26RCSID(
"$Id: ac3fb6e2b246cc39096843b104014f663adcaa8b $")
30#define LOG_PREFIX "tls"
32#include <freeradius-devel/internal/internal.h>
33#include <freeradius-devel/server/pair.h>
34#include <freeradius-devel/server/module_rlm.h>
35#include <freeradius-devel/unlang/function.h>
36#include <freeradius-devel/unlang/subrequest.h>
37#include <freeradius-devel/unlang/interpret.h>
38#include <freeradius-devel/util/debug.h>
47#include <openssl/ssl.h>
48#include <openssl/kdf.h>
56uint8_t *fr_tls_cache_id(TALLOC_CTX *ctx, SSL_SESSION *sess)
61 id = SSL_SESSION_get_id(sess, &len);
74static inline CC_HINT(always_inline,
nonnull)
80 id = SSL_SESSION_get_id(sess, &len);
93#define SESSION_ID(_box, _sess) \
95if (unlikely(fr_tls_cache_id_to_box_shallow(&_box, _sess) < 0)) fr_value_box_init_null(&_box)
110static inline CC_HINT(always_inline,
nonnull(2))
111void tls_cache_session_id_to_vp(
request_t *request,
uint8_t const *session_id)
118static inline CC_HINT(always_inline,
nonnull(2))
119void _tls_cache_load_state_reset(
request_t *request, fr_tls_cache_t *cache,
char const *func)
121 if (cache->load.sess) {
123 SESSION_ID(sess_id, cache->load.sess);
127 SSL_SESSION_free(cache->load.sess);
128 cache->load.sess = NULL;
130 cache->load.state = FR_TLS_CACHE_LOAD_INIT;
132#define tls_cache_load_state_reset(_request, _cache) _tls_cache_load_state_reset(_request, _cache, __FUNCTION__)
134static inline CC_HINT(always_inline,
nonnull(2))
135void _tls_cache_store_state_reset(
request_t *request, fr_tls_cache_t *cache,
char const *func)
137 if (cache->store.sess) {
139 SESSION_ID(sess_id, cache->store.sess);
142 SSL_SESSION_free(cache->store.sess);
143 cache->store.sess = NULL;
145 cache->store.state = FR_TLS_CACHE_STORE_INIT;
147#define tls_cache_store_state_reset(_request, _cache) _tls_cache_store_state_reset(_request, _cache, __FUNCTION__)
149static inline CC_HINT(always_inline)
150void _tls_cache_clear_state_reset(
request_t *request, fr_tls_cache_t *cache,
char const *func)
152 if (cache->clear.id) {
156 TALLOC_FREE(cache->clear.id);
159 cache->clear.state = FR_TLS_CACHE_CLEAR_INIT;
161#define tls_cache_clear_state_reset(_request, _cache) _tls_cache_clear_state_reset(_request, _cache, __FUNCTION__)
166static int tls_cache_app_data_set(
request_t *request, SSL_SESSION *sess,
uint32_t resumption_type)
169 fr_dbuff_uctx_talloc_t tctx;
179 type_vp->vp_uint32 = resumption_type;
182 SESSION_ID(sess_id, sess);
184 RDEBUG2(
"Session ID %pV - Adding session-state[*] to data", &sess_id);
206 SESSION_ID(sess_id, sess);
208 RPERROR(
"Session ID %pV - Failed serialising session-state list", &sess_id);
225 SESSION_ID(sess_id, sess);
227 fr_tls_log(request,
"Session ID %pV - Failed setting application data", &sess_id);
234static int tls_cache_app_data_get(
request_t *request, SSL_SESSION *sess)
244 if (SSL_SESSION_get0_ticket_appdata(sess, (
void **)&
data, &data_len) != 1) {
245 SESSION_ID(sess_id, sess);
247 fr_tls_log(request,
"Session ID %pV - Failed retrieving application data", &sess_id);
265 SESSION_ID(sess_id, sess);
268 RPEDEBUG(
"Session-ID %pV - Failed decoding session-state", &sess_id);
274 SESSION_ID(sess_id, sess);
276 RDEBUG2(
"Session-ID %pV - Restoring session-state[*]", &sess_id);
291static void tls_cache_delete_request(SSL_SESSION *sess)
293 fr_tls_session_t *tls_session;
294 fr_tls_cache_t *tls_cache;
