The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
base.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 3afcbbd08cf4964b6257f55b401875ff989669dc $
19 *
20 * @file src/lib/tls/base.c
21 * @brief Initialise OpenSSL
22 *
23 * @copyright 2001 hereUare Communications, Inc. (raghud@hereuare.com)
24 * @copyright 2003 Alan DeKok (aland@freeradius.org)
25 * @copyright 2006-2016 The FreeRADIUS server project
26 */
27RCSID("$Id: 3afcbbd08cf4964b6257f55b401875ff989669dc $")
28USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
29
30#ifdef WITH_TLS
31#define LOG_PREFIX "tls"
32
33#include "log.h"
34#include "bio.h"
35
36#include <sys/mman.h>
37#include <openssl/conf.h>
38#include <openssl/provider.h>
39
40#include <freeradius-devel/server/base.h>
41#include <freeradius-devel/tls/attrs.h>
42#include <freeradius-devel/tls/base.h>
43#include <freeradius-devel/tls/engine.h>
44#include <freeradius-devel/util/atexit.h>
45#include <freeradius-devel/util/debug.h>
46#include <freeradius-devel/util/math.h>
47#include <freeradius-devel/util/syserror.h>
48
49static uint32_t openssl_instance_count = 0;
50
51/** How big of a stack to allocate for aynsc fibres
52 */
53#define OPENSSL_ASYNC_STACK_SIZE 32768
54
55/** How big of a stack we allocate, rounded up to the nearest page size
56 */
57static size_t openssl_stack_size;
58
59/** Cached page size
60 */
61static size_t openssl_page_size;
62
63/** The context which holds any memory OpenSSL allocates
64 *
65 * This should be used to work around memory leaks in the OpenSSL.
66 */
67_Thread_local TALLOC_CTX *ssl_talloc_ctx;
68
69/** Used to control freeing of thread local OpenSSL resources
70 *
71 */
72static _Thread_local bool *async_pool_init;
73
74static OSSL_PROVIDER *openssl_default_provider = NULL;
75static OSSL_PROVIDER *openssl_legacy_provider = NULL;
76
77static uint32_t tls_instance_count = 0;
78
81fr_dict_t const *dict_tls;
82
83extern fr_dict_autoload_t tls_dict[];
84fr_dict_autoload_t tls_dict[] = {
85 { .out = &dict_freeradius, .proto = "freeradius" },
86 { .out = &dict_tls, .proto = "tls" },
87 { NULL }
88};
89
92
93/*
94 * Certificate decoding attributes
95 */
113
120
126
132
133extern fr_dict_attr_autoload_t tls_dict_attr[];
134fr_dict_attr_autoload_t tls_dict_attr[] = {
135 { .out = &attr_allow_session_resumption, .name = "Allow-Session-Resumption", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
136 { .out = &attr_session_resumed, .name = "EAP-Session-Resumed", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
137
138 /*
139 * Certificate decoding attributes
140 */
141 { .out = &attr_tls_certificate, .name = "TLS-Certificate", .type = FR_TYPE_TLV, .dict = &dict_freeradius },
142 { .out = &attr_tls_certificate_serial, .name = "TLS-Certificate.Serial", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
143 { .out = &attr_tls_certificate_signature, .name = "TLS-Certificate.Signature", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
144 { .out = &attr_tls_certificate_signature_algorithm, .name = "TLS-Certificate.Signature-Algorithm", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
145 { .out = &attr_tls_certificate_issuer, .name = "TLS-Certificate.Issuer", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
146 { .out = &attr_tls_certificate_not_before, .name = "TLS-Certificate.Not-Before", .type = FR_TYPE_DATE, .dict = &dict_freeradius },
147 { .out = &attr_tls_certificate_not_after, .name = "TLS-Certificate.Not-After", .type = FR_TYPE_DATE, .dict = &dict_freeradius },
148 { .out = &attr_tls_certificate_subject, .name = "TLS-Certificate.Subject", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
149 { .out = &attr_tls_certificate_common_name, .name = "TLS-Certificate.Common-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
150 { .out = &attr_tls_certificate_subject_alt_name_dns, .name = "TLS-Certificate.Subject-Alt-Name-Dns", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
151 { .out = &attr_tls_certificate_subject_alt_name_email, .name = "TLS-Certificate.Subject-Alt-Name-Email", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
152 { .out = &attr_tls_certificate_subject_alt_name_upn, .name = "TLS-Certificate.Subject-Alt-Name-Upn", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
153 { .out = &attr_tls_certificate_x509v3_extended_key_usage, .name = "TLS-Certificate.X509v3-Extended-Key-Usage", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
