6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Copyright 2001 hereUare Communications, Inc. <raghud@hereuare.com>
21 * Copyright 2003 Alan DeKok <aland@freeradius.org>
26 #include "rlm_eap_tls.h"
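/*
 *	Scratch buffer size and the EAP-TLS packet codes used by the
 *	state machine.
 */
#define BUFFER_SIZE 1024

#define EAP_TLS_START 1
#define EAP_TLS_SUCCESS 3
#define EAP_TLS_FAIL 4
#define EAP_TLS_ALERT 9

/* Flags octet plus the optional four-octet TLS Message Length field. */
#define TLS_HEADER_LEN 4

/*
 *	RFC 2716, Section 4.2:
 *
 *	Bits of the EAP-TLS flags octet.  L (0x80) means the four-octet
 *	TLS Message Length field is present, M (0x40) means more
 *	fragments follow, S (0x20) marks an EAP-TLS Start message.
 *	The TLS_* predicates test one bit; the SET_* macros return the
 *	flags value with that bit added.
 */
#define TLS_START(x) (((x) & 0x20) != 0)
#define TLS_MORE_FRAGMENTS(x) (((x) & 0x40) != 0)
#define TLS_LENGTH_INCLUDED(x) (((x) & 0x80) != 0)

/*
 *	TLS record-layer content types (RFC 2246, Section 6.2.1):
 *	change_cipher_spec = 20 (0x14), alert = 21 (0x15),
 *	handshake = 22 (0x16), application_data = 23 (0x17).
 *
 *	These must be exact comparisons.  The earlier mask form
 *	(((x) & 0x16) == 0x16) is satisfied by any value whose bits are a
 *	superset, so every one of the three predicates also matched an
 *	application_data record (0x17) and TLS_CHANGE_CIPHER_SPEC matched
 *	a handshake record (0x16) — a caller relying on them would
 *	misclassify records.
 */
#define TLS_CHANGE_CIPHER_SPEC(x) ((x) == 0x14)
#define TLS_ALERT(x) ((x) == 0x15)
#define TLS_HANDSHAKE(x) ((x) == 0x16)

#define SET_START(x) ((x) | (0x20))
#define SET_MORE_FRAGMENTS(x) ((x) | (0x40))
#define SET_LENGTH_INCLUDED(x) ((x) | (0x80))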
67 * Following enums from rfc2246
69 * Hmm... since we depend on OpenSSL, it would be smarter to
70 * use the OpenSSL names for these.
73 change_cipher_spec = 20,
84 enum AlertDescription {
86 unexpected_message = 10,
88 decryption_failed = 21,
90 decompression_failure = 30,
91 handshake_failure = 40,
93 unsupported_certificate = 43,
94 certificate_revoked = 44,
95 certificate_expired = 45,
96 certificate_unknown = 46,
97 illegal_parameter = 47,
102 export_restriction = 60,
103 protocol_version = 70,
104 insufficient_security = 71,
107 no_renegotiation = 100
115 server_key_exchange = 12,
116 certificate_request = 13,
117 server_hello_done = 14,
118 certificate_verify = 15,
119 client_key_exchange = 16,
138 The L bit (length included) is set to indicate the presence of the
139 four octet TLS Message Length field, and MUST be set for the first
140 fragment of a fragmented TLS message or set of messages. The M bit
141 (more fragments) is set on all but the last fragment. The S bit
142 (EAP-TLS start) is set in an EAP-TLS Start message. This
143 differentiates the EAP-TLS Start message from a fragment
148 The TLS Message Length field is four octets, and is present only
149 if the L bit is set. This field provides the total length of the
150 TLS message or set of messages that is being fragmented.
154 The TLS data consists of the encapsulated TLS packet in TLS record
157 * The data structures present here
158 * map only to the typedata in the EAP packet
160 * Based on the L bit flag, first 4 bytes of data indicate the length
162 typedef struct tls_packet_t {
167 typedef struct tls_packet {
175 //uint8_t *packet; /* Wired EAP-TLS packet as found in typedata of EAP_PACKET */
179 /* configured values goes right here */
180 typedef struct eap_tls_conf {
181 char *private_key_password;
182 char *private_key_file;
183 char *certificate_file;
198 * Always < 4096 (due to the RADIUS limit); the default is 0, which means 2048
205 /* This structure gets stored in arg */
206 typedef struct _eap_tls_t {
/* EAP-TLS framework */

/*
 *	Allocate an EAPTLS_PACKET.  The caller owns the result and is
 *	expected to release it with eaptls_free().
 *	NOTE(review): whether NULL is returned on allocation failure is
 *	not visible here — confirm against the definition before relying
 *	on it.
 */
EAPTLS_PACKET *eaptls_alloc(void);

/*
 *	Free a packet obtained from eaptls_alloc().  Takes the address of
 *	the caller's pointer, presumably so that pointer can be reset
 *	after the free (guarding against reuse of a freed packet) — verify
 *	in the definition.
 */
void eaptls_free(EAPTLS_PACKET **eaptls_packet_ptr);

/*
 *	Begin an EAP-TLS conversation on eap_ds.  The peap argument is an
 *	int flag; from the name it selects PEAP behaviour, but its exact
 *	meaning and the return-value convention are not visible here.
 */
int eaptls_start(EAP_DS *eap_ds, int peap);

/*
 *	Encode reply into the EAP-TLS response carried by eap_ds.
 *	Returns an int status; the convention is defined elsewhere.
 */
int eaptls_compose(EAP_DS *eap_ds, EAPTLS_PACKET *reply);
/*
 *	OpenSSL callbacks.  Each signature below matches the callback type
 *	OpenSSL expects for the corresponding SSL_CTX_set_* registration;
 *	the argument semantics described are OpenSSL's, not this module's.
 */

/*
 *	Passphrase callback (OpenSSL pem_password_cb shape).  Copies the
 *	private-key passphrase into buf, which holds at most num bytes,
 *	and returns the number of bytes written.  rwflag is non-zero when
 *	the key is being written rather than read; userdata is the opaque
 *	pointer registered alongside the callback.  The passphrase is a
 *	secret: writes must stay within num, and it must never be logged.
 */
int cbtls_password(char *buf, int num, int rwflag, void *userdata);

/*
 *	Connection state callback (SSL_CTX_set_info_callback shape).
 *	where is a bitmask of OpenSSL SSL_CB_* state flags and ret the
 *	return value of the call that triggered the callback.
 */
void cbtls_info(const SSL *s, int where, int ret);

/*
 *	Certificate verification callback (OpenSSL verify_callback shape).
 *	ok is OpenSSL's own verdict for the certificate at the current
 *	chain depth.  A non-zero return accepts that certificate, so
 *	returning 1 when ok == 0 overrides a chain-verification failure;
 *	the implementation must only do that deliberately and visibly.
 */
int cbtls_verify(int ok, X509_STORE_CTX *ctx);

/*
 *	Protocol message callback (SSL_CTX_set_msg_callback shape).
 *	write_p is non-zero for outgoing messages, content_type the TLS
 *	record content type, and buf/len the message bytes; arg is the
 *	opaque pointer registered with OpenSSL.
 */
void cbtls_msg(int write_p, int msg_version, int content_type,
	       const void *buf, size_t len, SSL *ssl, void *arg);

/*
 *	Temporary RSA key callback (SSL_CTX_set_tmp_rsa_callback shape),
 *	used by OpenSSL for export cipher suites: is_export is non-zero
 *	for such a suite and keylength the requested key size.
 *	NOTE(review): export-grade keys are short by definition; confirm
 *	export suites are disabled in the configured cipher list so this
 *	callback is never the only protection in use.
 */
RSA *cbtls_rsa(SSL *s, int is_export, int keylength);
/*
 *	Create a tls_session_t bound to ssl_ctx.  client_cert is an int
 *	flag; by its name it controls whether a client certificate is
 *	requested, but the exact meaning is defined elsewhere.  The
 *	caller presumably owns the result and releases it via
 *	session_free() — verify.
 */
tls_session_t *eaptls_new_session(SSL_CTX *ssl_ctx, int client_cert);

/*
 *	Drive the TLS handshake on ssn: _recv feeds received handshake
 *	data into the session, _send produces the next outgoing data.
 *	Both return an int status whose convention is not visible here.
 */
int tls_handshake_recv(tls_session_t *ssn);
int tls_handshake_send(tls_session_t *ssn);

/*
 *	Report details of tls_session (by name, a logging/debug helper;
 *	what is printed is defined elsewhere).
 */
void tls_session_information(tls_session_t *tls_session);
/*
 *	Session lifecycle.
 *
 *	session_free takes void * rather than tls_session_t *, presumably
 *	so it can be registered as a generic destructor — the definition
 *	is expected to cast and release the session, including any key
 *	material it holds.  session_close tears down the connection state
 *	and session_init resets a tls_session_t before use; the precise
 *	split between them is defined elsewhere.
 */
void session_free(void *ssn);
void session_close(tls_session_t *ssn);
void session_init(tls_session_t *ssn);
/*
 *	Record buffer lifecycle: record_init prepares buf for use and
 *	record_close releases whatever it holds.  Pair every record_init
 *	with a record_close on all exit paths.
 */
void record_init(record_t *buf);
void record_close(record_t *buf);
240 unsigned int record_plus(record_t *buf, const unsigned char *ptr,
242 unsigned int record_minus(record_t *buf, unsigned char *ptr,
244 #endif /*_EAP_TLS_H*/