The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
base.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: f4abb1468815e26c2ca07e960f766609db2777b1 $
19 *
20 * @file src/lib/tls/base.c
21 * @brief Initialise OpenSSL
22 *
23 * @copyright 2001 hereUare Communications, Inc. (raghud@hereuare.com)
24 * @copyright 2003 Alan DeKok (aland@freeradius.org)
25 * @copyright 2006-2016 The FreeRADIUS server project
26 */
27RCSID("$Id: f4abb1468815e26c2ca07e960f766609db2777b1 $")
28USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
29
30#ifdef WITH_TLS
31#define LOG_PREFIX "tls"
32
33#include "log.h"
34#include "bio.h"
35
36#include <sys/mman.h>
37#include <openssl/conf.h>
38#include <openssl/provider.h>
39
40#include <freeradius-devel/server/base.h>
41#include <freeradius-devel/tls/attrs.h>
42#include <freeradius-devel/tls/base.h>
43#include <freeradius-devel/tls/engine.h>
44#include <freeradius-devel/util/atexit.h>
45#include <freeradius-devel/util/debug.h>
46#include <freeradius-devel/util/math.h>
47#include <freeradius-devel/util/syserror.h>
48
49static uint32_t openssl_instance_count = 0;
50
51/** How big of a stack to allocate for aynsc fibres
52 */
53#define OPENSSL_ASYNC_STACK_SIZE 32768
54
55/** How big of a stack we allocate, rounded up to the nearest page size
56 */
57static size_t openssl_stack_size;
58
59/** Cached page size
60 */
61static size_t openssl_page_size;
62
63/** The context which holds any memory OpenSSL allocates
64 *
65 * This should be used to work around memory leaks in the OpenSSL.
66 */
67_Thread_local TALLOC_CTX *ssl_talloc_ctx;
68
69/** Used to control freeing of thread local OpenSSL resources
70 *
71 */
72static _Thread_local bool *async_pool_init;
73
74static OSSL_PROVIDER *openssl_default_provider = NULL;
75static OSSL_PROVIDER *openssl_legacy_provider = NULL;
76
77static uint32_t tls_instance_count = 0;
78
81fr_dict_t const *dict_tls;
82
83extern fr_dict_autoload_t tls_dict[];
84fr_dict_autoload_t tls_dict[] = {
85 { .out = &dict_freeradius, .proto = "freeradius" },
86 { .out = &dict_tls, .proto = "tls" },
87 { NULL }
88};
89
92
93/*
94 * Certificate decoding attributes
95 */
112
118
124
130
131extern fr_dict_attr_autoload_t tls_dict_attr[];
132fr_dict_attr_autoload_t tls_dict_attr[] = {
133 { .out = &attr_allow_session_resumption, .name = "Allow-Session-Resumption", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
134 { .out = &attr_session_resumed, .name = "EAP-Session-Resumed", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
135
136 /*
137 * Certificate decoding attributes
138 */
139 { .out = &attr_tls_certificate, .name = "TLS-Certificate", .type = FR_TYPE_TLV, .dict = &dict_freeradius },
140 { .out = &attr_tls_certificate_serial, .name = "TLS-Certificate.Serial", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
141 { .out = &attr_tls_certificate_signature, .name = "TLS-Certificate.Signature", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
142 { .out = &attr_tls_certificate_signature_algorithm, .name = "TLS-Certificate.Signature-Algorithm", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
143 { .out = &attr_tls_certificate_issuer, .name = "TLS-Certificate.Issuer", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
144 { .out = &attr_tls_certificate_not_before, .name = "TLS-Certificate.Not-Before", .type = FR_TYPE_DATE, .dict = &dict_freeradius },
145 { .out = &attr_tls_certificate_not_after, .name = "TLS-Certificate.Not-After", .type = FR_TYPE_DATE, .dict = &dict_freeradius },
146 { .out = &attr_tls_certificate_subject, .name = "TLS-Certificate.Subject", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
147 { .out = &attr_tls_certificate_common_name, .name = "TLS-Certificate.Common-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
148 { .out = &attr_tls_certificate_subject_alt_name_dns, .name = "TLS-Certificate.Subject-Alt-Name-Dns", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
149 { .out = &attr_tls_certificate_subject_alt_name_email, .name = "TLS-Certificate.Subject-Alt-Name-Email", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
150 { .out = &attr_tls_certificate_subject_alt_name_upn, .name = "TLS-Certificate.Subject-Alt-Name-Upn", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
