The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
conf.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: bb190214c501c9f062dc9f78145e7a8c0de6c8d3 $
19 *
20 * @file tls/conf.c
21 * @brief Configuration parsing for TLS servers and clients.
22 *
23 * @copyright 2001 hereUare Communications, Inc. (raghud@hereuare.com)
24 * @copyright 2003 Alan DeKok (aland@freeradius.org)
25 * @copyright 2006-2016 The FreeRADIUS server project
26 */
27RCSID("$Id: bb190214c501c9f062dc9f78145e7a8c0de6c8d3 $")
28USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
29
30#ifdef WITH_TLS
31#define LOG_PREFIX "tls"
32
33#ifdef HAVE_SYS_STAT_H
34# include <sys/stat.h>
35#endif
36#include <openssl/conf.h>
37
38#include <freeradius-devel/server/module.h>
39#include <freeradius-devel/server/virtual_servers.h>
40#include <freeradius-devel/util/debug.h>
41#include <freeradius-devel/util/syserror.h>
42#include <freeradius-devel/util/rand.h>
43
44#include "base.h"
45#include "log.h"
46
47static int tls_conf_parse_cache_mode(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
48static int tls_virtual_server_cf_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
49
50/** Certificate formats
51 *
52 */
53static fr_table_num_sorted_t const certificate_format_table[] = {
54 { L("ASN1"), SSL_FILETYPE_ASN1 },
55 { L("DER"), SSL_FILETYPE_ASN1 }, /* Alternate name for ASN1 */
56 { L("PEM"), SSL_FILETYPE_PEM }
57};
58static size_t certificate_format_table_len = NUM_ELEMENTS(certificate_format_table);
59
60static fr_table_num_sorted_t const chain_verify_mode_table[] = {
61 { L("hard"), FR_TLS_CHAIN_VERIFY_HARD },
62 { L("none"), FR_TLS_CHAIN_VERIFY_NONE },
63 { L("soft"), FR_TLS_CHAIN_VERIFY_SOFT }
64};
65static size_t chain_verify_mode_table_len = NUM_ELEMENTS(chain_verify_mode_table);
66
67static fr_table_num_sorted_t const cache_mode_table[] = {
68 { L("auto"), FR_TLS_CACHE_AUTO },
69 { L("disabled"), FR_TLS_CACHE_DISABLED },
70 { L("stateful"), FR_TLS_CACHE_STATEFUL },
71 { L("stateless"), FR_TLS_CACHE_STATELESS }
72};
73static size_t cache_mode_table_len = NUM_ELEMENTS(cache_mode_table);
74
75static fr_table_num_sorted_t const verify_mode_table[] = {
76 { L("all"), FR_TLS_VERIFY_MODE_ALL },
77 { L("client"), FR_TLS_VERIFY_MODE_LEAF },
78 { L("client-and-issuer"), FR_TLS_VERIFY_MODE_LEAF | FR_TLS_VERIFY_MODE_ISSUER },
79 { L("disabled"), FR_TLS_VERIFY_MODE_DISABLED },
80 { L("untrusted"), FR_TLS_VERIFY_MODE_UNTRUSTED }
81};
82static size_t verify_mode_table_len = NUM_ELEMENTS(verify_mode_table);
83
84static conf_parser_t tls_cache_config[] = {
85 { FR_CONF_OFFSET("mode", fr_tls_cache_conf_t, mode),
86 .func = tls_conf_parse_cache_mode,
87 .uctx = &(cf_table_parse_ctx_t){
88 .table = cache_mode_table,
89 .len = &cache_mode_table_len
90 },
91 .dflt = "auto" },
