static void ssl_info_callback(const SSL *s, int where, int ret)
{
const char *str;
int w;
w = where & ~SSL_ST_MASK;
if (w & SSL_ST_CONNECT) str="SSL_connect";
else if (w & SSL_ST_ACCEPT) str="SSL_accept";
else str="undefined";
if (where & SSL_CB_LOOP)
{
log(L_DEBUG, "SSL: %s", SSL_state_string_long((SSL*)s));
}
else if (where & SSL_CB_ALERT)
{
str=(where & SSL_CB_READ)?"read":"write";
log(L_DEBUG, "SSL: SSL3 alert %s:%s:%s", str,
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
}
else if (where & SSL_CB_EXIT)
{
if (ret == 0)
log(L_DEBUG, "SSL: %s:failed in %s",
str,SSL_state_string_long((SSL*)s));
else if (ret < 0)
{
log(L_DEBUG, "SSL: %s:%s", str,SSL_state_string_long((SSL*)s));
}
}
else if (where & SSL_CB_ALERT)
{
str=(where & SSL_CB_READ)?"read":"write";
log(L_DEBUG, "SSL: SSL3 alert %s:%s:%s", str,
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
}
else if (where & SSL_CB_EXIT)
{
if (ret == 0)
log(L_DEBUG, "SSL: %s:failed in %s",
str,SSL_state_string_long((SSL*)s));
else if (ret < 0)
{
log(L_DEBUG, "SSL: %s:error in %s",
str,SSL_state_string_long((SSL*)s));
}
}
}
static PyObject * sslscan_ssl_alert_get_type(sslscan_ssl_alert_obj *self, PyObject *args)
{
if (!PyArg_ParseTuple(args, ":get_type"))
return Py_BuildValue("");;
return PyUnicode_FromString(SSL_alert_type_string_long(self->ret));
}
static void __apn_ssl_info_callback(const SSL *ssl, int where, int ret) {
apn_ctx_t *ctx = SSL_CTX_get_ex_data(ssl->ctx, 0);
if (!ctx) {
return;
}
if (where & SSL_CB_LOOP) {
apn_log(ctx, APN_LOG_LEVEL_INFO, "ssl: %s:%s:%s",
(where & SSL_ST_CONNECT) ? "connect" : "undef",
SSL_state_string_long(ssl),
SSL_get_cipher_name(ssl));
} else if (where & SSL_CB_EXIT) {
apn_log(ctx, APN_LOG_LEVEL_INFO, "ssl: %s:%s", (where & SSL_ST_CONNECT) ? "connect" : "undef",
SSL_state_string_long(ssl));
} else if (where & SSL_CB_ALERT) {
apn_log(ctx, APN_LOG_LEVEL_INFO, "ssl: alert %s:%s", (where & SSL_CB_READ) ? "read" : "write",
SSL_state_string_long(ssl), SSL_alert_desc_string_long(ret));
} else if (where & SSL_CB_HANDSHAKE_START) {
apn_log(ctx, APN_LOG_LEVEL_INFO, "ssl: handshake started %s:%s:%s", (where & SSL_CB_READ) ? "read" : "write",
SSL_state_string_long(ssl), SSL_alert_desc_string_long(ret));
}
else if (where & SSL_CB_HANDSHAKE_DONE) {
apn_log(ctx, APN_LOG_LEVEL_INFO, "ssl: handshake done %s:%s:%s", (where & SSL_CB_READ) ? "read" : "write",
SSL_state_string_long(ssl), SSL_alert_desc_string_long(ret));
} else {
apn_log(ctx, APN_LOG_LEVEL_INFO, "ssl: state %s:%s:%s", SSL_state_string_long(ssl),
SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
}
}
static void ssl_info_callback(const SSL *ssl, int where, int ret) {
const char *s;
int w;
w = where & ~SSL_ST_MASK;
if (w & SSL_ST_CONNECT)
s = "SSL_connect";
else if (w & SSL_ST_ACCEPT)
s = "SSL_accept";
else
s = "undefined";
if (where & SSL_CB_LOOP)
debug(DBG_DBG, "%s:%s\n", s, SSL_state_string_long(ssl));
else if (where & SSL_CB_ALERT) {
s = (where & SSL_CB_READ) ? "read" : "write";
debug(DBG_DBG, "SSL3 alert %s:%s:%s\n", s, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
}
else if (where & SSL_CB_EXIT) {
if (ret == 0)
debug(DBG_DBG, "%s:failed in %s\n", s, SSL_state_string_long(ssl));
else if (ret < 0)
debug(DBG_DBG, "%s:error in %s\n", s, SSL_state_string_long(ssl));
}
}
static void ssl_info_cb(const SSL *ssl, int where, int ret)
{
const char *str;
int w;
wpa_printf(MSG_DEBUG, "SSL: (where=0x%x ret=0x%x)", where, ret);
w = where & ~SSL_ST_MASK;
if (w & SSL_ST_CONNECT)
str = "SSL_connect";
else if (w & SSL_ST_ACCEPT)
str = "SSL_accept";
else
str = "undefined";
if (where & SSL_CB_LOOP) {
wpa_printf(MSG_DEBUG, "SSL: %s:%s",
str, SSL_state_string_long(ssl));
} else if (where & SSL_CB_ALERT) {
wpa_printf(MSG_INFO, "SSL: SSL3 alert: %s:%s:%s",
where & SSL_CB_READ ?
