/src/freeradius-server/src/lib/tls/base.h

Source
#pragma once
/*
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */
#ifdef WITH_TLS
/**
 * $Id: 6540b52d009f25c94fd946e37ee5799b0dc71820 $
 *
 * @file lib/tls/tls.h
 * @brief Structures and prototypes for TLS wrappers
 *
 * @copyright 2010 Network RADIUS SARL (legal@networkradius.com)
 * @copyright 2016 The FreeRADIUS project
 */
RCSIDH(tls_h, "$Id: 6540b52d009f25c94fd946e37ee5799b0dc71820 $")

#include "openssl_user_macros.h"

#include <freeradius-devel/server/cf_parse.h>
#include <freeradius-devel/server/tmpl.h>
#include <freeradius-devel/unlang/function.h>

#undef HAVE_OPENSSL_OCSP_H

#if 1
#  include <openssl/engine.h>
#endif
#include <openssl/ssl.h>
#include <openssl/err.h>

#include "cache.h"
#include "conf.h"
#include "index.h"
#include "session.h"

#ifdef __cplusplus
extern "C" {
#endif
extern int fr_tls_ex_index_vps;
extern int fr_tls_max_threads;

/** Drain log messages from an OpenSSL bio and print them using the specified logging macro
 *
 * @param _macro Logging macro e.g. RDEBUG.
 * @param _prefix Prefix, should be "" if not used.
 * @param _queue OpenSSL BIO.
 */
#define FR_OPENSSL_DRAIN_LOG_QUEUE(_macro, _prefix, _queue) \
do {\
  char const *_p = NULL, *_q, *_end; \
  size_t _len; \
  _len = BIO_get_mem_data(_queue, &_p); \
  _end = _p + _len; \
  if (!_p) break; \
  while ((_q = memchr(_p, '\n', _end - _p))) { \
    _macro(_prefix "%.*s", (int) (_q - _p), _p); \
    _p = _q + 1; \
  } \
  if (_p != _end) _macro(_prefix "%.*s", (int) (_end - _p), _p); \
  (void) BIO_reset(_queue); \
} while (0)

/** Drain errors from an OpenSSL bio and print print them using the specified logging macro
 *
 * @param _macro Logging macro e.g. RDEBUG.
 * @param _prefix Prefix, should be "" if not used.
 * @param _queue OpenSSL BIO.
 */
#define FR_OPENSSL_DRAIN_ERROR_QUEUE(_macro, _prefix, _queue) \
do {\
  ERR_print_errors(_queue); \
  FR_OPENSSL_DRAIN_LOG_QUEUE(_macro, _prefix, _queue); \
} while (0)

extern conf_parser_t fr_tls_server_config[];
extern conf_parser_t fr_tls_client_config[];

/** Holds the temporary context
 *
 */
extern _Thread_local TALLOC_CTX *ssl_talloc_ctx;

/** Bind any memory allocated by an OpenSSL function to the object it created
 *
 * This is a horrible workaround for OpenSSL memory leaks.  But should always
 * work, unless OpenSSL allocates memory for global structures whilst allocating
 * non-global ones.
 *
 * It is technically threadsafe as ssl_talloc_ctx is thread specific.
 *
 * This should always work so long as OpenSSL does not become talloc aware and
 * so will free the allocated object last, after doing manual cleanups.
 *
 @code{.c}
   FR_OPENSSL_BIND_MEMORY(ctx = SSL_CTX_new(TLS_method()));
   if (!ctx) ..error
 @endcode
 * @param _expr   The call to the OpenSSL function and storage of the
 *      result.
 */
#define FR_OPENSSL_BIND_OBJ_MEMORY(_expr) \
do { \
  void *_nmem; \
  MEM(ssl_talloc_ctx = talloc_init_const(STRINGIFY(_expr))); \
  _nmem = (_expr);\
  if (!_nmem) { \
    TALLOC_FREE(ssl_talloc_ctx); \
  } else { \
    talloc_steal(_nmem, ssl_talloc_ctx); \
  } \
  ssl_talloc_ctx = NULL; \
} while (0)

/** Bind all memory allocated from this point until the next instance of FR_OPENSSL_BIND_MEMORY_END to _obj
 *
 * @param[in] _obj  to bind memory to.
 */
#define FR_OPENSSL_BIND_MEMORY_BEGIN(_obj) \
do { \
  if (fr_cond_assert(!ssl_talloc_ctx && (_obj))) { \
    MEM(ssl_talloc_ctx = talloc_init_const(STRINGIFY(_obj))); \
    talloc_steal(_obj, ssl_talloc_ctx); \
  } \
} while(0)

