/* See the file COPYING for licensing information. */
+#if defined HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include <freeradius/libradius.h>
#include <event2/event.h>
#include <event2/bufferevent.h>
+#if defined RS_ENABLE_TLS
+#include <event2/bufferevent_ssl.h>
+#include <openssl/err.h>
+#endif
#include <radsec/radsec.h>
#include <radsec/radsec-impl.h>
+#include "tls.h"
#if defined DEBUG
#include <netdb.h>
#include <sys/socket.h>
#endif
static int
-_packet_create (struct rs_connection *conn, struct rs_packet **pkt_out)
-{
- struct rs_packet *p;
- RADIUS_PACKET *rpkt;
-
- *pkt_out = NULL;
-
- rpkt = rad_alloc (1);
- if (!rpkt)
- return rs_err_conn_push (conn, RSE_NOMEM, __func__);
- rpkt->id = conn->nextid++;
-
- p = (struct rs_packet *) malloc (sizeof (struct rs_packet));
- if (!p)
- {
- rad_free (&rpkt);
- return rs_err_conn_push (conn, RSE_NOMEM, __func__);
- }
- memset (p, 0, sizeof (struct rs_packet));
- p->conn = conn;
- p->rpkt = rpkt;
-
- *pkt_out = p;
- return RSE_OK;
-}
-
-static int
_do_send (struct rs_packet *pkt)
{
int err;
+ VALUE_PAIR *vp;
+
+ assert (pkt->rpkt);
+ assert (!pkt->original);
+
+ vp = paircreate (PW_MESSAGE_AUTHENTICATOR, PW_TYPE_OCTETS);
+ if (!vp)
+ return rs_err_conn_push_fl (pkt->conn, RSE_NOMEM, __FILE__, __LINE__,
+ "paircreate: %s", fr_strerror ());
+ pairadd (&pkt->rpkt->vps, vp);
if (rad_encode (pkt->rpkt, NULL, pkt->conn->active_peer->secret))
return rs_err_conn_push_fl (pkt->conn, RSE_FR, __FILE__, __LINE__,
if (rad_sign (pkt->rpkt, NULL, pkt->conn->active_peer->secret))
return rs_err_conn_push_fl (pkt->conn, RSE_FR, __FILE__, __LINE__,
"rad_sign: %s", fr_strerror ());
- assert (pkt->rpkt);
#if defined (DEBUG)
{
char host[80], serv[80];
struct rs_packet *pkt = (struct rs_packet *)ctx;
struct rs_connection *conn;
struct rs_peer *p;
- int err;
+#if defined RS_ENABLE_TLS
+ unsigned long err;
+#endif
assert (pkt);
assert (pkt->conn);
p->is_connected = 1;
if (conn->callbacks.connected_cb)
conn->callbacks.connected_cb (conn->user_data);
-
#if defined (DEBUG)
fprintf (stderr, "%s: connected\n", __func__);
#endif
/* Packet will be freed in write callback. */
}
else if (events & BEV_EVENT_ERROR)
- rs_err_conn_push_fl (pkt->conn, RSE_CONNERR, __FILE__, __LINE__, NULL);
+ {
+#if defined RS_ENABLE_TLS
+ if (conn->tls_ssl) /* FIXME: correct check? */
+ {
+ for (err = bufferevent_get_openssl_error (conn->bev);
+ err;
+ err = bufferevent_get_openssl_error (conn->bev))
+ {
+ fprintf (stderr, "%s: openssl error: %s\n", __func__,
+ ERR_error_string (err, NULL)); /* DEBUG, until verified that pushed errors will actually be handled */
+ rs_err_conn_push_fl (pkt->conn, RSE_SSLERR, __FILE__, __LINE__,
+ "%d", err);
+ }
+ }
+#endif /* RS_ENABLE_TLS */
+ rs_err_conn_push_fl (pkt->conn, RSE_CONNERR, __FILE__, __LINE__, NULL);
+ fprintf (stderr, "%s: BEV_EVENT_ERROR\n", __func__); /* DEBUG, until verified that pushed errors will actually be handled */
+ }
}
static void
#endif
if (event_base_loopbreak (pkt->conn->evb) < 0)
abort (); /* FIXME */
- rs_packet_destroy (pkt);
