static void ssl_info_callback(const SSL *s, int where, int ret) { const char *str; int w; w = where & ~SSL_ST_MASK; if (w & SSL_ST_CONNECT) str="SSL_connect"; else if (w & SSL_ST_ACCEPT) str="SSL_accept"; else str="undefined"; if (where & SSL_CB_LOOP) { log(L_DEBUG, "SSL: %s", SSL_state_string_long((SSL*)s)); } else if (where & SSL_CB_ALERT) { str=(where & SSL_CB_READ)?"read":"write"; log(L_DEBUG, "SSL: SSL3 alert %s:%s:%s", str, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_EXIT) { if (ret == 0) log(L_DEBUG, "SSL: %s:failed in %s", str,SSL_state_string_long((SSL*)s)); else if (ret < 0) { log(L_DEBUG, "SSL: %s:%s", str,SSL_state_string_long((SSL*)s)); } } else if (where & SSL_CB_ALERT) { str=(where & SSL_CB_READ)?"read":"write"; log(L_DEBUG, "SSL: SSL3 alert %s:%s:%s", str, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_EXIT) { if (ret == 0) log(L_DEBUG, "SSL: %s:failed in %s", str,SSL_state_string_long((SSL*)s)); else if (ret < 0) { log(L_DEBUG, "SSL: %s:error in %s", str,SSL_state_string_long((SSL*)s)); } } }
static PyObject * sslscan_ssl_alert_get_type(sslscan_ssl_alert_obj *self, PyObject *args) { if (!PyArg_ParseTuple(args, ":get_type")) return Py_BuildValue("");; return PyUnicode_FromString(SSL_alert_type_string_long(self->ret)); }
static void __apn_ssl_info_callback(const SSL *ssl, int where, int ret) { apn_ctx_t *ctx = SSL_CTX_get_ex_data(ssl->ctx, 0); if (!ctx) { return; } if (where & SSL_CB_LOOP) { apn_log(ctx, APN_LOG_LEVEL_INFO, "ssl: %s:%s:%s", (where & SSL_ST_CONNECT) ? "connect" : "undef", SSL_state_string_long(ssl), SSL_get_cipher_name(ssl)); } else if (where & SSL_CB_EXIT) { apn_log(ctx, APN_LOG_LEVEL_INFO, "ssl: %s:%s", (where & SSL_ST_CONNECT) ? "connect" : "undef", SSL_state_string_long(ssl)); } else if (where & SSL_CB_ALERT) { apn_log(ctx, APN_LOG_LEVEL_INFO, "ssl: alert %s:%s", (where & SSL_CB_READ) ? "read" : "write", SSL_state_string_long(ssl), SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_HANDSHAKE_START) { apn_log(ctx, APN_LOG_LEVEL_INFO, "ssl: handshake started %s:%s:%s", (where & SSL_CB_READ) ? "read" : "write", SSL_state_string_long(ssl), SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_HANDSHAKE_DONE) { apn_log(ctx, APN_LOG_LEVEL_INFO, "ssl: handshake done %s:%s:%s", (where & SSL_CB_READ) ? "read" : "write", SSL_state_string_long(ssl), SSL_alert_desc_string_long(ret)); } else { apn_log(ctx, APN_LOG_LEVEL_INFO, "ssl: state %s:%s:%s", SSL_state_string_long(ssl), SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } }
static void ssl_info_callback(const SSL *ssl, int where, int ret) { const char *s; int w; w = where & ~SSL_ST_MASK; if (w & SSL_ST_CONNECT) s = "SSL_connect"; else if (w & SSL_ST_ACCEPT) s = "SSL_accept"; else s = "undefined"; if (where & SSL_CB_LOOP) debug(DBG_DBG, "%s:%s\n", s, SSL_state_string_long(ssl)); else if (where & SSL_CB_ALERT) { s = (where & SSL_CB_READ) ? "read" : "write"; debug(DBG_DBG, "SSL3 alert %s:%s:%s\n", s, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_EXIT) { if (ret == 0) debug(DBG_DBG, "%s:failed in %s\n", s, SSL_state_string_long(ssl)); else if (ret < 0) debug(DBG_DBG, "%s:error in %s\n", s, SSL_state_string_long(ssl)); } }
static void ssl_info_cb(const SSL *ssl, int where, int ret) { const char *str; int w; wpa_printf(MSG_DEBUG, "SSL: (where=0x%x ret=0x%x)", where, ret); w = where & ~SSL_ST_MASK; if (w & SSL_ST_CONNECT) str = "SSL_connect"; else if (w & SSL_ST_ACCEPT) str = "SSL_accept"; else str = "undefined"; if (where & SSL_CB_LOOP) { wpa_printf(MSG_DEBUG, "SSL: %s:%s", str, SSL_state_string_long(ssl)); } else if (where & SSL_CB_ALERT) { wpa_printf(MSG_INFO, "SSL: SSL3 alert: %s:%s:%s", where & SSL_CB_READ ? "read (authentication server reported an error)" : "write (local SSL3 detected an error)", SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_EXIT && ret <= 0) { wpa_printf(MSG_DEBUG, "SSL: %s:%s in %s", str, ret == 0 ? "failed" : "error", SSL_state_string_long(ssl)); } }