297 tls_session = talloc_get_type_abort(SSL_SESSION_get_ex_data(sess, FR_TLS_EX_INDEX_TLS_SESSION), fr_tls_session_t);
299 if (!tls_session->cache)
return;
301 request = fr_tls_session_request(tls_session->ssl);
302 tls_cache = tls_session->cache;
309 fr_assert(tls_cache->clear.state == FR_TLS_CACHE_CLEAR_INIT);
314 tls_cache->clear.id = fr_tls_cache_id(tls_cache, sess);
315 if (!tls_cache->clear.id) {
316 RWDEBUG(
"Error retrieving Session ID");
322 tls_cache->clear.state = FR_TLS_CACHE_CLEAR_REQUESTED;
331 if (tls_session->session == sess) tls_session->session = NULL;
346 if (tls_session->can_pause) ASYNC_pause_job();
353 fr_tls_session_t *tls_session = talloc_get_type_abort(uctx, fr_tls_session_t);
354 fr_tls_cache_t *tls_cache = tls_session->cache;
361 RWDEBUG(
"Failed acquiring session data");
363 tls_cache->load.state = FR_TLS_CACHE_LOAD_FAILED;
369 RWDEBUG(
"No cached session found");
374 p = (
unsigned char const **)&q;
376 sess = d2i_SSL_SESSION(NULL, p,
vp->vp_length);
378 fr_tls_log(request,
"Failed loading persisted session");
383 SESSION_ID(sess_id, sess);
385 RDEBUG3(
"Session ID %pV - Read %zu bytes of data. "
386 "Session de-serialized successfully", &sess_id,
vp->vp_length);
387 SSL_SESSION_print(fr_tls_request_log_bio(request,
L_DBG,
L_DBG_LVL_3), sess);
399 SSL_SESSION_set_ex_data(sess, FR_TLS_EX_INDEX_TLS_SESSION, fr_tls_session(tls_session->ssl));
401 tls_cache->load.state = FR_TLS_CACHE_LOAD_RETRIEVED;
402 tls_cache->load.sess = sess;
418 fr_tls_cache_t *tls_cache = tls_session->cache;
419 fr_tls_conf_t *
conf = fr_tls_session_conf(tls_session->ssl);
442 tls_cache_session_id_to_vp(child, tls_cache->load.id);
448 ua = fr_tls_call_push(child, tls_cache_load_result,
conf, tls_session,
true);
451 tls_cache_load_state_reset(request, tls_cache);
462 fr_tls_session_t *tls_session = talloc_get_type_abort(uctx, fr_tls_session_t);
463 fr_tls_cache_t *tls_cache = tls_session->cache;
466 tls_cache_store_state_reset(request, tls_cache);
470 tls_cache->store.state = FR_TLS_CACHE_STORE_PERSISTED;
472 RWDEBUG(
"Failed storing session data");
473 tls_cache->store.state = FR_TLS_CACHE_STORE_INIT;
489static inline CC_HINT(always_inline)
492 fr_tls_cache_t *tls_cache = tls_session->cache;
499 SSL_SESSION *sess = tls_session->cache->store.sess;
501#if OPENSSL_VERSION_NUMBER >= 0x30400000L
509 fr_assert(tls_cache->store.state == FR_TLS_CACHE_STORE_REQUESTED);
513 fr_tls_cache_id_to_box_shallow(&
id, sess);
515 RWDEBUG(
"Session ID %pV - Session has already expired, not storing", &
id);
551 len = i2d_SSL_SESSION(sess, NULL);
554 fr_tls_cache_id_to_box_shallow(&
id, sess);
557 fr_tls_strerror_printf(NULL);
558 RPWDEBUG(
"Session ID %pV - Serialisation failed, couldn't determine "
559 "required buffer length", &
id);
561 tls_cache_store_state_reset(request, tls_cache);
571 ret = i2d_SSL_SESSION(sess, &p);
574 fr_tls_cache_id_to_box_shallow(&
id, sess);
576 fr_tls_strerror_printf(NULL);
577 RPWDEBUG(
"Session ID %pV - Serialisation failed", &
id);
587 ua = fr_tls_call_push(child, tls_cache_store_result,
conf, tls_session,
true);
588 if (ua < 0)
goto error;
597 fr_tls_session_t *tls_session = talloc_get_type_abort(uctx, fr_tls_session_t);
598 fr_tls_cache_t *tls_cache = tls_session->cache;
601 tls_cache_clear_state_reset(request, tls_cache);
610 RWDEBUG(
"Failed deleting session data - security may be compromised");