151 { .out = &attr_tls_certificate_x509v3_extended_key_usage, .name = "TLS-Certificate.X509v3-Extended-Key-Usage", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
152 { .out = &attr_tls_certificate_x509v3_subject_key_identifier, .name = "TLS-Certificate.X509v3-Subject-Key-Identifier", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
153 { .out = &attr_tls_certificate_x509v3_authority_key_identifier, .name = "TLS-Certificate.X509v3-Authority-Key-Identifier", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
154 { .out = &attr_tls_certificate_x509v3_basic_constraints, .name = "TLS-Certificate.X509v3-Basic-Constraints", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
155
156 { .out = &attr_tls_client_error_code, .name = "TLS-Client-Error-Code", .type = FR_TYPE_UINT8, .dict = &dict_freeradius },
157 { .out = &attr_tls_ocsp_cert_valid, .name = "TLS-OCSP-Cert-Valid", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
158 { .out = &attr_tls_ocsp_next_update, .name = "TLS-OCSP-Next-Update", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
159 { .out = &attr_tls_ocsp_response, .name = "TLS-OCSP-Response", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
160 { .out = &attr_tls_psk_identity, .name = "TLS-PSK-Identity", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
161
162 { .out = &attr_tls_session_cert_file, .name = "TLS-Session-Certificate-File", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
163 { .out = &attr_tls_session_require_client_cert, .name = "TLS-Session-Require-Client-Certificate", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
164 { .out = &attr_tls_session_cipher_suite, .name = "TLS-Session-Cipher-Suite", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
165 { .out = &attr_tls_session_version, .name = "TLS-Session-Version", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
166 { .out = &attr_tls_session_resume_type, .name = "TLS-Session-Resume-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
167
168 /*
169 * Eventually all TLS attributes will be in the TLS dictionary
170 */
171 { .out = &attr_tls_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_tls },
172 { .out = &attr_tls_session_data, .name = "Session-Data", .type = FR_TYPE_OCTETS, .dict = &dict_tls },
173 { .out = &attr_tls_session_id, .name = "Session-Id", .type = FR_TYPE_OCTETS, .dict = &dict_tls },
174 { .out = &attr_tls_session_resumed, .name = "Session-Resumed", .type = FR_TYPE_BOOL, .dict = &dict_tls },
175 { .out = &attr_tls_session_ttl, .name = "Session-TTL", .type = FR_TYPE_TIME_DELTA, .dict = &dict_tls },
176 { NULL }
177};
178
179/*
180 * request types
181 */
188
189/*
190 * response types
191 */
195
196/*
197 * session resumption
198 */
201
202extern fr_dict_enum_autoload_t tls_dict_enum[];
203fr_dict_enum_autoload_t tls_dict_enum[] = {
204 { .out = &enum_tls_packet_type_load_session, .name = "Load-Session", .attr = &attr_tls_packet_type },
205 { .out = &enum_tls_packet_type_store_session, .name = "Store-Session", .attr = &attr_tls_packet_type },
206 { .out = &enum_tls_packet_type_clear_session, .name = "Clear-Session", .attr = &attr_tls_packet_type },
207 { .out = &enum_tls_packet_type_verify_certificate, .name = "Verify-Certificate", .attr = &attr_tls_packet_type },
208 { .out = &enum_tls_packet_type_new_session, .name = "New-Session", .attr = &attr_tls_packet_type },
209 { .out = &enum_tls_packet_type_establish_session, .name = "Establish-Session", .attr = &attr_tls_packet_type },
210
211 { .out = &enum_tls_packet_type_success, .name = "Success", .attr = &attr_tls_packet_type },
212 { .out = &enum_tls_packet_type_failure, .name = "Failure", .attr = &attr_tls_packet_type },
213 { .out = &enum_tls_packet_type_notfound, .name = "Notfound", .attr = &attr_tls_packet_type },
214
215 { .out = &enum_tls_session_resumed_stateful, .name = "stateful", .attr = &attr_tls_session_resume_type },
216 { .out = &enum_tls_session_resumed_stateless, .name = "stateless", .attr = &attr_tls_session_resume_type },
217 { NULL }
218};
219
220/*
221 * Updated by threads.c in the server, and left alone for everyone else.