/* ** Roughly copied from the openssl sample app in the openssl package */ PRIVATE void apps_ssl_info_callback (SSL * s, int where, int ret) { char *str; int w = where & ~SSL_ST_MASK; if (w & SSL_ST_CONNECT) str="SSL_connect"; else if (w & SSL_ST_ACCEPT) str="SSL_accept"; else str="undefined"; if (where & SSL_CB_LOOP) { HTTRACE(PROT_TRACE, "%s: %s\n" _ str _ SSL_state_string_long(s)); } else if (where & SSL_CB_ALERT) { str = (where & SSL_CB_READ) ? "read" : "write"; HTTRACE(PROT_TRACE, "SSL3 alert %s:%s:%s\n" _ str _ SSL_alert_type_string_long(ret) _ SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_EXIT) { if (ret == 0) { HTTRACE(PROT_TRACE, "%s: failed in %s\n" _ str _ SSL_state_string_long(s)); } else if (ret < 0) { HTTRACE(PROT_TRACE, "%s: error in %s\n" _ str _ SSL_state_string_long(s)); } } }
static void openssl_info_callback(const SSL *ssl, int where, int ret) { struct ssl_iostream *ssl_io; ssl_io = SSL_get_ex_data(ssl, dovecot_ssl_extdata_index); if ((where & SSL_CB_ALERT) != 0) { switch (ret & 0xff) { case SSL_AD_CLOSE_NOTIFY: i_debug("%sSSL alert: %s", ssl_io->log_prefix, SSL_alert_desc_string_long(ret)); break; default: i_debug("%sSSL alert: where=0x%x, ret=%d: %s %s", ssl_io->log_prefix, where, ret, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); break; } } else if (ret == 0) { i_debug("%sSSL failed: where=0x%x: %s", ssl_io->log_prefix, where, SSL_state_string_long(ssl)); } else { i_debug("%sSSL: where=0x%x, ret=%d: %s", ssl_io->log_prefix, where, ret, SSL_state_string_long(ssl)); } }
void apps_ssl_info_callback(const SSL * s, int where, int ret) { const char *str; int w; w = where & ~SSL_ST_MASK; if (w & SSL_ST_CONNECT) str = "SSL_connect"; else if (w & SSL_ST_ACCEPT) str = "SSL_accept"; else str = "undefined"; if (where & SSL_CB_LOOP) { BIO_printf(bio_err, "%s:%s\n", str, SSL_state_string_long(s)); } else if (where & SSL_CB_ALERT) { str = (where & SSL_CB_READ) ? "read" : "write"; BIO_printf(bio_err, "SSL3 alert %s:%s:%s\n", str, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_EXIT) { if (ret == 0) BIO_printf(bio_err, "%s:failed in %s\n", str, SSL_state_string_long(s)); else if (ret < 0) { BIO_printf(bio_err, "%s:error in %s\n", str, SSL_state_string_long(s)); } } }
void QFrankSSL::K_SSL_Info_Callback(const SSL *ssl,int wo,int rueckgabe) { /* Haben wir das SSL Objekt in unserer Hashtabelle?? Wenn nicht ganz großes Problem */ //int Wo=wo&~SSL_ST_MASK; if(!K_ListeDerSSLVerbindungen.contains(ssl)) qFatal("QFrankSSL SSL_Info_Callback: Das SSL Objekt befindet sich nicht in der Tabelle!!"); //qDebug("wo=0x%X",wo); switch(wo) { case SSL_CB_CONNECT_EXIT: #ifndef QT_NO_DEBUG qDebug("QFrankSSL SSL_Info_Callback: meldet ein Fehler"); #endif qDebug(qPrintable(QString("%1").arg(rueckgabe))); break; case SSL_CB_READ_ALERT: case SSL_CB_WRITE_ALERT: QString Alarmtype=SSL_alert_type_string_long(rueckgabe); QString Alarmtext=SSL_alert_desc_string_long(rueckgabe); #ifndef QT_NO_DEBUG qCritical("QFrankSSL SSL_Info_Callback: meldet einen Alarm"); qCritical("Art des Alams: %s\r\nBeschreibung: %s",Alarmtype.toAscii().constData(),Alarmtext.toAscii().constData()); #endif break; } }
void cbtls_info(const SSL *s, int where, int ret) { const char *str, *state; int w; REQUEST *request = SSL_get_ex_data(s, FR_TLS_EX_INDEX_REQUEST); char buffer[1024]; w = where & ~SSL_ST_MASK; if (w & SSL_ST_CONNECT) str=" TLS_connect"; else if (w & SSL_ST_ACCEPT) str=" TLS_accept"; else str=" (other)"; state = SSL_state_string_long(s); state = state ? state : "NULL"; buffer[0] = '\0'; if (where & SSL_CB_LOOP) { RDEBUG2("%s: %s", str, state); } else if (where & SSL_CB_HANDSHAKE_START) { RDEBUG2("%s: %s", str, state); } else if (where & SSL_CB_HANDSHAKE_DONE) { RDEBUG2("%s: %s", str, state); } else if (where & SSL_CB_ALERT) { str=(where & SSL_CB_READ)?"read":"write"; snprintf(buffer, sizeof(buffer), "TLS Alert %s:%s:%s", str, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_EXIT) { if (ret == 0) { snprintf(buffer, sizeof(buffer), "%s: failed in %s", str, state); } else if (ret < 0) { if (SSL_want_read(s)) { RDEBUG2("%s: Need to read more data: %s", str, state); } else { snprintf(buffer, sizeof(buffer), "%s: error in %s", str, state); } } } if (buffer[0]) { radlog(L_ERR, "%s", buffer); if (request) { VALUE_PAIR *vp; vp = pairmake("Module-Failure-Message", buffer, T_OP_ADD); if (vp) pairadd(&request->packet->vps, vp); } } }