"read (authentication server reported an error)" :
"write (local SSL3 detected an error)",
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if (where & SSL_CB_EXIT && ret <= 0) {
wpa_printf(MSG_DEBUG, "SSL: %s:%s in %s",
str, ret == 0 ? "failed" : "error",
SSL_state_string_long(ssl));
}
}
/*
** Roughly copied from the openssl sample app in the openssl package
*/
PRIVATE void apps_ssl_info_callback (SSL * s, int where, int ret)
{
char *str;
int w = where & ~SSL_ST_MASK;
if (w & SSL_ST_CONNECT)
str="SSL_connect";
else if (w & SSL_ST_ACCEPT)
str="SSL_accept";
else
str="undefined";
if (where & SSL_CB_LOOP) {
HTTRACE(PROT_TRACE, "%s: %s\n" _ str _ SSL_state_string_long(s));
} else if (where & SSL_CB_ALERT) {
str = (where & SSL_CB_READ) ? "read" : "write";
HTTRACE(PROT_TRACE, "SSL3 alert %s:%s:%s\n" _ str _
SSL_alert_type_string_long(ret) _
SSL_alert_desc_string_long(ret));
} else if (where & SSL_CB_EXIT) {
if (ret == 0) {
HTTRACE(PROT_TRACE, "%s: failed in %s\n" _ str _ SSL_state_string_long(s));
} else if (ret < 0) {
HTTRACE(PROT_TRACE, "%s: error in %s\n" _ str _ SSL_state_string_long(s));
}
}
}
static void openssl_info_callback(const SSL *ssl, int where, int ret)
{
struct ssl_iostream *ssl_io;
ssl_io = SSL_get_ex_data(ssl, dovecot_ssl_extdata_index);
if ((where & SSL_CB_ALERT) != 0) {
switch (ret & 0xff) {
case SSL_AD_CLOSE_NOTIFY:
i_debug("%sSSL alert: %s",
ssl_io->log_prefix,
SSL_alert_desc_string_long(ret));
break;
default:
i_debug("%sSSL alert: where=0x%x, ret=%d: %s %s",
ssl_io->log_prefix, where, ret,
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
break;
}
} else if (ret == 0) {
i_debug("%sSSL failed: where=0x%x: %s",
ssl_io->log_prefix, where, SSL_state_string_long(ssl));
} else {
i_debug("%sSSL: where=0x%x, ret=%d: %s",
ssl_io->log_prefix, where, ret,
SSL_state_string_long(ssl));
}
}
void
apps_ssl_info_callback(const SSL * s, int where, int ret)
{
const char *str;
int w;
w = where & ~SSL_ST_MASK;
if (w & SSL_ST_CONNECT)
str = "SSL_connect";
else if (w & SSL_ST_ACCEPT)
str = "SSL_accept";
else
str = "undefined";
if (where & SSL_CB_LOOP) {
BIO_printf(bio_err, "%s:%s\n", str, SSL_state_string_long(s));
} else if (where & SSL_CB_ALERT) {
str = (where & SSL_CB_READ) ? "read" : "write";
BIO_printf(bio_err, "SSL3 alert %s:%s:%s\n", str,
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if (where & SSL_CB_EXIT) {
if (ret == 0)
BIO_printf(bio_err, "%s:failed in %s\n",
str, SSL_state_string_long(s));
else if (ret < 0) {
BIO_printf(bio_err, "%s:error in %s\n",
str, SSL_state_string_long(s));
}
}
}
void QFrankSSL::K_SSL_Info_Callback(const SSL *ssl,int wo,int rueckgabe)
{
/* Haben wir das SSL Objekt in unserer Hashtabelle??
Wenn nicht ganz großes Problem
*/
//int Wo=wo&~SSL_ST_MASK;
if(!K_ListeDerSSLVerbindungen.contains(ssl))
qFatal("QFrankSSL SSL_Info_Callback: Das SSL Objekt befindet sich nicht in der Tabelle!!");
//qDebug("wo=0x%X",wo);
switch(wo)
{
case SSL_CB_CONNECT_EXIT:
#ifndef QT_NO_DEBUG
qDebug("QFrankSSL SSL_Info_Callback: meldet ein Fehler");
#endif
qDebug(qPrintable(QString("%1").arg(rueckgabe)));
break;
case SSL_CB_READ_ALERT:
case SSL_CB_WRITE_ALERT:
QString Alarmtype=SSL_alert_type_string_long(rueckgabe);
QString Alarmtext=SSL_alert_desc_string_long(rueckgabe);
#ifndef QT_NO_DEBUG
qCritical("QFrankSSL SSL_Info_Callback: meldet einen Alarm");
qCritical("Art des Alams: %s\r\nBeschreibung: %s",Alarmtype.toAscii().constData(),Alarmtext.toAscii().constData());
#endif
break;
}
}
void cbtls_info(const SSL *s, int where, int ret)
{
const char *str, *state;
int w;
REQUEST *request = SSL_get_ex_data(s, FR_TLS_EX_INDEX_REQUEST);
char buffer[1024];
w = where & ~SSL_ST_MASK;
if (w & SSL_ST_CONNECT) str=" TLS_connect";
else if (w & SSL_ST_ACCEPT) str=" TLS_accept";
else str=" (other)";
state = SSL_state_string_long(s);
state = state ? state : "NULL";
buffer[0] = '\0';
if (where & SSL_CB_LOOP) {
RDEBUG2("%s: %s", str, state);
} else if (where & SSL_CB_HANDSHAKE_START) {
RDEBUG2("%s: %s", str, state);
} else if (where & SSL_CB_HANDSHAKE_DONE) {
RDEBUG2("%s: %s", str, state);
} else if (where & SSL_CB_ALERT) {
str=(where & SSL_CB_READ)?"read":"write";
snprintf(buffer, sizeof(buffer), "TLS Alert %s:%s:%s",
str,
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if (where & SSL_CB_EXIT) {
if (ret == 0) {
snprintf(buffer, sizeof(buffer), "%s: failed in %s",
