eap_tls.h File Reference
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <netdb.h>
#include <fcntl.h>
#include <signal.h>
#include <ctype.h>
#include <sys/time.h>
#include <arpa/inet.h>
#include <freeradius-devel/radiusd.h>
#include <freeradius-devel/tls.h>
#include "eap.h"

Data Structures

struct  tls_data_t
 

Macros

#define BUFFER_SIZE   1024
 
#define TLS_HEADER_LEN   4
 

Typedefs

typedef struct tls_data_t eap_tls_data_t
 
typedef enum tls_op tls_op_t
 

Enumerations

enum  tls_op {
  EAP_TLS_START = 1,
  EAP_TLS_ACK = 2,
  EAP_TLS_SUCCESS = 3,
  EAP_TLS_FAIL = 4,
  EAP_TLS_ALERT = 9
}
 

Functions

fr_tls_server_conf_t * eap_tls_conf_parse (CONF_SECTION *cs, char const *key)
 Parse TLS configuration.

int eap_tls_fail (eap_session_t *eap_session) CC_HINT(nonnull)
 Send an EAP-TLS failure.

void eap_tls_gen_eap_key (RADIUS_PACKET *packet, SSL *s, uint32_t header)

void eap_tls_gen_mppe_keys (REQUEST *request, SSL *s, char const *prf_label)
 Generate keys according to RFC 2716 and add to the reply.

USES_APPLE_DEPRECATED_API fr_tls_status_t eap_tls_process (eap_session_t *eap_session)
 Process an EAP TLS request.

int eap_tls_request (eap_session_t *eap_session) CC_HINT(nonnull)
 Frames the OpenSSL data that needs to be sent to the client in an EAP-Request.

tls_session_t * eap_tls_session_init (eap_session_t *eap_session, fr_tls_server_conf_t *tls_conf, bool client_cert)
 Create a new tls_session_t associated with an eap_session_t.

int eap_tls_start (eap_session_t *eap_session) CC_HINT(nonnull)
 Send an initial EAP-TLS request to the peer.

int eap_tls_success (eap_session_t *eap_session) CC_HINT(nonnull)
 Send an EAP-TLS success.

void eap_ttls_gen_challenge (SSL *s, uint8_t *buffer, size_t size)


Data Structure Documentation

struct tls_data_t

Definition at line 83 of file eap_tls.h.

Data Fields
uint8_t data[1]
uint8_t flags

Macro Definition Documentation

#define BUFFER_SIZE   1024

Definition at line 71 of file eap_tls.h.

#define TLS_HEADER_LEN   4

Definition at line 81 of file eap_tls.h.

Typedef Documentation

typedef struct tls_data_t eap_tls_data_t
typedef enum tls_op tls_op_t

Enumeration Type Documentation

enum tls_op
Enumerator
EAP_TLS_START 
EAP_TLS_ACK 
EAP_TLS_SUCCESS 
EAP_TLS_FAIL 
EAP_TLS_ALERT 

Definition at line 73 of file eap_tls.h.

Function Documentation

fr_tls_server_conf_t *eap_tls_conf_parse (CONF_SECTION *cs, char const *attr)

Parse TLS configuration.

If the option given by 'attr' is set, we find the config section of that name and use that for the TLS configuration. If not, we fall back to compatibility mode and read the TLS options from the 'tls' section.

Parameters
cs    to derive the configuration from.
attr  identifier for common TLS configuration.
Returns
  • NULL on error.
  • A new fr_tls_server_conf_t on success.

Definition at line 891 of file eap_tls.c.


int eap_tls_fail (eap_session_t *eap_session)

Send an EAP-TLS failure.

Composes an EAP-TLS-Failure. This is a message with code FR_TLS_FAILURE. It contains no cryptographic material, and is not protected.

In addition to sending the failure, will destroy any cached session data.

Parameters
eap_session  that failed.
Returns
  • 0 on success.
  • -1 on failure (to compose a valid packet).

Definition at line 254 of file eap_tls.c.


void eap_tls_gen_eap_key (RADIUS_PACKET *packet, SSL *s, uint32_t header)

Definition at line 188 of file mppe_keys.c.


void eap_tls_gen_mppe_keys (REQUEST *request, SSL *s, char const *prf_label)

Generate keys according to RFC 2716 and add to the reply.

Definition at line 108 of file mppe_keys.c.


USES_APPLE_DEPRECATED_API fr_tls_status_t eap_tls_process (eap_session_t *eap_session)

Process an EAP TLS request.

Here we implement a basic state machine. The state machine is implicit and is driven by the state of the TLS session and the flags sent.

INCOMING DATA:

  1. EAP-TLS should get the complete TLS data from the peer.
  2. Store that data in a data structure with any other required info.
  3. Hand this data structure to the TLS module.
  4. The TLS module will perform its operations on the data and hand it back to EAP-TLS.

OUTGOING DATA:

  1. EAP-TLS, if necessary, will fragment it and send it to the destination.

During EAP-TLS initialization, TLS Context object will be initialised and stored. For every new authentication request, TLS will open a new session object and that session object SHOULD be maintained even after the session is completed, for session resumption.

Parameters
eap_session  to continue.
Returns
  • FR_TLS_SUCCESS
  • FR_TLS_HANDLED

Definition at line 708 of file eap_tls.c.


int eap_tls_request (eap_session_t *eap_session)

Frames the OpenSSL data that needs to be sent to the client in an EAP-Request.

A single TLS record may be up to 16384 octets in length, but a TLS message may span multiple TLS records, and a TLS certificate message may, theoretically, be as long as 16MB.

In EAP-TLS with no inner method, this is used primarily to send our certificate chain to the peer.

In other methods this function is also called to package up application data for the inner tunnel method.

The tls_session->length_included flag determines whether we include the extra four byte length field in the request and set the L flag.

If present, the tls_length field indicates the total length of the reassembled TLS record.

If tls_session->length_included is set, we include the L flag and the tls_length field in EVERY packet we send out.

If !tls_session->length_included, we include the L flag and the tls_length field ONLY in the first packet of a fragment series. We do not use it anywhere else.

Parameters
eap_session  that's continuing.
Returns
  • 0 on success.
  • -1 on failure.

Definition at line 299 of file eap_tls.c.


tls_session_t *eap_tls_session_init (eap_session_t *eap_session, fr_tls_server_conf_t *tls_conf, bool client_cert)

Create a new tls_session_t associated with an eap_session_t.

Creates a new server tls_session_t and associates it with an eap_session_t adding EAP specific opaque data to the SSL session created during tls_session_t initialisation.

Parameters
eap_session  to use as a context for the tls_session_t.
tls_conf     to use to configure the tls_session_t.
client_cert  Whether we require the peer to present a certificate.
Returns
  • A new tls_session on success.
  • NULL on error.

Definition at line 844 of file eap_tls.c.


int eap_tls_start (eap_session_t *eap_session)

Send an initial EAP-TLS request to the peer.

Once having received the peer's Identity, the EAP server MUST respond with an EAP-TLS/Start packet, which is an EAP-Request packet with EAP-Type = EAP-TLS, the Start (S) bit set, and no data.

The EAP-TLS conversation will then begin, with the peer sending an EAP-Response packet with EAP-Type = EAP-TLS. The data field of that packet will be the TLS data.

The S flag is set only within the EAP-TLS start message sent from the EAP server to the peer.

  • len = header + type + tls_typedata
  • tls_typedata = flags(Start (S) bit set, and no data)

Fragment length is Framed-MTU - 4.

Parameters
eap_session  to initiate.
Returns
  • 0 on success.
  • -1 on failure.

Definition at line 192 of file eap_tls.c.
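The framing described above for eap_tls_request() (L flag and tls_length field in every fragment, or only in the first one) and for eap_tls_start() (S bit set, no data), written out as an added example. This is not FreeRADIUS code; it follows the RFC 5216 EAP-TLS packet layout (Code, Identifier, Length, Type 13, Flags with L = 0x80, M = 0x40, S = 0x20, optional 4-octet TLS Message Length). The function names, the constructed record contents and the demo sizes are assumptions made for this example. The fragment loop also re-checks each emitted packet the way a receiver should, so a mismatch between the EAP Length field, the M flag and the remaining data is caught rather than sent.

```c
/* Added example (not FreeRADIUS code): EAP-TLS request framing per RFC 5216 sec. 3.
 * Layout: Code | Identifier | Length(2) | Type (13 = EAP-TLS) | Flags | [TLS Message Length(4)] | data
 * Flags: L (0x80) length included, M (0x40) more fragments, S (0x20) EAP-TLS Start.
 * Function names and demo sizes are assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EAP_CODE_REQUEST 1
#define EAP_TYPE_TLS     13
#define EAP_TLS_FLAG_L   0x80
#define EAP_TLS_FLAG_M   0x40
#define EAP_TLS_FLAG_S   0x20
#define EAP_TLS_MIN_LEN  6      /* code, id, length(2), type, flags */

static void put_eap_header(uint8_t *out, uint8_t id, uint16_t total_len)
{
    out[0] = EAP_CODE_REQUEST;
    out[1] = id;
    out[2] = (uint8_t)(total_len >> 8);
    out[3] = (uint8_t)(total_len & 0xff);
    out[4] = EAP_TYPE_TLS;
}

/* EAP-TLS/Start: an EAP-Request with the S bit set and no data (6 octets).
 * Returns the packet length, or 0 if the output buffer is too small. */
size_t eap_tls_frame_start(uint8_t *out, size_t out_cap, uint8_t id)
{
    if (out_cap < EAP_TLS_MIN_LEN) return 0;
    put_eap_header(out, id, EAP_TLS_MIN_LEN);
    out[5] = EAP_TLS_FLAG_S;
    return EAP_TLS_MIN_LEN;
}

/* Frame the next fragment of `tls` starting at *offset (advanced on success); mtu is the
 * largest EAP packet we may emit. With length_included the L flag and the 4-octet TLS Message
 * Length go into every fragment, otherwise only into the first. M is set while more follow.
 * Returns the packet length, or 0 if nothing is left or the sizes do not fit. */
size_t eap_tls_frame_fragment(uint8_t *out, size_t out_cap, uint8_t id,
                              const uint8_t *tls, size_t tls_len, size_t *offset,
                              size_t mtu, int length_included)
{
    if (*offset >= tls_len || tls_len > UINT32_MAX || mtu > 0xffff) return 0;
    int with_len = length_included || *offset == 0;
    size_t hdr = EAP_TLS_MIN_LEN + (with_len ? 4 : 0);
    if (mtu <= hdr) return 0;                       /* no room for any TLS data */
    size_t chunk = tls_len - *offset;
    if (chunk > mtu - hdr) chunk = mtu - hdr;
    size_t total = hdr + chunk;
    if (out_cap < total) return 0;

    uint8_t flags = with_len ? EAP_TLS_FLAG_L : 0;
    if (*offset + chunk < tls_len) flags |= EAP_TLS_FLAG_M;
    put_eap_header(out, id, (uint16_t)total);
    out[5] = flags;
    size_t p = EAP_TLS_MIN_LEN;
    if (with_len) {                                 /* total reassembled TLS length, big-endian */
        uint32_t l = (uint32_t)tls_len;
        out[p++] = (uint8_t)(l >> 24); out[p++] = (uint8_t)(l >> 16);
        out[p++] = (uint8_t)(l >> 8);  out[p++] = (uint8_t)l;
    }
    memcpy(out + p, tls + *offset, chunk);
    *offset += chunk;
    return total;
}

/* Frame a whole record and verify each packet the way a receiver would: the EAP Length
 * field must equal the bytes emitted, M must be set exactly on non-final fragments, and L
 * must appear where the mode says. Returns the fragment count, or -1 on any inconsistency. */
int eap_tls_fragment_all(const uint8_t *tls, size_t tls_len, size_t mtu, int length_included)
{
    uint8_t pkt[2048];
    size_t off = 0;
    int n = 0;
    for (uint8_t id = 1; off < tls_len; id++, n++) {
        size_t len = eap_tls_frame_fragment(pkt, sizeof pkt, id, tls, tls_len, &off, mtu, length_included);
        if (len == 0) return -1;
        if ((((size_t)pkt[2] << 8) | pkt[3]) != len) return -1;
        int more = (pkt[5] & EAP_TLS_FLAG_M) != 0;
        if (more != (off < tls_len)) return -1;
        int has_l = (pkt[5] & EAP_TLS_FLAG_L) != 0;
        if (has_l != (length_included || n == 0)) return -1;
    }
    return n;
}

/* Demo: fragment a constructed tls_len-byte record (pattern bytes, not a real TLS record). */
int demo_fragment_count(size_t tls_len, size_t mtu, int length_included)
{
    static uint8_t rec[4096];
    if (tls_len > sizeof rec) return -1;
    for (size_t i = 0; i < tls_len; i++) rec[i] = (uint8_t)i;
    return eap_tls_fragment_all(rec, tls_len, mtu, length_included);
}

/* Demo: 1 if the Start packet is exactly {Request, id, 0x0006, EAP-TLS, S}. */
int demo_start_packet_ok(void)
{
    uint8_t pkt[8];
    return eap_tls_frame_start(pkt, sizeof pkt, 0x2a) == EAP_TLS_MIN_LEN
        && pkt[0] == EAP_CODE_REQUEST && pkt[1] == 0x2a && pkt[2] == 0 && pkt[3] == 6
        && pkt[4] == EAP_TYPE_TLS && pkt[5] == EAP_TLS_FLAG_S;
}

int main(void)
{   /* a Framed-MTU of 1500 gives the fragment size 1496 mentioned above */
    printf("start packet ok: %d\n", demo_start_packet_ok());
    printf("1178 bytes, mtu 400, L in every fragment: %d\n", demo_fragment_count(1178, 400, 1));
    printf("1178 bytes, mtu 400, L only in first:     %d\n", demo_fragment_count(1178, 400, 0));
    printf("1000 bytes, mtu 1496:                     %d\n", demo_fragment_count(1000, 1496, 0));
    return 0;
}
```

The two modes differ in how many fragments a record needs: with the length field in every packet each fragment loses four octets of payload, so the same 1178-byte record splits into four fragments at an MTU of 400 instead of three. Either way the receiver should only trust the declared TLS Message Length after it has been checked against the fragments that actually arrive, which is what eap_tls_fragment_all() illustrates on the sending side.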


int eap_tls_success (eap_session_t *eap_session)

Send an EAP-TLS success.

Composes an EAP-TLS-Success. This is a message with code FR_TLS_SUCCESS. It contains no cryptographic material, and is not protected.

We add the MPPE keys here. These are used by the NAS. The supplicant will derive the same keys separately.

Parameters
eap_session  that completed successfully.
Returns
  • 0 on success.
  • -1 on failure.

Definition at line 211 of file eap_tls.c.


void eap_ttls_gen_challenge (SSL *s, uint8_t *buffer, size_t size)

Definition at line 161 of file mppe_keys.c.