void SSL_CTX_info_callback(const SSL* ssl, int where, int ret) { FUNC_ENTRY; if (where & SSL_CB_LOOP) { Log(TRACE_PROTOCOL, 1, "SSL state %s:%s:%s", (where & SSL_ST_CONNECT) ? "connect" : (where & SSL_ST_ACCEPT) ? "accept" : "undef", SSL_state_string_long(ssl), SSL_get_cipher_name(ssl)); } else if (where & SSL_CB_EXIT) { Log(TRACE_PROTOCOL, 1, "SSL %s:%s", (where & SSL_ST_CONNECT) ? "connect" : (where & SSL_ST_ACCEPT) ? "accept" : "undef", SSL_state_string_long(ssl)); } else if (where & SSL_CB_ALERT) { Log(TRACE_PROTOCOL, 1, "SSL alert %s:%s:%s", (where & SSL_CB_READ) ? "read" : "write", SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_HANDSHAKE_START) { Log(TRACE_PROTOCOL, 1, "SSL handshake started %s:%s:%s", (where & SSL_CB_READ) ? "read" : "write", SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_HANDSHAKE_DONE) { Log(TRACE_PROTOCOL, 1, "SSL handshake done %s:%s:%s", (where & SSL_CB_READ) ? "read" : "write", SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); Log(TRACE_PROTOCOL, 1, "SSL certificate verification: %s", SSL_get_verify_result_string(SSL_get_verify_result(ssl))); } else { Log(TRACE_PROTOCOL, 1, "SSL state %s:%s:%s", SSL_state_string_long(ssl), SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } FUNC_EXIT; }
USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ #include <freeradius-devel/radiusd.h> #ifdef WITH_TLS void cbtls_info(SSL const *s, int where, int ret) { char const *str, *state; int w; REQUEST *request = SSL_get_ex_data(s, FR_TLS_EX_INDEX_REQUEST); char buffer[1024]; w = where & ~SSL_ST_MASK; if (w & SSL_ST_CONNECT) str=" TLS_connect"; else if (w & SSL_ST_ACCEPT) str=" TLS_accept"; else str=" (other)"; state = SSL_state_string_long(s); state = state ? state : "NULL"; buffer[0] = '\0'; if (where & SSL_CB_LOOP) { RDEBUG2("%s: %s", str, state); } else if (where & SSL_CB_HANDSHAKE_START) { RDEBUG2("%s: %s", str, state); } else if (where & SSL_CB_HANDSHAKE_DONE) { RDEBUG2("%s: %s", str, state); } else if (where & SSL_CB_ALERT) { str=(where & SSL_CB_READ)?"read":"write"; snprintf(buffer, sizeof(buffer), "TLS Alert %s:%s:%s", str, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_EXIT) { if (ret == 0) { snprintf(buffer, sizeof(buffer), "%s: failed in %s", str, state); } else if (ret < 0) { if (SSL_want_read(s)) { RDEBUG2("%s: Need to read more data: %s", str, state); } else { snprintf(buffer, sizeof(buffer), "%s: error in %s", str, state); } } } if (buffer[0] && request) { REDEBUG("SSL says: %s", buffer); } }
static void transport_ssl_cb(SSL* ssl, int where, int ret) { if (where & SSL_CB_ALERT) { rdpTransport* transport = (rdpTransport*) SSL_get_app_data(ssl); switch (ret) { case (SSL3_AL_FATAL << 8) | SSL_AD_ACCESS_DENIED: { if (!freerdp_get_last_error(transport->context)) { WLog_Print(transport->log, WLOG_ERROR, "%s: ACCESS DENIED", __FUNCTION__); freerdp_set_last_error(transport->context, FREERDP_ERROR_AUTHENTICATION_FAILED); } } break; case (SSL3_AL_FATAL << 8) | SSL_AD_INTERNAL_ERROR: { if (transport->NlaMode) { UINT32 kret = 0; #ifdef WITH_GSSAPI if ((strlen(transport->settings->Domain) != 0) && (strncmp(transport->settings->Domain, ".", 1) != 0)) { kret = transport_krb5_check_account(transport, transport->settings->Username, transport->settings->Domain, transport->settings->Password); } else #endif /* WITH_GSSAPI */ kret = FREERDP_ERROR_CONNECT_PASSWORD_CERTAINLY_EXPIRED; if (!freerdp_get_last_error(transport->context)) freerdp_set_last_error(transport->context, kret); } break; case (SSL3_AL_WARNING << 8) | SSL3_AD_CLOSE_NOTIFY: break; default: WLog_Print(transport->log, WLOG_WARN, "Unhandled SSL error (where=%d, ret=%d [%s, %s])", where, ret, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); break; } } } }
void cbtls_info(const SSL *s, int where, int ret) { const char *str, *state; int w; REQUEST *request = SSL_get_ex_data(s, FR_TLS_EX_INDEX_REQUEST); char buffer[1024]; w = where & ~SSL_ST_MASK; if (w & SSL_ST_CONNECT) str=" TLS_connect"; else if (w & SSL_ST_ACCEPT) str=" TLS_accept"; else str=" (other)"; state = SSL_state_string_long(s); state = state ? state : "NULL"; buffer[0] = '\0'; if (where & SSL_CB_LOOP) { RDEBUG2("%s: %s", str, state); } else if (where & SSL_CB_HANDSHAKE_START) { RDEBUG2("%s: %s", str, state); } else if (where & SSL_CB_HANDSHAKE_DONE) { RDEBUG2("%s: %s", str, state); } else if (where & SSL_CB_ALERT) { str=(where & SSL_CB_READ)?"read":"write"; snprintf(buffer, sizeof(buffer), "TLS Alert %s:%s:%s", str, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_EXIT) { if (ret == 0) { snprintf(buffer, sizeof(buffer), "%s: failed in %s", str, state); } else if (ret < 0) { if (SSL_want_read(s)) { RDEBUG2("%s: Need to read more data: %s", str, state); } else { snprintf(buffer, sizeof(buffer), "%s: error in %s", str, state); } } } if (buffer[0] && request) { RDEBUGE("SSL says: %s", buffer); } }
