The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
verify.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: dcee0df57159506cfa993fd7fb6bd30127c81418 $
19 *
20 * @file tls/verify.c
21 * @brief Expose certificate OIDs as attributes, and call validation virtual
22 * server to check cert is valid.
23 *
24 * @copyright 2001 hereUare Communications, Inc. (raghud@hereuare.com)
25 * @copyright 2003 Alan DeKok (aland@freeradius.org)
26 * @copyright 2006-2016 The FreeRADIUS server project
27 */
28#ifdef WITH_TLS
29#define LOG_PREFIX "tls"
30
31#include <freeradius-devel/server/exec.h>
32#include <freeradius-devel/server/pair.h>
33#include <freeradius-devel/tls/log.h>
34#include <freeradius-devel/unlang/function.h>
35#include <freeradius-devel/unlang/subrequest.h>
36#include <freeradius-devel/util/debug.h>
37#include <freeradius-devel/util/strerror.h>
38#include <freeradius-devel/util/syserror.h>
39
40#include "attrs.h"
41#include "base.h"
42
43/** Check to see if a verification operation should apply to a certificate
44 *
45 * @param[in] depth starting at 0.
46 * Certificate 0 is the leaf cert (i.e. the client or server cert);
47 * @param[in] untrusted The number of untrusted certificates.
48 * @param[in] mode to check
49 * @return
50 * - true if a given validation check should apply.
51 ** - false if a validation check should not apply.
52 */
53static inline CC_HINT(always_inline)
54bool verify_applies(fr_tls_verify_mode_t mode, int depth, int untrusted)
55{
56 if (mode == FR_TLS_VERIFY_MODE_ALL) return true;
57 if (mode == FR_TLS_VERIFY_MODE_DISABLED) return false;
58
59 if ((mode & FR_TLS_VERIFY_MODE_LEAF) && (depth == 0)) return true;
60 if ((mode & FR_TLS_VERIFY_MODE_ISSUER) && (depth == 1)) return true;
61 if ((mode & FR_TLS_VERIFY_MODE_UNTRUSTED) && (depth < untrusted)) return true;
62
63 return false;
64}
65
66DIAG_OFF(DIAG_UNKNOWN_PRAGMAS)
67DIAG_OFF(used-but-marked-unused) /* fix spurious warnings for sk macros */
68
69/** Print verbose humanly readable messages about why certificate validation failed
70 *
71 */
72static void tls_verify_error_detail(request_t *request, SSL_CTX *ctx, int err)
73{
74 X509_STORE *store = SSL_CTX_get_ex_data(ctx, FR_TLS_EX_CTX_INDEX_VERIFY_STORE);
75
76 switch (err) {
77 /*
78 * We linked the provided cert to at least one
79 * other in a chain, but the chain doesn't terminate
80 * in a root CA.
81 */
82 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
83 FALL_THROUGH;
84
85 /*
86 * We failed to link the provided cert to any
87 * other local certificates in the chain.
88 */
89 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
90 RDEBUG2("Static certificates in verification store are");
91 if (RDEBUG_ENABLED2) {
92 RINDENT();
93 fr_tls_x509_objects_log(request, L_DBG, X509_STORE_get0_objects(store));
94 REXDENT();
95 }
96 break;
97
98 default:
99 break;
100 }
101}
102
103/** Validates a certificate using custom logic
104 *
105 * Before trusting a certificate, we make sure that the certificate is
106 * 'valid'. There are several checks we perform to verify its validity.
107 *
108 * 1. Verify the certificate's signature, and verifying that the certificate has
109 * been issued by a trusted Certificate Authority (this is done for us by OpenSSL).
110 *
111 * 2. Verify that the certificate is valid for the present date (i.e. it is being
112 * presented within its validity dates).
113 *
114 * 3. Verify that the certificate has not been revoked by its issuing Certificate
115 * Authority, by checking with respect to a Certificate Revocation List (CRL).
