The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
rlm_eap_ttls.c
Go to the documentation of this file.
1 /*
2  * This program is is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or (at
5  * your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: 1bd95d5a2af0feb68ef92609078a82b778b620f6 $
19  * @file rlm_eap_ttls.c
20  * @brief EAP-TTLS as defined by RFC 5281
21  *
22  * @copyright 2003 Alan DeKok (aland@freeradius.org)
23  * @copyright 2006 The FreeRADIUS server project
24  */
25 
26 RCSID("$Id: 1bd95d5a2af0feb68ef92609078a82b778b620f6 $")
27 USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
28 
29 #include <freeradius-devel/eap/tls.h>
30 #include "eap_ttls.h"
31 
32 typedef struct {
33  SSL_CTX *ssl_ctx; //!< Thread local SSL_CTX.
34 } rlm_eap_ttls_thread_t;
35 
36 typedef struct {
37  /*
38  * TLS configuration
39  */
40  char const *tls_conf_name;
41  fr_tls_conf_t *tls_conf;
42 
43  /*
44  * RFC 5281 (TTLS) says that the length field MUST NOT be
45  * in fragments after the first one. However, we've done
46  * it that way for years, and no one has complained.
47  *
48  * In the interests of allowing the server to follow the
49  * RFC, we add the option here. If set to "no", it sends
50  * the length field in ONLY the first fragment.
51  */
52  bool include_length;
53 
54  /*
55  * Virtual server for inner tunnel session.
56  */
57  char const *virtual_server;
58 
59  /*
60  * Do we do require a client cert?
61  */
62  bool req_client_cert;
63 } rlm_eap_ttls_t;
64 
65 
66 static conf_parser_t submodule_config[] = {
67  { FR_CONF_OFFSET("tls", rlm_eap_ttls_t, tls_conf_name) },
68  { FR_CONF_DEPRECATED("copy_request_to_tunnel", rlm_eap_ttls_t, NULL), .dflt = "no" },
69  { FR_CONF_DEPRECATED("use_tunneled_reply", rlm_eap_ttls_t, NULL), .dflt = "no" },
70  { FR_CONF_OFFSET_FLAGS("virtual_server", CONF_FLAG_REQUIRED | CONF_FLAG_NOT_EMPTY, rlm_eap_ttls_t, virtual_server) },
71  { FR_CONF_OFFSET("include_length", rlm_eap_ttls_t, include_length), .dflt = "yes" },
72  { FR_CONF_OFFSET("require_client_cert", rlm_eap_ttls_t, req_client_cert), .dflt = "no" },
73  CONF_PARSER_TERMINATOR
74 };
75 
76 static fr_dict_t const *dict_freeradius;
77 static fr_dict_t const *dict_radius;
78 
79 extern fr_dict_autoload_t rlm_eap_ttls_dict[];
80 fr_dict_autoload_t rlm_eap_ttls_dict[] = {
81  { .out = &dict_freeradius, .proto = "freeradius" },
82  { .out = &dict_radius, .proto = "radius" },
83  { NULL }
84 };
85 
86 fr_dict_attr_t const *attr_eap_tls_require_client_cert;
87 fr_dict_attr_t const *attr_proxy_to_realm;
88 
89 fr_dict_attr_t const *attr_chap_challenge;
90 fr_dict_attr_t const *attr_ms_chap2_success;
91 fr_dict_attr_t const *attr_eap_message;
92 fr_dict_attr_t const *attr_freeradius_proxied_to;
93 fr_dict_attr_t const *attr_ms_chap_challenge;
94 fr_dict_attr_t const *attr_reply_message;
95 fr_dict_attr_t const *attr_eap_channel_binding_message;
96 fr_dict_attr_t const *attr_user_name;
97 fr_dict_attr_t const *attr_user_password;
98 fr_dict_attr_t const *attr_vendor_specific;
99 
100 extern fr_dict_attr_autoload_t rlm_eap_ttls_dict_attr[];
101 fr_dict_attr_autoload_t rlm_eap_ttls_dict_attr[] = {
102  { .out = &attr_eap_tls_require_client_cert, .name = "EAP-TLS-Require-Client-Cert", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
103  { .out = &attr_proxy_to_realm, .name = "Proxy-To-Realm", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
104 
105  { .out = &attr_chap_challenge, .name = "CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
106  { .out = &attr_eap_message, .name = "EAP-Message", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
107  { .out = &attr_freeradius_proxied_to, .name = "Vendor-Specific.FreeRADIUS.Proxied-To", .type = FR_TYPE_IPV4_ADDR, .dict = &dict_radius },