624static inline CC_HINT(always_inline)
629 fr_tls_cache_t *tls_cache = tls_session->cache;
632 fr_assert(tls_cache->clear.state == FR_TLS_CACHE_CLEAR_REQUESTED);
649 tls_cache_session_id_to_vp(child, tls_cache->clear.id);
655 ua = fr_tls_call_push(child, tls_cache_clear_result,
conf, tls_session,
true);
658 tls_cache_clear_state_reset(request, tls_cache);
675 fr_tls_cache_t *tls_cache = tls_session->cache;
676 fr_tls_conf_t *
conf = fr_tls_session_conf(tls_session->ssl);
683 if (tls_cache->load.state == FR_TLS_CACHE_LOAD_REQUESTED) {
684 return tls_cache_load_push(request, tls_session);
691 if (tls_cache->clear.state == FR_TLS_CACHE_CLEAR_REQUESTED) {
697 if (tls_cache->store.state == FR_TLS_CACHE_STORE_REQUESTED) {
701 id = SSL_SESSION_get_id(tls_cache->store.sess, &len);
702 if ((len == talloc_array_length(tls_cache->clear.id)) &&
703 (memcmp(tls_cache->clear.id,
id, len) == 0)) {
704 tls_cache_store_state_reset(request, tls_cache);
708 return tls_cache_clear_push(request,
conf, tls_session);
711 if (tls_cache->store.state == FR_TLS_CACHE_STORE_REQUESTED) {
712 return tls_cache_store_push(request,
conf, tls_session);
731static int tls_cache_store_cb(SSL *ssl, SSL_SESSION *sess)
734 fr_tls_session_t *tls_session;
735 fr_tls_cache_t *tls_cache;
744 tls_session = fr_tls_session(ssl);
745 request = fr_tls_session_request(tls_session->ssl);
746 tls_cache = tls_session->cache;
754 id = SSL_SESSION_get_id(sess, &id_len);
760 tls_cache->store.sess = sess;
761 tls_cache->store.state = FR_TLS_CACHE_STORE_REQUESTED;
778static SSL_SESSION *tls_cache_load_cb(SSL *ssl,
779 unsigned char const *key,
780 int key_len,
int *copy)
782 fr_tls_session_t *tls_session;
783 fr_tls_cache_t *tls_cache;
786 tls_session = fr_tls_session(ssl);
787 request = fr_tls_session_request(tls_session->ssl);
788 tls_cache = tls_session->cache;
800 if (!tls_cache || !tls_session->allow_session_resumption)
return NULL;
815 switch (tls_cache->load.state) {
816 case FR_TLS_CACHE_LOAD_INIT:
819 tls_cache->load.state = FR_TLS_CACHE_LOAD_REQUESTED;
830 if (
unlikely(!tls_session->can_pause)) {
833 "tls_session_async_handshake_cont must be in call stack", __FUNCTION__);
852 tls_cache_load_state_reset(request, tls_cache);
858 case FR_TLS_CACHE_LOAD_REQUESTED:
860 tls_cache->load.state = FR_TLS_CACHE_LOAD_FAILED;
863 case FR_TLS_CACHE_LOAD_RETRIEVED:
867 TALLOC_FREE(tls_cache->load.id);
869 RDEBUG3(
"Setting session data");
881 if (tls_cache_app_data_get(request, tls_cache->load.sess) < 0) {
882 REDEBUG(
"Denying session resumption via session-id");
888 tls_cache_delete_request(tls_cache->load.sess);
889 tls_cache_load_state_reset(request, tls_session->cache);
901 fr_tls_verify_cert_request(tls_session,
true);
903 if (
unlikely(!tls_session->can_pause))
goto cant_pause;
920 tls_cache_load_state_reset(request, tls_cache);
921 fr_tls_verify_cert_reset(tls_session);
930 if (!fr_tls_verify_cert_result(tls_session)) {
931 RDEBUG2(
"Certificate re-validation failed, denying session resumption via session-id");
934 sess = tls_cache->load.sess;
943 SESSION_ID(sess_id, tls_cache->load.sess);
945 RDEBUG3(
"Session ID %pV - Session ownership transferred to libssl", &sess_id);
947 tls_cache->load.sess = NULL;
953 case FR_TLS_CACHE_LOAD_FAILED:
954 RDEBUG3(
"Session data load failed");
958 TALLOC_FREE(tls_cache->load.id);
969static void tls_cache_delete_cb(
