25 RCSID(
"$Id: 1586c6e2229763b22d24fc8cc9b64da43f517e03 $")
28 #include <freeradius-devel/tls/openssl_user_macros.h>
29 #ifdef HAVE_OPENSSL_RAND_H
30 # include <openssl/rand.h>
32 #ifdef HAVE_OPENSSL_EVP_H
33 # include <openssl/evp.h>
35 #ifdef HAVE_SYS_STAT_H
36 # include <sys/stat.h>
80 fr_tls_session_t *tls_session = eap_tls_session->
tls_session;
88 switch (eap_tls_session->
state) {
101 "client EAP encryption",
102 sizeof(
"client EAP encryption") - 1);
123 return fr_tls_cache_pending_push(request, tls_session);
139 REDEBUG(
"Received unexpected tunneled data after successful handshake");
151 fr_tls_cache_deny(request, tls_session);
159 return fr_tls_cache_pending_push(request, tls_session);
195 eap_session->
tls =
true;
203 client_cert =
vp->vp_uint32 ?
true :
false;
205 client_cert =
inst->req_client_cert;
235 t->
ssl_ctx = fr_tls_ctx_alloc(
inst->tls_conf,
false);
260 if (!
inst->tls_conf) {
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
#define USES_APPLE_DEPRECATED_API
#define CONF_PARSER_TERMINATOR
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Defines a CONF_PAIR to C data type mapping.
A section grouping multiple CONF_PAIR.
#define cf_log_err(_cf, _fmt,...)
#define cf_log_err_by_child(_parent, _child, _fmt,...)
Log an error message against a specified child.
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Specifies an attribute which must be present for the module to function.
Specifies a dictionary which must be loaded/loadable for the module to function.
void *_CONST data
Module instance's parsed configuration.
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
CONF_SECTION *_CONST conf
Module's instance configuration.
void eap_crypto_prf_label_init(eap_tls_prf_label_t *prf_label, eap_session_t *eap_session, char const *keying_prf_label, size_t keying_prf_label_len)
Initialize the PRF label fields.
void * opaque
Opaque data used by EAP methods.
bool tls
Whether EAP method uses TLS.
module_method_t process
Callback that should be used to process the next round.
static eap_session_t * eap_session_get(request_t *request)
Tracks the progress of a single session of any EAP method.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
void * thread
Thread specific instance data.
void * rctx
Resume ctx that a module previously set.
dl_module_inst_t const * inst
Dynamic loader API handle for the module.
void * thread
Thread instance data.
dl_module_inst_t const * inst
Dynamic loader API handle for the module.
dl_module_inst_t const * inst
Dynamic loader API handle for the module.
Temporary structure to hold arguments for module calls.
Temporary structure to hold arguments for instantiation calls.
Temporary structure to hold arguments for thread_instantiation calls.
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
static const conf_parser_t config[]
#define RETURN_MODULE_HANDLED
#define RETURN_MODULE_INVALID
rlm_rcode_t
Return codes indicating the result of the module call.
@ RLM_MODULE_REJECT
Immediately reject the request.
static unlang_action_t mod_handshake_resume(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
static unlang_action_t mod_handshake_process(UNUSED rlm_rcode_t *p_result, UNUSED module_ctx_t const *mctx, request_t *request)
static fr_dict_t const * dict_freeradius
static fr_dict_attr_t const * attr_eap_tls_require_client_cert
fr_dict_attr_autoload_t rlm_eap_tls_dict_attr[]
static unlang_action_t mod_handshake_done(rlm_rcode_t *p_result, UNUSED module_ctx_t const *mctx, UNUSED request_t *request)
fr_dict_autoload_t rlm_eap_tls_dict[]
static int mod_thread_instantiate(module_thread_inst_ctx_t const *mctx)
static conf_parser_t submodule_config[]
rlm_eap_submodule_t rlm_eap_tls
static int mod_thread_detach(module_thread_inst_ctx_t const *mctx)
static int mod_instantiate(module_inst_ctx_t const *mctx)
SSL_CTX * ssl_ctx
Thread local SSL_CTX.
static unlang_action_t mod_session_init(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
static int instantiate(module_inst_ctx_t const *mctx)
unlang_action_t unlang_module_yield(request_t *request, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Yield a request back to the interpreter from within a module.
eap_aka_sim_process_conf_t * inst
Stores an attribute, a value and various bits of other data.
module_t common
Common fields provided by all modules.
Interface exported by EAP submodules.
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
int eap_tls_success(request_t *request, eap_session_t *eap_session, eap_tls_prf_label_t *prf_label)
Send an EAP-TLS success.
eap_tls_session_t * eap_tls_session_init(request_t *request, eap_session_t *eap_session, SSL_CTX *ssl_ctx, bool client_cert)
Create a new fr_tls_session_t associated with an eap_session_t.
int eap_tls_start(request_t *request, eap_session_t *eap_session)
Send an initial EAP-TLS request to the peer.
int eap_tls_fail(request_t *request, eap_session_t *eap_session)
Send an EAP-TLS failure.
USES_APPLE_DEPRECATED_API fr_table_num_ordered_t const eap_tls_status_table[]
fr_tls_conf_t * eap_tls_conf_parse(CONF_SECTION *cs, char const *attr)
Parse TLS configuration.
unlang_action_t eap_tls_process(request_t *request, eap_session_t *eap_session)
Process an EAP TLS request.
eap_tls_status_t state
The state of the EAP-TLS session.
@ EAP_TLS_INVALID
Invalid, don't reply.
@ EAP_TLS_HANDLED
TLS code has handled it.
@ EAP_TLS_RECORD_RECV_COMPLETE
Received final fragment of a record.
@ EAP_TLS_FAIL
Fail, send fail.
@ EAP_TLS_ESTABLISHED
Session established, send success (or start phase2).
fr_tls_session_t * tls_session
TLS session used to authenticate peer or tunnel sensitive data.
bool include_length
A flag to include length in every TLS Data/Alert packet.
Tracks the state of an EAP-TLS session.
CONF_SECTION * virtual_server_find(char const *name)
Return virtual server matching the specified name.