The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
conf.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 76c45b1808ce09cc5903322d1d67e387b4f9d8b2 $
19 *
20 * @file tls/conf.c
21 * @brief Configuration parsing for TLS servers and clients.
22 *
23 * @copyright 2001 hereUare Communications, Inc. (raghud@hereuare.com)
24 * @copyright 2003 Alan DeKok (aland@freeradius.org)
25 * @copyright 2006-2016 The FreeRADIUS server project
26 */
27RCSID("$Id: 76c45b1808ce09cc5903322d1d67e387b4f9d8b2 $")
28USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
29
30#ifdef WITH_TLS
31#define LOG_PREFIX "tls"
32
33#ifdef HAVE_SYS_STAT_H
34# include <sys/stat.h>
35#endif
36#include <openssl/conf.h>
37
38#include <freeradius-devel/server/module.h>
39#include <freeradius-devel/server/virtual_servers.h>
40#include <freeradius-devel/util/debug.h>
41#include <freeradius-devel/util/syserror.h>
42#include <freeradius-devel/util/rand.h>
43
44#include "base.h"
45#include "log.h"
46
47static int tls_conf_parse_cache_mode(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
48static int tls_virtual_server_cf_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
49
50/** Certificate formats
51 *
52 */
53static fr_table_num_sorted_t const certificate_format_table[] = {
54 { L("ASN1"), SSL_FILETYPE_ASN1 },
55 { L("DER"), SSL_FILETYPE_ASN1 }, /* Alternate name for ASN1 */
56 { L("PEM"), SSL_FILETYPE_PEM }
57};
58static size_t certificate_format_table_len = NUM_ELEMENTS(certificate_format_table);
59
60static fr_table_num_sorted_t const chain_verify_mode_table[] = {
61 { L("hard"), FR_TLS_CHAIN_VERIFY_HARD },
62 { L("none"), FR_TLS_CHAIN_VERIFY_NONE },
63 { L("soft"), FR_TLS_CHAIN_VERIFY_SOFT }
64};
65static size_t chain_verify_mode_table_len = NUM_ELEMENTS(chain_verify_mode_table);
66
67static fr_table_num_sorted_t const cache_mode_table[] = {
68 { L("auto"), FR_TLS_CACHE_AUTO },
69 { L("disabled"), FR_TLS_CACHE_DISABLED },
70 { L("stateful"), FR_TLS_CACHE_STATEFUL },
71 { L("stateless"), FR_TLS_CACHE_STATELESS }
72};
73static size_t cache_mode_table_len = NUM_ELEMENTS(cache_mode_table);
74
75static fr_table_num_sorted_t const verify_mode_table[] = {
76 { L("all"), FR_TLS_VERIFY_MODE_ALL },
77 { L("client"), FR_TLS_VERIFY_MODE_LEAF },
78 { L("client-and-issuer"), FR_TLS_VERIFY_MODE_LEAF | FR_TLS_VERIFY_MODE_ISSUER },
79 { L("disabled"), FR_TLS_VERIFY_MODE_DISABLED },
80 { L("untrusted"), FR_TLS_VERIFY_MODE_UNTRUSTED }
81};
82static size_t verify_mode_table_len = NUM_ELEMENTS(verify_mode_table);
83
84static conf_parser_t tls_cache_config[] = {
85 { FR_CONF_OFFSET("mode", fr_tls_cache_conf_t, mode),
86 .func = tls_conf_parse_cache_mode,
87 .uctx = &(cf_table_parse_ctx_t){
88 .table = cache_mode_table,
89 .len = &cache_mode_table_len
90 },
91 .dflt = "auto" },
92 { FR_CONF_OFFSET("name", fr_tls_cache_conf_t, id_name),
93 .dflt = "%{EAP-Type}%interpreter(server)", .quote = T_DOUBLE_QUOTED_STRING },
94 { FR_CONF_OFFSET("lifetime", fr_tls_cache_conf_t, lifetime), .dflt = "1d" },
95
96 { FR_CONF_OFFSET("require_extended_master_secret", fr_tls_cache_conf_t, require_extms), .dflt = "yes" },
97 { FR_CONF_OFFSET("require_perfect_forward_secrecy", fr_tls_cache_conf_t, require_pfs), .dflt = "no" },
98
99 { FR_CONF_OFFSET("session_ticket_key", fr_tls_cache_conf_t, session_ticket_key) },
100
101 /*
102 * Deprecated
103 */
104 { FR_CONF_DEPRECATED("enable", fr_tls_cache_conf_t, NULL) },
