The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
Data Structures | Enumerations | Functions | Variables
rlm_crl.c File Reference

Check a certificate's serial number against a CRL. More...

#include <freeradius-devel/server/base.h>
#include <freeradius-devel/server/module_rlm.h>
#include <freeradius-devel/tls/strerror.h>
#include <freeradius-devel/tls/utils.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>
#include <openssl/asn1.h>
#include <openssl/bn.h>
+ Include dependency graph for rlm_crl.c:

Go to the source code of this file.

Data Structures

struct  crl_entry_t
 A single CRL in the global list of CRLs. More...
 
struct  crl_pending_t
 Structure to record a request which is waiting for CRL fetching to complete. More...
 
struct  rlm_crl_env_t
 
struct  rlm_crl_mutable_t
 Global tree of CRLs. More...
 
struct  rlm_crl_rctx_t
 
struct  rlm_crl_t
 
struct  rlm_crl_thread_t
 Thread specific structure to hold requests awaiting CRL fetching. More...
 

Enumerations

enum  crl_check_status_t {
  CRL_CHECK_BASE = 0 ,
  CRL_CHECK_FETCH_DELTA ,
  CRL_CHECK_DELTA
}
 A status used to track which CRL is being checked. More...
 
enum  crl_ret_t {
  CRL_ERROR = -1 ,
  CRL_ENTRY_NOT_FOUND = 0 ,
  CRL_ENTRY_FOUND = 1 ,
  CRL_ENTRY_REMOVED = 2 ,
  CRL_NOT_FOUND = 3 ,
  CRL_MISSING_DELTA = 4
}
 

Functions

static int mod_instantiate (module_inst_ctx_t const *mctx)
 Instantiate the module.
 

Variables

static fr_dict_attr_t const * attr_crl_cdp_url
 
static fr_dict_attr_t const * attr_crl_data
 
static fr_dict_t const * dict_freeradius
 
static conf_parser_t module_config []
 
module_rlm_t rlm_crl
 
fr_dict_autoload_t rlm_crl_dict []
 
fr_dict_attr_autoload_t rlm_crl_dict_attr []
 

Detailed Description

Check a certificate's serial number against a CRL.

Id
eda5843eeb0802451d2a638e203ce466574780b8
Author
Arran Cudbard-Bell (a.cud.nosp@m.bard.nosp@m.b@fre.nosp@m.erad.nosp@m.ius.o.nosp@m.rg)
Copyright
2025 Network RADIUS SAS (legal.nosp@m.@net.nosp@m.workr.nosp@m.adiu.nosp@m.s.com)

Definition in file rlm_crl.c.

Data Structure Documentation

◆ crl_entry_t

struct crl_entry_t

A single CRL in the global list of CRLs.

Definition at line 72 of file rlm_crl.c.

+ Collaboration diagram for crl_entry_t:
Data Fields
char const * cdp_url The URL of the CRL.
X509_CRL * crl The CRL.
ASN1_INTEGER * crl_num The CRL number.
fr_value_box_list_t delta_urls URLs from which a delta CRL can be retrieved.
fr_timer_t * ev When to expire the CRL.
rlm_crl_t const * inst The instance of the CRL module.
fr_rb_node_t node The node in the tree.
rlm_crl_thread_t * thread The thread which fetched this entry.

◆ crl_pending_t

struct crl_pending_t

Structure to record a request which is waiting for CRL fetching to complete.

Definition at line 84 of file rlm_crl.c.

+ Collaboration diagram for crl_pending_t:
Data Fields
fr_rb_node_t node
request_t * request

◆ rlm_crl_env_t

struct rlm_crl_env_t

Definition at line 132 of file rlm_crl.c.

