The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
session.c
Go to the documentation of this file.
1 /*
2  * This program is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or
5  * (at your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: da96c9c3fbe0dd3cd8df4679e047192921e4d24f $
19  *
20  * @file tls/session.c
21  * @brief Initialise OpenSSL sessions, and read/write data to/from them.
22  *
23  * @copyright 2001 hereUare Communications, Inc. (raghud@hereuare.com)
24  * @copyright 2003 Alan DeKok (aland@freeradius.org)
25  * @copyright 2006-2016 The FreeRADIUS server project
26  */
27 #ifdef WITH_TLS
28 #define LOG_PREFIX "tls"
29 
30 #include <freeradius-devel/server/pair.h>
31 #include <freeradius-devel/server/log.h>
32 
33 #include <freeradius-devel/util/debug.h>
34 #include <freeradius-devel/util/base16.h>
35 #include <freeradius-devel/util/misc.h>
36 #include <freeradius-devel/util/pair_legacy.h>
37 
38 #include <freeradius-devel/protocol/freeradius/freeradius.internal.h>
39 
40 #include <freeradius-devel/unlang/interpret.h>
41 
42 #include <sys/stat.h>
43 #include <ctype.h>
44 #include <fcntl.h>
45 
46 #include "attrs.h"
47 #include "base.h"
48 #include "log.h"
49 
50 #include <openssl/x509v3.h>
51 #include <openssl/ssl.h>
52 
53 static char const *tls_version_str[] = {
54  [SSL2_VERSION] = "SSL 2.0",
55  [SSL3_VERSION] = "SSL 3.0",
56  [TLS1_VERSION] = "TLS 1.0",
57 #ifdef TLS1_1_VERSION
58  [TLS1_1_VERSION] = "TLS 1.1",
59 #endif
60 #ifdef TLS1_2_VERSION
61  [TLS1_2_VERSION] = "TLS 1.2",
62 #endif
63 #ifdef TLS1_3_VERSION
64  [TLS1_3_VERSION] = "TLS 1.3",
65 #endif
66 #ifdef TLS1_4_VERSION
67  [TLS1_4_VERSION] = "TLS 1.4",
68 #endif
69 };
70 
71 static char const *tls_content_type_str[] = {
72  [SSL3_RT_CHANGE_CIPHER_SPEC] = "change_cipher_spec",
73  [SSL3_RT_ALERT] = "alert",
74  [SSL3_RT_HANDSHAKE] = "handshake",
75  [SSL3_RT_APPLICATION_DATA] = "application_data",
76 #ifdef SSL3_RT_HEADER
77  [SSL3_RT_HEADER] = "header",
78 #endif
79 #ifdef SSL3_RT_INNER_CONTENT_TYPE
80  [SSL3_RT_INNER_CONTENT_TYPE] = "inner_content_type",
81 #endif
82 };
83 
84 static char const *tls_alert_description_str[] = {
85  [SSL3_AD_CLOSE_NOTIFY] = "close_notify",
86  [SSL3_AD_UNEXPECTED_MESSAGE] = "unexpected_message",
87  [SSL3_AD_BAD_RECORD_MAC] = "bad_record_mac",
88  [TLS1_AD_DECRYPTION_FAILED] = "decryption_failed",
89  [TLS1_AD_RECORD_OVERFLOW] = "record_overflow",
90  [SSL3_AD_DECOMPRESSION_FAILURE] = "decompression_failure",
91  [SSL3_AD_HANDSHAKE_FAILURE] = "handshake_failure",
92  [SSL3_AD_BAD_CERTIFICATE] = "bad_certificate",
93  [SSL3_AD_UNSUPPORTED_CERTIFICATE] = "unsupported_certificate",
94  [SSL3_AD_CERTIFICATE_REVOKED] = "certificate_revoked",
95  [SSL3_AD_CERTIFICATE_EXPIRED] = "certificate_expired",
96  [SSL3_AD_CERTIFICATE_UNKNOWN] = "certificate_unknown",
97  [SSL3_AD_ILLEGAL_PARAMETER] = "illegal_parameter",
98  [TLS1_AD_UNKNOWN_CA] = "unknown_ca",
99  [TLS1_AD_ACCESS_DENIED] = "access_denied",
100  [TLS1_AD_DECODE_ERROR] = "decode_error",
101  [TLS1_AD_DECRYPT_ERROR] = "decrypt_error",
102  [TLS1_AD_EXPORT_RESTRICTION] = "export_restriction",
103  [TLS1_AD_PROTOCOL_VERSION] = "protocol_version",
104  [TLS1_AD_INSUFFICIENT_SECURITY] = "insufficient_security",
105  [TLS1_AD_INTERNAL_ERROR] = "internal_error",
106  [TLS1_AD_USER_CANCELLED] = "user_cancelled",
107  [TLS1_AD_NO_RENEGOTIATION] = "no_renegotiation",
108 #ifdef TLS13_AD_MISSING_EXTENSION
109  [TLS13_AD_MISSING_EXTENSION] = "missing_extension",
110 #endif
111 #ifdef TLS13_AD_CERTIFICATE_REQUIRED
112  [TLS13_AD_CERTIFICATE_REQUIRED] = "certificate_required",
113 #endif
114 #ifdef TLS1_AD_UNSUPPORTED_EXTENSION
115  [TLS1_AD_UNSUPPORTED_EXTENSION] = "unsupported_extension",
116 #endif
117 #ifdef TLS1_AD_CERTIFICATE_UNOBTAINABLE
118  [TLS1_AD_CERTIFICATE_UNOBTAINABLE] = "certificate_unobtainable",
119 #endif
120 #ifdef TLS1_AD_UNRECOGNIZED_NAME
121  [TLS1_AD_UNRECOGNIZED_NAME] = "unrecognised_name",
122 #endif
123 #ifdef TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
124  [TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE] = "bad_certificate_status_response",
125 #endif
126 #ifdef TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
127  [TLS1_AD_BAD_CERTIFICATE_HASH_VALUE] = "bad_certificate_hash_value",
128 #endif
129 #ifdef TLS1_AD_UNKNOWN_PSK_IDENTITY
130  [TLS1_AD_UNKNOWN_PSK_IDENTITY] = "unknown_psk_identity",
131 #endif
132 #ifdef TLS1_AD_NO_APPLICATION_PROTOCOL
133  [TLS1_AD_NO_APPLICATION_PROTOCOL] = "no_application_protocol",
134 #endif
135 };
136 
137 static char const *tls_handshake_type_str[] = {
138  [SSL3_MT_HELLO_REQUEST] = "hello_request",
139  [SSL3_MT_CLIENT_HELLO] = "client_hello",
140  [SSL3_MT_SERVER_HELLO] = "server_hello",
141 #ifdef SSL3_MT_NEWSESSION_TICKET
142  [SSL3_MT_NEWSESSION_TICKET] = "new_session_ticket",
143 #endif
144 #ifdef SSL3_MT_END_OF_EARLY_DATA
145  [SSL3_MT_END_OF_EARLY_DATA] = "end_of_early_data",
146 #endif
147 #ifdef SSL3_MT_ENCRYPTED_EXTENSIONS
148  [SSL3_MT_ENCRYPTED_EXTENSIONS] = "encrypted_extensions",
149 #endif
150  [SSL3_MT_CERTIFICATE] = "certificate",
151  [SSL3_MT_SERVER_KEY_EXCHANGE] = "server_key_exchange",
152  [SSL3_MT_CERTIFICATE_REQUEST] = "certificate_request",
153  [SSL3_MT_SERVER_DONE] = "server_hello_done",
154  [SSL3_MT_CERTIFICATE_VERIFY] = "certificate_verify",
155  [SSL3_MT_CLIENT_KEY_EXCHANGE] = "client_key_exchange",
156  [SSL3_MT_FINISHED] = "finished",
157 #ifdef SSL3_MT_CERTIFICATE_URL
158  [SSL3_MT_CERTIFICATE_URL] = "certificate_url",
159 #endif
160 #ifdef SSL3_MT_CERTIFICATE_STATUS
161  [SSL3_MT_CERTIFICATE_STATUS] = "certificate_status",
162 #endif
163 #ifdef SSL3_MT_SUPPLEMENTAL_DATA
164  [SSL3_MT_SUPPLEMENTAL_DATA] = "supplemental_data",
165 #endif
166 #ifdef SSL3_MT_KEY_UPDATE
167  [SSL3_MT_KEY_UPDATE] = "key_update",
168 #endif
169 #ifdef SSL3_MT_NEXT_PROTO
170  [SSL3_MT_NEXT_PROTO] = "next_proto",
171 #endif
172 #ifdef SSL3_MT_MESSAGE_HASH
173  [SSL3_MT_MESSAGE_HASH] = "message_hash",
174 #endif
175 #ifdef DTLS1_MT_HELLO_VERIFY_REQUEST
176  [DTLS1_MT_HELLO_VERIFY_REQUEST] = "hello_verify_request",
177 #endif
178 #ifdef SSL3_MT_CHANGE_CIPHER_SPEC
179  [SSL3_MT_CHANGE_CIPHER_SPEC] = "change_cipher_spec",
180 #endif
181 };
182 
183 /** Clear a record buffer
184  *
185  * @param record buffer to clear.
186  */
187 inline static void record_init(fr_tls_record_t *record)
188 {
189  record->used = 0;
190 }
191 
192 /** Destroy a record buffer
193  *
194  * @param record buffer to destroy clear.
195  */
196 inline static void record_close(fr_tls_record_t *record)
197 {
198  record->used = 0;
199 }
200 
201 /** Copy data to the intermediate buffer, before we send it somewhere
202  *
203  * @param[in] record buffer to write to.
204  * @param[in] in data to write.
205  * @param[in] inlen Length of data to write.
206  * @return the amount of data written to the record buffer.
207  */
208 inline static unsigned int record_from_buff(fr_tls_record_t *record, void const *in, unsigned int inlen)
209 {
210  unsigned int added = FR_TLS_MAX_RECORD_SIZE - record->used;
211 
212  if (added > inlen) added = inlen;
213  if (added == 0) return 0;
214 
215  memcpy(record->data + record->used, in, added);
216  record->used += added;
217 
218  return added;
219 }
220 
221 /** Take data from the buffer, and give it to the caller
222  *
223  * @param[in] record buffer to read from.
224  * @param[out] out where to write data from record buffer.
225  * @param[in] outlen The length of the output buffer.
226  * @return the amount of data written to the output buffer.