92 { FR_CONF_OFFSET_HINT_TYPE("name", FR_TYPE_STRING, fr_tls_cache_conf_t, id_name),
93 .dflt = "%{EAP-Type}%interpreter('server')", .quote = T_DOUBLE_QUOTED_STRING },
94 { FR_CONF_OFFSET("lifetime", fr_tls_cache_conf_t, lifetime), .dflt = "1d" },
95
96 { FR_CONF_OFFSET("require_extended_master_secret", fr_tls_cache_conf_t, require_extms), .dflt = "yes" },
97 { FR_CONF_OFFSET("require_perfect_forward_secrecy", fr_tls_cache_conf_t, require_pfs), .dflt = "no" },
98
99 { FR_CONF_OFFSET("session_ticket_key", fr_tls_cache_conf_t, session_ticket_key) },
100
101 /*
102 * Deprecated
103 */
104 { FR_CONF_DEPRECATED("enable", fr_tls_cache_conf_t, NULL) },
105 { FR_CONF_DEPRECATED("max_entries", fr_tls_cache_conf_t, NULL) },
106 { FR_CONF_DEPRECATED("persist_dir", fr_tls_cache_conf_t, NULL) },
107
109};
110
111static conf_parser_t tls_chain_config[] = {
112 { FR_CONF_OFFSET("format", fr_tls_chain_conf_t, file_format),
114 .uctx = &(cf_table_parse_ctx_t){
115 .table = certificate_format_table,
116 .len = &certificate_format_table_len
117 },
118 .dflt = "pem" },
119 { FR_CONF_OFFSET_FLAGS("certificate_file", CONF_FLAG_FILE_READABLE | CONF_FLAG_FILE_EXISTS | CONF_FLAG_REQUIRED, fr_tls_chain_conf_t, certificate_file) },
120 { FR_CONF_OFFSET_FLAGS("private_key_password", CONF_FLAG_SECRET, fr_tls_chain_conf_t, password) },
121 { FR_CONF_OFFSET_FLAGS("private_key_file", CONF_FLAG_FILE_READABLE | CONF_FLAG_FILE_EXISTS | CONF_FLAG_REQUIRED, fr_tls_chain_conf_t, private_key_file) },
122
123 { FR_CONF_OFFSET_FLAGS("ca_file", CONF_FLAG_FILE_READABLE | CONF_FLAG_MULTI, fr_tls_chain_conf_t, ca_files) },
124
125 { FR_CONF_OFFSET("verify_mode", fr_tls_chain_conf_t, verify_mode),
126 .func = cf_table_parse_int,
127 .uctx = &(cf_table_parse_ctx_t){
128 .table = chain_verify_mode_table,
129 .len = &chain_verify_mode_table_len
130 },
131 .dflt = "hard" },
132 { FR_CONF_OFFSET("include_root_ca", fr_tls_chain_conf_t, include_root_ca), .dflt = "no" },
134};
135
136static conf_parser_t tls_verify_config[] = {
137 { FR_CONF_OFFSET("mode", fr_tls_verify_conf_t, mode),
139 .uctx = &(cf_table_parse_ctx_t){
140 .table = verify_mode_table,
141 .len = &verify_mode_table_len
142 },
143 .dflt = "all" },
144 { FR_CONF_OFFSET("attribute_mode", fr_tls_verify_conf_t, attribute_mode),
145 .func = cf_table_parse_int,
146 .uctx = &(cf_table_parse_ctx_t){
147 .table = verify_mode_table,
148 .len = &verify_mode_table_len
149 },
150 .dflt = "client-and-issuer" },
151 { FR_CONF_OFFSET("check_crl", fr_tls_verify_conf_t, check_crl), .dflt = "no" },
152 { FR_CONF_OFFSET("allow_expired_crl", fr_tls_verify_conf_t, allow_expired_crl) },
153 { FR_CONF_OFFSET("allow_not_yet_valid_crl", fr_tls_verify_conf_t, allow_not_yet_valid_crl) },
155};
156
157conf_parser_t fr_tls_server_config[] = {