116 *
117 * @note This callback will be called multiple times based on the depth of the root
118 * certificate chain.
119 *
120 * @note As a byproduct of validation, various OIDs will be extracted from the
121 * certificates, and inserted into the session-state list as fr_pair_t.
122 *
123 * @param ok preverify ok. 1 if true, 0 if false.
124 * @param x509_ctx containing certs to verify.
125 * @return
126 * - 0 if not valid.
127 * - 1 if valid.
128 */
129int fr_tls_verify_cert_cb(int ok, X509_STORE_CTX *x509_ctx)
130{
131 X509 *cert;
132
133 SSL_CTX *ssl_ctx;
134 SSL *ssl;
135 fr_tls_session_t *tls_session;
136 int err, depth;
137 fr_tls_conf_t *conf;
138 int my_ok = ok;
139 int untrusted;
140
141 request_t *request;
142 fr_pair_t *container = NULL;
143 fr_pair_t *depth_pair;
144
145 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
146 err = X509_STORE_CTX_get_error(x509_ctx);
147 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
148 untrusted = X509_STORE_CTX_get_num_untrusted(x509_ctx);
149
150 /*
151 * Retrieve the pointer to the SSL of the connection currently treated
152 * and the application specific data stored into the SSL object.
153 */
154 ssl = X509_STORE_CTX_get_ex_data(x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
155 ssl_ctx = SSL_get_SSL_CTX(ssl);
156 conf = fr_tls_session_conf(ssl);
157 tls_session = talloc_get_type_abort(SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_TLS_SESSION), fr_tls_session_t);
158 request = fr_tls_session_request(tls_session->ssl);
159
160 /*
161 * If this error appears it suggests
162 * that OpenSSL is trying to perform post-handshake
163 * certificate validation which we don't support.
164 */
165 if (!tls_session->can_pause) {
166 fr_assert_msg("Unexpected call to %s. "
167 "tls_session_async_handshake_cont must be in call stack", __FUNCTION__);
168 return 0;
169 }
170
171 /*
172 * Bail out as quickly as possible, producing
173 * as few errors as possible.
174 */
175 if (unlang_request_is_cancelled(request)) {
176 X509_STORE_CTX_set_error(x509_ctx, 0);
177 return 1;
178 }
179
180 /*
181 * Find or add the chain depth attribute and record the greatest depth we see + 1,
182 * as depth is zero based.
183 */
184 if (unlikely(fr_pair_find_or_append_by_da(request->session_state_ctx, &depth_pair, &request->session_state_pairs,
185 attr_tls_certificate_chain_depth) < 0)) {
186 RERROR("Failed to add certificate chain depth pair");
187 return 0;
188 }
189 if (depth_pair->vp_uint32 < ((uint32_t)depth) + 1) depth_pair->vp_uint32 = (uint32_t)depth + 1;
190
191 if (RDEBUG_ENABLED3) {
192 char subject[2048];
193 STACK_OF(X509) *our_chain;
194 int i;
195
196 our_chain = X509_STORE_CTX_get0_chain(x509_ctx);
197 RDEBUG3("Certificate chain - %i cert(s) untrusted", untrusted);
198 for (i = sk_X509_num(our_chain); i > 0 ; i--) {
199 X509 *this_cert = sk_X509_value(our_chain, i - 1);
200
201 X509_NAME_oneline(X509_get_subject_name(this_cert), subject, sizeof(subject));
202 subject[sizeof(subject) - 1] = '\0';
203
204 RDEBUG3("%s [%i] %s", this_cert == cert ? ">" : " ", i - 1, subject);
205 }
206 }
207
208 /*
209 * See if the user has disabled verification for
210 * this certificate. If they have, force verification
211 * to succeed.