str, state);
} else if (ret < 0) {
if (SSL_want_read(s)) {
RDEBUG2("%s: Need to read more data: %s",
str, state);
} else {
snprintf(buffer, sizeof(buffer),
"%s: error in %s", str, state);
}
}
}
if (buffer[0]) {
radlog(L_ERR, "%s", buffer);
if (request) {
VALUE_PAIR *vp;
vp = pairmake("Module-Failure-Message", buffer, T_OP_ADD);
if (vp) pairadd(&request->packet->vps, vp);
}
}
}
void SSL_CTX_info_callback(const SSL* ssl, int where, int ret)
{
FUNC_ENTRY;
if (where & SSL_CB_LOOP)
{
Log(TRACE_PROTOCOL, 1, "SSL state %s:%s:%s",
(where & SSL_ST_CONNECT) ? "connect" : (where & SSL_ST_ACCEPT) ? "accept" : "undef",
SSL_state_string_long(ssl), SSL_get_cipher_name(ssl));
}
else if (where & SSL_CB_EXIT)
{
Log(TRACE_PROTOCOL, 1, "SSL %s:%s",
(where & SSL_ST_CONNECT) ? "connect" : (where & SSL_ST_ACCEPT) ? "accept" : "undef",
SSL_state_string_long(ssl));
}
else if (where & SSL_CB_ALERT)
{
Log(TRACE_PROTOCOL, 1, "SSL alert %s:%s:%s",
(where & SSL_CB_READ) ? "read" : "write",
SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
}
else if (where & SSL_CB_HANDSHAKE_START)
{
Log(TRACE_PROTOCOL, 1, "SSL handshake started %s:%s:%s",
(where & SSL_CB_READ) ? "read" : "write",
SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
}
else if (where & SSL_CB_HANDSHAKE_DONE)
{
Log(TRACE_PROTOCOL, 1, "SSL handshake done %s:%s:%s",
(where & SSL_CB_READ) ? "read" : "write",
SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
Log(TRACE_PROTOCOL, 1, "SSL certificate verification: %s",
SSL_get_verify_result_string(SSL_get_verify_result(ssl)));
}
else
{
Log(TRACE_PROTOCOL, 1, "SSL state %s:%s:%s", SSL_state_string_long(ssl),
SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
}
FUNC_EXIT;
}
USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
#include <freeradius-devel/radiusd.h>
#ifdef WITH_TLS
void cbtls_info(SSL const *s, int where, int ret)
{
char const *str, *state;
int w;
REQUEST *request = SSL_get_ex_data(s, FR_TLS_EX_INDEX_REQUEST);
char buffer[1024];
w = where & ~SSL_ST_MASK;
if (w & SSL_ST_CONNECT) str=" TLS_connect";
else if (w & SSL_ST_ACCEPT) str=" TLS_accept";
else str=" (other)";
state = SSL_state_string_long(s);
state = state ? state : "NULL";
buffer[0] = '\0';
if (where & SSL_CB_LOOP) {
RDEBUG2("%s: %s", str, state);
} else if (where & SSL_CB_HANDSHAKE_START) {
RDEBUG2("%s: %s", str, state);
} else if (where & SSL_CB_HANDSHAKE_DONE) {
RDEBUG2("%s: %s", str, state);
} else if (where & SSL_CB_ALERT) {
str=(where & SSL_CB_READ)?"read":"write";
snprintf(buffer, sizeof(buffer), "TLS Alert %s:%s:%s",
str,
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if (where & SSL_CB_EXIT) {
if (ret == 0) {
snprintf(buffer, sizeof(buffer), "%s: failed in %s",
str, state);
} else if (ret < 0) {
if (SSL_want_read(s)) {
RDEBUG2("%s: Need to read more data: %s",
str, state);
} else {
snprintf(buffer, sizeof(buffer),
"%s: error in %s", str, state);
}
}
}
if (buffer[0] && request) {
REDEBUG("SSL says: %s", buffer);
}
}
static void transport_ssl_cb(SSL* ssl, int where, int ret)
{
if (where & SSL_CB_ALERT)
{
rdpTransport* transport = (rdpTransport*) SSL_get_app_data(ssl);
switch (ret)
{
case (SSL3_AL_FATAL << 8) | SSL_AD_ACCESS_DENIED:
{
if (!freerdp_get_last_error(transport->context))
{
WLog_Print(transport->log, WLOG_ERROR, "%s: ACCESS DENIED", __FUNCTION__);
freerdp_set_last_error(transport->context, FREERDP_ERROR_AUTHENTICATION_FAILED);
}
}
break;
case (SSL3_AL_FATAL << 8) | SSL_AD_INTERNAL_ERROR:
{
if (transport->NlaMode)
{
UINT32 kret = 0;
#ifdef WITH_GSSAPI
if ((strlen(transport->settings->Domain) != 0) &&
(strncmp(transport->settings->Domain, ".", 1) != 0))
{
kret = transport_krb5_check_account(transport, transport->settings->Username,
transport->settings->Domain,
transport->settings->Password);
}
else
#endif /* WITH_GSSAPI */
kret = FREERDP_ERROR_CONNECT_PASSWORD_CERTAINLY_EXPIRED;
if (!freerdp_get_last_error(transport->context))
freerdp_set_last_error(transport->context, kret);
}
break;
case (SSL3_AL_WARNING << 8) | SSL3_AD_CLOSE_NOTIFY:
break;
default:
WLog_Print(transport->log, WLOG_WARN, "Unhandled SSL error (where=%d, ret=%d [%s, %s])", where, ret,
SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
break;
}
}
}
}
void cbtls_info(const SSL *s, int where, int ret)
{
const char *str, *state;
int w;
REQUEST *request = SSL_get_ex_data(s, FR_TLS_EX_INDEX_REQUEST);