154 { .out = &attr_tls_certificate_x509v3_subject_key_identifier, .name = "TLS-Certificate.X509v3-Subject-Key-Identifier", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
155 { .out = &attr_tls_certificate_x509v3_authority_key_identifier, .name = "TLS-Certificate.X509v3-Authority-Key-Identifier", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
156 { .out = &attr_tls_certificate_x509v3_basic_constraints, .name = "TLS-Certificate.X509v3-Basic-Constraints", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
157 { .out = &attr_tls_certificate_x509v3_crl_distribution_points, .name = "TLS-Certificate.X509v3-CRL-Distribution-Points", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
158
159 { .out = &attr_tls_certificate_chain_depth, .name = "TLS-Certificate-Chain-Depth", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
160 { .out = &attr_tls_client_error_code, .name = "TLS-Client-Error-Code", .type = FR_TYPE_UINT8, .dict = &dict_freeradius },
161 { .out = &attr_tls_ocsp_cert_valid, .name = "TLS-OCSP-Cert-Valid", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
162 { .out = &attr_tls_ocsp_next_update, .name = "TLS-OCSP-Next-Update", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
163 { .out = &attr_tls_ocsp_response, .name = "TLS-OCSP-Response", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
164 { .out = &attr_tls_psk_identity, .name = "TLS-PSK-Identity", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
165
166 { .out = &attr_tls_session_cert_file, .name = "TLS-Session-Certificate-File", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
167 { .out = &attr_tls_session_require_client_cert, .name = "TLS-Session-Require-Client-Certificate", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
168 { .out = &attr_tls_session_cipher_suite, .name = "TLS-Session-Cipher-Suite", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
169 { .out = &attr_tls_session_version, .name = "TLS-Session-Version", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
170 { .out = &attr_tls_session_resume_type, .name = "TLS-Session-Resume-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
171
172 /*
173 * Eventually all TLS attributes will be in the TLS dictionary
174 */
175 { .out = &attr_tls_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_tls },
176 { .out = &attr_tls_session_data, .name = "Session-Data", .type = FR_TYPE_OCTETS, .dict = &dict_tls },
177 { .out = &attr_tls_session_id, .name = "Session-Id", .type = FR_TYPE_OCTETS, .dict = &dict_tls },
178 { .out = &attr_tls_session_resumed, .name = "Session-Resumed", .type = FR_TYPE_BOOL, .dict = &dict_tls },
179 { .out = &attr_tls_session_ttl, .name = "Session-TTL", .type = FR_TYPE_TIME_DELTA, .dict = &dict_tls },
180 { NULL }
181};
182
183/*
184 * request types
185 */
192
193/*
194 * response types
195 */
199
200/*
201 * session resumption
202 */
205
206extern fr_dict_enum_autoload_t tls_dict_enum[];
207fr_dict_enum_autoload_t tls_dict_enum[] = {
208 { .out = &enum_tls_packet_type_load_session, .name = "Load-Session", .attr = &attr_tls_packet_type },
209 { .out = &enum_tls_packet_type_store_session, .name = "Store-Session", .attr = &attr_tls_packet_type },
210 { .out = &enum_tls_packet_type_clear_session, .name = "Clear-Session", .attr = &attr_tls_packet_type },
211 { .out = &enum_tls_packet_type_verify_certificate, .name = "Verify-Certificate", .attr = &attr_tls_packet_type },
212 { .out = &enum_tls_packet_type_new_session, .name = "New-Session", .attr = &attr_tls_packet_type },
213 { .out = &enum_tls_packet_type_establish_session, .name = "Establish-Session", .attr = &attr_tls_packet_type },
214
215 { .out = &enum_tls_packet_type_success, .name = "Success", .attr = &attr_tls_packet_type },
216 { .out = &enum_tls_packet_type_failure, .name = "Failure", .attr = &attr_tls_packet_type },
217 { .out = &enum_tls_packet_type_notfound, .name = "Notfound", .attr = &attr_tls_packet_type },
218
219 { .out = &enum_tls_session_resumed_stateful, .name = "stateful", .attr = &attr_tls_session_resume_type },
220 { .out = &enum_tls_session_resumed_stateless, .name = "stateless", .attr = &attr_tls_session_resume_type },
221 { NULL }
222};
223
224/*
225 * Updated by threads.c in the server, and left alone for everyone else.