212 */
213 if (!my_ok) {
214 char const *p = X509_verify_cert_error_string(err);
215 if (!verify_applies(conf->verify.mode, depth, untrusted) ||
216 ((conf->verify.allow_expired_crl) && (err == X509_V_ERR_CRL_HAS_EXPIRED)) ||
217 ((conf->verify.allow_not_yet_valid_crl) && (err == X509_V_ERR_CRL_NOT_YET_VALID))) {
218 RDEBUG2("Ignoring verification error - %s (%i)", p, err);
219 tls_verify_error_detail(request, ssl_ctx, err);
220
221 my_ok = 1;
222 X509_STORE_CTX_set_error(x509_ctx, 0);
223 } else {
224 RERROR("Verification error - %s (%i)", p, err);
225 tls_verify_error_detail(request, ssl_ctx, err);
226 goto done;
227 }
228 }
229
230 if (verify_applies(conf->verify.attribute_mode, depth, untrusted) &&
231 (!(container = fr_pair_find_by_da_idx(&request->session_state_pairs, attr_tls_certificate, depth)) ||
232 fr_pair_list_empty(&container->vp_group))) {
233 if (!container) {
234 unsigned int i;
235
236 /*
237 * Build a stack of container attributes.
238 *
239 * OpenSSL passes us the deepest certificate
240 * first, so we need to build out sufficient
241 * TLS-Certificate container TLVs so the TLS-Certificate
242 * indexes match the attribute depth.
243 */
244 for (i = fr_pair_count_by_da(&request->session_state_pairs, attr_tls_certificate);
245 i <= (unsigned int)depth;
246 i++) {
247 MEM(container = fr_pair_afrom_da(request->session_state_ctx, attr_tls_certificate));
248 fr_pair_append(&request->session_state_pairs, container);
249 }
250 }
251
252#ifdef STATIC_ANALYZER
253 /*
254 * Container can never be NULL, because if container
255 * was previously NULL, i will be <= depth.
256 */
257 if (!fr_cond_assert(container)) {
258 my_ok = 0;
259 goto done;
260 }
261#endif
262 /*
263 * If we fail to populate the cert attributes,
264 * trash all instances in the session-state list
265 * and cause validation to fail.
266 */
267 if (fr_tls_session_pairs_from_x509_cert(&container->vp_group, container,
268 request, cert, conf->verify.der_decode) < 0) {
269 fr_pair_delete_by_da(&request->session_state_pairs, attr_tls_certificate);
270 if (conf->verify.der_decode) {
271 fr_pair_delete_by_da(&request->session_state_pairs, attr_der_certificate);
272 }
273 my_ok = 0;
274 goto done;
275 }
276
277 log_request_pair(L_DBG_LVL_2, request, NULL, container, "session-state.");
278 }
279done:
280 /*
281 * If verification hasn't already failed
282 * and we're meant to verify this cert
283 * then call the virtual server.
284 *
285 * We only call the virtual server for
286 * the certificate at depth 0 as all
287 * other certificate attributes should
288 * have been added by this point.
289 */
290 if (my_ok && (depth == 0)) {
291 if (conf->verify_certificate && tls_session->verify_client_cert) {
292 RDEBUG2("Requesting certificate validation");
293
294 /*
295 * This sets the validation state of the tls_session
296 * so that when we call ASYNC_pause_job(), and execution
297 * jumps back to tls_session_async_handshake_cont
298 * (just under SSL_read())
299 * the code there knows what job it needs to push onto
300 * the unlang stack.
301 */
302 fr_tls_verify_cert_request(tls_session, SSL_session_reused(tls_session->ssl));
303
304 /*
305 * Jumps back to SSL_read() in session.c
306 *
307 * Be aware that if the request is cancelled
308 * whatever was meant to be done during the
309 * time we yielded may not have been completed.
310 */
311 ASYNC_pause_job();
312
313 /*
314 * Just try and bail out as quickly as possible.
315 */
316 if (unlang_request_is_cancelled(request)) {
317 X509_STORE_CTX_set_error(x509_ctx, 0);
318 fr_tls_verify_cert_reset(tls_session);
319 return 1;
320 }
321
322
323 /*
324 * If we couldn't validate the certificate
325 * then validation overall fails.