char buffer[1024];
w = where & ~SSL_ST_MASK;
if (w & SSL_ST_CONNECT) str=" TLS_connect";
else if (w & SSL_ST_ACCEPT) str=" TLS_accept";
else str=" (other)";
state = SSL_state_string_long(s);
state = state ? state : "NULL";
buffer[0] = '\0';
if (where & SSL_CB_LOOP) {
RDEBUG2("%s: %s", str, state);
} else if (where & SSL_CB_HANDSHAKE_START) {
RDEBUG2("%s: %s", str, state);
} else if (where & SSL_CB_HANDSHAKE_DONE) {
RDEBUG2("%s: %s", str, state);
} else if (where & SSL_CB_ALERT) {
str=(where & SSL_CB_READ)?"read":"write";
snprintf(buffer, sizeof(buffer), "TLS Alert %s:%s:%s",
str,
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if (where & SSL_CB_EXIT) {
if (ret == 0) {
snprintf(buffer, sizeof(buffer), "%s: failed in %s",
str, state);
} else if (ret < 0) {
if (SSL_want_read(s)) {
RDEBUG2("%s: Need to read more data: %s",
str, state);
} else {
snprintf(buffer, sizeof(buffer),
"%s: error in %s", str, state);
}
}
}
if (buffer[0] && request) {
RDEBUGE("SSL says: %s", buffer);
}
}
static void
info_callback (INFO_CALLBACK_SSL_CONST SSL * s, int where, int ret)
{
if (where & SSL_CB_LOOP)
{
dmsg (D_HANDSHAKE_VERBOSE, "SSL state (%s): %s",
where & SSL_ST_CONNECT ? "connect" :
where & SSL_ST_ACCEPT ? "accept" :
"undefined", SSL_state_string_long (s));
}
else if (where & SSL_CB_ALERT)
{
dmsg (D_HANDSHAKE_VERBOSE, "SSL alert (%s): %s: %s",
where & SSL_CB_READ ? "read" : "write",
SSL_alert_type_string_long (ret),
SSL_alert_desc_string_long (ret));
}
}
static void openssl_info_callback(const SSL *ssl, int where, int ret)
{
struct ssl_iostream *ssl_io;
ssl_io = SSL_get_ex_data(ssl, dovecot_ssl_extdata_index);
if ((where & SSL_CB_ALERT) != 0) {
i_warning("%s: SSL alert: where=0x%x, ret=%d: %s %s",
ssl_io->source, where, ret,
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if (ret == 0) {
i_warning("%s: SSL failed: where=0x%x: %s",
ssl_io->source, where, SSL_state_string_long(ssl));
} else {
i_debug("%s: SSL: where=0x%x, ret=%d: %s",
ssl_io->source, where, ret,
SSL_state_string_long(ssl));
}
}
static int openssl_ssl_alert_string(lua_State*L)
{
int v = luaL_checkint(L, 1);
int _long = lua_isnoneornil(L, 2) ? 0 : auxiliar_checkboolean(L, 2);
const char* val;
if (_long)
val = SSL_alert_type_string_long(v);
else
val = SSL_alert_type_string(v);
lua_pushstring(L, val);
if (_long)
val = SSL_alert_desc_string_long(v);
else
val = SSL_alert_desc_string(v);
lua_pushstring(L, val);
return 2;
}
void cbtls_info(const SSL *s, int where, int ret)
{
const char *str, *state;
int w;
EAP_HANDLER *handler = (EAP_HANDLER *)SSL_get_ex_data(s, 0);
REQUEST *request = NULL;
if (handler) request = handler->request;
w = where & ~SSL_ST_MASK;
if (w & SSL_ST_CONNECT) str=" TLS_connect";
else if (w & SSL_ST_ACCEPT) str=" TLS_accept";
else str=" (other)";
state = SSL_state_string_long(s);
state = state ? state : "NULL";
if (where & SSL_CB_LOOP) {
RDEBUG2("%s: %s\n", str, state);
} else if (where & SSL_CB_HANDSHAKE_START) {
RDEBUG2("%s: %s\n", str, state);
} else if (where & SSL_CB_HANDSHAKE_DONE) {
RDEBUG2("%s: %s\n", str, state);
} else if (where & SSL_CB_ALERT) {
str=(where & SSL_CB_READ)?"read":"write";
radlog(L_ERR,"TLS Alert %s:%s:%s\n", str,
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if (where & SSL_CB_EXIT) {
if (ret == 0) {
radlog(L_ERR, "%s:failed in %s\n", str, state);
} else if (ret < 0) {
if (SSL_want_read(s)) {
RDEBUG2("%s: Need to read more data: %s",
str, state);
} else {
radlog(L_ERR, "%s:error in %s\n", str, state);
}
}
}
}
/* Debug callback tracks SSL connection states and errors.
* Initialized by SSL_CTX_set_info_callback. Invoked when
* tb_errorlevel >= TN_NOTICE. Copied from apps/s_cb.c.
*/
void info_cb(SSL *s,int where,int ret) {
char *str="undefined";
int w=where& ~SSL_ST_MASK;
if (w & SSL_ST_CONNECT) str="SSL_connect";
else if (w & SSL_ST_ACCEPT) str="SSL_accept";
if (where & SSL_CB_LOOP)
fprintf(stderr,"%s:%s\n",str,SSL_state_string_long(s));
else if (where & SSL_CB_ALERT) {
str=(where & SSL_CB_READ)?"read":"write";
fprintf(stderr,"SSL3 alert %s:%s:%s\n",
str,
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
}
else if (where & SSL_CB_EXIT) {
if (ret == 0)
fprintf(stderr,"%s:failed in %s\n",str,SSL_state_string_long(s));
else if (ret < 0)
fprintf(stderr,"%s:error in %s\n",str,SSL_state_string_long(s));
}
}
// Nicked straight from the SSL_CTX_set_info_callback man page.