158 { FR_CONF_OFFSET_TYPE_FLAGS("virtual_server", FR_TYPE_VOID, 0, fr_tls_conf_t, virtual_server), .func = tls_virtual_server_cf_parse },
159
160 { FR_CONF_OFFSET_SUBSECTION("chain", CONF_FLAG_MULTI, fr_tls_conf_t, chains, tls_chain_config),
161 .subcs_size = sizeof(fr_tls_chain_conf_t), .subcs_type = "fr_tls_chain_conf_t", .name2 = CF_IDENT_ANY },
162
163 { FR_CONF_DEPRECATED("pem_file_type", fr_tls_conf_t, NULL) },
164 { FR_CONF_DEPRECATED("certificate_file", fr_tls_conf_t, NULL) },
165 { FR_CONF_DEPRECATED("private_key_password", fr_tls_conf_t, NULL) },
166 { FR_CONF_DEPRECATED("private_key_file", fr_tls_conf_t, NULL) },
167
168 { FR_CONF_OFFSET("verify_depth", fr_tls_conf_t, verify_depth), .dflt = "0" },
169 { FR_CONF_OFFSET_FLAGS("ca_path", CONF_FLAG_FILE_READABLE, fr_tls_conf_t, ca_path) },
170 { FR_CONF_OFFSET_FLAGS("ca_file", CONF_FLAG_FILE_READABLE, fr_tls_conf_t, ca_file) },
171
172#ifdef PSK_MAX_IDENTITY_LEN
173 { FR_CONF_OFFSET("psk_identity", fr_tls_conf_t, psk_identity) },
174 { FR_CONF_OFFSET_FLAGS("psk_hexphrase", CONF_FLAG_SECRET, fr_tls_conf_t, psk_password) },
175 { FR_CONF_OFFSET("psk_query", fr_tls_conf_t, psk_query) },
176#endif
177 { FR_CONF_OFFSET("keylog_file", fr_tls_conf_t, keylog_file) },
178
179 { FR_CONF_OFFSET_FLAGS("dh_file", CONF_FLAG_FILE_READABLE, fr_tls_conf_t, dh_file) },
180 { FR_CONF_OFFSET("fragment_size", fr_tls_conf_t, fragment_size), .dflt = "1024" },
181 { FR_CONF_OFFSET("padding", fr_tls_conf_t, padding_block_size), },
182
183 { FR_CONF_OFFSET("disable_single_dh_use", fr_tls_conf_t, disable_single_dh_use) },
184
185 { FR_CONF_OFFSET("cipher_list", fr_tls_conf_t, cipher_list) },
186 { FR_CONF_OFFSET("cipher_server_preference", fr_tls_conf_t, cipher_server_preference), .dflt = "yes" },
187#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
188 { FR_CONF_OFFSET("allow_renegotiation", fr_tls_conf_t, allow_renegotiation), .dflt = "no" },
189#endif
190
191#ifndef OPENSSL_NO_ECDH
192 { FR_CONF_OFFSET("ecdh_curve", fr_tls_conf_t, ecdh_curve), .dflt = "prime256v1" },
193#endif
194 { FR_CONF_OFFSET("tls_max_version", fr_tls_conf_t, tls_max_version) },
195
196 { FR_CONF_OFFSET("tls_min_version", fr_tls_conf_t, tls_min_version), .dflt = "1.2" },
197
198 { FR_CONF_OFFSET_SUBSECTION("session", 0, fr_tls_conf_t, cache, tls_cache_config) },
199
200 { FR_CONF_OFFSET_SUBSECTION("verify", 0, fr_tls_conf_t, verify, tls_verify_config) },
201
202 { FR_CONF_DEPRECATED("check_cert_issuer", fr_tls_conf_t, check_cert_issuer) },
203 { FR_CONF_DEPRECATED("check_cert_cn", fr_tls_conf_t, check_cert_cn) },
205};
206
207conf_parser_t fr_tls_client_config[] = {
208 { FR_CONF_OFFSET_SUBSECTION("chain", CONF_FLAG_OK_MISSING | CONF_FLAG_MULTI, fr_tls_conf_t, chains, tls_chain_config),
209 .subcs_size = sizeof(fr_tls_chain_conf_t), .subcs_type = "fr_tls_chain_conf_t" },