+ Collaboration diagram for rlm_crl_env_t:
Data Fields
fr_value_box_list_head_t * cdp The CRL distribution points.
tmpl_t * ftp_exp The xlat expansion used to retrieve the CRL via ftp://.
tmpl_t * http_exp The xlat expansion used to retrieve the CRL via http://.
tmpl_t * ldap_exp The xlat expansion used to retrieve the CRL via ldap://.
fr_value_box_t serial The serial to check.

◆ rlm_crl_mutable_t

struct rlm_crl_mutable_t

Global tree of CRLs.

Separate from the instance data because that's protected.

Definition at line 47 of file rlm_crl.c.

+ Collaboration diagram for rlm_crl_mutable_t:
Data Fields
fr_rb_tree_t * crls A tree of CRLs organised by CDP URL.
rlm_crl_thread_t * fetching Pointer to thread instance data of thread which is fetching a CRL.
pthread_mutex_t mutex
fr_timer_list_t * timer_list The timer list to use for CRL expiry.

This gets serviced by the main loop.

◆ rlm_crl_rctx_t

struct rlm_crl_rctx_t

Definition at line 96 of file rlm_crl.c.

+ Collaboration diagram for rlm_crl_rctx_t:
Data Fields
crl_entry_t * base_crl The base CRL relating to the delta currently being fetched.
fr_value_box_t * cdp_url The URL we're currently attempting to load.
fr_value_box_list_t crl_data Data from CRL expansion.
fr_value_box_list_t missing_crls CRLs missing from the tree.
crl_check_status_t status Status of the current CRL check.

◆ rlm_crl_t

struct rlm_crl_t

Definition at line 56 of file rlm_crl.c.

+ Collaboration diagram for rlm_crl_t:
Data Fields
char const * ca_file File containing certs for verifying CRL signatures.
char const * ca_path Directory containing certs for verifying CRL signatures.
CONF_SECTION * cs Module instance config.
fr_time_delta_t early_refresh Time interval before nextUpdate to refresh.
fr_time_delta_t force_delta_expiry Force expiry of delta CRLs after this time.
bool force_delta_expiry_is_set
fr_time_delta_t force_expiry Force expiry of CRLs after this time.
bool force_expiry_is_set
rlm_crl_mutable_t * mutable Mutable data that's shared between all threads.
bool trigger_rate_limit Rate limit triggers.
X509_STORE * verify_store Store of certificates to verify CRL signatures.
CONF_SECTION * virtual_server Virtual server to use when retrieving CRLs.

◆ rlm_crl_thread_t

struct rlm_crl_thread_t

Thread specific structure to hold requests awaiting CRL fetching.

Definition at line 39 of file rlm_crl.c.

+ Collaboration diagram for rlm_crl_thread_t:
Data Fields
fr_rb_tree_t pending Requests yielded while the CRL is being fetched.

Enumeration Type Documentation

◆ crl_check_status_t

enum crl_check_status_t

A status used to track which CRL is being checked.

Enumerator
CRL_CHECK_BASE 

The base CRL is being checked.

CRL_CHECK_FETCH_DELTA 

The delta CRL is being fetched.

CRL_CHECK_DELTA 

The delta CRL exists and is being checked.

Definition at line 90 of file rlm_crl.c.

◆ crl_ret_t

enum crl_ret_t
Enumerator
CRL_ERROR 

Unspecified error ocurred.

CRL_ENTRY_NOT_FOUND 

Serial not found in this CRL.

CRL_ENTRY_FOUND 

Serial was found in this CRL.

CRL_ENTRY_REMOVED 

Serial was "un-revoked" in this delta CRL.

CRL_NOT_FOUND 

No CRL found, need to load it from the CDP URL.

CRL_MISSING_DELTA 

Need to load a delta CRL to supplement this CRL.

Definition at line 140 of file rlm_crl.c.

Function Documentation

◆ mod_instantiate()

static int mod_instantiate ( module_inst_ctx_t const *  mctx)
static

Instantiate the module.

Definition at line 837 of file rlm_crl.c.