void infoCallback(const SSL *ssl, int where, int ret)
{
const char *str;
int w = where & ~SSL_ST_MASK;
if (w & SSL_ST_CONNECT) {
str = "SSL_connect";
} else if (w & SSL_ST_ACCEPT) {
str = "SSL_accept";
} else {
str = "undefined";
}
if (where & SSL_CB_LOOP) {
fprintf(stderr,"%s: %s\n",str,SSL_state_string_long(ssl));
} else if (where & SSL_CB_ALERT) {
str = (where & SSL_CB_READ)?"read":"write";
fprintf(stderr, "SSL3 alert %s: %s: %s\n",
str,
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if (where & SSL_CB_EXIT) {
if (ret == 0) {
fprintf(stderr, "%s: failed in %s\n",
str, SSL_state_string_long(ssl));
} else if (ret < 0) {
fprintf(stderr, "%s: error in %s\n",
str, SSL_state_string_long(ssl));
}
} else if (where & SSL_CB_HANDSHAKE_START) {
fprintf(stderr, "SSL3 Handshake start %d\n", ret);
} else if (where & SSL_CB_HANDSHAKE_DONE) {
fprintf(stderr, "SSL3 Handshake done %d\n", ret);
} else {
fprintf(stderr,"infoCallback: 0x%04x %d\n", where, ret);
}
}
static void apps_ssl_info_callback(const SSL * s, int where, int ret)
{
char *str;
int w;
if (var_imapd_tls_loglevel==0) return;
w = where & ~SSL_ST_MASK;
if (w & SSL_ST_CONNECT)
str = "SSL_connect";
else if (w & SSL_ST_ACCEPT)
str = "SSL_accept";
else
str = "undefined";
if (where & SSL_CB_LOOP) {
if (tls_serverengine && (var_imapd_tls_loglevel >= 2))
syslog(LOG_DEBUG, "%s:%s", str, SSL_state_string_long(s));
} else if (where & SSL_CB_ALERT) {
str = (where & SSL_CB_READ) ? "read" : "write";
if ((tls_serverengine && (var_imapd_tls_loglevel >= 2)) ||
((ret & 0xff) != SSL3_AD_CLOSE_NOTIFY))
syslog(LOG_DEBUG, "SSL3 alert %s:%s:%s", str,
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if (where & SSL_CB_EXIT) {
if (ret == 0)
syslog(LOG_DEBUG, "%s:failed in %s",
str, SSL_state_string_long(s));
else if (ret < 0) {
syslog(LOG_DEBUG, "%s:error in %s",
str, SSL_state_string_long(s));
}
}
}
static void SSLInfoCallback(const SSL *s, int where, int ret) {
#else
static void SSLInfoCallback(SSL *s, int where, int ret) {
#endif
if(where & SSL_CB_LOOP)
printf("SSL state (%s): %s\r\n",
where & SSL_ST_CONNECT ? "connect" :
where & SSL_ST_ACCEPT ? "accept" :
"undefined", SSL_state_string_long(s));
else if(where & SSL_CB_ALERT)
printf("SSL alert (%s): %s: %s\r\n",
where & SSL_CB_READ ? "read" : "write",
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
else if(where==SSL_CB_HANDSHAKE_DONE)
print_stats();
else
if (where & SSL_CB_EXIT)
{
if (ret == 0)
printf("%failed in %s\r\n",
SSL_state_string_long(s));
}
}
#endif /*DEBUG_SSL*/
static void CDECL LockSSL(int iMode,
int iType,
const char* pszFileName,
int iLine)
{
if(iMode & CRYPTO_LOCK)
{
#ifdef _WIN32
EnterCriticalSection(&lock);
#else
pthread_mutex_lock(&lock);
#endif
}
else
{
if(iMode & CRYPTO_UNLOCK)
{
#ifdef _WIN32
LeaveCriticalSection(&lock);
#else
pthread_mutex_unlock(&lock);
#endif
}
}
}
SSL_CTX* SSLMakeCtx(const SSLOptions& sslOpt,
int iServer)
{
SSL_CTX* pSSLCtx;
if(iServer)
{
pSSLCtx = SSL_CTX_new(SSLv23_server_method());
}
else
{
pSSLCtx = SSL_CTX_new(SSLv23_client_method());
}
if(!pSSLCtx)
{
SysLogMessage(LOG_LEV_ERROR,
"Cannot create SSL context, ssl support is disabled\r\n");
return (NULL);
}
int iSSLOpt = SSL_OP_ALL;
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
iSSLOpt |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#endif
SSL_CTX_set_options(pSSLCtx,
iSSLOpt);
#if SSLEAY_VERSION_NUMBER >= 0x00906000L
SSL_CTX_set_mode(pSSLCtx,
SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
#endif /* OpenSSL-0.9.6 */
/*
SSL_CTX_set_session_cache_mode(pSSLCtx,
SSL_SESS_CACHE_OFF);
*/
SSL_CTX_set_session_cache_mode(pSSLCtx,
SSL_SESS_CACHE_BOTH);
SSL_CTX_sess_set_cache_size(pSSLCtx,
128);
if(!sslOpt.pszCertFile)
{
SysLogMessage(LOG_LEV_ERROR,
"Certificate file not found, ssl support is disabled\r\n");
SSL_CTX_free(pSSLCtx);
return (NULL);
}
if(!SSL_CTX_use_certificate_chain_file(pSSLCtx,
sslOpt.pszCertFile))
{
SysLogMessage(LOG_LEV_ERROR,
"Error reading certificate file: %s, ssl support is disabled\r\n",
sslOpt.pszCertFile);
SSL_CTX_free(pSSLCtx);
return (NULL);
}
SSL_CTX_use_RSAPrivateKey_file(pSSLCtx,
sslOpt.pszCertFile,
SSL_FILETYPE_PEM);
if(!SSL_CTX_check_private_key(pSSLCtx))
{
SysLogMessage(LOG_LEV_ERROR,
"Private key does not match the certificate, ssl support is disabled\r\n");
SSL_CTX_free(pSSLCtx);
return (NULL);
}
#ifdef DEBUG_SSL
SSL_CTX_set_info_callback(pSSLCtx,
SSLInfoCallback);
#endif
if(!SSL_CTX_set_cipher_list(pSSLCtx,
SSL_DEFAULT_CIPHER_LIST))
{
SysLogMessage(LOG_LEV_ERROR,
"Cannot set ciphers: %s, ssl support is disabled\r\n",