108  { .out = &attr_ms_chap_challenge, .name = "Vendor-Specific.Microsoft.CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
109  { .out = &attr_ms_chap2_success, .name = "Vendor-Specific.Microsoft.CHAP2-Success", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
110  { .out = &attr_reply_message, .name = "Reply-Message", .type = FR_TYPE_STRING, .dict = &dict_radius },
111  { .out = &attr_eap_channel_binding_message, .name = "Vendor-Specific.UKERNA.EAP-Channel-Binding-Message", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
112  { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius },
113  { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_radius },
114  { .out = &attr_vendor_specific, .name = "Vendor-Specific", .type = FR_TYPE_VSA, .dict = &dict_radius },
115  { NULL }
116 };
117 
118 /*
119  * Allocate the TTLS per-session data
120  */
121 static ttls_tunnel_t *ttls_alloc(TALLOC_CTX *ctx, rlm_eap_ttls_t *inst)
122 {
123  ttls_tunnel_t *t;
124 
125  t = talloc_zero(ctx, ttls_tunnel_t);
126  t->virtual_server = inst->virtual_server;
127 
128  return t;
129 }
130 
131 static unlang_action_t mod_handshake_resume(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
132 {
133  eap_session_t *eap_session = talloc_get_type_abort(mctx->rctx, eap_session_t);
134  eap_tls_session_t *eap_tls_session = talloc_get_type_abort(eap_session->opaque, eap_tls_session_t);
135  fr_tls_session_t *tls_session = eap_tls_session->tls_session;
136 
137  ttls_tunnel_t *tunnel = talloc_get_type_abort(tls_session->opaque, ttls_tunnel_t);
138 
139  if ((eap_tls_session->state == EAP_TLS_INVALID) || (eap_tls_session->state == EAP_TLS_FAIL)) {
140  REDEBUG("[eap-tls process] = %s", fr_table_str_by_value(eap_tls_status_table, eap_tls_session->state, "<INVALID>"));
141  } else {
142  RDEBUG2("[eap-tls process] = %s", fr_table_str_by_value(eap_tls_status_table, eap_tls_session->state, "<INVALID>"));
143  }
144 
145  switch (eap_tls_session->state) {
146  /*
147  * EAP-TLS handshake was successful, tell the
148  * client to keep talking.
149  *
150  * If this was EAP-TLS, we would just return
151  * an EAP-TLS-Success packet here.
152  */
153  case EAP_TLS_ESTABLISHED:
154  if (SSL_session_reused(tls_session->ssl)) {
155  RDEBUG2("Skipping Phase2 due to session resumption");
156  goto do_keys;
157  }
158 
159  if (tunnel && tunnel->authenticated) {
160  eap_tls_prf_label_t prf_label;
161 
162  do_keys:
163  eap_crypto_prf_label_init(&prf_label, eap_session,
164  "ttls keying material",
165  sizeof("ttls keying material") - 1);
166  /*
167  * Success: Automatically return MPPE keys.
168  */
169  if (eap_tls_success(request, eap_session, &prf_label) < 0) RETURN_MODULE_FAIL;
170 
171  /*
172  * Result is always OK, even if we fail to persist the
173  * session data.
174  */
175  *p_result = RLM_MODULE_OK;
176 
177  /*
178  * Write the session to the session cache
179  *
180  * We do this here (instead of relying on OpenSSL to call the
181  * session caching callback), because we only want to write
182  * session data to the cache if all phases were successful.
183  *
184  * If we wrote out the cache data earlier, and the server
185  * exited whilst the session was in progress, the supplicant
186  * could resume the session (and get access) even if phase2
187  * never completed.
188  */
189  return fr_tls_cache_pending_push(request, tls_session);
190  }
191 
192  eap_tls_request(request, eap_session);
193  RETURN_MODULE_OK;
194 
195  /*
196  * The TLS code is still working on the TLS
197  * exchange, and it's a valid TLS request.
198  * do nothing.
199  */
200  case EAP_TLS_HANDLED:
201  RETURN_MODULE_HANDLED;
202 
203  /*
204  * Handshake is done, proceed with decoding tunneled
205  * data.
