The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
base.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: db8168a2bd97e71fe506ed2868772f3ab4d8abd4 $
19 *
20 * @file src/lib/tls/base.c
21 * @brief Initialise OpenSSL
22 *
23 * @copyright 2001 hereUare Communications, Inc. (raghud@hereuare.com)
24 * @copyright 2003 Alan DeKok (aland@freeradius.org)
25 * @copyright 2006-2016 The FreeRADIUS server project
26 */
27RCSID("$Id: db8168a2bd97e71fe506ed2868772f3ab4d8abd4 $")
28USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
29
30#ifdef WITH_TLS
31#define LOG_PREFIX "tls"
32
33#include "log.h"
34#include "bio.h"
35
36#include <sys/mman.h>
37#include <openssl/conf.h>
38#include <openssl/provider.h>
39
40#include <freeradius-devel/server/base.h>
41#include <freeradius-devel/tls/attrs.h>
42#include <freeradius-devel/tls/base.h>
43#include <freeradius-devel/tls/engine.h>
44#include <freeradius-devel/util/atexit.h>
45#include <freeradius-devel/util/debug.h>
46#include <freeradius-devel/util/math.h>
47#include <freeradius-devel/util/syserror.h>
48
49static uint32_t openssl_instance_count = 0;
50
51/** How big of a stack to allocate for aynsc fibres
52 */
53#define OPENSSL_ASYNC_STACK_SIZE 32768
54
55/** How big of a stack we allocate, rounded up to the nearest page size
56 */
57static size_t openssl_stack_size;
58
59/** Cached page size
60 */
61static size_t openssl_page_size;
62
63/** The context which holds any memory OpenSSL allocates
64 *
65 * This should be used to work around memory leaks in the OpenSSL.
66 */
67_Thread_local TALLOC_CTX *ssl_talloc_ctx;
68
69/** Used to control freeing of thread local OpenSSL resources
70 *
71 */
72static _Thread_local bool *async_pool_init;
73
74static OSSL_PROVIDER *openssl_default_provider = NULL;
75static OSSL_PROVIDER *openssl_legacy_provider = NULL;
76
77static uint32_t tls_instance_count = 0;
78
81fr_dict_t const *dict_tls;
82
83extern fr_dict_autoload_t tls_dict[];
84fr_dict_autoload_t tls_dict[] = {
85 { .out = &dict_freeradius, .proto = "freeradius" },
86 { .out = &dict_tls, .proto = "tls" },
87 { NULL }
88};
89
92
93/*
94 * Certificate decoding attributes
95 */
113
120
126
128
134
135extern fr_dict_attr_autoload_t tls_dict_attr[];
136fr_dict_attr_autoload_t tls_dict_attr[] = {
137 { .out = &attr_allow_session_resumption, .name = "Allow-Session-Resumption", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
138 { .out = &attr_session_resumed, .name = "EAP-Session-Resumed", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
139
140 /*
141 * Certificate decoding attributes
142 */
143 { .out = &attr_tls_certificate, .name = "TLS-Certificate", .type = FR_TYPE_TLV, .dict = &dict_freeradius },
144 { .out = &attr_tls_certificate_serial, .name = "TLS-Certificate.Serial", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
145 { .out = &attr_tls_certificate_signature, .name = "TLS-Certificate.Signature", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
146 { .out = &attr_tls_certificate_signature_algorithm, .name = "TLS-Certificate.Signature-Algorithm", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
147 { .out = &attr_tls_certificate_issuer, .name = "TLS-Certificate.Issuer", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
148 { .out = &attr_tls_certificate_not_before, .name = "TLS-Certificate.Not-Before", .type = FR_TYPE_DATE, .dict = &dict_freeradius },
149 { .out = &attr_tls_certificate_not_after, .name = "TLS-Certificate.Not-After", .type = FR_TYPE_DATE, .dict = &dict_freeradius },
150 { .out = &attr_tls_certificate_subject, .name = "TLS-Certificate.Subject", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
151 { .out = &attr_tls_certificate_common_name, .name = "TLS-Certificate.Common-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
152 { .out = &attr_tls_certificate_subject_alt_name_dns, .name = "TLS-Certificate.Subject-Alt-Name-Dns", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
153 { .out = &attr_tls_certificate_subject_alt_name_email, .name = "TLS-Certificate.Subject-Alt-Name-Email", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
154 { .out = &attr_tls_certificate_subject_alt_name_upn, .name = "TLS-Certificate.Subject-Alt-Name-Upn", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
155 { .out = &attr_tls_certificate_x509v3_extended_key_usage, .name = "TLS-Certificate.X509v3-Extended-Key-Usage", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
