
Source code changes of the file "src/main/tls.c" between
freeradius-server-3.0.22.tar.bz2 and freeradius-server-3.0.23.tar.bz2

About: FreeRADIUS Server Project - a high performance and highly configurable RADIUS server.

tls.c  (freeradius-server-3.0.22.tar.bz2):tls.c  (freeradius-server-3.0.23.tar.bz2)
/* /*
* tls.c * tls.c
* *
* Version: $Id: 9085272c769a530dcedd83f1dc72c6f728b0dc20 $ * Version: $Id: e032c408e0c1d3911ccaad7b81ceffce9fc82d4c $
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or * the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* This program is distributed in the hope that it will be useful, * This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details. * GNU General Public License for more details.
* *
* You should have received a copy of the GNU General Public License * You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software * along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
* *
* Copyright 2001 hereUare Communications, Inc. <raghud@hereuare.com> * Copyright 2001 hereUare Communications, Inc. <raghud@hereuare.com>
* Copyright 2003 Alan DeKok <aland@freeradius.org> * Copyright 2003 Alan DeKok <aland@freeradius.org>
* Copyright 2006 The FreeRADIUS server project * Copyright 2006 The FreeRADIUS server project
*/ */
RCSID("$Id: 9085272c769a530dcedd83f1dc72c6f728b0dc20 $") RCSID("$Id: e032c408e0c1d3911ccaad7b81ceffce9fc82d4c $")
USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
#include <freeradius-devel/radiusd.h> #include <freeradius-devel/radiusd.h>
#include <freeradius-devel/process.h> #include <freeradius-devel/process.h>
#include <freeradius-devel/modules.h> #include <freeradius-devel/modules.h>
#include <freeradius-devel/rad_assert.h> #include <freeradius-devel/rad_assert.h>
#ifdef HAVE_SYS_STAT_H #ifdef HAVE_SYS_STAT_H
#include <sys/stat.h> #include <sys/stat.h>
#endif #endif
skipping to change at line 645 skipping to change at line 645
} }
#ifdef TLS1_3_VERSION #ifdef TLS1_3_VERSION
/* /*
* Disallow TLS 1.3 for TTLS, PEAP, and FAST. * Disallow TLS 1.3 for TTLS, PEAP, and FAST.
* *
* We need another magic configuration option to allow * We need another magic configuration option to allow
* it. * it.
*/ */
if (!allow_tls13 && (conf->max_version == TLS1_3_VERSION)) { if (!allow_tls13 && (conf->max_version == TLS1_3_VERSION)) {
WARN("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!");
WARN("!! FORCING MAXIMUM TLS VERSION TO TLS 1.
2 !!");
WARN("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!");
WARN("!! There is no standard for using this EAP method with TLS
1.3");
WARN("!! Please set tls_max_version = \"1.2\"");
WARN("!! FreeRADIUS only supports TLS 1.3 for special builds of w
pa_supplicant and Windows");
WARN("!! This limitation is likely to change in late 2021.");
WARN("!! If you are using this version of FreeRADIUS after 2021,
you will probably need to upgrade");
WARN("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!");
if (SSL_set_max_proto_version(new_tls, TLS1_2_VERSION) == 0) { if (SSL_set_max_proto_version(new_tls, TLS1_2_VERSION) == 0) {
tls_error_log(request, "Failed limiting maximum version t o TLS 1.3"); tls_error_log(request, "Failed limiting maximum version t o TLS 1.2");
return NULL; return NULL;
} }
} }
#endif #endif
/* We use the SSL's "app_data" to indicate a call-back */ /* We use the SSL's "app_data" to indicate a call-back */
SSL_set_app_data(new_tls, NULL); SSL_set_app_data(new_tls, NULL);
if ((state = talloc_zero(ctx, tls_session_t)) == NULL) { if ((state = talloc_zero(ctx, tls_session_t)) == NULL) {
RERROR("Error allocating memory for SSL state"); RERROR("Error allocating memory for SSL state");
skipping to change at line 1060 skipping to change at line 1070
if (rec->used > 0) memmove(rec->data, rec->data + taken, rec->used); if (rec->used > 0) memmove(rec->data, rec->data + taken, rec->used);
return taken; return taken;
} }
void tls_session_information(tls_session_t *tls_session) void tls_session_information(tls_session_t *tls_session)
{ {
char const *str_write_p, *str_version, *str_content_type = ""; char const *str_write_p, *str_version, *str_content_type = "";
char const *str_details1 = "", *str_details2= ""; char const *str_details1 = "", *str_details2= "";
REQUEST *request; REQUEST *request;
VALUE_PAIR *vp;
char content_type[16], alert_buf[16]; char content_type[16], alert_buf[16];
char buffer[32]; char buffer[32];
/* /*
* Don't print this out in the normal course of * Don't print this out in the normal course of
* operations. * operations.
*/ */
if (rad_debug_lvl == 0) return; if (rad_debug_lvl == 0) return;
/* /*
skipping to change at line 1392 skipping to change at line 1403
} }
} }
} }
snprintf(tls_session->info.info_description, snprintf(tls_session->info.info_description,
sizeof(tls_session->info.info_description), sizeof(tls_session->info.info_description),
"%s %s%s%s%s\n", "%s %s%s%s%s\n",
str_write_p, str_version, str_content_type, str_write_p, str_version, str_content_type,
str_details1, str_details2); str_details1, str_details2);
/*
* Cache the TLS session information in the session-state
* list, so it can be accessed by Post-Auth-Type
* Client-Lost { ... }
*/
vp = fr_pair_afrom_num(request->state_ctx, PW_TLS_SESSION_INFORMATION, 0)
;
if (vp) {
fr_pair_value_strcpy(vp, tls_session->info.info_description);
fr_pair_add(&request->state, vp);
}
RDEBUG2("%s", tls_session->info.info_description); RDEBUG2("%s", tls_session->info.info_description);
} }
static CONF_PARSER cache_config[] = { static CONF_PARSER cache_config[] = {
{ "enable", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, session _cache_enable), "no" }, { "enable", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, session _cache_enable), "no" },
{ "lifetime", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, sessi on_lifetime), "24" }, { "lifetime", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, sessi on_lifetime), "24" },
{ "name", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, session_id _name), NULL }, { "name", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, session_id _name), NULL },
{ "max_entries", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, se ssion_cache_size), "255" }, { "max_entries", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, se ssion_cache_size), "255" },
skipping to change at line 3754 skipping to change at line 3776
if (!max_version) { if (!max_version) {
ERROR("Invalid value for tls_max_version '%s'", conf->tls _max_version); ERROR("Invalid value for tls_max_version '%s'", conf->tls _max_version);
return NULL; return NULL;
} }
} else { } else {
/* /*
* Pick the maximum version available at compile * Pick the maximum version available at compile
* time. * time.
*/ */
#if defined(TLS1_3_VERSION) #if defined(TLS1_3_VERSION)
max_version = TLS1_3_VERSION; max_version = TLS1_2_VERSION; /* yes, we only use TLS 1.3 if it's EXPLICITELY ENABLED */
#elif defined(TLS1_2_VERSION) #elif defined(TLS1_2_VERSION)
max_version = TLS1_2_VERSION; max_version = TLS1_2_VERSION;
#elif defined(TLS1_1_VERSION) #elif defined(TLS1_1_VERSION)
max_version = TLS1_1_VERSION; max_version = TLS1_1_VERSION;
#else #else
max_version = TLS1_VERSION; max_version = TLS1_VERSION;
#endif #endif
} }
/* /*
skipping to change at line 3896 skipping to change at line 3918
if (min_version > TLS1_2_VERSION) ctx_options |= SSL_OP_NO_TLSv1_2; if (min_version > TLS1_2_VERSION) ctx_options |= SSL_OP_NO_TLSv1_2;
if (max_version < TLS1_2_VERSION) ctx_options |= SSL_OP_NO_TLSv1_2; if (max_version < TLS1_2_VERSION) ctx_options |= SSL_OP_NO_TLSv1_2;
#endif #endif
#ifdef SSL_OP_NO_TLSv1_3 #ifdef SSL_OP_NO_TLSv1_3
ctx_available |= SSL_OP_NO_TLSv1_3; ctx_available |= SSL_OP_NO_TLSv1_3;
if (min_version > TLS1_3_VERSION) ctx_options |= SSL_OP_NO_TLSv1_3; if (min_version > TLS1_3_VERSION) ctx_options |= SSL_OP_NO_TLSv1_3;
if (max_version < TLS1_3_VERSION) ctx_options |= SSL_OP_NO_TLSv1_3; if (max_version < TLS1_3_VERSION) ctx_options |= SSL_OP_NO_TLSv1_3;
#endif #endif
/*
* Tell OpenSSL PRETTY PLEASE MAY WE USE TLS 1.1.
*
* Because saying "use TLS 1.1" isn't enough. We have to
* send it flowers and cake.
*/
if ((min_version <= TLS1_1_VERSION) &&
!strstr(conf->cipher_list, "DEFAULT@SECLEVEL=1")) {
WARN(LOG_PREFIX ": In order to use TLS 1.0 and/or TLS 1.1, you li
kely need to set: cipher_list = \"DEFAULT@SECLEVEL=1\"");
}
#if OPENSSL_VERSION_NUMBER >= 0x10100000L #if OPENSSL_VERSION_NUMBER >= 0x10100000L
if (conf->disable_tlsv1) { if (conf->disable_tlsv1) {
WARN(LOG_PREFIX ": Please use 'tls_min_version' and 'tls_max_vers ion' instead of 'disable_tlsv1'"); WARN(LOG_PREFIX ": Please use 'tls_min_version' and 'tls_max_vers ion' instead of 'disable_tlsv1'");
} }
if (conf->disable_tlsv1_1) { if (conf->disable_tlsv1_1) {
WARN(LOG_PREFIX ": Please use 'tls_min_version' and 'tls_max_vers ion' instead of 'disable_tlsv1_1'"); WARN(LOG_PREFIX ": Please use 'tls_min_version' and 'tls_max_vers ion' instead of 'disable_tlsv1_1'");
} }
if (conf->disable_tlsv1_2) { if (conf->disable_tlsv1_2) {
WARN(LOG_PREFIX ": Please use 'tls_min_version' and 'tls_max_vers ion' instead of 'disable_tlsv1_2'"); WARN(LOG_PREFIX ": Please use 'tls_min_version' and 'tls_max_vers ion' instead of 'disable_tlsv1_2'");
} }
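Review bot: The new TLS 1.0/1.1 advisory passes `conf->cipher_list` straight into `strstr()` at the `if ((min_version <= TLS1_1_VERSION) && !strstr(conf->cipher_list, "DEFAULT@SECLEVEL=1"))` check; if `cipher_list` may be left unset in the configuration (its default is not visible in this diff), that is a NULL dereference during context initialisation, i.e. a startup crash for any configuration that permits TLS 1.0/1.1 without naming a cipher list. Guard the pointer before the substring test: `if ((min_version <= TLS1_1_VERSION) && (!conf->cipher_list || !strstr(conf->cipher_list, "DEFAULT@SECLEVEL=1")))`. The substring match is only a heuristic — a cipher list that sets the security level in another form still triggers the warning — which is fine for a log message but worth stating in the comment above it, e.g. `/* Heuristic only: we just look for the usual SECLEVEL=1 spelling. */`. The enclosing function starts and ends outside the hunk.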
 End of changes. 8 change blocks. 
4 lines changed or deleted 46 lines changed or added