206  */
207  case EAP_TLS_RECORD_RECV_COMPLETE:
208  break;
209 
210  /*
211  * Anything else: fail.
212  */
213  default:
214  RETURN_MODULE_FAIL;
215  }
216 
217  /*
218  * Session is established, proceed with decoding
219  * tunneled data.
220  */
221  RDEBUG2("Session established. Decoding Diameter attributes");
222 
223  /*
224  * Process the TTLS portion of the request.
225  */
226  switch (eap_ttls_process(request, eap_session, tls_session)) {
227  case FR_RADIUS_CODE_ACCESS_REJECT:
228  eap_tls_fail(request, eap_session);
229  RETURN_MODULE_REJECT;
230 
231  /*
232  * Access-Challenge, continue tunneled conversation.
233  */
234  case FR_RADIUS_CODE_ACCESS_CHALLENGE:
235  eap_tls_request(request, eap_session);
236  RETURN_MODULE_OK;
237 
238  /*
239  * Success: Automatically return MPPE keys.
240  */
241  case FR_RADIUS_CODE_ACCESS_ACCEPT:
242  goto do_keys;
243 
244  /*
245  * No response packet, MUST be proxying it.
246  * The main EAP module will take care of discovering
247  * that the request now has a "proxy" packet, and
248  * will proxy it, rather than returning an EAP packet.
249  */
250  case FR_RADIUS_CODE_STATUS_CLIENT:
251  RETURN_MODULE_OK;
252 
253  default:
254  break;
255  }
256 
257  /*
258  * Something we don't understand: Reject it.
259  */
260  eap_tls_fail(request, eap_session);
261  RETURN_MODULE_INVALID;
262 }
263 
264 /*
265  * Do authentication, by letting EAP-TLS do most of the work.
266  */
267 static unlang_action_t mod_handshake_process(UNUSED rlm_rcode_t *p_result, UNUSED module_ctx_t const *mctx,
268  request_t *request)
269 {
270  eap_session_t *eap_session = eap_session_get(request->parent);
271 
272  /*
273  * Setup the resumption frame to process the result
274  */
275  (void)unlang_module_yield(request, mod_handshake_resume, NULL, 0, eap_session);
276 
277  /*
278  * Process TLS layer until done.
279  */
280  return eap_tls_process(request, eap_session);
281 }
282 
283 /*
284  * Send an initial eap-tls request to the peer, using the libeap functions.
285  */
286 static unlang_action_t mod_session_init(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
287 {
288  rlm_eap_ttls_t *inst = talloc_get_type_abort(mctx->inst->data, rlm_eap_ttls_t);
289  rlm_eap_ttls_thread_t *t = talloc_get_type_abort(mctx->thread, rlm_eap_ttls_thread_t);
290  eap_session_t *eap_session = eap_session_get(request->parent);
291 
292  eap_tls_session_t *eap_tls_session;
293  fr_tls_session_t *tls_session;
294  fr_pair_t *vp;
295  bool client_cert;
296 
297  eap_session->tls = true;
298 
299  /*
300  * EAP-TLS-Require-Client-Cert attribute will override
301  * the require_client_cert configuration option.
302  */
303  vp = fr_pair_find_by_da(&request->control_pairs, NULL, attr_eap_tls_require_client_cert);
304  if (vp) {
305  client_cert = vp->vp_uint32 ? true : false;
306  } else {
307  client_cert = inst->req_client_cert;
308  }
309 
310  eap_session->opaque = eap_tls_session = eap_tls_session_init(request, eap_session, t->ssl_ctx, client_cert);
311  if (!eap_tls_session) RETURN_MODULE_FAIL;
312  tls_session = eap_tls_session->tls_session;
313 
314  eap_tls_session->include_length = inst->include_length;
315 
316  /*
317  * TLS session initialization is over. Now handle TLS
318  * related handshaking or application data.
