      = 0,
1714         OCSP_STATUS_OK          = 1,
1715         OCSP_STATUS_SKIPPED     = 2,
1716 } ocsp_status_t;
1717
1718 static ocsp_status_t ocsp_check(REQUEST *request, X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
1719                                 fr_tls_server_conf_t *conf)
1720 {
1721         OCSP_CERTID     *certid;
1722         OCSP_REQUEST    *req;
1723         OCSP_RESPONSE   *resp = NULL;
1724         OCSP_BASICRESP  *bresp = NULL;
1725         char            *host = NULL;
1726         char            *port = NULL;
1727         char            *path = NULL;
1728         char            hostheader[1024];
1729         int             use_ssl = -1;
1730         long            nsec = MAX_VALIDITY_PERIOD, maxage = -1;
1731         BIO             *cbio, *bio_out;
1732         ocsp_status_t   ocsp_status = OCSP_STATUS_FAILED;
1733         int             status;
1734         ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1735         int             reason;
1736 #if OPENSSL_VERSION_NUMBER >= 0x1000003f
1737         OCSP_REQ_CTX    *ctx;
1738         int             rc;
1739         struct timeval  now;
1740         struct timeval  when;
1741 #endif
1742         VALUE_PAIR      *vp;
1743
1744         /*
1745          * Create OCSP Request
1746          */
1747         certid = OCSP_cert_to_id(NULL, client_cert, issuer_cert);
1748         req = OCSP_REQUEST_new();
1749         OCSP_request_add0_id(req, certid);
1750         if (conf->ocsp_use_nonce) OCSP_request_add1_nonce(req, NULL, 8);
1751
1752         /*
1753          * Send OCSP Request and get OCSP Response
1754          */
1755
1756         /* Get OCSP responder URL */
1757         if (conf->ocsp_override_url) {
1758                 char *url;
1759
1760         use_ocsp_url:
1761                 memcpy(&url, &conf->ocsp_url, sizeof(url));
1762                 /* Reading the libssl src, they do a strdup on the URL, so it could of been const *sigh* */
1763                 OCSP_parse_url(url, &host, &port, &path, &use_ssl);
1764                 if (!host || !port || !path) {
1765                         RWDEBUG("ocsp: Host or port or path missing from configured URL \"%s\".  Not doing OCSP", url);
1766                         goto skipped;
1767                 }
1768         } else {
1769                 int ret;
1770
1771                 ret = ocsp_parse_cert_url(client_cert, &host, &port, &path, &use_ssl);
1772                 switch (ret) {
1773                 case -1:
1774                         RWDEBUG("ocsp: Invalid URL in certificate.  Not doing OCSP");
1775                         break;
1776
1777                 case 0:
1778                         if (conf->ocsp_url) {
1779                                 RWDEBUG("ocsp: No OCSP URL in certificate, falling back to configured URL");
1780                                 goto use_ocsp_url;
1781                         }
1782                         RWDEBUG("ocsp: No OCSP URL in certificate.  Not doing OCSP");
1783                         goto skipped;
1784
1785                 case 1:
1786                         break;
1787                 }
1788         }
1789
1790         RDEBUG2("ocsp: Using responder URL \"http://%s:%s%s\"", host, port, path);
1791
1792         /* Check host and port length are sane, then create Host: HTTP header */
1793         if ((strlen(host) + strlen(port) + 2) > sizeof(hostheader)) {
1794                 RWDEBUG("ocsp: Host and port too long");
1795                 goto skipped;
1796         }
1797         snprintf(hostheader, sizeof(hostheader), "%s:%s", host, port);
1798
1799         /* Setup BIO socket to OCSP responder */
1800         cbio = BIO_new_connect(host);
1801
1802         bio_out = NULL;
1803         if (rad_debug_lvl) {
1804                 if (default_log.dst == L_DST_STDOUT) {
1805                         bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
1806                 } else if (default_log.dst == L_DST_STDERR) {
1807                         bio_out = BIO_new_fp(stderr, BIO_NOCLOSE);
1808                 }
1809         }
1810
1811         BIO_set_conn_port(cbio, port);
1812 #if OPENSSL_VERSION_NUMBER < 0x1000003f
1813         BIO_do_connect(cbio);
1814
1815         /* Send OCSP request and wait for response */
1816         resp = OCSP_sendreq_bio(cbio, path, req);
1817         if (!resp) {
1818                 REDEBUG("ocsp: Couldn't get OCSP response");
1819                 ocsp_status = OCSP_STATUS_SKIPPED;
1820                 goto ocsp_end;
1821         }
1822 #else
1823         if (conf->ocsp_timeout)
1824                 BIO_set_nbio(cbio, 1);
1825
1826         rc = BIO_do_connect(cbio);
1827         if ((rc <= 0) && ((!conf->ocsp_timeout) || !BIO_should_retry(cbio))) {
1828                 REDEBUG("ocsp: Couldn't connect to OCSP responder");
1829                 ocsp_status = OCSP_STATUS_SKIPPED;
1830                 goto ocsp_end;
1831         }
1832
1833         ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
1834         if (!ctx) {
1835                 REDEBUG("ocsp: Couldn't create OCSP request");
1836                 ocsp_status = OCSP_STATUS_SKIPPED;
1837                 goto ocsp_end;
1838         }
1839
1840         if (!OCSP_REQ_CTX_add1_header(ctx, "Host", hostheader)) {
1841                 REDEBUG("ocsp: Couldn't set Host header");
1842                 ocsp_status = OCSP_STATUS_SKIPPED;
1843                 goto ocsp_end;
1844         }
1845
1846         if (!OCSP_REQ_CTX_set1_req(ctx, req)) {
1847                 REDEBUG("ocsp: Couldn't add data to OCSP request");
1848                 ocsp_status = OCSP_STATUS_SKIPPED;
1849                 goto ocsp_end;
1850         }
1851
1852         gettimeofday(&when, NULL);
1853         when.tv_sec += conf->ocsp_timeout;
1854
1855         do {
1856                 rc = OCSP_sendreq_nbio(&resp, ctx);
1857                 if (conf->ocsp_timeout) {
1858                         gettimeofday(&now, NULL);
1859                         if (!timercmp(&now, &when, <))
1860                                 break;
1861                 }
1862         } while ((rc == -1) && BIO_should_retry(cbio));
1863
1864         if (conf->ocsp_timeout && (rc == -1) && BIO_should_retry(cbio)) {
1865                 REDEBUG("ocsp: Response timed out");
1866                 ocsp_status = OCSP_STATUS_SKIPPED;
1867                 goto ocsp_end;
1868         }
1869
1870         OCSP_REQ_CTX_free(ctx);
1871
1872         if (rc == 0) {
1873                 REDEBUG("ocsp: Couldn't get OCSP response");
1874                 ocsp_status = OCSP_STATUS_SKIPPED;
1875                 goto ocsp_end;
1876         }
1877 #endif
1878
1879         /* Verify OCSP response status */
1880         status = OCSP_response_status(resp);
1881         if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1882                 REDEBUG("ocsp: Response status: %s", OCSP_response_status_str(status));
1883                 goto ocsp_end;
1884         }
1885         bresp = OCSP_response_get1_basic(resp);
1886         if (conf->ocsp_use_nonce && OCSP_check_nonce(req, bresp)!=1) {
1887                 REDEBUG("ocsp: Response has wrong nonce value");
1888                 goto ocsp_end;
1889         }
1890         if (OCSP_basic_verify(bresp, NULL, store, 0)!=1){
1891                 REDEBUG("ocsp: Couldn't verify OCSP basic response");
1892                 goto ocsp_end;
1893         }
1894
1895         /*      Verify OCSP cert status */
1896         if (!OCSP_resp_find_status(bresp, certid, &status, &reason, &rev, &thisupd, &nextupd)) {
1897                 REDEBUG("ocsp: No Status found");
1898                 goto ocsp_end;
1899         }
1900
1901         if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) {
1902                 if (bio_out) {
1903                         BIO_puts(bio_out, "WARNING: Status times invalid.\n");
1904                         ERR_print_errors(bio_out);
1905                 }
1906                 goto ocsp_end;
1907         }
1908
1909         if (bio_out) {
1910                 BIO_puts(bio_out, "\tThis Update: ");
1911                 ASN1_GENERALIZEDTIME_print(bio_out, thisupd);
1912                 BIO_puts(bio_out, "\n");
1913                 if (nextupd) {
1914                         BIO_puts(bio_out, "\tNext Update: ");
1915                         ASN1_GENERALIZEDTIME_print(bio_out, nextupd);
1916                         BIO_puts(bio_out, "\n");
1917                 }
1918         }
1919
1920         switch (status) {
1921         case V_OCSP_CERTSTATUS_GOOD:
1922                 RDEBUG2("ocsp: Cert status: good");
1923                 vp = pair_make_request("TLS-OCSP-Cert-Valid", NULL, T_OP_SET);
1924                 vp->vp_integer = 1;     /* yes */
1925                 ocsp_status = OCSP_STATUS_OK;
1926                 break;
1927
1928         default:
1929                 /* REVOKED / UNKNOWN */
1930                 REDEBUG("ocsp: Cert status: %s", OCSP_cert_status_str(status));
1931                 if (reason != -1) REDEBUG("ocsp: Reason: %s", OCSP_crl_reason_str(reason));
1932
1933                 if (bio_out) {
1934                         BIO_puts(bio_out, "\tRevocation Time: ");
1935                         ASN1_GENERALIZEDTIME_print(bio_out, rev);
1936                         BIO_puts(bio_out, "\n");
1937                 }
1938                 break;
1939         }
1940
1941 ocsp_end:
1942         /* Free OCSP Stuff */
1943         OCSP_REQUEST_free(req);
1944         OCSP_RESPONSE_free(resp);
1945         free(host);
1946         free(port);
1947         free(path);
1948         BIO_free_all(cbio);
1949         if (bio_out) BIO_free(bio_out);
1950         OCSP_BASICRESP_free(bresp);
1951
1952         switch (ocsp_status) {
1953         case OCSP_STATUS_OK:
1954                 RDEBUG2("ocsp: Certificate is valid");
1955                 break;
1956
1957         case OCSP_STATUS_SKIPPED:
1958         skipped:
1959                 vp = pair_make_request("TLS-OCSP-Cert-Valid", NULL, T_OP_SET);
1960                 vp->vp_integer = 2;     /* skipped */
1961                 if (conf->ocsp_softfail) {
1962                         RWDEBUG("ocsp: Unable to check certificate, assuming it's valid");
1963                         RWDEBUG("ocsp: This may be insecure");
1964
1965                         /* Remove OpenSSL errors from queue or handshake will fail */
1966                         while (ERR_get_error());
1967
1968                         ocsp_status = OCSP_STATUS_SKIPPED;
1969                 } else {
1970                         REDEBUG("ocsp: Unable to check certificate, failing");
1971                         ocsp_status = OCSP_STATUS_FAILED;
1972                 }
1973                 break;
1974
1975         default:
1976                 vp = pair_make_request("TLS-OCSP-Cert-Valid", NULL, T_OP_SET);
1977                 vp->vp_integer = 0;     /* no */
1978                 REDEBUG("ocsp: Certificate has been expired/revoked");
1979                 break;
1980         }
1981
1982         return ocsp_status;
1983 }
1984 #endif  /* HAVE_OPENSSL_OCSP_H */
1985
1986 /*
1987  *      For creating certificate attributes.