156 { .out = &attr_tls_certificate_x509v3_subject_key_identifier, .name = "TLS-Certificate.X509v3-Subject-Key-Identifier", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
157 { .out = &attr_tls_certificate_x509v3_authority_key_identifier, .name = "TLS-Certificate.X509v3-Authority-Key-Identifier", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
158 { .out = &attr_tls_certificate_x509v3_basic_constraints, .name = "TLS-Certificate.X509v3-Basic-Constraints", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
159 { .out = &attr_tls_certificate_x509v3_crl_distribution_points, .name = "TLS-Certificate.X509v3-CRL-Distribution-Points", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
160
161 { .out = &attr_tls_certificate_chain_depth, .name = "TLS-Certificate-Chain-Depth", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
162 { .out = &attr_tls_client_error_code, .name = "TLS-Client-Error-Code", .type = FR_TYPE_UINT8, .dict = &dict_freeradius },
163 { .out = &attr_tls_ocsp_cert_valid, .name = "TLS-OCSP-Cert-Valid", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
164 { .out = &attr_tls_ocsp_next_update, .name = "TLS-OCSP-Next-Update", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
165 { .out = &attr_tls_ocsp_response, .name = "TLS-OCSP-Response", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
166 { .out = &attr_tls_psk_identity, .name = "TLS-PSK-Identity", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
167
168 { .out = &attr_tls_session_cert_file, .name = "TLS-Session-Certificate-File", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
169 { .out = &attr_tls_session_require_client_cert, .name = "TLS-Session-Require-Client-Certificate", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
170 { .out = &attr_tls_session_cipher_suite, .name = "TLS-Session-Cipher-Suite", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
171 { .out = &attr_tls_session_version, .name = "TLS-Session-Version", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
172 { .out = &attr_tls_session_resume_type, .name = "TLS-Session-Resume-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
173
174 { .out = &attr_module_failure_message, .name = "Module-Failure-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
175
176 /*
177 * Eventually all TLS attributes will be in the TLS dictionary
178 */
179 { .out = &attr_tls_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_tls },
180 { .out = &attr_tls_session_data, .name = "Session-Data", .type = FR_TYPE_OCTETS, .dict = &dict_tls },
181 { .out = &attr_tls_session_id, .name = "Session-Id", .type = FR_TYPE_OCTETS, .dict = &dict_tls },
182 { .out = &attr_tls_session_resumed, .name = "Session-Resumed", .type = FR_TYPE_BOOL, .dict = &dict_tls },
183 { .out = &attr_tls_session_ttl, .name = "Session-TTL", .type = FR_TYPE_TIME_DELTA, .dict = &dict_tls },
184 { NULL }
185};
186
187/*
188 * request types
189 */
196
197/*
198 * response types
199 */
203
204/*
205 * session resumption
206 */
209
210extern fr_dict_enum_autoload_t tls_dict_enum[];
211fr_dict_enum_autoload_t tls_dict_enum[] = {
212 { .out = &enum_tls_packet_type_load_session, .name = "Load-Session", .attr = &attr_tls_packet_type },
213 { .out = &enum_tls_packet_type_store_session, .name = "Store-Session", .attr = &attr_tls_packet_type },
214 { .out = &enum_tls_packet_type_clear_session, .name = "Clear-Session", .attr = &attr_tls_packet_type },
215 { .out = &enum_tls_packet_type_verify_certificate, .name = "Verify-Certificate", .attr = &attr_tls_packet_type },
216 { .out = &enum_tls_packet_type_new_session, .name = "New-Session", .attr = &attr_tls_packet_type },
217 { .out = &enum_tls_packet_type_establish_session, .name = "Establish-Session", .attr = &attr_tls_packet_type },
218
219 { .out = &enum_tls_packet_type_success, .name = "Success", .attr = &attr_tls_packet_type },
220 { .out = &enum_tls_packet_type_failure, .name = "Failure", .attr = &attr_tls_packet_type },
221 { .out = &enum_tls_packet_type_notfound, .name = "Notfound", .attr = &attr_tls_packet_type },
222
223 { .out = &enum_tls_session_resumed_stateful, .name = "stateful", .attr = &attr_tls_session_resume_type },
224 { .out = &enum_tls_session_resumed_stateless, .name = "stateless", .attr = &attr_tls_session_resume_type },
225 { NULL }
226};
227
228/*
229 * Updated by threads.c in the server, and left alone for everyone else.