222 */
223int fr_tls_max_threads = 1;
224
225/** Allocate memory for OpenSSL in the NULL context
226 *
227 * @param len to alloc.
228 * @return realloc.
229 */
230static void *fr_openssl_talloc(size_t len, char const *file, NDEBUG_UNUSED int line)
231{
232 static char const *async_file;
233 void *chunk;
234
235 if (!file) {
236 chunk = talloc_array(ssl_talloc_ctx, uint8_t, len);
237
238#ifndef NDEBUG
239 talloc_set_name(chunk, "fr_openssl_talloc");
240#endif
241 return chunk;
242 }
243
244 /*
245 * Cache the filename pointer for the async_posix.c
246 * source file, so we can figure out when we're
247 * being asked for stack memory.
248 *
249 * This is terrible, we're basically guessing at the
250 * stack size. OpenSSL 3.1.0 will have proper
251 * allocation functions so we can something more
252 * sensible.
253 */
254 if (!async_file) {
255 char const *sep;
256
257 sep = strrchr(file, '/');
258 if (!sep) {
259 sep = file;
260 } else {
261 sep++;
262 }
263 if (strcmp(sep, "async_posix.c") == 0) {
264 async_file = file;
265 alloc_stack:
266 len *= 4;
267 }
268 } else if (file == async_file) goto alloc_stack;
269
270 chunk = talloc_array(ssl_talloc_ctx, uint8_t, len);
271#ifndef NDEBUG
272 talloc_set_name(chunk, "%s:%d", file, line);
273#endif
274 return chunk;
275}
276
277/** Reallocate memory for OpenSSL in the NULL context
278 *
279 * @param old memory to realloc.
280 * @param len to extend to.
281 * @return realloced memory.
282 */
283static void *fr_openssl_talloc_realloc(void *old, size_t len, NDEBUG_UNUSED char const *file, NDEBUG_UNUSED int line)
284{
285 void *chunk;
286
287 chunk = talloc_realloc_size(ssl_talloc_ctx, old, len);
288#ifndef NDEBUG
289 talloc_set_name(chunk, "%s:%d", file, line);
290#endif
291 return chunk;
292}
293
294/** Free memory allocated by OpenSSL
295 *
296 * @param to_free memory to free.
297 */
298#ifdef NDEBUG
299/*
300 * If we're not debugging, use only the filename. Otherwise the
301 * cost of snprintf() is too large.
302 */
303static void fr_openssl_talloc_free(void *to_free, char const *file, UNUSED int line)
304{
305 (void)_talloc_free(to_free, file);
306}
307#else
308static void fr_openssl_talloc_free(void *to_free, char const *file, int line)
309{
310 char buffer[256];
311
312 snprintf(buffer, sizeof(buffer), "%s:%i", file, line);
313 (void)_talloc_free(to_free, buffer);
314}
315#endif
316
317/** Cleanup async pools if the thread exits
318 *
319 */
320static int _openssl_thread_free(void *init)
321{
322 ASYNC_cleanup_thread();
323 return talloc_free(init);
324}
325
326/** Perform thread-specific initialisation for OpenSSL
327 *
328 * Async contexts are what OpenSSL uses to track
329 *
330 * @param[in] async_pool_size_init The initial number of async contexts
331 * we keep in the pool.
332 * @param[in] async_pool_size_max The maximum number of async contexts
333 * we keep in the thread-local pool.
334 * @return
335 * - 0 on success.
336 * - -1 on failure.
337 */
338int fr_openssl_thread_init(size_t async_pool_size_init, size_t async_pool_size_max)
339{
340 /*
341 * Hack to use thread local destructor code
342 */
343 if (!async_pool_init) {
344 bool *init = talloc_zero(NULL, bool);
345
346 if (ASYNC_init_thread(async_pool_size_max, async_pool_size_init) != 1) {
347 fr_tls_log(NULL, "Failed initialising OpenSSL async context pool");
348 return -1;
349 }
350
351 fr_atexit_thread_local(async_pool_init, _openssl_thread_free, init);
352 }
353
354 return 0;
355}
356
357/** Free any memory alloced by libssl
358 *
359 * OpenSSL >= 1.1.0 uses an atexit handler to automatically free
360 * memory. However, we need to call OPENSSL_cleanup manually because
361 * some of the SSL ctx is parented to the main config which will get
362 * freed before the atexit handler, causing a segfault on exit.