105 { FR_CONF_DEPRECATED("max_entries", fr_tls_cache_conf_t, NULL) },
106 { FR_CONF_DEPRECATED("persist_dir", fr_tls_cache_conf_t, NULL) },
107
108 CONF_PARSER_TERMINATOR
109};
110
111static conf_parser_t tls_chain_config[] = {
112 { FR_CONF_OFFSET("format", fr_tls_chain_conf_t, file_format),
113 .func = cf_table_parse_int,
114 .uctx = &(cf_table_parse_ctx_t){
115 .table = certificate_format_table,
116 .len = &certificate_format_table_len
117 },
118 .dflt = "pem" },
119 { FR_CONF_OFFSET_FLAGS("certificate_file", CONF_FLAG_FILE_INPUT | CONF_FLAG_FILE_EXISTS | CONF_FLAG_REQUIRED, fr_tls_chain_conf_t, certificate_file) },
120 { FR_CONF_OFFSET_FLAGS("private_key_password", CONF_FLAG_SECRET, fr_tls_chain_conf_t, password) },
121 { FR_CONF_OFFSET_FLAGS("private_key_file", CONF_FLAG_FILE_INPUT | CONF_FLAG_FILE_EXISTS | CONF_FLAG_REQUIRED, fr_tls_chain_conf_t, private_key_file) },
122
123 { FR_CONF_OFFSET_FLAGS("ca_file", CONF_FLAG_FILE_INPUT | CONF_FLAG_MULTI, fr_tls_chain_conf_t, ca_files) },
124
125 { FR_CONF_OFFSET("verify_mode", fr_tls_chain_conf_t, verify_mode),
126 .func = cf_table_parse_int,
127 .uctx = &(cf_table_parse_ctx_t){
128 .table = chain_verify_mode_table,
129 .len = &chain_verify_mode_table_len
130 },
131 .dflt = "hard" },
132 { FR_CONF_OFFSET("include_root_ca", fr_tls_chain_conf_t, include_root_ca), .dflt = "no" },
133 CONF_PARSER_TERMINATOR
134};
135
136static conf_parser_t tls_verify_config[] = {
137 { FR_CONF_OFFSET("mode", fr_tls_verify_conf_t, mode),
138 .func = cf_table_parse_int,
139 .uctx = &(cf_table_parse_ctx_t){
140 .table = verify_mode_table,
141 .len = &verify_mode_table_len
142 },
143 .dflt = "all" },
144 { FR_CONF_OFFSET("attribute_mode", fr_tls_verify_conf_t, attribute_mode),
145 .func = cf_table_parse_int,
146 .uctx = &(cf_table_parse_ctx_t){
147 .table = verify_mode_table,
148 .len = &verify_mode_table_len
149 },
150 .dflt = "client-and-issuer" },
151 { FR_CONF_OFFSET("check_crl", fr_tls_verify_conf_t, check_crl), .dflt = "no" },
152 { FR_CONF_OFFSET("allow_expired_crl", fr_tls_verify_conf_t, allow_expired_crl) },
153 { FR_CONF_OFFSET("allow_not_yet_valid_crl", fr_tls_verify_conf_t, allow_not_yet_valid_crl) },
154 CONF_PARSER_TERMINATOR
155};
156
157conf_parser_t fr_tls_server_config[] = {
158 { FR_CONF_OFFSET_TYPE_FLAGS("virtual_server", FR_TYPE_VOID, 0, fr_tls_conf_t, virtual_server), .func = tls_virtual_server_cf_parse },
159
160 { FR_CONF_OFFSET_SUBSECTION("chain", CONF_FLAG_MULTI, fr_tls_conf_t, chains, tls_chain_config),
161 .subcs_size = sizeof(fr_tls_chain_conf_t), .subcs_type = "fr_tls_chain_conf_t", .name2 = CF_IDENT_ANY },
162
163 { FR_CONF_DEPRECATED("pem_file_type", fr_tls_conf_t, NULL) },
164 { FR_CONF_DEPRECATED("certificate_file", fr_tls_conf_t, NULL) },
165 { FR_CONF_DEPRECATED("private_key_password", fr_tls_conf_t, NULL) },
166 { FR_CONF_DEPRECATED("private_key_file", fr_tls_conf_t, NULL) },
167
168 { FR_CONF_OFFSET("verify_depth", fr_tls_conf_t, verify_depth), .dflt = "0" },
169 { FR_CONF_OFFSET_FLAGS("ca_path", CONF_FLAG_FILE_INPUT, fr_tls_conf_t, ca_path) },
170 { FR_CONF_OFFSET_FLAGS("ca_file", CONF_FLAG_FILE_INPUT, fr_tls_conf_t, ca_file) },
171
172#ifdef PSK_MAX_IDENTITY_LEN
173 { FR_CONF_OFFSET("psk_identity", fr_tls_conf_t, psk_identity) },
174 { FR_CONF_OFFSET_FLAGS("psk_hexphrase", CONF_FLAG_SECRET, fr_tls_conf_t, psk_password) },
175 { FR_CONF_OFFSET("psk_query", fr_tls_conf_t, psk_query) },
176#endif
177 { FR_CONF_OFFSET("keylog_file", fr_tls_conf_t, keylog_file) },