227  */
228 inline static unsigned int record_to_buff(fr_tls_record_t *record, void *out, unsigned int outlen)
229 {
230  unsigned int taken = record->used;
231 
232  if (taken > outlen) taken = outlen;
233  if (taken == 0) return 0;
234  if (out) memcpy(out, record->data, taken);
235 
236  record->used -= taken;
237 
238  /*
239  * This is pretty bad...
240  */
241  if (record->used > 0) memmove(record->data, record->data + taken, record->used);
242 
243  return taken;
244 }
245 
246 /** Return the static private key password we have configured
247  *
248  * @param[out] buf Where to write the password to.
249  * @param[in] size The length of buf.
250  * @param[in] rwflag
251  * - 0 if password used for decryption.
252  * - 1 if password used for encryption.
253  * @param[in] u The static password.
254  * @return
255  * - 0 on error.
256  * - >0 on success (the length of the password).
257  */
258 int fr_tls_session_password_cb(char *buf, int size, int rwflag UNUSED, void *u)
259 {
260  size_t len;
261 
262  /*
263  * We do this instead of not registering the callback
264  * to ensure OpenSSL doesn't try and read a password
265  * from stdin (causes server to block).
266  */
267  if (!u) {
268  ERROR("Certificate encrypted but no private_key_password configured");
269  return 0;
270  }
271 
272  len = strlcpy(buf, (char *)u, size);
273  if (len > (size_t)size) {
274  ERROR("Password too long. Maximum length is %i bytes", size - 1);
275  return 0;
276  }
277 
278  return len;
279 }
280 
281 #ifdef PSK_MAX_IDENTITY_LEN
282 /** Verify the PSK identity contains no reserved chars
283  *
284  * @param identity to check.
285  * @return
286  * - true identity does not contain reserved chars.
287  * - false identity contains reserved chars.
288  */
289 static bool session_psk_identity_is_safe(const char *identity)
290 {
291  char c;
292 
293  if (!identity) return true;
294 
295  while ((c = *(identity++)) != '\0') {
296  if (isalpha((uint8_t) c) || isdigit((uint8_t) c) || isspace((uint8_t) c) ||
297  (c == '@') || (c == '-') || (c == '_') || (c == '.')) {
298  continue;
299  }
300 
301  return false;
302  }
303 
304  return true;
305 }
306 
307 /** Determine the PSK to use for an outgoing connection
308  *
309  * @param[in] ssl session.
310  * @param[in] identity The identity of the PSK to search for.
311  * @param[out] psk Where to write the PSK we found (if any).
312  * @param[in] max_psk_len The length of the buffer provided for PSK.
313  * @return
314  * - 0 if no PSK matching identity was found.
315  * - >0 if a PSK matching identity was found (the length of bytes written to psk).
316  */
317 unsigned int fr_tls_session_psk_client_cb(SSL *ssl, UNUSED char const *hint,
318  char *identity, unsigned int max_identity_len,
319  unsigned char *psk, unsigned int max_psk_len)
320 {
321  unsigned int psk_len;
322  fr_tls_conf_t *conf;
323 
324  conf = (fr_tls_conf_t *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_CONF);
325  if (!conf) return 0;
326 
327  psk_len = strlen(conf->psk_password);
328  if (psk_len > (2 * max_psk_len)) return 0;
329 
330  strlcpy(identity, conf->psk_identity, max_identity_len);
331 
332  return fr_base16_decode(NULL,
333  &FR_DBUFF_TMP((uint8_t *)psk, (size_t)max_psk_len),
334  &FR_SBUFF_IN(conf->psk_password, (size_t)psk_len), false);
335 }
336 
337 /** Determine the PSK to use for an incoming connection
338  *
339  * @param[in] ssl session.
340  * @param[in] identity The identity of the PSK to search for.
341  * @param[out] psk Where to write the PSK we found (if any).
342  * @param[in] max_psk_len The length of the buffer provided for PSK.
343  * @return
344  * - 0 if no PSK matching identity was found.
345  * - >0 if a PSK matching identity was found (the length of bytes written to psk).
346  */
347 unsigned int fr_tls_session_psk_server_cb(SSL *ssl, const char *identity,
348  unsigned char *psk, unsigned int max_psk_len)
349 {
350  size_t psk_len = 0;
351  fr_tls_conf_t *conf;
352  request_t *request;
353 
354  conf = (fr_tls_conf_t *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_CONF);
355  if (!conf) return 0;
356 
357  request = fr_tls_session_request(ssl);
358  if (request && conf->psk_query) {
359  size_t hex_len;
360  fr_pair_t *vp;
361  char buffer[2 * PSK_MAX_PSK_LEN + 4]; /* allow for too-long keys */
362 
363  /*
364  * The passed identity is weird. Deny it.
365  */
366  if (!session_psk_identity_is_safe(identity)) {
367  RWDEBUG("Invalid characters in PSK identity %s", identity);
368  return 0;
369  }
370 
371  MEM(pair_update_request(&vp, attr_tls_psk_identity) >= 0);
372  if (fr_pair_value_from_str(vp, identity, strlen(identity), NULL, true) < 0) {
373  RPWDEBUG2("Failed parsing TLS PSK Identity");
374  talloc_free(vp);
375  return 0;
376  }
377 
378  hex_len = xlat_eval(buffer, sizeof(buffer), request, conf->psk_query, NULL, NULL);
379  if (!hex_len) {
380  RWDEBUG("PSK expansion returned an empty string.");
381  return 0;
382  }
383 
384  /*
385  * The returned key is truncated at MORE than
386  * OpenSSL can handle. That way we can detect
387  * the truncation, and complain about it.
388  */
389  if (hex_len > (2 * max_psk_len)) {
390  RWDEBUG("Returned PSK is too long (%u > %u)", (unsigned int) hex_len, 2 * max_psk_len);
391  return 0;
392  }
393 
394  /*
395  * Leave the TLS-PSK-Identity in the request, and
396  * convert the expansion from printable string
397  * back to hex.
398  */
399  return fr_base16_decode(NULL,
400  &FR_DBUFF_TMP((uint8_t *)psk, (size_t)max_psk_len),
401  &FR_SBUFF_IN(buffer, hex_len), false);
402  }
403 
404  if (!conf->psk_identity) {
405  DEBUG("No static PSK identity set. Rejecting the user");
406  return 0;
407  }
408 
409  /*
410  * No request_t, or no dynamic query. Just look for a
411  * static identity.
412  */
413  if (strcmp(identity, conf->psk_identity) != 0) {
414  ERROR("Supplied PSK identity %s does not match configuration. Rejecting.",
415  identity);
416  return 0;
417  }
418 
419  psk_len = strlen(conf->psk_password);
420  if (psk_len > (2 * max_psk_len)) return 0;
421 
422  return fr_base16_decode(NULL,
423  &FR_DBUFF_TMP((uint8_t *)psk, (size_t)max_psk_len),
424  &FR_SBUFF_IN(conf->psk_password, psk_len), false);
425 }
426 #endif /* PSK_MAX_IDENTITY_LEN */
427 
428 DIAG_OFF(DIAG_UNKNOWN_PRAGMAS)
429 DIAG_OFF(used-but-marked-unused) /* Fix spurious warnings for sk_ macros */
430 /** Record session state changes
431  *
432  * Called by OpenSSL whenever the session state changes, an alert is received or an error occurs.
433  *
434  * @param[in] ssl session.
435  * @param[in] where Which context the callback is being called in.
436  * See https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_info_callback.html
437  * for additional info.
438  * @param[in] ret 0 if an error occurred, or the alert type if an alert was received.
439  */
440 void fr_tls_session_info_cb(SSL const *ssl, int where, int ret)
441 {
442  char const *role, *state;
443  request_t *request = SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_REQUEST);
444 
445  if ((where & ~SSL_ST_MASK) & SSL_ST_CONNECT) {
446  role = "Client ";
447  } else if (((where & ~SSL_ST_MASK)) & SSL_ST_ACCEPT) {
448  role = "Server ";
449  } else {
450  role = "";
451  }
452 
453  state = SSL_state_string_long(ssl);
454  state = state ? state : "<INVALID>";
455 
456  if ((where & SSL_CB_LOOP) || (where & SSL_CB_HANDSHAKE_START) || (where & SSL_CB_HANDSHAKE_DONE)) {
457  if (ROPTIONAL_ENABLED(RDEBUG_ENABLED3, DEBUG_ENABLED3)) {
458  char const *abbrv = SSL_state_string(ssl);
459  size_t len;
460 
461  /*
462  * Trim crappy OpenSSL state strings...
463  */
464  len = strlen(abbrv);
465  if ((len > 1) && (abbrv[len - 1] == ' ')) len--;
466 
467  ROPTIONAL(RDEBUG3, DEBUG3, "Handshake state [%.*s] - %s%s", (int)len, abbrv, role, state);
468 
469 #ifdef OPENSSL_NO_SSL_TRACE
470  {
471  STACK_OF(SSL_CIPHER) *server_ciphers;
472  STACK_OF(SSL_CIPHER) *client_ciphers;
473 
474  /*
475  * After a ClientHello, list all the proposed ciphers
476  * from the client.
477  *
478  * Only do this if we don't have SSL_trace() as
479  * SSL_trace() prints this information and we don't
480  * want to duplicate it.
481  */
482  if (SSL_get_state(ssl) == TLS_ST_SR_CLNT_HELLO &&
483  (client_ciphers = SSL_get_client_ciphers(ssl))) {
484  int i;
485  int num_ciphers;
486  const SSL_CIPHER *this_cipher;
487 
488  server_ciphers = SSL_get_ciphers(ssl);
489  /*
490  * These are printed on startup, so not usually
491  * required.
492  */
493  ROPTIONAL(RDEBUG4, DEBUG4, "Our preferred ciphers (by priority)");
494  if (ROPTIONAL_ENABLED(RDEBUG_ENABLED4, DEBUG_ENABLED4)) {
495  if (request) RINDENT();
496  num_ciphers = sk_SSL_CIPHER_num(server_ciphers);
497  for (i = 0; i < num_ciphers; i++) {
498  this_cipher = sk_SSL_CIPHER_value(server_ciphers, i);
499  ROPTIONAL(RDEBUG4, DEBUG4, "[%i] %s", i, SSL_CIPHER_get_name(this_cipher));
500  }
501  if (request) REXDENT();
502  }
503 
504  /*
505  * Print information about the client's
506  * handshake message.