363 */
364void fr_openssl_free(void)
365{
366 if (--openssl_instance_count > 0) return;
367
368 fr_tls_log_free();
369
370 fr_tls_bio_free();
371}
372
373static void _openssl_provider_free(void)
374{
375 if (openssl_default_provider && !OSSL_PROVIDER_unload(openssl_default_provider)) {
376 fr_tls_log(NULL, "Failed unloading default provider");
377 }
378 openssl_default_provider = NULL;
379
380 if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
381 fr_tls_log(NULL, "Failed unloading legacy provider");
382 }
383 openssl_legacy_provider = NULL;
384}
385
386static int fr_openssl_cleanup(UNUSED void *uctx)
387{
388 OPENSSL_cleanup();
389 return 0;
390}
391
392#if OPENSSL_VERSION_NUMBER >= 0x30400000L
393
394static void *fr_openssl_stack_alloc(size_t *len)
395{
396 void *stack;
397
398 if (posix_memalign(&stack, openssl_page_size, openssl_stack_size + openssl_page_size) != 0) {
399 fr_tls_log(NULL, "Failed allocating OpenSSL stack: %s", fr_syserror(errno));
400 return NULL;
401 }
402
403 /*
404 * Catch reads and writes going off the end of the stack.
405 */
406 if (mprotect((uint8_t *)stack + openssl_stack_size, openssl_page_size, PROT_NONE) < 0) {
407 fr_tls_log(NULL, "Failed adding guard page to OpenSSL stack: %s", fr_syserror(errno));
408 free(stack);
409 return NULL;
410 }
411 *len = openssl_stack_size;
412
413 return stack;
414}
415
416static void fr_openssl_stack_free(void *stack)
417{
418 /*
419 * Remove the guard page. If this failed, we can't continue
420 * as we'll have random protected memory chunks
421 */
422 if (unlikely(mprotect((uint8_t *)stack + openssl_stack_size, openssl_page_size, PROT_READ | PROT_WRITE) < 0)) {
423 fr_assert_msg(0, "Uprotecting OpenSSL stack memory failed, can't continue: %s", fr_syserror(errno));
424 fr_exit(1);
425 }
426 free(stack);
427}
428#endif
429
430/** Add all the default ciphers and message digests to our context.
431 *
432 * This should be called exactly once from main, before reading the main config
433 * or initialising any modules.
434 */
435int fr_openssl_init(void)
436{
437 if (openssl_instance_count > 0) {
438 openssl_instance_count++;
439 return 0;
440 }
441
442 openssl_page_size = (size_t)getpagesize();
443 openssl_stack_size = ROUND_UP_POW2(OPENSSL_ASYNC_STACK_SIZE, openssl_page_size);
444
445
446 /*
447 * This will only fail if memory has already been allocated
448 * by OpenSSL.
449 */
450 if (CRYPTO_set_mem_functions(fr_openssl_talloc, fr_openssl_talloc_realloc, fr_openssl_talloc_free) != 1) {
451 fr_tls_log(NULL, "Failed to set OpenSSL memory allocation functions. fr_openssl_init() called too late");
452 return -1;
453 }
454
455 /*
456 * Setup custom memory allocators for allocating greenthread
457 * stacks, so we can add guard pages.
458 */
459#if OPENSSL_VERSION_NUMBER >= 0x30400000L
460 if (ASYNC_set_mem_functions(fr_openssl_stack_alloc, fr_openssl_stack_free) != 1) {
461 fr_tls_log(NULL, "Failed to set OpenSSL async stack allocation functions");
462 return -1;
463 }
464#endif
465
466 /*
467 * NO_ATEXIT has no effect if init is done after
468 * loading providers, and we need to control the
469 * exit handler as it needs to be executed last
470 * after all the EVP_MD ctx have been called, as
471 * they may unload elements of providers once all
472 * the contexts have been cleaned up.