319  */
320  if (eap_tls_start(request, eap_session) < 0) {
321  talloc_free(eap_tls_session);
322  RETURN_MODULE_FAIL;
323  }
324 
325  tls_session->opaque = ttls_alloc(tls_session, inst);
326 
327  eap_session->process = mod_handshake_process;
328 
329  RETURN_MODULE_OK;
330 }
331 
332 static int mod_thread_instantiate(module_thread_inst_ctx_t const *mctx)
333 {
334  rlm_eap_ttls_t *inst = talloc_get_type_abort(mctx->inst->data, rlm_eap_ttls_t);
335  rlm_eap_ttls_thread_t *t = talloc_get_type_abort(mctx->thread, rlm_eap_ttls_thread_t);
336 
337  t->ssl_ctx = fr_tls_ctx_alloc(inst->tls_conf, false);
338  if (!t->ssl_ctx) return -1;
339 
340  return 0;
341 }
342 
343 static int mod_thread_detach(module_thread_inst_ctx_t const *mctx)
344 {
345  rlm_eap_ttls_thread_t *t = talloc_get_type_abort(mctx->thread, rlm_eap_ttls_thread_t);
346 
347  if (likely(t->ssl_ctx != NULL)) SSL_CTX_free(t->ssl_ctx);
348  t->ssl_ctx = NULL;
349 
350  return 0;
351 }
352 
353 /*
354  * Attach the module.
355  */
356 static int mod_instantiate(module_inst_ctx_t const *mctx)
357 {
358  rlm_eap_ttls_t *inst = talloc_get_type_abort(mctx->inst->data, rlm_eap_ttls_t);
359  CONF_SECTION *conf = mctx->inst->conf;
360 
361  if (!virtual_server_find(inst->virtual_server)) {
362  cf_log_err_by_child(conf, "virtual_server", "Unknown virtual server '%s'", inst->virtual_server);
363  return -1;
364  }
365 
366  /*
367  * Read tls configuration, either from group given by 'tls'
368  * option, or from the eap-tls configuration.
369  */
370  inst->tls_conf = eap_tls_conf_parse(conf, "tls");
371  if (!inst->tls_conf) {
372  cf_log_err(conf, "Failed initializing SSL context");
373  return -1;
374  }
375 
376  return 0;
377 }
378 
379 /*
380  * The module name should be the only globally exported symbol.
381  * That is, everything else should be 'static'.
382  */
383 extern rlm_eap_submodule_t rlm_eap_ttls;
384 rlm_eap_submodule_t rlm_eap_ttls = {
385  .common = {
386  .magic = MODULE_MAGIC_INIT,
387  .name = "eap_ttls",
388 
389  .inst_size = sizeof(rlm_eap_ttls_t),
390  .config = submodule_config,
391  .instantiate = mod_instantiate, /* Create new submodule instance */
392 
393  .thread_inst_size = sizeof(rlm_eap_ttls_thread_t),
394  .thread_instantiate = mod_thread_instantiate,
395  .thread_detach = mod_thread_detach,
396  },
397  .provides = { FR_EAP_METHOD_TTLS },
398  .session_init = mod_session_init, /* Initialise a new EAP session */
399 };
true
#define true
Definition: abinary.c:57
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition: action.h:35
USES_APPLE_DEPRECATED_API
#define USES_APPLE_DEPRECATED_API
Definition: build.h:431
RCSID
#define RCSID(id)
Definition: build.h:444
UNUSED
#define UNUSED
Definition: build.h:313
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition: cf_parse.h:626
FR_CONF_DEPRECATED
#define FR_CONF_DEPRECATED(_name, _struct, _field)
conf_parser_t entry which raises an error if a matching CONF_PAIR is found
Definition: cf_parse.h:385
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:268
FR_CONF_OFFSET_FLAGS
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:256
CONF_FLAG_REQUIRED
@ CONF_FLAG_REQUIRED
Error out if no matching CONF_PAIR is found, and no dflt value is set.
Definition: cf_parse.h:406
CONF_FLAG_NOT_EMPTY
@ CONF_FLAG_NOT_EMPTY
CONF_PAIR is required to have a non zero length value.
Definition: cf_parse.h:421
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition: cf_parse.h:563
cf_section
A section grouping multiple CONF_PAIR.
Definition: cf_priv.h:89
cf_log_err
#define cf_log_err(_cf, _fmt,...)
Definition: cf_util.h:265
cf_log_err_by_child
#define cf_log_err_by_child(_parent, _child, _fmt,...)
Log an error message against a specified child.
Definition: cf_util.h:292
FR_RADIUS_CODE_ACCESS_CHALLENGE
@ FR_RADIUS_CODE_ACCESS_CHALLENGE
RFC2865 - Access-Challenge.