#define FR_OPENSSL_BIND_MEMORY_END ssl_talloc_ctx = NULL

/*
 *  tls/ctx.c
 */

/** Return the tls config associated with a SSL_CTX
 *
 * @param[in] ssl_ctx to retrieve the configuration from.
 * @return #fr_tls_conf_t associated with the ctx.
 */
static inline fr_tls_conf_t *fr_tls_ctx_conf(SSL_CTX *ssl_ctx)
{
  return talloc_get_type_abort(SSL_CTX_get_ex_data(ssl_ctx, FR_TLS_EX_INDEX_CONF), fr_tls_conf_t);
}

SSL_CTX   *fr_tls_ctx_alloc(fr_tls_conf_t const *conf, bool client);

/*
 *  tls/base.c
 */
int   fr_openssl_thread_init(size_t async_pool_size_init, size_t async_pool_size_max);

int   fr_openssl_init(void);

int   fr_openssl_fips_mode(bool enabled);

void    fr_openssl_free(void);

int   fr_tls_dict_init(void);

void    fr_tls_dict_free(void);

/*
 *  tls/virtual_server.c
 */
unlang_action_t fr_tls_call_push(request_t *child, unlang_function_no_result_t resume,
               fr_tls_conf_t *conf, fr_tls_session_t *tls_session, bool cache_required);

