The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
conf.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: a658fa21ecc062a7546b2940af7e9714f1f2dcb7 $
19 *
20 * @file tls/conf.c
21 * @brief Configuration parsing for TLS servers and clients.
22 *
23 * @copyright 2001 hereUare Communications, Inc. (raghud@hereuare.com)
24 * @copyright 2003 Alan DeKok (aland@freeradius.org)
25 * @copyright 2006-2016 The FreeRADIUS server project
26 */
27RCSID("$Id: a658fa21ecc062a7546b2940af7e9714f1f2dcb7 $")
28USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
29
30#ifdef WITH_TLS
31#define LOG_PREFIX "tls"
32
33#ifdef HAVE_SYS_STAT_H
34# include <sys/stat.h>
35#endif
36#include <openssl/conf.h>
37
38#include <freeradius-devel/server/module.h>
39#include <freeradius-devel/server/virtual_servers.h>
40#include <freeradius-devel/util/debug.h>
41#include <freeradius-devel/util/syserror.h>
42#include <freeradius-devel/util/rand.h>
43
44#include "base.h"
45#include "log.h"
46
47static int tls_conf_parse_cache_mode(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
48static int tls_virtual_server_cf_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
49
50/** Certificate formats
51 *
52 */
53static fr_table_num_sorted_t const certificate_format_table[] = {
54 { L("ASN1"), SSL_FILETYPE_ASN1 },
55 { L("DER"), SSL_FILETYPE_ASN1 }, /* Alternate name for ASN1 */
56 { L("PEM"), SSL_FILETYPE_PEM }
57};
58static size_t certificate_format_table_len = NUM_ELEMENTS(certificate_format_table);
59
60static fr_table_num_sorted_t const chain_verify_mode_table[] = {
61 { L("hard"), FR_TLS_CHAIN_VERIFY_HARD },
62 { L("none"), FR_TLS_CHAIN_VERIFY_NONE },
63 { L("soft"), FR_TLS_CHAIN_VERIFY_SOFT }
64};
65static size_t chain_verify_mode_table_len = NUM_ELEMENTS(chain_verify_mode_table);
66
67static fr_table_num_sorted_t const cache_mode_table[] = {
68 { L("auto"), FR_TLS_CACHE_AUTO },
69 { L("disabled"), FR_TLS_CACHE_DISABLED },
70 { L("stateful"), FR_TLS_CACHE_STATEFUL },
71 { L("stateless"), FR_TLS_CACHE_STATELESS }
72};
73static size_t cache_mode_table_len = NUM_ELEMENTS(cache_mode_table);
74
75static fr_table_num_sorted_t const verify_mode_table[] = {
76 { L("all"), FR_TLS_VERIFY_MODE_ALL },
77 { L("client"), FR_TLS_VERIFY_MODE_LEAF },
78 { L("client-and-issuer"), FR_TLS_VERIFY_MODE_LEAF | FR_TLS_VERIFY_MODE_ISSUER },
79 { L("disabled"), FR_TLS_VERIFY_MODE_DISABLED },
80 { L("untrusted"), FR_TLS_VERIFY_MODE_UNTRUSTED }
81};
82static size_t verify_mode_table_len = NUM_ELEMENTS(verify_mode_table);
83
84static conf_parser_t tls_cache_config[] = {
85 { FR_CONF_OFFSET("mode", fr_tls_cache_conf_t, mode),
86 .func = tls_conf_parse_cache_mode,
87 .uctx = &(cf_table_parse_ctx_t){
88 .table = cache_mode_table,
89 .len = &cache_mode_table_len
90 },
91 .dflt = "auto" },
92 { FR_CONF_OFFSET_HINT_TYPE("name", FR_TYPE_STRING, fr_tls_cache_conf_t, id_name),