326 */
327 if (!fr_tls_verify_cert_result(tls_session)) {
328 REDEBUG("Certificate validation failed");
329 my_ok = 0;
330 X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
331 }
332 }
333 }
334
335 tls_session->client_cert_ok = (my_ok > 0);
336 RDEBUG2("[verify] = %s", my_ok ? "ok" : "invalid");
337
338 return my_ok;
339}
340DIAG_ON(used-but-marked-unused)
341DIAG_ON(DIAG_UNKNOWN_PRAGMAS)
342
343/** Revalidates the client's certificate chain
344 *
345 * Wraps the fr_tls_verify_cert_cb callback, allowing us to use the same
346 * validation logic whenever we need to.
347 *
348 * @note Only use so far is forcing the chain to be re-validated on session
349 * resumption.
350 *
351 * @return
352 * - 1 if the chain could be validated.
353 * - 0 if the chain failed validation.
354 */
355int fr_tls_verify_cert_chain(request_t *request, SSL *ssl)
356{
357 int err;
358 int verify;
359 int ret = 1;
360
361 SSL_CTX *ssl_ctx;
362 STACK_OF(X509) *chain;
363 X509 *cert;
364 X509_STORE *store;
365 X509_STORE_CTX *store_ctx;
366
367 /*
368 * If there's no client certificate, we just return OK.
369 */
370 cert = SSL_get0_peer_certificate(ssl); /* Does not increase ref count */
371 if (!cert) return 1;
372
373 ssl_ctx = SSL_get_SSL_CTX(ssl);
374 store_ctx = X509_STORE_CTX_new();
375 chain = SSL_get_peer_cert_chain(ssl); /* Does not increase ref count */
376 store = SSL_CTX_get_ex_data(ssl_ctx, FR_TLS_EX_CTX_INDEX_VERIFY_STORE); /* Gets the verification store */
377
378 /*
379 * This sets up a store_ctx for doing peer certificate verification.
380 *
381 * store_ctx - Is the ctx to initialise
382 * store - Is an X509_STORE of implicitly
383 * trusted certificates. Here we're using
384 * the verify store that was created when we
385 * allocated the SSL_CTX.
386 * cert - Is the certificate to validate.
387 * chain - Is any other certificates the peer provided
388 * us in order to build a chain from a trusted
389 * root or intermediary to its leaf (cert).
390 *
391 * Note: SSL_CTX_get_cert_store() returns the ctx->cert_store, which
392 * is not the same as the verification cert store.
393 */
394 X509_STORE_CTX_init(store_ctx, store, cert, chain);
395 X509_STORE_CTX_set_ex_data(store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), ssl);
396 X509_STORE_CTX_set_verify_cb(store_ctx, fr_tls_verify_cert_cb);
397
398 verify = X509_verify_cert(store_ctx);
399 if (verify != 1) {
400 err = X509_STORE_CTX_get_error(store_ctx);
401
402 if (err != X509_V_OK) {
403 REDEBUG("Failed re-validating resumed session: %s", X509_verify_cert_error_string(err));
404 ret = 0;
405 }
406 }
407
408 X509_STORE_CTX_free(store_ctx);
409
410 return ret;
411}
412
413/** Process the result of `verify certificate { ... }`
414 *
415 */
416static unlang_action_t tls_verify_client_cert_result(request_t *request, void *uctx)
417{
418 fr_tls_session_t *tls_session = talloc_get_type_abort(uctx, fr_tls_session_t);
419 fr_pair_t *vp, *next;
420
421 fr_assert(tls_session->validate.state == FR_TLS_VALIDATION_REQUESTED);
422
423 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_tls_packet_type);
424 if (!vp || (vp->vp_uint32 != enum_tls_packet_type_success->vb_uint32)) {
425 REDEBUG("Failed (re-)validating certificates");
426
427 /*
428 * Hoist any instances of Module-Failure-Message from the subrequest
429 * so they can be used for logging failures.