230 */
231int fr_tls_max_threads = 1;
232
233/** Allocate memory for OpenSSL in the NULL context
234 *
235 * @param len to alloc.
236 * @return realloc.
237 */
238static void *fr_openssl_talloc(size_t len, char const *file, NDEBUG_UNUSED int line)
239{
240 static char const *async_file;
241 void *chunk;
242
243 if (!file) {
244 chunk = talloc_array(ssl_talloc_ctx, uint8_t, len);
245
246#ifndef NDEBUG
247 talloc_set_name(chunk, "fr_openssl_talloc");
248#endif
249 return chunk;
250 }
251
252 /*
253 * Cache the filename pointer for the async_posix.c
254 * source file, so we can figure out when we're
255 * being asked for stack memory.
256 *
257 * This is terrible, we're basically guessing at the
258 * stack size. OpenSSL 3.1.0 will have proper
259 * allocation functions so we can something more
260 * sensible.
261 */
262 if (!async_file) {
263 char const *sep;
264
265 sep = strrchr(file, '/');
266 if (!sep) {
267 sep = file;
268 } else {
269 sep++;
270 }
271 if (strcmp(sep, "async_posix.c") == 0) {
272 async_file = file;
273 alloc_stack:
274 len *= 4;
275 }
276 } else if (file == async_file) goto alloc_stack;
277
278 chunk = talloc_array(ssl_talloc_ctx, uint8_t, len);
279#ifndef NDEBUG
280 talloc_set_name(chunk, "%s:%d", file, line);
281#endif
282 return chunk;
283}
284
285/** Reallocate memory for OpenSSL in the NULL context
286 *
287 * @param old memory to realloc.
288 * @param len to extend to.
289 * @return realloced memory.
290 */
291static void *fr_openssl_talloc_realloc(void *old, size_t len, NDEBUG_UNUSED char const *file, NDEBUG_UNUSED int line)
292{
293 void *chunk;
294
295 chunk = talloc_realloc_size(ssl_talloc_ctx, old, len);
296#ifndef NDEBUG
297 talloc_set_name(chunk, "%s:%d", file, line);
298#endif
299 return chunk;
300}
301
302/** Free memory allocated by OpenSSL
303 *
304 * @param to_free memory to free.
305 */
306#ifdef NDEBUG
307/*
308 * If we're not debugging, use only the filename. Otherwise the
309 * cost of snprintf() is too large.
310 */
311static void fr_openssl_talloc_free(void *to_free, char const *file, UNUSED int line)
312{
313 (void)_talloc_free(to_free, file);
314}
315#else
316static void fr_openssl_talloc_free(void *to_free, char const *file, int line)
317{
318 char buffer[256];
319
320 snprintf(buffer, sizeof(buffer), "%s:%i", file, line);
321 (void)_talloc_free(to_free, buffer);
322}
323#endif
324
325/** Cleanup async pools if the thread exits
326 *
327 */
328static int _openssl_thread_free(void *init)
329{
330 ASYNC_cleanup_thread();
331 return talloc_free(init);
332}
333
334/** Perform thread-specific initialisation for OpenSSL
335 *
336 * Async contexts are what OpenSSL uses to track
337 *
338 * @param[in] async_pool_size_init The initial number of async contexts
339 * we keep in the pool.
340 * @param[in] async_pool_size_max The maximum number of async contexts
341 * we keep in the thread-local pool.
342 * @return
343 * - 0 on success.
344 * - -1 on failure.
345 */
346int fr_openssl_thread_init(size_t async_pool_size_init, size_t async_pool_size_max)
347{
348 /*
349 * Hack to use thread local destructor code
350 */
351 if (!async_pool_init) {
352 bool *init = talloc_zero(NULL, bool);
353
354 if (ASYNC_init_thread(async_pool_size_max, async_pool_size_init) != 1) {
355 fr_tls_log(NULL, "Failed initialising OpenSSL async context pool");
356 return -1;
357 }
358
359 fr_atexit_thread_local(async_pool_init, _openssl_thread_free, init);
360 }
361
362 return 0;
363}
364
365/** Free any memory alloced by libssl
366 *
367 * OpenSSL >= 1.1.0 uses an atexit handler to automatically free
368 * memory. However, we need to call OPENSSL_cleanup manually because
369 * some of the SSL ctx is parented to the main config which will get
370 * freed before the atexit handler, causing a segfault on exit.