1988  */
1989 static char const *cert_attr_names[8][2] = {
1990         { "TLS-Client-Cert-Serial",                     "TLS-Cert-Serial" },
1991         { "TLS-Client-Cert-Expiration",                 "TLS-Cert-Expiration" },
1992         { "TLS-Client-Cert-Subject",                    "TLS-Cert-Subject" },
1993         { "TLS-Client-Cert-Issuer",                     "TLS-Cert-Issuer" },
1994         { "TLS-Client-Cert-Common-Name",                "TLS-Cert-Common-Name" },
1995         { "TLS-Client-Cert-Subject-Alt-Name-Email",     "TLS-Cert-Subject-Alt-Name-Email" },
1996         { "TLS-Client-Cert-Subject-Alt-Name-Dns",       "TLS-Cert-Subject-Alt-Name-Dns" },
1997         { "TLS-Client-Cert-Subject-Alt-Name-Upn",       "TLS-Cert-Subject-Alt-Name-Upn" }
1998 };
1999
2000 #define FR_TLS_SERIAL           (0)
2001 #define FR_TLS_EXPIRATION       (1)
2002 #define FR_TLS_SUBJECT          (2)
2003 #define FR_TLS_ISSUER           (3)
2004 #define FR_TLS_CN               (4)
2005 #define FR_TLS_SAN_EMAIL        (5)
2006 #define FR_TLS_SAN_DNS          (6)
2007 #define FR_TLS_SAN_UPN          (7)
2008
2009 /*
2010  *      Before trusting a certificate, you must make sure that the
2011  *      certificate is 'valid'. There are several steps that your
2012  *      application can take in determining if a certificate is
2013  *      valid. Commonly used steps are:
2014  *
2015  *      1.Verifying the certificate's signature, and verifying that
2016  *      the certificate has been issued by a trusted Certificate
2017  *      Authority.
2018  *
2019  *      2.Verifying that the certificate is valid for the present date
2020  *      (i.e. it is being presented within its validity dates).
2021  *
2022  *      3.Verifying that the certificate has not been revoked by its
2023  *      issuing Certificate Authority, by checking with respect to a
2024  *      Certificate Revocation List (CRL).
2025  *
2026  *      4.Verifying that the credentials presented by the certificate
2027  *      fulfill additional requirements specific to the application,
2028  *      such as with respect to access control lists or with respect
2029  *      to OCSP (Online Certificate Status Processing).
2030  *
2031  *      NOTE: This callback will be called multiple times based on the
2032  *      depth of the root certificate chain
2033  */
2034 int cbtls_verify(int ok, X509_STORE_CTX *ctx)
2035 {
2036         char            subject[1024]; /* Used for the subject name */
2037         char            issuer[1024]; /* Used for the issuer name */
2038         char            attribute[1024];
2039         char            value[1024];
2040         char            common_name[1024];
2041         char            cn_str[1024];
2042         char            buf[64];
2043         X509            *client_cert;
2044 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
2045         const STACK_OF(X509_EXTENSION) *ext_list;
2046 #else
2047         STACK_OF(X509_EXTENSION) *ext_list;
2048 #endif
2049         SSL             *ssl;
2050         int             err, depth, lookup, loc;
2051         fr_tls_server_conf_t *conf;
2052         int             my_ok = ok;
2053
2054         ASN1_INTEGER    *sn = NULL;
2055         ASN1_TIME       *asn_time = NULL;
2056         VALUE_PAIR      **certs;
2057         char **identity;
2058 #ifdef HAVE_OPENSSL_OCSP_H
2059         X509_STORE      *ocsp_store = NULL;
2060         X509            *issuer_cert;
2061         bool            do_verify = false;
2062 #endif
2063         VALUE_PAIR      *vp;
2064         TALLOC_CTX      *talloc_ctx;
2065
2066         REQUEST         *request;
2067
2068         client_cert = X509_STORE_CTX_get_current_cert(ctx);
2069         err = X509_STORE_CTX_get_error(ctx);
2070         depth = X509_STORE_CTX_get_error_depth(ctx);
2071
2072         lookup = depth;
2073
2074         /*
2075          *      Log client/issuing cert.  If there's an error, log
2076          *      issuing cert.
2077          */
2078         if ((lookup > 1) && !my_ok) lookup = 1;
2079
2080         /*
2081          * Retrieve the pointer to the SSL of the connection currently treated
2082          * and the application specific data stored into the SSL object.
2083          */
2084         ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
2085         conf = (fr_tls_server_conf_t *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_CONF);
2086         if (!conf) return 1;
2087
2088         request = (REQUEST *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_REQUEST);
2089         rad_assert(request != NULL);
2090         certs = (VALUE_PAIR **)SSL_get_ex_data(ssl, fr_tls_ex_index_certs);
2091
2092         identity = (char **)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_IDENTITY);
2093 #ifdef HAVE_OPENSSL_OCSP_H
2094         ocsp_store = conf->ocsp_store;
2095 #endif
2096
2097         talloc_ctx = SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_TALLOC);
2098
2099         /*
2100          *      Get the Serial Number
2101          */
2102         buf[0] = '\0';
2103         sn = X509_get_serialNumber(client_cert);
2104
2105         RDEBUG2("Creating attributes from certificate OIDs");
2106         RINDENT();
2107
2108         /*
2109          *      For this next bit, we create the attributes *only* if
2110          *      we're at the client or issuing certificate, AND we
2111          *      have a user identity.  i.e. we don't create the
2112          *      attributes for RadSec connections.
2113          */
2114         if (certs && identity &&
2115             (lookup <= 1) && sn && ((size_t) sn->length < (sizeof(buf) / 2))) {
2116                 char *p = buf;
2117                 int i;
2118
2119                 for (i = 0; i < sn->length; i++) {
2120                         sprintf(p, "%02x", (unsigned int)sn->data[i]);
2121                         p += 2;
2122                 }
2123                 vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_SERIAL][lookup], buf, T_OP_SET);
2124                 rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
2125         }
2126
2127
2128         /*
2129          *      Get the Expiration Date
2130          */
2131         buf[0] = '\0';
2132         asn_time = X509_get_notAfter(client_cert);
2133         if (certs && identity && (lookup <= 1) && asn_time &&
2134             (asn_time->length < (int) sizeof(buf))) {
2135                 memcpy(buf, (char*) asn_time->data, asn_time->length);
2136                 buf[asn_time->length] = '\0';
2137                 vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_EXPIRATION][lookup], buf, T_OP_SET);
2138                 rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
2139         }
2140
2141         /*
2142          *      Get the Subject & Issuer
2143          */
2144         subject[0] = issuer[0] = '\0';
2145         X509_NAME_oneline(X509_get_subject_name(client_cert), subject,
2146                           sizeof(subject));
2147         subject[sizeof(subject) - 1] = '\0';
2148         if (certs && identity && (lookup <= 1) && subject[0]) {
2149                 vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_SUBJECT][lookup], subject, T_OP_SET);
2150                 rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
2151         }
2152
2153         X509_NAME_oneline(X509_get_issuer_name(client_cert), issuer,
2154                           sizeof(issuer));
2155         issuer[sizeof(issuer) - 1] = '\0';
2156         if (certs && identity && (lookup <= 1) && issuer[0]) {
2157                 vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_ISSUER][lookup], issuer, T_OP_SET);
2158                 rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
2159         }
2160
2161         /*
2162          *      Get the Common Name, if there is a subject.