UNUSED SSL_CTX *ctx, SSL_SESSION *sess)
977 if (!SSL_SESSION_get_ex_data(sess, FR_TLS_EX_INDEX_TLS_SESSION))
return;
978 tls_cache_delete_request(sess);
992int fr_tls_cache_disable_cb(SSL *ssl,
int is_forward_secure)
996 fr_tls_session_t *tls_session;
999 tls_session = fr_tls_session(ssl);
1000 request = fr_tls_session_request(tls_session->ssl);
1009 fr_tls_conf_t *
conf;
1011 conf = talloc_get_type_abort(SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_CONF), fr_tls_conf_t);
1012 if (
conf->cache.require_extms && (SSL_get_extms_support(tls_session->ssl) == 0)) {
1013 RDEBUG2(
"Client does not support the Extended Master Secret extension, "
1014 "denying session resumption");
1018 if (
conf->cache.require_pfs && !is_forward_secure) {
1019 RDEBUG2(
"Cipher suite is not forward secure, denying session resumption");
1033 if (!tls_session->allow_session_resumption) {
1034 RDEBUG2(
"Session resumption not enabled for this TLS session, denying session resumption");
1039 if (
vp && (
vp->vp_uint32 == 0)) {
1040 RDEBUG2(
"control.Allow-Session-Resumption == no, denying session resumption");
1042 SSL_CTX_remove_session(tls_session->ctx, tls_session->session);
1043 tls_session->allow_session_resumption =
false;
1047 RDEBUG2(
"Allowing future session-resumption");
1070void fr_tls_cache_deny(
request_t *request, fr_tls_session_t *tls_session)
1072 fr_tls_cache_t *tls_cache = tls_session->cache;
1073 bool tmp_bind = !fr_tls_session_request_bound(tls_session->ssl);
1081 fr_tls_session_request_bind(tls_session->ssl, request);
1087 fr_assert(fr_tls_session_request(tls_session->ssl) == request);
1107 if (tls_session->session) SSL_CTX_remove_session(tls_session->ctx, tls_session->session);
1108 tls_session->allow_session_resumption =
false;
1113 tls_cache_store_state_reset(fr_tls_session_request(tls_session->ssl), tls_cache);
1118 if (tmp_bind) fr_tls_session_request_unbind(tls_session->ssl);
1123static int _tls_cache_free(fr_tls_cache_t *tls_cache)
1125 tls_cache_load_state_reset(NULL, tls_cache);
1126 tls_cache_store_state_reset(NULL, tls_cache);
1137void fr_tls_cache_session_alloc(fr_tls_session_t *tls_session)
1141 MEM(tls_session->cache = talloc_zero(tls_session, fr_tls_cache_t));
1142 talloc_set_destructor(tls_session->cache, _tls_cache_free);
1149static inline CC_HINT(always_inline)
1150void tls_cache_disable_stateless_resumption(SSL_CTX *ctx)
1152 long ctx_options = SSL_CTX_get_options(ctx);
1157 ctx_options |= SSL_OP_NO_TICKET;
1158 SSL_CTX_set_options(ctx, ctx_options);
1166 SSL_CTX_set_num_tickets(ctx, 0);
1173static inline CC_HINT(always_inline)
1174void tls_cache_disable_statefull_resumption(SSL_CTX *ctx)
1187 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1196static int tls_cache_session_ticket_app_data_set(SSL *ssl,
void *arg)
1198 fr_tls_session_t *tls_session = fr_tls_session(ssl);
1199 fr_tls_cache_conf_t *tls_cache_conf = arg;
1209 if (!fr_tls_session_request_bound(ssl))
return 1;
1217 request = fr_tls_session_request(ssl);
1229 if (!tls_session->allow_session_resumption ||
1230 (!(tls_cache_conf->mode & FR_TLS_CACHE_STATELESS))) {
1231 REDEBUG(
"Generating session-tickets is not allowed");
1235 sess = SSL_get_session(ssl);
1237 REDEBUG(
"Failed retrieving session in session generation callback");
1250static SSL_TICKET_RETURN tls_cache_session_ticket_app_data_get(SSL *ssl, SSL_SESSION *sess,