371 */
372void fr_openssl_free(void)
373{
374 if (--openssl_instance_count > 0) return;
375
376 fr_tls_log_free();
377
378 fr_tls_bio_free();
379}
380
381static void _openssl_provider_free(void)
382{
383 if (openssl_default_provider && !OSSL_PROVIDER_unload(openssl_default_provider)) {
384 fr_tls_log(NULL, "Failed unloading default provider");
385 }
386 openssl_default_provider = NULL;
387
388 if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
389 fr_tls_log(NULL, "Failed unloading legacy provider");
390 }
391 openssl_legacy_provider = NULL;
392}
393
394static int fr_openssl_cleanup(UNUSED void *uctx)
395{
396 OPENSSL_cleanup();
397 return 0;
398}
399
400#if OPENSSL_VERSION_NUMBER >= 0x30400000L
401
402static void *fr_openssl_stack_alloc(size_t *len)
403{
404 void *stack;
405
406 if (posix_memalign(&stack, openssl_page_size, openssl_stack_size + openssl_page_size) != 0) {
407 fr_tls_log(NULL, "Failed allocating OpenSSL stack: %s", fr_syserror(errno));
408 return NULL;
409 }
410
411 /*
412 * Catch reads and writes going off the end of the stack.
413 */
414 if (mprotect((uint8_t *)stack + openssl_stack_size, openssl_page_size, PROT_NONE) < 0) {
415 fr_tls_log(NULL, "Failed adding guard page to OpenSSL stack: %s", fr_syserror(errno));
416 free(stack);
417 return NULL;
418 }
419 *len = openssl_stack_size;
420
421 return stack;
422}
423
424static void fr_openssl_stack_free(void *stack)
425{
426 /*
427 * Remove the guard page. If this failed, we can't continue
428 * as we'll have random protected memory chunks
429 */
430 if (unlikely(mprotect((uint8_t *)stack + openssl_stack_size, openssl_page_size, PROT_READ | PROT_WRITE) < 0)) {
431 fr_assert_msg(0, "Uprotecting OpenSSL stack memory failed, can't continue: %s", fr_syserror(errno));
432 fr_exit(1);
433 }
434 free(stack);
435}
436#endif
437
438/** Add all the default ciphers and message digests to our context.
439 *
440 * This should be called exactly once from main, before reading the main config
441 * or initialising any modules.
442 */
443int fr_openssl_init(void)
444{
445 if (openssl_instance_count > 0) {
446 openssl_instance_count++;
447 return 0;
448 }
449
450 openssl_page_size = (size_t)getpagesize();
451 openssl_stack_size = ROUND_UP_POW2(OPENSSL_ASYNC_STACK_SIZE, openssl_page_size);
452
453
454 /*
455 * This will only fail if memory has already been allocated
456 * by OpenSSL.
457 */
458 if (CRYPTO_set_mem_functions(fr_openssl_talloc, fr_openssl_talloc_realloc, fr_openssl_talloc_free) != 1) {
459 fr_tls_log(NULL, "Failed to set OpenSSL memory allocation functions. fr_openssl_init() called too late");
460 return -1;
461 }
462
463 /*
464 * Setup custom memory allocators for allocating greenthread
465 * stacks, so we can add guard pages.
466 */
467#if OPENSSL_VERSION_NUMBER >= 0x30400000L
468 if (ASYNC_set_mem_functions(fr_openssl_stack_alloc, fr_openssl_stack_free) != 1) {
469 fr_tls_log(NULL, "Failed to set OpenSSL async stack allocation functions");
470 return -1;
471 }
472#endif
473
474 /*
475 * NO_ATEXIT has no effect if init is done after
476 * loading providers, and we need to control the
477 * exit handler as it needs to be executed last
478 * after all the EVP_MD ctx have been called, as
479 * they may unload elements of providers once all
480 * the contexts have been cleaned up.
