1#pragma once
2/*
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or (at
6 * your option) any later version.
7 *
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 *
13 * You should have received a copy of the GNU General Public License
14 * along with this program; if not, write to the Free Software
15 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
16 */
17
18/**
19 * $Id: 7db8c33b0429fd03750c7e3b242989d10831bf6a $
20 * @file lib/eap/tls.h
21 * @brief Generic EAP over TLS API
22 *
23 * @copyright 2001 hereUare Communications, Inc. (raghud@hereuare.com)
24 * @copyright 2003 Alan DeKok (aland@freeradius.org)
25 * @copyright 2006 The FreeRADIUS server project
26 */
27
28RCSIDH(lib_eap_tls_h, "$Id: 7db8c33b0429fd03750c7e3b242989d10831bf6a $")
29USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
30
31#include <stdio.h>
32#include <stdlib.h>
33#include <string.h>
34#include <errno.h>
35#include <sys/types.h>
36#include <sys/socket.h>
37#include <netinet/in.h>
38#include <netinet/tcp.h>
39#include <netdb.h>
40#include <fcntl.h>
41#include <signal.h>
42
43#include <ctype.h>
44#include <sys/time.h>
45#include <arpa/inet.h>
46
47#ifdef HAVE_UNISTD_H
48# include <unistd.h>
49#endif
50
51#include <freeradius-devel/server/base.h>
52#include <freeradius-devel/tls/base.h>
53#include <freeradius-devel/eap/base.h>
54
/*
 *	Octet sizes used when framing TLS records into EAP-TLS packets.
 *	The optional "TLS Message Length" field of an EAP-TLS packet is
 *	four octets (RFC 5216, Section 3.1) and is only present when the
 *	L flag below is set.
 *
 *	NOTE(review): both constants are 4; how each is applied is not
 *	visible in this header - check the users in tls.c before changing
 *	either one independently of the other.
 */
#define TLS_HEADER_LEN 4
#define TLS_HEADER_LENGTH_FIELD_LEN 4

/*
 *	EAP-TLS flags octet.  Originally RFC 2716, Section 4.2; RFC 2716 has
 *	been obsoleted by RFC 5216, which gives the same layout in Section 3.1.
 *
 *	Flags
 *
 *	 0 1 2 3 4 5 6 7
 *	+-+-+-+-+-+-+-+-+
 *	|L M S R R R R R|
 *	+-+-+-+-+-+-+-+-+
 *
 *	L = Length included (0x80): the four octet TLS Message Length follows
 *	M = More fragments   (0x40)
 *	S = EAP-TLS start    (0x20)
 *	R = Reserved         (0x1f)
 *
 *	Bit 0 of the diagram is the most significant bit of the octet, which
 *	is why L tests 0x80 and the reserved bits are the low five bits.
 *
 *	The reserved bits are not guaranteed to be zero on receipt: methods
 *	layered on this API (PEAP, see eap_tls_session_t.base_flags) carry
 *	their own data in them, so a generic "reject if any reserved bit is
 *	set" check would break those methods.
 *
 *	Security note: when L is set, the length that follows is chosen by
 *	the peer.  Code that consumes it must bound it against the configured
 *	maximum before allocating or copying.
 */
#define TLS_RESERVED4(x) (((x) & 0x01) != 0)
#define TLS_RESERVED3(x) (((x) & 0x02) != 0)
#define TLS_RESERVED2(x) (((x) & 0x04) != 0)
#define TLS_RESERVED1(x) (((x) & 0x08) != 0)
#define TLS_RESERVED0(x) (((x) & 0x10) != 0)
#define TLS_START(x) (((x) & 0x20) != 0)
#define TLS_MORE_FRAGMENTS(x) (((x) & 0x40) != 0)
#define TLS_LENGTH_INCLUDED(x) (((x) & 0x80) != 0)

/*
 *	Return a copy of a flags value with the given bit set.  The
 *	argument itself is not modified.
 */
#define SET_START(x) ((x) | (0x20))
#define SET_MORE_FRAGMENTS(x) ((x) | (0x40))
#define SET_LENGTH_INCLUDED(x) ((x) | (0x80))
85
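/** Outcome of processing an EAP-TLS packet and the kind of packet to build next
 *
 * Stored in eap_tls_session_t.state and passed to eap_tls_compose() to
 * select the reply to build.  Values are grouped into outcomes, composition
 * states (we must send something of this type) and receive states (the
 * peer's response carried a fragment of a record).  Human readable names
 * for logging live in eap_tls_status_table.
 *
 * EAP_TLS_INVALID is explicitly zero so a zero-initialised session is in the
 * "don't reply" state rather than some accidental valid one.
 */
typedef enum {
	EAP_TLS_INVALID = 0,		//!< Invalid, don't reply.
	EAP_TLS_ESTABLISHED,		//!< Session established, send success (or start phase2).
	EAP_TLS_FAIL,			//!< Fail, send fail.
	EAP_TLS_HANDLED,		//!< TLS code has handled it.

	/*
	 *	Composition states, we need to
	 *	compose a request of this type.
	 */
	EAP_TLS_START_SEND,		//!< We're starting a new TLS session.
	EAP_TLS_RECORD_SEND,		//!< We're sending a record.
	EAP_TLS_ACK_SEND,		//!< Acknowledge receipt of a record or record fragment.

	/*
	 *	Receive states, we received a
	 *	response containing a fragment of a
	 *	record.
	 */
	EAP_TLS_RECORD_RECV_FIRST,	//!< Received first fragment of a record.
	EAP_TLS_RECORD_RECV_MORE,	//!< Received additional fragment of a record.
	EAP_TLS_RECORD_RECV_COMPLETE	//!< Received final fragment of a record.
} eap_tls_status_t;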
109
114
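/** Tracks the state of an EAP-TLS session
 *
 * Contains any EAP-TLS specific state information, such as whether we're
 * sending/receiving fragments, and the progress of those operations.
 *
 * TLS session state is stored in a fr_tls_session_t accessed via the tls_session field.
 *
 * record_out_* fields describe the record currently being fragmented towards
 * the peer; record_in_* fields describe the record currently being reassembled
 * from the peer.  Of these, record_in_total_len is the only value that
 * originates from the network rather than from us.
 */
typedef struct {
	eap_tls_status_t	state;			//!< The state of the EAP-TLS session.

	fr_tls_session_t	*tls_session;		//!< TLS session used to authenticate peer
							//!< or tunnel sensitive data.

	int			base_flags;		//!< Some protocols use the reserved bits of the EAP-TLS
							//!< flags (such as PEAP). This allows the base flags to
							//!< be set.

	bool			phase2;			//!< Whether we're in phase 2

	bool			include_length;		//!< A flag to include length in every TLS Data/Alert packet.
							//!< If set to no then only the first fragment contains length.

	bool			authentication_success;	//!< For methods with inner auth, whether the inner auth succeeded.

	bool			record_out_started;	//!< Whether a record transfer to the peer is currently
							//!< in progress.
	size_t			record_out_total_len;	//!< Actual/Total TLS message length we're sending.

	bool			record_in_started;	//!< Whether a record transfer from the peer is currently
							//!< in progress.
	size_t			record_in_total_len;	//!< How long the peer indicated the complete tls record
							//!< would be.  This is peer supplied (the TLS Message Length
							//!< sent with the L flag) and therefore untrusted.
							//!< NOTE(review): consumers in tls.c should bound it against
							//!< the configured maximum before allocating, and should
							//!< reject fragments that would push record_in_recvd_len
							//!< past it - confirm that both checks exist there.
	size_t			record_in_recvd_len;	//!< How much of the record we've received so far.
} eap_tls_session_t;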
149
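/** PRF labels and exporter context used to derive keys from a TLS session
 *
 * Filled in by eap_crypto_prf_label_init() and consumed by eap_tls_success(),
 * eap_crypto_mppe_keys() and eap_crypto_tls_session_id().
 *
 * The label pointers are plain pointers into memory owned by the caller.
 * NOTE(review): nothing here implies they are copied - keep the strings
 * alive for as long as the structure is in use (string literals are fine).
 */
typedef struct {
	char const	*keying_prf_label;	//!< PRF label to use for generating keying material.
						//!< If NULL, no MPPE keys will be generated.
	size_t		keying_prf_label_len;	//!< Length of the keying PRF label.

	char const	*sessid_prf_label;	//!< PRF label to use when generating the session ID.
						//!< If NULL, session ID will be based on client/server randoms.
	size_t		sessid_prf_label_len;	//!< Length of the session ID PRF label.

	uint8_t		context[1];		//!< For TLS 1.3 context, is the EAP Type code.
						//!< Binding the exporter to the method type is what
						//!< stops key material derived for one EAP-TLS based
						//!< method being reused by another.
	size_t		context_len;		//!< Length of the context.  The buffer holds exactly
						//!< one octet, so this must be 0 or 1; anything larger
						//!< would read past the end of context.
	int		use_context;		//!< Passed to SSL_export_keying_material() to say
						//!< whether context/context_len should be used.
} eap_tls_prf_label_t;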
164
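/** Name/number table for eap_tls_status_t, for logging and debugging */
extern fr_table_num_ordered_t const eap_tls_status_table[];
extern size_t eap_tls_status_table_len;

/*
 *	Externally exported TLS functions.
 */

/** Process an EAP-TLS request
 *
 * @param[in] request	being processed.
 * @param[in] eap_session	the EAP session the packet belongs to.
 * @return an unlang action telling the interpreter what to do next.
 */
unlang_action_t	eap_tls_process(request_t *request, eap_session_t *eap_session) CC_HINT(nonnull);

/** Send an initial EAP-TLS request (S flag set) to the peer
 *
 * @param[in] request	being processed.
 * @param[in] eap_session	the EAP session to start TLS in.
 * @return 0 on success, negative on error (presumed from the sibling functions; verify in tls.c).
 */
int		eap_tls_start(request_t *request, eap_session_t *eap_session) CC_HINT(nonnull);

/** Send an EAP-TLS success
 *
 * @param[in] request	being processed.
 * @param[in] eap_session	the EAP session that completed.
 * @param[in] prf_label	labels used to derive keying material.  May be NULL;
 *			only request and eap_session are marked nonnull.
 * @return 0 on success, negative on error (presumed; verify in tls.c).
 */
int		eap_tls_success(request_t *request, eap_session_t *eap_session, eap_tls_prf_label_t *prf_label) CC_HINT(nonnull(1,2));

/** Send an EAP-TLS failure
 *
 * @param[in] request	being processed.
 * @param[in] eap_session	the EAP session that failed.
 * @return 0 on success, negative on error (presumed; verify in tls.c).
 */
int		eap_tls_fail(request_t *request, eap_session_t *eap_session) CC_HINT(nonnull);

/** Frame the OpenSSL data that needs to be sent to the client in an EAP-Request
 *
 * @param[in] request	being processed.
 * @param[in] eap_session	the EAP session whose TLS output is pending.
 * @return 0 on success, negative on error (presumed; verify in tls.c).
 */
int		eap_tls_request(request_t *request, eap_session_t *eap_session) CC_HINT(nonnull);

/** Convert an EAP-TLS reply into an EAP packet
 *
 * @param[in] request	being processed.
 * @param[in] eap_session	the EAP session the reply belongs to.
 * @param[in] status	which kind of EAP-TLS packet to build.
 * @param[in] flags	flags octet to send (see TLS_* / SET_* macros and base_flags).
 * @param[in] record	TLS record to fragment, if any.
 * @param[in] record_len	total length of record.
 * @param[in] frag_len	maximum number of record bytes to put in this packet.
 * @return 0 on success, negative on error (presumed; verify in tls.c).
 */
int		eap_tls_compose(request_t *request, eap_session_t *eap_session,
				eap_tls_status_t status, uint8_t flags,
				fr_tls_record_t *record, size_t record_len, size_t frag_len);

/* MPPE key generation */

/** Initialise the PRF label fields of an eap_tls_prf_label_t
 *
 * @param[out] prf_label	structure to fill.
 * @param[in] eap_session	used to derive the method specific parts (e.g. the type code context).
 * @param[in] keying_prf_label	label for keying material derivation; not copied, must outlive prf_label.
 * @param[in] keying_prf_label_len	length of keying_prf_label.
 */
void		eap_crypto_prf_label_init(eap_tls_prf_label_t *prf_label, eap_session_t *eap_session,
					  char const *keying_prf_label, size_t keying_prf_label_len);

/** Generate MPPE keys according to RFC 5216 and add them to the reply
 *
 * @param[in] request	being processed; the keys are added to its reply.
 * @param[in] ssl	established TLS session to export keying material from.
 * @param[in] prf_label	labels/context used for the export.
 * @return 0 on success, negative on error (presumed; verify in crypto.c).
 */
int		eap_crypto_mppe_keys(request_t *request, SSL *ssl, eap_tls_prf_label_t *prf_label) CC_HINT(nonnull);

/** Derive the EAP session ID for a TLS session
 *
 * @param[in] ctx	talloc context; may be NULL (only request and out are marked nonnull).
 * @param[in] request	being processed.
 * @param[in] ssl	TLS session.
 * @param[in] prf_label	labels/context used for the derivation.
 * @param[out] out	where to write the session ID.  NOTE(review): presumably talloced
 *			in ctx - confirm ownership against crypto.c before freeing.
 * @param[in] eap_type	EAP method type code the session ID is for.
 * @return 0 on success, negative on error (presumed; verify in crypto.c).
 */
int		eap_crypto_tls_session_id(TALLOC_CTX *ctx, request_t *request,
					  SSL *ssl, eap_tls_prf_label_t *prf_label, uint8_t **out,
					  uint8_t eap_type) CC_HINT(nonnull(2, 5));

/* EAP-TLS framework */

/** Create a new fr_tls_session_t associated with an eap_session_t
 *
 * @param[in] request	being processed.
 * @param[in] eap_session	the EAP session to attach the TLS session to.
 * @param[in] ssl_ctx	OpenSSL context to create the session from.
 * @param[in] client_cert	whether a client certificate is required.
 * @return the new EAP-TLS session, or NULL on error (presumed; verify in tls.c).
 */
eap_tls_session_t *eap_tls_session_init(request_t *request, eap_session_t *eap_session,
					SSL_CTX *ssl_ctx, bool client_cert) CC_HINT(nonnull);

/** Parse the TLS configuration for an EAP method
 *
 * @param[in] cs	configuration section to parse.
 * @return the parsed TLS configuration, or NULL on error (presumed; verify in tls.c).
 */
fr_tls_conf_t	*eap_tls_conf_parse(CONF_SECTION *cs) CC_HINT(nonnull);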