178
179 { FR_CONF_OFFSET_FLAGS("dh_file", CONF_FLAG_FILE_INPUT, fr_tls_conf_t, dh_file) },
180 { FR_CONF_OFFSET("fragment_size", fr_tls_conf_t, fragment_size), .dflt = "1024" },
181 { FR_CONF_OFFSET("padding", fr_tls_conf_t, padding_block_size), },
182
183 { FR_CONF_OFFSET("disable_single_dh_use", fr_tls_conf_t, disable_single_dh_use) },
184
185 { FR_CONF_OFFSET("cipher_list", fr_tls_conf_t, cipher_list) },
186 { FR_CONF_OFFSET("cipher_server_preference", fr_tls_conf_t, cipher_server_preference), .dflt = "yes" },
187#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
188 { FR_CONF_OFFSET("allow_renegotiation", fr_tls_conf_t, allow_renegotiation), .dflt = "no" },
189#endif
190
191#ifndef OPENSSL_NO_ECDH
192 { FR_CONF_OFFSET("ecdh_curve", fr_tls_conf_t, ecdh_curve), .dflt = "prime256v1" },
193#endif
194 { FR_CONF_OFFSET("tls_max_version", fr_tls_conf_t, tls_max_version) },
195
196 { FR_CONF_OFFSET("tls_min_version", fr_tls_conf_t, tls_min_version), .dflt = "1.2" },
197
198 { FR_CONF_OFFSET_SUBSECTION("session", 0, fr_tls_conf_t, cache, tls_cache_config) },
199
200 { FR_CONF_OFFSET_SUBSECTION("verify", 0, fr_tls_conf_t, verify, tls_verify_config) },
201
202 { FR_CONF_DEPRECATED("check_cert_issuer", fr_tls_conf_t, check_cert_issuer) },
203 { FR_CONF_DEPRECATED("check_cert_cn", fr_tls_conf_t, check_cert_cn) },
204 CONF_PARSER_TERMINATOR
205};
206
207conf_parser_t fr_tls_client_config[] = {
208 { FR_CONF_OFFSET_SUBSECTION("chain", CONF_FLAG_OK_MISSING | CONF_FLAG_MULTI, fr_tls_conf_t, chains, tls_chain_config),
209 .subcs_size = sizeof(fr_tls_chain_conf_t), .subcs_type = "fr_tls_chain_conf_t" },
210
211 { FR_CONF_DEPRECATED("pem_file_type", fr_tls_conf_t, NULL) },
212 { FR_CONF_DEPRECATED("certificate_file", fr_tls_conf_t, NULL) },
213 { FR_CONF_DEPRECATED("private_key_password", fr_tls_conf_t, NULL) },
214 { FR_CONF_DEPRECATED("private_key_file", fr_tls_conf_t, NULL) },
215
216#ifdef PSK_MAX_IDENTITY_LEN
217 { FR_CONF_OFFSET("psk_identity", fr_tls_conf_t, psk_identity) },
218 { FR_CONF_OFFSET_FLAGS("psk_hexphrase", CONF_FLAG_SECRET, fr_tls_conf_t, psk_password) },
219#endif
220
221 { FR_CONF_OFFSET("keylog_file", fr_tls_conf_t, keylog_file) },
222
223 { FR_CONF_OFFSET("verify_depth", fr_tls_conf_t, verify_depth), .dflt = "0" },
224 { FR_CONF_OFFSET_FLAGS("ca_path", CONF_FLAG_FILE_INPUT, fr_tls_conf_t, ca_path) },
225
226 { FR_CONF_OFFSET_FLAGS("ca_file", CONF_FLAG_FILE_INPUT, fr_tls_conf_t, ca_file) },
227 { FR_CONF_OFFSET("dh_file", fr_tls_conf_t, dh_file) },
228 { FR_CONF_OFFSET("random_file", fr_tls_conf_t, random_file) },
229 { FR_CONF_OFFSET("fragment_size", fr_tls_conf_t, fragment_size), .dflt = "1024" },
230
231 { FR_CONF_OFFSET("cipher_list", fr_tls_conf_t, cipher_list) },
232
233#ifndef OPENSSL_NO_ECDH
234 { FR_CONF_OFFSET("ecdh_curve", fr_tls_conf_t, ecdh_curve), .dflt = "prime256v1" },
235#endif
236
237 { FR_CONF_OFFSET("tls_max_version", fr_tls_conf_t, tls_max_version) },
238
239 { FR_CONF_OFFSET("tls_min_version", fr_tls_conf_t, tls_min_version), .dflt = "1.2" },
240
241 { FR_CONF_DEPRECATED("check_cert_issuer", fr_tls_conf_t, check_cert_issuer) },
242 { FR_CONF_DEPRECATED("check_cert_cn", fr_tls_conf_t, check_cert_cn) },
243 CONF_PARSER_TERMINATOR
244};
245
246static int tls_virtual_server_cf_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
247{
248 fr_tls_conf_t *conf = talloc_get_type_abort(parent, fr_tls_conf_t);
249
