27RCSID(
"$Id: 3afcbbd08cf4964b6257f55b401875ff989669dc $")
31#define LOG_PREFIX "tls"
37#include <openssl/conf.h>
38#include <openssl/provider.h>
40#include <freeradius-devel/server/base.h>
41#include <freeradius-devel/tls/attrs.h>
42#include <freeradius-devel/tls/base.h>
43#include <freeradius-devel/tls/engine.h>
44#include <freeradius-devel/util/atexit.h>
45#include <freeradius-devel/util/debug.h>
46#include <freeradius-devel/util/math.h>
47#include <freeradius-devel/util/syserror.h>
49static uint32_t openssl_instance_count = 0;
53#define OPENSSL_ASYNC_STACK_SIZE 32768
57static size_t openssl_stack_size;
61static size_t openssl_page_size;
67_Thread_local TALLOC_CTX *ssl_talloc_ctx;
72static _Thread_local
bool *async_pool_init;
74static OSSL_PROVIDER *openssl_default_provider = NULL;
75static OSSL_PROVIDER *openssl_legacy_provider = NULL;
77static uint32_t tls_instance_count = 0;
86 { .out = &
dict_tls, .proto =
"tls" },
227int fr_tls_max_threads = 1;
236 static char const *async_file;
240 chunk = talloc_array(ssl_talloc_ctx,
uint8_t, len);
243 talloc_set_name(chunk,
"fr_openssl_talloc");
261 sep = strrchr(
file,
'/');
267 if (strcmp(sep,
"async_posix.c") == 0) {
272 }
else if (
file == async_file)
goto alloc_stack;
274 chunk = talloc_array(ssl_talloc_ctx,
uint8_t, len);
276 talloc_set_name(chunk,
"%s:%d",
file,
line);
291 chunk = talloc_realloc_size(ssl_talloc_ctx, old, len);
293 talloc_set_name(chunk,
"%s:%d",
file,
line);
307static void fr_openssl_talloc_free(
void *to_free,
char const *
file,
UNUSED int line)
309 (void)_talloc_free(to_free,
file);
312static void fr_openssl_talloc_free(
void *to_free,
char const *
file,
int line)
317 (void)_talloc_free(to_free,
buffer);
324static int _openssl_thread_free(
void *
init)
326 ASYNC_cleanup_thread();
342int fr_openssl_thread_init(
size_t async_pool_size_init,
size_t async_pool_size_max)
347 if (!async_pool_init) {
348 bool *
init = talloc_zero(NULL,
bool);
350 if (ASYNC_init_thread(async_pool_size_max, async_pool_size_init) != 1) {
351 fr_tls_log(NULL,
"Failed initialising OpenSSL async context pool");
368void fr_openssl_free(
void)
370 if (--openssl_instance_count > 0)
return;
377static void _openssl_provider_free(
void)
379 if (openssl_default_provider && !OSSL_PROVIDER_unload(openssl_default_provider)) {
380 fr_tls_log(NULL,
"Failed unloading default provider");
382 openssl_default_provider = NULL;
384 if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
385 fr_tls_log(NULL,
"Failed unloading legacy provider");
387 openssl_legacy_provider = NULL;
390static int fr_openssl_cleanup(
UNUSED void *uctx)
396#if OPENSSL_VERSION_NUMBER >= 0x30400000L
398static void *fr_openssl_stack_alloc(
size_t *len)
402 if (posix_memalign(&
stack, openssl_page_size, openssl_stack_size + openssl_page_size) != 0) {
403 fr_tls_log(NULL,
"Failed allocating OpenSSL stack: %s",
fr_syserror(errno));
410 if (mprotect((
uint8_t *)
stack + openssl_stack_size, openssl_page_size, PROT_NONE) < 0) {
411 fr_tls_log(NULL,
"Failed adding guard page to OpenSSL stack: %s",
fr_syserror(errno));
415 *len = openssl_stack_size;
420static void fr_openssl_stack_free(
void *
stack)
426 if (
unlikely(mprotect((
uint8_t *)
stack + openssl_stack_size, openssl_page_size, PROT_READ | PROT_WRITE) < 0)) {
439int fr_openssl_init(
void)
441 if (openssl_instance_count > 0) {
442 openssl_instance_count++;
446 openssl_page_size = (
size_t)getpagesize();
447 openssl_stack_size =
ROUND_UP_POW2(OPENSSL_ASYNC_STACK_SIZE, openssl_page_size);
454 if (CRYPTO_set_mem_functions(fr_openssl_talloc, fr_openssl_talloc_realloc, fr_openssl_talloc_free) != 1) {
455 fr_tls_log(NULL,
"Failed to set OpenSSL memory allocation functions. fr_openssl_init() called too late");
463#if OPENSSL_VERSION_NUMBER >= 0x30400000L
464 if (ASYNC_set_mem_functions(fr_openssl_stack_alloc, fr_openssl_stack_free) != 1) {
465 fr_tls_log(NULL,
"Failed to set OpenSSL async stack allocation functions");
478 if (OPENSSL_init_ssl(OPENSSL_INIT_NO_ATEXIT | OPENSSL_INIT_LOAD_CONFIG, NULL) != 1) {
479 fr_tls_log(NULL,
"Failed calling OPENSSL_init_crypto()");
486 openssl_default_provider = OSSL_PROVIDER_load(NULL,
"default");
487 if (!openssl_default_provider) {
488 fr_tls_log(NULL,
"Failed loading default provider");
497 openssl_legacy_provider = OSSL_PROVIDER_load(NULL,
"legacy");
498 if (!openssl_legacy_provider) {
499 fr_tls_log(NULL,
"Failed loading legacy provider");
508 OPENSSL_atexit(_openssl_provider_free);
515 EVP_add_digest(EVP_sha256());
531 openssl_instance_count++;
543int fr_openssl_fips_mode(
bool enabled)
545 if (!EVP_set_default_properties(NULL, enabled ?