430 */
431 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_module_failure_message);
432 while (vp && request->parent) {
433 next = fr_pair_find_by_da(&request->request_pairs, vp, attr_module_failure_message);
434 fr_pair_remove(&request->request_pairs, vp);
435 fr_pair_steal_append(request->parent->request_ctx, &request->parent->request_pairs, vp);
436 vp = next;
437 }
438
439 tls_session->validate.state = FR_TLS_VALIDATION_FAILED;
440 return UNLANG_ACTION_CALCULATE_RESULT;
441 }
442
443 tls_session->validate.state = FR_TLS_VALIDATION_SUCCESS;
444
445 RDEBUG2("Certificates (re-)validated");
446
447 return UNLANG_ACTION_CALCULATE_RESULT;
448}
449
450/** Push a `verify certificate { ... }` call into the current request, using a subrequest
451 *
452 * @param[in] request The current request.
453 * @param[in] tls_session The current TLS session.
454 * @return
455 * - UNLANG_ACTION_CALCULATE_RESULT on noop.
456 * - UNLANG_ACTION_PUSHED_CHILD on success.
457 * - UNLANG_ACTION_FAIL on failure.
458 */
459static unlang_action_t tls_verify_client_cert_push(request_t *request, fr_tls_session_t *tls_session)
460{
461 fr_tls_conf_t *conf = fr_tls_session_conf(tls_session->ssl);
462 request_t *child;
463 fr_pair_t *vp;
464 unlang_action_t ua;
465
466 MEM(child = unlang_subrequest_alloc(request, dict_tls));
467 request = child;
468
469 /*
470 * Add extra pairs to the subrequest
471 */
472 fr_tls_session_extra_pairs_copy_to_child(child, tls_session);
473
474 /*
475 * Setup the child request for loading
476 * session resumption data.
477 */
478 MEM(pair_prepend_request(&vp, attr_tls_packet_type) >= 0);
479 vp->vp_uint32 = enum_tls_packet_type_verify_certificate->vb_uint32;
480
481 /*
482 * Copy certificate pairs to the child session state
483 */
484 vp = NULL;
485 while ((vp = fr_pair_find_by_da(&request->parent->session_state_pairs, vp, attr_tls_certificate))) {
486 fr_pair_append(&request->session_state_pairs, fr_pair_copy(request->session_state_ctx, vp));
487 }
488 if (conf->verify.der_decode) {
489 while ((vp = fr_pair_find_by_da(&request->parent->session_state_pairs, vp, attr_der_certificate))) {
490 fr_pair_append(&request->session_state_pairs, fr_pair_copy(request->session_state_ctx, vp));
491 }
492 }
493
494 MEM(pair_append_request(&vp, attr_tls_session_resumed) >= 0);
495 vp->vp_bool = tls_session->validate.resumed;
496
497 /*
498 * Allocate a child, and set it up to call
499 * the TLS virtual server.
500 */
501 ua = fr_tls_call_push(child, tls_verify_client_cert_result, conf, tls_session, false);
502 if (ua < 0) {
503 PERROR("Failed calling TLS virtual server");
504 talloc_free(child);
505 return UNLANG_ACTION_FAIL;
506 }
507
508 return ua;
509}
510
511/** Clear any previous validation result
512 *
513 * Should be called by the validation requestor to get the result and reset
514 * the validation state.
515 *
516 * @return
517 * - true if the certificate chain was validated.
518 * - false if the certificate chain failed validation.