210
211 { FR_CONF_DEPRECATED("pem_file_type", fr_tls_conf_t, NULL) },
212 { FR_CONF_DEPRECATED("certificate_file", fr_tls_conf_t, NULL) },
213 { FR_CONF_DEPRECATED("private_key_password", fr_tls_conf_t, NULL) },
214 { FR_CONF_DEPRECATED("private_key_file", fr_tls_conf_t, NULL) },
215
216#ifdef PSK_MAX_IDENTITY_LEN
217 { FR_CONF_OFFSET("psk_identity", fr_tls_conf_t, psk_identity) },
218 { FR_CONF_OFFSET_FLAGS("psk_hexphrase", CONF_FLAG_SECRET, fr_tls_conf_t, psk_password) },
219#endif
220
221 { FR_CONF_OFFSET("keylog_file", fr_tls_conf_t, keylog_file) },
222
223 { FR_CONF_OFFSET("verify_depth", fr_tls_conf_t, verify_depth), .dflt = "0" },
224 { FR_CONF_OFFSET_FLAGS("ca_path", CONF_FLAG_FILE_READABLE, fr_tls_conf_t, ca_path) },
225
226 { FR_CONF_OFFSET_FLAGS("ca_file", CONF_FLAG_FILE_READABLE, fr_tls_conf_t, ca_file) },
227 { FR_CONF_OFFSET("dh_file", fr_tls_conf_t, dh_file) },
228 { FR_CONF_OFFSET("random_file", fr_tls_conf_t, random_file) },
229 { FR_CONF_OFFSET("fragment_size", fr_tls_conf_t, fragment_size), .dflt = "1024" },
230
231 { FR_CONF_OFFSET("cipher_list", fr_tls_conf_t, cipher_list) },
232
233#ifndef OPENSSL_NO_ECDH
234 { FR_CONF_OFFSET("ecdh_curve", fr_tls_conf_t, ecdh_curve), .dflt = "prime256v1" },
235#endif
236
237 { FR_CONF_OFFSET("tls_max_version", fr_tls_conf_t, tls_max_version) },
238
239 { FR_CONF_OFFSET("tls_min_version", fr_tls_conf_t, tls_min_version), .dflt = "1.2" },
240
241 { FR_CONF_DEPRECATED("check_cert_issuer", fr_tls_conf_t, check_cert_issuer) },
242 { FR_CONF_DEPRECATED("check_cert_cn", fr_tls_conf_t, check_cert_cn) },
244};
245
246static int tls_virtual_server_cf_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
247{
248 fr_tls_conf_t *conf = talloc_get_type_abort(parent, fr_tls_conf_t);
249 virtual_server_t const *vs = NULL;
250
251 if (virtual_server_cf_parse(ctx, &vs, parent, ci, rule) < 0) return -1;
252
253 if (!vs) return 0;
254
255 /*
256 * `out` points to conf->virtual_server
257 */
258 *((CONF_SECTION const **)out) = virtual_server_cs(vs);
259 conf->verify_certificate = cf_section_find(conf->virtual_server, "verify", "certificate") ? true : false;
260 conf->new_session = cf_section_find(conf->virtual_server, "new", "session") ? true : false;
261 conf->establish_session = cf_section_find(conf->virtual_server, "establish", "session") ? true : false;
262 return 0;
263}
264
265static int tls_conf_parse_cache_mode(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
266{
267 fr_tls_conf_t *conf = talloc_get_type_abort((uint8_t *)parent - offsetof(fr_tls_conf_t, cache), fr_tls_conf_t);
268 int cache_mode;
269
270 if (cf_table_parse_int(ctx, &cache_mode, parent, ci, rule) < 0) return -1;
271
272 /*
273 * Ensure our virtual server contains the
274 * correct sections for the specified
275 * cache mode.