507  */
508  if (ROPTIONAL_ENABLED(RDEBUG_ENABLED3, DEBUG_ENABLED3)) {
509  ROPTIONAL(RDEBUG3, DEBUG3, "Client's preferred ciphers (by priority)");
510  if (request) RINDENT();
511  num_ciphers = sk_SSL_CIPHER_num(client_ciphers);
512  for (i = 0; i < num_ciphers; i++) {
513  this_cipher = sk_SSL_CIPHER_value(client_ciphers, i);
514  ROPTIONAL(RDEBUG3, DEBUG3, "[%i] %s", i, SSL_CIPHER_get_name(this_cipher));
515  }
516  if (request) REXDENT();
517  }
518  }
519  }
520 # endif
521  } else {
522  ROPTIONAL(RDEBUG2, DEBUG2, "Handshake state - %s%s (%i)", role, state, SSL_get_state(ssl));
523  }
524  return;
525  }
526 
527  if (where & SSL_CB_ALERT) {
528  if ((ret & 0xff) == SSL_AD_CLOSE_NOTIFY) return;
529 
530  /*
531  * We got an alert...
532  */
533  if (where & SSL_CB_READ) {
534  fr_pair_t *vp;
535 
536  ROPTIONAL(REDEBUG, ERROR, "Client sent %s TLS alert (%i) - %s", SSL_alert_type_string_long(ret),
537  ret & 0xff, SSL_alert_desc_string_long(ret));
538 
539  /*
540  * Offer helpful advice... Should be expanded.
541  */
542  switch (ret & 0xff) {
543  case TLS1_AD_UNKNOWN_CA:
544  REDEBUG("Verify the client has a copy of the server's Certificate "
545  "Authority (CA) installed, and trusts that CA");
546  break;
547 
548  default:
549  break;
550  }
551 
552  MEM(pair_update_request(&vp, attr_tls_client_error_code) >= 0);
553  vp->vp_uint8 = ret & 0xff;
554  ROPTIONAL(RDEBUG2, DEBUG2, "&TLS-Client-Error-Code := %pV", &vp->data);
555  /*
556  * We're sending the client an alert.
557  */
558  } else {
559  ROPTIONAL(REDEBUG, ERROR, "Sending client %s TLS alert (%i) - %s",
560  SSL_alert_type_string_long(ret), ret & 0xff, SSL_alert_desc_string_long(ret));
561 
562  /*
563  * Offer helpful advice... Should be expanded.
564  */
565  switch (ret & 0xff) {
566  case TLS1_AD_PROTOCOL_VERSION:
567  ROPTIONAL(REDEBUG, ERROR, "Client requested a TLS protocol version that is not "
568  "enabled or not supported. Upgrade FreeRADIUS + OpenSSL to their latest "
569  "versions and/or adjust 'tls_max_version'/'tls_min_version' if you want "
570  "authentication to succeed");
571  break;
572 
573  default:
574  break;
575  }
576  }
577  return;
578  }
579 
580  if (where & SSL_CB_EXIT) {
581  if (ret == 0) {
582  ROPTIONAL(REDEBUG, ERROR, "Handshake exit state %s%s", role, state);
583  return;
584  }
585 
586  if (ret < 0) {
587  if (SSL_want_read(ssl)) {
588  RDEBUG2("Need more data from client"); /* State same as previous call, don't print */
589  return;
590  }
591  ROPTIONAL(REDEBUG, ERROR, "Handshake exit state %s%s", role, state);
592  }
593  }
594 }
595 DIAG_ON(used-but-marked-unused)
596 DIAG_ON(DIAG_UNKNOWN_PRAGMAS)
597 
598 /** Print a message to the request or global log detailing handshake state
599  *
600  * @param[in] request The current #request_t.
601  * @param[in] tls_session The current TLS session.
602  */
603 static void session_msg_log(request_t *request, fr_tls_session_t *tls_session, uint8_t const *data, size_t data_len)
604 {
605  char const *version, *content_type;
606  char const *str_details1 = NULL;
607  char const *str_details2 = NULL;
608  char unknown_version[32];
609  char unknown_content_type[32];
610  char unknown_alert_level[32];
611  char unknown_alert_description[32];
612  char unknown_handshake_type[32];
613 
614  /*
615  * Don't print this out in the normal course of
616  * operations.
617  */
618  if (!ROPTIONAL_ENABLED(RDEBUG_ENABLED2, DEBUG_ENABLED2)) return;
619 
620  if (((size_t)tls_session->info.version >= NUM_ELEMENTS(tls_version_str)) ||
621  !tls_version_str[tls_session->info.version]) {
622  snprintf(unknown_version, sizeof(unknown_version), "unknown_tls_version_0x%04x", tls_session->info.version);
623  version = unknown_version;
624  } else {
625  version = tls_version_str[tls_session->info.version];
626  }
627 
628  /*
629  * TLS 1.0, 1.1, 1.2 content types are the same as SSLv3
630  */
631  if (((size_t)tls_session->info.content_type >= NUM_ELEMENTS(tls_content_type_str)) ||
632  !tls_content_type_str[tls_session->info.content_type]) {
633  snprintf(unknown_content_type, sizeof(unknown_content_type),
634  "unknown_content_type_0x%04x", tls_session->info.content_type);
635  content_type = unknown_content_type;
636  } else {
637  content_type = tls_content_type_str[tls_session->info.content_type];
638  }
639 
640  if (tls_session->info.content_type == SSL3_RT_ALERT) {
641  if (tls_session->info.record_len == 2) {
642  switch (tls_session->info.alert_level) {
643  case SSL3_AL_WARNING:
644  str_details1 = "warning";
645  break;
646  case SSL3_AL_FATAL:
647  str_details1 = "fatal";
648  break;
649 
650  default:
651  snprintf(unknown_alert_level, sizeof(unknown_alert_level),
652  "unknown_alert_level_0x%04x", tls_session->info.alert_level);
653  str_details1 = unknown_alert_level;
654  break;
655  }
656 
657  if (((size_t)tls_session->info.alert_description >= NUM_ELEMENTS(tls_alert_description_str)) ||
658  !tls_alert_description_str[tls_session->info.alert_description]) {
659  snprintf(unknown_alert_description, sizeof(unknown_alert_description),
660  "unknown_alert_0x%04x", tls_session->info.alert_description);
661  str_details2 = unknown_alert_description;
662  } else {
663  str_details2 = tls_alert_description_str[tls_session->info.alert_description];
664  }
665  } else {
666  str_details1 = "unknown_alert_level";
667  str_details2 = "unknown_alert";
668  }
669  }
670 
671  if ((size_t)tls_session->info.content_type == SSL3_RT_HANDSHAKE) {
672  if (tls_session->info.record_len > 0) {
673  /*
674  * Range guard not needed due to size of array
675  * and underlying type.
676  */
677  if (!tls_handshake_type_str[tls_session->info.handshake_type]) {
678  snprintf(unknown_handshake_type, sizeof(unknown_handshake_type),
679  "unknown_handshake_type_0x%02x", tls_session->info.handshake_type);
680  str_details1 = unknown_handshake_type;
681  } else {
682  str_details1 = tls_handshake_type_str[tls_session->info.handshake_type];
683  }
684  }
685  }
686 
687  snprintf(tls_session->info.info_description, sizeof(tls_session->info.info_description),
688  "%s %s, %s[length %lu]%s%s%s%s",
689  tls_session->info.origin ? ">>> send" : "<<< recv",
690  version,
691  content_type,
692  (unsigned long)tls_session->info.record_len,
693  str_details1 ? ", " : "",
694  str_details1 ? str_details1 : "",
695  str_details2 ? ", " : "",
696  str_details2 ? str_details2 : "");
697 
698  /*
699  * Print out information about the record and print the
700  * data at higher debug levels.
701  */
702  if (ROPTIONAL_ENABLED(RDEBUG_ENABLED4, DEBUG_ENABLED4)) {
703  ROPTIONAL(RHEXDUMP4, HEXDUMP4, data, data_len, "%s", tls_session->info.info_description);
704  } else {
705  ROPTIONAL(RDEBUG2, DEBUG2, "%s", tls_session->info.info_description);
706  }
707 }
708 
709 /** Record the progression of the TLS handshake
710  *
711  * This callback is called by OpenSSL whenever a protocol message relating to a handshake is sent
712  * or received.
713  *
714  * This function copies state information from the various arguments into the state->info
715  * structure of the #fr_tls_session_t, to allow us to track the progression of the handshake.
716  *
717  * @param[in] write_p
718  * - 0 when a message has been received.
719  * - 1 when a message has been sent.
720  *
721  * @param[in] msg_version The TLS version negotiated, should be one of:
722  * - TLS1_VERSION
723  * - TLS1_1_VERSION
724  * - TLS1_2_VERSION
725  * - TLS1_3_VERSION
726  *
727  * @param[in] content_type One of the contentType values defined for TLS:
728  * - SSL3_RT_CHANGE_CIPHER_SPEC (20)
729  * - SSL3_RT_ALERT (21)
730  * - SSL3_RT_HANDSHAKE (22)
731  * - TLS1_RT_HEARTBEAT (24)
732  *
733  * @param[in] inbuf The raw protocol message.
734  * @param[in] len Length of the raw protocol message.
735  * @param[in] ssl The SSL session.
736  * @param[in] arg The #fr_tls_session_t holding the SSL session.
737  */
738 void fr_tls_session_msg_cb(int write_p, int msg_version, int content_type,
739  void const *inbuf, size_t len,
740  SSL *ssl, void *arg)
741 {
742  uint8_t const *buf = inbuf;
743  fr_tls_session_t *tls_session = talloc_get_type_abort(arg, fr_tls_session_t);
744  request_t *request = fr_tls_session_request(tls_session->ssl);
745 
746  /*
747  * Mostly to check for memory corruption...
748  */
749  if (!fr_cond_assert(tls_session->ssl = ssl)) {
750  ROPTIONAL(REDEBUG, ERROR, "fr_tls_session_t and ssl arg do not match in fr_tls_session_msg_cb");
751  tls_session->invalid = true;
752  return;
753  }
754 
755  /*
756  * As per https://tools.ietf.org/html/rfc7568
757  *
758  * We explicitly disable SSLv2/v3, hence the asserts.
759  */
760 #ifdef SSL2_VERSION
761  if (!fr_cond_assert(msg_version != SSL2_VERSION)) {
762  ROPTIONAL(REDEBUG, ERROR, "Invalid version (SSLv2) in handshake");
763  tls_session->invalid = true;
764  return;
765  }
766 #endif
767 
768 #ifdef SSL3_VERSION
769  if (!fr_cond_assert(msg_version != SSL3_VERSION)) {
770  ROPTIONAL(REDEBUG, ERROR, "Invalid version (SSLv3) in handshake");
771  tls_session->invalid = true;
772  return;
773  }
774 #endif
775 
776  /*
777  * OpenSSL >= 1.0.2 calls this function with 'pseudo'
778  * content types. Which breaks our tracking of
779  * the SSL Session state.