Definition: defs.h:43
FR_RADIUS_CODE_STATUS_CLIENT
@ FR_RADIUS_CODE_STATUS_CLIENT
RFC2865/RFC5997 - Status Server (response)
Definition: defs.h:45
FR_RADIUS_CODE_ACCESS_ACCEPT
@ FR_RADIUS_CODE_ACCESS_ACCEPT
RFC2865 - Access-Accept.
Definition: defs.h:34
FR_RADIUS_CODE_ACCESS_REJECT
@ FR_RADIUS_CODE_ACCESS_REJECT
RFC2865 - Access-Reject.
Definition: defs.h:35
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition: dict.h:250
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition: dict.h:263
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition: dict.h:249
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition: dict.h:262
dl_module_instance_s::data
void *_CONST data
Module instance's parsed configuration.
Definition: dl_module.h:165
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition: dl_module.h:65
dl_module_instance_s::conf
CONF_SECTION *_CONST conf
Module's instance configuration.
Definition: dl_module.h:166
eap_crypto_prf_label_init
void eap_crypto_prf_label_init(eap_tls_prf_label_t *prf_label, eap_session_t *eap_session, char const *keying_prf_label, size_t keying_prf_label_len)
Initialize the PRF label fields.
Definition: crypto.c:48
FR_EAP_METHOD_TTLS
@ FR_EAP_METHOD_TTLS
Definition: types.h:66
eap_ttls.h
Declarations for EAP-TTLS as defined by RFC 5281.
ttls_tunnel_t::authenticated
bool authenticated
Definition: eap_ttls.h:47
eap_ttls_process
fr_radius_packet_code_t eap_ttls_process(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session)
Definition: ttls.c:617
ttls_tunnel_t::virtual_server
char const * virtual_server
Definition: eap_ttls.h:48
ttls_tunnel_t
Definition: eap_ttls.h:45
eap_session_s::opaque
void * opaque
Opaque data used by EAP methods.
Definition: session.h:62
eap_session_s::tls
bool tls
Whether EAP method uses TLS.
Definition: session.h:70
eap_session_s::process
module_method_t process
Callback that should be used to process the next round.
Definition: session.h:64
eap_session_get
static eap_session_t * eap_session_get(request_t *request)
Definition: session.h:82
eap_session_s
Tracks the progress of a single session of any EAP method.
Definition: session.h:40
talloc_free
talloc_free(reap)
FR_TYPE_IPV4_ADDR
@ FR_TYPE_IPV4_ADDR
32 Bit IPv4 Address.
Definition: merged_model.c:86
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition: merged_model.c:83
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition: merged_model.c:99
FR_TYPE_VSA
@ FR_TYPE_VSA
Vendor-Specific, for RADIUS attribute 26.
Definition: merged_model.c:121
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition: merged_model.c:84
fr_dict_attr_t
Definition: merged_model.c:133
fr_dict_t
Definition: merged_model.c:198
request_t
Definition: merged_model.c:210
module_ctx_t::thread
void * thread
Thread specific instance data.
Definition: module_ctx.h:43
module_ctx_t::rctx
void * rctx
Resume ctx that a module previously set.
Definition: module_ctx.h:45
module_inst_ctx_t::inst
dl_module_inst_t const * inst
Dynamic loader API handle for the module.
Definition: module_ctx.h:52
module_thread_inst_ctx_t::thread
void * thread
Thread instance data.
Definition: module_ctx.h:62
module_ctx_t::inst
dl_module_inst_t const * inst
Dynamic loader API handle for the module.
Definition: module_ctx.h:42
module_thread_inst_ctx_t::inst
dl_module_inst_t const * inst
Dynamic loader API handle for the module.
Definition: module_ctx.h:59
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition: module_ctx.h:41
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition: module_ctx.h:51
module_thread_inst_ctx_t
Temporary structure to hold arguments for thread_instantiation calls.
Definition: module_ctx.h:58
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition: pair.c:688
config
static const conf_parser_t config[]
Definition: base.c:188
REDEBUG
#define REDEBUG(fmt,...)
Definition: radclient.h:52
RDEBUG2
#define RDEBUG2(fmt,...)