276 */
277 switch (cache_mode) {
278 case FR_TLS_CACHE_DISABLED:
279 case FR_TLS_CACHE_STATELESS:
280 break;
281
282 case FR_TLS_CACHE_STATEFUL:
283 if (!conf->virtual_server) {
284 cf_log_err(ci, "A virtual_server must be set when cache.mode = \"stateful\"");
285 error:
286 return -1;
287 }
288
289 if (!cf_section_find(conf->virtual_server, "load", "session")) {
290 cf_log_err(ci, "Specified virtual_server must contain a \"load session { ... }\" section "
291 "when cache.mode = \"stateful\"");
292 goto error;
293 }
294
295 if (!cf_section_find(conf->virtual_server, "store", "session")) {
296 cf_log_err(ci, "Specified virtual_server must contain a \"store session { ... }\" section "
297 "when cache.mode = \"stateful\"");
298 goto error;
299 }
300
301 if (!cf_section_find(conf->virtual_server, "clear", "session")) {
302 cf_log_err(ci, "Specified virtual_server must contain a \"clear session { ... }\" section "
303 "when cache.mode = \"stateful\"");
304 goto error;
305 }
306
307 if (conf->tls_min_version >= (float)1.3) {
308 cf_log_err(ci, "cache.mode = \"stateful\" is not supported with tls_min_version >= 1.3");
309 goto error;
310 }
311 break;
312
313 case FR_TLS_CACHE_AUTO:
314 if (!conf->virtual_server) {
315 WARN("A virtual_server must be provided for stateful caching. "
316 "cache.mode = \"auto\" rewritten to cache.mode = \"stateless\"");
317 cache_stateless:
318 cache_mode = FR_TLS_CACHE_STATELESS;
319 break;
320 }
321
322 if (!cf_section_find(conf->virtual_server, "load", "session")) {
323 cf_log_warn(ci, "Specified virtual_server missing \"load session { ... }\" section. "
324 "cache.mode = \"auto\" rewritten to cache.mode = \"stateless\"");
325 goto cache_stateless;
326 }
327
328 if (!cf_section_find(conf->virtual_server, "store", "session")) {
329 cf_log_warn(ci, "Specified virtual_server missing \"store session { ... }\" section. "
330 "cache.mode = \"auto\" rewritten to cache.mode = \"stateless\"");
331 goto cache_stateless;
332 }
333
334 if (!cf_section_find(conf->virtual_server, "clear", "session")) {
335 cf_log_warn(ci, "Specified virtual_server missing \"clear cache { ... }\" section. "
336 "cache.mode = \"auto\" rewritten to cache.mode = \"stateless\"");
337 goto cache_stateless;
338 }
339
340 if (conf->tls_min_version >= (float)1.3) {
341 cf_log_err(ci, "stateful session-resumption is not supported with tls_min_version >= 1.3. "
342 "cache.mode = \"auto\" rewritten to cache.mode = \"stateless\"");
343 goto error;
344 }
345 break;
346 }
347
348 /*
349 * Generate random, ephemeral, session-ticket keys.
350 */
351 if (cache_mode & FR_TLS_CACHE_STATELESS) {
352 /*
353 * Fill the key with randomness if one
354 * wasn't specified by the user.
355 */
356 if (!conf->cache.session_ticket_key) {
357 MEM(conf->cache.session_ticket_key = talloc_array(conf, uint8_t, 256));
358 fr_rand_buffer(UNCONST(uint8_t *, conf->cache.session_ticket_key),
359 talloc_array_length(conf->cache.session_ticket_key));
360 }
361 }
362
363 *((int *)out) = cache_mode;
364
365 return 0;
366}
367
368#ifdef __APPLE__
369/*
370 * We don't want to put the private key password in eap.conf, so check
371 * for our special string which indicates we should get the password
372 * programmatically.
373 */
374static char const *special_string = "Apple:UsecertAdmin";
375
376/** Use cert_admin to retrieve the password for the private key
377 *
378 */
379static int conf_cert_admin_password(fr_tls_conf_t *conf)
380{
381 size_t i, cnt;
382
383 if (!conf->chains) return 0;
384
385 cnt = talloc_array_length(conf->chains);
386 for (i = 0; i < cnt; i++) {
387 char cmd[256];
388 char *password;
389 long const max_password_len = 128;
390 FILE *cmd_pipe;
391
392 if (!conf->chains[i]->password) continue;
393
394 if (strncmp(conf->chains[i]->password, special_string, strlen(special_string)) != 0) continue;
395
396 snprintf(cmd, sizeof(cmd) - 1, "/usr/sbin/certadmin --get-private-key-passphrase \"%s\"",
397 conf->chains[i]->private_key_file);
398