1251 UNUSED unsigned char const *keyname,
1252 UNUSED size_t keyname_len,
1253 SSL_TICKET_STATUS status,
1256 fr_tls_session_t *tls_session = fr_tls_session(ssl);
1257 fr_tls_conf_t *
conf = fr_tls_session_conf(tls_session->ssl);
1258 fr_tls_cache_conf_t *tls_cache_conf = arg;
1261 if (fr_tls_session_request_bound(ssl)) {
1262 request = fr_tls_session_request(ssl);
1266 if (!tls_session->allow_session_resumption ||
1267 (!(tls_cache_conf->mode & FR_TLS_CACHE_STATELESS))) {
1269 "denying session resumption via session-ticket");
1270 return SSL_TICKET_RETURN_IGNORE;
1274 case SSL_TICKET_EMPTY:
1275 case SSL_TICKET_NO_DECRYPT:
1276 case SSL_TICKET_FATAL_ERR_MALLOC:
1277 case SSL_TICKET_FATAL_ERR_OTHER:
1278 case SSL_TICKET_NONE:
1279#ifdef STATIC_ANALYZER
1282 return SSL_TICKET_RETURN_IGNORE_RENEW;
1284 case SSL_TICKET_SUCCESS:
1285 if (!request)
return SSL_TICKET_RETURN_USE;
1288 case SSL_TICKET_SUCCESS_RENEW:
1289 if (!request)
return SSL_TICKET_RETURN_USE_RENEW;
1303 if (tls_cache_app_data_get(request, sess) < 0) {
1304 REDEBUG(
"Denying session resumption via session-ticket");
1305 return SSL_TICKET_RETURN_IGNORE_RENEW;
1308 if (
conf->virtual_server && tls_session->verify_client_cert) {
1309 RDEBUG2(
"Requesting certificate re-validation for session-ticket");
1318 fr_tls_verify_cert_request(tls_session,
true);
1326 if (
unlikely(!tls_session->can_pause)) {
1328 "tls_session_async_handshake_cont must be in call stack", __FUNCTION__);
1329 return SSL_TICKET_RETURN_IGNORE_RENEW;
1346 fr_tls_verify_cert_reset(tls_session);
1347 return SSL_TICKET_RETURN_ABORT;
1355 if (!fr_tls_verify_cert_result(tls_session)) {
1356 RDEBUG2(
"Certificate re-validation failed, denying session resumption via session-ticket");
1357 return SSL_TICKET_RETURN_IGNORE_RENEW;
1361 return (status == SSL_TICKET_SUCCESS_RENEW) ? SSL_TICKET_RETURN_USE_RENEW : SSL_TICKET_RETURN_USE;
1372int fr_tls_cache_ctx_init(SSL_CTX *ctx, fr_tls_cache_conf_t
const *cache_conf)
1374 switch (cache_conf->mode) {
1375 case FR_TLS_CACHE_DISABLED:
1376 tls_cache_disable_stateless_resumption(ctx);
1377 tls_cache_disable_statefull_resumption(ctx);
1380 case FR_TLS_CACHE_AUTO:
1381 case FR_TLS_CACHE_STATEFUL:
1386 SSL_CTX_sess_set_new_cb(ctx, tls_cache_store_cb);
1387 SSL_CTX_sess_set_get_cb(ctx, tls_cache_load_cb);
1388 SSL_CTX_sess_set_remove_cb(ctx, tls_cache_delete_cb);
1396 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL);
1406 if (!(cache_conf->mode & FR_TLS_CACHE_STATELESS)) {
1407 tls_cache_disable_stateless_resumption(ctx);
1412 case FR_TLS_CACHE_STATELESS:
1416 EVP_PKEY_CTX *pkey_ctx = NULL;
1418 if (!(cache_conf->mode & FR_TLS_CACHE_STATEFUL)) tls_cache_disable_statefull_resumption(ctx);
1429 key_len = SSL_CTX_set_tlsext_ticket_keys(ctx, NULL, 0);
1431 if (
unlikely((pkey_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL)) == NULL)) {
1432 fr_tls_strerror_printf(NULL);
1433 PERROR(
"Failed initialising KDF");
1435 if (pkey_ctx) EVP_PKEY_CTX_free(pkey_ctx);
1438 if (
unlikely(EVP_PKEY_derive_init(pkey_ctx) != 1)) {
1439 fr_tls_strerror_printf(NULL);
1440 PERROR(
"Failed initialising KDF derivation ctx");
1443 if (
unlikely(EVP_PKEY_CTX_set_hkdf_md(pkey_ctx,
UNCONST(
struct evp_md_st *, EVP_sha256())) != 1)) {
1444 fr_tls_strerror_printf(NULL);
1445 PERROR(
"Failed setting KDF MD");
1448 if (
unlikely(EVP_PKEY_CTX_set1_hkdf_key(pkey_ctx,