"fips=yes" :
"fips=no")) {
546 fr_tls_log(NULL,
"Failed %s OpenSSL FIPS mode", enabled ?
"enabling" :
"disabling");
562int fr_tls_dict_init(
void)
564 if (tls_instance_count > 0) {
565 tls_instance_count++;
569 tls_instance_count++;
572 PERROR(
"Failed initialising protocol library");
574 tls_instance_count--;
580 PERROR(
"Failed resolving attributes");
585 PERROR(
"Failed resolving enums");
592void fr_tls_dict_free(
void)
594 if (--tls_instance_count > 0)
return;
static int const char char buffer[256]
#define fr_atexit_global(_func, _uctx)
Add a free function to the global free list.
#define fr_atexit_thread_local(_name, _free, _uctx)
#define USES_APPLE_DEPRECATED_API
#define fr_assert_msg(_x, _msg,...)
Calls panic_action ifndef NDEBUG, else logs error and causes the server to exit immediately with code...
#define fr_exit(_x)
Exit, producing a log message in debug builds.
int fr_dict_enum_autoload(fr_dict_enum_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
#define fr_dict_autofree(_to_free)
fr_value_box_t const ** out
Enumeration value.
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
int fr_dict_attr_autoload(fr_dict_attr_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
#define fr_dict_autoload(_to_load)
Specifies an attribute which must be present for the module to function.
Specifies a dictionary which must be loaded/loadable for the module to function.
Specifies a value which must be present for the module to function.
static fr_dict_t const * dict_freeradius
fr_dict_attr_t const * attr_tls_certificate
Attribute definitions for lib curl.
fr_dict_t const * dict_tls
fr_dict_t const * dict_radius
fr_value_box_t const * enum_tls_packet_type_store_session
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_extended_key_usage
HIDDEN fr_dict_attr_t const * attr_tls_packet_type
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_authority_key_identifier
HIDDEN fr_dict_attr_t const * attr_session_resumed
fr_value_box_t const * enum_tls_packet_type_failure
HIDDEN fr_dict_attr_t const * attr_tls_session_resumed
HIDDEN fr_dict_attr_t const * attr_tls_session_version
HIDDEN fr_dict_attr_t const * attr_tls_ocsp_cert_valid
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_basic_constraints
fr_value_box_t const * enum_tls_packet_type_success
HIDDEN fr_dict_attr_t const * attr_tls_certificate_serial
HIDDEN fr_dict_attr_t const * attr_tls_session_require_client_cert
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject_alt_name_dns
HIDDEN fr_dict_attr_t const * attr_tls_session_ttl
fr_value_box_t const * enum_tls_session_resumed_stateful
HIDDEN fr_dict_attr_t const * attr_tls_session_data
HIDDEN fr_dict_attr_t const * attr_tls_certificate_not_after
HIDDEN fr_dict_attr_t const * attr_tls_certificate_not_before
fr_value_box_t const * enum_tls_packet_type_new_session
HIDDEN fr_dict_attr_t const * attr_tls_certificate_signature_algorithm
HIDDEN fr_dict_attr_t const * attr_tls_client_error_code
fr_value_box_t const * enum_tls_packet_type_load_session
fr_value_box_t const * enum_tls_packet_type_establish_session
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject_alt_name_upn
HIDDEN fr_dict_attr_t const * attr_tls_ocsp_response
HIDDEN fr_dict_attr_t const * attr_tls_session_id
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_subject_key_identifier
fr_value_box_t const * enum_tls_packet_type_clear_session
HIDDEN fr_dict_attr_t const * attr_tls_session_cipher_suite
HIDDEN fr_dict_attr_t const * attr_tls_certificate_common_name
HIDDEN fr_dict_attr_t const * attr_tls_psk_identity
HIDDEN fr_dict_attr_t const * attr_tls_certificate_issuer
fr_value_box_t const * enum_tls_session_resumed_stateless
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_crl_distribution_points
fr_value_box_t const * enum_tls_packet_type_notfound
HIDDEN fr_dict_attr_t const * attr_tls_certificate_signature
HIDDEN fr_dict_attr_t const * attr_tls_session_resume_type
HIDDEN fr_dict_attr_t const * attr_tls_ocsp_next_update
fr_value_box_t const * enum_tls_packet_type_verify_certificate
HIDDEN fr_dict_attr_t const * attr_tls_session_cert_file
HIDDEN fr_dict_attr_t const * attr_tls_certificate_chain_depth
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject_alt_name_email
HIDDEN fr_dict_attr_t const * attr_allow_session_resumption
static char * stack[MAX_STACK]
#define ROUND_UP_POW2(_num, _mul)
Round up - Only works if _mul is a power of 2 but avoids division.
@ FR_TYPE_TIME_DELTA
A period of time measured in nanoseconds.
@ FR_TYPE_TLV
Contains nested attributes.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_DATE
Unix time stamp, always has value >2^31.
@ FR_TYPE_UINT8
8 Bit unsigned integer.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_BOOL
A truth value.
@ FR_TYPE_OCTETS
Raw octets.
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.