#ifndef _RLM_EAP_TLS_H
#define _RLM_EAP_TLS_H
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
* For RH 9, which apparently needs this.
#ifndef OPENSSL_NO_KRB5
#define OPENSSL_NO_KRB5
#include <openssl/err.h>
#ifdef HAVE_OPENSSL_ENGINE_H
#include <openssl/engine.h>
#include <openssl/ssl.h>
#endif /* !defined(NO_OPENSSL) */
EAPTLS_INVALID = 0, /* invalid, don't reply */
EAPTLS_REQUEST, /* request, ok to send, invalid to receive */
EAPTLS_RESPONSE, /* response, ok to receive, invalid to send */
EAPTLS_SUCCESS, /* success, send success */
EAPTLS_FAIL, /* fail, send fail */
EAPTLS_NOOP, /* noop, continue */
EAPTLS_START, /* start, ok to send, invalid to receive */
EAPTLS_OK, /* ok, continue */
EAPTLS_ACK, /* acknowledge, continue */
EAPTLS_FIRST_FRAGMENT, /* first fragment */
EAPTLS_MORE_FRAGMENTS, /* more fragments, to send/receive */
EAPTLS_LENGTH_INCLUDED, /* length included */
EAPTLS_MORE_FRAGMENTS_WITH_LENGTH, /* more fragments with length */
EAPTLS_HANDLED /* tls code has handled it */
#define MAX_RECORD_SIZE 16384
* A single TLS record may be up to 16384 octets in length, but a
* TLS message may span multiple TLS records, and a TLS
* certificate message may in principle be as long as 16MB.
* However, note that in order to protect against reassembly
* lockup and denial of service attacks, it may be desirable for
* an implementation to set a maximum size for one such group of
* The TLS Message Length field is four octets, and provides the
* total length of the TLS message or set of messages that is
* being fragmented; this simplifies buffer allocation.
* FIXME: Dynamic allocation of buffer to overcome MAX_RECORD_SIZE overflows.
* or configure TLS not to exceed MAX_RECORD_SIZE.
typedef struct _record_t {
unsigned char data[MAX_RECORD_SIZE];
typedef struct _tls_info_t {
unsigned char origin;
unsigned char content_type;
unsigned char handshake_type;
unsigned char alert_level;
unsigned char alert_description;
char info_description[256];
* tls_session_t Structure gets stored as opaque in EAP_HANDLER
* This contains EAP-REQUEST specific data
* (ie EAPTLS_DATA(fragment), EAPTLS-ALERT, EAPTLS-REQUEST ...)
* clean_in - data that needs to be sent but only after it is soiled.
* dirty_in - data EAP server receives.
* clean_out - data that is cleaned after receiving.
* dirty_out - data EAP server sends.
* offset - current fragment size transmitted
* fragment - Flag, In fragment mode or not.
* tls_msg_len - Actual/Total TLS message length.
* length_flag - A flag to include length in every TLS Data/Alert packet
* if set to no then only the first fragment contains length
typedef struct _tls_session_t {
* Framed-MTU attribute in RADIUS,
* if present, can also be used to set this
unsigned int tls_msg_len;
* Used by TTLS & PEAP to keep track of other per-session
void (*free_opaque)(void *opaque);
* Externally exported TLS functions.
eaptls_status_t eaptls_process(EAP_HANDLER *handler);
int eaptls_success(EAP_DS *eap_ds, int peap_flag);
int eaptls_fail(EAP_DS *eap_ds, int peap_flag);
int eaptls_request(EAP_DS *eap_ds, tls_session_t *ssn);
/* MPPE key generation */
void eaptls_gen_mppe_keys(VALUE_PAIR **reply_vps, SSL *s,
const char *prf_label);
void eapttls_gen_challenge(SSL *s, char *buffer, int size);
/* configured values goes right here */
typedef struct eap_tls_conf {
char *private_key_password;
char *private_key_file;
char *certificate_file;
* Always < 4096 (due to the RADIUS limit); 0 (the default) means 2048
char *check_cert_issuer;
/* This structure gets stored in arg */
typedef struct _eap_tls_t {
#endif /* _RLM_EAP_TLS_H */