static void info_callback (INFO_CALLBACK_SSL_CONST SSL * s, int where, int ret) { if (where & SSL_CB_LOOP) { dmsg (D_HANDSHAKE_VERBOSE, "SSL state (%s): %s", where & SSL_ST_CONNECT ? "connect" : where & SSL_ST_ACCEPT ? "accept" : "undefined", SSL_state_string_long (s)); } else if (where & SSL_CB_ALERT) { dmsg (D_HANDSHAKE_VERBOSE, "SSL alert (%s): %s: %s", where & SSL_CB_READ ? "read" : "write", SSL_alert_type_string_long (ret), SSL_alert_desc_string_long (ret)); } }
static void openssl_info_callback(const SSL *ssl, int where, int ret) { struct ssl_iostream *ssl_io; ssl_io = SSL_get_ex_data(ssl, dovecot_ssl_extdata_index); if ((where & SSL_CB_ALERT) != 0) { i_warning("%s: SSL alert: where=0x%x, ret=%d: %s %s", ssl_io->source, where, ret, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if (ret == 0) { i_warning("%s: SSL failed: where=0x%x: %s", ssl_io->source, where, SSL_state_string_long(ssl)); } else { i_debug("%s: SSL: where=0x%x, ret=%d: %s", ssl_io->source, where, ret, SSL_state_string_long(ssl)); } }
static int openssl_ssl_alert_string(lua_State*L) { int v = luaL_checkint(L, 1); int _long = lua_isnoneornil(L, 2) ? 0 : auxiliar_checkboolean(L, 2); const char* val; if (_long) val = SSL_alert_type_string_long(v); else val = SSL_alert_type_string(v); lua_pushstring(L, val); if (_long) val = SSL_alert_desc_string_long(v); else val = SSL_alert_desc_string(v); lua_pushstring(L, val); return 2; }
void cbtls_info(const SSL *s, int where, int ret) { const char *str, *state; int w; EAP_HANDLER *handler = (EAP_HANDLER *)SSL_get_ex_data(s, 0); REQUEST *request = NULL; if (handler) request = handler->request; w = where & ~SSL_ST_MASK; if (w & SSL_ST_CONNECT) str=" TLS_connect"; else if (w & SSL_ST_ACCEPT) str=" TLS_accept"; else str=" (other)"; state = SSL_state_string_long(s); state = state ? state : "NULL"; if (where & SSL_CB_LOOP) { RDEBUG2("%s: %s\n", str, state); } else if (where & SSL_CB_HANDSHAKE_START) { RDEBUG2("%s: %s\n", str, state); } else if (where & SSL_CB_HANDSHAKE_DONE) { RDEBUG2("%s: %s\n", str, state); } else if (where & SSL_CB_ALERT) { str=(where & SSL_CB_READ)?"read":"write"; radlog(L_ERR,"TLS Alert %s:%s:%s\n", str, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_EXIT) { if (ret == 0) { radlog(L_ERR, "%s:failed in %s\n", str, state); } else if (ret < 0) { if (SSL_want_read(s)) { RDEBUG2("%s: Need to read more data: %s", str, state); } else { radlog(L_ERR, "%s:error in %s\n", str, state); } } } }
/* Debug callback tracks SSL connection states and errors. * Initialized by SSL_CTX_set_info_callback. Invoked when * tb_errorlevel >= TN_NOTICE. Copied from apps/s_cb.c. */ void info_cb(SSL *s,int where,int ret) { char *str="undefined"; int w=where& ~SSL_ST_MASK; if (w & SSL_ST_CONNECT) str="SSL_connect"; else if (w & SSL_ST_ACCEPT) str="SSL_accept"; if (where & SSL_CB_LOOP) fprintf(stderr,"%s:%s\n",str,SSL_state_string_long(s)); else if (where & SSL_CB_ALERT) { str=(where & SSL_CB_READ)?"read":"write"; fprintf(stderr,"SSL3 alert %s:%s:%s\n", str, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_EXIT) { if (ret == 0) fprintf(stderr,"%s:failed in %s\n",str,SSL_state_string_long(s)); else if (ret < 0) fprintf(stderr,"%s:error in %s\n",str,SSL_state_string_long(s)); } }
// Nicked straight from the SSL_CTX_set_info_callback man page. void infoCallback(const SSL *ssl, int where, int ret) { const char *str; int w = where & ~SSL_ST_MASK; if (w & SSL_ST_CONNECT) { str = "SSL_connect"; } else if (w & SSL_ST_ACCEPT) { str = "SSL_accept"; } else { str = "undefined"; } if (where & SSL_CB_LOOP) { fprintf(stderr,"%s: %s\n",str,SSL_state_string_long(ssl)); } else if (where & SSL_CB_ALERT) { str = (where & SSL_CB_READ)?"read":"write"; fprintf(stderr, "SSL3 alert %s: %s: %s\n", str, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_EXIT) { if (ret == 0) { fprintf(stderr, "%s: failed in %s\n", str, SSL_state_string_long(ssl)); } else if (ret < 0) { fprintf(stderr, "%s: error in %s\n", str, SSL_state_string_long(ssl)); } } else if (where & SSL_CB_HANDSHAKE_START) { fprintf(stderr, "SSL3 Handshake start %d\n", ret); } else if (where & SSL_CB_HANDSHAKE_DONE) { fprintf(stderr, "SSL3 Handshake done %d\n", ret); } else { fprintf(stderr,"infoCallback: 0x%04x %d\n", where, ret); } }