SSL_DEFAULT_CIPHER_LIST);
SSL_CTX_free(pSSLCtx);
return (NULL);
}
return (pSSLCtx);
}
NOEXPORT void info_callback(const SSL *ssl, int where, int ret) {
CLI *c;
SSL_CTX *ctx;
const char *state_string;
c=SSL_get_ex_data((SSL *)ssl, index_cli);
if(c) {
int state=SSL_get_state((SSL *)ssl);
#if 0
s_log(LOG_DEBUG, "state = %x", state);
#endif
/* log the client certificate request (if received) */
#ifndef SSL3_ST_CR_CERT_REQ_A
if(state==TLS_ST_CR_CERT_REQ)
#else
if(state==SSL3_ST_CR_CERT_REQ_A)
#endif
print_client_CA_list(SSL_get_client_CA_list(ssl));
#ifndef SSL3_ST_CR_SRVR_DONE_A
if(state==TLS_ST_CR_SRVR_DONE)
#else
if(state==SSL3_ST_CR_SRVR_DONE_A)
#endif
if(!SSL_get_client_CA_list(ssl))
s_log(LOG_INFO, "Client certificate not requested");
/* prevent renegotiation DoS attack */
if((where&SSL_CB_HANDSHAKE_DONE)
&& c->reneg_state==RENEG_INIT) {
/* first (initial) handshake was completed, remember this,
* so that further renegotiation attempts can be detected */
c->reneg_state=RENEG_ESTABLISHED;
} else if((where&SSL_CB_ACCEPT_LOOP)
&& c->reneg_state==RENEG_ESTABLISHED) {
#ifndef SSL3_ST_SR_CLNT_HELLO_A
if(state==TLS_ST_SR_CLNT_HELLO
|| state==TLS_ST_SR_CLNT_HELLO) {
#else
if(state==SSL3_ST_SR_CLNT_HELLO_A
|| state==SSL23_ST_SR_CLNT_HELLO_A) {
#endif
/* client hello received after initial handshake,
* this means renegotiation -> mark it */
c->reneg_state=RENEG_DETECTED;
}
}
if(c->opt->log_level<LOG_DEBUG) /* performance optimization */
return;
}
if(where & SSL_CB_LOOP) {
state_string=SSL_state_string_long(ssl);
if(strcmp(state_string, "unknown state"))
s_log(LOG_DEBUG, "SSL state (%s): %s",
where & SSL_ST_CONNECT ? "connect" :
where & SSL_ST_ACCEPT ? "accept" :
"undefined", state_string);
} else if(where & SSL_CB_ALERT) {
s_log(LOG_DEBUG, "SSL alert (%s): %s: %s",
where & SSL_CB_READ ? "read" : "write",
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if(where==SSL_CB_HANDSHAKE_DONE) {
ctx=SSL_get_SSL_CTX((SSL *)ssl);
if(c->opt->option.client) {
s_log(LOG_DEBUG, "%6ld client connect(s) requested",
SSL_CTX_sess_connect(ctx));
s_log(LOG_DEBUG, "%6ld client connect(s) succeeded",
SSL_CTX_sess_connect_good(ctx));
s_log(LOG_DEBUG, "%6ld client renegotiation(s) requested",
SSL_CTX_sess_connect_renegotiate(ctx));
} else {
s_log(LOG_DEBUG, "%6ld server accept(s) requested",
SSL_CTX_sess_accept(ctx));
s_log(LOG_DEBUG, "%6ld server accept(s) succeeded",
SSL_CTX_sess_accept_good(ctx));
s_log(LOG_DEBUG, "%6ld server renegotiation(s) requested",
SSL_CTX_sess_accept_renegotiate(ctx));
}
/* according to the source it not only includes internal
and external session caches, but also session tickets */
s_log(LOG_DEBUG, "%6ld session reuse(s)",
SSL_CTX_sess_hits(ctx));
if(!c->opt->option.client) { /* server session cache stats */
s_log(LOG_DEBUG, "%6ld internal session cache item(s)",
SSL_CTX_sess_number(ctx));
s_log(LOG_DEBUG, "%6ld internal session cache fill-up(s)",
SSL_CTX_sess_cache_full(ctx));
s_log(LOG_DEBUG, "%6ld internal session cache miss(es)",
SSL_CTX_sess_misses(ctx));
s_log(LOG_DEBUG, "%6ld external session cache hit(s)",
SSL_CTX_sess_cb_hits(ctx));
s_log(LOG_DEBUG, "%6ld expired session(s) retrieved",
SSL_CTX_sess_timeouts(ctx));
}
}
}
/**************************************** SSL error reporting */
void sslerror(char *txt) { /* OpenSSL error handler */
unsigned long err;
err=ERR_get_error();
if(err) {
sslerror_queue();
sslerror_log(err, txt);
} else {
s_log(LOG_ERR, "%s: Peer suddenly disconnected", txt);
}
}
/** Record session state changes
*
* Called by OpenSSL whenever the session state changes, an alert is received or an error occurs.
*
* @param[in] ssl session.
* @param[in] where Which context the callback is being called in.
* See https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_info_callback.html
* for additional info.
* @param[in] ret 0 if an error occurred, or the alert type if an alert was received.
*/
void tls_session_info_cb(SSL const *ssl, int where, int ret)
{
char const *role, *state;
REQUEST *request = SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_REQUEST);
if ((where & ~SSL_ST_MASK) & SSL_ST_CONNECT) {
role = "Client ";
} else if (((where & ~SSL_ST_MASK)) & SSL_ST_ACCEPT) {
role = "Server ";
} else {
role = "";
}
state = SSL_state_string_long(ssl);
state = state ? state : "<INVALID>";
if ((where & SSL_CB_LOOP) || (where & SSL_CB_HANDSHAKE_START) || (where & SSL_CB_HANDSHAKE_DONE)) {
if (RDEBUG_ENABLED3) {
char const *abbrv = SSL_state_string(ssl);
size_t len;
/*
* Trim crappy OpenSSL state strings...