226 */
227int fr_tls_max_threads = 1;
228
229/** Allocate memory for OpenSSL in the NULL context
230 *
231 * @param len to alloc.
232 * @return realloc.
233 */
234static void *fr_openssl_talloc(size_t len, char const *file, NDEBUG_UNUSED int line)
235{
236 static char const *async_file;
237 void *chunk;
238
239 if (!file) {
240 chunk = talloc_array(ssl_talloc_ctx, uint8_t, len);
241
242#ifndef NDEBUG
243 talloc_set_name(chunk, "fr_openssl_talloc");
244#endif
245 return chunk;
246 }
247
248 /*
249 * Cache the filename pointer for the async_posix.c
250 * source file, so we can figure out when we're
251 * being asked for stack memory.
252 *
253 * This is terrible, we're basically guessing at the
254 * stack size. OpenSSL 3.1.0 will have proper
255 * allocation functions so we can something more
256 * sensible.
257 */
258 if (!async_file) {
259 char const *sep;
260
261 sep = strrchr(file, '/');
262 if (!sep) {
263 sep = file;
264 } else {
265 sep++;
266 }
267 if (strcmp(sep, "async_posix.c") == 0) {
268 async_file = file;
269 alloc_stack:
270 len *= 4;
271 }
272 } else if (file == async_file) goto alloc_stack;
273
274 chunk = talloc_array(ssl_talloc_ctx, uint8_t, len);
275#ifndef NDEBUG
276 talloc_set_name(chunk, "%s:%d", file, line);
277#endif
278 return chunk;
279}
280
281/** Reallocate memory for OpenSSL in the NULL context
282 *
283 * @param old memory to realloc.
284 * @param len to extend to.
285 * @return realloced memory.
286 */
287static void *fr_openssl_talloc_realloc(void *old, size_t len, NDEBUG_UNUSED char const *file, NDEBUG_UNUSED int line)
288{
289 void *chunk;
290
291 chunk = talloc_realloc_size(ssl_talloc_ctx, old, len);
292#ifndef NDEBUG
293 talloc_set_name(chunk, "%s:%d", file, line);
294#endif
295 return chunk;
296}
297
298/** Free memory allocated by OpenSSL
299 *
300 * @param to_free memory to free.
301 */
302#ifdef NDEBUG
303/*
304 * If we're not debugging, use only the filename. Otherwise the
305 * cost of snprintf() is too large.
306 */
307static void fr_openssl_talloc_free(void *to_free, char const *file, UNUSED int line)
308{
309 (void)_talloc_free(to_free, file);
310}
311#else
312static void fr_openssl_talloc_free(void *to_free, char const *file, int line)
313{
314 char buffer[256];
315
316 snprintf(buffer, sizeof(buffer), "%s:%i", file, line);
317 (void)_talloc_free(to_free, buffer);
318}
319#endif
320
321/** Cleanup async pools if the thread exits
322 *
323 */
324static int _openssl_thread_free(void *init)
325{
326 ASYNC_cleanup_thread();
327 return talloc_free(init);
328}
329
330/** Perform thread-specific initialisation for OpenSSL
331 *
332 * Async contexts are what OpenSSL uses to track
333 *
334 * @param[in] async_pool_size_init The initial number of async contexts
335 * we keep in the pool.
336 * @param[in] async_pool_size_max The maximum number of async contexts
337 * we keep in the thread-local pool.
338 * @return
339 * - 0 on success.
340 * - -1 on failure.
341 */
342int fr_openssl_thread_init(size_t async_pool_size_init, size_t async_pool_size_max)
343{
344 /*
345 * Hack to use thread local destructor code
346 */
347 if (!async_pool_init) {
348 bool *init = talloc_zero(NULL, bool);
349
350 if (ASYNC_init_thread(async_pool_size_max, async_pool_size_init) != 1) {
351 fr_tls_log(NULL, "Failed initialising OpenSSL async context pool");
352 return -1;
353 }
354
355 fr_atexit_thread_local(async_pool_init, _openssl_thread_free, init);
356 }
357
358 return 0;
359}
360
361/** Free any memory alloced by libssl
362 *
363 * OpenSSL >= 1.1.0 uses an atexit handler to automatically free
364 * memory. However, we need to call OPENSSL_cleanup manually because
365 * some of the SSL ctx is parented to the main config which will get
366 * freed before the atexit handler, causing a segfault on exit.