#ifdef __cplusplus
}
#endif
#endif /* WITH_TLS */

Coverage Report

Created: 2026-03-31 06:21

Line	Count	Source
1		#pragma once
2		/*
3		* This program is free software; you can redistribute it and/or modify
4		* it under the terms of the GNU General Public License as published by
5		* the Free Software Foundation; either version 2 of the License, or
6		* (at your option) any later version.
7		*
8		* This program is distributed in the hope that it will be useful,
9		* but WITHOUT ANY WARRANTY; without even the implied warranty of
10		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11		* GNU General Public License for more details.
12		*
13		* You should have received a copy of the GNU General Public License
14		* along with this program; if not, write to the Free Software
15		* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
16		*/
17		#ifdef WITH_TLS
18		/**
19		* $Id: 6540b52d009f25c94fd946e37ee5799b0dc71820 $
20		*
21		* @file lib/tls/tls.h
22		* @brief Structures and prototypes for TLS wrappers
23		*
24		* @copyright 2010 Network RADIUS SARL (legal@networkradius.com)
25		* @copyright 2016 The FreeRADIUS project
26		*/
27		RCSIDH(tls_h, "$Id: 6540b52d009f25c94fd946e37ee5799b0dc71820 $")
28
29		#include "openssl_user_macros.h"
30
31		#include <freeradius-devel/server/cf_parse.h>
32		#include <freeradius-devel/server/tmpl.h>
33		#include <freeradius-devel/unlang/function.h>
34
35		#undef HAVE_OPENSSL_OCSP_H
36
37		#if 1
38		# include <openssl/engine.h>
39		#endif
40		#include <openssl/ssl.h>
41		#include <openssl/err.h>
42
43		#include "cache.h"
44		#include "conf.h"
45		#include "index.h"
46		#include "session.h"
47
48		#ifdef __cplusplus
49		extern "C" {
50		#endif
51		extern int fr_tls_ex_index_vps;
52		extern int fr_tls_max_threads;
53
54		/** Drain log messages from an OpenSSL bio and print them using the specified logging macro
55		*
56		* @param _macro Logging macro e.g. RDEBUG.
57		* @param _prefix Prefix, should be "" if not used.
58		* @param _queue OpenSSL BIO.
59		*/
60		#define FR_OPENSSL_DRAIN_LOG_QUEUE(_macro, _prefix, _queue) \
61		do {\
62		char const _p = NULL, _q, *_end; \
63		size_t _len; \
64		_len = BIO_get_mem_data(_queue, &_p); \
65		_end = _p + _len; \
66		if (!_p) break; \
67		while ((_q = memchr(_p, '\n', _end - _p))) { \
68		_macro(_prefix "%.*s", (int) (_q - _p), _p); \
69		_p = _q + 1; \
70		} \
71		if (_p != _end) _macro(_prefix "%.*s", (int) (_end - _p), _p); \
72		(void) BIO_reset(_queue); \
73		} while (0)
74
75		/** Drain errors from an OpenSSL bio and print print them using the specified logging macro
76		*
77		* @param _macro Logging macro e.g. RDEBUG.
78		* @param _prefix Prefix, should be "" if not used.
79		* @param _queue OpenSSL BIO.
80		*/
81		#define FR_OPENSSL_DRAIN_ERROR_QUEUE(_macro, _prefix, _queue) \
82		do {\
83		ERR_print_errors(_queue); \
84		FR_OPENSSL_DRAIN_LOG_QUEUE(_macro, _prefix, _queue); \
85		} while (0)
86
87		extern conf_parser_t fr_tls_server_config[];
88		extern conf_parser_t fr_tls_client_config[];
89
90		/** Holds the temporary context
91		*
92		*/
93		extern _Thread_local TALLOC_CTX *ssl_talloc_ctx;
94
95		/** Bind any memory allocated by an OpenSSL function to the object it created
96		*
97		* This is a horrible workaround for OpenSSL memory leaks. But should always
98		* work, unless OpenSSL allocates memory for global structures whilst allocating
99		* non-global ones.
100		*
101		* It is technically threadsafe as ssl_talloc_ctx is thread specific.
102		*
103		* This should always work so long as OpenSSL does not become talloc aware and
104		* so will free the allocated object last, after doing manual cleanups.
105		*
106		@code{.c}
107		FR_OPENSSL_BIND_MEMORY(ctx = SSL_CTX_new(TLS_method()));
108		if (!ctx) ..error
109		@endcode
110		* @param _expr The call to the OpenSSL function and storage of the
111		* result.
112		*/
113		#define FR_OPENSSL_BIND_OBJ_MEMORY(_expr) \
114		do { \
115		void *_nmem; \
116		MEM(ssl_talloc_ctx = talloc_init_const(STRINGIFY(_expr))); \
117		_nmem = (_expr);\
118		if (!_nmem) { \
119		TALLOC_FREE(ssl_talloc_ctx); \
120		} else { \
121		talloc_steal(_nmem, ssl_talloc_ctx); \
122		} \
123		ssl_talloc_ctx = NULL; \
124		} while (0)
125
126		/** Bind all memory allocated from this point until the next instance of FR_OPENSSL_BIND_MEMORY_END to _obj
127		*
128		* @param[in] _obj to bind memory to.
129		*/
130		#define FR_OPENSSL_BIND_MEMORY_BEGIN(_obj) \
131		do { \
132		if (fr_cond_assert(!ssl_talloc_ctx && (_obj))) { \
133		MEM(ssl_talloc_ctx = talloc_init_const(STRINGIFY(_obj))); \
134		talloc_steal(_obj, ssl_talloc_ctx); \
135		} \
136		} while(0)
137
138		#define FR_OPENSSL_BIND_MEMORY_END ssl_talloc_ctx = NULL
139
140		/*
141		* tls/ctx.c
142		*/
143
144		/** Return the tls config associated with a SSL_CTX
145		*
146		* @param[in] ssl_ctx to retrieve the configuration from.
147		* @return #fr_tls_conf_t associated with the ctx.
148		*/
149		static inline fr_tls_conf_t fr_tls_ctx_conf(SSL_CTX ssl_ctx)
150	0	{
151		return talloc_get_type_abort(SSL_CTX_get_ex_data(ssl_ctx, FR_TLS_EX_INDEX_CONF), fr_tls_conf_t);
152	0	} Unexecuted instantiation: base.c:fr_tls_ctx_conf Unexecuted instantiation: cache.c:fr_tls_ctx_conf Unexecuted instantiation: conf.c:fr_tls_ctx_conf Unexecuted instantiation: pairs.c:fr_tls_ctx_conf Unexecuted instantiation: session.c:fr_tls_ctx_conf Unexecuted instantiation: strerror.c:fr_tls_ctx_conf Unexecuted instantiation: virtual_server.c:fr_tls_ctx_conf
153
154		SSL_CTX fr_tls_ctx_alloc(fr_tls_conf_t const conf, bool client);
155
156		/*
157		* tls/base.c
158		*/
159		int fr_openssl_thread_init(size_t async_pool_size_init, size_t async_pool_size_max);
160
161		int fr_openssl_init(void);
162
163		int fr_openssl_fips_mode(bool enabled);
164
165		void fr_openssl_free(void);
166
167		int fr_tls_dict_init(void);
168
169		void fr_tls_dict_free(void);
170
171		/*
172		* tls/virtual_server.c
173		*/
174		unlang_action_t fr_tls_call_push(request_t *child, unlang_function_no_result_t resume,
175		fr_tls_conf_t conf, fr_tls_session_t tls_session, bool cache_required);
176
177		#ifdef __cplusplus
178		}
179		#endif
180		#endif /* WITH_TLS */