*/
len = strlen(abbrv);
if ((len > 1) && (abbrv[len - 1] == ' ')) len--;
RDEBUG3("Handshake state [%.*s] - %s%s", (int)len, abbrv, role, state);
} else {
RDEBUG2("Handshake state - %s%s", role, state);
}
return;
}
if (where & SSL_CB_ALERT) {
if ((ret & 0xff) == SSL_AD_CLOSE_NOTIFY) return;
if (where & SSL_CB_READ) {
VALUE_PAIR *vp;
REDEBUG("Client sent %s TLS alert: %s", SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
/*
* Offer helpful advice... Should be expanded.
*/
switch (ret & 0xff) {
case TLS1_AD_UNKNOWN_CA:
REDEBUG("Verify client has copy of CA certificate, and trusts CA");
break;
default:
break;
}
MEM(pair_update_request(&vp, attr_tls_client_error_code) >= 0);
vp->vp_uint8 = ret & 0xff;
RDEBUG2("&TLS-Client-Error-Code := %pV", &vp->data);
} else {
REDEBUG("Sending client %s TLS alert: %s %i", SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret), ret & 0xff);
}
return;
}
if (where & SSL_CB_EXIT) {
if (ret == 0) {
REDEBUG("Handshake exit state %s%s", role, state);
return;
}
if (ret < 0) {
if (SSL_want_read(ssl)) {
RDEBUG2("Need more data from client"); /* State same as previous call, don't print */
return;
}
REDEBUG("Handshake exit state %s%s", role, state);
}
}
}
void Tls_openssl_info_callback(const SSL *s, int where, int ret)
{
const char *str;
int w;
w=where& ~SSL_ST_MASK;
if (w & SSL_ST_CONNECT) str="Handshake";
else if (w & SSL_ST_ACCEPT) str="SSL_accept";
else str="undefined";
if (where & SSL_CB_LOOP)
{
DEBUG_LOG_PRINT_LEV2(("TlsDebug : %s:%s\n",str,SSL_state_string_long(s)));
}
if (where & SSL_CB_ALERT)
{
str=(where & SSL_CB_READ)?"read":"write";
DEBUG_LOG_PRINT_LEV2(("TlsDebug : SSLv3 alert %s:%s:%s\n",\
str,\
SSL_alert_type_string_long(ret),\
SSL_alert_desc_string_long(ret)));
}
if (where & SSL_CB_EXIT)
{
if (ret == 0)
{
DEBUG_LOG_PRINT_LEV2(("TlsDebug : %s:failed in %s\n",\
str,SSL_state_string_long(s)));
}
else if (ret < 0)
{
int ret1 = SSL_get_error(s,ret);
switch(ret1)
{
case SSL_ERROR_WANT_READ:
DEBUG_LOG_PRINT_LEV2(("TlsDebug : %s:incomplete : %s\n",\
str,SSL_state_string_long(s)));
break;
case SSL_ERROR_WANT_WRITE:
DEBUG_LOG_PRINT_LEV2(("TlsDebug : %s:incomplete : %s\n",\
str,SSL_state_string_long(s)));
break;
default:
DEBUG_LOG_PRINT_LEV2(("TlsDebug : %s:error in %s\n",\
str,SSL_state_string_long(s)));
if (w & SSL_ST_CONNECT)
DEBUG_LOG_PRINT_LEV2(("TlsDebug : %s:Done",str));
}
}
}
if( where & SSL_CB_HANDSHAKE_START)
{
DEBUG_LOG_PRINT_LEV2(("TlsDebug : Handshake:Start"));
}
if( where & SSL_CB_HANDSHAKE_DONE )
{
DEBUG_LOG_PRINT_LEV2(("TlsDebug : Handshake:Done"));
}
}
NOEXPORT void info_callback(const SSL *ssl, int where, int ret) {
CLI *c;
SSL_CTX *ctx;
c=SSL_get_ex_data((SSL *)ssl, index_cli);
if(c) {
if((where&SSL_CB_HANDSHAKE_DONE)
&& c->reneg_state==RENEG_INIT) {
/* first (initial) handshake was completed, remember this,
* so that further renegotiation attempts can be detected */
c->reneg_state=RENEG_ESTABLISHED;
} else if((where&SSL_CB_ACCEPT_LOOP)
&& c->reneg_state==RENEG_ESTABLISHED) {
int state=SSL_get_state((SSL *)ssl);
if(state==SSL3_ST_SR_CLNT_HELLO_A
|| state==SSL23_ST_SR_CLNT_HELLO_A) {
/* client hello received after initial handshake,
* this means renegotiation -> mark it */
c->reneg_state=RENEG_DETECTED;
}
}
if(c->opt->log_level<LOG_DEBUG)
return; /* performance optimization */
}
if(where & SSL_CB_LOOP) {
s_log(LOG_DEBUG, "SSL state (%s): %s",
where & SSL_ST_CONNECT ? "connect" :
where & SSL_ST_ACCEPT ? "accept" :
"undefined", SSL_state_string_long(ssl));
} else if(where & SSL_CB_ALERT) {
s_log(LOG_DEBUG, "SSL alert (%s): %s: %s",
where & SSL_CB_READ ? "read" : "write",
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if(where==SSL_CB_HANDSHAKE_DONE) {
ctx=SSL_get_SSL_CTX((SSL *)ssl);
if(c->opt->option.client) {
s_log(LOG_DEBUG, "%4ld client connect(s) requested",
SSL_CTX_sess_connect(ctx));
s_log(LOG_DEBUG, "%4ld client connect(s) succeeded",
SSL_CTX_sess_connect_good(ctx));
s_log(LOG_DEBUG, "%4ld client renegotiation(s) requested",
SSL_CTX_sess_connect_renegotiate(ctx));
} else {
s_log(LOG_DEBUG, "%4ld server accept(s) requested",
SSL_CTX_sess_accept(ctx));
s_log(LOG_DEBUG, "%4ld server accept(s) succeeded",
SSL_CTX_sess_accept_good(ctx));
s_log(LOG_DEBUG, "%4ld server renegotiation(s) requested",