519 */
520bool fr_tls_verify_cert_result(fr_tls_session_t *tls_session)
521{
522 bool result;
523
524 fr_assert(tls_session->validate.state != FR_TLS_VALIDATION_INIT);
525
526 result = tls_session->validate.state == FR_TLS_VALIDATION_SUCCESS;
527
528 tls_session->validate.state = FR_TLS_VALIDATION_INIT;
529 tls_session->validate.resumed = false;
530
531 return result;
532}
533
534/** Reset the verification state
535 *
536 */
537void fr_tls_verify_cert_reset(fr_tls_session_t *tls_session)
538{
539 tls_session->validate.state = FR_TLS_VALIDATION_INIT;
540 tls_session->validate.resumed = false;
541}
542
543/** Setup a verification request
544 *
545 */
546void fr_tls_verify_cert_request(fr_tls_session_t *tls_session, bool session_resumed)
547{
548 fr_assert(tls_session->validate.state == FR_TLS_VALIDATION_INIT);
549
550 tls_session->validate.state = FR_TLS_VALIDATION_REQUESTED;
551 tls_session->validate.resumed = session_resumed;
552}
553
554/** Push a `verify certificate { ... }` section
555 *
556 * @param[in] request The current request.
557 * @param[in] tls_session The current TLS session.
558 * @return
559 * - UNLANG_ACTION_CALCULATE_RESULT - No pending actions
560 * - UNLANG_ACTION_PUSHED_CHILD - Pending operations to evaluate.
561 */
562unlang_action_t fr_tls_verify_cert_pending_push(request_t *request, fr_tls_session_t *tls_session)
563{
564 if (tls_session->validate.state == FR_TLS_VALIDATION_REQUESTED) {
565 return tls_verify_client_cert_push(request, tls_session);
566 }
567
568 return UNLANG_ACTION_CALCULATE_RESULT;
569}
570#endif /* WITH_TLS */
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
UNLANG_ACTION_FAIL
@ UNLANG_ACTION_FAIL
Encountered an unexpected error.
Definition action.h:36
UNLANG_ACTION_CALCULATE_RESULT
@ UNLANG_ACTION_CALCULATE_RESULT
Calculate a new section rlm_rcode_t value.
Definition action.h:37
store
#define store(_store, _var)
Definition atomic_queue.c:51
DIAG_UNKNOWN_PRAGMAS
#define DIAG_UNKNOWN_PRAGMAS
Definition build.h:479
FALL_THROUGH
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:343
DIAG_ON
#define DIAG_ON(_x)
Definition build.h:481
unlikely
#define unlikely(_x)
Definition build.h:402
DIAG_OFF
#define DIAG_OFF(_x)
Definition build.h:480
fr_cond_assert
#define fr_cond_assert(_x)
Calls panic_action ifndef NDEBUG, else logs error and evaluates to value of _x.
Definition debug.h:141
fr_assert_msg
#define fr_assert_msg(_x, _msg,...)
Calls panic_action ifndef NDEBUG, else logs error and causes the server to exit immediately with code...
Definition debug.h:212
MEM
#define MEM(x)
Definition debug.h:46
err
static fr_slen_t err
Definition dict.h:882
talloc_free
talloc_free(hp)
unlang_request_is_cancelled
bool unlang_request_is_cancelled(request_t const *request)
Return whether a request has been cancelled.
Definition interpret.c:1599
attr_tls_certificate
HIDDEN fr_dict_attr_t const * attr_tls_certificate
Attribute definitions for lib curl.
Definition base.c:36
dict_tls
static fr_dict_t const * dict_tls
Definition base.c:77
attr_module_failure_message
static fr_dict_attr_t const * attr_module_failure_message
Definition log.c:206
log_request_pair
void log_request_pair(fr_log_lvl_t lvl, request_t *request, fr_pair_t const *parent, fr_pair_t const *vp, char const *prefix)
Print a fr_pair_t.
Definition log.c:790
PERROR
#define PERROR(_fmt,...)
Definition log.h:228
REXDENT
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition log.h:455
RDEBUG_ENABLED3
#define RDEBUG_ENABLED3
True if request debug level 1-3 messages are enabled.
Definition log.h:347
RDEBUG3
#define RDEBUG3(fmt,...)
Definition log.h:355
RERROR
#define RERROR(fmt,...)