473 */
474 if (OPENSSL_init_ssl(OPENSSL_INIT_NO_ATEXIT | OPENSSL_INIT_LOAD_CONFIG, NULL) != 1) {
475 fr_tls_log(NULL, "Failed calling OPENSSL_init_crypto()");
476 return -1;
477 }
478
479 /*
480 * Load the default provider for most algorithms
481 */
482 openssl_default_provider = OSSL_PROVIDER_load(NULL, "default");
483 if (!openssl_default_provider) {
484 fr_tls_log(NULL, "Failed loading default provider");
485 return -1;
486 }
487
488 /*
489 * Needed for MD4
490 *
491 * https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Legacy-Algorithms
492 */
493 openssl_legacy_provider = OSSL_PROVIDER_load(NULL, "legacy");
494 if (!openssl_legacy_provider) {
495 fr_tls_log(NULL, "Failed loading legacy provider");
496 return -1;
497 }
498
499 /*
500 * It's best to use OpenSSL's cleanup stack
501 * as then everything is cleaned up relative
502 * to the OPENSSL_cleanup() call.
503 */
504 OPENSSL_atexit(_openssl_provider_free);
505
506 /*
507 * SHA256 is in all versions of OpenSSL, but isn't
508 * initialized by default. It's needed for WiMAX
509 * certificates.
510 */
511 EVP_add_digest(EVP_sha256());
512
513 fr_tls_log_init();
514
515 fr_tls_bio_init();
516
517 /*
518 * Use an atexit handler to try and ensure
519 * that OpenSSL gets freed last.
520 *
521 * All EVP_*ctxs need to be freed before we
522 * de-initialise the libraries else we get
523 * crashes (at least with OpenSSL 3.0.1).
524 */
525 fr_atexit_global(fr_openssl_cleanup, NULL);
526
527 openssl_instance_count++;
528
529 return 0;
530}
531
532/** Enable or disable fips mode
533 *
534 * @param[in] enabled If true enable fips mode if false disable fips mode.
535 * @return
536 * - 0 on success.
537 * - -1 on failure
538 */
539int fr_openssl_fips_mode(bool enabled)
540{
541 if (!EVP_set_default_properties(NULL, enabled ? "fips=yes" : "fips=no")) {
542 fr_tls_log(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
543 return -1;
544 }
545
546 return 0;
547}
548
549/** Load dictionary attributes
550 *
551 * This is a separate function because of ordering issues.
552 * OpenSSL may need to be initialised before anything else
553 * including the dictionary loader.
554 *
555 * fr_openssl_free will unload both the dictionary and the
556 * OpenSSL library.
557 */
558int fr_tls_dict_init(void)
559{
560 if (tls_instance_count > 0) {
561 tls_instance_count++;
562 return 0;
563 }
564
565 tls_instance_count++;
566
567 if (fr_dict_autoload(tls_dict) < 0) {
568 PERROR("Failed initialising protocol library");
569 fail:
570 tls_instance_count--;
571 fr_openssl_free();
572 return -1;
573 }
574
575 if (fr_dict_attr_autoload(tls_dict_attr) < 0) {
576 PERROR("Failed resolving attributes");
577 goto fail;
578 }
579
580 if (fr_dict_enum_autoload(tls_dict_enum) < 0) {
581 PERROR("Failed resolving enums");
582 goto fail;
583 }
584
585 return 0;
586}
587
588void fr_tls_dict_free(void)
589{
590 if (--tls_instance_count > 0) return;
591
592 fr_dict_autofree(tls_dict);
593}
594#endif /* WITH_TLS */
static int const char char buffer[256]
Definition acutest.h:576
int const char * file
Definition acutest.h:702
int const char int line
Definition acutest.h:702
#define fr_atexit_global(_func, _uctx)
Add a free function to the global free list.
Definition atexit.h:59
#define fr_atexit_thread_local(_name, _free, _uctx)
Definition atexit.h:221
static bool init
Definition fuzzer.c:41
#define USES_APPLE_DEPRECATED_API
Definition build.h:472
#define RCSID(id)
Definition build.h:485
#define NDEBUG_UNUSED
Definition build.h:328
#define unlikely(_x)
Definition build.h:383
#define UNUSED
Definition build.h:317
#define fr_assert_msg(_x, _msg,...)
Calls panic_action ifndef NDEBUG, else logs error and causes the server to exit immediately with code...
Definition debug.h:210
#define fr_exit(_x)
Exit, producing a log message in debug builds.
Definition debug.h:228
int fr_dict_enum_autoload(fr_dict_enum_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
Definition dict_util.c:4053
#define fr_dict_autofree(_to_free)
Definition dict.h:862
fr_value_box_t const ** out
Enumeration value.