93 .dflt = "%{EAP-Type}%interpreter('server')", .quote = T_DOUBLE_QUOTED_STRING },
94 { FR_CONF_OFFSET("lifetime", fr_tls_cache_conf_t, lifetime), .dflt = "1d" },
95
96 { FR_CONF_OFFSET("require_extended_master_secret", fr_tls_cache_conf_t, require_extms), .dflt = "yes" },
97 { FR_CONF_OFFSET("require_perfect_forward_secrecy", fr_tls_cache_conf_t, require_pfs), .dflt = "no" },
98
99 { FR_CONF_OFFSET("session_ticket_key", fr_tls_cache_conf_t, session_ticket_key) },
100
101 /*
102 * Deprecated
103 */
104 { FR_CONF_DEPRECATED("enable", fr_tls_cache_conf_t, NULL) },
105 { FR_CONF_DEPRECATED("max_entries", fr_tls_cache_conf_t, NULL) },
106 { FR_CONF_DEPRECATED("persist_dir", fr_tls_cache_conf_t, NULL) },
107
108 CONF_PARSER_TERMINATOR
109};
110
111static conf_parser_t tls_chain_config[] = {
112 { FR_CONF_OFFSET("format", fr_tls_chain_conf_t, file_format),
113 .func = cf_table_parse_int,
114 .uctx = &(cf_table_parse_ctx_t){
115 .table = certificate_format_table,
116 .len = &certificate_format_table_len
117 },
118 .dflt = "pem" },
119 { FR_CONF_OFFSET_FLAGS("certificate_file", CONF_FLAG_FILE_READABLE | CONF_FLAG_FILE_EXISTS | CONF_FLAG_REQUIRED, fr_tls_chain_conf_t, certificate_file) },
120 { FR_CONF_OFFSET_FLAGS("private_key_password", CONF_FLAG_SECRET, fr_tls_chain_conf_t, password) },
121 { FR_CONF_OFFSET_FLAGS("private_key_file", CONF_FLAG_FILE_READABLE | CONF_FLAG_FILE_EXISTS | CONF_FLAG_REQUIRED, fr_tls_chain_conf_t, private_key_file) },
122
123 { FR_CONF_OFFSET_FLAGS("ca_file", CONF_FLAG_FILE_READABLE | CONF_FLAG_MULTI, fr_tls_chain_conf_t, ca_files) },
124
125 { FR_CONF_OFFSET("verify_mode", fr_tls_chain_conf_t, verify_mode),
126 .func = cf_table_parse_int,
127 .uctx = &(cf_table_parse_ctx_t){
128 .table = chain_verify_mode_table,
129 .len = &chain_verify_mode_table_len
130 },
131 .dflt = "hard" },
132 { FR_CONF_OFFSET("include_root_ca", fr_tls_chain_conf_t, include_root_ca), .dflt = "no" },
133 CONF_PARSER_TERMINATOR
134};
135
136static conf_parser_t tls_verify_config[] = {
137 { FR_CONF_OFFSET("mode", fr_tls_verify_conf_t, mode),
138 .func = cf_table_parse_int,
139 .uctx = &(cf_table_parse_ctx_t){
140 .table = verify_mode_table,
141 .len = &verify_mode_table_len
142 },
143 .dflt = "all" },
144 { FR_CONF_OFFSET("attribute_mode", fr_tls_verify_conf_t, attribute_mode),
145 .func = cf_table_parse_int,
146 .uctx = &(cf_table_parse_ctx_t){
147 .table = verify_mode_table,
148 .len = &verify_mode_table_len
149 },
150 .dflt = "client-and-issuer" },
151 { FR_CONF_OFFSET("check_crl", fr_tls_verify_conf_t, check_crl), .dflt = "no" },
152 { FR_CONF_OFFSET("allow_expired_crl", fr_tls_verify_conf_t, allow_expired_crl) },
153 { FR_CONF_OFFSET("allow_not_yet_valid_crl", fr_tls_verify_conf_t, allow_not_yet_valid_crl) },
154 { FR_CONF_OFFSET("der_decode", fr_tls_verify_conf_t, der_decode) },
155 CONF_PARSER_TERMINATOR