250 if (virtual_server_cf_parse(ctx, out, parent, ci, rule) < 0) return -1;
251
252 if (!conf->virtual_server) return 0;
253
254 conf->verify_certificate = cf_section_find(conf->virtual_server, "verify", "certificate") ? true : false;
255 conf->new_session = cf_section_find(conf->virtual_server, "new", "session") ? true : false;
256 conf->establish_session = cf_section_find(conf->virtual_server, "establish", "session") ? true : false;
257 return 0;
258}
259
260static int tls_conf_parse_cache_mode(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
261{
262 fr_tls_conf_t *conf = talloc_get_type_abort((uint8_t *)parent - offsetof(fr_tls_conf_t, cache), fr_tls_conf_t);
263 int cache_mode;
264
265 if (cf_table_parse_int(ctx, &cache_mode, parent, ci, rule) < 0) return -1;
266
267 /*
268 * Ensure our virtual server contains the
269 * correct sections for the specified
270 * cache mode.
271 */
272 switch (cache_mode) {
273 case FR_TLS_CACHE_DISABLED:
274 case FR_TLS_CACHE_STATELESS:
275 break;
276
277 case FR_TLS_CACHE_STATEFUL:
278 if (!conf->virtual_server) {
279 cf_log_err(ci, "A virtual_server must be set when cache.mode = \"stateful\"");
280 error:
281 return -1;
282 }
283
284 if (!cf_section_find(conf->virtual_server, "load", "session")) {
285 cf_log_err(ci, "Specified virtual_server must contain a \"load session { ... }\" section "
286 "when cache.mode = \"stateful\"");
287 goto error;
288 }
289
290 if (!cf_section_find(conf->virtual_server, "store", "session")) {
291 cf_log_err(ci, "Specified virtual_server must contain a \"store session { ... }\" section "
292 "when cache.mode = \"stateful\"");
293 goto error;
294 }
295
296 if (!cf_section_find(conf->virtual_server, "clear", "session")) {
297 cf_log_err(ci, "Specified virtual_server must contain a \"clear session { ... }\" section "
298 "when cache.mode = \"stateful\"");
299 goto error;
300 }
301
302 if (conf->tls_min_version >= (float)1.3) {
303 cf_log_err(ci, "cache.mode = \"stateful\" is not supported with tls_min_version >= 1.3");
304 goto error;
305 }
306 break;
307
308 case FR_TLS_CACHE_AUTO:
309 if (!conf->virtual_server) {
310 WARN("A virtual_server must be provided for stateful caching. "
311 "cache.mode = \"auto\" rewritten to cache.mode = \"stateless\"");
312 cache_stateless:
313 cache_mode = FR_TLS_CACHE_STATELESS;
314 break;
315 }
316
317 if (!cf_section_find(conf->virtual_server, "load", "session")) {
318 cf_log_warn(ci, "Specified virtual_server missing \"load session { ... }\" section. "
319 "cache.mode = \"auto\" rewritten to cache.mode = \"stateless\"");
320 goto cache_stateless;
321 }
322
323 if (!cf_section_find(conf->virtual_server, "store", "session")) {
324 cf_log_warn(ci, "Specified virtual_server missing \"store session { ... }\" section. "
325 "cache.mode = \"auto\" rewritten to cache.mode = \"stateless\"");
326 goto cache_stateless;
327 }
328
329 if (!cf_section_find(conf->virtual_server, "clear", "session")) {
330 cf_log_warn(ci, "Specified virtual_server missing \"clear cache { ... }\" section. "
331 "cache.mode = \"auto\" rewritten to cache.mode = \"stateless\"");
332 goto cache_stateless;
333 }
334
335 if (conf->tls_min_version >= (float)1.3) {
336 cf_log_err(ci, "stateful session-resumption is not supported with tls_min_version >= 1.3. "
337 "cache.mode = \"auto\" rewritten to cache.mode = \"stateless\"");
338 goto error;
339 }
340 break;
341 }
342
343 /*
344 * Generate random, ephemeral, session-ticket keys.