399 DEBUG2("Getting private key passphrase using command \"%s\"", cmd);
400
401 cmd_pipe = popen(cmd, "r");
402 if (!cmd_pipe) {
403 ERROR("%s command failed: Unable to get private_key_password", cmd);
404 ERROR("Error reading private_key_file %s", conf->chains[i]->private_key_file);
405 return -1;
406 }
407
408 password = talloc_array(conf, char, max_password_len);
409 if (!password) {
410 ERROR("Can't allocate space for private_key_password");
411 ERROR("Error reading private_key_file %s", conf->chains[i]->private_key_file);
412 pclose(cmd_pipe);
413 return -1;
414 }
415
416 fgets(password, max_password_len, cmd_pipe);
417 pclose(cmd_pipe);
418
419 /* Get rid of newline at end of password. */
420 password[strlen(password) - 1] = '\0';
421
422 DEBUG3("Password from command = \"%s\"", password);
423 talloc_const_free(conf->chains[i]->password);
424 conf->chains[i]->password = password;
425 }
426
427 return 0;
428}
429#endif
430
431#ifdef HAVE_OPENSSL_OCSP_H
432/*
433 * Create Global X509 revocation store and use it to verify
434 * OCSP responses
435 *
436 * - Load the trusted CAs
437 * - Load the trusted issuer certificates
438 */
439static X509_STORE *conf_ocsp_revocation_store(fr_tls_conf_t *conf)
440{
441 X509_STORE *store = NULL;
442
443 store = X509_STORE_new();
444
445 /* Load the CAs we trust */
446 if (conf->ca_file || conf->ca_path)
447 if (!X509_STORE_load_locations(store, conf->ca_file, conf->ca_path)) {
448 fr_tls_log(NULL, "Error reading Trusted root CA list \"%s\"", conf->ca_file);
449 X509_STORE_free(store);
450 return NULL;
451 }
452
453#ifdef X509_V_FLAG_CRL_CHECK_ALL
454 if (conf->verify.check_crl) X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
455#endif
456
457 return store;
458}
459#endif
460
461/*
462 * Free TLS client/server config
463 * Should not be called outside this code, as a callback is
464 * added to automatically free the data when the CONF_SECTION
465 * is freed.
466 */
467static int _conf_server_free(fr_tls_conf_t *conf)
468{
469 memset(conf, 0, sizeof(*conf));
470 return 0;
471}
472
473fr_tls_conf_t *fr_tls_conf_alloc(TALLOC_CTX *ctx)
474{
475 fr_tls_conf_t *conf;
476
477 MEM(conf = talloc_zero(ctx, fr_tls_conf_t));
478 talloc_set_destructor(conf, _conf_server_free);
479
480 return conf;
481}
482
483fr_tls_conf_t *fr_tls_conf_parse_server(CONF_SECTION *cs)
484{
485 fr_tls_conf_t *conf;
486
487 /*
488 * If cs has already been parsed there should be a cached copy
489 * of conf already stored, so just return that.
490 */
491 conf = cf_data_value(cf_data_find(cs, fr_tls_conf_t, NULL));
492 if (conf) {
493 DEBUG("Using cached TLS configuration from previous invocation");
494 return conf;
495 }
496
497 if (cf_section_rules_push(cs, fr_tls_server_config) < 0) return NULL;
498
499 conf = fr_tls_conf_alloc(cs);
500
501 if ((cf_section_parse(conf, conf, cs) < 0) ||
502 (cf_section_parse_pass2(conf, cs) < 0)) {
503#ifdef __APPLE__
504 error:
505#endif
507 return NULL;
508 }
509
510 /*
511 * Save people from their own stupidity.
512 */
513 if (conf->fragment_size < 100) conf->fragment_size = 100;
514
515 FR_INTEGER_BOUND_CHECK("padding", conf->padding_block_size, <=, SSL3_RT_MAX_PLAIN_LENGTH);
516
517#ifdef __APPLE__
518 if (conf_cert_admin_password(conf) < 0) goto error;
519#endif
520
521 /*
522 * Cache conf in cs in case we're asked to parse this again.
523 */
524 cf_data_add(cs, conf, NULL, false);
525
526 return conf;
527}
528
529fr_tls_conf_t *fr_tls_conf_parse_client(CONF_SECTION *cs)
530{
531 fr_tls_conf_t *conf;
532
533 conf = cf_data_value(cf_data_find(cs, fr_tls_conf_t, NULL));
534 if (conf) {
535 DEBUG2("Using cached TLS configuration from previous invocation");
536 return conf;
537 }
538
539 if (cf_section_rules_push(cs, fr_tls_client_config) < 0) return NULL;
540
541 conf = fr_tls_conf_alloc(cs);
542
543 if ((cf_section_parse(conf, conf, cs) < 0) ||
544 (cf_section_parse_pass2(conf, cs) < 0)) {
545#ifdef __APPLE__
546 error:
547#endif
549 return NULL;
550 }
551
552 /*
553 * Save people from their own stupidity.