156};
157
158conf_parser_t fr_tls_server_config[] = {
159 { FR_CONF_OFFSET_TYPE_FLAGS("virtual_server", FR_TYPE_VOID, 0, fr_tls_conf_t, virtual_server), .func = tls_virtual_server_cf_parse },
160
161 { FR_CONF_OFFSET_SUBSECTION("chain", CONF_FLAG_MULTI, fr_tls_conf_t, chains, tls_chain_config),
162 .subcs_size = sizeof(fr_tls_chain_conf_t), .subcs_type = "fr_tls_chain_conf_t", .name2 = CF_IDENT_ANY },
163
164 { FR_CONF_DEPRECATED("pem_file_type", fr_tls_conf_t, NULL) },
165 { FR_CONF_DEPRECATED("certificate_file", fr_tls_conf_t, NULL) },
166 { FR_CONF_DEPRECATED("private_key_password", fr_tls_conf_t, NULL) },
167 { FR_CONF_DEPRECATED("private_key_file", fr_tls_conf_t, NULL) },
168
169 { FR_CONF_OFFSET("verify_depth", fr_tls_conf_t, verify_depth), .dflt = "0" },
170 { FR_CONF_OFFSET_FLAGS("ca_path", CONF_FLAG_FILE_READABLE, fr_tls_conf_t, ca_path) },
171 { FR_CONF_OFFSET_FLAGS("ca_file", CONF_FLAG_FILE_READABLE, fr_tls_conf_t, ca_file) },
172
173#ifdef PSK_MAX_IDENTITY_LEN
174 { FR_CONF_OFFSET("psk_identity", fr_tls_conf_t, psk_identity) },
175 { FR_CONF_OFFSET_FLAGS("psk_hexphrase", CONF_FLAG_SECRET, fr_tls_conf_t, psk_password) },
176 { FR_CONF_OFFSET("psk_query", fr_tls_conf_t, psk_query) },
177#endif
178 { FR_CONF_OFFSET("keylog_file", fr_tls_conf_t, keylog_file) },
179
180 { FR_CONF_OFFSET_FLAGS("dh_file", CONF_FLAG_FILE_READABLE, fr_tls_conf_t, dh_file) },
181 { FR_CONF_OFFSET("fragment_size", fr_tls_conf_t, fragment_size), .dflt = "1024" },
182 { FR_CONF_OFFSET("padding", fr_tls_conf_t, padding_block_size), },
183
184 { FR_CONF_OFFSET("disable_single_dh_use", fr_tls_conf_t, disable_single_dh_use) },
185
186 { FR_CONF_OFFSET("cipher_list", fr_tls_conf_t, cipher_list) },
187 { FR_CONF_OFFSET("cipher_server_preference", fr_tls_conf_t, cipher_server_preference), .dflt = "yes" },
188#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
189 { FR_CONF_OFFSET("allow_renegotiation", fr_tls_conf_t, allow_renegotiation), .dflt = "no" },
190#endif
191
192#ifndef OPENSSL_NO_ECDH
193 { FR_CONF_OFFSET("ecdh_curve", fr_tls_conf_t, ecdh_curve), .dflt = "prime256v1" },
194#endif
195 { FR_CONF_OFFSET("tls_max_version", fr_tls_conf_t, tls_max_version) },
196
197 { FR_CONF_OFFSET("tls_min_version", fr_tls_conf_t, tls_min_version), .dflt = "1.2" },
198
199 { FR_CONF_OFFSET_SUBSECTION("session", 0, fr_tls_conf_t, cache, tls_cache_config) },
200
201 { FR_CONF_OFFSET_SUBSECTION("verify", 0, fr_tls_conf_t, verify, tls_verify_config) },
202
203 { FR_CONF_DEPRECATED("check_cert_issuer", fr_tls_conf_t, check_cert_issuer) },
204 { FR_CONF_DEPRECATED("check_cert_cn", fr_tls_conf_t, check_cert_cn) },
205 CONF_PARSER_TERMINATOR
206};
207
208conf_parser_t fr_tls_client_config[] = {
209 { FR_CONF_OFFSET_SUBSECTION("chain", CONF_FLAG_OK_MISSING | CONF_FLAG_MULTI, fr_tls_conf_t, chains, tls_chain_config),