345 */
346 if (cache_mode & FR_TLS_CACHE_STATELESS) {
347 /*
348 * Fill the key with randomness if one
349 * wasn't specified by the user.
350 */
351 if (!conf->cache.session_ticket_key) {
352 MEM(conf->cache.session_ticket_key = talloc_array(conf, uint8_t, 256));
353 fr_rand_buffer(UNCONST(uint8_t *, conf->cache.session_ticket_key),
354 talloc_array_length(conf->cache.session_ticket_key));
355 }
356 }
357
358 *((int *)out) = cache_mode;
359
360 return 0;
361}
362
363#ifdef __APPLE__
364/*
365 * We don't want to put the private key password in eap.conf, so check
366 * for our special string which indicates we should get the password
367 * programmatically.
368 */
369static char const *special_string = "Apple:UsecertAdmin";
370
371/** Use cert_admin to retrieve the password for the private key
372 *
373 */
374static int conf_cert_admin_password(fr_tls_conf_t *conf)
375{
376 size_t i, cnt;
377
378 if (!conf->chains) return 0;
379
380 cnt = talloc_array_length(conf->chains);
381 for (i = 0; i < cnt; i++) {
382 char cmd[256];
383 char *password;
384 long const max_password_len = 128;
385 FILE *cmd_pipe;
386
387 if (!conf->chains[i]->password) continue;
388
389 if (strncmp(conf->chains[i]->password, special_string, strlen(special_string)) != 0) continue;
390
391 snprintf(cmd, sizeof(cmd) - 1, "/usr/sbin/certadmin --get-private-key-passphrase \"%s\"",
392 conf->chains[i]->private_key_file);
393
394 DEBUG2("Getting private key passphrase using command \"%s\"", cmd);
395
396 cmd_pipe = popen(cmd, "r");
397 if (!cmd_pipe) {
398 ERROR("%s command failed: Unable to get private_key_password", cmd);
399 ERROR("Error reading private_key_file %s", conf->chains[i]->private_key_file);
400 return -1;
401 }
402
403 password = talloc_array(conf, char, max_password_len);
404 if (!password) {
405 ERROR("Can't allocate space for private_key_password");
406 ERROR("Error reading private_key_file %s", conf->chains[i]->private_key_file);
407 pclose(cmd_pipe);
408 return -1;
409 }
410
411 fgets(password, max_password_len, cmd_pipe);
412 pclose(cmd_pipe);
413
414 /* Get rid of newline at end of password. */
415 password[strlen(password) - 1] = '\0';
416
417 DEBUG3("Password from command = \"%s\"", password);
418 talloc_const_free(conf->chains[i]->password);
419 conf->chains[i]->password = password;
420 }
421
422 return 0;
423}
424#endif
425
426#ifdef HAVE_OPENSSL_OCSP_H
427/*
428 * Create Global X509 revocation store and use it to verify
429 * OCSP responses
430 *
431 * - Load the trusted CAs
432 * - Load the trusted issuer certificates
433 */
434static X509_STORE *conf_ocsp_revocation_store(fr_tls_conf_t *conf)
435{
436 X509_STORE *store = NULL;
437
438 store = X509_STORE_new();
439
440 /* Load the CAs we trust */
441 if (conf->ca_file || conf->ca_path)
442 if (!X509_STORE_load_locations(store, conf->ca_file, conf->ca_path)) {
443 fr_tls_log(NULL, "Error reading Trusted root CA list \"%s\"", conf->ca_file);
444 X509_STORE_free(store);
445 return NULL;
446 }
447
448#ifdef X509_V_FLAG_CRL_CHECK_ALL
449 if (conf->verify.check_crl) X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
450#endif
451
452 return store;
453}
454#endif
455
456/*
457 * Free TLS client/server config
458 * Should not be called outside this code, as a callback is
459 * added to automatically free the data when the CONF_SECTION
460 * is freed.