367 */
368void fr_openssl_free(void)
369{
370 if (--openssl_instance_count > 0) return;
371
372 fr_tls_log_free();
373
374 fr_tls_bio_free();
375}
376
377static void _openssl_provider_free(void)
378{
379 if (openssl_default_provider && !OSSL_PROVIDER_unload(openssl_default_provider)) {
380 fr_tls_log(NULL, "Failed unloading default provider");
381 }
382 openssl_default_provider = NULL;
383
384 if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
385 fr_tls_log(NULL, "Failed unloading legacy provider");
386 }
387 openssl_legacy_provider = NULL;
388}
389
390static int fr_openssl_cleanup(UNUSED void *uctx)
391{
392 OPENSSL_cleanup();
393 return 0;
394}
395
396#if OPENSSL_VERSION_NUMBER >= 0x30400000L
397
398static void *fr_openssl_stack_alloc(size_t *len)
399{
400 void *stack;
401
402 if (posix_memalign(&stack, openssl_page_size, openssl_stack_size + openssl_page_size) != 0) {
403 fr_tls_log(NULL, "Failed allocating OpenSSL stack: %s", fr_syserror(errno));
404 return NULL;
405 }
406
407 /*
408 * Catch reads and writes going off the end of the stack.
409 */
410 if (mprotect((uint8_t *)stack + openssl_stack_size, openssl_page_size, PROT_NONE) < 0) {
411 fr_tls_log(NULL, "Failed adding guard page to OpenSSL stack: %s", fr_syserror(errno));
412 free(stack);
413 return NULL;
414 }
415 *len = openssl_stack_size;
416
417 return stack;
418}
419
420static void fr_openssl_stack_free(void *stack)
421{
422 /*
423 * Remove the guard page. If this failed, we can't continue
424 * as we'll have random protected memory chunks
425 */
426 if (unlikely(mprotect((uint8_t *)stack + openssl_stack_size, openssl_page_size, PROT_READ | PROT_WRITE) < 0)) {
427 fr_assert_msg(0, "Uprotecting OpenSSL stack memory failed, can't continue: %s", fr_syserror(errno));
428 fr_exit(1);
429 }
430 free(stack);
431}
432#endif
433
434/** Add all the default ciphers and message digests to our context.
435 *
436 * This should be called exactly once from main, before reading the main config
437 * or initialising any modules.
438 */
439int fr_openssl_init(void)
440{
441 if (openssl_instance_count > 0) {
442 openssl_instance_count++;
443 return 0;
444 }
445
446 openssl_page_size = (size_t)getpagesize();
447 openssl_stack_size = ROUND_UP_POW2(OPENSSL_ASYNC_STACK_SIZE, openssl_page_size);
448
449
450 /*
451 * This will only fail if memory has already been allocated
452 * by OpenSSL.
453 */
454 if (CRYPTO_set_mem_functions(fr_openssl_talloc, fr_openssl_talloc_realloc, fr_openssl_talloc_free) != 1) {
455 fr_tls_log(NULL, "Failed to set OpenSSL memory allocation functions. fr_openssl_init() called too late");
456 return -1;
457 }
458
459 /*
460 * Setup custom memory allocators for allocating greenthread
461 * stacks, so we can add guard pages.
462 */
463#if OPENSSL_VERSION_NUMBER >= 0x30400000L
464 if (ASYNC_set_mem_functions(fr_openssl_stack_alloc, fr_openssl_stack_free) != 1) {
465 fr_tls_log(NULL, "Failed to set OpenSSL async stack allocation functions");
466 return -1;
467 }
468#endif
469
470 /*
471 * NO_ATEXIT has no effect if init is done after
472 * loading providers, and we need to control the
473 * exit handler as it needs to be executed last
474 * after all the EVP_MD ctx have been called, as
475 * they may unload elements of providers once all
476 * the contexts have been cleaned up.