Definition: radclient.h:54
conf
static rs_t * conf
Definition: radsniff.c:53
RETURN_MODULE_REJECT
#define RETURN_MODULE_REJECT
Definition: rcode.h:55
RETURN_MODULE_HANDLED
#define RETURN_MODULE_HANDLED
Definition: rcode.h:58
RETURN_MODULE_INVALID
#define RETURN_MODULE_INVALID
Definition: rcode.h:59
RETURN_MODULE_OK
#define RETURN_MODULE_OK
Definition: rcode.h:57
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition: rcode.h:40
RLM_MODULE_OK
@ RLM_MODULE_OK
The module is OK, continue.
Definition: rcode.h:43
attr_user_password
fr_dict_attr_t const * attr_user_password
Definition: rlm_eap_ttls.c:97
mod_handshake_resume
static unlang_action_t mod_handshake_resume(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition: rlm_eap_ttls.c:131
rlm_eap_ttls_t::tls_conf_name
char const * tls_conf_name
Definition: rlm_eap_ttls.c:40
rlm_eap_ttls_t::req_client_cert
bool req_client_cert
Definition: rlm_eap_ttls.c:62
attr_freeradius_proxied_to
fr_dict_attr_t const * attr_freeradius_proxied_to
Definition: rlm_eap_ttls.c:92
attr_eap_message
fr_dict_attr_t const * attr_eap_message
Definition: rlm_eap_ttls.c:91
mod_handshake_process
static unlang_action_t mod_handshake_process(UNUSED rlm_rcode_t *p_result, UNUSED module_ctx_t const *mctx, request_t *request)
Definition: rlm_eap_ttls.c:267
attr_eap_channel_binding_message
fr_dict_attr_t const * attr_eap_channel_binding_message
Definition: rlm_eap_ttls.c:95
dict_freeradius
static fr_dict_t const * dict_freeradius
Definition: rlm_eap_ttls.c:76
attr_eap_tls_require_client_cert
fr_dict_attr_t const * attr_eap_tls_require_client_cert
Definition: rlm_eap_ttls.c:86
rlm_eap_ttls_thread_t::ssl_ctx
SSL_CTX * ssl_ctx
Thread local SSL_CTX.
Definition: rlm_eap_ttls.c:33
rlm_eap_ttls_t::include_length
bool include_length
Definition: rlm_eap_ttls.c:52
attr_ms_chap2_success
fr_dict_attr_t const * attr_ms_chap2_success
Definition: rlm_eap_ttls.c:90
dict_radius
static fr_dict_t const * dict_radius
Definition: rlm_eap_ttls.c:77
attr_ms_chap_challenge
fr_dict_attr_t const * attr_ms_chap_challenge
Definition: rlm_eap_ttls.c:93
attr_chap_challenge
fr_dict_attr_t const * attr_chap_challenge
Definition: rlm_eap_ttls.c:89
attr_vendor_specific
fr_dict_attr_t const * attr_vendor_specific
Definition: rlm_eap_ttls.c:98
attr_reply_message
fr_dict_attr_t const * attr_reply_message
Definition: rlm_eap_ttls.c:94
rlm_eap_ttls_t::virtual_server
char const * virtual_server
Definition: rlm_eap_ttls.c:57
ttls_alloc
static ttls_tunnel_t * ttls_alloc(TALLOC_CTX *ctx, rlm_eap_ttls_t *inst)
Definition: rlm_eap_ttls.c:121
mod_thread_instantiate
static int mod_thread_instantiate(module_thread_inst_ctx_t const *mctx)
Definition: rlm_eap_ttls.c:332
rlm_eap_ttls_t::tls_conf
fr_tls_conf_t * tls_conf
Definition: rlm_eap_ttls.c:41
attr_user_name
fr_dict_attr_t const * attr_user_name
Definition: rlm_eap_ttls.c:96
attr_proxy_to_realm
fr_dict_attr_t const * attr_proxy_to_realm
Definition: rlm_eap_ttls.c:87
submodule_config
static conf_parser_t submodule_config[]
Definition: rlm_eap_ttls.c:66
rlm_eap_ttls_dict_attr
fr_dict_attr_autoload_t rlm_eap_ttls_dict_attr[]
Definition: rlm_eap_ttls.c:101
mod_thread_detach
static int mod_thread_detach(module_thread_inst_ctx_t const *mctx)
Definition: rlm_eap_ttls.c:343
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition: rlm_eap_ttls.c:356
rlm_eap_ttls_dict
fr_dict_autoload_t rlm_eap_ttls_dict[]
Definition: rlm_eap_ttls.c:80
rlm_eap_ttls
rlm_eap_submodule_t rlm_eap_ttls
Definition: rlm_eap_ttls.c:384
mod_session_init
static unlang_action_t mod_session_init(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition: rlm_eap_ttls.c:286
rlm_eap_ttls_t
Definition: rlm_eap_ttls.c:36
rlm_eap_ttls_thread_t
Definition: rlm_eap_ttls.c:32
instantiate
static int instantiate(module_inst_ctx_t const *mctx)
Definition: rlm_rest.c:1312
unlang_module_yield
unlang_action_t unlang_module_yield(request_t *request, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Yield a request back to the interpreter from within a module.