1449 UNCONST(
unsigned char *, cache_conf->session_ticket_key),
1450 talloc_array_length(cache_conf->session_ticket_key)) != 1)) {
1451 fr_tls_strerror_printf(NULL);
1452 PERROR(
"Failed setting KDF key");
1455 if (
unlikely(EVP_PKEY_CTX_add1_hkdf_info(pkey_ctx,
1456 UNCONST(
unsigned char *,
"freeradius-session-ticket"),
1457 sizeof(
"freeradius-session-ticket") - 1) != 1)) {
1458 fr_tls_strerror_printf(NULL);
1459 PERROR(
"Failed setting KDF label");
1467 MEM(key_buff = talloc_array(NULL,
uint8_t, key_len));
1468 if (EVP_PKEY_derive(pkey_ctx, key_buff, &key_len) != 1) {
1469 fr_tls_strerror_printf(NULL);
1470 PERROR(
"Failed deriving session ticket key");
1475 EVP_PKEY_CTX_free(pkey_ctx);
1477 fr_assert(talloc_array_length(key_buff) == key_len);
1481 if (SSL_CTX_set_tlsext_ticket_keys(ctx,
1482 key_buff, key_len) != 1) {
1483 fr_tls_strerror_printf(NULL);
1484 PERROR(
"Failed setting session ticket keys");
1488 DEBUG3(
"Derived session-ticket-key:");
1496 if (
unlikely(SSL_CTX_set_session_ticket_cb(ctx,
1497 tls_cache_session_ticket_app_data_set,
1498 tls_cache_session_ticket_app_data_get,
1499 UNCONST(fr_tls_cache_conf_t *, cache_conf)) != 1)) {
1500 fr_tls_strerror_printf(NULL);
1501 PERROR(
"Failed setting session ticket callbacks");
1511 SSL_CTX_set_num_tickets(ctx, 1);
1516 SSL_CTX_set_not_resumable_session_callback(ctx, fr_tls_cache_disable_cb);
1517 SSL_CTX_set_quiet_shutdown(ctx, 1);
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
@ UNLANG_ACTION_FAIL
Encountered an unexpected error.
@ UNLANG_ACTION_CALCULATE_RESULT
Calculate a new section rlm_rcode_t value.
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
#define USES_APPLE_DEPRECATED_API
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
#define fr_dbuff_used(_dbuff_or_marker)
Return the number of bytes remaining between the start of the dbuff or marker and the current positio...
static void fr_dbuff_free_talloc(fr_dbuff_t *dbuff)
Free the talloc buffer associated with a dbuff.
#define fr_dbuff_len(_dbuff_or_marker)
The length of the underlying buffer.
#define fr_dbuff_init(_out, _start, _len_or_end)
Initialise an dbuff for encoding or decoding.
#define fr_dbuff_start(_dbuff_or_marker)
Return the 'start' position of a dbuff or marker.
#define fr_dbuff_remaining(_dbuff_or_marker)
Return the number of bytes remaining between the dbuff or marker and the end of the buffer.
static fr_dbuff_t * fr_dbuff_init_talloc(TALLOC_CTX *ctx, fr_dbuff_t *dbuff, fr_dbuff_uctx_talloc_t *tctx, size_t init, size_t max)
Initialise a special dbuff which automatically extends as additional data is written.
static void * fr_dcursor_current(fr_dcursor_t *cursor)
Return the item the cursor current points to.
#define fr_assert_msg(_x, _msg,...)
Calls panic_action ifndef NDEBUG, else logs error and causes the server to exit immediately with code...
fr_dict_attr_t const * fr_dict_root(fr_dict_t const *dict)
Return the root attribute of a dictionary.
bool unlang_request_is_cancelled(request_t const *request)
Return whether a request has been cancelled.
fr_dict_t const * dict_tls
void log_request_pair_list(fr_log_lvl_t lvl, request_t *request, fr_pair_t const *parent, fr_pair_list_t const *vps, char const *prefix)
Print a fr_pair_list_t.
#define REXDENT()
Exdent (unindent) R* messages by one level.
#define ROPTIONAL(_l_request, _l_global, _fmt,...)