481 */
482 if (OPENSSL_init_ssl(OPENSSL_INIT_NO_ATEXIT | OPENSSL_INIT_LOAD_CONFIG, NULL) != 1) {
483 fr_tls_log(NULL, "Failed calling OPENSSL_init_crypto()");
484 return -1;
485 }
486
487 /*
488 * Load the default provider for most algorithms
489 */
490 openssl_default_provider = OSSL_PROVIDER_load(NULL, "default");
491 if (!openssl_default_provider) {
492 fr_tls_log(NULL, "Failed loading default provider");
493 return -1;
494 }
495
496 /*
497 * Needed for MD4
498 *
499 * https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Legacy-Algorithms
500 */
501 openssl_legacy_provider = OSSL_PROVIDER_load(NULL, "legacy");
502 if (!openssl_legacy_provider) {
503 fr_tls_log(NULL, "Failed loading legacy provider");
504 return -1;
505 }
506
507 /*
508 * It's best to use OpenSSL's cleanup stack
509 * as then everything is cleaned up relative
510 * to the OPENSSL_cleanup() call.
511 */
512 OPENSSL_atexit(_openssl_provider_free);
513
514 /*
515 * SHA256 is in all versions of OpenSSL, but isn't
516 * initialized by default. It's needed for WiMAX
517 * certificates.
518 */
519 EVP_add_digest(EVP_sha256());
520
521 fr_tls_log_init();
522
523 fr_tls_bio_init();
524
525 /*
526 * Use an atexit handler to try and ensure
527 * that OpenSSL gets freed last.
528 *
529 * All EVP_*ctxs need to be freed before we
530 * de-initialise the libraries else we get
531 * crashes (at least with OpenSSL 3.0.1).
532 */
533 fr_atexit_global(fr_openssl_cleanup, NULL);
534
535 openssl_instance_count++;
536
537 return 0;
538}
539
540/** Enable or disable fips mode
541 *
542 * @param[in] enabled If true enable fips mode if false disable fips mode.
543 * @return
544 * - 0 on success.
545 * - -1 on failure
546 */
547int fr_openssl_fips_mode(bool enabled)
548{
549 if (!EVP_set_default_properties(NULL, enabled ? "fips=yes" : "fips=no")) {
550 fr_tls_log(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
551 return -1;
552 }
553
554 return 0;
555}
556
557/** Load dictionary attributes
558 *
559 * This is a separate function because of ordering issues.
560 * OpenSSL may need to be initialised before anything else
561 * including the dictionary loader.
562 *
563 * fr_openssl_free will unload both the dictionary and the
564 * OpenSSL library.
565 */
566int fr_tls_dict_init(void)
567{
568 if (tls_instance_count > 0) {
569 tls_instance_count++;
570 return 0;
571 }
572
573 tls_instance_count++;
574
575 if (fr_dict_autoload(tls_dict) < 0) {
576 PERROR("Failed initialising protocol library");
577 fail:
578 tls_instance_count--;
579 fr_openssl_free();
580 return -1;
581 }
582
583 if (fr_dict_attr_autoload(tls_dict_attr) < 0) {
584 PERROR("Failed resolving attributes");
585 goto fail;
586 }
587
588 if (fr_dict_enum_autoload(tls_dict_enum) < 0) {
589 PERROR("Failed resolving enums");
590 goto fail;
591 }
592
593 return 0;
594}
595
596void fr_tls_dict_free(void)
597{
598 if (--tls_instance_count > 0) return;
599
600 fr_dict_autofree(tls_dict);
601}
602#endif /* WITH_TLS */
static int const char char buffer[256]
Definition acutest.h:576
int const char * file
Definition acutest.h:702
int const char int line
Definition acutest.h:702
#define fr_atexit_global(_func, _uctx)
Add a free function to the global free list.
Definition atexit.h:59
#define fr_atexit_thread_local(_name, _free, _uctx)
Definition atexit.h:221
static bool init
Definition fuzzer.c:41
#define USES_APPLE_DEPRECATED_API
Definition build.h:472
#define RCSID(id)
Definition build.h:485
#define NDEBUG_UNUSED
Definition build.h:328
#define unlikely(_x)
Definition build.h:383
#define UNUSED
Definition build.h:317
#define fr_assert_msg(_x, _msg,...)
Calls panic_action ifndef NDEBUG, else logs error and causes the server to exit immediately with code...
Definition debug.h:210
#define fr_exit(_x)
Exit, producing a log message in debug builds.
Definition debug.h:228
int fr_dict_enum_autoload(fr_dict_enum_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
Definition dict_util.c:4095
#define fr_dict_autofree(_to_free)
Definition dict.h:870
fr_value_box_t const ** out
Enumeration value.