2163          */
2164         X509_NAME_get_text_by_NID(X509_get_subject_name(client_cert),
2165                                   NID_commonName, common_name, sizeof(common_name));
2166         common_name[sizeof(common_name) - 1] = '\0';
2167         if (certs && identity && (lookup <= 1) && common_name[0] && subject[0]) {
2168                 vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_CN][lookup], common_name, T_OP_SET);
2169                 rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
2170         }
2171
2172         /*
2173          *      Get the RFC822 Subject Alternative Name
2174          */
2175         loc = X509_get_ext_by_NID(client_cert, NID_subject_alt_name, -1);
2176         if (certs && (lookup <= 1) && (loc >= 0)) {
2177                 X509_EXTENSION *ext = NULL;
2178                 GENERAL_NAMES *names = NULL;
2179                 int i;
2180
2181                 if ((ext = X509_get_ext(client_cert, loc)) &&
2182                     (names = X509V3_EXT_d2i(ext))) {
2183                         for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
2184                                 GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
2185
2186                                 switch (name->type) {
2187 #ifdef GEN_EMAIL
2188                                 case GEN_EMAIL:
2189                                         vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_SAN_EMAIL][lookup],
2190                                                       (char const *) ASN1_STRING_get0_data(name->d.rfc822Name), T_OP_SET);
2191                                         rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
2192                                         break;
2193 #endif  /* GEN_EMAIL */
2194 #ifdef GEN_DNS
2195                                 case GEN_DNS:
2196                                         vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_SAN_DNS][lookup],
2197                                                       (char const *) ASN1_STRING_get0_data(name->d.dNSName), T_OP_SET);
2198                                         rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
2199                                         break;
2200 #endif  /* GEN_DNS */
2201 #ifdef GEN_OTHERNAME
2202                                 case GEN_OTHERNAME:
2203                                         /* look for a MS UPN */
2204                                         if (NID_ms_upn == OBJ_obj2nid(name->d.otherName->type_id)) {
2205                                             /* we've got a UPN - Must be ASN1-encoded UTF8 string */
2206                                             if (name->d.otherName->value->type == V_ASN1_UTF8STRING) {
2207                                                     vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_SAN_UPN][lookup],
2208                                                                   (char const *) ASN1_STRING_get0_data(name->d.otherName->value->value.utf8string), T_OP_SET);
2209                                                     rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
2210                                                 break;
2211                                             } else {
2212                                                 RWARN("Invalid UPN in Subject Alt Name (should be UTF-8)");
2213                                                 break;
2214                                             }
2215                                         }
2216                                         break;
2217 #endif  /* GEN_OTHERNAME */
2218                                 default:
2219                                         /* XXX TODO handle other SAN types */
2220                                         break;
2221                                 }
2222                         }
2223                 }
2224                 if (names != NULL)
2225                         GENERAL_NAMES_free(names);
2226         }
2227
2228         /*
2229          *      If the CRL has expired, that might still be OK.
2230          */
2231         if (!my_ok &&
2232             (conf->allow_expired_crl) &&
2233             (err == X509_V_ERR_CRL_HAS_EXPIRED)) {
2234                 my_ok = 1;
2235                 X509_STORE_CTX_set_error( ctx, 0 );
2236         }
2237
2238         if (!my_ok) {
2239                 char const *p = X509_verify_cert_error_string(err);
2240                 RERROR("SSL says error %d : %s", err, p);
2241                 REXDENT();
2242                 return my_ok;
2243         }
2244
2245         if (lookup == 0) {
2246 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
2247                 ext_list = X509_get0_extensions(client_cert);
2248 #else
2249                 X509_CINF       *client_inf;
2250                 client_inf = client_cert->cert_info;
2251                 ext_list = client_inf->extensions;
2252 #endif
2253         } else {
2254                 ext_list = NULL;
2255         }
2256
2257         /*
2258          *      Grab the X509 extensions, and create attributes out of them.
2259          *      For laziness, we re-use the OpenSSL names
2260          */
2261         if (certs && (sk_X509_EXTENSION_num(ext_list) > 0)) {
2262                 int i, len;
2263                 char *p;
2264                 BIO *out;
2265
2266                 out = BIO_new(BIO_s_mem());
2267                 strlcpy(attribute, "TLS-Client-Cert-", sizeof(attribute));
2268
2269                 for (i = 0; i < sk_X509_EXTENSION_num(ext_list); i++) {
2270                         ASN1_OBJECT *obj;
2271                         X509_EXTENSION *ext;
2272
2273                         ext = sk_X509_EXTENSION_value(ext_list, i);
2274
2275                         obj = X509_EXTENSION_get_object(ext);
2276                         i2a_ASN1_OBJECT(out, obj);
2277                         len = BIO_read(out, attribute + 16 , sizeof(attribute) - 16 - 1);
2278                         if (len <= 0) continue;
2279
2280                         attribute[16 + len] = '\0';
2281
2282                         for (p = attribute + 16; *p != '\0'; p++) {
2283                                 if (*p == ' ') *p = '-';
2284                         }
2285
2286                         X509V3_EXT_print(out, ext, 0, 0);
2287                         len = BIO_read(out, value , sizeof(value) - 1);
2288                         if (len <= 0) continue;
2289
2290                         value[len] = '\0';
2291
2292                         vp = fr_pair_make(talloc_ctx, certs, attribute, value, T_OP_ADD);
2293                         if (!vp) {
2294                                 RDEBUG3("Skipping %s += '%s'.  Please check that both the "
2295                                         "attribute and value are defined in the dictionaries",
2296                                         attribute, value);
2297                         } else {
2298                                 /*
2299                                  *      rdebug_pair_list indents (so pre REXDENT())
2300                                  */
2301                                 REXDENT();
2302                                 rdebug_pair_list(L_DBG_LVL_2, request, vp, NULL);
2303                                 RINDENT();
2304                         }
2305                 }
2306
2307                 BIO_free_all(out);
2308         }
2309
2310         REXDENT();
2311
2312         switch (X509_STORE_CTX_get_error(ctx)) {
2313         case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
2314                 RERROR("issuer=%s", issuer);
2315                 break;
2316
2317         case X509_V_ERR_CERT_NOT_YET_VALID:
2318         case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
2319                 RERROR("notBefore=");
2320 #if 0
2321                 ASN1_TIME_print(bio_err, X509_get_notBefore(ctx->current_cert));
2322 #endif
2323                 break;
2324
2325         case X509_V_ERR_CERT_HAS_EXPIRED:
2326         case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
2327                 RERROR("notAfter=");
2328 #if 0
2329                 ASN1_TIME_print(bio_err, X509_get_notAfter(ctx->current_cert));
2330 #endif
2331                 break;
2332         }
2333
2334         /*
2335          *      If we're at the actual client cert, apply additional
2336          *      checks.
2337          */
2338         if (depth == 0) {
2339                 /*
2340                  *      If the conf tells us to, check cert issuer
2341                  *      against the specified value and fail
2342                  *      verification if they don't match.
2343                  */
2344                 if (conf->check_cert_issuer &&
2345                     (strcmp(issuer, conf->check_cert_issuer) != 0)) {
2346                         AUTH(LOG_PREFIX ": Certificate issuer (%s) does not match specified value (%s)!",
2347                              issuer, conf->check_cert_issuer);
2348                         my_ok = 0;
2349                 }
2350
2351                 /*
2352                  *      If the conf tells us to, check the CN in the
2353                  *      cert against xlat'ed value, but only if the
2354                  *      previous checks passed.
2355                  */
2356                 if (my_ok && conf->check_cert_cn) {
2357                         if (radius_xlat(cn_str, sizeof(cn_str), request, conf->check_cert_cn, NULL, NULL) < 0) {
2358                                 /* if this fails, fail the verification */
2359                                 my_ok = 0;
2360                         } else {
2361                                 RDEBUG2("checking certificate CN (%s) with xlat'ed value (%s)", common_name, cn_str);
2362                                 if (strcmp(cn_str, common_name) != 0) {
2363                                         AUTH(LOG_PREFIX ": Certificate CN (%s) does not match specified value (%s)!",
2364                                              common_name, cn_str);
2365                                         my_ok = 0;
2366                                 }
2367                         }
2368                 } /* check_cert_cn */
2369
2370 #ifdef HAVE_OPENSSL_OCSP_H
2371                 if (my_ok) {
2372                         /*
2373                          *      No OCSP, allow external verification.
2374                          */
2375                         if (!conf->ocsp_enable) {
2376                                 do_verify = true;
2377
2378                         } else {
2379                                 RDEBUG2("Starting OCSP Request");
2380                                 if ((X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert) != 1) ||
2381                                     !issuer_cert) {
2382                                         /*
2383                                          *      Allow for external verify.
2384                                          */
2385                                         RERROR("Couldn't get issuer_cert for %s", common_name);
2386                                         do_verify = true;
2387
2388                                 } else {
2389                                         /*
2390                                          *      Do the full OCSP checks.
2391                                          *
2392                                          *      If they fail, don't run the external verify.  We don't want
2393                                          *      to allow admins to force authentication success for bad
2394                                          *      certificates.
2395                                          *
2396                                          *      If the OCSP checks succeed, check whether we still want to
2397                                          *      run the external verification routine.  If it's marked as
2398                                          *      "skip verify on OK", then we don't do verify.