210 .subcs_size = sizeof(fr_tls_chain_conf_t), .subcs_type = "fr_tls_chain_conf_t" },
211
212 { FR_CONF_DEPRECATED("pem_file_type", fr_tls_conf_t, NULL) },
213 { FR_CONF_DEPRECATED("certificate_file", fr_tls_conf_t, NULL) },
214 { FR_CONF_DEPRECATED("private_key_password", fr_tls_conf_t, NULL) },
215 { FR_CONF_DEPRECATED("private_key_file", fr_tls_conf_t, NULL) },
216
217#ifdef PSK_MAX_IDENTITY_LEN
218 { FR_CONF_OFFSET("psk_identity", fr_tls_conf_t, psk_identity) },
219 { FR_CONF_OFFSET_FLAGS("psk_hexphrase", CONF_FLAG_SECRET, fr_tls_conf_t, psk_password) },
220#endif
221
222 { FR_CONF_OFFSET("keylog_file", fr_tls_conf_t, keylog_file) },
223
224 { FR_CONF_OFFSET("verify_depth", fr_tls_conf_t, verify_depth), .dflt = "0" },
225 { FR_CONF_OFFSET_FLAGS("ca_path", CONF_FLAG_FILE_READABLE, fr_tls_conf_t, ca_path) },
226
227 { FR_CONF_OFFSET_FLAGS("ca_file", CONF_FLAG_FILE_READABLE, fr_tls_conf_t, ca_file) },
228 { FR_CONF_OFFSET("dh_file", fr_tls_conf_t, dh_file) },
229 { FR_CONF_OFFSET("random_file", fr_tls_conf_t, random_file) },
230 { FR_CONF_OFFSET("fragment_size", fr_tls_conf_t, fragment_size), .dflt = "1024" },
231
232 { FR_CONF_OFFSET("cipher_list", fr_tls_conf_t, cipher_list) },
233
234#ifndef OPENSSL_NO_ECDH
235 { FR_CONF_OFFSET("ecdh_curve", fr_tls_conf_t, ecdh_curve), .dflt = "prime256v1" },
236#endif
237
238 { FR_CONF_OFFSET("tls_max_version", fr_tls_conf_t, tls_max_version) },
239
240 { FR_CONF_OFFSET("tls_min_version", fr_tls_conf_t, tls_min_version), .dflt = "1.2" },
241
242 { FR_CONF_DEPRECATED("check_cert_issuer", fr_tls_conf_t, check_cert_issuer) },
243 { FR_CONF_DEPRECATED("check_cert_cn", fr_tls_conf_t, check_cert_cn) },
244 CONF_PARSER_TERMINATOR
245};
246
247static int tls_virtual_server_cf_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
248{
249 fr_tls_conf_t *conf = talloc_get_type_abort(parent, fr_tls_conf_t);
250 virtual_server_t const *vs = NULL;
251
252 if (virtual_server_cf_parse(ctx, &vs, parent, ci, rule) < 0) return -1;
253
254 if (!vs) return 0;
255
256 /*
257 * `out` points to conf->virtual_server
258 */
259 *((CONF_SECTION const **)out) = virtual_server_cs(vs);
260 conf->verify_certificate = cf_section_find(conf->virtual_server, "verify", "certificate") ? true : false;
261 conf->new_session = cf_section_find(conf->virtual_server, "new", "session") ? true : false;
262 conf->establish_session = cf_section_find(conf->virtual_server, "establish", "session") ? true : false;
263 return 0;
264}
265
266static int tls_conf_parse_cache_mode(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
267{
268 fr_tls_conf_t *conf = talloc_get_type_abort((uint8_t *)parent - offsetof(fr_tls_conf_t, cache), fr_tls_conf_t);
269 int cache_mode;
270
271 if (cf_table_parse_int(ctx, &cache_mode, parent, ci, rule) < 0) return -1;
272
273 /*
274 * Ensure our virtual server contains the
275 * correct sections for the specified
276 * cache mode.