+ if (!pkt->conn->callbacks.sent_cb) /* Callback owns the packet now. */
+ rs_packet_destroy (pkt);
}
static void
_read_cb (struct bufferevent *bev, void *ctx)
{
- struct rs_packet *pkt = (struct rs_packet *) ctx;
+ struct rs_packet *pkt = (struct rs_packet *)ctx;
size_t n;
assert (pkt);
assert (pkt->conn);
+
+ pkt->rpkt->sockfd = pkt->conn->active_peer->fd; /* FIXME: Why? */
+ pkt->rpkt->vps = NULL; /* FIXME: Why? */
+
if (!pkt->hdr_read_flag)
{
n = bufferevent_read (pkt->conn->bev, pkt->hdr, RS_HEADER_LEN);
#endif
if (!rad_packet_ok (pkt->rpkt, 0) != 0)
return;
- if (rad_decode (pkt->rpkt, NULL, pkt->conn->active_peer->secret) != 0)
- return;
+ assert (pkt->original);
+
+ /* Verify header and message authenticator. */
+ if (rad_verify (pkt->rpkt, pkt->original->rpkt,
+ pkt->conn->active_peer->secret))
+ {
+ rs_err_conn_push_fl (pkt->conn, RSE_FR, __FILE__, __LINE__,
+ "rad_verify: %s", fr_strerror ());
+ return;
+ }
+
+ /* Decode and decrypt. */
+ if (rad_decode (pkt->rpkt, pkt->original->rpkt,
+ pkt->conn->active_peer->secret))
+ {
+ rs_err_conn_push_fl (pkt->conn, RSE_FR, __FILE__, __LINE__,
+ "rad_decode: %s", fr_strerror ());
+ return;
+ }
if (pkt->conn->callbacks.received_cb)
- pkt->conn->callbacks.received_cb(pkt, pkt->conn->user_data);
+ pkt->conn->callbacks.received_cb (pkt, pkt->conn->user_data);
if (event_base_loopbreak (pkt->conn->evb) < 0)
abort (); /* FIXME */
static int
_init_bev (struct rs_connection *conn, struct rs_peer *peer)
{
- if (!conn->bev)
+ if (conn->bev)
+ return RSE_OK;
+
+ switch (conn->type)
{
+ case RS_CONN_TYPE_UDP:
+ case RS_CONN_TYPE_TCP:
conn->bev = bufferevent_socket_new (conn->evb, peer->fd, 0);
if (!conn->bev)
return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__,
"bufferevent_socket_new");
+ break;
+#if defined RS_ENABLE_TLS
+ case RS_CONN_TYPE_TLS:
+ if (rs_tls_init (conn))
+ return -1;
+ /* Would be convenient to pass BEV_OPT_CLOSE_ON_FREE but things
+ seem to break when be_openssl_ctrl() (in libevent) calls
+ SSL_set_bio() after BIO_new_socket() with flag=1. */
+ conn->bev =
+ bufferevent_openssl_socket_new (conn->evb, peer->fd, conn->tls_ssl,
+ BUFFEREVENT_SSL_CONNECTING, 0);
+ if (!conn->bev)
+ return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__,
+ "bufferevent_openssl_socket_new");
+
+ break;
+ case RS_CONN_TYPE_DTLS:
+ return rs_err_conn_push_fl (conn, RSE_NOSYS, __FILE__, __LINE__,
+ "%s: NYI", __func__);
+#endif /* RS_ENABLE_TLS */
+ default:
+ return rs_err_conn_push_fl (conn, RSE_INTERNAL, __FILE__, __LINE__,
+ "%s: unknown connection type: %d", __func__,
+ conn->type);
}
+
return RSE_OK;
}
/* Public functions. */
int
-rs_packet_create_acc_request (struct rs_connection *conn,
- struct rs_packet **pkt_out,
- const char *user_name, const char *user_pw)
+rs_packet_create (struct rs_connection *conn, struct rs_packet **pkt_out)
+{
+ struct rs_packet *p;
+ RADIUS_PACKET *rpkt;
+
+ *pkt_out = NULL;
+
+ rpkt = rad_alloc (1);
+ if (!rpkt)
+ return rs_err_conn_push (conn, RSE_NOMEM, __func__);
+ rpkt->id = conn->nextid++;
+
+ p = (struct rs_packet *) malloc (sizeof (struct rs_packet));
+ if (!p)
+ {