2399                                          */
2400                                         my_ok = ocsp_check(request, ocsp_store, issuer_cert, client_cert, conf);
2401                                         if (my_ok != OCSP_STATUS_FAILED) {
2402                                                 do_verify = !conf->verify_skip_if_ocsp_ok;
2403                                         }
2404                                 }
2405                         }
2406                 }
2407 #endif
2408
2409                 if ((my_ok != OCSP_STATUS_FAILED)
2410 #ifdef HAVE_OPENSSL_OCSP_H
2411                     && do_verify
2412 #endif
2413                         ) while (conf->verify_client_cert_cmd) {
2414                         char filename[256];
2415                         int fd;
2416                         FILE *fp;
2417
2418                         snprintf(filename, sizeof(filename), "%s/%s.client.XXXXXXXX",
2419                                  conf->verify_tmp_dir, main_config.name);
2420                         fd = mkstemp(filename);
2421                         if (fd < 0) {
2422                                 RDEBUG("Failed creating file in %s: %s",
2423                                        conf->verify_tmp_dir, fr_syserror(errno));
2424                                 break;
2425                         }
2426
2427                         fp = fdopen(fd, "w");
2428                         if (!fp) {
2429                                 close(fd);
2430                                 RDEBUG("Failed opening file %s: %s",
2431                                        filename, fr_syserror(errno));
2432                                 break;
2433                         }
2434
2435                         if (!PEM_write_X509(fp, client_cert)) {
2436                                 fclose(fp);
2437                                 RDEBUG("Failed writing certificate to file");
2438                                 goto do_unlink;
2439                         }
2440                         fclose(fp);
2441
2442                         if (!pair_make_request("TLS-Client-Cert-Filename",
2443                                              filename, T_OP_SET)) {
2444                                 RDEBUG("Failed creating TLS-Client-Cert-Filename");
2445
2446                                 goto do_unlink;
2447                         }
2448
2449                         RDEBUG("Verifying client certificate: %s", conf->verify_client_cert_cmd);
2450                         if (radius_exec_program(request, NULL, 0, NULL, request, conf->verify_client_cert_cmd,
2451                                                 request->packet->vps,
2452                                                 true, true, EXEC_TIMEOUT) != 0) {
2453                                 AUTH(LOG_PREFIX ": Certificate CN (%s) fails external verification!", common_name);
2454                                 my_ok = 0;
2455
2456                         } else  if (request) {
2457                                 RDEBUG("Client certificate CN %s passed external validation", common_name);
2458                         }
2459
2460                 do_unlink:
2461                         unlink(filename);
2462                         break;
2463                 }
2464         } /* depth == 0 */
2465
2466         if (certs && request && !my_ok) {
2467                 fr_pair_add(&request->packet->vps, fr_pair_list_copy(request->packet, *certs));
2468         }
2469
2470         if (RDEBUG_ENABLED3) {
2471                 RDEBUG3("chain-depth   : %d", depth);
2472                 RDEBUG3("error         : %d", err);
2473
2474                 if (identity) RDEBUG3("identity      : %s", *identity);
2475                 RDEBUG3("common name   : %s", common_name);
2476                 RDEBUG3("subject       : %s", subject);
2477                 RDEBUG3("issuer        : %s", issuer);
2478                 RDEBUG3("verify return : %d", my_ok);
2479         }
2480
2481         return (my_ok != 0);
2482 }
2483
2484
2485 #ifdef HAVE_OPENSSL_OCSP_H
2486 /*
2487  *      Create Global X509 revocation store and use it to verify
2488  *      OCSP responses
2489  *
2490  *      - Load the trusted CAs
2491  *      - Load the trusted issuer certificates
2492  */
2493 static X509_STORE *init_revocation_store(fr_tls_server_conf_t *conf)
2494 {
2495         X509_STORE *store = NULL;
2496
2497         store = X509_STORE_new();
2498
2499         /* Load the CAs we trust */
2500         if (conf->ca_file || conf->ca_path)
2501                 if (!X509_STORE_load_locations(store, conf->ca_file, conf->ca_path)) {
2502                         tls_error_log(NULL, "Error reading Trusted root CA list \"%s\"", conf->ca_file);
2503                         return NULL;
2504                 }
2505
2506 #ifdef X509_V_FLAG_CRL_CHECK
2507         if (conf->check_crl)
2508                 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
2509 #endif
2510 #ifdef X509_V_FLAG_CRL_CHECK_ALL
2511         if (conf->check_all_crl)
2512                 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
2513 #endif
2514         return store;
2515 }
2516 #endif  /* HAVE_OPENSSL_OCSP_H */
2517
2518 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
2519 #ifndef OPENSSL_NO_ECDH
2520 static int set_ecdh_curve(SSL_CTX *ctx, char const *ecdh_curve, bool disable_single_dh_use)
2521 {
2522         int      nid;
2523         EC_KEY  *ecdh;
2524
2525         if (!ecdh_curve || !*ecdh_curve) return 0;
2526
2527         nid = OBJ_sn2nid(ecdh_curve);
2528         if (!nid) {
2529                 ERROR(LOG_PREFIX ": Unknown ecdh_curve \"%s\"", ecdh_curve);
2530                 return -1;
2531         }
2532
2533         ecdh = EC_KEY_new_by_curve_name(nid);
2534         if (!ecdh) {
2535                 ERROR(LOG_PREFIX ": Unable to create new curve \"%s\"", ecdh_curve);
2536                 return -1;
2537         }
2538
2539         SSL_CTX_set_tmp_ecdh(ctx, ecdh);
2540
2541         if (!disable_single_dh_use) {
2542                 SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
2543         }
2544
2545         EC_KEY_free(ecdh);
2546
2547         return 0;
2548 }
2549 #endif
2550 #endif
2551
2552 /*
2553  * DIE OPENSSL DIE DIE DIE
2554  *
2555  * What a palaver, just to free some data attached the
2556  * session. We need to do this because the "remove" callback
2557  * is called when refcount > 0 sometimes, if another thread
2558  * is using the session
2559  */
2560 static void sess_free_vps(UNUSED void *parent, void *data_ptr,
2561                                 UNUSED CRYPTO_EX_DATA *ad, UNUSED int idx,
2562                                 UNUSED long argl, UNUSED void *argp)
2563 {
2564         VALUE_PAIR *vp = data_ptr;
2565         if (!vp) return;
2566
2567         DEBUG2(LOG_PREFIX ": Freeing cached session VPs");
2568
2569         fr_pair_list_free(&vp);
2570 }
2571
2572 static void sess_free_certs(UNUSED void *parent, void *data_ptr,
2573                                 UNUSED CRYPTO_EX_DATA *ad, UNUSED int idx,
2574                                 UNUSED long argl, UNUSED void *argp)
2575 {
2576         VALUE_PAIR **certs = data_ptr;
2577         if (!certs) return;
2578
2579         DEBUG2(LOG_PREFIX ": Freeing cached session Certificates");
2580
2581         fr_pair_list_free(certs);
2582 }
2583
2584 /** Add all the default ciphers and message digests reate our context.
2585  *
2586  * This should be called exactly once from main, before reading the main config
2587  * or initialising any modules.
2588  */
2589 void tls_global_init(void)
2590 {
2591         SSL_load_error_strings();       /* readable error messages (examples show call before library_init) */
2592         SSL_library_init();             /* initialize library */
2593         OpenSSL_add_all_algorithms();   /* required for SHA2 in OpenSSL < 0.9.8o and 1.0.0.a */
2594         CONF_modules_load_file(NULL, NULL, 0);
2595
2596         /*
2597          *      Initialize the index for the certificates.
2598          */
2599         fr_tls_ex_index_certs = SSL_SESSION_get_ex_new_index(0, NULL, NULL, NULL, sess_free_certs);
2600 }
2601
2602 #ifdef ENABLE_OPENSSL_VERSION_CHECK
2603 /** Check for vulnerable versions of libssl
2604  *
2605  * @param acknowledged The highest CVE number a user has confirmed is not present in the system's libssl.
2606  * @return 0 if the CVE specified by the user matches the most recent CVE we have, else -1.
2607  */
2608 int tls_global_version_check(char const *acknowledged)
2609 {
2610         uint64_t v;
2611         bool bad = false;
2612         size_t i;
2613
2614         if (strcmp(acknowledged, "yes") == 0) return 0;
2615
2616         /* Check for bad versions */
2617         v = (uint64_t) SSLeay();
2618
2619         for (i = 0; i < (sizeof(libssl_defects) / sizeof(*libssl_defects)); i++) {
2620                 libssl_defect_t *defect = &libssl_defects[i];
2621
2622                 if ((v >= defect->low) && (v <= defect->high)) {
2623                         /*
2624                          *      If the CVE is acknowledged, allow it.
2625                          */
2626                         if (!bad && (strcmp(acknowledged, defect->id) == 0)) return 0;
2627
2628                         ERROR("Refusing to start with libssl version %s (in range %s)",
2629                               ssl_version(), ssl_version_range(defect->low, defect->high));
2630                         ERROR("Security advisory %s (%s)", defect->id, defect->name);
2631                         ERROR("%s", defect->comment);
2632
2633                         /*
2634                          *      Only warn about the first one...