277 */
278 switch (cache_mode) {
279 case FR_TLS_CACHE_DISABLED:
280 case FR_TLS_CACHE_STATELESS:
281 break;
282
283 case FR_TLS_CACHE_STATEFUL:
284 if (!conf->virtual_server) {
285 cf_log_err(ci, "A virtual_server must be set when cache.mode = \"stateful\"");
286 error:
287 return -1;
288 }
289
290 if (!cf_section_find(conf->virtual_server, "load", "session")) {
291 cf_log_err(ci, "Specified virtual_server must contain a \"load session { ... }\" section "
292 "when cache.mode = \"stateful\"");
293 goto error;
294 }
295
296 if (!cf_section_find(conf->virtual_server, "store", "session")) {
297 cf_log_err(ci, "Specified virtual_server must contain a \"store session { ... }\" section "
298 "when cache.mode = \"stateful\"");
299 goto error;
300 }
301
302 if (!cf_section_find(conf->virtual_server, "clear", "session")) {
303 cf_log_err(ci, "Specified virtual_server must contain a \"clear session { ... }\" section "
304 "when cache.mode = \"stateful\"");
305 goto error;
306 }
307
308 if (conf->tls_min_version >= (float)1.3) {
309 cf_log_err(ci, "cache.mode = \"stateful\" is not supported with tls_min_version >= 1.3");
310 goto error;
311 }
312 break;
313
314 case FR_TLS_CACHE_AUTO:
315 if (!conf->virtual_server) {
316 WARN("A virtual_server must be provided for stateful caching. "
317 "cache.mode = \"auto\" rewritten to cache.mode = \"stateless\"");
318 cache_stateless:
319 cache_mode = FR_TLS_CACHE_STATELESS;
320 break;
321 }
322
323 if (!cf_section_find(conf->virtual_server, "load", "session")) {
324 cf_log_warn(ci, "Specified virtual_server missing \"load session { ... }\" section. "
325 "cache.mode = \"auto\" rewritten to cache.mode = \"stateless\"");
326 goto cache_stateless;
327 }
328
329 if (!cf_section_find(conf->virtual_server, "store", "session")) {
330 cf_log_warn(ci, "Specified virtual_server missing \"store session { ... }\" section. "
331 "cache.mode = \"auto\" rewritten to cache.mode = \"stateless\"");
332 goto cache_stateless;
333 }
334
335 if (!cf_section_find(conf->virtual_server, "clear", "session")) {
336 cf_log_warn(ci, "Specified virtual_server missing \"clear cache { ... }\" section. "
337 "cache.mode = \"auto\" rewritten to cache.mode = \"stateless\"");
338 goto cache_stateless;
339 }
340
341 if (conf->tls_min_version >= (float)1.3) {
342 cf_log_err(ci, "stateful session-resumption is not supported with tls_min_version >= 1.3. "
343 "cache.mode = \"auto\" rewritten to cache.mode = \"stateless\"");
344 goto error;
345 }
346 break;
347 }
348
349 /*
350 * Generate random, ephemeral, session-ticket keys.
351 */
352 if (cache_mode & FR_TLS_CACHE_STATELESS) {
353 /*
354 * Fill the key with randomness if one
355 * wasn't specified by the user.
356 */
357 if (!conf->cache.session_ticket_key) {
358 MEM(conf->cache.session_ticket_key = talloc_array(conf, uint8_t, 256));
359 fr_rand_buffer(UNCONST(uint8_t *, conf->cache.session_ticket_key),
360 talloc_array_length(conf->cache.session_ticket_key));
361 }
362 }
363
364 *((int *)out) = cache_mode;
365
366 return 0;
367}
368
369#ifdef __APPLE__
370/*
371 * We don't want to put the private key password in eap.conf, so check
372 * for our special string which indicates we should get the password
373 * programmatically.