780  */
781  if ((msg_version == 0) && (content_type > UINT8_MAX)) {
782  ROPTIONAL(REDEBUG4, DEBUG4, "Ignoring fr_tls_session_msg_cb call with pseudo content type %i, version %i",
783  content_type, msg_version);
784  return;
785  }
786 
787  if ((write_p != 0) && (write_p != 1)) {
788  ROPTIONAL(REDEBUG4, DEBUG4, "Ignoring fr_tls_session_msg_cb call with invalid write_p %d", write_p);
789  return;
790  }
791 
792  /*
793  * 0 - received (from peer)
794  * 1 - sending (to peer)
795  */
796  tls_session->info.origin = write_p;
797  tls_session->info.content_type = content_type;
798  tls_session->info.record_len = len;
799  tls_session->info.version = msg_version;
800  tls_session->info.initialized = true;
801 
802  switch (content_type) {
803  case SSL3_RT_ALERT:
804  tls_session->info.alert_level = buf[0];
805  tls_session->info.alert_description = buf[1];
806  tls_session->info.handshake_type = 0x00;
807  break;
808 
809  case SSL3_RT_HANDSHAKE:
810  tls_session->info.handshake_type = buf[0];
811  tls_session->info.alert_level = 0x00;
812  tls_session->info.alert_description = 0x00;
813  break;
814 
815 #ifdef SSL3_RT_HEARTBEAT
816  case TLS1_RT_HEARTBEAT:
817  uint8_t *p = buf;
818 
819  if ((len >= 3) && (p[0] == 1)) {
820  size_t payload_len;
821 
822  payload_len = fr_nbo_to_uint16(p + 1);
823  if ((payload_len + 3) > len) {
824  tls_session->invalid = true;
825  ROPTIONAL(REDEBUG, ERROR, "OpenSSL Heartbeat attack detected. Closing connection");
826  return;
827  }
828  }
829  break;
830 #endif
831  default:
832  break;
833  }
834 
835  session_msg_log(request, tls_session, (uint8_t const *)inbuf, len);
836 
837 #ifndef OPENSSL_NO_SSL_TRACE
838  if (ROPTIONAL_ENABLED(RDEBUG_ENABLED3, DEBUG_ENABLED3)) {
839  SSL_trace(tls_session->info.origin,
840  tls_session->info.version,
841  tls_session->info.content_type,
842  inbuf, len,
843  ssl,
844  request ?
845  fr_tls_request_log_bio(request, L_DBG, L_DBG_LVL_3) :
846  fr_tls_global_log_bio(L_DBG, L_DBG_LVL_3));
847  }
848 #endif
849 }
850 
851 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
852 /*
853  * By setting the environment variable SSLKEYLOGFILE to a filename keying
854  * material will be exported that you may use with Wireshark to decode any
855  * TLS flows. Please see the following for more details:
856  *
857  * https://gitlab.com/wireshark/wireshark/-/wikis/TLS#tls-decryption
858  *
859  * An example logging session is (you should delete the file on each run):
860  *
861  * rm -f /tmp/sslkey.log; env SSLKEYLOGFILE=/tmp/sslkey.log freeradius -X | tee /tmp/debug
862  *
863  * Note that we rely on the OS to check file permissions. If the
864  * caller can run radiusd, then they can only write to files which
865  * they own. If radiusd is running as root, then only root can
866  * change the environment variables for radiusd.
867  */
868 void fr_tls_session_keylog_cb(const SSL *ssl, const char *line)
869 {
870  int fd;
871  size_t len;
872  const char *filename;
873  char buffer[64 + 2*SSL3_RANDOM_SIZE + 2*SSL_MAX_MASTER_KEY_LENGTH];
874 
875  /*
876  * Prefer the environment variable definition to the
877  * configuration file. This allows for "one-shot"
878  * dumping of EAP keys when you know you're not using
879  * RadSec, and you don't want to edit the configuration.
880  */
881  filename = getenv("SSLKEYLOGFILE");
882  if (!filename) {
883  fr_tls_conf_t *conf;
884 
885  conf = (fr_tls_conf_t *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_CONF);
886  if (!conf || !conf->keylog_file || !*conf->keylog_file) return;
887 
888  filename = conf->keylog_file;
889  }
890 
891  /*
892  * We write all of the data at once. This is *generally*
893  * atomic on most systems.
894  */
895  len = strlen(line);
896  if ((len + 1) > sizeof(buffer)) {
897  DEBUG("SSLKEYLOGFILE buffer not large enough, max %lu, required %lu", sizeof(buffer), len + 1);
898  return;
899  }
900 
901  /*
902  * Add a \n, which means that in order to write() the
903  * buffer AND the trailing \n, we have to place both
904  * strings into the same buffer.
905  */
906  memcpy(buffer, line, len);
907  buffer[len] = '\n';
908 
909  fd = open(filename, O_WRONLY | O_CREAT | O_APPEND, S_IRUSR | S_IWUSR);
910  if (fd < 0) {
911  DEBUG("Failed to open file %s: %s", filename, strerror(errno));
912  return;
913  }
914 
915  /*
916  * This should work in most situations.
917  */
918  if (write(fd, buffer, len + 1) < 0) {
919  DEBUG("Failed to write to file %s: %s", filename, strerror(errno));
920  }
921 
922  close(fd);
923 }
924 #endif
925 
926 /** Decrypt application data
927  *
928  * @note Handshake must have completed before this function may be called.
929  *
930  * Feed data from dirty_in to OpenSSL, and read the clean data into clean_out.
931  *
932  * @param[in] request The current #request_t.
933  * @param[in] tls_session The current TLS session.
934  * @return
935  * - -1 on error.
936  * - 1 if more fragments are required to fully reassemble the record for decryption.
937  * - 0 if we decrypted a complete record.
938  */
939 int fr_tls_session_recv(request_t *request, fr_tls_session_t *tls_session)
940 {
941  int ret;
942 
943  fr_tls_session_request_bind(tls_session->ssl, request);
944 
945  if (!SSL_is_init_finished(tls_session->ssl)) {
946  REDEBUG("Attempted to read application data before handshake completed");
947  error:
948  ret = -1;
949  goto finish;
950  }
951 
952  /*
953  * Decrypt the complete record.
954  */
955  if (tls_session->dirty_in.used) {
956  ret = BIO_write(tls_session->into_ssl, tls_session->dirty_in.data, tls_session->dirty_in.used);
957  if (ret != (int) tls_session->dirty_in.used) {
958  record_init(&tls_session->dirty_in);
959  REDEBUG("Failed writing %zd bytes to SSL BIO: %d", tls_session->dirty_in.used, ret);
960  goto error;
961  }
962 
963  record_init(&tls_session->dirty_in);
964  }
965 
966  /*
967  * Clear the dirty buffer now that we are done with it
968  * and init the clean_out buffer to store decrypted data
969  */
970  record_init(&tls_session->clean_out);
971 
972  /*
973  * Read (and decrypt) the tunneled data from the
974  * SSL session, and put it into the decrypted
975  * data buffer.
976  */
977  ret = SSL_read(tls_session->ssl, tls_session->clean_out.data, sizeof(tls_session->clean_out.data));
978  if (ret < 0) {
979  int code;
980 
981  code = SSL_get_error(tls_session->ssl, ret);
982  switch (code) {
983  case SSL_ERROR_WANT_READ:
984  RWDEBUG("Peer indicated record was complete, but OpenSSL returned SSL_WANT_READ. "
985  "Attempting to continue");
986  ret = 1;
987  goto finish;
988 
989  case SSL_ERROR_WANT_WRITE:
990  REDEBUG("Error in fragmentation logic: SSL_WANT_WRITE");
991  goto error;
992 
993  case SSL_ERROR_NONE:
994  RDEBUG2("No application data received. Assuming handshake is continuing...");
995  ret = 0;
996  break;
997 
998  default:
999  REDEBUG("Error in fragmentation logic");
1000  fr_tls_log_io_error(request, code, "SSL_read (%s)", __FUNCTION__);
1001  goto error;
1002  }
1003  }
1004 
1005  /*
1006  * Passed all checks, successfully decrypted data
1007  */
1008  tls_session->clean_out.used = ret;
1009  ret = 0;
1010 
1011  if (RDEBUG_ENABLED3) {
1012  RHEXDUMP3(tls_session->clean_out.data, tls_session->clean_out.used,
1013  "Decrypted TLS application data (%zu bytes)", tls_session->clean_out.used);
1014  } else {
1015  RDEBUG2("Decrypted TLS application data (%zu bytes)", tls_session->clean_out.used);
1016  }
1017 finish:
1018  fr_tls_session_request_unbind(tls_session->ssl);
1019 
1020  return ret;
1021 }
1022 
1023 /** Encrypt application data
1024  *
1025  * @note Handshake must have completed before this function may be called.
1026  *
1027  * Take cleartext data from clean_in, and feed it to OpenSSL, reading
1028  * the encrypted data into dirty_out.
1029  *
1030  * @param[in] request The current request.
1031  * @param[in] tls_session The current TLS session.
1032  * @return
1033  * - -1 on failure.
1034  * - 0 on success.
1035  */
1036 int fr_tls_session_send(request_t *request, fr_tls_session_t *tls_session)
1037 {
1038  int ret = 0;
1039 
1040  fr_tls_session_request_bind(tls_session->ssl, request);
1041 
1042  if (!SSL_is_init_finished(tls_session->ssl)) {
1043  REDEBUG("Attempted to write application data before handshake completed");
1044  ret = -1;
1045  goto finish;
1046  }
1047 
1048  /*
1049  * If there's un-encrypted data in 'clean_in', then write
1050  * that data to the SSL session, and then call the BIO function
1051  * to get that encrypted data from the SSL session, into
1052  * a buffer which we can then package into an EAP packet.
1053  *
1054  * Based on Server's logic this clean_in is expected to
1055  * contain the data to send to the client.
