/*
* Attach the EAP-TLS module.
*/
static int eaptls_attach(CONF_SECTION *cs, void **instance)
{
EAP_TLS_CONF *conf;
eap_tls_t *inst;
/* Store all these values in the data structure for later references */
inst = (eap_tls_t *)malloc(sizeof(*inst));
if (!inst) {
radlog(L_ERR, "rlm_eap_tls: out of memory");
return -1;
}
memset(inst, 0, sizeof(*inst));
/*
* Parse the config file & get all the configured values
*/
conf = (EAP_TLS_CONF *)malloc(sizeof(*conf));
if (conf == NULL) {
radlog(L_ERR, "rlm_eap_tls: out of memory");
return -1;
}
memset(conf, 0, sizeof(*conf));
inst->conf = conf;
if (cf_section_parse(cs, conf, module_config) < 0) {
eaptls_detach(inst);
return -1;
}
/*
* Initialize TLS
*/
inst->ctx = init_tls_ctx(conf);
if (inst->ctx == NULL) {
eaptls_detach(inst);
return -1;
}
if (load_dh_params(inst->ctx, conf->dh_file) < 0) {
eaptls_detach(inst);
return -1;
}
if (generate_eph_rsa_key(inst->ctx) < 0) {
eaptls_detach(inst);
return -1;
}
*instance = inst;
return 0;
}
/*
* Attach the EAP-TLS module.
*/
static int eaptls_attach(CONF_SECTION *cs, void **instance)
{
EAP_TLS_CONF *conf;
eap_tls_t *inst;
/* Store all these values in the data structure for later references */
inst = (eap_tls_t *)malloc(sizeof(*inst));
if (!inst) {
radlog(L_ERR, "rlm_eap_tls: out of memory");
return -1;
}
memset(inst, 0, sizeof(*inst));
/*
* Parse the config file & get all the configured values
*/
conf = (EAP_TLS_CONF *)malloc(sizeof(*conf));
if (conf == NULL) {
free(inst);
radlog(L_ERR, "rlm_eap_tls: out of memory");
return -1;
}
memset(conf, 0, sizeof(*conf));
inst->conf = conf;
if (cf_section_parse(cs, conf, module_config) < 0) {
eaptls_detach(inst);
return -1;
}
/*
* The EAP RFC's say 1020, but we're less picky.
*/
if (conf->fragment_size < 100) {
radlog(L_ERR, "rlm_eap_tls: Fragment size is too small.");
eaptls_detach(inst);
return -1;
}
/*
* The maximum size for a RADIUS packet is 4096,
* minus the header (20), Message-Authenticator (18),
* and State (18), etc. results in about 4000 bytes of data
* that can be devoted *solely* to EAP.
*/
if (conf->fragment_size > 4000) {
radlog(L_ERR, "rlm_eap_tls: Fragment size is too large.");
eaptls_detach(inst);
return -1;
}
/*
* Account for the EAP header (4), and the EAP-TLS header
* (6), as per Section 4.2 of RFC 2716. What's left is
* the maximum amount of data we read from a TLS buffer.
*/
conf->fragment_size -= 10;
/*
* This magic makes the administrators life HUGELY easier
* on initial deployments.
*
* If the server starts up in debugging mode, AND the
* bootstrap command is configured, AND it exists, AND
* there is no server certificate
*/
if (conf->make_cert_command && (debug_flag >= 2)) {
struct stat buf;
if ((stat(conf->make_cert_command, &buf) == 0) &&
(stat(conf->certificate_file, &buf) < 0) &&
(errno == ENOENT) &&
(radius_exec_program(conf->make_cert_command, NULL, 1,
NULL, 0, NULL, NULL, 0) != 0)) {
eaptls_detach(inst);
return -1;
}
}
/*
* Initialize TLS
*/
inst->ctx = init_tls_ctx(conf);
if (inst->ctx == NULL) {
eaptls_detach(inst);
return -1;
}
#ifdef HAVE_OPENSSL_OCSP_H
/*
* Initialize OCSP Revocation Store
*/
if (conf->ocsp_enable) {
inst->store = init_revocation_store(conf);
if (inst->store == NULL) {
eaptls_detach(inst);
return -1;
}
}
#endif HAVE_OPENSSL_OCSP_H
if (load_dh_params(inst->ctx, conf->dh_file) < 0) {
eaptls_detach(inst);
return -1;
}
if (generate_eph_rsa_key(inst->ctx) < 0) {
eaptls_detach(inst);
return -1;
}
if (conf->verify_tmp_dir) {
if (chmod(conf->verify_tmp_dir, S_IRWXU) < 0) {
radlog(L_ERR, "rlm_eap_tls: Failed changing permissions on %s: %s", conf->verify_tmp_dir, strerror(errno));
eaptls_detach(inst);
return -1;
}
}
if (conf->verify_client_cert_cmd && !conf->verify_tmp_dir) {
radlog(L_ERR, "rlm_eap_tls: You MUST set the verify directory in order to use verify_client_cmd");
eaptls_detach(inst);
return -1;
}
*instance = inst;
return 0;
}
