#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <netdb.h>
#include <fcntl.h>
#include <signal.h>
#include <ctype.h>
#include <sys/time.h>
#include <arpa/inet.h>
#include <freeradius-devel/radiusd.h>
#include <freeradius-devel/tls.h>
#include "eap.h"
Data Structures | |
struct | tls_data_t |
Macros | |
#define | BUFFER_SIZE 1024 |
#define | TLS_HEADER_LEN 4 |
Typedefs | |
typedef struct tls_data_t | eap_tls_data_t |
typedef enum tls_op | tls_op_t |
Enumerations | |
enum | tls_op { EAP_TLS_START = 1, EAP_TLS_ACK = 2, EAP_TLS_SUCCESS = 3, EAP_TLS_FAIL = 4, EAP_TLS_ALERT = 9 } |
Functions | |
fr_tls_server_conf_t * | eap_tls_conf_parse (CONF_SECTION *cs, char const *key) |
Parse TLS configuration. More... | |
int | eap_tls_fail (eap_session_t *eap_session) CC_HINT(nonnull) |
Send an EAP-TLS failure. More... | |
void | eap_tls_gen_eap_key (RADIUS_PACKET *packet, SSL *s, uint32_t header) |
void | eap_tls_gen_mppe_keys (REQUEST *request, SSL *s, char const *prf_label) |
Generate keys according to RFC 2716 and add to the reply. More... | |
USES_APPLE_DEPRECATED_API fr_tls_status_t | eap_tls_process (eap_session_t *eap_session) |
Process an EAP TLS request. More... | |
int | eap_tls_request (eap_session_t *eap_session) CC_HINT(nonnull) |
Frames the OpenSSL data that needs to be sent to the client in an EAP-Request. More... | |
tls_session_t * | eap_tls_session_init (eap_session_t *eap_session, fr_tls_server_conf_t *tls_conf, bool client_cert) |
Create a new tls_session_t associated with an eap_session_t. More... | |
int | eap_tls_start (eap_session_t *eap_session) CC_HINT(nonnull) |
Send an initial EAP-TLS request to the peer. More... | |
int | eap_tls_success (eap_session_t *eap_session) CC_HINT(nonnull) |
Send an EAP-TLS success. More... | |
void | eap_ttls_gen_challenge (SSL *s, uint8_t *buffer, size_t size) |
struct tls_data_t |
typedef struct tls_data_t eap_tls_data_t |
enum tls_op |
fr_tls_server_conf_t* eap_tls_conf_parse | ( | CONF_SECTION * | cs, |
char const * | attr | ||
) |
Parse TLS configuration.
If the option named by 'attr' is set, the configuration section of that name is located and used for the TLS configuration. If it is not set, the function falls back to compatibility mode and reads the TLS options from the 'tls' section.
cs | to derive the configuration from. |
attr | identifier for common TLS configuration. |
Definition at line 891 of file eap_tls.c.
int eap_tls_fail | ( | eap_session_t * | eap_session | ) |
Send an EAP-TLS failure.
Composes an EAP-TLS-Failure. This is a message with code FR_TLS_FAILURE. It carries no cryptographic material and is not cryptographically protected, so the peer has no way to verify its authenticity.
In addition to sending the failure, this destroys any cached session data, so the failed session cannot later be resumed.
eap_session | that failed. |
Definition at line 254 of file eap_tls.c.
void eap_tls_gen_eap_key | ( | RADIUS_PACKET * | packet, |
SSL * | s, | ||
uint32_t | header | ||
) |
Definition at line 188 of file mppe_keys.c.
void eap_tls_gen_mppe_keys | ( | REQUEST * | request, |
SSL * | s, | ||
char const * | prf_label | ||
) |
Generate keys according to RFC 2716 and add to the reply.
Definition at line 108 of file mppe_keys.c.
USES_APPLE_DEPRECATED_API fr_tls_status_t eap_tls_process | ( | eap_session_t * | eap_session | ) |
Process an EAP TLS request.
Here we implement a basic state machine. The state machine is implicit: it is driven by the state of the TLS session and by the flags carried in the incoming EAP-TLS packet. INCOMING DATA:
During EAP-TLS initialisation the TLS context object is initialised and stored. For every new authentication request, TLS opens a new session object; that session object SHOULD be retained even after the authentication completes, so that session resumption is possible.
eap_session | to continue. |
Definition at line 708 of file eap_tls.c.
int eap_tls_request | ( | eap_session_t * | eap_session | ) |
Frames the OpenSSL data that needs to be sent to the client in an EAP-Request.
A single TLS record may be up to 16384 octets in length, but a TLS message may span multiple TLS records, and a TLS certificate message may, theoretically, be as long as 16 MB.
In EAP-TLS with no inner method, this is used primarily to send our certificate chain to the peer.
In other methods this function is also called to package up application data for the inner tunnel method.
The tls_session->length_included flag determines whether we include the extra four-byte length field in the request and set the L flag.
If present, the tls_length field indicates the total length of the reassembled TLS record (i.e. the sum of all fragments).
If tls_session->length_included is set, we include the L flag and the tls_length field in EVERY packet we send out.
If tls_session->length_included is not set, we include the L flag and the tls_length field ONLY in the first packet of a fragment series; it is not used anywhere else.
eap_session | that's continuing. |
Definition at line 299 of file eap_tls.c.
tls_session_t* eap_tls_session_init | ( | eap_session_t * | eap_session, |
fr_tls_server_conf_t * | tls_conf, | ||
bool | client_cert | ||
) |
Create a new tls_session_t associated with an eap_session_t.
Creates a new server tls_session_t and associates it with an eap_session_t adding EAP specific opaque data to the SSL session created during tls_session_t initialisation.
eap_session | to use as a context for the tls_session_t |
tls_conf | to use to configure the tls_session_t. |
client_cert | Whether we require the peer to present a client certificate. |
Definition at line 844 of file eap_tls.c.
int eap_tls_start | ( | eap_session_t * | eap_session | ) |
Send an initial EAP-TLS request to the peer.
Once it has received the peer's Identity, the EAP server MUST respond with an EAP-TLS/Start packet, which is an EAP-Request packet with EAP-Type = EAP-TLS, the Start (S) bit set, and no data.
The EAP-TLS conversation will then begin, with the peer sending an EAP-Response packet with EAP-Type = EAP-TLS. The data field of that packet will be the TLS data.
The S flag is set only within the EAP-TLS start message sent from the EAP server to the peer.
Fragment length is Framed-MTU - 4.
eap_session | to initiate. |
Definition at line 192 of file eap_tls.c.
int eap_tls_success | ( | eap_session_t * | eap_session | ) |
Send an EAP-TLS success.
Composes an EAP-TLS-Success. This is a message with code FR_TLS_SUCCESS. It carries no cryptographic material and is not cryptographically protected, so the peer has no way to verify its authenticity.
The MPPE keys are added to the reply here. They are consumed by the NAS; the supplicant derives the same keys independently.
eap_session | that completed successfully. |
Definition at line 211 of file eap_tls.c.
void eap_ttls_gen_challenge | ( | SSL * | s, |
uint8_t * | buffer, | ||
size_t | size | ||
) |
Definition at line 161 of file mppe_keys.c.