Definition dict.h:263
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:274
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:287
int fr_dict_attr_autoload(fr_dict_attr_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
Definition dict_util.c:4134
#define fr_dict_autoload(_to_load)
Definition dict.h:867
Specifies an attribute which must be present for the module to function.
Definition dict.h:273
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:286
Specifies a value which must be present for the module to function.
Definition dict.h:262
free(array)
static fr_dict_t const * dict_freeradius
Definition base.c:37
fr_dict_attr_t const * attr_tls_certificate
Attribute definitions for lib curl.
Definition base.c:36
fr_dict_t const * dict_tls
Definition base.c:79
fr_dict_t const * dict_radius
Definition base.c:78
static fr_dict_attr_t const * attr_module_failure_message
Definition log.c:206
#define PERROR(_fmt,...)
Definition log.h:228
fr_value_box_t const * enum_tls_packet_type_store_session
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_extended_key_usage
HIDDEN fr_dict_attr_t const * attr_tls_packet_type
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_authority_key_identifier
HIDDEN fr_dict_attr_t const * attr_session_resumed
fr_value_box_t const * enum_tls_packet_type_failure
HIDDEN fr_dict_attr_t const * attr_tls_session_resumed
HIDDEN fr_dict_attr_t const * attr_tls_session_version
HIDDEN fr_dict_attr_t const * attr_tls_ocsp_cert_valid
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_basic_constraints
fr_value_box_t const * enum_tls_packet_type_success
HIDDEN fr_dict_attr_t const * attr_tls_certificate_serial
HIDDEN fr_dict_attr_t const * attr_tls_session_require_client_cert
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject_alt_name_dns
HIDDEN fr_dict_attr_t const * attr_tls_session_ttl
fr_value_box_t const * enum_tls_session_resumed_stateful
HIDDEN fr_dict_attr_t const * attr_tls_session_data
HIDDEN fr_dict_attr_t const * attr_tls_certificate_not_after
HIDDEN fr_dict_attr_t const * attr_tls_certificate_not_before
fr_value_box_t const * enum_tls_packet_type_new_session
HIDDEN fr_dict_attr_t const * attr_tls_certificate_signature_algorithm
HIDDEN fr_dict_attr_t const * attr_tls_client_error_code
fr_value_box_t const * enum_tls_packet_type_load_session
fr_value_box_t const * enum_tls_packet_type_establish_session
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject_alt_name_upn
HIDDEN fr_dict_attr_t const * attr_tls_ocsp_response
HIDDEN fr_dict_attr_t const * attr_tls_session_id
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_subject_key_identifier
fr_value_box_t const * enum_tls_packet_type_clear_session
HIDDEN fr_dict_attr_t const * attr_tls_session_cipher_suite
HIDDEN fr_dict_attr_t const * attr_tls_certificate_common_name
HIDDEN fr_dict_attr_t const * attr_tls_psk_identity
HIDDEN fr_dict_attr_t const * attr_tls_certificate_issuer
fr_value_box_t const * enum_tls_session_resumed_stateless
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_crl_distribution_points
fr_value_box_t const * enum_tls_packet_type_notfound
HIDDEN fr_dict_attr_t const * attr_tls_certificate_signature
HIDDEN fr_dict_attr_t const * attr_tls_session_resume_type
HIDDEN fr_dict_attr_t const * attr_tls_ocsp_next_update
fr_value_box_t const * enum_tls_packet_type_verify_certificate
HIDDEN fr_dict_attr_t const * attr_tls_session_cert_file
HIDDEN fr_dict_attr_t const * attr_tls_certificate_chain_depth
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject_alt_name_email
HIDDEN fr_dict_attr_t const * attr_allow_session_resumption
talloc_free(reap)
static char * stack[MAX_STACK]
Definition radmin.c:159
#define ROUND_UP_POW2(_num, _mul)
Round up - Only works if _mul is a power of 2 but avoids division.
Definition math.h:144
@ FR_TYPE_TIME_DELTA
A period of time measured in nanoseconds.
@ FR_TYPE_TLV
Contains nested attributes.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_DATE
Unix time stamp, always has value >2^31.
@ FR_TYPE_UINT8
8 Bit unsigned integer.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_BOOL
A truth value.
@ FR_TYPE_OCTETS
Raw octets.
unsigned int uint32_t
unsigned char uint8_t
unsigned long int size_t
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition snprintf.c:689
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition syserror.c:243