6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Copyright 2001 hereUare Communications, Inc. <raghud@hereuare.com>
21 * Copyright 2003 Alan DeKok <aland@freeradius.org>
23 #ifndef _RLM_EAP_TLS_H
24 #define _RLM_EAP_TLS_H
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <netinet/in.h>
33 #include <netinet/tcp.h>
40 #include <arpa/inet.h>
54 * For RH 9, which apparently needs this.
56 #ifndef OPENSSL_NO_KRB5
57 #define OPENSSL_NO_KRB5
59 #include <openssl/err.h>
60 #ifdef HAVE_OPENSSL_ENGINE_H
61 #include <openssl/engine.h>
63 #include <openssl/ssl.h>
64 #endif /* !defined(NO_OPENSSL) */
69 EAPTLS_INVALID = 0, /* invalid, don't reply */
70 EAPTLS_REQUEST, /* request, ok to send, invalid to receive */
71 EAPTLS_RESPONSE, /* response, ok to receive, invalid to send */
72 EAPTLS_SUCCESS, /* success, send success */
73 EAPTLS_FAIL, /* fail, send fail */
74 EAPTLS_NOOP, /* noop, continue */
76 EAPTLS_START, /* start, ok to send, invalid to receive */
77 EAPTLS_OK, /* ok, continue */
78 EAPTLS_ACK, /* acknowledge, continue */
79 EAPTLS_FIRST_FRAGMENT, /* first fragment */
80 EAPTLS_MORE_FRAGMENTS, /* more fragments, to send/receive */
81 EAPTLS_LENGTH_INCLUDED, /* length included */
82 EAPTLS_MORE_FRAGMENTS_WITH_LENGTH, /* more fragments with length */
83 EAPTLS_HANDLED /* tls code has handled it */
86 #define MAX_RECORD_SIZE 16384
89 * A single TLS record may be up to 16384 octets in length, but a
90 * TLS message may span multiple TLS records, and a TLS
91 * certificate message may in principle be as long as 16MB.
93 * However, note that in order to protect against reassembly
94 * lockup and denial of service attacks, it may be desirable for
95 * an implementation to set a maximum size for one such group of
98 * The TLS Message Length field is four octets, and provides the
99 * total length of the TLS message or set of messages that is
100 * being fragmented; this simplifies buffer allocation.
104 * FIXME: dynamically allocate the buffer to overcome MAX_RECORD_SIZE overflows,
105 * or configure TLS not to exceed MAX_RECORD_SIZE.  Until then, whatever reassembles fragments into record_t.data must check both the advertised TLS message length and the running offset against MAX_RECORD_SIZE before every copy, and reject an oversized message rather than truncating it.
107 typedef struct _record_t {
108 unsigned char data[MAX_RECORD_SIZE];
112 typedef struct _tls_info_t {
113 unsigned char origin;
114 unsigned char content_type;
115 unsigned char handshake_type;
116 unsigned char alert_level;
117 unsigned char alert_description;
118 char info_description[256];
125 * The tls_session_t structure is stored as opaque data in EAP_HANDLER.
126 * It contains EAP-REQUEST specific data
127 * (i.e. EAPTLS_DATA (fragment), EAPTLS-ALERT, EAPTLS-REQUEST ...).
129 * clean_in - data that needs to be sent, but only after it has been soiled (i.e. encrypted).
130 * dirty_in - data the EAP server receives.
131 * clean_out - data that has been cleaned (i.e. decrypted) after receiving.
132 * dirty_out - data the EAP server sends.
133 * offset - current fragment size transmitted
134 * fragment - Flag, In fragment mode or not.
135 * tls_msg_len - Actual/Total TLS message length.
136 * length_flag - A flag to include the length in every TLS Data/Alert packet;
137 * if set to no, then only the first fragment contains the length.
139 typedef struct _tls_session_t {
151 * Framed-MTU attribute in RADIUS,
152 * if present, can also be used to set this
155 unsigned int tls_msg_len;
161 * Used by TTLS & PEAP to keep track of other per-session
165 void (*free_opaque)(void *opaque);
170 * Externally exported TLS functions.
/*
 * Drive the EAP-TLS exchange for the request held in handler.  The result
 * is one of the eaptls_status_t values declared above (EAPTLS_SUCCESS,
 * EAPTLS_FAIL, EAPTLS_HANDLED, ...); the caller acts on that status.
 */
172 eaptls_status_t eaptls_process(EAP_HANDLER *handler);
/*
 * Presumably build the EAP-Success / EAP-Failure reply into eap_ds (inferred
 * from the names -- confirm in the implementation).  peap_flag is a plain
 * int; NOTE(review): looks like a boolean selecting PEAP-specific framing.
 * The int return convention is not visible here.
 */
174 int eaptls_success(EAP_DS *eap_ds, int peap_flag);
175 int eaptls_fail(EAP_DS *eap_ds, int peap_flag);
/*
 * Build the next EAP-TLS request into eap_ds from the session ssn
 * (presumably the next fragment of ssn's outgoing data -- verify against
 * the implementation).
 */
176 int eaptls_request(EAP_DS *eap_ds, tls_session_t *ssn);
179 /* MPPE key generation */
/*
 * Derive MPPE key material from the TLS session s using prf_label and add
 * it to the *reply_vps list (inferred from the names -- confirm).  Any
 * intermediate key buffers should be zeroized by the implementation.
 */
180 void eaptls_gen_mppe_keys(VALUE_PAIR **reply_vps, SSL *s,
181 const char *prf_label);
/*
 * Write a TTLS challenge derived from session s into buffer.  size is a
 * signed int; presumably the caller's buffer capacity -- the implementation
 * must treat it as a hard bound and callers must not pass a negative value.
 */
182 void eapttls_gen_challenge(SSL *s, char *buffer, int size);
184 #endif /* _RLM_EAP_TLS_H */