374 */
375static char const *special_string = "Apple:UsecertAdmin";
376
377/** Use cert_admin to retrieve the password for the private key
378 *
379 */
380static int conf_cert_admin_password(fr_tls_conf_t *conf)
381{
382 size_t i, cnt;
383
384 if (!conf->chains) return 0;
385
386 cnt = talloc_array_length(conf->chains);
387 for (i = 0; i < cnt; i++) {
388 char cmd[256];
389 char *password;
390 long const max_password_len = 128;
391 FILE *cmd_pipe;
392
393 if (!conf->chains[i]->password) continue;
394
395 if (strncmp(conf->chains[i]->password, special_string, strlen(special_string)) != 0) continue;
396
397 snprintf(cmd, sizeof(cmd) - 1, "/usr/sbin/certadmin --get-private-key-passphrase \"%s\"",
398 conf->chains[i]->private_key_file);
399
400 DEBUG2("Getting private key passphrase using command \"%s\"", cmd);
401
402 cmd_pipe = popen(cmd, "r");
403 if (!cmd_pipe) {
404 ERROR("%s command failed: Unable to get private_key_password", cmd);
405 ERROR("Error reading private_key_file %s", conf->chains[i]->private_key_file);
406 return -1;
407 }
408
409 password = talloc_array(conf, char, max_password_len);
410 if (!password) {
411 ERROR("Can't allocate space for private_key_password");
412 ERROR("Error reading private_key_file %s", conf->chains[i]->private_key_file);
413 pclose(cmd_pipe);
414 return -1;
415 }
416
417 fgets(password, max_password_len, cmd_pipe);
418 pclose(cmd_pipe);
419
420 /* Get rid of newline at end of password. */
421 password[strlen(password) - 1] = '\0';
422
423 DEBUG3("Password from command = \"%s\"", password);
424 talloc_const_free(conf->chains[i]->password);
425 conf->chains[i]->password = password;
426 }
427
428 return 0;
429}
430#endif
431
432#ifdef HAVE_OPENSSL_OCSP_H
433/*
434 * Create Global X509 revocation store and use it to verify
435 * OCSP responses
436 *
437 * - Load the trusted CAs
438 * - Load the trusted issuer certificates
439 */
440static X509_STORE *conf_ocsp_revocation_store(fr_tls_conf_t *conf)
441{
442 X509_STORE *store = NULL;
443
444 store = X509_STORE_new();
445
446 /* Load the CAs we trust */
447 if (conf->ca_file || conf->ca_path)
448 if (!X509_STORE_load_locations(store, conf->ca_file, conf->ca_path)) {
449 fr_tls_log(NULL, "Error reading Trusted root CA list \"%s\"", conf->ca_file);
450 X509_STORE_free(store);
451 return NULL;
452 }
453
454#ifdef X509_V_FLAG_CRL_CHECK_ALL
455 if (conf->verify.check_crl) X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
456#endif
457
458 return store;
459}
460#endif
461
462/*
463 * Free TLS client/server config
464 * Should not be called outside this code, as a callback is
465 * added to automatically free the data when the CONF_SECTION
466 * is freed.
467 */
468static int _conf_server_free(fr_tls_conf_t *conf)
469{
470 memset(conf, 0, sizeof(*conf));
471 return 0;
472}
473
474fr_tls_conf_t *fr_tls_conf_alloc(TALLOC_CTX *ctx)
475{
476 fr_tls_conf_t *conf;
477
478 MEM(conf = talloc_zero(ctx, fr_tls_conf_t));
479 talloc_set_destructor(conf, _conf_server_free);
480
481 return conf;
482}
483
484fr_tls_conf_t *fr_tls_conf_parse_server(CONF_SECTION *cs)
485{
486 fr_tls_conf_t *conf;
487
488 /*
489 * If cs has already been parsed there should be a cached copy
490 * of conf already stored, so just return that.