1056  */
1057  if (tls_session->clean_in.used > 0) {
1058  if (RDEBUG_ENABLED3) {
1059  RHEXDUMP3(tls_session->clean_in.data, tls_session->clean_in.used,
1060  "TLS application data to encrypt (%zu bytes)", tls_session->clean_in.used);
1061  } else {
1062  RDEBUG2("TLS application data to encrypt (%zu bytes)", tls_session->clean_in.used);
1063  }
1064 
1065  ret = SSL_write(tls_session->ssl, tls_session->clean_in.data, tls_session->clean_in.used);
1066  record_to_buff(&tls_session->clean_in, NULL, ret);
1067 
1068  /* Get the dirty data from Bio to send it */
1069  ret = BIO_read(tls_session->from_ssl, tls_session->dirty_out.data,
1070  sizeof(tls_session->dirty_out.data));
1071  if (ret > 0) {
1072  tls_session->dirty_out.used = ret;
1073  ret = 0;
1074  } else {
1075  if (fr_tls_log_io_error(request, SSL_get_error(tls_session->ssl, ret),
1076  "SSL_write (%s)", __FUNCTION__) < 0) ret = -1;
1077  }
1078  }
1079 
1080 finish:
1081  fr_tls_session_request_unbind(tls_session->ssl);
1082 
1083  return ret;
1084 }
1085 
1086 /** Instruct fr_tls_session_async_handshake to create a synthesised TLS alert record and send it to the peer
1087  *
1088  */
1089 int fr_tls_session_alert(UNUSED request_t *request, fr_tls_session_t *session, uint8_t level, uint8_t description)
1090 {
1091  if (session->alerts_sent > 3) return -1; /* Some kind of state machine brokenness */
1092 
1093  /*
1094  * Ignore less severe alerts
1095  */
1096  if (session->pending_alert && (level < session->pending_alert_level)) return 0;
1097 
1098  session->pending_alert = true;
1099  session->pending_alert_level = level;
1100  session->pending_alert_description = description;
1101 
1102  return 0;
1103 }
1104 
1105 static void fr_tls_session_alert_send(request_t *request, fr_tls_session_t *session)
1106 {
1107  /*
1108  * Update our internal view of the session
1109  */
1110  session->info.origin = TLS_INFO_ORIGIN_RECORD_SENT;
1111  session->info.content_type = SSL3_RT_ALERT;
1112  session->info.alert_level = session->pending_alert_level;
1113  session->info.alert_description = session->pending_alert_description;
1114 
1115  session->dirty_out.data[0] = session->info.content_type;
1116  session->dirty_out.data[1] = 3;
1117  session->dirty_out.data[2] = 1;
1118  session->dirty_out.data[3] = 0;
1119  session->dirty_out.data[4] = 2;
1120  session->dirty_out.data[5] = session->pending_alert_level;
1121  session->dirty_out.data[6] = session->pending_alert_description;
1122 
1123  session->dirty_out.used = 7;
1124 
1125  session->pending_alert = false;
1126  session->alerts_sent++;
1127 
1128  SSL_clear(session->ssl); /* Reset the SSL *, to allow the client to restart the session */
1129 
1130  session_msg_log(request, session, session->dirty_out.data, session->dirty_out.used);
1131 }
1132 
1133 /** Finish off a handshake round, possibly adding attributes to the request
1134  *
1135  */
1136 static unlang_action_t tls_session_async_handshake_done_round(UNUSED rlm_rcode_t *p_result, UNUSED int *priority,
1137  request_t *request, void *uctx)
1138 {
1139  fr_tls_session_t *tls_session = talloc_get_type_abort(uctx, fr_tls_session_t);
1140  int ret;
1141 
1142  RDEBUG3("entered state %s", __FUNCTION__);
1143 
1144  /*
1145  * This only occurs once per session, where calling
1146  * SSL_read updates the state of the SSL session, setting
1147  * this flag to true.
1148  *
1149  * Callbacks provide enough info so we don't need to
1150  * print debug statements when the handshake is in other
1151  * states.
1152  */
1153  if (SSL_is_init_finished(tls_session->ssl)) {
1154  SSL_CIPHER const *cipher;
1155  fr_pair_t *vp;
1156  char const *version;
1157 
1158  char cipher_desc[256], cipher_desc_clean[256];
1159  char *p = cipher_desc, *q = cipher_desc_clean;
1160 
1161  cipher = SSL_get_current_cipher(tls_session->ssl);
1162  SSL_CIPHER_description(cipher, cipher_desc, sizeof(cipher_desc));
1163 
1164  /*
1165  * Cleanup the output from OpenSSL
1166  * Seems to print info in a tabular format.
1167  */
1168  while (*p != '\0') {
1169  if (isspace((uint8_t) *p)) {
1170  *q++ = *p;
1171  fr_skip_whitespace(p);
1172  continue;
1173  }
1174  *q++ = *p++;
1175  }
1176  *q = '\0';
1177 
1178  RDEBUG2("Cipher suite: %s", cipher_desc_clean);
1179 
1180  RDEBUG2("Adding TLS session information to request");
1181  vp = fr_pair_afrom_da(request->session_state_ctx, attr_tls_session_cipher_suite);
1182  if (vp) {
1183  fr_pair_value_strdup(vp, SSL_CIPHER_get_name(cipher), false);
1184  fr_pair_append(&request->session_state_pairs, vp);
1185  RINDENT();
1186  RDEBUG2("&session-state.%pP", vp);
1187  REXDENT();
1188  }
1189 
1190  if (((size_t)tls_session->info.version >= NUM_ELEMENTS(tls_version_str)) ||
1191  !tls_version_str[tls_session->info.version]) {
1192  version = "UNKNOWN";
1193  } else {
1194  version = tls_version_str[tls_session->info.version];
1195  }
1196 
1197  vp = fr_pair_afrom_da(request->session_state_ctx, attr_tls_session_version);
1198  if (vp) {
1199  fr_pair_value_strdup(vp, version, false);
1200  fr_pair_append(&request->session_state_pairs, vp);
1201  RINDENT();
1202  RDEBUG2("&session-state.TLS-Session-Version := \"%s\"", version);
1203  REXDENT();
1204  }
1205 
1206  /*
1207  * Cache the SSL_SESSION pointer.
1208  *
1209  * Which contains all the data we need for session resumption.
1210  */
1211  if (!tls_session->session) {
1212  tls_session->session = SSL_get_session(tls_session->ssl);
1213  if (!tls_session->session) {
1214  REDEBUG("Failed getting TLS session");
1215  error:
1216  tls_session->result = FR_TLS_RESULT_ERROR;
1217  fr_tls_session_request_unbind(tls_session->ssl);
1218  return UNLANG_ACTION_CALCULATE_RESULT;
1219  }
1220  }
1221 
1222  if (RDEBUG_ENABLED3) {
1223  if (SSL_SESSION_print(fr_tls_request_log_bio(request, L_DBG, L_DBG_LVL_3),
1224  tls_session->session) != 1) {
1225  } else {
1226  RDEBUG3("Failed retrieving session data");
1227  }
1228  }
1229 
1230  /*
1231  * Session was resumed, add attribute to mark it as such.
1232  */
1233  if (SSL_session_reused(tls_session->ssl)) {
1234  /*
1235  * Mark the request as resumed.
1236  */
1237  MEM(pair_update_request(&vp, attr_session_resumed) >= 0);
1238  vp->vp_bool = true;
1239  }
1240  }
1241 
1242  /*
1243  * Get data to pack and send back to the TLS peer.
1244  */
1245  ret = BIO_ctrl_pending(tls_session->from_ssl);
1246  if (ret > 0) {
1247  ret = BIO_read(tls_session->from_ssl, tls_session->dirty_out.data,
1248  sizeof(tls_session->dirty_out.data));
1249  if (ret > 0) {
1250  tls_session->dirty_out.used = ret;
1251  } else if (BIO_should_retry(tls_session->from_ssl)) {
1252  record_init(&tls_session->dirty_in);
1253  RDEBUG2("Asking for more data in tunnel");
1254 
1255  } else {
1256  fr_tls_log(NULL, NULL);
1257  record_init(&tls_session->dirty_in);
1258  goto error;
1259  }
1260  } else {
1261  /* Its clean application data, do whatever we want */
1262  record_init(&tls_session->clean_out);
1263  }
1264 
1265  /*
1266  * Trash the current data in dirty_out, and synthesize
1267  * a TLS error record.
1268  *
1269  * OpensSL annoyingly provides no mechanism for us to
1270  * send alerts, and we need to send alerts as part of
1271  * RFC 5216, so this is our only option.
1272  */
1273  if (tls_session->pending_alert) fr_tls_session_alert_send(request, tls_session);
1274 
1275  /* We are done with dirty_in, reinitialize it */
1276  record_init(&tls_session->dirty_in);
1277 
1278  tls_session->result = FR_TLS_RESULT_SUCCESS;
1279  fr_tls_session_request_unbind(tls_session->ssl);
1280  return UNLANG_ACTION_CALCULATE_RESULT;
1281 }
1282 
1283 /** Try very hard to get the SSL * into a consistent state where it's not yielded
1284  *
1285  * ...because if it's yielded, we'll probably leak thread contexts and all kinds of memory.
1286  *
1287  * @param[in] request being cancelled.
1288  * @param[in] action we're being signalled with.
1289  * @param[in] uctx the SSL * to cancel.
1290  */
1291 static void tls_session_async_handshake_signal(UNUSED request_t *request, UNUSED fr_signal_t action, void *uctx)
1292 {
1293  fr_tls_session_t *tls_session = talloc_get_type_abort(uctx, fr_tls_session_t);
1294  int ret;
1295 
1296  /*
1297  * We might want to set can_pause = false here
1298  * but that would trigger asserts in the
1299  * cache code.
1300  */
1301 
1302  /*
1303  * If SSL_get_error returns SSL_ERROR_WANT_ASYNC
1304  * it means we're yielded in the middle of a
1305  * callback.
1306  *
1307  * Keep calling SSL_read() in a loop until we
1308  * no longer get SSL_ERROR_WANT_ASYNC, then
1309  * shut it down so it's in a consistent state.
1310  *
1311  * It'll get freed later when the request is
1312  * freed.
1313  */
1314  for (ret = tls_session->last_ret;
1315  SSL_get_error(tls_session->ssl, ret) == SSL_ERROR_WANT_ASYNC;
1316  ret = SSL_read(tls_session->ssl, tls_session->clean_out.data + tls_session->clean_out.used,
1317  sizeof(tls_session->clean_out.data) - tls_session->clean_out.used));
1318 
1319  /*
1320  * Unbind the cancelled request from the SSL *
1321  */
1322  fr_tls_session_request_unbind(tls_session->ssl);
1323 }
1324 
1325 /** Call SSL_read() to continue the TLS state machine
1326  *
1327  * This function may be called multiple times, once after every asynchronous request.
1328  *
1329  * @param[in,out] p_result UNUSED.
1330  * @param[out] priority UNUSED
1331  * @param[in] request The current request.
1332  * @param[in] uctx #fr_tls_session_t to continue.