Definition: module.c:575
RETURN_MODULE_FAIL
RETURN_MODULE_FAIL
Definition: state_machine.c:1220
inst
eap_aka_sim_process_conf_t * inst
Definition: state_machine.c:3633
vp
fr_pair_t * vp
Definition: state_machine.c:2271
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition: pair.h:68
rlm_eap_submodule_t::common
module_t common
Common fields provided by all modules.
Definition: submodule.h:50
rlm_eap_submodule_t
Interface exported by EAP submodules.
Definition: submodule.h:49
fr_table_str_by_value
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
Definition: table.h:253
eap_tls_success
int eap_tls_success(request_t *request, eap_session_t *eap_session, eap_tls_prf_label_t *prf_label)
Send an EAP-TLS success.
Definition: tls.c:262
eap_tls_session_init
eap_tls_session_t * eap_tls_session_init(request_t *request, eap_session_t *eap_session, SSL_CTX *ssl_ctx, bool client_cert)
Create a new fr_tls_session_t associated with an eap_session_t.
Definition: tls.c:1125
eap_tls_start
int eap_tls_start(request_t *request, eap_session_t *eap_session)
Send an initial EAP-TLS request to the peer.
Definition: tls.c:237
eap_tls_request
int eap_tls_request(request_t *request, eap_session_t *eap_session)
Frames the OpenSSL data that needs to be sent to the client in an EAP-Request.
Definition: tls.c:370
eap_tls_fail
int eap_tls_fail(request_t *request, eap_session_t *eap_session)
Send an EAP-TLS failure.
Definition: tls.c:320
eap_tls_status_table
USES_APPLE_DEPRECATED_API fr_table_num_ordered_t const eap_tls_status_table[]
Definition: tls.c:78
eap_tls_conf_parse
fr_tls_conf_t * eap_tls_conf_parse(CONF_SECTION *cs, char const *attr)
Parse TLS configuration.
Definition: tls.c:1210
eap_tls_process
unlang_action_t eap_tls_process(request_t *request, eap_session_t *eap_session)
Process an EAP TLS request.
Definition: tls.c:957
eap_tls_session_t::state
eap_tls_status_t state
The state of the EAP-TLS session.
Definition: tls.h:127
EAP_TLS_INVALID
@ EAP_TLS_INVALID
Invalid, don't reply.
Definition: tls.h:91
EAP_TLS_HANDLED
@ EAP_TLS_HANDLED
TLS code has handled it.
Definition: tls.h:94
EAP_TLS_RECORD_RECV_COMPLETE
@ EAP_TLS_RECORD_RECV_COMPLETE
Received final fragment of a record.
Definition: tls.h:111
EAP_TLS_FAIL
@ EAP_TLS_FAIL
Fail, send fail.
Definition: tls.h:93
EAP_TLS_ESTABLISHED
@ EAP_TLS_ESTABLISHED
Session established, send success (or start phase2).
Definition: tls.h:92
eap_tls_session_t::tls_session
fr_tls_session_t * tls_session
TLS session used to authenticate peer or tunnel sensitive data.
Definition: tls.h:129
eap_tls_session_t::include_length
bool include_length
A flag to include length in every TLS Data/Alert packet.
Definition: tls.h:138
eap_tls_prf_label_t
Definition: tls.h:154
eap_tls_session_t
Tracks the state of an EAP-TLS session.
Definition: tls.h:126
virtual_server_find
CONF_SECTION * virtual_server_find(char const *name)
Return virtual server matching the specified name.
Definition: virtual_servers.c:766
Generated by   doxygen 1.9.1