#define LOG_PREFIX "tls"
#include <freeradius-devel/server/pair.h>
+#include <freeradius-devel/server/log.h>
#include <freeradius-devel/util/debug.h>
#include <freeradius-devel/util/base16.h>
state = state ? state : "<INVALID>";
if ((where & SSL_CB_LOOP) || (where & SSL_CB_HANDSHAKE_START) || (where & SSL_CB_HANDSHAKE_DONE)) {
- if (RDEBUG_ENABLED3) {
+ if (ROPTIONAL_ENABLED(RDEBUG_ENABLED3, DEBUG_ENABLED3)) {
char const *abbrv = SSL_state_string(ssl);
size_t len;
len = strlen(abbrv);
if ((len > 1) && (abbrv[len - 1] == ' ')) len--;
- RDEBUG3("Handshake state [%.*s] - %s%s", (int)len, abbrv, role, state);
+ ROPTIONAL(RDEBUG3, DEBUG3, "Handshake state [%.*s] - %s%s", (int)len, abbrv, role, state);
#ifdef OPENSSL_NO_SSL_TRACE
{
int num_ciphers;
const SSL_CIPHER *this_cipher;
-
server_ciphers = SSL_get_ciphers(ssl);
/*
* These are printed on startup, so not usually
* required.
*/
- RDEBUG4("Our preferred ciphers (by priority)");
- if (RDEBUG_ENABLED4) {
- RINDENT();
+ ROPTIONAL(RDEBUG4, DEBUG4, "Our preferred ciphers (by priority)");
+ if (ROPTIONAL_ENABLED(RDEBUG_ENABLED4, DEBUG_ENABLED4)) {
+ if (request) RINDENT();
num_ciphers = sk_SSL_CIPHER_num(server_ciphers);
for (i = 0; i < num_ciphers; i++) {
this_cipher = sk_SSL_CIPHER_value(server_ciphers, i);
- RDEBUG4("[%i] %s", i, SSL_CIPHER_get_name(this_cipher));
+ ROPTIONAL(RDEBUG4, DEBUG4, "[%i] %s", i, SSL_CIPHER_get_name(this_cipher));
}
- REXDENT();
+ if (request) REXDENT();
}
/*
* Print information about the client's
* handshake message.
*/
- if (RDEBUG_ENABLED3) {
- RDEBUG3("Client's preferred ciphers (by priority)");
- RINDENT();
+ if (ROPTIONAL_ENABLED(RDEBUG_ENABLED3, DEBUG_ENABLED3)) {
+ ROPTIONAL(RDEBUG3, DEBUG3, "Client's preferred ciphers (by priority)");
+ if (request) RINDENT();
num_ciphers = sk_SSL_CIPHER_num(client_ciphers);
for (i = 0; i < num_ciphers; i++) {
this_cipher = sk_SSL_CIPHER_value(client_ciphers, i);
- RDEBUG3("[%i] %s", i, SSL_CIPHER_get_name(this_cipher));
+ ROPTIONAL(RDEBUG3, DEBUG3, "[%i] %s", i, SSL_CIPHER_get_name(this_cipher));
}
- REXDENT();
+ if (request) REXDENT();
}
}
}
# endif
} else {
- RDEBUG2("Handshake state - %s%s (%i)", role, state, SSL_get_state(ssl));
+ ROPTIONAL(RDEBUG2, DEBUG2, "Handshake state - %s%s (%i)", role, state, SSL_get_state(ssl));
}
return;
}
if (where & SSL_CB_READ) {
fr_pair_t *vp;
- REDEBUG("Client sent %s TLS alert (%i) - %s", SSL_alert_type_string_long(ret),
- ret & 0xff, SSL_alert_desc_string_long(ret));
+ ROPTIONAL(REDEBUG, ERROR, "Client sent %s TLS alert (%i) - %s", SSL_alert_type_string_long(ret),
+ ret & 0xff, SSL_alert_desc_string_long(ret));
/*
* Offer helpful advice... Should be expanded.
MEM(pair_update_request(&vp, attr_tls_client_error_code) >= 0);
vp->vp_uint8 = ret & 0xff;
- RDEBUG2("&TLS-Client-Error-Code := %pV", &vp->data);
+ ROPTIONAL(RDEBUG2, DEBUG2, "&TLS-Client-Error-Code := %pV", &vp->data);
/*
* We're sending the client an alert.
*/
} else {
- REDEBUG("Sending client %s TLS alert (%i) - %s", SSL_alert_type_string_long(ret),
- ret & 0xff, SSL_alert_desc_string_long(ret));
+ ROPTIONAL(REDEBUG, ERROR, "Sending client %s TLS alert (%i) - %s",
+ SSL_alert_type_string_long(ret), ret & 0xff, SSL_alert_desc_string_long(ret));
/*
* Offer helpful advice... Should be expanded.
*/
switch (ret & 0xff) {
case TLS1_AD_PROTOCOL_VERSION:
- REDEBUG("Client requested a TLS protocol version that is not enabled or not supported. "
- "Upgrade FreeRADIUS + OpenSSL to their latest versions and/or adjust "
- "'tls_max_version'/'tls_min_version' if you want authentication to "
- "succeed");
+ ROPTIONAL(REDEBUG, ERROR, "Client requested a TLS protocol version that is not "
+ "enabled or not supported. Upgrade FreeRADIUS + OpenSSL to their latest "
+ "versions and/or adjust 'tls_max_version'/'tls_min_version' if you want "
+ "authentication to succeed");
break;
default:
if (where & SSL_CB_EXIT) {
if (ret == 0) {
- REDEBUG("Handshake exit state %s%s", role, state);
+ ROPTIONAL(REDEBUG, ERROR, "Handshake exit state %s%s", role, state);
return;
}
RDEBUG2("Need more data from client"); /* State same as previous call, don't print */
return;
}
- REDEBUG("Handshake exit state %s%s", role, state);
+ ROPTIONAL(REDEBUG, ERROR, "Handshake exit state %s%s", role, state);
}
}
}
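Review bot: `RDEBUG2("Need more data from client");` is the one log call in this hunk still written as a bare request macro while every neighbour was converted to ROPTIONAL; on the request-less path the conversion is enabling it will be evaluated with `request == NULL`, which (if the R* macros dereference request, as the ROPTIONAL wrapping elsewhere implies) is a NULL dereference rather than a log line. It should read `ROPTIONAL(RDEBUG2, DEBUG2, "Need more data from client");`. The same concern applies to `MEM(pair_update_request(&vp, attr_tls_client_error_code) >= 0);` a few lines earlier: wrapping the `&TLS-Client-Error-Code` log in ROPTIONAL does not make the pair update itself request-optional, so either that small block should be guarded by `if (request)` or the alert path must be guaranteed to always carry a request. The enclosing callback starts and ends outside this hunk.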
* Mostly to check for memory corruption...
*/
if (!fr_cond_assert(tls_session->ssl = ssl)) {
- ERROR("fr_tls_session_t and ssl arg do not match in fr_tls_session_msg_cb");
+ ROPTIONAL(REDEBUG, ERROR, "fr_tls_session_t and ssl arg do not match in fr_tls_session_msg_cb");
tls_session->invalid = true;
return;
}
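Review bot: The condition guarding the new error message, `fr_cond_assert(tls_session->ssl = ssl)`, is an assignment rather than a comparison, so the assert can only fail when `ssl` is NULL; the "do not match" case the message describes is never detected, and the store silently repoints `tls_session->ssl` at whatever OpenSSL passed in, defeating the memory-corruption check the comment above says this is for. Change it to `if (!fr_cond_assert(tls_session->ssl == ssl)) {`. This is an existing line, but the commit touches the diagnostic for it, so it is worth fixing in the same change. The enclosing function begins outside this hunk.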
* the SSL Session state.
*/
if ((msg_version == 0) && (content_type > UINT8_MAX)) {
- DEBUG4("Ignoring fr_tls_session_msg_cb call with pseudo content type %i, version %i",
+ ROPTIONAL(REDEBUG4, DEBUG4, "Ignoring fr_tls_session_msg_cb call with pseudo content type %i, version %i",
content_type, msg_version);
return;
}
if ((write_p != 0) && (write_p != 1)) {
- DEBUG4("Ignoring fr_tls_session_msg_cb call with invalid write_p %d", write_p);
+ ROPTIONAL(REDEBUG4, DEBUG4, "Ignoring fr_tls_session_msg_cb call with invalid write_p %d", write_p);
return;
}
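Review bot: Both "Ignoring fr_tls_session_msg_cb call ..." messages use `REDEBUG4` on the request side but plain `DEBUG4` on the global side, so the same informational skip is tagged as an error only when a request happens to be bound, which makes request logs inconsistent with the daemon log and misleading when triaging handshake failures. Since the original lines were `DEBUG4` and the messages describe a benign filter, not a fault, the request-side macro should be `RDEBUG4`: `ROPTIONAL(RDEBUG4, DEBUG4, "Ignoring fr_tls_session_msg_cb call with pseudo content type %i, version %i",` and `ROPTIONAL(RDEBUG4, DEBUG4, "Ignoring fr_tls_session_msg_cb call with invalid write_p %d", write_p);`. The enclosing callback starts and ends outside this hunk.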
fr_tls_log_io_error(request, code, "SSL_read (%s)", __FUNCTION__);
goto error;
}
-
}
/*
*/
fr_tls_session_t *fr_tls_session_alloc_client(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx)
{
- int ret;
int verify_mode;
fr_tls_session_t *tls_session = NULL;
- request_t *request;
fr_tls_conf_t *conf = fr_tls_ctx_conf(ssl_ctx);
MEM(tls_session = talloc_zero(ctx, fr_tls_session_t));
return NULL;
}
- request = request_alloc_internal(tls_session, NULL);
-
- fr_tls_session_request_bind(tls_session->ssl, request); /* Is unbound in this function */
-
/*
* Add the message callback to identify what type of
* message/handshake is passed
DEBUG2("Requiring Server certificate");
verify_mode = SSL_VERIFY_PEER;
verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
- SSL_set_verify(tls_session->ssl, verify_mode, fr_tls_verify_cert_cb);
+ /*
+ * Callback should be fr_tls_verify_cert_cb but this
+ * requires support around SSL_connect for dealing
+ * with async.
+ *
+ * If the callback is NULL OpenSSL uses its own validation
+ * function, and the flags modifies that function's
+ * behaviour.
+ */
+ SSL_set_verify(tls_session->ssl, verify_mode, NULL);
SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf);
SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_TLS_SESSION, (void *)tls_session);
- ret = SSL_connect(tls_session->ssl);
- if (ret <= 0) {
- fr_tls_log_io_error(NULL, SSL_get_error(tls_session->ssl, ret), "SSL_connect (%s)", __FUNCTION__);
- fr_tls_session_request_unbind(tls_session->ssl); /* Was bound in this function */
- talloc_free(tls_session);
-
- return NULL;
- }
-
tls_session->mtu = conf->fragment_size;
- fr_tls_session_request_unbind(tls_session->ssl); /* Was bound in this function */
-
return tls_session;
}
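Review bot: Passing NULL to `SSL_set_verify` means the client side now gets only OpenSSL's built-in chain validation against the configured trust store; OpenSSL does not check that the presented certificate names the server being contacted unless a host has been set on the SSL's X509_VERIFY_PARAM, and nothing in this hunk does that, so whatever identity or policy checks `fr_tls_verify_cert_cb` used to apply (not visible here) are silently dropped for outbound connections. The new comment explains the async motivation but not this consequence; I would extend it with a line such as `* TODO: until the callback is restored only chain validation runs here - the server's identity (hostname/SAN) is NOT checked unless the caller sets a host on the verify params.` and, if the client configuration carries an expected server name, set it via `SSL_set1_host()` after `SSL_set_verify`. Separately, the hunk removes the `SSL_connect` call, so this function no longer performs or fails the handshake; its contract has changed and callers must now drive the connect themselves, which deserves a sentence in the function's header comment (the comment starts above this hunk).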