27RCSID(
"$Id: f4abb1468815e26c2ca07e960f766609db2777b1 $")
31#define LOG_PREFIX "tls"
37#include <openssl/conf.h>
38#include <openssl/provider.h>
40#include <freeradius-devel/server/base.h>
41#include <freeradius-devel/tls/attrs.h>
42#include <freeradius-devel/tls/base.h>
43#include <freeradius-devel/tls/engine.h>
44#include <freeradius-devel/util/atexit.h>
45#include <freeradius-devel/util/debug.h>
46#include <freeradius-devel/util/math.h>
47#include <freeradius-devel/util/syserror.h>
49static uint32_t openssl_instance_count = 0;
53#define OPENSSL_ASYNC_STACK_SIZE 32768
57static size_t openssl_stack_size;
61static size_t openssl_page_size;
67_Thread_local TALLOC_CTX *ssl_talloc_ctx;
72static _Thread_local
bool *async_pool_init;
74static OSSL_PROVIDER *openssl_default_provider = NULL;
75static OSSL_PROVIDER *openssl_legacy_provider = NULL;
77static uint32_t tls_instance_count = 0;
86 { .out = &
dict_tls, .proto =
"tls" },
223int fr_tls_max_threads = 1;
232 static char const *async_file;
236 chunk = talloc_array(ssl_talloc_ctx,
uint8_t, len);
239 talloc_set_name(chunk,
"fr_openssl_talloc");
257 sep = strrchr(
file,
'/');
263 if (strcmp(sep,
"async_posix.c") == 0) {
268 }
else if (
file == async_file)
goto alloc_stack;
270 chunk = talloc_array(ssl_talloc_ctx,
uint8_t, len);
272 talloc_set_name(chunk,
"%s:%d",
file,
line);
287 chunk = talloc_realloc_size(ssl_talloc_ctx, old, len);
289 talloc_set_name(chunk,
"%s:%d",
file,
line);
303static void fr_openssl_talloc_free(
void *to_free,
char const *
file,
UNUSED int line)
305 (void)_talloc_free(to_free,
file);
308static void fr_openssl_talloc_free(
void *to_free,
char const *
file,
int line)
313 (void)_talloc_free(to_free,
buffer);
320static int _openssl_thread_free(
void *
init)
322 ASYNC_cleanup_thread();
338int fr_openssl_thread_init(
size_t async_pool_size_init,
size_t async_pool_size_max)
343 if (!async_pool_init) {
344 bool *
init = talloc_zero(NULL,
bool);
346 if (ASYNC_init_thread(async_pool_size_max, async_pool_size_init) != 1) {
347 fr_tls_log(NULL,
"Failed initialising OpenSSL async context pool");
364void fr_openssl_free(
void)
366 if (--openssl_instance_count > 0)
return;
373static void _openssl_provider_free(
void)
375 if (openssl_default_provider && !OSSL_PROVIDER_unload(openssl_default_provider)) {
376 fr_tls_log(NULL,
"Failed unloading default provider");
378 openssl_default_provider = NULL;
380 if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
381 fr_tls_log(NULL,
"Failed unloading legacy provider");
383 openssl_legacy_provider = NULL;
386static int fr_openssl_cleanup(
UNUSED void *uctx)
392#if OPENSSL_VERSION_NUMBER >= 0x30400000L
394static void *fr_openssl_stack_alloc(
size_t *len)
398 if (posix_memalign(&
stack, openssl_page_size, openssl_stack_size + openssl_page_size) != 0) {
399 fr_tls_log(NULL,
"Failed allocating OpenSSL stack: %s",
fr_syserror(errno));
406 if (mprotect((
uint8_t *)
stack + openssl_stack_size, openssl_page_size, PROT_NONE) < 0) {
407 fr_tls_log(NULL,
"Failed adding guard page to OpenSSL stack: %s",
fr_syserror(errno));
411 *len = openssl_stack_size;
416static void fr_openssl_stack_free(
void *
stack)
422 if (
unlikely(mprotect((
uint8_t *)
stack + openssl_stack_size, openssl_page_size, PROT_READ | PROT_WRITE) < 0)) {
435int fr_openssl_init(
void)
437 if (openssl_instance_count > 0) {
438 openssl_instance_count++;
442 openssl_page_size = (
size_t)getpagesize();
443 openssl_stack_size =
ROUND_UP_POW2(OPENSSL_ASYNC_STACK_SIZE, openssl_page_size);
450 if (CRYPTO_set_mem_functions(fr_openssl_talloc, fr_openssl_talloc_realloc, fr_openssl_talloc_free) != 1) {
451 fr_tls_log(NULL,
"Failed to set OpenSSL memory allocation functions. fr_openssl_init() called too late");
459#if OPENSSL_VERSION_NUMBER >= 0x30400000L
460 if (ASYNC_set_mem_functions(fr_openssl_stack_alloc, fr_openssl_stack_free) != 1) {
461 fr_tls_log(NULL,
"Failed to set OpenSSL async stack allocation functions");
474 if (OPENSSL_init_ssl(OPENSSL_INIT_NO_ATEXIT | OPENSSL_INIT_LOAD_CONFIG, NULL) != 1) {
475 fr_tls_log(NULL,
"Failed calling OPENSSL_init_crypto()");
482 openssl_default_provider = OSSL_PROVIDER_load(NULL,
"default");
483 if (!openssl_default_provider) {
484 fr_tls_log(NULL,
"Failed loading default provider");
493 openssl_legacy_provider = OSSL_PROVIDER_load(NULL,
"legacy");
494 if (!openssl_legacy_provider) {
495 fr_tls_log(NULL,
"Failed loading legacy provider");
504 OPENSSL_atexit(_openssl_provider_free);
511 EVP_add_digest(EVP_sha256());
527 openssl_instance_count++;
539int fr_openssl_fips_mode(
bool enabled)
541 if (!EVP_set_default_properties(NULL, enabled ?