2635                          */
2636                         if (!bad) {
2637                                 INFO("Once you have verified libssl has been correctly patched, "
2638                                      "set security.allow_vulnerable_openssl = '%s'", defect->id);
2639
2640                                 bad = true;
2641                         }
2642                 }
2643         }
2644
2645         if (bad) return -1;
2646
2647         return 0;
2648 }
2649 #endif
2650
2651 /** Free any memory alloced by libssl
2652  *
2653  */
2654 void tls_global_cleanup(void)
2655 {
2656 #if OPENSSL_VERSION_NUMBER < 0x10000000L
2657         ERR_remove_state(0);
2658 #elif OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
2659         ERR_remove_thread_state(NULL);
2660 #endif
2661         ENGINE_cleanup();
2662         CONF_modules_unload(1);
2663         ERR_free_strings();
2664         EVP_cleanup();
2665         CRYPTO_cleanup_all_ex_data();
2666 }
2667
2668 /** Create SSL context
2669  *
2670  * - Load the trusted CAs
2671  * - Load the Private key & the certificate
2672  * - Set the Context options & Verify options
2673  */
2674 SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client)
2675 {
2676         SSL_CTX         *ctx;
2677         X509_STORE      *certstore;
2678         int             verify_mode = SSL_VERIFY_NONE;
2679         int             ctx_options = 0;
2680         int             ctx_tls_versions = 0;
2681         int             type;
2682
2683         /*
2684          *      SHA256 is in all versions of OpenSSL, but isn't
2685          *      initialized by default.  It's needed for WiMAX
2686          *      certificates.
2687          */
2688 #ifdef HAVE_OPENSSL_EVP_SHA256
2689         EVP_add_digest(EVP_sha256());
2690 #endif
2691
2692         ctx = SSL_CTX_new(SSLv23_method()); /* which is really "all known SSL / TLS methods".  Idiots. */
2693         if (!ctx) {
2694                 tls_error_log(NULL, "Failed creating TLS context");
2695                 return NULL;
2696         }
2697
2698         /*
2699          * Save the config on the context so that callbacks which
2700          * only get SSL_CTX* e.g. session persistence, can get it
2701          */
2702         SSL_CTX_set_app_data(ctx, conf);
2703
2704         /*
2705          * Identify the type of certificates that needs to be loaded
2706          */
2707         if (conf->file_type) {
2708                 type = SSL_FILETYPE_PEM;
2709         } else {
2710                 type = SSL_FILETYPE_ASN1;
2711         }
2712
2713         /*
2714          * Set the password to load private key
2715          */
2716         if (conf->private_key_password) {
2717 #ifdef __APPLE__
2718                 /*
2719                  * We don't want to put the private key password in eap.conf, so  check
2720                  * for our special string which indicates we should get the password
2721                  * programmatically.
2722                  */
2723                 char const* special_string = "Apple:UseCertAdmin";
2724                 if (strncmp(conf->private_key_password, special_string, strlen(special_string)) == 0) {
2725                         char cmd[256];
2726                         char *password;
2727                         long const max_password_len = 128;
2728                         snprintf(cmd, sizeof(cmd) - 1, "/usr/sbin/certadmin --get-private-key-passphrase \"%s\"",
2729                                  conf->private_key_file);
2730
2731                         DEBUG2(LOG_PREFIX ":  Getting private key passphrase using command \"%s\"", cmd);
2732
2733                         FILE* cmd_pipe = popen(cmd, "r");
2734                         if (!cmd_pipe) {
2735                                 ERROR(LOG_PREFIX ": %s command failed: Unable to get private_key_password", cmd);
2736                                 ERROR(LOG_PREFIX ": Error reading private_key_file %s", conf->private_key_file);
2737                                 return NULL;
2738                         }
2739
2740                         rad_const_free(conf->private_key_password);
2741                         password = talloc_array(conf, char, max_password_len);
2742                         if (!password) {
2743                                 ERROR(LOG_PREFIX ": Can't allocate space for private_key_password");
2744                                 ERROR(LOG_PREFIX ": Error reading private_key_file %s", conf->private_key_file);
2745                                 pclose(cmd_pipe);
2746                                 return NULL;
2747                         }
2748
2749                         fgets(password, max_password_len, cmd_pipe);
2750                         pclose(cmd_pipe);
2751
2752                         /* Get rid of newline at end of password. */
2753                         password[strlen(password) - 1] = '\0';
2754
2755                         DEBUG3(LOG_PREFIX ": Password from command = \"%s\"", password);
2756                         conf->private_key_password = password;
2757                 }
2758 #endif
2759
2760                 {
2761                         char *password;
2762
2763                         memcpy(&password, &conf->private_key_password, sizeof(password));
2764                         SSL_CTX_set_default_passwd_cb_userdata(ctx, password);
2765                         SSL_CTX_set_default_passwd_cb(ctx, cbtls_password);
2766                 }
2767         }
2768
2769 #ifdef PSK_MAX_IDENTITY_LEN
2770         if (!client) {
2771                 /*
2772                  *      No dynamic query exists.  There MUST be a
2773                  *      statically configured identity and password.
2774                  */
2775                 if (conf->psk_query && !*conf->psk_query) {
2776                         ERROR(LOG_PREFIX ": Invalid PSK Configuration: psk_query cannot be empty");
2777                         return NULL;
2778                 }
2779
2780                 /*
2781                  *      Set the callback only if we can check things.
2782                  */
2783                 if (conf->psk_identity || conf->psk_query) {
2784                         SSL_CTX_set_psk_server_callback(ctx, psk_server_callback);
2785                 }
2786
2787         } else if (conf->psk_query) {
2788                 ERROR(LOG_PREFIX ": Invalid PSK Configuration: psk_query cannot be used for outgoing connections");
2789                 return NULL;
2790         }
2791
2792         /*
2793          *      Now check that if PSK is being used, the config is valid.
2794          */
2795         if ((conf->psk_identity && !conf->psk_password) ||
2796             (!conf->psk_identity && conf->psk_password) ||
2797             (conf->psk_identity && !*conf->psk_identity) ||
2798             (conf->psk_password && !*conf->psk_password)) {
2799                 ERROR(LOG_PREFIX ": Invalid PSK Configuration: psk_identity or psk_password are empty");
2800                 return NULL;
2801         }
2802
2803         if (conf->psk_identity) {
2804                 size_t psk_len, hex_len;
2805                 uint8_t buffer[PSK_MAX_PSK_LEN];
2806
2807                 if (conf->certificate_file ||
2808                     conf->private_key_password || conf->private_key_file ||
2809                     conf->ca_file || conf->ca_path) {
2810                         ERROR(LOG_PREFIX ": When PSKs are used, No certificate configuration is permitted");
2811                         return NULL;
2812                 }
2813
2814                 if (client) {
2815                         SSL_CTX_set_psk_client_callback(ctx,
2816                                                         psk_client_callback);
2817                 }
2818
2819                 psk_len = strlen(conf->psk_password);
2820                 if (strlen(conf->psk_password) > (2 * PSK_MAX_PSK_LEN)) {
2821                         ERROR(LOG_PREFIX ": psk_hexphrase is too long (max %d)", PSK_MAX_PSK_LEN);
2822                         return NULL;
2823                 }
2824
2825                 /*
2826                  *      Check the password now, so that we don't have
2827                  *      errors at run-time.
2828                  */
2829                 hex_len = fr_hex2bin(buffer, sizeof(buffer), conf->psk_password, psk_len);
2830                 if (psk_len != (2 * hex_len)) {
2831                         ERROR(LOG_PREFIX ": psk_hexphrase is not all hex");
2832                         return NULL;
2833                 }
2834
2835                 goto post_ca;
2836         }
2837 #else
2838         (void) client;  /* -Wunused */
2839 #endif
2840
2841         /*
2842          *      Load our keys and certificates
2843          *
2844          *      If certificates are of type PEM then we can make use
2845          *      of cert chain authentication using openssl api call
2846          *      SSL_CTX_use_certificate_chain_file.  Please see how
2847          *      the cert chain needs to be given in PEM from
2848          *      openSSL.org
2849          */
2850         if (!conf->certificate_file) goto load_ca;
2851
2852         if (type == SSL_FILETYPE_PEM) {
2853                 if (!(SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file))) {
2854                         tls_error_log(NULL, "Failed reading certificate file \"%s\"",
2855                                       conf->certificate_file);
2856                         return NULL;
2857                 }
2858
2859         } else if (!(SSL_CTX_use_certificate_file(ctx, conf->certificate_file, type))) {
2860                 tls_error_log(NULL, "Failed reading certificate file \"%s\"",
2861                               conf->certificate_file);
2862                 return NULL;
2863         }
2864
2865         /* Load the CAs we trust */
2866 load_ca:
2867         if (conf->ca_file || conf->ca_path) {
2868                 if (!SSL_CTX_load_verify_locations(ctx, conf->ca_file, conf->ca_path)) {
2869                         tls_error_log(NULL, "Failed reading Trusted root CA list \"%s\"",
2870                                       conf->ca_file);
2871                         return NULL;
2872                 }
2873         }
2874         if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
2875
2876         if (conf->private_key_file) {
2877                 if (!(SSL_CTX_use_PrivateKey_file(ctx, conf->private_key_file, type))) {
2878                         tls_error_log(NULL, "Failed reading private key file \"%s\"",
2879                                       conf->private_key_file);
2880                         return NULL;
2881                 }
2882
2883                 /*
2884                  * Check if the loaded private key is the right one
2885                  */
2886                 if (!SSL_CTX_check_private_key(ctx)) {
2887                         ERROR(LOG_PREFIX ": Private key does not match the certificate public key");
2888                         return NULL;
2889                 }
2890         }
2891
2892 #ifdef PSK_MAX_IDENTITY_LEN
2893 post_ca:
2894 #endif
2895
2896         /*
2897          *      We never want SSLv2 or SSLv3.
2898          */
2899         ctx_options |= SSL_OP_NO_SSLv2;
2900         ctx_options |= SSL_OP_NO_SSLv3;
2901
2902         /*
2903          *      As of 3.0.5, we always allow TLSv1.1 and TLSv1.2.