554 */
555 if (conf->fragment_size < 100) conf->fragment_size = 100;
556
557 /*
558 * Initialize TLS
559 */
560#ifdef __APPLE__
561 if (conf_cert_admin_password(conf) < 0) goto error;
562#endif
563
564 cf_data_add(cs, conf, NULL, false);
565
566 return conf;
567}
568#endif /* WITH_TLS */
#define store(_store, _var)
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
Definition build.h:167
#define USES_APPLE_DEPRECATED_API
Definition build.h:472
#define RCSID(id)
Definition build.h:485
#define L(_str)
Helper for initialising arrays of string literals.
Definition build.h:209
#define NUM_ELEMENTS(_t)
Definition build.h:339
int cf_section_parse(TALLOC_CTX *ctx, void *base, CONF_SECTION *cs)
Parse a configuration section into user-supplied variables.
Definition cf_parse.c:1195
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
Definition cf_parse.c:1633
int cf_section_parse_pass2(void *base, CONF_SECTION *cs)
Fixup xlat expansions and attributes.
Definition cf_parse.c:1315
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:662
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:616
#define FR_CONF_DEPRECATED(_name, _struct, _field)
conf_parser_t entry which raises an error if a matching CONF_PAIR is found
Definition cf_parse.h:414
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:522
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:284
#define cf_section_rules_push(_cs, _rule)
Definition cf_parse.h:694
#define FR_CONF_OFFSET_HINT_TYPE(_name, _type, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:257
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:272
#define FR_CONF_OFFSET_SUBSECTION(_name, _flags, _struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:313
@ CONF_FLAG_REQUIRED
Error out if no matching CONF_PAIR is found, and no dflt value is set.
Definition cf_parse.h:434
@ CONF_FLAG_MULTI
CONF_PAIR can have multiple copies.
Definition cf_parse.h:451
@ CONF_FLAG_SECRET
Only print value if debug level >= 3.
Definition cf_parse.h:438
@ CONF_FLAG_FILE_READABLE
File matching value must exist, and must be readable.
Definition cf_parse.h:440
@ CONF_FLAG_OK_MISSING
OK if it's missing.
Definition cf_parse.h:459
@ CONF_FLAG_FILE_EXISTS
File matching value must exist.
Definition cf_parse.h:446
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:241
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:599
Common header for all CONF_* types.
Definition cf_priv.h:49
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
void * cf_data_value(CONF_DATA const *cd)
Return the user assigned value of CONF_DATA.
Definition cf_util.c:1750
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1027
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:286
#define cf_data_add(_cf, _data, _name, _free)
Definition cf_util.h:252
#define cf_data_find(_cf, _type, _name)
Definition cf_util.h:241
#define cf_log_warn(_cf, _fmt,...)
Definition cf_util.h:287
#define CF_IDENT_ANY
Definition cf_util.h:78
#define MEM(x)
Definition debug.h:36
#define ERROR(fmt,...)
Definition dhcpclient.c:41
#define DEBUG(fmt,...)
Definition dhcpclient.c:39
#define DEBUG3(_fmt,...)
Definition log.h:266
talloc_free(reap)
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_VOID
User data.
unsigned char uint8_t
static int _conf_server_free(fr_tls_conf_t *conf)
Definition conf.c:75
#define DEBUG2(fmt,...)
Definition radclient.h:43
#define WARN(fmt,...)
Definition radclient.h:47
static rs_t * conf
Definition radsniff.c:53
void fr_rand_buffer(void *start, size_t length)
Definition rand.c:125
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition snprintf.c:689
An element in a lexicographically sorted array of name to num mappings.
Definition table.h:49
static int talloc_const_free(void const *ptr)
Free const'd memory.
Definition talloc.h:229
@ T_DOUBLE_QUOTED_STRING
Definition token.h:121
static fr_slen_t parent
Definition pair.h:841
static size_t char ** out
Definition value.h:1023
int virtual_server_cf_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
Wrapper for the config parser to allow pass1 resolution of virtual servers.
CONF_SECTION * virtual_server_cs(virtual_server_t const *vs)
Return the configuration section for a virtual server.