1333  * @return
1334  * - UNLANG_ACTION_CALCULATE_RESULT - We're done with this round.
1335  * - UNLANG_ACTION_PUSHED_CHILD - Need to perform more asynchronous actions.
1336  */
1337 static unlang_action_t tls_session_async_handshake_cont(rlm_rcode_t *p_result, int *priority,
1338  request_t *request, void *uctx)
1339 {
1340  fr_tls_session_t *tls_session = talloc_get_type_abort(uctx, fr_tls_session_t);
1341  int err;
1342 
1343  RDEBUG3("(re-)entered state %s", __FUNCTION__);
1344 
1345  /*
1346  * Magic/More magic? Although SSL_read is normally
1347  * used to read application data, it will also
1348  * continue the TLS handshake. Removing this call will
1349  * cause the handshake to fail.
1350  *
1351  * We don't ever expect to actually *receive* application
1352  * data here.
1353  *
1354  * The reason why we call SSL_read instead of SSL_accept,
1355  * or SSL_connect, as it allows this function
1356  * to be used, irrespective or whether we're acting
1357  * as a client or a server.
1358  *
1359  * If acting as a client SSL_set_connect_state must have
1360  * been called before this function.
1361  *
1362  * If acting as a server SSL_set_accept_state must have
1363  * been called before this function.
1364  */
1365  tls_session->can_pause = true;
1366  tls_session->last_ret = SSL_read(tls_session->ssl, tls_session->clean_out.data + tls_session->clean_out.used,
1367  sizeof(tls_session->clean_out.data) - tls_session->clean_out.used);
1368  tls_session->can_pause = false;
1369  if (tls_session->last_ret > 0) {
1370  tls_session->clean_out.used += tls_session->last_ret;
1371 
1372  /*
1373  * Round successful, and we don't need to do any
1374  * further processing.
1375  */
1376  tls_session->result = FR_TLS_RESULT_SUCCESS;
1377  finish:
1378  /*
1379  * Was bound by caller
1380  */
1381  fr_tls_session_request_unbind(tls_session->ssl);
1382  return UNLANG_ACTION_CALCULATE_RESULT;
1383  }
1384 
1385 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1386  /*
1387  * Bug in OpenSSL 3.0 - Normal handshaking behaviour
1388  * results in spurious "BIO_R_UNSUPPORTED_METHOD"
1389  * errors.
1390  *
1391  * SSL_get_error apparently returns SSL_ERROR_SSL if
1392  * there are any errors in the stack. This masks
1393  * SSL_ERROR_WANT_ASYNC and causes the handshake to
1394  * fail.
1395  *
1396  * Note: We may want some version of this code
1397  * included for all OpenSSL versions.
1398  *
1399  * It would call ERR_GET_FATAL() on each of the errors
1400  * in the stack to drain non-fatal errors and prevent
1401  * the other (more useful) return codes of
1402  * SSL_get_error from being masked. I guess we'll see
1403  * if this occurs in other scenarios.
1404  */
1405  if (SSL_get_error(tls_session->ssl, tls_session->last_ret) == SSL_ERROR_SSL) {
1406  unsigned long ssl_err;
1407 
1408  /*
1409  * Some weird OpenSSL thing marking ERR_GET_REASON
1410  * as "unused". Unclear why this is done as it's
1411  * not deprecated.
1412  */
1413 DIAG_OFF(DIAG_UNKNOWN_PRAGMAS)
1414 DIAG_OFF(used-but-marked-unused)
1415  while ((ssl_err = ERR_peek_error()) && (ERR_GET_REASON(ssl_err) == BIO_R_UNSUPPORTED_METHOD)) {
1416  (void) ERR_get_error();
1417  }
1418 DIAG_ON(used-but-marked-unused)
1419 DIAG_ON(DIAG_UNKNOWN_PRAGMAS)
1420  }
1421 #endif
1422 
1423  /*
1424  * Deal with asynchronous requests from OpenSSL.
1425  * These aren't actually errors, they're the
1426  * result of one of our callbacks indicating that
1427  * it'd like to perform the operation
1428  * asynchronously.
1429  */
1430  switch (err = SSL_get_error(tls_session->ssl, tls_session->last_ret)) {
1431  case SSL_ERROR_WANT_ASYNC: /* Certification validation or cache loads */
1432  {
1433  unlang_action_t ua;
1434 
1435  RDEBUG3("Performing async action for libssl");
1436 
1437  /*
1438  * Call this function again once we're done
1439  * asynchronously satisfying the load request.
1440  */
1441  if (unlikely(unlang_function_repeat_set(request, tls_session_async_handshake_cont) < 0)) {
1442  error:
1443  tls_session->result = FR_TLS_RESULT_ERROR;
1444  goto finish;
1445  }
1446 
1447  /*
1448  * First service any pending cache actions
1449  */
1450  ua = fr_tls_cache_pending_push(request, tls_session);
1451  switch (ua) {
1452  case UNLANG_ACTION_FAIL:
1453  IGNORE(unlang_function_clear(request), int);
1454  goto error;
1455 
1456  case UNLANG_ACTION_PUSHED_CHILD:
1457  return ua;
1458 
1459  default:
1460  break;
1461  }
1462 
1463  /*
1464  * Next service any pending certificate
1465  * validation actions.
1466  */
1467  ua = fr_tls_verify_cert_pending_push(request, tls_session);
1468  switch (ua) {
1469  case UNLANG_ACTION_FAIL:
1470  IGNORE(unlang_function_clear(request), int);
1471  goto error;
1472 
1473  default:
1474  return ua;
1475  }
1476  }
1477 
1478  case SSL_ERROR_WANT_ASYNC_JOB:
1479  RERROR("No async jobs available in pool, increase thread.openssl_async_pool_max");
1480  goto error;
1481 
1482  default:
1483  /*
1484  * Returns 0 if we can continue processing the handshake
1485  * Returns -1 if we encountered a fatal error.
1486  */
1487  if (fr_tls_log_io_error(request,
1488  err, "SSL_read (%s)", __FUNCTION__) < 0) goto error;
1489  return tls_session_async_handshake_done_round(p_result, priority, request, uctx);
1490  }
1491 }
1492 
1493 /** Ingest data for another handshake round
1494  *
1495  * Advance the TLS handshake by feeding OpenSSL data from dirty_in,
1496  * and reading data from OpenSSL into dirty_out.
1497  *
1498  * Calls #tls_session_async_handshake_read to perform the actual ingestion.
1499  * #tls_session_async_handshake_read is split out because we may need to call
1500  * it multiple times, once after every async action.
1501  *
1502  * @param[in,out] p_result UNUSED.
1503  * @param[out] priority UNUSED
1504  * @param[in] request The current request.
1505  * @param[in] uctx #fr_tls_session_t to continue.
1506  * @return
1507  * - UNLANG_ACTION_CALCULATE_RESULT - We're done with this round.
1508  * - UNLANG_ACTION_PUSHED_CHILD - Need to perform more asynchronous actions.
1509  */
1510 static unlang_action_t tls_session_async_handshake(rlm_rcode_t *p_result, int *priority,
1511  request_t *request, void *uctx)
1512 {
1513  fr_tls_session_t *tls_session = talloc_get_type_abort(uctx, fr_tls_session_t);
1514  int ret;
1515 
1516  RDEBUG3("entered state %s", __FUNCTION__);
1517 
1518  tls_session->result = FR_TLS_RESULT_IN_PROGRESS;
1519 
1520  fr_tls_session_request_bind(tls_session->ssl, request); /* May be unbound in this function or asynchronously */
1521 
1522  /*
1523  * This is a logic error. fr_tls_session_async_handshake
1524  * must not be called if the handshake is
1525  * complete fr_tls_session_recv must be
1526  * called instead.
1527  */
1528  if (SSL_is_init_finished(tls_session->ssl)) {
1529  REDEBUG("Attempted to continue TLS handshake, but handshake has completed");
1530  error:
1531  tls_session->result = FR_TLS_RESULT_ERROR;
1532  fr_tls_session_request_unbind(tls_session->ssl); /* Was bound in this function */
1533  return UNLANG_ACTION_CALCULATE_RESULT;
1534  }
1535 
1536  if (tls_session->invalid) {
1537  REDEBUG("Preventing invalid session from continuing");
1538  goto error;
1539  }
1540 
1541  /*
1542  * Feed dirty data into OpenSSL, so that is can either
1543  * process it as Application data (decrypting it)
1544  * or continue the TLS handshake.
1545  */
1546  if (tls_session->dirty_in.used) {
1547  ret = BIO_write(tls_session->into_ssl, tls_session->dirty_in.data, tls_session->dirty_in.used);
1548  if (ret != (int)tls_session->dirty_in.used) {
1549  REDEBUG("Failed writing %zd bytes to TLS BIO: %d", tls_session->dirty_in.used, ret);
1550  record_init(&tls_session->dirty_in);
1551  goto error;
1552  }
1553  record_init(&tls_session->dirty_in);
1554  }
1555 
1556  return tls_session_async_handshake_cont(p_result, priority, request, uctx); /* Must unbind request, possibly asynchronously */
1557 }
1558 
1559 /** Push a handshake call onto the stack
1560  *
1561  * We push the handshake frame (as opposed to having the caller do it),
1562  * so that we guarantee there's a frame that the handshake function can
1563  * manipulate to manage its own state.
1564  *
1565  * The result of processing this handshake round can be found in
1566  * tls_session->result.
1567  *
1568  * @param[in] request The current request.
1569  * @param[in] tls_session to continue handshaking.
1570  * @return
1571  * - UNLANG_ACTION_PUSHED_CHILD on success.
1572  * - UNLANG_ACTION_FAIL on failure.
1573  */
1574 unlang_action_t fr_tls_session_async_handshake_push(request_t *request, fr_tls_session_t *tls_session)
1575 {
1576  return unlang_function_push(request,
1577  tls_session_async_handshake,
1578  NULL,
1579  tls_session_async_handshake_signal,
1580  ~FR_SIGNAL_CANCEL,
1581  UNLANG_SUB_FRAME,
1582  tls_session);
1583 }
1584 
1585 /** Free a TLS session and any associated OpenSSL data
1586  *
1587  * @param session to free.
1588  * @return 0.