SSL_CTX_sess_accept_renegotiate(ctx));
}
/* according to the source it not only includes internal
and external session caches, but also session tickets */
s_log(LOG_DEBUG, "%4ld session reuse(s)",
SSL_CTX_sess_hits(ctx));
if(!c->opt->option.client) { /* server session cache stats */
s_log(LOG_DEBUG, "%4ld internal session cache item(s)",
SSL_CTX_sess_number(ctx));
s_log(LOG_DEBUG, "%4ld internal session cache fill-up(s)",
SSL_CTX_sess_cache_full(ctx));
s_log(LOG_DEBUG, "%4ld internal session cache miss(es)",
SSL_CTX_sess_misses(ctx));
s_log(LOG_DEBUG, "%4ld external session cache hit(s)",
SSL_CTX_sess_cb_hits(ctx));
s_log(LOG_DEBUG, "%4ld expired session(s) retrieved",
SSL_CTX_sess_timeouts(ctx));
}
}
}
NOEXPORT void info_callback(
#if OPENSSL_VERSION_NUMBER>=0x0090700fL
const
#endif
SSL *ssl, int where, int ret) {
CLI *c;
c=SSL_get_ex_data(ssl, cli_index);
if(c) {
if((where&SSL_CB_HANDSHAKE_DONE)
&& c->reneg_state==RENEG_INIT) {
/* first (initial) handshake was completed, remember this,
* so that further renegotiation attempts can be detected */
c->reneg_state=RENEG_ESTABLISHED;
} else if((where&SSL_CB_ACCEPT_LOOP)
&& c->reneg_state==RENEG_ESTABLISHED) {
int state=SSL_get_state(ssl);
if(state==SSL3_ST_SR_CLNT_HELLO_A
|| state==SSL23_ST_SR_CLNT_HELLO_A) {
/* client hello received after initial handshake,
* this means renegotiation -> mark it */
c->reneg_state=RENEG_DETECTED;
}
}
}
if(global_options.debug_level<LOG_DEBUG)
return; /* performance optimization */
if(where & SSL_CB_LOOP) {
s_log(LOG_DEBUG, "SSL state (%s): %s",
where & SSL_ST_CONNECT ? "connect" :
where & SSL_ST_ACCEPT ? "accept" :
"undefined", SSL_state_string_long(ssl));
} else if(where & SSL_CB_ALERT) {
s_log(LOG_DEBUG, "SSL alert (%s): %s: %s",
where & SSL_CB_READ ? "read" : "write",
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if(where==SSL_CB_HANDSHAKE_DONE) {
s_log(LOG_DEBUG, "%4ld items in the session cache",
SSL_CTX_sess_number(ssl->ctx));
s_log(LOG_DEBUG, "%4ld client connects (SSL_connect())",
SSL_CTX_sess_connect(ssl->ctx));
s_log(LOG_DEBUG, "%4ld client connects that finished",
SSL_CTX_sess_connect_good(ssl->ctx));
s_log(LOG_DEBUG, "%4ld client renegotiations requested",
SSL_CTX_sess_connect_renegotiate(ssl->ctx));
s_log(LOG_DEBUG, "%4ld server connects (SSL_accept())",
SSL_CTX_sess_accept(ssl->ctx));
s_log(LOG_DEBUG, "%4ld server connects that finished",
SSL_CTX_sess_accept_good(ssl->ctx));
s_log(LOG_DEBUG, "%4ld server renegotiations requested",
SSL_CTX_sess_accept_renegotiate(ssl->ctx));
s_log(LOG_DEBUG, "%4ld session cache hits",
SSL_CTX_sess_hits(ssl->ctx));
s_log(LOG_DEBUG, "%4ld external session cache hits",
SSL_CTX_sess_cb_hits(ssl->ctx));
s_log(LOG_DEBUG, "%4ld session cache misses",
SSL_CTX_sess_misses(ssl->ctx));
s_log(LOG_DEBUG, "%4ld session cache timeouts",
SSL_CTX_sess_timeouts(ssl->ctx));
}
}
/* Derived from openssl/apps/s_cb.c */
static void
tlso_info_cb( const SSL *ssl, int where, int ret )
{
int w;
char *op;
char *state = (char *) SSL_state_string_long( (SSL *)ssl );
w = where & ~SSL_ST_MASK;
if ( w & SSL_ST_CONNECT ) {
op = "SSL_connect";
} else if ( w & SSL_ST_ACCEPT ) {
op = "SSL_accept";
} else {
op = "undefined";
}
#ifdef HAVE_EBCDIC
if ( state ) {
state = LDAP_STRDUP( state );
__etoa( state );
}
#endif
if ( where & SSL_CB_LOOP ) {
Debug( LDAP_DEBUG_TRACE,
"TLS trace: %s:%s\n",
op, state, 0 );
} else if ( where & SSL_CB_ALERT ) {
char *atype = (char *) SSL_alert_type_string_long( ret );
char *adesc = (char *) SSL_alert_desc_string_long( ret );
op = ( where & SSL_CB_READ ) ? "read" : "write";
#ifdef HAVE_EBCDIC
if ( atype ) {
atype = LDAP_STRDUP( atype );
__etoa( atype );
}
if ( adesc ) {
adesc = LDAP_STRDUP( adesc );
__etoa( adesc );
}
#endif
Debug( LDAP_DEBUG_TRACE,
"TLS trace: SSL3 alert %s:%s:%s\n",
op, atype, adesc );
#ifdef HAVE_EBCDIC
if ( atype ) LDAP_FREE( atype );
if ( adesc ) LDAP_FREE( adesc );
#endif
} else if ( where & SSL_CB_EXIT ) {
if ( ret == 0 ) {
Debug( LDAP_DEBUG_TRACE,
"TLS trace: %s:failed in %s\n",
op, state, 0 );
} else if ( ret < 0 ) {
Debug( LDAP_DEBUG_TRACE,
"TLS trace: %s:error in %s\n",
op, state, 0 );
}
}
#ifdef HAVE_EBCDIC
if ( state ) LDAP_FREE( state );
#endif
}
