All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
cb.c
Go to the documentation of this file.
1 /*
2  * cb.c
3  *
4  * Version: $Id: 6a74e7d1b77b6f56a9d89a6001cb4fa154115706 $
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19  *
20  * Copyright 2001 hereUare Communications, Inc. <raghud@hereuare.com>
21  * Copyright 2006 The FreeRADIUS server project
22  */
23 
24 RCSID("$Id: 6a74e7d1b77b6f56a9d89a6001cb4fa154115706 $")
25 USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
26 
27 #include <freeradius-devel/radiusd.h>
28 
29 #ifdef WITH_TLS
30 void cbtls_info(SSL const *s, int where, int ret)
31 {
32  char const *str, *state;
33  REQUEST *request = SSL_get_ex_data(s, FR_TLS_EX_INDEX_REQUEST);
34 
35  if ((where & ~SSL_ST_MASK) & SSL_ST_CONNECT) {
36  str = "TLS Connect";
37  } else if (((where & ~SSL_ST_MASK)) & SSL_ST_ACCEPT) {
38  str = "TLS Accept";
39  } else {
40  str = NULL;
41  }
42 
43  state = SSL_state_string_long(s);
44  state = state ? state : "<none>";
45 
46  if ((where & SSL_CB_LOOP) || (where & SSL_CB_HANDSHAKE_START) || (where & SSL_CB_HANDSHAKE_DONE)) {
47  if (str) {
48  RDEBUG2("%s: %s", str, state);
49  } else {
50  RDEBUG2("%s", state);
51  }
52  return;
53  }
54 
55  if (where & SSL_CB_ALERT) {
56  if ((ret & 0xff) == SSL_AD_CLOSE_NOTIFY) return;
57 
58  if (where & SSL_CB_READ) {
59  RERROR("Client sent %s TLS alert: %s", SSL_alert_type_string_long(ret),
60  SSL_alert_desc_string_long(ret));
61 
62  /*
63  * Offer helpful advice... Should be expanded.
64  */
65  switch (ret & 0xff) {
66  case TLS1_AD_UNKNOWN_CA:
67  RERROR("Verify client has copy of CA certificate, and trusts CA");
68  break;
69 
70  default:
71  break;
72  }
73  } else {
74  RERROR("Sending client %s TLS alert: %s", SSL_alert_type_string_long(ret),
75  SSL_alert_desc_string_long(ret));
76  }
77  return;
78  }
79 
80  if (where & SSL_CB_EXIT) {
81  if (ret == 0) {
82  RERROR("%s: Failed in %s", str, state);
83  return;
84  }
85 
86  if (ret < 0) {
87  if (SSL_want_read(s)) {
88  RDEBUG2("%s: Need to read more data: %s", str, state);
89  return;
90  }
91  ERROR("tls: %s: Error in %s", str, state);
92  }
93  }
94 }
95 
96 /*
97  * Fill in our 'info' with TLS data.
98  */
99 void cbtls_msg(int write_p, int msg_version, int content_type,
100  void const *inbuf, size_t len,
101  SSL *ssl UNUSED, void *arg)
102 {
103  uint8_t const *buf = inbuf;
104  tls_session_t *state = (tls_session_t *)arg;
105 
106  /*
107  * OpenSSL 1.0.2 calls this function with 'pseudo'
108  * content types. Which breaks our tracking of
109  * the SSL Session state.
110  */
111  if ((msg_version == 0) && (content_type > UINT8_MAX)) {
112  DEBUG4("Ignoring cbtls_msg call with pseudo content type %i, version %i",
113  content_type, msg_version);
114  return;
115  }
116 
117  if ((write_p != 0) && (write_p != 1)) {
118  DEBUG4("Ignoring cbtls_msg call with invalid write_p %d", write_p);
119  return;
120  }
121 
122  /*
123  * Work around bug #298, where we may be called with a NULL
124  * argument. We should really log a serious error
125  */
126  if (!state) return;
127 
128  /*
129  * 0 - received (from peer)
130  * 1 - sending (to peer)
131  */
132  state->info.origin = write_p;
133  state->info.content_type = content_type;
134  state->info.record_len = len;
135  state->info.initialized = true;
136 
137  if (content_type == SSL3_RT_ALERT) {
138  state->info.alert_level = buf[0];
139  state->info.alert_description = buf[1];
140  state->info.handshake_type = 0x00;
141 
142  } else if (content_type == SSL3_RT_HANDSHAKE) {
143  state->info.handshake_type = buf[0];
144  state->info.alert_level = 0x00;
145  state->info.alert_description = 0x00;
146 
147 #ifdef SSL3_RT_HEARTBEAT
148  } else if (content_type == TLS1_RT_HEARTBEAT) {
149  uint8_t *p = buf;
150 
151  if ((len >= 3) && (p[0] == 1)) {
152  size_t payload_len;
153 
154  payload_len = (p[1] << 8) | p[2];
155 
156  if ((payload_len + 3) > len) {
157  state->invalid_hb_used = true;
158  ERROR("OpenSSL Heartbeat attack detected. Closing connection");
159  return;
160  }
161  }
162 #endif
163  }
164  tls_session_information(state);
165 }
166 
167 int cbtls_password(char *buf,
168  int num UNUSED,
169  int rwflag UNUSED,
170  void *userdata)
171 {
172  strcpy(buf, (char *)userdata);
173  return(strlen((char *)userdata));
174 }
175 
176 #endif
#define RERROR(fmt,...)
Definition: log.h:207
#define UNUSED
Definition: libradius.h:134
#define DEBUG4(fmt,...)
Definition: log.h:178
#define RDEBUG2(fmt,...)
Definition: log.h:244
unsigned int state
Definition: proto_bfd.c:200
#define RCSID(id)
Definition: build.h:135
#define ERROR(fmt,...)
Definition: log.h:145
#define USES_APPLE_DEPRECATED_API
Definition: build.h:122