Use different logging functions depending on whether request is NULL or not.
#define RDEBUG_ENABLED3
True if request debug level 1-3 messages are enabled.
#define RHEXDUMP4(_data, _len, _fmt,...)
#define ROPTIONAL_ENABLED(_e_request, _e_global)
Check if a debug level is set by the request (if !NULL) or by the global log.
#define RPEDEBUG(fmt,...)
#define HEXDUMP3(_data, _len, _fmt,...)
#define RPWDEBUG(fmt,...)
#define DEBUG_ENABLED3
True if global debug level 1-3 messages are enabled.
#define RINDENT()
Indent R* messages by one level.
fr_value_box_t const * enum_tls_packet_type_store_session
HIDDEN fr_dict_attr_t const * attr_tls_packet_type
fr_value_box_t const * enum_tls_packet_type_success
HIDDEN fr_dict_attr_t const * attr_tls_session_ttl
fr_value_box_t const * enum_tls_session_resumed_stateful
HIDDEN fr_dict_attr_t const * attr_tls_session_data
fr_value_box_t const * enum_tls_packet_type_load_session
HIDDEN fr_dict_attr_t const * attr_tls_session_id
fr_value_box_t const * enum_tls_packet_type_clear_session
fr_value_box_t const * enum_tls_session_resumed_stateless
fr_value_box_t const * enum_tls_packet_type_notfound
HIDDEN fr_dict_attr_t const * attr_tls_session_resume_type
HIDDEN fr_dict_attr_t const * attr_allow_session_resumption
@ L_DBG_LVL_3
3rd highest priority debug messages (-xxx | -Xx).
@ L_DBG_LVL_2
2nd highest priority debug messages (-xx | -X).
@ L_DBG
Only displayed when debugging is enabled.
int fr_pair_value_memdup_buffer(fr_pair_t *vp, uint8_t const *src, bool tainted)
Copy data from a talloced buffer into an "octets" data type.
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
int fr_pair_value_memdup_buffer_shallow(fr_pair_t *vp, uint8_t const *src, bool tainted)
Assign a talloced buffer to a "octets" type value pair.
ssize_t fr_internal_decode_pair_dbuff(TALLOC_CTX *ctx, fr_pair_list_t *out, fr_dict_attr_t const *parent, fr_dbuff_t *dbuff, void *decode_ctx)
ssize_t fr_internal_encode_pair(fr_dbuff_t *dbuff, fr_dcursor_t *cursor, void *encode_ctx)
Encode a data structure into an internal attribute.
#define pair_update_request(_attr, _da)
#define RDEBUG_ENABLED2()
#define pair_append_session_state(_attr, _da)
Allocate and append a fr_pair_t to session-state list.
#define pair_prepend_request(_attr, _da)
Allocate and prepend a fr_pair_t to the request list.
#define fr_time()
Allow us to arbitrarily manipulate time.
Stores an attribute, a value and various bits of other data.
request_t * unlang_subrequest_alloc(request_t *parent, fr_dict_t const *namespace)
Allocate a subrequest to run through a virtual server at some point in the future.
uint8_t * talloc_typed_memdup(TALLOC_CTX *ctx, uint8_t const *in, size_t inlen)
Call talloc_memdup, setting the type on the new chunk correctly.
#define fr_time_lteq(_a, _b)
static int64_t fr_time_delta_to_sec(fr_time_delta_t delta)
static fr_time_t fr_time_from_sec(time_t when)
Convert a time_t (wallclock time) to a fr_time_t (internal time)
#define fr_time_sub(_a, _b)
Subtract one time from another.
fr_pair_t * fr_pair_remove(fr_pair_list_t *list, fr_pair_t *vp)
Remove fr_pair_t from a list without freeing.
void fr_pair_list_free(fr_pair_list_t *list)
Free memory used by a valuepair list.
void fr_pair_list_append(fr_pair_list_t *dst, fr_pair_list_t *src)
Appends a list of fr_pair_t from a temporary list to a destination list.
#define fr_pair_dcursor_init(_cursor, _list)
Initialises a special dcursor with callbacks that will maintain the attr sublists correctly.
void fr_value_box_memdup_shallow(fr_value_box_t *dst, fr_dict_attr_t const *enumv, uint8_t const *src, size_t len, bool tainted)
Assign a buffer to a box, but don't copy it.
#define fr_box_octets_buffer(_val)
static size_t char ** out
#define fr_box_octets(_val, _len)