1589  */
1590 static int _fr_tls_session_free(fr_tls_session_t *session)
1591 {
1592  if (session->ssl) {
1593  SSL_set_quiet_shutdown(session->ssl, 1);
1594  SSL_shutdown(session->ssl);
1595  SSL_free(session->ssl);
1596  session->ssl = NULL;
1597  }
1598 
1599  return 0;
1600 }
1601 
1602 static void session_init(fr_tls_session_t *session)
1603 {
1604  session->ssl = NULL;
1605  session->into_ssl = session->from_ssl = NULL;
1606  record_init(&session->clean_in);
1607  record_init(&session->clean_out);
1608  record_init(&session->dirty_in);
1609  record_init(&session->dirty_out);
1610 
1611  memset(&session->info, 0, sizeof(session->info));
1612 
1613  session->mtu = 0;
1614  session->opaque = NULL;
1615 }
1616 
1617 /** Create a new client TLS session
1618  *
1619  * Configures a new client TLS session, configuring options, setting callbacks etc...
1620  *
1621  * @param[in] ctx to alloc session data in. Should usually be NULL unless the lifetime of the
1622  * session is tied to another talloc'd object.
1623  * @param[in] ssl_ctx containing the base configuration for this session.
1624  * @return
1625  * - A new session on success.
1626  * - NULL on error.
1627  */
1628 fr_tls_session_t *fr_tls_session_alloc_client(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx)
1629 {
1630  int verify_mode;
1631  fr_tls_session_t *tls_session = NULL;
1632  fr_tls_conf_t *conf = fr_tls_ctx_conf(ssl_ctx);
1633 
1634  MEM(tls_session = talloc_zero(ctx, fr_tls_session_t));
1635  talloc_set_destructor(tls_session, _fr_tls_session_free);
1636  fr_pair_list_init(&tls_session->extra_pairs);
1637 
1638  tls_session->ssl = SSL_new(ssl_ctx);
1639  if (!tls_session->ssl) {
1640  talloc_free(tls_session);
1641  return NULL;
1642  }
1643 
1644  /*
1645  * Add the message callback to identify what type of
1646  * message/handshake is passed
1647  */
1648  SSL_set_msg_callback(tls_session->ssl, fr_tls_session_msg_cb);
1649  SSL_set_msg_callback_arg(tls_session->ssl, tls_session);
1650  SSL_set_info_callback(tls_session->ssl, fr_tls_session_info_cb);
1651 
1652  /*
1653  * Always verify the peer certificate.
1654  */
1655  DEBUG2("Requiring Server certificate");
1656  verify_mode = SSL_VERIFY_PEER;
1657  verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
1658 
1659  /*
1660  * Callback should be fr_tls_verify_cert_cb but this
1661  * requires support around SSL_connect for dealing
1662  * with async.
1663  *
1664  * If the callback is NULL OpenSSL uses its own validation
1665  * function, and the flags modifies that function's
1666  * behaviour.
1667  */
1668  SSL_set_verify(tls_session->ssl, verify_mode, NULL);
1669  SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf);
1670  SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_TLS_SESSION, (void *)tls_session);
1671 
1672  tls_session->mtu = conf->fragment_size;
1673 
1674  return tls_session;
1675 }
1676 
1677 /** Create a new server TLS session
1678  *
1679  * Configures a new server TLS session, configuring options, setting callbacks etc...
1680  *
1681  * @param[in] ctx to alloc session data in. Should usually be NULL
1682  * unless the lifetime of the session is tied to another
1683  * talloc'd object.
1684  * @param[in] ssl_ctx containing the base configuration for this session.
1685  * @param[in] request The current #request_t.
1686  * @param[in] client_cert Whether to require a client_cert.
1687  * @return
1688  * - A new session on success.
1689  * - NULL on error.
1690  */
1691 fr_tls_session_t *fr_tls_session_alloc_server(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx, request_t *request, bool client_cert)
1692 {
1693  fr_tls_session_t *tls_session = NULL;
1694  SSL *ssl = NULL;
1695  int verify_mode = 0;
1696  fr_pair_t *vp;
1697  fr_tls_conf_t *conf = fr_tls_ctx_conf(ssl_ctx);
1698 
1699  RDEBUG2("Initiating new TLS session");
1700 
1701  MEM(tls_session = talloc_zero(ctx, fr_tls_session_t));
1702 
1703  ssl = SSL_new(ssl_ctx);
1704  if (ssl == NULL) {
1705  fr_tls_log(request, "Error creating new TLS session");
1706  return NULL;
1707  }
1708  fr_pair_list_init(&tls_session->extra_pairs);
1709 
1710  session_init(tls_session);
1711  tls_session->ctx = ssl_ctx;
1712  tls_session->ssl = ssl;
1713  talloc_set_destructor(tls_session, _fr_tls_session_free);
1714 
1715  fr_tls_session_request_bind(tls_session->ssl, request); /* Is unbound in this function */
1716 
1717  /*
1718  * Initialize callbacks
1719  */
1720  tls_session->record_init = record_init;
1721  tls_session->record_close = record_close;
1722  tls_session->record_from_buff = record_from_buff;
1723  tls_session->record_to_buff = record_to_buff;
1724 
1725  /*
1726  * Create & hook the BIOs to handle the dirty side of the
1727  * SSL. This is *very important* as we want to handle
1728  * the transmission part. Now the only IO interface
1729  * that SSL is aware of, is our defined BIO buffers.
1730  *
1731  * This means that all SSL IO is done to/from memory,
1732  * and we can update those BIOs from the packets we've
1733  * received.
1734  */
1735  MEM(tls_session->into_ssl = BIO_new(BIO_s_mem()));
1736  MEM(tls_session->from_ssl = BIO_new(BIO_s_mem()));
1737  SSL_set_bio(tls_session->ssl, tls_session->into_ssl, tls_session->from_ssl);
1738 
1739  /*
1740  * Add the message callback to identify what type of
1741  * message/handshake is passed
1742  */
1743  SSL_set_msg_callback(ssl, fr_tls_session_msg_cb);
1744  SSL_set_msg_callback_arg(ssl, tls_session);
1745  SSL_set_info_callback(ssl, fr_tls_session_info_cb);
1746 
1747  /*
1748  * This sets the context sessions can be resumed in.
1749  * This is to prevent sessions being created by one application
1750  * and used by another. In our case it prevents sessions being
1751  * reused between modules, or TLS server components such as
1752  * RADSEC.
1753  *
1754  * A context must always be set when doing session resumption
1755  * otherwise session resumption will fail.
1756  *
1757  * As the context ID must be <= 32, we digest the context
1758  * data with sha256.
1759  *
1760  * This seems to only be used for stateful session resumption
1761  * not session-tickets
1762  */
1763  if (conf->cache.mode != FR_TLS_CACHE_DISABLED) {
1764  char *context_id;
1765  EVP_MD_CTX *md_ctx;
1766  uint8_t digest[SHA256_DIGEST_LENGTH];
1767 
1768  static_assert(sizeof(digest) <= SSL_MAX_SSL_SESSION_ID_LENGTH,
1769  "SSL_MAX_SSL_SESSION_ID_LENGTH must be >= SHA256_DIGEST_LENGTH");
1770  fr_assert(conf->cache.id_name);
1771 
1772  if (tmpl_aexpand(tls_session, &context_id, request, conf->cache.id_name, NULL, NULL) < 0) {
1773  RPEDEBUG("Failed expanding session ID");
1774  error:
1775  fr_tls_session_request_unbind(tls_session->ssl); /* Was bound in this function */
1776  talloc_free(tls_session);
1777  return NULL;
1778  }
1779 
1780  MEM(md_ctx = EVP_MD_CTX_create());
1781  EVP_DigestInit_ex(md_ctx, EVP_sha256(), NULL);
1782  EVP_DigestUpdate(md_ctx, context_id, talloc_array_length(context_id) - 1);
1783  EVP_DigestFinal_ex(md_ctx, digest, NULL);
1784  EVP_MD_CTX_destroy(md_ctx);
1785  talloc_free(context_id);
1786 
1787  if (!fr_cond_assert(SSL_set_session_id_context(tls_session->ssl,
1788  digest, sizeof(digest)) == 1)) goto error;
1789  }
1790 
1791  /*
1792  * Add the session certificate to the session.
1793  */
1794  vp = fr_pair_find_by_da(&request->control_pairs, NULL, attr_tls_session_cert_file);
1795  if (vp) {
1796  RDEBUG2("Loading TLS session certificate \"%pV\"", &vp->data);
1797 
1798  if (SSL_use_certificate_file(tls_session->ssl, vp->vp_strvalue, SSL_FILETYPE_PEM) != 1) {
1799  fr_tls_log(request, "Failed loading TLS session certificate \"%s\"",
1800  vp->vp_strvalue);
1801  goto error;
1802  }
1803 
1804  if (SSL_use_PrivateKey_file(tls_session->ssl, vp->vp_strvalue, SSL_FILETYPE_PEM) != 1) {
1805  fr_tls_log(request, "Failed loading TLS session certificate \"%s\"",
1806  vp->vp_strvalue);
1807  goto error;
1808  }
1809 
1810  if (SSL_check_private_key(tls_session->ssl) != 1) {
1811  fr_tls_log(request, "Failed validating TLS session certificate \"%s\"",
1812  vp->vp_strvalue);
1813  goto error;
1814  }
1815  /*
1816  * Better to perform explicit checks, than rely
1817  * on OpenSSL's opaque error messages.
1818  */
1819  } else {
1820  if (!conf->chains || !conf->chains[0]->private_key_file) {
1821  ERROR("TLS Server requires a private key file");
1822  goto error;
1823  }
1824 
1825  if (!conf->chains || !conf->chains[0]->certificate_file) {
1826  ERROR("TLS Server requires a certificate file");
1827  goto error;
1828  }
1829  }
1830 
1831  /** Dynamic toggle for allowing disallowing client certs
1832  *
1833  * This is mainly used for testing in environments where we can't
1834  * get test credentials for the host.
1835  */
1836  vp = fr_pair_find_by_da(&request->control_pairs, NULL, attr_tls_session_require_client_cert);
1837  if (vp) client_cert = vp->vp_bool;
1838 
1839  /*
1840  * In Server mode we only accept.
1841  *
1842  * This sets up the SSL session to work correctly with
1843  * fr_tls_session_handhsake.
1844  */
1845  SSL_set_accept_state(tls_session->ssl);
1846 
1847  /*
1848  * Verify the peer certificate, if asked.
1849  */
1850  if (client_cert) {
1851  RDEBUG2("Setting verify mode to require certificate from client");
1852  verify_mode = SSL_VERIFY_PEER;
1853  verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
1854  verify_mode |= SSL_VERIFY_CLIENT_ONCE;
1855  }
1856  tls_session->verify_client_cert = client_cert;
1857 
1858  SSL_set_verify(tls_session->ssl, verify_mode, fr_tls_verify_cert_cb);
1859  SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf);
1860  SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_TLS_SESSION, (void *)tls_session);
1861 
1862  /*
1863  * We use default fragment size, unless the Framed-MTU
1864  * tells us it's too big. Note that we do NOT account
1865  * for the EAP-TLS headers if conf->fragment_size is
1866  * large, because that config item looks to be confusing.