2904          *      Though they can be *globally* disabled if necessary.x
2905          */
2906 #ifdef SSL_OP_NO_TLSv1
2907         if (conf->disable_tlsv1) ctx_options |= SSL_OP_NO_TLSv1;
2908
2909         ctx_tls_versions |= SSL_OP_NO_TLSv1;
2910 #endif
2911 #ifdef SSL_OP_NO_TLSv1_1
2912         if (conf->disable_tlsv1_1) ctx_options |= SSL_OP_NO_TLSv1_1;
2913
2914         ctx_tls_versions |= SSL_OP_NO_TLSv1_1;
2915 #endif
2916 #ifdef SSL_OP_NO_TLSv1_2
2917
2918         if (conf->disable_tlsv1_2) ctx_options |= SSL_OP_NO_TLSv1_2;
2919
2920         ctx_tls_versions |= SSL_OP_NO_TLSv1_2;
2921
2922 #endif
2923
2924         if ((ctx_options & ctx_tls_versions) == ctx_tls_versions) {
2925                 ERROR(LOG_PREFIX ": You have disabled all available TLS versions.  EAP will not work");
2926                 return NULL;
2927         }
2928
2929 #ifdef SSL_OP_NO_TICKET
2930         ctx_options |= SSL_OP_NO_TICKET;
2931 #endif
2932
2933         if (!conf->disable_single_dh_use) {
2934                 /*
2935                  *      SSL_OP_SINGLE_DH_USE must be used in order to prevent
2936                  *      small subgroup attacks and forward secrecy. Always
2937                  *      using SSL_OP_SINGLE_DH_USE has an impact on the
2938                  *      computer time needed during negotiation, but it is not
2939                  *      very large.
2940                  */
2941                 ctx_options |= SSL_OP_SINGLE_DH_USE;
2942         }
2943
2944         /*
2945          *      SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS to work around issues
2946          *      in Windows Vista client.
2947          *      http://www.openssl.org/~bodo/tls-cbc.txt
2948          *      http://www.nabble.com/(RADIATOR)-Radiator-Version-3.16-released-t2600070.html
2949          */
2950         ctx_options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
2951
2952         if (conf->cipher_server_preference) {
2953                 /*
2954                  *      SSL_OP_CIPHER_SERVER_PREFERENCE to follow best practice
2955                  *      of nowday's TLS: do not allow poorly-selected ciphers from
2956                  *      client to take preference
2957                  */
2958                 ctx_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
2959         }
2960
2961         SSL_CTX_set_options(ctx, ctx_options);
2962
2963         /*
2964          *      TODO: Set the RSA & DH
2965          *      SSL_CTX_set_tmp_rsa_callback(ctx, cbtls_rsa);
2966          *      SSL_CTX_set_tmp_dh_callback(ctx, cbtls_dh);
2967          */
2968
2969         /*
2970          *      set the message callback to identify the type of
2971          *      message.  For every new session, there can be a
2972          *      different callback argument.
2973          *
2974          *      SSL_CTX_set_msg_callback(ctx, cbtls_msg);
2975          */
2976
2977         /*
2978          *      Set eliptical curve crypto configuration.
2979          */
2980 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
2981 #ifndef OPENSSL_NO_ECDH
2982         if (set_ecdh_curve(ctx, conf->ecdh_curve, conf->disable_single_dh_use) < 0) {
2983                 return NULL;
2984         }
2985 #endif
2986 #endif
2987
2988         /*
2989          *      OpenSSL will automatically create certificate chains,
2990          *      unless we tell it to not do that.  The problem is that
2991          *      it sometimes gets the chains right from a certificate
2992          *      signature view, but wrong from the clients view.
2993          */
2994         if (!conf->auto_chain) {
2995                 SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN);
2996         }
2997
2998         /* Set Info callback */
2999         SSL_CTX_set_info_callback(ctx, cbtls_info);
3000
3001         /*
3002          *      Callbacks, etc. for session resumption.
3003          */
3004         if (conf->session_cache_enable) {
3005                 /*
3006                  *      Cache sessions on disk if requested.
3007                  */
3008                 if (conf->session_cache_path) {
3009                         SSL_CTX_sess_set_new_cb(ctx, cbtls_new_session);
3010                         SSL_CTX_sess_set_get_cb(ctx, cbtls_get_session);
3011                         SSL_CTX_sess_set_remove_cb(ctx, cbtls_remove_session);
3012                 }
3013
3014                 SSL_CTX_set_quiet_shutdown(ctx, 1);
3015                 if (fr_tls_ex_index_vps < 0)
3016                         fr_tls_ex_index_vps = SSL_SESSION_get_ex_new_index(0, NULL, NULL, NULL, sess_free_vps);
3017         }
3018
3019         /*
3020          *      Check the certificates for revocation.
3021          */
3022 #ifdef X509_V_FLAG_CRL_CHECK
3023         if (conf->check_crl) {
3024                 certstore = SSL_CTX_get_cert_store(ctx);
3025                 if (certstore == NULL) {
3026                         tls_error_log(NULL, "Error reading Certificate Store");
3027                         return NULL;
3028                 }
3029                 X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
3030
3031 #ifdef X509_V_FLAG_CRL_CHECK_ALL
3032                 if (conf->check_all_crl)
3033                         X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK_ALL);
3034 #endif
3035         }
3036 #endif
3037
3038         /*
3039          *      Set verify modes
3040          *      Always verify the peer certificate
3041          */
3042         verify_mode |= SSL_VERIFY_PEER;
3043         verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
3044         verify_mode |= SSL_VERIFY_CLIENT_ONCE;
3045         SSL_CTX_set_verify(ctx, verify_mode, cbtls_verify);
3046
3047         if (conf->verify_depth) {
3048                 SSL_CTX_set_verify_depth(ctx, conf->verify_depth);
3049         }
3050
3051 #ifndef LIBRESSL_VERSION_NUMBER
3052         /* Load randomness */
3053         if (conf->random_file) {
3054                 if (!(RAND_load_file(conf->random_file, 1024*10))) {
3055                         tls_error_log(NULL, "Failed loading randomness");
3056                         return NULL;
3057                 }
3058         }
3059 #endif
3060
3061         /*
3062          * Set the cipher list if we were told to
3063          */
3064         if (conf->cipher_list) {
3065                 if (!SSL_CTX_set_cipher_list(ctx, conf->cipher_list)) {
3066                         tls_error_log(NULL, "Failed setting cipher list");
3067                         return NULL;
3068                 }
3069         }
3070
3071         /*
3072          *      Setup session caching
3073          */
3074         if (conf->session_cache_enable) {
3075                 /*
3076                  *      Create a unique context Id per EAP-TLS configuration.
3077                  */
3078                 if (conf->session_id_name) {
3079                         snprintf(conf->session_context_id, sizeof(conf->session_context_id),
3080                                  "FR eap %s", conf->session_id_name);
3081                 } else {
3082                         snprintf(conf->session_context_id, sizeof(conf->session_context_id),
3083                                  "FR eap %p", conf);
3084                 }
3085
3086                 /*
3087                  *      Cache it, DON'T auto-clear it, and disable the internal OpenSSL session cache.
3088                  */
3089                 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR | SSL_SESS_CACHE_NO_INTERNAL);
3090
3091                 SSL_CTX_set_session_id_context(ctx,
3092                                                (unsigned char *) conf->session_context_id,
3093                                                (unsigned int) strlen(conf->session_context_id));
3094
3095                 /*
3096                  *      Our timeout is in hours, this is in seconds.
3097                  */
3098                 SSL_CTX_set_timeout(ctx, conf->session_timeout * 3600);
3099
3100                 /*
3101                  *      Set the maximum number of entries in the
3102                  *      session cache.
3103                  */
3104                 SSL_CTX_sess_set_cache_size(ctx, conf->session_cache_size);
3105
3106         } else {
3107                 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
3108         }
3109
3110         return ctx;
3111 }
3112
3113
3114 /*
3115  *      Free TLS client/server config
3116  *      Should not be called outside this code, as a callback is
3117  *      added to automatically free the data when the CONF_SECTION
3118  *      is freed.
3119  */
3120 static int _tls_server_conf_free(fr_tls_server_conf_t *conf)
3121 {
3122         if (conf->ctx) SSL_CTX_free(conf->ctx);
3123
3124 #ifdef HAVE_OPENSSL_OCSP_H
3125         if (conf->ocsp_store) X509_STORE_free(conf->ocsp_store);
3126         conf->ocsp_store = NULL;
3127 #endif
3128
3129 #ifndef NDEBUG
3130         memset(conf, 0, sizeof(*conf));
3131 #endif
3132         return 0;
3133 }
3134
3135 fr_tls_server_conf_t *tls_server_conf_alloc(TALLOC_CTX *ctx)
3136 {
3137         fr_tls_server_conf_t *conf;
3138
3139         conf = talloc_zero(ctx, fr_tls_server_conf_t);
3140         if (!conf) {
3141                 ERROR(LOG_PREFIX ": Out of memory");
3142                 return NULL;
3143         }
3144
3145         talloc_set_destructor(conf, _tls_server_conf_free);
3146
3147         return conf;
3148 }
3149
3150 fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs)
3151 {
3152         fr_tls_server_conf_t *conf;
3153
3154         /*
3155          *      If cs has already been parsed there should be a cached copy
3156          *      of conf already stored, so just return that.