477 */
478 if (OPENSSL_init_ssl(OPENSSL_INIT_NO_ATEXIT | OPENSSL_INIT_LOAD_CONFIG, NULL) != 1) {
479 fr_tls_log(NULL, "Failed calling OPENSSL_init_crypto()");
480 return -1;
481 }
482
483 /*
484 * Load the default provider for most algorithms
485 */
486 openssl_default_provider = OSSL_PROVIDER_load(NULL, "default");
487 if (!openssl_default_provider) {
488 fr_tls_log(NULL, "Failed loading default provider");
489 return -1;
490 }
491
492 /*
493 * Needed for MD4
494 *
495 * https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Legacy-Algorithms
496 */
497 openssl_legacy_provider = OSSL_PROVIDER_load(NULL, "legacy");
498 if (!openssl_legacy_provider) {
499 fr_tls_log(NULL, "Failed loading legacy provider");
500 return -1;
501 }
502
503 /*
504 * It's best to use OpenSSL's cleanup stack
505 * as then everything is cleaned up relative
506 * to the OPENSSL_cleanup() call.
507 */
508 OPENSSL_atexit(_openssl_provider_free);
509
510 /*
511 * SHA256 is in all versions of OpenSSL, but isn't
512 * initialized by default. It's needed for WiMAX
513 * certificates.
514 */
515 EVP_add_digest(EVP_sha256());
516
517 fr_tls_log_init();
518
519 fr_tls_bio_init();
520
521 /*
522 * Use an atexit handler to try and ensure
523 * that OpenSSL gets freed last.
524 *
525 * All EVP_*ctxs need to be freed before we
526 * de-initialise the libraries else we get
527 * crashes (at least with OpenSSL 3.0.1).
528 */
529 fr_atexit_global(fr_openssl_cleanup, NULL);
530
531 openssl_instance_count++;
532
533 return 0;
534}
535
536/** Enable or disable fips mode
537 *
538 * @param[in] enabled If true enable fips mode if false disable fips mode.
539 * @return
540 * - 0 on success.
541 * - -1 on failure
542 */
543int fr_openssl_fips_mode(bool enabled)
544{
545 if (!EVP_set_default_properties(NULL, enabled ? "fips=yes" : "fips=no")) {
546 fr_tls_log(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
547 return -1;
548 }
549
550 return 0;
551}
552
553/** Load dictionary attributes
554 *
555 * This is a separate function because of ordering issues.
556 * OpenSSL may need to be initialised before anything else
557 * including the dictionary loader.
558 *
559 * fr_openssl_free will unload both the dictionary and the
560 * OpenSSL library.
561 */
562int fr_tls_dict_init(void)
563{
564 if (tls_instance_count > 0) {
565 tls_instance_count++;
566 return 0;
567 }
568
569 tls_instance_count++;
570
571 if (fr_dict_autoload(tls_dict) < 0) {
572 PERROR("Failed initialising protocol library");
573 fail:
574 tls_instance_count--;
575 fr_openssl_free();
576 return -1;
577 }
578
579 if (fr_dict_attr_autoload(tls_dict_attr) < 0) {
580 PERROR("Failed resolving attributes");
581 goto fail;
582 }
583
584 if (fr_dict_enum_autoload(tls_dict_enum) < 0) {
585 PERROR("Failed resolving enums");
586 goto fail;
587 }
588
589 return 0;
590}
591
592void fr_tls_dict_free(void)
593{
594 if (--tls_instance_count > 0) return;
595
596 fr_dict_autofree(tls_dict);
597}
598#endif /* WITH_TLS */
static int const char char buffer[256]
Definition acutest.h:576
int const char * file
Definition acutest.h:702
int const char int line
Definition acutest.h:702
#define fr_atexit_global(_func, _uctx)
Add a free function to the global free list.
Definition atexit.h:59
#define fr_atexit_thread_local(_name, _free, _uctx)
Definition atexit.h:221
static bool init
Definition fuzzer.c:41
#define USES_APPLE_DEPRECATED_API
Definition build.h:472
#define RCSID(id)
Definition build.h:485
#define NDEBUG_UNUSED
Definition build.h:328
#define unlikely(_x)
Definition build.h:383
#define UNUSED
Definition build.h:317
#define fr_assert_msg(_x, _msg,...)
Calls panic_action ifndef NDEBUG, else logs error and causes the server to exit immediately with code...
Definition debug.h:210
#define fr_exit(_x)
Exit, producing a log message in debug builds.
Definition debug.h:228
int fr_dict_enum_autoload(fr_dict_enum_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
Definition dict_util.c:4095
#define fr_dict_autofree(_to_free)
Definition dict.h:869
fr_value_box_t const ** out
Enumeration value.