+ Here is the call graph for this function:

Variable Documentation

◆ attr_crl_cdp_url

fr_dict_attr_t const* attr_crl_cdp_url
static

Definition at line 123 of file rlm_crl.c.

◆ attr_crl_data

fr_dict_attr_t const* attr_crl_data
static

Definition at line 122 of file rlm_crl.c.

◆ dict_freeradius

fr_dict_t const* dict_freeradius
static

Definition at line 114 of file rlm_crl.c.

◆ module_config

conf_parser_t module_config[]
static
Initial value:
= {
{ FR_CONF_OFFSET_IS_SET("force_expiry", FR_TYPE_TIME_DELTA, 0, rlm_crl_t, force_expiry) },
{ FR_CONF_OFFSET_IS_SET("force_delta_expiry", FR_TYPE_TIME_DELTA, 0, rlm_crl_t, force_delta_expiry) },
{ FR_CONF_OFFSET("early_refresh", rlm_crl_t, early_refresh) },
{ FR_CONF_OFFSET("ca_file", rlm_crl_t, ca_file) },
{ FR_CONF_OFFSET("ca_path", rlm_crl_t, ca_path) },
{ FR_CONF_OFFSET("trigger_rate_limit", rlm_crl_t, trigger_rate_limit), .dflt = "yes" },
CONF_PARSER_TERMINATOR
}
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:657
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:280
FR_CONF_OFFSET_IS_SET
#define FR_CONF_OFFSET_IS_SET(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct,...
Definition cf_parse.h:294
FR_TYPE_TIME_DELTA
@ FR_TYPE_TIME_DELTA
A period of time measured in nanoseconds.
Definition merged_model.c:113
rlm_crl_t
Definition rlm_crl.c:56

Definition at line 104 of file rlm_crl.c.

◆ rlm_crl

module_rlm_t rlm_crl
Initial value:
= {
.common = {
.magic = MODULE_MAGIC_INIT,
.inst_size = sizeof(rlm_crl_t),
.instantiate = mod_instantiate,
.name = "crl",
.config = module_config,
MODULE_THREAD_INST(rlm_crl_thread_t),
},
}
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
config
static const conf_parser_t config[]
Definition base.c:163
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Instantiate the module.
Definition rlm_crl.c:837
module_config
static conf_parser_t module_config[]
Definition rlm_crl.c:104
rlm_crl_thread_t
Thread specific structure to hold requests awaiting CRL fetching.
Definition rlm_crl.c:39
name
static char const * name
Definition rlm_redis_ippool_tool.c:156
MODULE_THREAD_INST
#define MODULE_THREAD_INST(_ctype)
Definition module.h:258

Definition at line 873 of file rlm_crl.c.

◆ rlm_crl_dict

fr_dict_autoload_t rlm_crl_dict
Initial value:
= {
{ .out = &dict_freeradius, .proto = "freeradius" },
DICT_AUTOLOAD_TERMINATOR
}
DICT_AUTOLOAD_TERMINATOR
#define DICT_AUTOLOAD_TERMINATOR
Definition dict.h:311
dict_freeradius
static fr_dict_t const * dict_freeradius
Definition rlm_crl.c:114

Definition at line 117 of file rlm_crl.c.

◆ rlm_crl_dict_attr

fr_dict_attr_autoload_t rlm_crl_dict_attr
Initial value:
= {
{ .out = &attr_crl_data, .name = "CRL.Data", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
{ .out = &attr_crl_cdp_url, .name = "CRL.CDP-URL", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
DICT_AUTOLOAD_TERMINATOR
}
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition merged_model.c:84
attr_crl_cdp_url
static fr_dict_attr_t const * attr_crl_cdp_url
Definition rlm_crl.c:123
attr_crl_data
static fr_dict_attr_t const * attr_crl_data
Definition rlm_crl.c:122

Definition at line 126 of file rlm_crl.c.

Generated by   doxygen 1.9.8