24 RCSID(
"$Id: 6a74e7d1b77b6f56a9d89a6001cb4fa154115706 $")
27 #include <freeradius-devel/radiusd.h>
/*
 *	OpenSSL "info" callback (the SSL const *, where, ret signature and the
 *	SSL_CB_* / SSL_ST_* tests below match SSL_CTX_set_info_callback()).
 *	It only logs: handshake progress, alerts in either direction, and
 *	failures reported through SSL_CB_EXIT.  It never changes session state.
 *
 *	Everything written to the log here comes from fixed OpenSSL string
 *	tables (SSL_state_string_long, SSL_alert_*_string_long), so no
 *	peer-controlled bytes reach a log format string.
 */
30 void cbtls_info(SSL
const *s,
int where,
int ret)
32 char const *str, *
state;
/*
 *	The REQUEST is recovered from the SSL ex_data slot the TLS setup code
 *	stored it in.  NOTE(review): it can be NULL if nothing was stored for
 *	this SSL; the RERROR/RDEBUG2 macros below are assumed to tolerate a
 *	NULL request - confirm against the logging macros' definitions.
 */
33 REQUEST *request = SSL_get_ex_data(s, FR_TLS_EX_INDEX_REQUEST);
/*
 *	Masking off SSL_ST_MASK leaves the connect/accept direction bits.
 *	The bodies of these two branches are not in this listing; str is
 *	presumably set to a fixed label here and is used in the log lines
 *	further down.
 */
35 if ((where & ~SSL_ST_MASK) & SSL_ST_CONNECT) {
37 }
else if (((where & ~SSL_ST_MASK)) & SSL_ST_ACCEPT) {
/* Human-readable handshake state, with a safe fallback for a NULL return. */
43 state = SSL_state_string_long(s);
44 state = state ? state :
"<none>";
46 if ((where & SSL_CB_LOOP) || (where & SSL_CB_HANDSHAKE_START) || (where & SSL_CB_HANDSHAKE_DONE)) {
/*
 *	Alerts.  For SSL_CB_ALERT OpenSSL packs the alert level in the high
 *	byte of ret and the description in the low byte, hence the 0xff mask.
 *	close_notify is the normal shutdown alert and is deliberately not
 *	reported as an error.
 */
55 if (where & SSL_CB_ALERT) {
56 if ((ret & 0xff) == SSL_AD_CLOSE_NOTIFY)
return;
/* SSL_CB_READ: the alert was received from the peer (the EAP client). */
58 if (where & SSL_CB_READ) {
59 RERROR(
"Client sent %s TLS alert: %s", SSL_alert_type_string_long(ret),
60 SSL_alert_desc_string_long(ret));
/*
 *	The switch this case belongs to (on the alert description) is not in
 *	this listing.  unknown_ca from the client almost always means the
 *	client does not trust the server certificate's issuer, so give the
 *	operator an actionable hint.
 */
66 case TLS1_AD_UNKNOWN_CA:
67 RERROR(
"Verify client has copy of CA certificate, and trusts CA");
/* Otherwise the alert is one we are sending to the peer. */
74 RERROR(
"Sending client %s TLS alert: %s", SSL_alert_type_string_long(ret),
75 SSL_alert_desc_string_long(ret));
/*
 *	SSL_CB_EXIT: a handshake function returned.  The tests on ret that
 *	distinguish a hard failure, a want-read and an error (presumably
 *	ret == 0 vs ret < 0) are not in this listing.
 */
80 if (where & SSL_CB_EXIT) {
82 RERROR(
"%s: Failed in %s", str, state);
/* Not an error: OpenSSL just needs more data from the peer to continue. */
87 if (SSL_want_read(s)) {
88 RDEBUG2(
"%s: Need to read more data: %s", str, state);
/*
 *	NOTE(review): this one uses ERROR rather than RERROR, so it is logged
 *	without the request context the other messages carry; check whether
 *	that is intentional.
 */
91 ERROR(
"tls: %s: Error in %s", str, state);
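/** OpenSSL message callback: record the last TLS record seen for a session.
 *
 *  Installed by the TLS setup code (presumably via SSL_set_msg_callback)
 *  with the tls_session_t as the callback argument.  Each call copies the
 *  record's direction, content type, length and, for alert and handshake
 *  records, the leading type bytes into state->info, then hands the session
 *  to tls_session_information() for logging.
 *
 *  Heartbeat requests are additionally checked for a declared payload
 *  length larger than the record actually carries (the Heartbleed,
 *  CVE-2014-0160, over-read pattern).  Such a record sets
 *  state->invalid_hb_used so the caller can tear the connection down.
 *
 *  Fix over the previous version: alert and handshake records are checked
 *  to be long enough before buf[0] / buf[1] are read, and a NULL arg is
 *  tolerated, so a short or odd callback never reads out of bounds or
 *  dereferences NULL.
 *
 * @param write_p	0 for a record received from the peer, 1 for a record
 *			being sent.  Any other value is ignored.
 * @param msg_version	Protocol version of the record.  0 together with a
 *			content_type that does not fit in a byte marks one of
 *			OpenSSL's "pseudo" content types, which are ignored.
 * @param content_type	TLS record content type (SSL3_RT_* / TLS1_RT_*).
 * @param inbuf		Record payload.  Only read as far as len allows.
 * @param len		Number of bytes available at inbuf.
 * @param ssl		Unused.
 * @param arg		The tls_session_t for this SSL, or NULL (ignored).
 */
void cbtls_msg(int write_p, int msg_version, int content_type,
	       void const *inbuf, size_t len,
	       SSL *ssl UNUSED, void *arg)
{
	uint8_t const *buf = inbuf;
	tls_session_t *state = (tls_session_t *)arg;

	/*
	 *	OpenSSL also invokes the message callback for "pseudo" content
	 *	types (msg_version 0, content type beyond a byte).  They are not
	 *	TLS records and would corrupt our view of the session state.
	 */
	if ((msg_version == 0) && (content_type > UINT8_MAX)) {
		DEBUG4("Ignoring cbtls_msg call with pseudo content type %i, version %i",
		       content_type, msg_version);
		return;
	}

	/* origin is stored as a 0/1 flag, so only those two values make sense */
	if ((write_p != 0) && (write_p != 1)) {
		DEBUG4("Ignoring cbtls_msg call with invalid write_p %d", write_p);
		return;
	}

	/* No session to record into: nothing useful can be done. */
	if (!state) return;

	/*
	 *	Check the record is long enough for the bytes read out of it
	 *	below BEFORE touching state->info, so a short record neither
	 *	reads past inbuf nor leaves state->info half updated.
	 */
	if ((content_type == SSL3_RT_ALERT) && (len < 2)) {
		DEBUG4("Ignoring cbtls_msg call with truncated alert record (%zu bytes)", len);
		return;
	}
	if ((content_type == SSL3_RT_HANDSHAKE) && (len < 1)) {
		DEBUG4("Ignoring cbtls_msg call with empty handshake record");
		return;
	}

	/*
	 *	0 - received from the peer
	 *	1 - being sent to the peer
	 */
	state->info.origin = write_p;
	state->info.content_type = content_type;
	state->info.record_len = len;
	state->info.initialized = true;

	if (content_type == SSL3_RT_ALERT) {
		/* alert records are: level (1 byte) | description (1 byte) */
		state->info.alert_level = buf[0];
		state->info.alert_description = buf[1];
		state->info.handshake_type = 0x00;

	} else if (content_type == SSL3_RT_HANDSHAKE) {
		/* first byte of a handshake message is its type */
		state->info.handshake_type = buf[0];
		state->info.alert_level = 0x00;
		state->info.alert_description = 0x00;

#ifdef SSL3_RT_HEARTBEAT
	} else if (content_type == TLS1_RT_HEARTBEAT) {
		uint8_t const *p = buf;

		/*
		 *	Heartbeat request: type (1) | payload_len (2, big endian)
		 *	| payload.  A declared payload_len beyond what the record
		 *	actually carries is the Heartbleed over-read pattern.
		 */
		if ((len >= 3) && (p[0] == 1)) {
			size_t payload_len = ((size_t)p[1] << 8) | p[2];

			if ((payload_len + 3) > len) {
				state->invalid_hb_used = true;
				ERROR("OpenSSL Heartbeat attack detected. Closing connection");
				return;
			}
		}
#endif
	}

	tls_session_information(state);
}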
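/** Password callback handing back the configured private key password.
 *
 *  Has the OpenSSL pem_password_cb shape, so it can be installed with
 *  SSL_CTX_set_default_passwd_cb() and the password supplied through
 *  SSL_CTX_set_default_passwd_cb_userdata(); OpenSSL then loads an encrypted
 *  private key without prompting.
 *
 *  Fix over the previous version: the password was copied with strcpy()
 *  into buf regardless of buf's capacity.  The copy is now bounded by size
 *  and a password that does not fit is refused (-1) rather than silently
 *  truncated, which would only surface later as an opaque key-decrypt error.
 *
 * @param buf		Caller-provided buffer that receives the password.
 * @param size		Capacity of buf in bytes.
 * @param rwflag	Unused (0 when reading a key, 1 when writing one).
 * @param userdata	The NUL-terminated password string, or NULL if none
 *			was configured.
 * @return The number of password bytes placed in buf (excluding any NUL),
 *	   or -1 if there is no password or it does not fit in buf.  OpenSSL
 *	   treats a negative return as a callback error.
 */
int cbtls_password(char *buf, int size, int rwflag, void *userdata)
{
	char const *password = userdata;
	size_t plen;

	(void)rwflag;

	/* No password to return, or nowhere to put it. */
	if (!buf || !password || (size <= 0)) return -1;

	/*
	 *	Refuse rather than truncate.  OpenSSL only needs the returned
	 *	length, so a password of exactly size bytes is allowed even
	 *	though there is then no room for a terminating NUL.
	 */
	plen = strlen(password);
	if (plen > (size_t)size) return -1;

	memcpy(buf, password, plen);
	if (plen < (size_t)size) buf[plen] = '\0';	/* keep it a C string when possible */

	return (int)plen;
}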
#define USES_APPLE_DEPRECATED_API