static void apps_ssl_info_callback(const SSL * s, int where, int ret) { char *str; int w; if (var_imapd_tls_loglevel==0) return; w = where & ~SSL_ST_MASK; if (w & SSL_ST_CONNECT) str = "SSL_connect"; else if (w & SSL_ST_ACCEPT) str = "SSL_accept"; else str = "undefined"; if (where & SSL_CB_LOOP) { if (tls_serverengine && (var_imapd_tls_loglevel >= 2)) syslog(LOG_DEBUG, "%s:%s", str, SSL_state_string_long(s)); } else if (where & SSL_CB_ALERT) { str = (where & SSL_CB_READ) ? "read" : "write"; if ((tls_serverengine && (var_imapd_tls_loglevel >= 2)) || ((ret & 0xff) != SSL3_AD_CLOSE_NOTIFY)) syslog(LOG_DEBUG, "SSL3 alert %s:%s:%s", str, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if (where & SSL_CB_EXIT) { if (ret == 0) syslog(LOG_DEBUG, "%s:failed in %s", str, SSL_state_string_long(s)); else if (ret < 0) { syslog(LOG_DEBUG, "%s:error in %s", str, SSL_state_string_long(s)); } } }
static void SSLInfoCallback(const SSL *s, int where, int ret) { #else static void SSLInfoCallback(SSL *s, int where, int ret) { #endif if(where & SSL_CB_LOOP) printf("SSL state (%s): %s\r\n", where & SSL_ST_CONNECT ? "connect" : where & SSL_ST_ACCEPT ? "accept" : "undefined", SSL_state_string_long(s)); else if(where & SSL_CB_ALERT) printf("SSL alert (%s): %s: %s\r\n", where & SSL_CB_READ ? "read" : "write", SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); else if(where==SSL_CB_HANDSHAKE_DONE) print_stats(); else if (where & SSL_CB_EXIT) { if (ret == 0) printf("%failed in %s\r\n", SSL_state_string_long(s)); } } #endif /*DEBUG_SSL*/ static void CDECL LockSSL(int iMode, int iType, const char* pszFileName, int iLine) { if(iMode & CRYPTO_LOCK) { #ifdef _WIN32 EnterCriticalSection(&lock); #else pthread_mutex_lock(&lock); #endif } else { if(iMode & CRYPTO_UNLOCK) { #ifdef _WIN32 LeaveCriticalSection(&lock); #else pthread_mutex_unlock(&lock); #endif } } } SSL_CTX* SSLMakeCtx(const SSLOptions& sslOpt, int iServer) { SSL_CTX* pSSLCtx; if(iServer) { pSSLCtx = SSL_CTX_new(SSLv23_server_method()); } else { pSSLCtx = SSL_CTX_new(SSLv23_client_method()); } if(!pSSLCtx) { SysLogMessage(LOG_LEV_ERROR, "Cannot create SSL context, ssl support is disabled\r\n"); return (NULL); } int iSSLOpt = SSL_OP_ALL; #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS iSSLOpt |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; #endif SSL_CTX_set_options(pSSLCtx, iSSLOpt); #if SSLEAY_VERSION_NUMBER >= 0x00906000L SSL_CTX_set_mode(pSSLCtx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); #endif /* OpenSSL-0.9.6 */ /* SSL_CTX_set_session_cache_mode(pSSLCtx, SSL_SESS_CACHE_OFF); */ SSL_CTX_set_session_cache_mode(pSSLCtx, SSL_SESS_CACHE_BOTH); SSL_CTX_sess_set_cache_size(pSSLCtx, 128); if(!sslOpt.pszCertFile) { SysLogMessage(LOG_LEV_ERROR, "Certificate file not found, ssl support is disabled\r\n"); SSL_CTX_free(pSSLCtx); return (NULL); } if(!SSL_CTX_use_certificate_chain_file(pSSLCtx, sslOpt.pszCertFile)) { SysLogMessage(LOG_LEV_ERROR, "Error reading certificate file: %s, ssl support is disabled\r\n", sslOpt.pszCertFile); SSL_CTX_free(pSSLCtx); return (NULL); } SSL_CTX_use_RSAPrivateKey_file(pSSLCtx, sslOpt.pszCertFile, SSL_FILETYPE_PEM); if(!SSL_CTX_check_private_key(pSSLCtx)) { SysLogMessage(LOG_LEV_ERROR, "Private key does not match the certificate, ssl support is disabled\r\n"); SSL_CTX_free(pSSLCtx); return (NULL); } #ifdef DEBUG_SSL SSL_CTX_set_info_callback(pSSLCtx, SSLInfoCallback); #endif if(!SSL_CTX_set_cipher_list(pSSLCtx, SSL_DEFAULT_CIPHER_LIST)) { SysLogMessage(LOG_LEV_ERROR, "Cannot set ciphers: %s, ssl support is disabled\r\n", SSL_DEFAULT_CIPHER_LIST); SSL_CTX_free(pSSLCtx); return (NULL); } return (pSSLCtx); }