Definition log.h:310
RINDENT
#define RINDENT()
Indent R* messages by one level.
Definition log.h:442
attr_tls_packet_type
HIDDEN fr_dict_attr_t const * attr_tls_packet_type
attr_tls_session_resumed
HIDDEN fr_dict_attr_t const * attr_tls_session_resumed
enum_tls_packet_type_success
fr_value_box_t const * enum_tls_packet_type_success
attr_der_certificate
HIDDEN fr_dict_attr_t const * attr_der_certificate
enum_tls_packet_type_verify_certificate
fr_value_box_t const * enum_tls_packet_type_verify_certificate
attr_tls_certificate_chain_depth
HIDDEN fr_dict_attr_t const * attr_tls_certificate_chain_depth
L_DBG_LVL_2
@ L_DBG_LVL_2
2nd highest priority debug messages (-xx | -X).
Definition log.h:68
L_DBG
@ L_DBG
Only displayed when debugging is enabled.
Definition log.h:56
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
request_t
Definition merged_model.c:210
used
static size_t used
Definition message_set_test.c:49
depth
static uint8_t depth(fr_minmax_heap_index_t i)
Definition minmax_heap.c:83
fr_pair_count_by_da
unsigned int fr_pair_count_by_da(fr_pair_list_t const *list, fr_dict_attr_t const *da)
Return the number of instances of a given da in the specified list.
Definition pair.c:684
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:707
fr_pair_append
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition pair.c:1352
fr_pair_delete_by_da
int fr_pair_delete_by_da(fr_pair_list_t *list, fr_dict_attr_t const *da)
Delete matching pairs from the specified list.
Definition pair.c:1696
fr_pair_find_by_da_idx
fr_pair_t * fr_pair_find_by_da_idx(fr_pair_list_t const *list, fr_dict_attr_t const *da, unsigned int idx)
Find a pair with a matching da at a given index.
Definition pair.c:755
fr_pair_afrom_da
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:290
fr_pair_steal_append
int fr_pair_steal_append(TALLOC_CTX *list_ctx, fr_pair_list_t *list, fr_pair_t *vp)
Change a vp's talloc ctx and insert it into a new list.
Definition pair.c:562
fr_pair_copy
fr_pair_t * fr_pair_copy(TALLOC_CTX *ctx, fr_pair_t const *vp)
Copy a single valuepair.
Definition pair.c:503
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:37
REDEBUG
#define REDEBUG(fmt,...)
Definition radclient-ng.h:52
RDEBUG_ENABLED2
#define RDEBUG_ENABLED2()
Definition radclient-ng.h:50
RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient-ng.h:54
done
static bool done
Definition radclient.c:80
conf
static rs_t * conf
Definition radsniff.c:52
pair_append_request
#define pair_append_request(_attr, _da)
Allocate and append a fr_pair_t to the request list.
Definition pair.h:37
pair_prepend_request
#define pair_prepend_request(_attr, _da)
Allocate and prepend a fr_pair_t to the request list.
Definition pair.h:77
vp
fr_pair_t * vp
Definition state_machine.c:2287
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
unlang_subrequest_alloc
request_t * unlang_subrequest_alloc(request_t *parent, fr_dict_t const *namespace)
Allocate a subrequest to run through a virtual server at some point in the future.
Definition subrequest.c:302
fr_pair_list_empty
bool fr_pair_list_empty(fr_pair_list_t const *list)
Is a valuepair list empty.
Definition pair_inline.c:124
fr_pair_remove
fr_pair_t * fr_pair_remove(fr_pair_list_t *list, fr_pair_t *vp)
Remove fr_pair_t from a list without freeing.
Definition pair_inline.c:93
fr_pair_find_or_append_by_da
static int fr_pair_find_or_append_by_da(TALLOC_CTX *ctx, fr_pair_t **out, fr_pair_list_t *list, fr_dict_attr_t const *da)
Definition pair.h:540
Generated by   doxygen 1.9.8