491 */
492 conf = cf_data_value(cf_data_find(cs, fr_tls_conf_t, NULL));
493 if (conf) {
494 DEBUG("Using cached TLS configuration from previous invocation");
495 return conf;
496 }
497
498 if (cf_section_rules_push(cs, fr_tls_server_config) < 0) return NULL;
499
500 conf = fr_tls_conf_alloc(cs);
501
502 if ((cf_section_parse(conf, conf, cs) < 0) ||
503 (cf_section_parse_pass2(conf, cs) < 0)) {
504#ifdef __APPLE__
505 error:
506#endif
507 talloc_free(conf);
508 return NULL;
509 }
510
511 /*
512 * Save people from their own stupidity.
513 */
514 if (conf->fragment_size < 100) conf->fragment_size = 100;
515
516 FR_INTEGER_BOUND_CHECK("padding", conf->padding_block_size, <=, SSL3_RT_MAX_PLAIN_LENGTH);
517
518#ifdef __APPLE__
519 if (conf_cert_admin_password(conf) < 0) goto error;
520#endif
521
522 /*
523 * Cache conf in cs in case we're asked to parse this again.
524 */
525 cf_data_add(cs, conf, NULL, false);
526
527 return conf;
528}
529
530fr_tls_conf_t *fr_tls_conf_parse_client(CONF_SECTION *cs)
531{
532 fr_tls_conf_t *conf;
533
534 conf = cf_data_value(cf_data_find(cs, fr_tls_conf_t, NULL));
535 if (conf) {
536 DEBUG2("Using cached TLS configuration from previous invocation");
537 return conf;
538 }
539
540 if (cf_section_rules_push(cs, fr_tls_client_config) < 0) return NULL;
541
542 conf = fr_tls_conf_alloc(cs);
543
544 if ((cf_section_parse(conf, conf, cs) < 0) ||
545 (cf_section_parse_pass2(conf, cs) < 0)) {
546#ifdef __APPLE__
547 error:
548#endif
549 talloc_free(conf);
550 return NULL;
551 }
552
553 /*
554 * Save people from their own stupidity.
555 */
556 if (conf->fragment_size < 100) conf->fragment_size = 100;
557
558 /*
559 * Initialize TLS
560 */
561#ifdef __APPLE__
562 if (conf_cert_admin_password(conf) < 0) goto error;
563#endif
564
565 cf_data_add(cs, conf, NULL, false);
566
567 return conf;
568}
569#endif /* WITH_TLS */
store
#define store(_store, _var)
Definition atomic_queue.h:48
UNCONST
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
Definition build.h:167
USES_APPLE_DEPRECATED_API
#define USES_APPLE_DEPRECATED_API
Definition build.h:472
RCSID
#define RCSID(id)
Definition build.h:485
L
#define L(_str)
Helper for initialising arrays of string literals.
Definition build.h:209
NUM_ELEMENTS
#define NUM_ELEMENTS(_t)
Definition build.h:339
cf_section_parse
int cf_section_parse(TALLOC_CTX *ctx, void *base, CONF_SECTION *cs)
Parse a configuration section into user-supplied variables.
Definition cf_parse.c:1195
cf_table_parse_int
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
Definition cf_parse.c:1633
cf_section_parse_pass2
int cf_section_parse_pass2(void *base, CONF_SECTION *cs)
Fixup xlat expansions and attributes.