NOEXPORT void info_callback(const SSL *ssl, int where, int ret) { CLI *c; SSL_CTX *ctx; const char *state_string; c=SSL_get_ex_data((SSL *)ssl, index_cli); if(c) { int state=SSL_get_state((SSL *)ssl); #if 0 s_log(LOG_DEBUG, "state = %x", state); #endif /* log the client certificate request (if received) */ #ifndef SSL3_ST_CR_CERT_REQ_A if(state==TLS_ST_CR_CERT_REQ) #else if(state==SSL3_ST_CR_CERT_REQ_A) #endif print_client_CA_list(SSL_get_client_CA_list(ssl)); #ifndef SSL3_ST_CR_SRVR_DONE_A if(state==TLS_ST_CR_SRVR_DONE) #else if(state==SSL3_ST_CR_SRVR_DONE_A) #endif if(!SSL_get_client_CA_list(ssl)) s_log(LOG_INFO, "Client certificate not requested"); /* prevent renegotiation DoS attack */ if((where&SSL_CB_HANDSHAKE_DONE) && c->reneg_state==RENEG_INIT) { /* first (initial) handshake was completed, remember this, * so that further renegotiation attempts can be detected */ c->reneg_state=RENEG_ESTABLISHED; } else if((where&SSL_CB_ACCEPT_LOOP) && c->reneg_state==RENEG_ESTABLISHED) { #ifndef SSL3_ST_SR_CLNT_HELLO_A if(state==TLS_ST_SR_CLNT_HELLO || state==TLS_ST_SR_CLNT_HELLO) { #else if(state==SSL3_ST_SR_CLNT_HELLO_A || state==SSL23_ST_SR_CLNT_HELLO_A) { #endif /* client hello received after initial handshake, * this means renegotiation -> mark it */ c->reneg_state=RENEG_DETECTED; } } if(c->opt->log_level<LOG_DEBUG) /* performance optimization */ return; } if(where & SSL_CB_LOOP) { state_string=SSL_state_string_long(ssl); if(strcmp(state_string, "unknown state")) s_log(LOG_DEBUG, "SSL state (%s): %s", where & SSL_ST_CONNECT ? "connect" : where & SSL_ST_ACCEPT ? "accept" : "undefined", state_string); } else if(where & SSL_CB_ALERT) { s_log(LOG_DEBUG, "SSL alert (%s): %s: %s", where & SSL_CB_READ ? "read" : "write", SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if(where==SSL_CB_HANDSHAKE_DONE) { ctx=SSL_get_SSL_CTX((SSL *)ssl); if(c->opt->option.client) { s_log(LOG_DEBUG, "%6ld client connect(s) requested", SSL_CTX_sess_connect(ctx)); s_log(LOG_DEBUG, "%6ld client connect(s) succeeded", SSL_CTX_sess_connect_good(ctx)); s_log(LOG_DEBUG, "%6ld client renegotiation(s) requested", SSL_CTX_sess_connect_renegotiate(ctx)); } else { s_log(LOG_DEBUG, "%6ld server accept(s) requested", SSL_CTX_sess_accept(ctx)); s_log(LOG_DEBUG, "%6ld server accept(s) succeeded", SSL_CTX_sess_accept_good(ctx)); s_log(LOG_DEBUG, "%6ld server renegotiation(s) requested", SSL_CTX_sess_accept_renegotiate(ctx)); } /* according to the source it not only includes internal and external session caches, but also session tickets */ s_log(LOG_DEBUG, "%6ld session reuse(s)", SSL_CTX_sess_hits(ctx)); if(!c->opt->option.client) { /* server session cache stats */ s_log(LOG_DEBUG, "%6ld internal session cache item(s)", SSL_CTX_sess_number(ctx)); s_log(LOG_DEBUG, "%6ld internal session cache fill-up(s)", SSL_CTX_sess_cache_full(ctx)); s_log(LOG_DEBUG, "%6ld internal session cache miss(es)", SSL_CTX_sess_misses(ctx)); s_log(LOG_DEBUG, "%6ld external session cache hit(s)", SSL_CTX_sess_cb_hits(ctx)); s_log(LOG_DEBUG, "%6ld expired session(s) retrieved", SSL_CTX_sess_timeouts(ctx)); } } } /**************************************** SSL error reporting */ void sslerror(char *txt) { /* OpenSSL error handler */ unsigned long err; err=ERR_get_error(); if(err) { sslerror_queue(); sslerror_log(err, txt); } else { s_log(LOG_ERR, "%s: Peer suddenly disconnected", txt); } }
/** Record session state changes * * Called by OpenSSL whenever the session state changes, an alert is received or an error occurs. * * @param[in] ssl session. * @param[in] where Which context the callback is being called in. * See https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_info_callback.html * for additional info. * @param[in] ret 0 if an error occurred, or the alert type if an alert was received. */ void tls_session_info_cb(SSL const *ssl, int where, int ret) { char const *role, *state; REQUEST *request = SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_REQUEST); if ((where & ~SSL_ST_MASK) & SSL_ST_CONNECT) { role = "Client "; } else if (((where & ~SSL_ST_MASK)) & SSL_ST_ACCEPT) { role = "Server "; } else { role = ""; } state = SSL_state_string_long(ssl); state = state ? state : "<INVALID>"; if ((where & SSL_CB_LOOP) || (where & SSL_CB_HANDSHAKE_START) || (where & SSL_CB_HANDSHAKE_DONE)) { if (RDEBUG_ENABLED3) { char const *abbrv = SSL_state_string(ssl); size_t len; /* * Trim crappy OpenSSL state strings... */ len = strlen(abbrv); if ((len > 1) && (abbrv[len - 1] == ' ')) len--; RDEBUG3("Handshake state [%.