Commit 33c58ae5 authored by Robert Dubner's avatar Robert Dubner

Cleaning up tls.c and tls.h

parent 1388d630
......@@ -824,7 +824,7 @@ encrypt_and_send_response( STATE *state,
}
/* Get the dirty data from BIO to send it */
int err = BIO_read( state->from_ssl,
int err = BIO_read( state->outbound_bio,
state->ciphertext_out.data,
sizeof(state->ciphertext_out.data) );
state->ciphertext_out.used = err;
......@@ -2411,7 +2411,7 @@ process_peap_application_data(STATE *state)
ssl_packet_length
+= volatiles->eap_message->TypeData[index++] << 0;
}
int err = BIO_write(state->into_ssl,
int err = BIO_write(state->inbound_bio,
volatiles->eap_message->TypeData + index,
ssl_packet_length);
if (err != (int) ssl_packet_length)
......@@ -2661,7 +2661,7 @@ process_eap_message_peap_or_ttls( RADIUS_INFO *radius_info,
state->tls_record_in_recvd_len = 0;
// We have an entire TLS message. Send it to BIO_write
int err = BIO_write( state->into_ssl,
int err = BIO_write( state->inbound_bio,
state->ciphertext_in.data,
state->ciphertext_in.used);
if (err != (int) state->ciphertext_in.used)
......@@ -2675,7 +2675,7 @@ process_eap_message_peap_or_ttls( RADIUS_INFO *radius_info,
return FAIL_SILENTLY;
}
// And now that it is in the into_ssl BIO, you can
// And now that it is in the inbound_bio BIO, you can
// do the SSL_read...
static int read_count=0;
read_count += 1;
......@@ -2728,10 +2728,10 @@ process_eap_message_peap_or_ttls( RADIUS_INFO *radius_info,
__func__);
}
err = BIO_ctrl_pending(state->from_ssl);
err = BIO_ctrl_pending(state->outbound_bio);
if (err > 0)
{
err = BIO_read( state->from_ssl,
err = BIO_read( state->outbound_bio,
state->ciphertext_out.data,
sizeof(state->ciphertext_out.data));
if (err > 0)
......@@ -2745,7 +2745,7 @@ process_eap_message_peap_or_ttls( RADIUS_INFO *radius_info,
state->dirty_bytes_sent_so_far = 0;
rc = NO_RESPONSE_NECESSARY;
}
else if (BIO_should_retry(state->from_ssl))
else if (BIO_should_retry(state->outbound_bio))
{
record_init(&state->ciphertext_in);
Debug( LDAP_DEBUG_ANY,
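Review bot: In the encrypt_and_send_response hunk the result of `int err = BIO_read( state->outbound_bio, ...)` is copied straight into `state->ciphertext_out.used` with no check, so a retry or error (BIO_read then returns 0 or a negative value) leaves a zero or negative `used` that whatever follows presumably treats as a byte count. The later hunk in process_eap_message_peap_or_ttls guards the same call with `if (err > 0)` before touching the record, and the first site should match it, e.g. `if (err <= 0) { /* retry or error: nothing to send */ }` ahead of `state->ciphertext_out.used = err;`. The body of encrypt_and_send_response continues outside the hunk, so the exact recovery path should follow that function's existing error convention.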
......
......@@ -1111,7 +1111,6 @@ radiusov_db_open(BackendDB *be, ConfigReply *cr)
Debug( LDAP_DEBUG_ARGS,
"Initializing SSL_CTX\n");
radius_info->conf = ch_calloc( 1, sizeof(SSL_CONFIGURATION) );
tls_global_init();
if( get_configuration_from_file(
radius_info->conf,
radius_info->radius_tls_config_file) )
......
......@@ -29,6 +29,7 @@
#include <ac/string.h>
#include "tls.h"
#include "md4.h"
// The following should be set to zero in production
#define DANGEROUS_TESTING_ENABLED 0
......@@ -96,8 +97,8 @@ typedef struct _STATE
TLS_INFO info;
// These elements are used for sending/receiving TLS data
BIO *into_ssl;
BIO *from_ssl;
BIO *inbound_bio;
BIO *outbound_bio;
SSL_RECORD ciphertext_in; // Data EAP server receives from the client.
SSL_RECORD cleartext_in; // The decrypted ciphertext_in
......@@ -120,7 +121,8 @@ typedef struct _STATE
// Because a pointer to the state is passed to so many routines, including
// the volatiles in the STATE eliminates a bunch of typing and can avoid
// confusion. But the values *are* volatile, and cannot be expected to
// persist with the rest of the STATE information.
// persist with the rest of the STATE information as incoming packets are
// handled and the STATE is recovered from the linked list
STATE_VOLATILES *volatiles;
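Review bot: `#define DANGEROUS_TESTING_ENABLED 0` depends on the comment above it to stay off in production; a build that flips it to 1 compiles silently. Make an enabled build announce itself so it cannot ship unnoticed, e.g. `#if DANGEROUS_TESTING_ENABLED` / `#warning "DANGEROUS_TESTING_ENABLED is set: test build only"` / `#endif` directly under the define, or move the knob into the build system where it is visible. The renamed fields would also benefit from a direction in the comment, since `// These elements are used for sending/receiving TLS data` does not say which is which: from the `SSL_set_bio(state->ssl, state->inbound_bio, state->outbound_bio)` call in tls_new_session, `inbound_bio` is the read BIO the SSL object takes peer ciphertext from and `outbound_bio` the write BIO it deposits ciphertext into for sending.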
......
......@@ -337,20 +337,6 @@ init_x509_store(SSL_CONFIGURATION *conf)
return store;
}
/** Add default ciphers and message digests
*
* This should be called exactly once from main, before reading the main config
* or initialising any modules.
*/
int
tls_global_init()
{
DENTER;
SSL_library_init(); /* initialize library */
return 0;
}
static int
verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
......@@ -505,16 +491,11 @@ passphrase_callback(char *buf, int size, int rwflag, void *passphrase)
return strlen(buf);
}
/** Create SSL context
*
* - Load the trusted CAs
* - Load the Private key & the certificate
* - Set the Context options & Verify options
*/
SSL_CTX *
tls_init_ctx(SSL_CONFIGURATION *conf)
{
// Create the SSL_CTX context that will be used for creating all SSL
// objects.
DENTER;
SSL_CTX *ctx;
X509_STORE *certstore;
......@@ -522,7 +503,7 @@ tls_init_ctx(SSL_CONFIGURATION *conf)
int type;
// load & register all cryptos, etc.
SSL_library_init();
// SSL_library_init();
// create new server context
if( conf->is_server )
......@@ -691,10 +672,6 @@ tls_init_ctx(SSL_CONFIGURATION *conf)
}
}
// Load our keys and certificates
/*
* Load the CAs we trust and configure CRL checks if needed
*/
......@@ -875,7 +852,6 @@ tls_session_information(STATE *tls_session)
{
char const *str_write_p, *str_version, *str_content_type = "";
char const *str_details1 = "", *str_details2= "";
STATE *request;
char content_type[16], alert_buf[16];
char buffer[32];
......@@ -897,9 +873,6 @@ tls_session_information(STATE *tls_session)
return;
}
request = SSL_get_ex_data(tls_session->ssl, TLS_EX_INDEX_REQUEST);
if (!request) return;
str_write_p = tls_session->info.origin ? "(TLS) send" : "(TLS) recv";
switch (tls_session->info.version)
......@@ -1357,9 +1330,9 @@ tls_new_session(SSL_CTX *ctx,
* and we can update those BIOs from the packets we've
* received.
*/
state->into_ssl = BIO_new(BIO_s_mem());
state->from_ssl = BIO_new(BIO_s_mem());
SSL_set_bio(state->ssl, state->into_ssl, state->from_ssl);
state->inbound_bio = BIO_new(BIO_s_mem());
state->outbound_bio = BIO_new(BIO_s_mem());
SSL_set_bio(state->ssl, state->inbound_bio, state->outbound_bio);
/*
* Add the message callback to identify what type of
......@@ -1373,8 +1346,6 @@ tls_new_session(SSL_CTX *ctx,
SSL_set_accept_state(state->ssl);
SSL_set_ex_data(state->ssl, TLS_EX_INDEX_CONF, (void *)conf);
SSL_set_ex_data(state->ssl, TLS_EX_INDEX_SSN, (void *)state);
SSL_set_ex_data(state->ssl, TLS_EX_INDEX_REQUEST, (void *)state);
state->mtu = conf->fragment_size;
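Review bot: With tls_global_init deleted and the `SSL_library_init();` in tls_init_ctx commented out, nothing in this file initializes the library any more; that is fine on OpenSSL 1.1.0+, where initialization happens automatically on first use, but the commented-out call together with the `// load & register all cryptos, etc.` comment above it now misdescribes what the code does. Replace those two lines with the actual assumption, `// OpenSSL >= 1.1.0 initializes itself on first use; no SSL_library_init() needed.`, and pin it at compile time near the includes with `#if OPENSSL_VERSION_NUMBER < 0x10100000L` / `#error "requires OpenSSL 1.1.0 or later"` / `#endif`, so an older toolchain fails loudly instead of running uninitialized. tls_init_ctx begins before the `@@ -522,7 +503,7 @@` hunk, so check that no other code path there still relies on the call. Since the tls_session_information hunk drops the `TLS_EX_INDEX_REQUEST` lookup and tls_new_session no longer sets it, that index is now unused and can be removed from tls.h in the same cleanup.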
......
......@@ -12,24 +12,19 @@
* <http://www.OpenLDAP.org/license.html>.
*/
#ifndef __TLS_H
#define __TLS_H
#ifndef _h_TLS_H
#define _h_TLS_H
#include <openssl/ssl.h>
#include <openssl/conf.h>
#include "md4.h"
#define TLS_EX_INDEX_CONF (10)
#define TLS_EX_INDEX_CONF (11)
#define TLS_EX_INDEX_REQUEST (12)
#define TLS_EX_INDEX_STORE (14)
#define TLS_EX_INDEX_SSN (15)
#define MAX_RECORD_SIZE 16384
#define MAX_TLS_RECORD_SIZE 16384
typedef struct _SSL_RECORD
{
uint8_t data[MAX_RECORD_SIZE];
uint8_t data[MAX_TLS_RECORD_SIZE];
ssize_t used;
} SSL_RECORD;
......@@ -53,13 +48,6 @@ typedef struct _SSL_CONFIGURATION
SSL_CTX *ctx; // pointer to the SSL_CTX created from us
// Note: The following members are established by get_config_from_file().
// Like so much of openssl coding, many of these were copied from other
// working programs, including freeRADIUS. They may not all be in use in
// this code, but have been included as reminders and placeholders. Keep
// in mind that the code I copied was designed to handle versions of
// OpenSSL prior to Version 1.1.1.
// I am writing for Version 1.1.1, released on 2018-09-11 and listed as
// supported until 2023-11-09.
//
......@@ -80,9 +68,9 @@ typedef struct _SSL_CONFIGURATION
int tls_min_version; // As of 2021-09-17, probably TLS1_2_VERSION
int tls_max_version; // As of 2021-09-17, probably TLS1_3_VERSION
// // or TLS_MAX_VERSION, or zero for "max supported
// // by the library"
int include_length; // Always include the four-byte length in the
// // or TLS_MAX_VERSION, or zero for
// // "max supported by the library"
int include_length; // Always include the 4-byte length in the
// // TLS header
int check_crl; // Bool; check Certificate Revocation List
int check_all_crl; // Likewise
......@@ -104,11 +92,9 @@ typedef struct _SSL_CONFIGURATION
int verify_mode;
int verify_depth;
time_t ca_path_last_reload;
pthread_mutex_t mutex; // For pthread_mutex_lock/unlock
} SSL_CONFIGURATION;
extern int tls_global_init();
extern SSL_CTX *tls_init_ctx(SSL_CONFIGURATION *conf);
int get_configuration_from_file(SSL_CONFIGURATION *conf, const char *filename);
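Review bot: The ex_data slots `TLS_EX_INDEX_CONF`, `_REQUEST`, `_STORE` and `_SSN` are hard-coded integers, and `TLS_EX_INDEX_CONF` silently moves from 10 to 11 here with no comment on why; OpenSSL expects these indices to come from `SSL_get_ex_new_index`, and if anything else in the same process (slapd's own TLS layer, if this is an overlay) allocates indices that way, a fixed value could collide and the two users would overwrite each other's pointers. Allocating them once at startup, e.g. `tls_ex_index_conf = SSL_get_ex_new_index(0, "conf", NULL, NULL, NULL);`, removes the guesswork; `TLS_EX_INDEX_REQUEST` can go entirely, since tls.c in this commit stops both setting and reading it. The new include guard `_h_TLS_H` still begins with an underscore, a namespace conventionally left to the implementation; `RADIUSOV_TLS_H` or `TLS_H` avoids it.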
......