Definition cf_parse.c:1315
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:660
conf_parser_s::func
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:614
FR_CONF_DEPRECATED
#define FR_CONF_DEPRECATED(_name, _struct, _field)
conf_parser_t entry which raises an error if a matching CONF_PAIR is found
Definition cf_parse.h:412
FR_INTEGER_BOUND_CHECK
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:520
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:283
cf_section_rules_push
#define cf_section_rules_push(_cs, _rule)
Definition cf_parse.h:692
FR_CONF_OFFSET_HINT_TYPE
#define FR_CONF_OFFSET_HINT_TYPE(_name, _type, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:256
FR_CONF_OFFSET_FLAGS
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:271
FR_CONF_OFFSET_SUBSECTION
#define FR_CONF_OFFSET_SUBSECTION(_name, _flags, _struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:312
CONF_FLAG_REQUIRED
@ CONF_FLAG_REQUIRED
Error out if no matching CONF_PAIR is found, and no dflt value is set.
Definition cf_parse.h:432
CONF_FLAG_MULTI
@ CONF_FLAG_MULTI
CONF_PAIR can have multiple copies.
Definition cf_parse.h:449
CONF_FLAG_SECRET
@ CONF_FLAG_SECRET
Only print value if debug level >= 3.
Definition cf_parse.h:436
CONF_FLAG_FILE_READABLE
@ CONF_FLAG_FILE_READABLE
File matching value must exist, and must be readable.
Definition cf_parse.h:438
CONF_FLAG_OK_MISSING
@ CONF_FLAG_OK_MISSING
OK if it's missing.
Definition cf_parse.h:457
CONF_FLAG_FILE_EXISTS
@ CONF_FLAG_FILE_EXISTS
File matching value must exist.
Definition cf_parse.h:444
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:241
cf_table_parse_ctx_t
Definition cf_parse.h:655
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:597
cf_item
Common header for all CONF_* types.
Definition cf_priv.h:49
cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
cf_data_value
void * cf_data_value(CONF_DATA const *cd)
Return the user assigned value of CONF_DATA.
Definition cf_util.c:1750
cf_section_find
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1027
cf_log_err
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:286
cf_data_add
#define cf_data_add(_cf, _data, _name, _free)
Definition cf_util.h:252
cf_data_find
#define cf_data_find(_cf, _type, _name)
Definition cf_util.h:241
cf_log_warn
#define cf_log_warn(_cf, _fmt,...)
Definition cf_util.h:287
CF_IDENT_ANY
#define CF_IDENT_ANY
Definition cf_util.h:78
MEM
#define MEM(x)
Definition debug.h:36
ERROR
#define ERROR(fmt,...)
Definition dhcpclient.c:41
DEBUG
#define DEBUG(fmt,...)
Definition dhcpclient.c:39
DEBUG3
#define DEBUG3(_fmt,...)
Definition log.h:266
talloc_free
talloc_free(reap)
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_VOID
@ FR_TYPE_VOID
User data.
Definition merged_model.c:127
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
_conf_server_free
static int _conf_server_free(fr_tls_conf_t *conf)
Definition conf.c:75
DEBUG2
#define DEBUG2(fmt,...)
Definition radclient.h:43
WARN
#define WARN(fmt,...)
Definition radclient.h:47
conf
static rs_t * conf
Definition radsniff.c:53
fr_rand_buffer
void fr_rand_buffer(void *start, size_t length)
Definition rand.c:125
snprintf
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition snprintf.c:689
fr_table_num_sorted_t
An element in a lexicographically sorted array of name to num mappings.
Definition table.h:49
talloc_const_free
static int talloc_const_free(void const *ptr)
Free const'd memory.
Definition talloc.h:229
T_DOUBLE_QUOTED_STRING
@ T_DOUBLE_QUOTED_STRING
Definition token.h:121
parent
static fr_slen_t parent
Definition pair.h:841
out
static size_t char ** out
Definition value.h:1023
virtual_server_cf_parse
int virtual_server_cf_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
Wrapper for the config parser to allow pass1 resolution of virtual servers.
Definition virtual_servers.c:1014
virtual_server_cs
CONF_SECTION * virtual_server_cs(virtual_server_t const *vs)
Return the configuration section for a virtual server.
Definition virtual_servers.c:941
virtual_server_s
Definition virtual_servers.c:57
Generated by   doxygen 1.9.8