461 */
462static int _conf_server_free(fr_tls_conf_t *conf)
463{
464 memset(conf, 0, sizeof(*conf));
465 return 0;
466}
467
468fr_tls_conf_t *fr_tls_conf_alloc(TALLOC_CTX *ctx)
469{
470 fr_tls_conf_t *conf;
471
472 MEM(conf = talloc_zero(ctx, fr_tls_conf_t));
473 talloc_set_destructor(conf, _conf_server_free);
474
475 return conf;
476}
477
478fr_tls_conf_t *fr_tls_conf_parse_server(CONF_SECTION *cs)
479{
480 fr_tls_conf_t *conf;
481
482 /*
483 * If cs has already been parsed there should be a cached copy
484 * of conf already stored, so just return that.
485 */
486 conf = cf_data_value(cf_data_find(cs, fr_tls_conf_t, NULL));
487 if (conf) {
488 DEBUG("Using cached TLS configuration from previous invocation");
489 return conf;
490 }
491
492 if (cf_section_rules_push(cs, fr_tls_server_config) < 0) return NULL;
493
494 conf = fr_tls_conf_alloc(cs);
495
496 if ((cf_section_parse(conf, conf, cs) < 0) ||
497 (cf_section_parse_pass2(conf, cs) < 0)) {
498#ifdef __APPLE__
499 error:
500#endif
501 talloc_free(conf);
502 return NULL;
503 }
504
505 /*
506 * Save people from their own stupidity.
507 */
508 if (conf->fragment_size < 100) conf->fragment_size = 100;
509
510 FR_INTEGER_BOUND_CHECK("padding", conf->padding_block_size, <=, SSL3_RT_MAX_PLAIN_LENGTH);
511
512#ifdef __APPLE__
513 if (conf_cert_admin_password(conf) < 0) goto error;
514#endif
515
516 /*
517 * Cache conf in cs in case we're asked to parse this again.
518 */
519 cf_data_add(cs, conf, NULL, false);
520
521 return conf;
522}
523
524fr_tls_conf_t *fr_tls_conf_parse_client(CONF_SECTION *cs)
525{
526 fr_tls_conf_t *conf;
527
528 conf = cf_data_value(cf_data_find(cs, fr_tls_conf_t, NULL));
529 if (conf) {
530 DEBUG2("Using cached TLS configuration from previous invocation");
531 return conf;
532 }
533
534 if (cf_section_rules_push(cs, fr_tls_client_config) < 0) return NULL;
535
536 conf = fr_tls_conf_alloc(cs);
537
538 if ((cf_section_parse(conf, conf, cs) < 0) ||
539 (cf_section_parse_pass2(conf, cs) < 0)) {
540#ifdef __APPLE__
541 error:
542#endif
543 talloc_free(conf);
544 return NULL;
545 }
546
547 /*
548 * Save people from their own stupidity.
549 */
550 if (conf->fragment_size < 100) conf->fragment_size = 100;
551
552 /*
553 * Initialize TLS
554 */
555#ifdef __APPLE__
556 if (conf_cert_admin_password(conf) < 0) goto error;
557#endif
558
559 cf_data_add(cs, conf, NULL, false);
560
561 return conf;
562}
563#endif /* WITH_TLS */
store
#define store(_store, _var)
Definition atomic_queue.h:48
UNCONST
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
Definition build.h:167
USES_APPLE_DEPRECATED_API
#define USES_APPLE_DEPRECATED_API
Definition build.h:470
RCSID
#define RCSID(id)
Definition build.h:483
L
#define L(_str)
Helper for initialising arrays of string literals.