Definition dict.h:261
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:272
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:285
int fr_dict_attr_autoload(fr_dict_attr_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
Definition dict_util.c:4092
#define fr_dict_autoload(_to_load)
Definition dict.h:859
Specifies an attribute which must be present for the module to function.
Definition dict.h:271
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:284
Specifies a value which must be present for the module to function.
Definition dict.h:260
free(array)
static fr_dict_t const * dict_freeradius
Definition base.c:37
fr_dict_attr_t const * attr_tls_certificate
Attribute definitions for lib curl.
Definition base.c:36
fr_dict_t const * dict_tls
Definition base.c:79
fr_dict_t const * dict_radius
Definition base.c:78
#define PERROR(_fmt,...)
Definition log.h:228
fr_value_box_t const * enum_tls_packet_type_store_session
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_extended_key_usage
HIDDEN fr_dict_attr_t const * attr_tls_packet_type
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_authority_key_identifier
HIDDEN fr_dict_attr_t const * attr_session_resumed
fr_value_box_t const * enum_tls_packet_type_failure
HIDDEN fr_dict_attr_t const * attr_tls_session_resumed
HIDDEN fr_dict_attr_t const * attr_tls_session_version
HIDDEN fr_dict_attr_t const * attr_tls_ocsp_cert_valid
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_basic_constraints
fr_value_box_t const * enum_tls_packet_type_success
HIDDEN fr_dict_attr_t const * attr_tls_certificate_serial
HIDDEN fr_dict_attr_t const * attr_tls_session_require_client_cert
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject_alt_name_dns
HIDDEN fr_dict_attr_t const * attr_tls_session_ttl
fr_value_box_t const * enum_tls_session_resumed_stateful
HIDDEN fr_dict_attr_t const * attr_tls_session_data
HIDDEN fr_dict_attr_t const * attr_tls_certificate_not_after
HIDDEN fr_dict_attr_t const * attr_tls_certificate_not_before
fr_value_box_t const * enum_tls_packet_type_new_session
HIDDEN fr_dict_attr_t const * attr_tls_certificate_signature_algorithm
HIDDEN fr_dict_attr_t const * attr_tls_client_error_code
fr_value_box_t const * enum_tls_packet_type_load_session
fr_value_box_t const * enum_tls_packet_type_establish_session
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject_alt_name_upn
HIDDEN fr_dict_attr_t const * attr_tls_ocsp_response
HIDDEN fr_dict_attr_t const * attr_tls_session_id
HIDDEN fr_dict_attr_t const * attr_tls_certificate_x509v3_subject_key_identifier
fr_value_box_t const * enum_tls_packet_type_clear_session
HIDDEN fr_dict_attr_t const * attr_tls_session_cipher_suite
HIDDEN fr_dict_attr_t const * attr_tls_certificate_common_name
HIDDEN fr_dict_attr_t const * attr_tls_psk_identity
HIDDEN fr_dict_attr_t const * attr_tls_certificate_issuer
fr_value_box_t const * enum_tls_session_resumed_stateless
fr_value_box_t const * enum_tls_packet_type_notfound
HIDDEN fr_dict_attr_t const * attr_tls_certificate_signature
HIDDEN fr_dict_attr_t const * attr_tls_session_resume_type
HIDDEN fr_dict_attr_t const * attr_tls_ocsp_next_update
fr_value_box_t const * enum_tls_packet_type_verify_certificate
HIDDEN fr_dict_attr_t const * attr_tls_session_cert_file
HIDDEN fr_dict_attr_t const * attr_tls_certificate_subject_alt_name_email
HIDDEN fr_dict_attr_t const * attr_allow_session_resumption
talloc_free(reap)
static char * stack[MAX_STACK]
Definition radmin.c:158
#define ROUND_UP_POW2(_num, _mul)
Round up - Only works if _mul is a power of 2 but avoids division.
Definition math.h:144
@ FR_TYPE_TIME_DELTA
A period of time measured in nanoseconds.
@ FR_TYPE_TLV
Contains nested attributes.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_DATE
Unix time stamp, always has value >2^31.
@ FR_TYPE_UINT8
8 Bit unsigned integer.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_BOOL
A truth value.
@ FR_TYPE_OCTETS
Raw octets.
unsigned int uint32_t
unsigned char uint8_t
unsigned long int size_t
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition snprintf.c:689
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition syserror.c:243