+ rad_free (&rpkt);
+ return rs_err_conn_push (conn, RSE_NOMEM, __func__);
+ }
+ memset (p, 0, sizeof (struct rs_packet));
+ p->conn = conn;
+ p->rpkt = rpkt;
+
+ *pkt_out = p;
+ return RSE_OK;
+}
+
+int
+rs_packet_create_auth_request (struct rs_connection *conn,
+ struct rs_packet **pkt_out,
+ const char *user_name, const char *user_pw)
{
struct rs_packet *pkt;
struct rs_attr *attr;
- if (_packet_create (conn, pkt_out))
+ if (rs_packet_create (conn, pkt_out))
return -1;
pkt = *pkt_out;
pkt->rpkt->code = PW_AUTHENTICATION_REQUEST;
- if (rs_attr_create (conn, &attr, "User-Name", user_name))
- return -1;
- rs_packet_add_attr (pkt, attr);
+ if (user_name)
+ {
+ if (rs_attr_create (conn, &attr, "User-Name", user_name))
+ return -1;
+ rs_packet_add_attr (pkt, attr);
- if (rs_attr_create (conn, &attr, "User-Password", user_pw))
- return -1;
- /* FIXME: need this too? rad_pwencode(user_pw, &pwlen, SECRET, reqauth) */
- rs_packet_add_attr (pkt, attr);
+ if (user_pw)
+ {
+ if (rs_attr_create (conn, &attr, "User-Password", user_pw))
+ return -1;
+ rs_packet_add_attr (pkt, attr);
+ }
+ }
return RSE_OK;
}
assert (conn->active_peer);
assert (conn->active_peer->fd >= 0);
- if (conn->callbacks.connected_cb || conn->callbacks.disconnected_cb
- || conn->callbacks.received_cb || conn->callbacks.sent_cb)
- ; /* FIXME: install event callbacks, other than below */
- else
- {
- bufferevent_setcb (conn->bev, _read_cb, _write_cb, _event_cb, pkt);
- event_base_dispatch (conn->evb);
- }
+ conn->user_data = user_data;
+ bufferevent_setcb (conn->bev, _read_cb, _write_cb, _event_cb, pkt);
+ if (!conn->user_dispatch_flag)
+ event_base_dispatch (conn->evb);
#if defined (DEBUG)
fprintf (stderr, "%s: event loop done\n", __func__);
}
int
-rs_conn_receive_packet (struct rs_connection *conn, struct rs_packet **pkt_out)
+rs_conn_receive_packet (struct rs_connection *conn,
+ struct rs_packet *request,
+ struct rs_packet **pkt_out)
{
struct rs_packet *pkt;
assert (conn);
- if (_packet_create (conn, pkt_out))
+ if (rs_packet_create (conn, pkt_out))
return -1;
pkt = *pkt_out;
pkt->conn = conn;
+ pkt->original = request;
if (_conn_open (conn, pkt))
return -1;
bufferevent_setwatermark (conn->bev, EV_READ, RS_HEADER_LEN, 0);
bufferevent_enable (conn->bev, EV_READ);
- event_base_dispatch (conn->evb);
-#if defined (DEBUG)
- fprintf (stderr, "%s: event loop done", __func__);
- if (event_base_got_break(conn->evb))
+ bufferevent_setcb (conn->bev, _read_cb, _write_cb, _event_cb, pkt);
+
+ if (!conn->user_dispatch_flag)
{
- fprintf (stderr, ", got this:\n");
- rs_dump_packet (pkt);
- }
- else
- fprintf (stderr, ", no reply\n");
+ event_base_dispatch (conn->evb);
+#if defined (DEBUG)
+ fprintf (stderr, "%s: event loop done", __func__);
+ if (event_base_got_break(conn->evb))
+ {
+ fprintf (stderr, ", got this:\n");
+ rs_dump_packet (pkt);
+ }
+ else
+ fprintf (stderr, ", no reply\n");
#endif
+ }
+
+ pkt->original = NULL;
return RSE_OK;
}
{
if (pkt)
{
+ // FIXME: memory leak! TODO: free all attributes
rad_free (&pkt->rpkt);
rs_free (pkt->conn->ctx, pkt);
}
projects / radsecproxy.git / blobdiff