Definition dict.h:262
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:273
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:286
int fr_dict_attr_autoload(fr_dict_attr_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
Definition dict_util.c:4134
#define fr_dict_autoload(_to_load)
Definition dict.h:866
Specifies an attribute which must be present for the module to function.
Definition dict.h:272
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:285
Specifies a value which must be present for the module to function.
Definition dict.h:261
free(array)
static fr_dict_t const * dict_freeradius
Definition base.c:37
fr_dict_attr_t const * attr_tls_certificate
Attribute definitions for lib curl.
Definition base.c:36
fr_dict_t const * dict_tls
Definition base.c:79
fr_dict_t const * dict_radius
Definition base.c:78
#define PERROR(_fmt,...)
Definition log.h:228
fr_value_box_t const * enum_tls_packet_type_store_session
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_extended_key_usage
HIDDEN fr_dict_attr_t const * attr_tls_packet_type
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_authority_key_identifier
HIDDEN fr_dict_attr_t const * attr_session_resumed
fr_value_box_t const * enum_tls_packet_type_failure
HIDDEN fr_dict_attr_t const * attr_tls_session_resumed
HIDDEN fr_dict_attr_t const * attr_tls_session_version
HIDDEN fr_dict_attr_t const * attr_tls_ocsp_cert_valid
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_basic_constraints
fr_value_box_t const * enum_tls_packet_type_success
HIDDEN fr_dict_attr_t const * attr_tls_certificate_serial
HIDDEN fr_dict_attr_t const * attr_tls_session_require_client_cert
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject_alt_name_dns
HIDDEN fr_dict_attr_t const * attr_tls_session_ttl
fr_value_box_t const * enum_tls_session_resumed_stateful
HIDDEN fr_dict_attr_t const * attr_tls_session_data
HIDDEN fr_dict_attr_t const * attr_tls_certificate_not_after
HIDDEN fr_dict_attr_t const * attr_tls_certificate_not_before
fr_value_box_t const * enum_tls_packet_type_new_session
HIDDEN fr_dict_attr_t const * attr_tls_certificate_signature_algorithm
HIDDEN fr_dict_attr_t const * attr_tls_client_error_code
fr_value_box_t const * enum_tls_packet_type_load_session
fr_value_box_t const * enum_tls_packet_type_establish_session
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject_alt_name_upn
HIDDEN fr_dict_attr_t const * attr_tls_ocsp_response
HIDDEN fr_dict_attr_t const * attr_tls_session_id
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_subject_key_identifier
fr_value_box_t const * enum_tls_packet_type_clear_session
HIDDEN fr_dict_attr_t const * attr_tls_session_cipher_suite
HIDDEN fr_dict_attr_t const * attr_tls_certificate_common_name
HIDDEN fr_dict_attr_t const * attr_tls_psk_identity
HIDDEN fr_dict_attr_t const * attr_tls_certificate_issuer
fr_value_box_t const * enum_tls_session_resumed_stateless
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_crl_distribution_points
fr_value_box_t const * enum_tls_packet_type_notfound
HIDDEN fr_dict_attr_t const * attr_tls_certificate_signature
HIDDEN fr_dict_attr_t const * attr_tls_session_resume_type
HIDDEN fr_dict_attr_t const * attr_tls_ocsp_next_update
fr_value_box_t const * enum_tls_packet_type_verify_certificate
HIDDEN fr_dict_attr_t const * attr_tls_session_cert_file
HIDDEN fr_dict_attr_t const * attr_tls_certificate_chain_depth
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject_alt_name_email
HIDDEN fr_dict_attr_t const * attr_allow_session_resumption
talloc_free(reap)
static char * stack[MAX_STACK]
Definition radmin.c:159
#define ROUND_UP_POW2(_num, _mul)
Round up - Only works if _mul is a power of 2 but avoids division.
Definition math.h:144
@ FR_TYPE_TIME_DELTA
A period of time measured in nanoseconds.
@ FR_TYPE_TLV
Contains nested attributes.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_DATE
Unix time stamp, always has value >2^31.
@ FR_TYPE_UINT8
8 Bit unsigned integer.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_BOOL
A truth value.
@ FR_TYPE_OCTETS
Raw octets.
unsigned int uint32_t
unsigned char uint8_t
unsigned long int size_t
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition snprintf.c:689
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition syserror.c:243