3157          */
3158         conf = cf_data_find(cs, "tls-conf");
3159         if (conf) {
3160                 DEBUG(LOG_PREFIX ": Using cached TLS configuration from previous invocation");
3161                 return conf;
3162         }
3163
3164         conf = tls_server_conf_alloc(cs);
3165
3166         if (cf_section_parse(cs, conf, tls_server_config) < 0) {
3167         error:
3168                 talloc_free(conf);
3169                 return NULL;
3170         }
3171
3172         /*
3173          *      Save people from their own stupidity.
3174          */
3175         if (conf->fragment_size < 100) conf->fragment_size = 100;
3176
3177         /*
3178          *      Only check for certificate things if we don't have a
3179          *      PSK query.
3180          */
3181 #ifdef PSK_MAX_IDENTITY_LEN
3182         if (conf->psk_identity) {
3183                 if (conf->private_key_file) {
3184                         WARN(LOG_PREFIX ": Ignoring private key file due to psk_identity being used");
3185                 }
3186
3187                 if (conf->certificate_file) {
3188                         WARN(LOG_PREFIX ": Ignoring certificate file due to psk_identity being used");
3189                 }
3190
3191         } else
3192 #endif
3193         {
3194                 if (!conf->private_key_file) {
3195                         ERROR(LOG_PREFIX ": TLS Server requires a private key file");
3196                         goto error;
3197                 }
3198
3199                 if (!conf->certificate_file) {
3200                         ERROR(LOG_PREFIX ": TLS Server requires a certificate file");
3201                         goto error;
3202                 }
3203         }
3204
3205         /*
3206          *      Initialize TLS
3207          */
3208         conf->ctx = tls_init_ctx(conf, 0);
3209         if (conf->ctx == NULL) {
3210                 goto error;
3211         }
3212
3213 #ifdef HAVE_OPENSSL_OCSP_H
3214         /*
3215          *      Initialize OCSP Revocation Store
3216          */
3217         if (conf->ocsp_enable) {
3218                 conf->ocsp_store = init_revocation_store(conf);
3219                 if (conf->ocsp_store == NULL) goto error;
3220         }
3221 #endif /*HAVE_OPENSSL_OCSP_H*/
3222         {
3223                 char *dh_file;
3224
3225                 memcpy(&dh_file, &conf->dh_file, sizeof(dh_file));
3226                 if (load_dh_params(conf->ctx, dh_file) < 0) {
3227                         goto error;
3228                 }
3229         }
3230
3231         if (conf->verify_tmp_dir) {
3232                 if (chmod(conf->verify_tmp_dir, S_IRWXU) < 0) {
3233                         ERROR(LOG_PREFIX ": Failed changing permissions on %s: %s",
3234                               conf->verify_tmp_dir, fr_syserror(errno));
3235                         goto error;
3236                 }
3237         }
3238
3239         if (conf->verify_client_cert_cmd && !conf->verify_tmp_dir) {
3240                 ERROR(LOG_PREFIX ": You MUST set the verify directory in order to use verify_client_cmd");
3241                 goto error;
3242         }
3243
3244 #ifdef SSL_OP_NO_TLSv1_2
3245         /*
3246          *      OpenSSL 1.0.1f and 1.0.1g get the MS-MPPE keys wrong.
3247          */
3248 #if (OPENSSL_VERSION_NUMBER >= 0x10010060L) && (OPENSSL_VERSION_NUMBER < 0x10010060L)
3249         conf->disable_tlsv1_2 = true;
3250         WARN(LOG_PREFIX ": Disabling TLSv1.2 due to OpenSSL bugs");
3251 #endif
3252 #endif
3253
3254         /*
3255          *      Cache conf in cs in case we're asked to parse this again.
3256          */
3257         cf_data_add(cs, "tls-conf", conf, NULL);
3258
3259         return conf;
3260 }
3261
3262 fr_tls_server_conf_t *tls_client_conf_parse(CONF_SECTION *cs)
3263 {
3264         fr_tls_server_conf_t *conf;
3265
3266         conf = cf_data_find(cs, "tls-conf");
3267         if (conf) {
3268                 DEBUG2(LOG_PREFIX ": Using cached TLS configuration from previous invocation");
3269                 return conf;
3270         }
3271
3272         conf = tls_server_conf_alloc(cs);
3273
3274         if (cf_section_parse(cs, conf, tls_client_config) < 0) {
3275         error:
3276                 talloc_free(conf);
3277                 return NULL;
3278         }
3279
3280         /*
3281          *      Save people from their own stupidity.
3282          */
3283         if (conf->fragment_size < 100) conf->fragment_size = 100;
3284
3285         /*
3286          *      Initialize TLS
3287          */
3288         conf->ctx = tls_init_ctx(conf, 1);
3289         if (conf->ctx == NULL) {
3290                 goto error;
3291         }
3292
3293         {
3294                 char *dh_file;
3295
3296                 memcpy(&dh_file, &conf->dh_file, sizeof(dh_file));
3297                 if (load_dh_params(conf->ctx, dh_file) < 0) {
3298                         goto error;
3299                 }
3300         }
3301
3302         cf_data_add(cs, "tls-conf", conf, NULL);
3303
3304         return conf;
3305 }
3306
3307
3308 int tls_success(tls_session_t *ssn, REQUEST *request)
3309 {
3310         VALUE_PAIR *vp, *vps = NULL;
3311         fr_tls_server_conf_t *conf;
3312         TALLOC_CTX *talloc_ctx;
3313
3314         conf = (fr_tls_server_conf_t *)SSL_get_ex_data(ssn->ssl, FR_TLS_EX_INDEX_CONF);
3315         rad_assert(conf != NULL);
3316
3317         talloc_ctx = SSL_get_ex_data(ssn->ssl, FR_TLS_EX_INDEX_TALLOC);
3318
3319         /*
3320          *      If there's no session resumption, delete the entry
3321          *      from the cache.  This means either it's disabled
3322          *      globally for this SSL context, OR we were told to
3323          *      disable it for this user.
3324          *
3325          *      This also means you can't turn it on just for one
3326          *      user.
3327          */
3328         if ((!ssn->allow_session_resumption) ||
3329             (((vp = fr_pair_find_by_num(request->config, PW_ALLOW_SESSION_RESUMPTION, 0, TAG_ANY)) != NULL) &&
3330              (vp->vp_integer == 0))) {
3331                 SSL_CTX_remove_session(ssn->ctx,
3332                                        ssn->ssl_session);
3333                 ssn->allow_session_resumption = false;
3334
3335                 /*
3336                  *      If we're in a resumed session and it's
3337                  *      not allowed,
3338                  */
3339                 if (SSL_session_reused(ssn->ssl)) {
3340                         RDEBUG("Forcibly stopping session resumption as it is not allowed");
3341                         return -1;
3342                 }
3343
3344         /*
3345          *      Else resumption IS allowed, so we store the
3346          *      user data in the cache.
3347          */
3348         } else if (!SSL_session_reused(ssn->ssl)) {
3349                 VALUE_PAIR **certs;
3350                 char buffer[2 * MAX_SESSION_SIZE + 1];
3351
3352                 tls_session_id(ssn->ssl_session, buffer, MAX_SESSION_SIZE);
3353
3354                 vp = fr_pair_list_copy_by_num(talloc_ctx, request->reply->vps, PW_USER_NAME, 0, TAG_ANY);
3355                 if (vp) fr_pair_add(&vps, vp);
3356
3357                 vp = fr_pair_list_copy_by_num(talloc_ctx, request->packet->vps, PW_STRIPPED_USER_NAME, 0, TAG_ANY);
3358                 if (vp) fr_pair_add(&vps, vp);
3359
3360                 vp = fr_pair_list_copy_by_num(talloc_ctx, request->packet->vps, PW_STRIPPED_USER_DOMAIN, 0, TAG_ANY);
3361                 if (vp) fr_pair_add(&vps, vp);
3362
3363                 vp = fr_pair_list_copy_by_num(talloc_ctx, request->reply->vps, PW_CHARGEABLE_USER_IDENTITY, 0, TAG_ANY);
3364                 if (vp) fr_pair_add(&vps, vp);
3365
3366                 vp = fr_pair_list_copy_by_num(talloc_ctx, request->reply->vps, PW_CACHED_SESSION_POLICY, 0, TAG_ANY);
3367                 if (vp) fr_pair_add(&vps, vp);
3368
3369                 certs = (VALUE_PAIR **)SSL_get_ex_data(ssn->ssl, fr_tls_ex_index_certs);
3370
3371                 /*
3372                  *      Hmm... the certs should probably be session data.
3373                  */
3374                 if (certs) {
3375                         /*
3376                          *      @todo: some go into reply, others into
3377                          *      request
3378                          */
3379                         fr_pair_add(&vps, fr_pair_list_copy(talloc_ctx, *certs));
3380
3381                         /*
3382                          *      Save the certs in the packet, so that we can see them.
3383                          */
3384                         fr_pair_add(&request->packet->vps, fr_pair_list_copy(request->packet, *certs));
3385
3386                         vp = fr_pair_find_by_num(request->packet->vps, PW_TLS_CLIENT_CERT_EXPIRATION, 0, TAG_ANY);
3387                         if (vp) {
3388                                 time_t expires;
3389
3390                                 if (ocsp_asn1time_to_epoch(&expires, vp->vp_strvalue) < 0) {
3391                                         RDEBUG2("Failed getting certificate expiration, removing cache entry for session %s", buffer);
3392                                         SSL_CTX_remove_session(ssn->ctx, ssn->ssl_session);
3393                                         return -1;
3394                                 }
3395
3396                                 if (expires <= request->timestamp) {
3397                                         RDEBUG2("Certificate has expired, removing cache entry for session %s", buffer);
3398                                         SSL_CTX_remove_session(ssn->ctx, ssn->ssl_session);
3399                                         return -1;
3400                                 }
3401
3402                                 /*
3403                                  *      Account for Session-Timeout, if it's available.