"fips=yes" :
"fips=no")) {
542 fr_tls_log(NULL,
"Failed %s OpenSSL FIPS mode", enabled ?
"enabling" :
"disabling");
558int fr_tls_dict_init(
void)
560 if (tls_instance_count > 0) {
561 tls_instance_count++;
565 tls_instance_count++;
568 PERROR(
"Failed initialising protocol library");
570 tls_instance_count--;
576 PERROR(
"Failed resolving attributes");
581 PERROR(
"Failed resolving enums");
588void fr_tls_dict_free(
void)
590 if (--tls_instance_count > 0)
return;
static int const char char buffer[256]
#define fr_atexit_global(_func, _uctx)
Add a free function to the global free list.
#define fr_atexit_thread_local(_name, _free, _uctx)
#define USES_APPLE_DEPRECATED_API
#define fr_assert_msg(_x, _msg,...)
Calls panic_action ifndef NDEBUG, else logs error and causes the server to exit immediately with code...
#define fr_exit(_x)
Exit, producing a log message in debug builds.
int fr_dict_enum_autoload(fr_dict_enum_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
#define fr_dict_autofree(_to_free)
fr_value_box_t const ** out
Enumeration value.
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
int fr_dict_attr_autoload(fr_dict_attr_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
#define fr_dict_autoload(_to_load)
Specifies an attribute which must be present for the module to function.
Specifies a dictionary which must be loaded/loadable for the module to function.
Specifies a value which must be present for the module to function.
static fr_dict_t const * dict_freeradius
fr_dict_attr_t const * attr_tls_certificate
Attribute definitions for lib curl.
fr_dict_t const * dict_tls
fr_dict_t const * dict_radius
fr_value_box_t const * enum_tls_packet_type_store_session
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_extended_key_usage
HIDDEN fr_dict_attr_t const * attr_tls_packet_type
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_authority_key_identifier
HIDDEN fr_dict_attr_t const * attr_session_resumed
fr_value_box_t const * enum_tls_packet_type_failure
HIDDEN fr_dict_attr_t const * attr_tls_session_resumed
HIDDEN fr_dict_attr_t const * attr_tls_session_version
HIDDEN fr_dict_attr_t const * attr_tls_ocsp_cert_valid
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_basic_constraints
fr_value_box_t const * enum_tls_packet_type_success
HIDDEN fr_dict_attr_t const * attr_tls_certificate_serial
HIDDEN fr_dict_attr_t const * attr_tls_session_require_client_cert
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject_alt_name_dns
HIDDEN fr_dict_attr_t const * attr_tls_session_ttl
fr_value_box_t const * enum_tls_session_resumed_stateful
HIDDEN fr_dict_attr_t const * attr_tls_session_data
HIDDEN fr_dict_attr_t const * attr_tls_certificate_not_after
HIDDEN fr_dict_attr_t const * attr_tls_certificate_not_before
fr_value_box_t const * enum_tls_packet_type_new_session
HIDDEN fr_dict_attr_t const * attr_tls_certificate_signature_algorithm
HIDDEN fr_dict_attr_t const * attr_tls_client_error_code
fr_value_box_t const * enum_tls_packet_type_load_session
fr_value_box_t const * enum_tls_packet_type_establish_session
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject_alt_name_upn
HIDDEN fr_dict_attr_t const * attr_tls_ocsp_response
HIDDEN fr_dict_attr_t const * attr_tls_session_id
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_subject_key_identifier
fr_value_box_t const * enum_tls_packet_type_clear_session
HIDDEN fr_dict_attr_t const * attr_tls_session_cipher_suite
HIDDEN fr_dict_attr_t const * attr_tls_certificate_common_name
HIDDEN fr_dict_attr_t const * attr_tls_psk_identity
HIDDEN fr_dict_attr_t const * attr_tls_certificate_issuer
fr_value_box_t const * enum_tls_session_resumed_stateless
fr_value_box_t const * enum_tls_packet_type_notfound
HIDDEN fr_dict_attr_t const * attr_tls_certificate_signature
HIDDEN fr_dict_attr_t const * attr_tls_session_resume_type
HIDDEN fr_dict_attr_t const * attr_tls_ocsp_next_update
fr_value_box_t const * enum_tls_packet_type_verify_certificate
HIDDEN fr_dict_attr_t const * attr_tls_session_cert_file
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject_alt_name_email
HIDDEN fr_dict_attr_t const * attr_allow_session_resumption
static char * stack[MAX_STACK]
#define ROUND_UP_POW2(_num, _mul)
Round up - Only works if _mul is a power of 2 but avoids division.
@ FR_TYPE_TIME_DELTA
A period of time measured in nanoseconds.
@ FR_TYPE_TLV
Contains nested attributes.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_DATE
Unix time stamp, always has value >2^31.
@ FR_TYPE_UINT8
8 Bit unsigned integer.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_BOOL
A truth value.
@ FR_TYPE_OCTETS
Raw octets.
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.