1867  *
1868  * i.e. it should REALLY be called MTU, and the code here
1869  * should figure out what that means for TLS fragment size.
1870  * asking the administrator to know the internal details
1871  * of EAP-TLS in order to calculate fragment sizes is
1872  * just too much.
1873  */
1874  tls_session->mtu = conf->fragment_size;
1875  vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_framed_mtu);
1876  if (vp && (vp->vp_uint32 > 100) && (vp->vp_uint32 < tls_session->mtu)) {
1877  RDEBUG2("Setting fragment_len to %u from &Framed-MTU", vp->vp_uint32);
1878  tls_session->mtu = vp->vp_uint32;
1879  }
1880 
1881  if (conf->cache.mode != FR_TLS_CACHE_DISABLED) {
1882  tls_session->allow_session_resumption = true; /* otherwise it's false */
1883  fr_tls_cache_session_alloc(tls_session);
1884  }
1885 
1886  fr_tls_session_request_unbind(tls_session->ssl); /* Was bound in this function */
1887 
1888  return tls_session;
1889 }
1890 #endif /* WITH_TLS */
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition: action.h:35
UNLANG_ACTION_PUSHED_CHILD
@ UNLANG_ACTION_PUSHED_CHILD
unlang_t pushed a new child onto the stack, execute it instead of continuing.
Definition: action.h:39
UNLANG_ACTION_FAIL
@ UNLANG_ACTION_FAIL
Encountered an unexpected error.
Definition: action.h:36
UNLANG_ACTION_CALCULATE_RESULT
@ UNLANG_ACTION_CALCULATE_RESULT
Calculate a new section rlm_rcode_t value.
Definition: action.h:37
buffer
static int const char char buffer[256]
Definition: acutest.h:574
line
int const char int line
Definition: acutest.h:702
fr_base16_decode
#define fr_base16_decode(_err, _out, _in, _no_trailing)
Definition: base16.h:95
IGNORE
#define IGNORE(_expr, _type)
Definition: build.h:468
DIAG_UNKNOWN_PRAGMAS
#define DIAG_UNKNOWN_PRAGMAS
Definition: build.h:417
DIAG_ON
#define DIAG_ON(_x)
Definition: build.h:419
static_assert
#define static_assert
For systems with an old version libc, define static_assert.
Definition: build.h:35
unlikely
#define unlikely(_x)
Definition: build.h:378
UNUSED
#define UNUSED
Definition: build.h:313
NUM_ELEMENTS
#define NUM_ELEMENTS(_t)
Definition: build.h:335
DIAG_OFF
#define DIAG_OFF(_x)
Definition: build.h:418
FR_DBUFF_TMP
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
Definition: dbuff.h:509
fr_cond_assert
#define fr_cond_assert(_x)
Calls panic_action ifndef NDEBUG, else logs error and evaluates to value of _x.
Definition: debug.h:137
ERROR
#define ERROR(fmt,...)
Definition: dhcpclient.c:41
DEBUG
#define DEBUG(fmt,...)
Definition: dhcpclient.c:39
err
static fr_slen_t err
Definition: dict.h:645
in
static fr_slen_t in
Definition: dict.h:645
unlang_function_clear
int unlang_function_clear(request_t *request)
Clear pending repeat function calls, and remove the signal handler.
Definition: function.c:160
unlang_function_repeat_set
#define unlang_function_repeat_set(_request, _repeat)
Set a new repeat function for an existing function frame.
Definition: function.h:89
unlang_function_push
#define unlang_function_push(_request, _func, _repeat, _signal, _sigmask, _top_frame, _uctx)
Push a generic function onto the unlang stack.
Definition: function.h:111
UNLANG_SUB_FRAME
#define UNLANG_SUB_FRAME
Definition: interpret.h:36
REXDENT
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition: log.h:443
DEBUG_ENABLED2
#define DEBUG_ENABLED2
True if global debug level 1-2 messages are enabled.
Definition: log.h:258
DEBUG3
#define DEBUG3(_fmt,...)
Definition: log.h:266
ROPTIONAL
#define ROPTIONAL(_l_request, _l_global, _fmt,...)
Use different logging functions depending on whether request is NULL or not.
Definition: log.h:528
RWDEBUG
#define RWDEBUG(fmt,...)
Definition: log.h:361
RDEBUG_ENABLED3
#define RDEBUG_ENABLED3
True if request debug level 1-3 messages are enabled.
Definition: log.h:335
RDEBUG3
#define RDEBUG3(fmt,...)
Definition: log.h:343
DEBUG_ENABLED4
#define DEBUG_ENABLED4
True if global debug level 1-3 messages are enabled.
Definition: log.h:260
RHEXDUMP4
#define RHEXDUMP4(_data, _len, _fmt,...)
Definition: log.h:706
RERROR
#define RERROR(fmt,...)
Definition: log.h:298
DEBUG4
#define DEBUG4(_fmt,...)
Definition: log.h:267
ROPTIONAL_ENABLED
#define ROPTIONAL_ENABLED(_e_request, _e_global)
Check if a debug level is set by the request (if !NULL) or by the global log.
Definition: log.h:542
RPEDEBUG
#define RPEDEBUG(fmt,...)
Definition: log.h:376
RHEXDUMP3
#define RHEXDUMP3(_data, _len, _fmt,...)
Definition: log.h:705
RDEBUG4
#define RDEBUG4(fmt,...)
Definition: log.h:344
DEBUG_ENABLED3
#define DEBUG_ENABLED3
True if global debug level 1-3 messages are enabled.
Definition: log.h:259
RDEBUG_ENABLED4
#define RDEBUG_ENABLED4
True if request debug level 1-4 messages are enabled.
Definition: log.h:336
HEXDUMP4
#define HEXDUMP4(_data, _len, _fmt,...)
Definition: log.h:724
RPWDEBUG2
#define RPWDEBUG2(fmt,...)
Definition: log.h:367
REDEBUG4
#define REDEBUG4(fmt,...)
Definition: log.h:374
RINDENT
#define RINDENT()
Indent R* messages by one level.
Definition: log.h:430
attr_session_resumed
HIDDEN fr_dict_attr_t const * attr_session_resumed
attr_tls_session_version
HIDDEN fr_dict_attr_t const * attr_tls_session_version
attr_tls_session_require_client_cert
HIDDEN fr_dict_attr_t const * attr_tls_session_require_client_cert
attr_framed_mtu
HIDDEN fr_dict_attr_t const * attr_framed_mtu
attr_tls_client_error_code
HIDDEN fr_dict_attr_t const * attr_tls_client_error_code
attr_tls_session_cipher_suite
HIDDEN fr_dict_attr_t const * attr_tls_session_cipher_suite
attr_tls_psk_identity
HIDDEN fr_dict_attr_t const * attr_tls_psk_identity
attr_tls_session_cert_file
HIDDEN fr_dict_attr_t const * attr_tls_session_cert_file
talloc_free
talloc_free(reap)
L_DBG_LVL_3
@ L_DBG_LVL_3
3rd highest priority debug messages (-xxx | -Xx).
Definition: log.h:72
L_DBG
@ L_DBG
Only displayed when debugging is enabled.
Definition: log.h:59
xlat_eval
ssize_t xlat_eval(char *out, size_t outlen, request_t *request, char const *fmt, xlat_escape_legacy_t escape, void const *escape_ctx)
Definition: merged_model.c:215
uint8_t
unsigned char uint8_t
Definition: merged_model.c:30
UINT8_MAX
#define UINT8_MAX
Definition: merged_model.c:32
request_t
Definition: merged_model.c:210
used
static size_t used
Definition: message_set_test.c:51
fr_skip_whitespace
#define fr_skip_whitespace(_p)
Skip whitespace ('\t', '\n', '\v', '\f', '\r', ' ')
Definition: misc.h:59
fr_nbo_to_uint16
static uint16_t fr_nbo_to_uint16(uint8_t const data[static sizeof(uint16_t)])
Read an unsigned 16bit integer from wire format (big endian)
Definition: nbo.h:137
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition: pair.c:688
fr_pair_afrom_da
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition: pair.c:278
fr_pair_value_strdup
int fr_pair_value_strdup(fr_pair_t *vp, char const *src, bool tainted)
Copy data into an "string" data type.
Definition: pair.c:2631
fr_pair_append
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition: pair.c:1340
fr_pair_list_init
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
Definition: pair.c:46
fr_pair_value_from_str
int fr_pair_value_from_str(fr_pair_t *vp, char const *value, size_t inlen, fr_sbuff_unescape_rules_t const *uerules, bool tainted)
Convert string value to native attribute value.
Definition: pair.c:2586
pair_update_request
#define pair_update_request(_attr, _da)
Definition: radclient-ng.c:60
REDEBUG
#define REDEBUG(fmt,...)
Definition: radclient.h:52
RDEBUG_ENABLED2
#define RDEBUG_ENABLED2()
Definition: radclient.h:50
RDEBUG2
#define RDEBUG2(fmt,...)
Definition: radclient.h:54
DEBUG2
#define DEBUG2(fmt,...)
Definition: radclient.h:43
conf
static rs_t * conf
Definition: radsniff.c:53
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition: rcode.h:40
FR_SBUFF_IN
#define FR_SBUFF_IN(_start, _len_or_end)
tmpl_aexpand
#define tmpl_aexpand(_ctx, _out, _request, _vpt, _escape, _escape_ctx)
Expand a tmpl to a C type, allocing a new buffer to hold the string.
Definition: tmpl.h:1054
fr_signal_t
fr_signal_t
Definition: signal.h:48
snprintf
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition: snprintf.c:689
fr_assert
fr_assert(0)
MEM
MEM(pair_append_request(&vp, attr_eap_aka_sim_identity) >=0)
vp
fr_pair_t * vp
Definition: state_machine.c:2271
strlcpy
size_t strlcpy(char *dst, char const *src, size_t siz)
Definition: strlcpy.c:34
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition: pair.h:68
close
close(uq->fd)
data
static fr_slen_t data
Definition: value.h:1259
inlen
static size_t char fr_sbuff_t size_t inlen
Definition: value.h:984
out
static size_t char ** out
Definition: value.h:984
Generated by   doxygen 1.9.1