Definition build.h:209
NUM_ELEMENTS
#define NUM_ELEMENTS(_t)
Definition build.h:337
cf_section_parse
int cf_section_parse(TALLOC_CTX *ctx, void *base, CONF_SECTION *cs)
Parse a configuration section into user-supplied variables.
Definition cf_parse.c:1124
cf_table_parse_int
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
Definition cf_parse.c:1550
cf_section_parse_pass2
int cf_section_parse_pass2(void *base, CONF_SECTION *cs)
Fixup xlat expansions and attributes.
Definition cf_parse.c:1232
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:642
conf_parser_s::func
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:596
FR_CONF_DEPRECATED
#define FR_CONF_DEPRECATED(_name, _struct, _field)
conf_parser_t entry which raises an error if a matching CONF_PAIR is found
Definition cf_parse.h:398
FR_INTEGER_BOUND_CHECK
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:502
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:268
cf_section_rules_push
#define cf_section_rules_push(_cs, _rule)
Definition cf_parse.h:674
FR_CONF_OFFSET_FLAGS
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:256
FR_CONF_OFFSET_SUBSECTION
#define FR_CONF_OFFSET_SUBSECTION(_name, _flags, _struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:297
CONF_FLAG_REQUIRED
@ CONF_FLAG_REQUIRED
Error out if no matching CONF_PAIR is found, and no dflt value is set.
Definition cf_parse.h:418
CONF_FLAG_MULTI
@ CONF_FLAG_MULTI
CONF_PAIR can have multiple copies.
Definition cf_parse.h:432
CONF_FLAG_SECRET
@ CONF_FLAG_SECRET
Only print value if debug level >= 3.
Definition cf_parse.h:422
CONF_FLAG_FILE_INPUT
@ CONF_FLAG_FILE_INPUT
File matching value must exist, and must be readable.
Definition cf_parse.h:424
CONF_FLAG_OK_MISSING
@ CONF_FLAG_OK_MISSING
OK if it's missing.
Definition cf_parse.h:440
CONF_FLAG_FILE_EXISTS
@ CONF_FLAG_FILE_EXISTS
File matching value must exist.
Definition cf_parse.h:435
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:241
cf_table_parse_ctx_t
Definition cf_parse.h:637
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:579
cf_item
Common header for all CONF_* types.
Definition cf_priv.h:49
cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
cf_data_value
void * cf_data_value(CONF_DATA const *cd)
Return the user assigned value of CONF_DATA.
Definition cf_util.c:1763
cf_section_find
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1028
cf_log_err
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:289
cf_data_add
#define cf_data_add(_cf, _data, _name, _free)
Definition cf_util.h:255
cf_data_find
#define cf_data_find(_cf, _type, _name)
Definition cf_util.h:244
cf_log_warn
#define cf_log_warn(_cf, _fmt,...)
Definition cf_util.h:290
CF_IDENT_ANY
#define CF_IDENT_ANY
Definition cf_util.h:78
MEM
#define MEM(x)
Definition debug.h:36
ERROR
#define ERROR(fmt,...)
Definition dhcpclient.c:41
DEBUG
#define DEBUG(fmt,...)
Definition dhcpclient.c:39
DEBUG3
#define DEBUG3(_fmt,...)
Definition log.h:266
talloc_free
talloc_free(reap)
FR_TYPE_VOID
@ FR_TYPE_VOID
User data.
Definition merged_model.c:127
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
_conf_server_free
static int _conf_server_free(fr_tls_conf_t *conf)
Definition conf.c:73
DEBUG2
#define DEBUG2(fmt,...)
Definition radclient.h:43
WARN
#define WARN(fmt,...)
Definition radclient.h:47
conf
static rs_t * conf
Definition radsniff.c:53
fr_rand_buffer
void fr_rand_buffer(void *start, size_t length)
Definition rand.c:125
snprintf
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition snprintf.c:689
fr_table_num_sorted_t
An element in a lexicographically sorted array of name to num mappings.
Definition table.h:49
talloc_const_free
static int talloc_const_free(void const *ptr)
Free const'd memory.
Definition talloc.h:224
T_DOUBLE_QUOTED_STRING
@ T_DOUBLE_QUOTED_STRING
Definition token.h:121
parent
static fr_slen_t parent
Definition pair.h:851
out
static size_t char ** out
Definition value.h:997
virtual_server_cf_parse
int virtual_server_cf_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
Wrapper for the config parser to allow pass1 resolution of virtual servers.
Definition virtual_servers.c:946
Generated by   doxygen 1.9.8