27RCSID(
"$Id: 756481694ebbac27c9f757c3fa5468974ba777da $")
30#include <freeradius-devel/util/md5.h>
31#include <freeradius-devel/tls/utils.h>
32#include <openssl/rand.h>
33#include <openssl/ssl.h>
94 { .out = &
dict_eap_fast, .base_dir =
"eap/fast", .proto =
"eap-fast" },
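/** Fill a fixed-size byte array with fr_rand() output, one uint32_t word at a time.
 *
 *  @param x  an array object (not a pointer) whose sizeof() is a multiple of
 *            sizeof(uint32_t); the fr_assert enforces the multiple, and sizeof
 *            must be the real array size for the fill to cover it.
 *
 *  Each word is written with memcpy instead of through a (uint32_t *) cast so the
 *  macro is valid for a byte array at any alignment and does not rely on
 *  type-punning a uint8_t buffer (strict-aliasing / misaligned-store UB).
 *  The unpredictability of the filled bytes is exactly that of fr_rand();
 *  where the buffer is a nonce or challenge, that generator's properties are
 *  what matters, not this macro.
 */
#define RANDFILL(x) do { \
	fr_assert(sizeof(x) % sizeof(uint32_t) == 0); \
	for (size_t rf_i = 0; rf_i < sizeof(x); rf_i += sizeof(uint32_t)) { \
		uint32_t rf_word = fr_rand(); \
		memcpy(&(x)[rf_i], &rf_word, sizeof(rf_word)); \
	} \
} while (0)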
199 RDEBUG2(
"Deriving EAP-FAST keys");
206 scratch = talloc_array(request,
uint8_t, ksize +
sizeof(*t->
keyblock));
212 memset(buf, 0, ksize +
sizeof(*t->
keyblock));
263 hdr[1] = htons(length);
265 tls_session->record_from_buff(&tls_session->clean_in, &hdr, 4);
266 tls_session->record_from_buff(&tls_session->clean_in,
data, length);
272 value = htonl(error);
294 RDEBUG2(
"Sending EAP-Identity");
312 memset(&pac, 0,
sizeof(pac));
313 memset(&opaque_plaintext, 0,
sizeof(opaque_plaintext));
/** Smaller of two values.
 *
 *  Function-like macro: each argument may be evaluated twice, so do not pass
 *  expressions with side effects.  The comparison is strict, so on a tie the
 *  first argument is the result.
 */
#define MIN(a,b) (((b) < (a)) ? (b) : (a))
347 memcpy(&opaque_plaintext.
type, &pac.
info.
type,
sizeof(opaque_plaintext.
type));
349 memcpy(&opaque_plaintext.
key, &pac.
key,
sizeof(opaque_plaintext.
key));
351 RHEXDUMP3((
uint8_t const *)&opaque_plaintext,
sizeof(opaque_plaintext),
"PAC-Opaque plaintext data section");
356 dlen =
eap_fast_encrypt((
unsigned const char *)&opaque_plaintext,
sizeof(opaque_plaintext),
371 int const len =
sizeof(binding) - (&binding.
reserved - (
uint8_t *)&binding);
373 RDEBUG2(
"Sending Cryptobinding");
376 binding.
length = htons(len);
383 binding.
nonce[
sizeof(binding.
nonce) - 1] &= ~0x01;
386 RHEXDUMP3((
uint8_t const *) &binding,
sizeof(binding),
"Crypto-Binding TLV for Compound MAC calculation");
/* Upper bound on the EAP-FAST TLV type numbers that the TLV verifier tracks in
 * its "present" bitmask (present |= 1 << attr); presumably also the bound of the
 * per-type loop that reports which attributes were seen — confirm against the
 * verifier's loop, which is not fully visible here. */
#define EAP_FAST_TLV_MAX 11
400 unsigned int remaining = data_len;
408 while (remaining > 0) {
410 RDEBUG2(
"EAP-FAST TLV is too small (%u) to contain a EAP-FAST TLV header", remaining);
414 memcpy(&attr,
data,
sizeof(attr));
426 present |= 1 << attr;
429 REDEBUG(
"Too many EAP-Payload TLVs");
432 if (present & (1 << i))
RDEBUG2(
" - attribute %d is present", i);
439 REDEBUG(
"Too many Intermediate-Result TLVs");
443 if ((
data[0] & 0x80) != 0) {
444 REDEBUG(
"Unknown mandatory TLV %02x", attr);
453 memcpy(&length,
data + 2,
sizeof(length));
454 length = ntohs(length);
459 if (length > remaining) {
460 RDEBUG2(
"EAP-FAST TLV %u is longer than room remaining in the packet (%u > %u).", attr,
472 if (remaining < length) {
473 RDEBUG2(
"EAP-FAST TLV overflows packet!");
486 REDEBUG(
"EAP-FAST TLV %u is too short. Expected 2, got %d", attr, length);
490 memcpy(&status,
data, 2);
491 status = ntohs(status);
494 REDEBUG(
"EAP-FAST TLV %u indicates failure. Rejecting request", attr);
499 REDEBUG(
"EAP-FAST TLV %u contains unknown value. Rejecting request", attr);
515 REDEBUG(
"NAK TLV sent with non-NAK TLVs. Rejecting request");
520 REDEBUG(
"NAK TLV sent with non-NAK TLVs. Rejecting request");
530 REDEBUG(
"Unexpected TLVs in TLS Session Handshake stage");
536 REDEBUG(
"Unexpected TLVs in authentication stage");
546 REDEBUG(
"Unexpected TLVs in cryptobind checking stage");
553 REDEBUG(
"Unexpected TLVs in provisioning stage");
559 REDEBUG(
"Unexpected TLVs in complete stage");
628 fr_tls_session_t *tls_session,
645 switch (reply->
code) {
647 RDEBUG2(
"Got tunneled Access-Accept");
659 switch (
vp->
da->attr) {
663 REDEBUG(
"Found %s with incorrect length. Expected %u, got %zu",
678 RDEBUG2(
"Got %s, tunneling it to the client in a challenge",
vp->
da->name);
691 REDEBUG(
"Got tunneled Access-Reject");
696 RDEBUG2(
"Got tunneled Access-Challenge");
712 REDEBUG(
"Unknown RADIUS packet type %d: rejecting tunneled user", reply->
code);
721 fr_tls_session_t *tls_session,
fr_pair_t *tlv_eap_payload)
730 RDEBUG2(
"Processing received EAP Payload");
748 RDEBUG2(
"Got tunneled request");
782 RWDEBUG2(
"No EAP-Identity found to start EAP conversation");
823 switch (
fake->reply->code) {
831 RDEBUG2(
"Tunneled authentication will be proxied to %pV", &
vp->data);
847 request->proxy = request_alloc_internal(request, &(
request_init_args_t){ .parent = request });
849 request->proxy->packet = talloc_steal(request->proxy,
fake->packet);
850 memset(&request->proxy->packet->src_ipaddr, 0,
851 sizeof(request->proxy->packet->src_ipaddr));
852 memset(&request->proxy->packet->src_ipaddr, 0,
853 sizeof(request->proxy->packet->src_ipaddr));
854 request->proxy->packet->src_port = 0;
855 request->proxy->packet->dst_port = 0;
870 tunnel,
false,
false,
false);
880 fake,
true,
false,
false);
893 REDEBUG(
"No tunneled reply was found, and the request was not proxied: rejecting the user");
937 RHEXDUMP3((
uint8_t const *) binding,
sizeof(*binding),
"Crypto-Binding TLV for Compound MAC calculation");
938 RHEXDUMP3(cmac,
sizeof(cmac),
"Received Compound MAC");
941 if (memcmp(binding->
compound_mac, cmac,
sizeof(cmac))) {
942 RDEBUG2(
"Crypto-Binding TLV mismatch");
944 sizeof(binding->
compound_mac),
"Calculated Compound MAC");
958 memset(&my_binding, 0,
sizeof(my_binding));
977 binding = &my_binding;
982 switch (
vp->
da->attr) {
996 if (
vp->vp_length >=
sizeof(binding->
nonce)) {
997 memcpy(binding->
nonce,
vp->vp_octets,
vp->vp_length);
1012 t->
pac.expired =
false;
1017 RDEBUG2(
"only able to serve Tunnel PAC's, ignoring request");
1023 RDEBUG2(
"ignoring unknown EAP-FAST-PAC-TLV %pP",
vp);
1027 RDEBUG2(
"ignoring non-EAP-FAST TLV %pP",
vp);
1062 data_len = tls_session->clean_out.used;
1063 tls_session->clean_out.used = 0;
1064 data = tls_session->clean_out.data;
1078 if (strstr(SSL_CIPHER_description(SSL_get_current_cipher(tls_session->ssl),
1079 buf,
sizeof(buf)),
"Au=None")) {
1081 RDEBUG2(
"Using anonymous provisioning");
1087 if (SSL_session_reused(tls_session->ssl)) {
1088 RDEBUG2(
"Session Resumed from PAC");
1091 RDEBUG2(
"Using authenticated provisioning");
1119 RDEBUG2(
"Got Tunneled FAST TLVs");
1150 RDEBUG2(
"Peer requires new PAC");
1163 if (t->
pac.type && t->
pac.expired) {
1164 REDEBUG(
"Rejecting expired PAC.");
1170 REDEBUG(
"Rejecting unauthenticated provisioning");
/* Length in bytes of each MS-MPPE key material value; presumably the two
 * 32-byte halves of the 64-byte MSK described in RFC 5216 section 2.3 —
 * confirm at the use site, which is outside this view. */
#define EAPTLS_MPPE_KEY_LEN 32
1188 RERROR(
"Internal sanity check failed in EAP-FAST at %d", t->
stage);
1219 uint8_t seed[2 * SSL3_RANDOM_SIZE];
1223 SSL_get_server_random(s, seed, SSL3_RANDOM_SIZE);
1224 SSL_get_client_random(s, &seed[SSL3_RANDOM_SIZE], SSL3_RANDOM_SIZE);
1227 seed,
sizeof(seed),
secret, SSL_MAX_MASTER_KEY_LENGTH);
1228 *secret_len = SSL_MAX_MASTER_KEY_LENGTH;
1232 UNUSED STACK_OF(SSL_CIPHER) *peer_ciphers,
1233 UNUSED SSL_CIPHER
const **cipher,
void *arg)
1237 request_t *request = fr_tls_session_request(s);
1238 fr_tls_session_t *tls_session = arg;
1241 if (!tls_session)
return 0;
1245 if (!t->
pac.key)
return 0;
1247 RDEBUG2(
"processing PAC-Opaque");
1267 fr_tls_session_t *tls_session = talloc_get_type_abort(arg, fr_tls_session_t);
1268 request_t *request = fr_tls_session_request(s);
1278 if (!tls_session)
return 0;
1283 RDEBUG2(
"PAC provided via ClientHello SessionTicket extension");
1287 errmsg =
"PAC is not of type Opaque";
1289 RERROR(
"%s, sending alert to client", errmsg);
1290 if (fr_tls_session_alert(request, tls_session, SSL3_AL_FATAL, SSL_AD_BAD_CERTIFICATE)) {
1291 RERROR(
"too many alerts");
1296 memset(&t->
pac, 0,
sizeof(t->
pac));
1307 if (len -
sizeof(opaque->
hdr) < length) {
1308 errmsg =
"PAC has bad length in header";
1312 if (length <
PAC_A_ID_LENGTH + EVP_MAX_IV_LENGTH + EVP_GCM_TLS_TAG_LEN + 1) {
1313 errmsg =
"PAC file too short";
1318 errmsg =
"PAC has incorrect A_ID";
1322 dlen = length -
sizeof(opaque->
aad) -
sizeof(opaque->
iv) -
sizeof(opaque->
tag);
1325 (
uint8_t *)&opaque_plaintext);
1327 errmsg =
"PAC failed to decrypt";
1331 RHEXDUMP3((
uint8_t const *)&opaque_plaintext, plen,
"PAC-Opaque plaintext data section");
1343 t->
pac.type =
vp->vp_uint16;
1346 t->
pac.expires =
fr_time_add(request->packet->timestamp,
vp->vp_time_delta);
1347 t->
pac.expired =
false;
1360 errmsg =
"unknown TLV";
1368 errmsg =
"PAC missing type TLV";
1373 errmsg =
"PAC is of not of tunnel type";
1378 errmsg =
"PAC missing lifetime TLV";
1383 errmsg =
"PAC missing key TLV";
1387 if (!SSL_set_session_secret_cb(tls_session->ssl,
_session_secret, tls_session)) {
1388 RERROR(
"Failed setting SSL session secret callback");
1399 fr_tls_session_t *tls_session = eap_tls_session->
tls_session;
1407 switch (eap_tls_session->
state) {
1416 fr_tls_session_send(request, tls_session);
1446 RDEBUG2(
"Session established. Proceeding to decode tunneled attributes");
1460 fr_tls_session_send(request, tls_session);
1492 return fr_tls_cache_pending_push(request, tls_session);
1542 fr_tls_session_t *tls_session;
1547 eap_session->
tls =
true;
1555 client_cert =
vp->vp_uint32 ? true :
false;
1557 client_cert =
inst->req_client_cert;
1565 if (
inst->cipher_list) {
1566 RDEBUG2(
"Over-riding main cipher list with '%s'",
inst->cipher_list);
1568 if (!SSL_set_cipher_list(tls_session->ssl,
inst->cipher_list)) {
1569 REDEBUG(
"Failed over-riding cipher list to '%s'. EAP-FAST will likely not work",
1574#ifdef SSL_OP_NO_TLSv1_2
1578 SSL_set_options(tls_session->ssl, SSL_OP_NO_TLSv1_2);
1596 &tls_session->clean_in, tls_session->clean_in.used,
1597 tls_session->clean_in.used) < 0) {
1602 tls_session->record_init(&tls_session->clean_in);
1606 if (!SSL_set_session_ticket_ext_cb(tls_session->ssl,
_session_ticket, tls_session)) {
1607 RERROR(
"Failed setting SSL session ticket callback");
1619 t->
ssl_ctx = fr_tls_ctx_alloc(
inst->tls_conf,
false);
1644 if (!
inst->default_provisioning_method) {
1646 inst->default_provisioning_method_name);
1656 if (!
inst->tls_conf) {
1661 if (talloc_array_length(
inst->pac_opaque_key) - 1 != 32) {
1670 if (
inst->tls_conf->tls_min_version > (
float) 1.1) {
1683 talloc_array_length(
inst->authority_identity) - 1);
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
#define USES_APPLE_DEPRECATED_API
#define FALL_THROUGH
clang 10 doesn't recognise the FALL-THROUGH comment anymore
#define CONF_PARSER_TERMINATOR
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
@ CONF_FLAG_REQUIRED
Error out if no matching CONF_PAIR is found, and no dflt value is set.
@ CONF_FLAG_NOT_EMPTY
CONF_PAIR is required to have a non zero length value.
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Defines a CONF_PAIR to C data type mapping.
A section grouping multiple CONF_PAIR.
#define cf_log_err_by_child(_parent, _child, _fmt,...)
Log an error message against a specified child.
eap_packet_t * response
Packet we received from the peer.
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
static void * fr_dcursor_next(fr_dcursor_t *cursor)
Advance the cursor to the next item.
#define fr_cond_assert(_x)
Calls panic_action ifndef NDEBUG, else logs error and evaluates to value of _x.
#define FR_MSCHAP_MPPE_RECV_KEY
fr_radius_packet_code_t
RADIUS packet codes.
@ FR_RADIUS_CODE_ACCESS_CHALLENGE
RFC2865 - Access-Challenge.
@ FR_RADIUS_CODE_STATUS_CLIENT
RFC2865/RFC5997 - Status Server (response)
@ FR_RADIUS_CODE_ACCESS_ACCEPT
RFC2865 - Access-Accept.
@ FR_RADIUS_CODE_ACCESS_REJECT
RFC2865 - Access-Reject.
#define VENDORPEC_MICROSOFT
#define FR_MSCHAP_MPPE_SEND_KEY
#define FR_MSCHAP2_SUCCESS
fr_dict_attr_t const * fr_dict_root(fr_dict_t const *dict)
Return the root attribute of a dictionary.
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
fr_dict_attr_t const * fr_dict_attr_child_by_num(fr_dict_attr_t const *parent, unsigned int attr)
Check if a child attribute exists in a parent using an attribute number.
Specifies an attribute which must be present for the module to function.
Specifies a dictionary which must be loaded/loadable for the module to function.
static uint32_t fr_dict_vendor_num_by_da(fr_dict_attr_t const *da)
Return the vendor number for an attribute.
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
#define REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK
#define REQUEST_DATA_EAP_TUNNEL_CALLBACK
eap_type_t eap_name2type(char const *name)
Return an EAP-Type for a particular name.
Structure to represent packet format of eap on wire
Function declarations and packet structures.
#define EAP_FAST_TLV_MANDATORY
unsigned char aad[PAC_A_ID_LENGTH]
eap_fast_pac_attr_lifetime_t lifetime
eap_fast_pac_attr_hdr_t hdr
uint8_t client_challenge[MD5_DIGEST_LENGTH]
eap_fast_pac_attr_lifetime_t lifetime
eap_fast_pac_attr_pac_key_t key
eap_fast_keyblock_t * keyblock
eap_fast_pac_attr_hdr_t hdr
fr_time_delta_t pac_lifetime
@ EAP_FAST_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST
#define EAP_FAST_SIMCK_LEN
eap_fast_pac_attr_a_id_info_t a_id_info
struct eap_fast_tunnel_t::@171 isk
#define EAP_FAST_TLV_TYPE
uint8_t data[PAC_A_ID_INFO_LENGTH]
int default_provisioning_method
eap_fast_pac_attr_hdr_t hdr
unsigned char iv[EVP_MAX_IV_LENGTH]
struct eap_fast_tunnel_t::@172 pac
uint8_t data[PAC_KEY_LENGTH]
eap_fast_pac_attr_hdr_t hdr
unsigned char tag[EVP_GCM_TLS_TAG_LEN]
eap_fast_pac_attr_hdr_t hdr
eap_fast_attr_pac_opaque_t opaque
#define EAP_FAST_TLV_RESULT_SUCCESS
eap_fast_pac_attr_pac_type_t type
#define EAP_FAST_ERR_UNEXPECTED_TLV
eap_fast_pac_attr_hdr_t hdr
uint8_t data[PAC_A_ID_LENGTH]
char const * authority_identity
eap_fast_attr_pac_info_t info
eap_fast_pac_attr_a_id_t a_id
eap_fast_pac_attr_hdr_t hdr
uint8_t server_challenge[MD5_DIGEST_LENGTH]
uint8_t data[sizeof(eap_fast_attr_pac_opaque_plaintext_t) *2]
eap_fast_pac_attr_pac_type_t type
@ EAP_FAST_AUTHENTICATION
@ EAP_FAST_CRYPTOBIND_CHECK
@ EAP_FAST_TLS_SESSION_HANDSHAKE
@ EAP_FAST_PROVISIONING_ANON
@ EAP_FAST_PROVISIONING_AUTH
eap_fast_pac_attr_pac_key_t key
#define EAP_FAST_TLV_RESULT_FAILURE
uint8_t const * pac_opaque_key
int eap_fast_decrypt(uint8_t const *ciphertext, size_t ciphertext_len, uint8_t const *aad, size_t aad_len, uint8_t const *tag, uint8_t const *key, uint8_t const *iv, uint8_t *plaintext)
void eap_fast_tls_gen_challenge(SSL *s, uint8_t *buffer, uint8_t *scratch, size_t size, char const *prf_label)
int eap_fast_encrypt(uint8_t const *plaintext, size_t plaintext_len, uint8_t const *aad, size_t aad_len, uint8_t const *key, uint8_t *iv, unsigned char *ciphertext, uint8_t *tag)
USES_APPLE_DEPRECATED_API void T_PRF(unsigned char const *secret, unsigned int secret_len, char const *prf_label, unsigned char const *seed, unsigned int seed_len, unsigned char *out, unsigned int out_len)
Crypto function declarations.
int fr_hmac_sha1(uint8_t digest[static SHA1_DIGEST_LENGTH], uint8_t const *in, size_t inlen, uint8_t const *key, size_t key_len)
Calculate HMAC using internal SHA1 implementation.
rlm_rcode_t rcode
The current rcode, from executing the instruction or merging the result from a frame.
unlang_action_t eap_virtual_server(request_t *request, eap_session_t *eap_session, virtual_server_t *virtual_server)
Run a subrequest through a virtual server.
void eap_add_reply(request_t *request, fr_dict_attr_t const *da, uint8_t const *value, int len)
static eap_session_t * eap_session_get(request_t *request)
void * opaque
Opaque data used by EAP methods.
bool tls
Whether EAP method uses TLS.
module_method_t process
Callback that should be used to process the next round.
eap_round_t * this_round
The EAP response we're processing, and the EAP request we're building.
Tracks the progress of a single session of any EAP method.
void log_request_pair_list(fr_log_lvl_t lvl, request_t *request, fr_pair_t const *parent, fr_pair_list_t const *vps, char const *prefix)
Print a fr_pair_list_t.
#define RWDEBUG2(fmt,...)
#define RHEXDUMP3(_data, _len, _fmt,...)
@ L_DBG_LVL_1
Highest priority debug messages (-x).
void fr_packet_free(fr_packet_t **packet_p)
Free a fr_packet_t.
#define MD5_DIGEST_LENGTH
@ FR_TYPE_IPV4_ADDR
32 Bit IPv4 Address.
@ FR_TYPE_TLV
Contains nested attributes.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_UINT16
16 Bit unsigned integer.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_OCTETS
Raw octets.
void fr_md5_calc(uint8_t out[static MD5_DIGEST_LENGTH], uint8_t const *in, size_t inlen)
Perform a single digest operation on a single input buffer.
module_instance_t const * mi
Instance of the module being instantiated.
void * thread
Thread specific instance data.
void * rctx
Resume ctx that a module previously set.
void * thread
Thread instance data.
module_instance_t const * mi
Instance of the module being instantiated.
module_instance_t * mi
Instance of the module being instantiated.
Temporary structure to hold arguments for module calls.
Temporary structure to hold arguments for instantiation calls.
Temporary structure to hold arguments for thread_instantiation calls.
static uint16_t fr_nbo_to_uint16(uint8_t const data[static sizeof(uint16_t)])
Read an unsigned 16-bit integer from wire format (big endian)
int fr_pair_list_copy_by_da(TALLOC_CTX *ctx, fr_pair_list_t *to, fr_pair_list_t const *from, fr_dict_attr_t const *da, unsigned int count)
Duplicate pairs in a list matching the specified da.
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
int fr_pair_value_from_str(fr_pair_t *vp, char const *value, size_t inlen, fr_sbuff_unescape_rules_t const *uerules, UNUSED bool tainted)
Convert string value to native attribute value.
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
int fr_pair_value_bstrndup(fr_pair_t *vp, char const *src, size_t len, bool tainted)
Copy data into a "string" type value pair.
fr_pair_t * fr_pair_copy(TALLOC_CTX *ctx, fr_pair_t const *vp)
Copy a single valuepair.
int fr_pair_raw_afrom_pair(fr_pair_t *vp, uint8_t const *data, size_t data_len)
Mark malformed attribute as raw.
int fr_pair_prepend_by_da(TALLOC_CTX *ctx, fr_pair_t **out, fr_pair_list_t *list, fr_dict_attr_t const *da)
Alloc a new fr_pair_t (and prepend)
fr_pair_t * fr_pair_afrom_child_num(TALLOC_CTX *ctx, fr_dict_attr_t const *parent, unsigned int attr)
Create a new valuepair.
static const conf_parser_t config[]
#define RETURN_UNLANG_HANDLED
#define RETURN_UNLANG_FAIL
rlm_rcode_t
Return codes indicating the result of the module call.
@ RLM_MODULE_INVALID
The module considers the request invalid.
@ RLM_MODULE_OK
The module is OK, continue.
@ RLM_MODULE_REJECT
Immediately reject the request.
@ RLM_MODULE_HANDLED
The module handled the request, so stop.
#define request_local_alloc_internal(_ctx, _args)
Allocate a new internal request outside of the request pool.
Optional arguments for initialising requests.
#define request_data_add(_request, _unique_ptr, _unique_int, _opaque, _free_on_replace, _free_on_parent, _persist)
Add opaque data to a request_t.
static unlang_action_t mod_handshake_process(UNUSED unlang_result_t *p_result, UNUSED module_ctx_t const *mctx, request_t *request)
int stage
Processing stage.
static unlang_action_t mod_handshake_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
static fr_dict_attr_t const * attr_eap_fast_pac_a_id_info
static fr_dict_attr_t const * attr_eap_fast_pac_lifetime
fr_dict_autoload_t rlm_eap_fast_dict[]
static fr_dict_attr_t const * attr_eap_fast_pac_i_id
static fr_dict_attr_t const * attr_user_password
static int eap_fast_verify(request_t *request, fr_tls_session_t *tls_session, uint8_t const *data, unsigned int data_len)
static fr_dict_attr_t const * attr_eap_fast_pac_type
static fr_radius_packet_code_t eap_fast_process_tlvs(request_t *request, module_ctx_t const *mctx, eap_session_t *eap_session, fr_tls_session_t *tls_session, fr_pair_list_t *fast_vps)
static fr_dict_attr_t const * attr_freeradius_proxied_to
static fr_dict_attr_t const * attr_eap_fast_pac_opaque_tlv
char const * cipher_list
cipher list specific to EAP-FAST
static fr_dict_attr_t const * attr_eap_fast_intermediate_result
virtual_server_t * virtual_server
Virtual server to use for processing inner EAP method.
static fr_dict_attr_t const * attr_eap_message
static fr_dict_attr_t const * attr_eap_type
static fr_dict_attr_t const * attr_eap_msk
static fr_dict_attr_t const * attr_eap_fast_pac_opaque_pac_key
static fr_dict_attr_t const * attr_eap_fast_pac_info_i_id
static void eap_fast_send_identity_request(request_t *request, fr_tls_session_t *tls_session, eap_session_t *eap_session)
static fr_dict_attr_t const * attr_eap_fast_pac_info_a_id_info
static fr_dict_attr_t const * attr_eap_fast_pac_info_pac_lifetime
#define EAPTLS_MPPE_KEY_LEN
fr_dict_attr_autoload_t rlm_eap_fast_dict_attr[]
static fr_dict_t const * dict_freeradius
static fr_dict_attr_t const * attr_eap_tls_require_client_cert
static fr_dict_attr_t const * attr_eap_fast_pac_tlv
char const * tls_conf_name
Name of shared TLS config.
SSL_CTX * ssl_ctx
Thread local SSL_CTX.
static fr_dict_attr_t const * attr_eap_fast_eap_payload
static fr_dict_t const * dict_radius
static fr_dict_attr_t const * attr_ms_chap_challenge
static fr_dict_attr_t const * attr_eap_fast_pac_key
static fr_dict_attr_t const * attr_eap_fast_crypto_binding
rlm_eap_submodule_t rlm_eap_fast
static int _session_secret(SSL *s, void *secret, int *secret_len, UNUSED STACK_OF(SSL_CIPHER) *peer_ciphers, UNUSED SSL_CIPHER const **cipher, void *arg)
static fr_dict_attr_t const * attr_eap_fast_pac_acknowledge
fr_time_delta_t pac_lifetime
seconds to add to current time to describe PAC lifetime
static fr_radius_packet_code_t eap_fast_process(request_t *request, module_ctx_t const *mctx, eap_session_t *eap_session, fr_tls_session_t *tls_session)
static void eap_fast_append_result(fr_tls_session_t *tls_session, fr_radius_packet_code_t code)
static void eap_fast_session_ticket(fr_tls_session_t *tls_session, const SSL *s, uint8_t *secret, int *secret_len)
static void eap_fast_send_error(fr_tls_session_t *tls_session, int error)
char const * pac_opaque_key
The key used to encrypt PAC-Opaque.
static fr_radius_packet_code_t eap_fast_crypto_binding(request_t *request, UNUSED eap_session_t *eap_session, fr_tls_session_t *tls_session, eap_tlv_crypto_binding_tlv_t *binding)
static fr_dict_attr_t const * attr_eap_fast_pac_info_tlv
static fr_dict_attr_t const * attr_eap_emsk
static void eap_fast_init_keys(request_t *request, fr_tls_session_t *tls_session)
RFC 4851 section 5.1 - EAP-FAST Authentication Phase 1: Key Derivations.
char const * default_provisioning_method_name
static fr_dict_attr_t const * attr_ms_mppe_send_key
static fr_dict_attr_t const * attr_eap_fast_pac_info_a_id
char const * authority_identity
The identity we present in the EAP-TLS.
fr_dict_t const * dict_eap_fast
int default_provisioning_method
static fr_dict_attr_t const * attr_eap_fast_pac_info_pac_type
static fr_dict_attr_t const * attr_eap_fast_pac_a_id
static rlm_rcode_t process_reply(UNUSED eap_session_t *eap_session, fr_tls_session_t *tls_session, request_t *request, fr_packet_t *reply, fr_pair_list_t *reply_list)
static int mod_thread_instantiate(module_thread_inst_ctx_t const *mctx)
static fr_dict_attr_t const * attr_eap_fast_nak
static void eap_fast_send_pac_tunnel(request_t *request, fr_tls_session_t *tls_session)
static fr_dict_attr_t const * attr_eap_fast_pac_opaque_pac_type
static fr_radius_packet_code_t eap_fast_eap_payload(request_t *request, module_ctx_t const *mctx, eap_session_t *eap_session, fr_tls_session_t *tls_session, fr_pair_t *tlv_eap_payload)
static fr_dict_attr_t const * attr_eap_fast_error
static fr_dict_attr_t const * attr_eap_fast_pac_opaque_pac_lifetime
static void eap_fast_append_crypto_binding(request_t *request, fr_tls_session_t *tls_session)
static fr_dict_attr_t const * attr_user_name
static eap_fast_tunnel_t * eap_fast_alloc(TALLOC_CTX *ctx, rlm_eap_fast_t const *inst)
Allocate the FAST per-session data.
static fr_dict_attr_t const * attr_proxy_to_realm
static fr_dict_attr_t const * attr_ms_mppe_recv_key
static conf_parser_t submodule_config[]
static fr_dict_attr_t const * attr_eap_fast_result
fr_tls_conf_t * tls_conf
TLS config pointer.
bool req_client_cert
Whether we require a client cert in the outer tunnel.
static fr_dict_attr_t const * attr_eap_fast_pac_opaque_i_id
static ssize_t eap_fast_decode_pair(TALLOC_CTX *ctx, fr_pair_list_t *out, fr_dict_attr_t const *parent, uint8_t const *data, size_t data_len, void *decode_ctx)
FIXME do something with mandatory.
static fr_dict_attr_t const * attr_ms_chap_peer_challenge
static int mod_thread_detach(module_thread_inst_ctx_t const *mctx)
static unlang_action_t mod_session_init(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
static fr_dict_attr_t const * attr_eap_fast_vendor_specific
static int mod_instantiate(module_inst_ctx_t const *mctx)
static void eap_fast_tlv_append(fr_tls_session_t *tls_session, fr_dict_attr_t const *tlv, bool mandatory, int length, void const *data)
static int _session_ticket(SSL *s, uint8_t const *data, int len, void *arg)
static void eap_fast_update_icmk(request_t *request, fr_tls_session_t *tls_session, uint8_t *msk)
RFC 4851 section 5.2 - Intermediate Compound Key Derivations.
CONF_SECTION * conf
Module's instance configuration.
size_t inst_size
Size of the module's instance data.
void * data
Module's instance data.
unlang_action_t unlang_module_yield(request_t *request, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Yield a request back to the interpreter from within a module.
eap_aka_sim_process_conf_t * inst
Stores an attribute, a value and various bits of other data.
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
module_t common
Common fields provided by all modules.
Interface exported by EAP submodules.
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
#define talloc_get_type_abort_const
static int64_t fr_time_to_sec(fr_time_t when)
Convert an fr_time_t (internal time) to number of sec since the unix epoch (wallclock time)
static int64_t fr_time_delta_unwrap(fr_time_delta_t time)
#define fr_time_delta_wrap(_time)
#define fr_time_wrap(_time)
#define fr_time_lteq(_a, _b)
#define fr_time_delta_ispos(_a)
#define fr_time_eq(_a, _b)
#define fr_time_add(_a, _b)
Add a time/time delta together.
A time delta, a difference in time measured in nanoseconds.
int eap_tls_success(request_t *request, eap_session_t *eap_session, eap_tls_prf_label_t *prf_label)
Send an EAP-TLS success.
eap_tls_session_t * eap_tls_session_init(request_t *request, eap_session_t *eap_session, SSL_CTX *ssl_ctx, bool client_cert)
Create a new fr_tls_session_t associated with an eap_session_t.
int eap_tls_compose(request_t *request, eap_session_t *eap_session, eap_tls_status_t status, uint8_t flags, fr_tls_record_t *record, size_t record_len, size_t frag_len)
Convert the EAP-TLS reply packet into an EAP packet.
int eap_tls_request(request_t *request, eap_session_t *eap_session)
Frames the OpenSSL data that needs to be sent to the client in an EAP-Request.
int eap_tls_fail(request_t *request, eap_session_t *eap_session)
Send an EAP-TLS failure.
USES_APPLE_DEPRECATED_API fr_table_num_ordered_t const eap_tls_status_table[]
fr_tls_conf_t * eap_tls_conf_parse(CONF_SECTION *cs)
Parse TLS configuration.
unlang_action_t eap_tls_process(request_t *request, eap_session_t *eap_session)
Process an EAP TLS request.
int base_flags
Some protocols use the reserved bits of the EAP-TLS flags (such as PEAP).
eap_tls_status_t state
The state of the EAP-TLS session.
@ EAP_TLS_INVALID
Invalid, don't reply.
@ EAP_TLS_HANDLED
TLS code has handled it.
@ EAP_TLS_RECORD_RECV_COMPLETE
Received final fragment of a record.
@ EAP_TLS_START_SEND
We're starting a new TLS session.
@ EAP_TLS_FAIL
Fail, send fail.
@ EAP_TLS_ESTABLISHED
Session established, send success (or start phase2).
fr_tls_session_t * tls_session
TLS session used to authenticate peer or tunnel sensitive data.
Tracks the state of an EAP-TLS session.
unsigned int code
Packet code (type).
#define fr_pair_dcursor_by_da_init(_cursor, _list, _da)
Initialise a cursor that will return only attributes matching the specified fr_dict_attr_t.
bool fr_pair_list_empty(fr_pair_list_t const *list)
Is a valuepair list empty.
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item)
Get the next item in a valuepair list after a specific entry.
void fr_pair_list_free(fr_pair_list_t *list)
Free memory used by a valuepair list.
fr_pair_t * fr_pair_list_head(fr_pair_list_t const *list)
Get the head of a valuepair list.
char const * fr_strerror(void)
Get the last library error.
int fr_tls_utils_keyblock_size_get(request_t *request, SSL *ssl)
Returns the OpenSSL keyblock size.
ssize_t fr_value_box_from_network(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_type_t type, fr_dict_attr_t const *enumv, fr_dbuff_t *dbuff, size_t len, bool tainted)
Decode a fr_value_box_t from serialized binary data.
static size_t char ** out
int virtual_server_cf_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
Wrapper for the config parser to allow pass1 resolution of virtual servers.
Additional validation rules for virtual server lookup.