*s] - %s%s", (int)len, abbrv, role, state); } else { RDEBUG2("Handshake state - %s%s", role, state); } return; } if (where & SSL_CB_ALERT) { if ((ret & 0xff) == SSL_AD_CLOSE_NOTIFY) return; if (where & SSL_CB_READ) { VALUE_PAIR *vp; REDEBUG("Client sent %s TLS alert: %s", SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); /* * Offer helpful advice... Should be expanded. */ switch (ret & 0xff) { case TLS1_AD_UNKNOWN_CA: REDEBUG("Verify client has copy of CA certificate, and trusts CA"); break; default: break; } MEM(pair_update_request(&vp, attr_tls_client_error_code) >= 0); vp->vp_uint8 = ret & 0xff; RDEBUG2("&TLS-Client-Error-Code := %pV", &vp->data); } else { REDEBUG("Sending client %s TLS alert: %s %i", SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret), ret & 0xff); } return; } if (where & SSL_CB_EXIT) { if (ret == 0) { REDEBUG("Handshake exit state %s%s", role, state); return; } if (ret < 0) { if (SSL_want_read(ssl)) { RDEBUG2("Need more data from client"); /* State same as previous call, don't print */ return; } REDEBUG("Handshake exit state %s%s", role, state); } } }
void Tls_openssl_info_callback(const SSL *s, int where, int ret) { const char *str; int w; w=where& ~SSL_ST_MASK; if (w & SSL_ST_CONNECT) str="Handshake"; else if (w & SSL_ST_ACCEPT) str="SSL_accept"; else str="undefined"; if (where & SSL_CB_LOOP) { DEBUG_LOG_PRINT_LEV2(("TlsDebug : %s:%s\n",str,SSL_state_string_long(s))); } if (where & SSL_CB_ALERT) { str=(where & SSL_CB_READ)?"read":"write"; DEBUG_LOG_PRINT_LEV2(("TlsDebug : SSLv3 alert %s:%s:%s\n",\ str,\ SSL_alert_type_string_long(ret),\ SSL_alert_desc_string_long(ret))); } if (where & SSL_CB_EXIT) { if (ret == 0) { DEBUG_LOG_PRINT_LEV2(("TlsDebug : %s:failed in %s\n",\ str,SSL_state_string_long(s))); } else if (ret < 0) { int ret1 = SSL_get_error(s,ret); switch(ret1) { case SSL_ERROR_WANT_READ: DEBUG_LOG_PRINT_LEV2(("TlsDebug : %s:incomplete : %s\n",\ str,SSL_state_string_long(s))); break; case SSL_ERROR_WANT_WRITE: DEBUG_LOG_PRINT_LEV2(("TlsDebug : %s:incomplete : %s\n",\ str,SSL_state_string_long(s))); break; default: DEBUG_LOG_PRINT_LEV2(("TlsDebug : %s:error in %s\n",\ str,SSL_state_string_long(s))); if (w & SSL_ST_CONNECT) DEBUG_LOG_PRINT_LEV2(("TlsDebug : %s:Done",str)); } } } if( where & SSL_CB_HANDSHAKE_START) { DEBUG_LOG_PRINT_LEV2(("TlsDebug : Handshake:Start")); } if( where & SSL_CB_HANDSHAKE_DONE ) { DEBUG_LOG_PRINT_LEV2(("TlsDebug : Handshake:Done")); } }
NOEXPORT void info_callback(const SSL *ssl, int where, int ret) { CLI *c; SSL_CTX *ctx; c=SSL_get_ex_data((SSL *)ssl, index_cli); if(c) { if((where&SSL_CB_HANDSHAKE_DONE) && c->reneg_state==RENEG_INIT) { /* first (initial) handshake was completed, remember this, * so that further renegotiation attempts can be detected */ c->reneg_state=RENEG_ESTABLISHED; } else if((where&SSL_CB_ACCEPT_LOOP) && c->reneg_state==RENEG_ESTABLISHED) { int state=SSL_get_state((SSL *)ssl); if(state==SSL3_ST_SR_CLNT_HELLO_A || state==SSL23_ST_SR_CLNT_HELLO_A) { /* client hello received after initial handshake, * this means renegotiation -> mark it */ c->reneg_state=RENEG_DETECTED; } } if(c->opt->log_level<LOG_DEBUG) return; /* performance optimization */ } if(where & SSL_CB_LOOP) { s_log(LOG_DEBUG, "SSL state (%s): %s", where & SSL_ST_CONNECT ? "connect" : where & SSL_ST_ACCEPT ? "accept" : "undefined", SSL_state_string_long(ssl)); } else if(where & SSL_CB_ALERT) { s_log(LOG_DEBUG, "SSL alert (%s): %s: %s", where & SSL_CB_READ ? "read" : "write", SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if(where==SSL_CB_HANDSHAKE_DONE) { ctx=SSL_get_SSL_CTX((SSL *)ssl); if(c->opt->option.client) { s_log(LOG_DEBUG, "%4ld client connect(s) requested", SSL_CTX_sess_connect(ctx)); s_log(LOG_DEBUG, "%4ld client connect(s) succeeded", SSL_CTX_sess_connect_good(ctx)); s_log(LOG_DEBUG, "%4ld client renegotiation(s) requested", SSL_CTX_sess_connect_renegotiate(ctx)); } else { s_log(LOG_DEBUG, "%4ld server accept(s) requested", SSL_CTX_sess_accept(ctx)); s_log(LOG_DEBUG, "%4ld server accept(s) succeeded", SSL_CTX_sess_accept_good(ctx)); s_log(LOG_DEBUG, "%4ld