3404                                  */
3405                                 vp = fr_pair_find_by_num(request->reply->vps, PW_SESSION_TIMEOUT, 0, TAG_ANY);
3406                                 if (vp) {
3407                                         if ((request->timestamp + vp->vp_integer) > expires) {
3408                                                 vp->vp_integer = expires - request->timestamp;
3409                                                 RWDEBUG2("Updating Session-Timeout to %u, due to impending certificate expiration",
3410                                                          vp->vp_integer);
3411                                         }
3412                                 }
3413                         }
3414                 }
3415
3416                 if (vps) {
3417                         SSL_SESSION_set_ex_data(ssn->ssl_session, fr_tls_ex_index_vps, vps);
3418                         rdebug_pair_list(L_DBG_LVL_2, request, vps, "  caching ");
3419
3420                         if (conf->session_cache_path) {
3421                                 /* write the VPs to the cache file */
3422                                 char filename[256], buf[1024];
3423                                 FILE *vp_file;
3424
3425                                 RDEBUG2("Saving session %s in the disk cache", buffer);
3426
3427                                 snprintf(filename, sizeof(filename), "%s%c%s.vps", conf->session_cache_path,
3428                                          FR_DIR_SEP, buffer);
3429                                 vp_file = fopen(filename, "w");
3430                                 if (vp_file == NULL) {
3431                                         RWDEBUG("Could not write session VPs to persistent cache: %s",
3432                                                 fr_syserror(errno));
3433                                 } else {
3434                                         VALUE_PAIR *prev = NULL;
3435                                         vp_cursor_t cursor;
3436                                         /* generate a dummy user-style entry which is easy to read back */
3437                                         fprintf(vp_file, "# SSL cached session\n");
3438                                         fprintf(vp_file, "%s\n\t", buffer);
3439
3440                                         for (vp = fr_cursor_init(&cursor, &vps);
3441                                              vp;
3442                                              vp = fr_cursor_next(&cursor)) {
3443                                                 /*
3444                                                  *      Terminate the previous line.
3445                                                  */
3446                                                 if (prev) fprintf(vp_file, ",\n\t");
3447
3448                                                 /*
3449                                                  *      Write this one.
3450                                                  */
3451                                                 vp_prints(buf, sizeof(buf), vp);
3452                                                 fputs(buf, vp_file);
3453                                                 prev = vp;
3454                                         }
3455
3456                                         /*
3457                                          *      Terminate the final line.
3458                                          */
3459                                         fprintf(vp_file, "\n");
3460                                         fclose(vp_file);
3461                                 }
3462                         } else {
3463                                 RDEBUG("Failed to find 'persist_dir' in TLS configuration.  Session will not be cached on disk.");
3464                         }
3465                 } else {
3466                         RDEBUG2("No information to cache: session caching will be disabled for session %s", buffer);
3467                         SSL_CTX_remove_session(ssn->ctx, ssn->ssl_session);
3468                 }
3469
3470         /*
3471          *      Else the session WAS allowed.  Copy the cached reply.
3472          */
3473         } else {
3474                 char buffer[2 * MAX_SESSION_SIZE + 1];
3475
3476                 tls_session_id(ssn->ssl_session, buffer, MAX_SESSION_SIZE);
3477
3478                 /*
3479                  *      The "restore VPs from OpenSSL cache" code is
3480                  *      now in eaptls_process()
3481                  */
3482
3483                 if (conf->session_cache_path) {
3484                         /* "touch" the cached session/vp file */
3485                         char filename[256];
3486
3487                         snprintf(filename, sizeof(filename), "%s%c%s.asn1",
3488                                  conf->session_cache_path, FR_DIR_SEP, buffer);
3489                         utime(filename, NULL);
3490                         snprintf(filename, sizeof(filename), "%s%c%s.vps",
3491                                  conf->session_cache_path, FR_DIR_SEP, buffer);
3492                         utime(filename, NULL);
3493                 }
3494
3495                 /*
3496                  *      Mark the request as resumed.
3497                  */
3498                 pair_make_request("EAP-Session-Resumed", "1", T_OP_SET);
3499         }
3500
3501         return 0;
3502 }
3503
3504
3505 void tls_fail(tls_session_t *ssn)
3506 {
3507         /*
3508          *      Force the session to NOT be cached.
3509          */
3510         SSL_CTX_remove_session(ssn->ctx, ssn->ssl_session);
3511 }
3512
3513 fr_tls_status_t tls_application_data(tls_session_t *ssn, REQUEST *request)
3514
3515 {
3516         int err;
3517         VALUE_PAIR **certs;
3518
3519         /*
3520          *      Decrypt the complete record.
3521          */
3522         err = BIO_write(ssn->into_ssl, ssn->dirty_in.data,
3523                         ssn->dirty_in.used);
3524         if (err != (int) ssn->dirty_in.used) {
3525                 record_init(&ssn->dirty_in);
3526                 RDEBUG("Failed writing %zd bytes to SSL BIO: %d", ssn->dirty_in.used, err);
3527                 return FR_TLS_FAIL;
3528         }
3529
3530         /*
3531          *      Clear the dirty buffer now that we are done with it
3532          *      and init the clean_out buffer to store decrypted data
3533          */
3534         record_init(&ssn->dirty_in);
3535         record_init(&ssn->clean_out);
3536
3537         /*
3538          *      Read (and decrypt) the tunneled data from the
3539          *      SSL session, and put it into the decrypted
3540          *      data buffer.
3541          */
3542         err = SSL_read(ssn->ssl, ssn->clean_out.data, sizeof(ssn->clean_out.data));
3543         if (err < 0) {
3544                 int code;
3545
3546                 RDEBUG("SSL_read Error");
3547
3548                 code = SSL_get_error(ssn->ssl, err);
3549                 switch (code) {
3550                 case SSL_ERROR_WANT_READ:
3551                         DEBUG("Error in fragmentation logic: SSL_WANT_READ");
3552                         return FR_TLS_MORE_FRAGMENTS;
3553
3554                 case SSL_ERROR_WANT_WRITE:
3555                         DEBUG("Error in fragmentation logic: SSL_WANT_WRITE");
3556                         break;
3557
3558                 default:
3559                         REDEBUG("Error in fragmentation logic");
3560                         tls_error_io_log(request, ssn, err,
3561                                          "Failed in " STRINGIFY(__FUNCTION__) " (SSL_read)");
3562                         break;
3563                 }
3564                 return FR_TLS_FAIL;
3565         }
3566
3567         if (err == 0) RWDEBUG("No data inside of the tunnel");
3568
3569         /*
3570          *      Passed all checks, successfully decrypted data
3571          */
3572         ssn->clean_out.used = err;
3573
3574         /*
3575          *      Add the certificates to intermediate packets, so that
3576          *      the inner tunnel policies can use them.
3577          */
3578         certs = (VALUE_PAIR **)SSL_get_ex_data(ssn->ssl, fr_tls_ex_index_certs);
3579
3580         if (certs) fr_pair_add(&request->packet->vps, fr_pair_list_copy(request->packet, *certs));
3581
3582         return FR_TLS_OK;
3583 }
3584
3585
3586 /*
3587  * Acknowledge received is for one of the following messages sent earlier
3588  * 1. Handshake completed Message, so now send, EAP-Success
3589  * 2. Alert Message, now send, EAP-Failure
3590  * 3. Fragment Message, now send, next Fragment
3591  */
3592 fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request)
3593 {
3594         if (ssn == NULL){
3595                 REDEBUG("Unexpected ACK received:  No ongoing SSL session");
3596                 return FR_TLS_INVALID;
3597         }
3598         if (!ssn->info.initialized) {
3599                 RDEBUG("No SSL info available.  Waiting for more SSL data");
3600                 return FR_TLS_REQUEST;
3601         }
3602
3603         if ((ssn->info.content_type == handshake) && (ssn->info.origin == 0)) {
3604                 REDEBUG("Unexpected ACK received:  We sent no previous messages");
3605                 return FR_TLS_INVALID;
3606         }
3607
3608         switch (ssn->info.content_type) {
3609         case alert:
3610                 RDEBUG2("Peer ACKed our alert");
3611                 return FR_TLS_FAIL;
3612
3613         case handshake:
3614                 if ((ssn->info.handshake_type == handshake_finished) && (ssn->dirty_out.used == 0)) {
3615                         RDEBUG2("Peer ACKed our handshake fragment.  handshake is finished");
3616
3617                         /*
3618                          *      From now on all the content is
3619                          *      application data set it here as nobody else
3620                          *      sets it.
3621                          */
3622                         ssn->info.content_type = application_data;
3623                         return FR_TLS_SUCCESS;
3624                 } /* else more data to send */
3625
3626                 RDEBUG2("Peer ACKed our handshake fragment");
3627                 /* Fragmentation handler, send next fragment */
3628                 return FR_TLS_REQUEST;
3629
3630         case application_data:
3631                 RDEBUG2("Peer ACKed our application data fragment");
3632                 return FR_TLS_REQUEST;
3633
3634                 /*
3635                  *      For the rest of the conditions, switch over
3636                  *      to the default section below.
3637                  */
3638         default:
3639                 REDEBUG("Invalid ACK received: %d", ssn->info.content_type);
3640                 return FR_TLS_INVALID;
3641         }
3642 }
3643 #endif  /* WITH_TLS */
3644