server renegotiation(s) requested", SSL_CTX_sess_accept_renegotiate(ctx)); } /* according to the source it not only includes internal and external session caches, but also session tickets */ s_log(LOG_DEBUG, "%4ld session reuse(s)", SSL_CTX_sess_hits(ctx)); if(!c->opt->option.client) { /* server session cache stats */ s_log(LOG_DEBUG, "%4ld internal session cache item(s)", SSL_CTX_sess_number(ctx)); s_log(LOG_DEBUG, "%4ld internal session cache fill-up(s)", SSL_CTX_sess_cache_full(ctx)); s_log(LOG_DEBUG, "%4ld internal session cache miss(es)", SSL_CTX_sess_misses(ctx)); s_log(LOG_DEBUG, "%4ld external session cache hit(s)", SSL_CTX_sess_cb_hits(ctx)); s_log(LOG_DEBUG, "%4ld expired session(s) retrieved", SSL_CTX_sess_timeouts(ctx)); } } }
NOEXPORT void info_callback( #if OPENSSL_VERSION_NUMBER>=0x0090700fL const #endif SSL *ssl, int where, int ret) { CLI *c; c=SSL_get_ex_data(ssl, cli_index); if(c) { if((where&SSL_CB_HANDSHAKE_DONE) && c->reneg_state==RENEG_INIT) { /* first (initial) handshake was completed, remember this, * so that further renegotiation attempts can be detected */ c->reneg_state=RENEG_ESTABLISHED; } else if((where&SSL_CB_ACCEPT_LOOP) && c->reneg_state==RENEG_ESTABLISHED) { int state=SSL_get_state(ssl); if(state==SSL3_ST_SR_CLNT_HELLO_A || state==SSL23_ST_SR_CLNT_HELLO_A) { /* client hello received after initial handshake, * this means renegotiation -> mark it */ c->reneg_state=RENEG_DETECTED; } } } if(global_options.debug_level<LOG_DEBUG) return; /* performance optimization */ if(where & SSL_CB_LOOP) { s_log(LOG_DEBUG, "SSL state (%s): %s", where & SSL_ST_CONNECT ? "connect" : where & SSL_ST_ACCEPT ? "accept" : "undefined", SSL_state_string_long(ssl)); } else if(where & SSL_CB_ALERT) { s_log(LOG_DEBUG, "SSL alert (%s): %s: %s", where & SSL_CB_READ ? "read" : "write", SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); } else if(where==SSL_CB_HANDSHAKE_DONE) { s_log(LOG_DEBUG, "%4ld items in the session cache", SSL_CTX_sess_number(ssl->ctx)); s_log(LOG_DEBUG, "%4ld client connects (SSL_connect())", SSL_CTX_sess_connect(ssl->ctx)); s_log(LOG_DEBUG, "%4ld client connects that finished", SSL_CTX_sess_connect_good(ssl->ctx)); s_log(LOG_DEBUG, "%4ld client renegotiations requested", SSL_CTX_sess_connect_renegotiate(ssl->ctx)); s_log(LOG_DEBUG, "%4ld server connects (SSL_accept())", SSL_CTX_sess_accept(ssl->ctx)); s_log(LOG_DEBUG, "%4ld server connects that finished", SSL_CTX_sess_accept_good(ssl->ctx)); s_log(LOG_DEBUG, "%4ld server renegotiations requested", SSL_CTX_sess_accept_renegotiate(ssl->ctx)); s_log(LOG_DEBUG, "%4ld session cache hits", SSL_CTX_sess_hits(ssl->ctx)); s_log(LOG_DEBUG, "%4ld external session cache hits", SSL_CTX_sess_cb_hits(ssl->ctx)); s_log(LOG_DEBUG, "%4ld session cache misses", SSL_CTX_sess_misses(ssl->ctx)); s_log(LOG_DEBUG, "%4ld session cache timeouts", SSL_CTX_sess_timeouts(ssl->ctx)); } }
/* Derived from openssl/apps/s_cb.c */ static void tlso_info_cb( const SSL *ssl, int where, int ret ) { int w; char *op; char *state = (char *) SSL_state_string_long( (SSL *)ssl ); w = where & ~SSL_ST_MASK; if ( w & SSL_ST_CONNECT ) { op = "SSL_connect"; } else if ( w & SSL_ST_ACCEPT ) { op = "SSL_accept"; } else { op = "undefined"; } #ifdef HAVE_EBCDIC if ( state ) { state = LDAP_STRDUP( state ); __etoa( state ); } #endif if ( where & SSL_CB_LOOP ) { Debug( LDAP_DEBUG_TRACE, "TLS trace: %s:%s\n", op, state, 0 ); } else if ( where & SSL_CB_ALERT ) { char *atype = (char *) SSL_alert_type_string_long( ret ); char *adesc = (char *) SSL_alert_desc_string_long( ret ); op = ( where & SSL_CB_READ ) ? "read" : "write"; #ifdef HAVE_EBCDIC if ( atype ) { atype = LDAP_STRDUP( atype ); __etoa( atype ); } if ( adesc ) { adesc = LDAP_STRDUP( adesc ); __etoa( adesc ); } #endif Debug( LDAP_DEBUG_TRACE, "TLS trace: SSL3 alert %s:%s:%s\n", op, atype, adesc ); #ifdef HAVE_EBCDIC if ( atype ) LDAP_FREE( atype ); if ( adesc ) LDAP_FREE( adesc ); #endif } else if ( where & SSL_CB_EXIT ) { if ( ret == 0 ) { Debug( LDAP_DEBUG_TRACE, "TLS trace: %s:failed in %s\n", op, state, 0 ); } else if ( ret < 0 ) { Debug( LDAP_DEBUG_TRACE, "TLS trace: %s:error in %s\n", op, state, 0 ); } } #ifdef HAVE_EBCDIC if ( state ) LDAP_FREE( state ); #endif }