set talloc parent to sock for thread safety

[freeradius.git] / src / main / tls_listen.c

diff --git a/src/main/tls_listen.c b/src/main/tls_listen.c
index 4cb2a75..32cf564 100644 (file)
--- a/src/main/tls_listen.c
+++ b/src/main/tls_listen.c
@@ -33,6 +33,7 @@ USES_APPLE_DEPRECATED_API     /* OpenSSL API has been deprecated by Apple */
 #include <sys/stat.h>
 #endif
 
+#ifdef WITH_TCP
 #ifdef WITH_TLS
 #ifdef HAVE_OPENSSL_RAND_H
 #include <openssl/rand.h>
@@ -139,9 +140,7 @@ static int tls_socket_recv(rad_listen_t *listener)
                sock->packet->dst_ipaddr = sock->my_ipaddr;
                sock->packet->dst_port = sock->my_port;
 
-               if (sock->request) {
-                       sock->request->packet = talloc_steal(sock->request, sock->packet);
-               }
+               if (sock->request) sock->request->packet = talloc_steal(sock->request, sock->packet);
        }
 
        /*
@@ -176,7 +175,7 @@ static int tls_socket_recv(rad_listen_t *listener)
 
                SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request);
                SSL_set_ex_data(sock->ssn->ssl, fr_tls_ex_index_certs, (void *) &sock->certs);
-               SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_TALLOC, sock->parent);
+               SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_TALLOC, sock);
 
                doing_init = true;
        }
@@ -289,7 +288,7 @@ static int tls_socket_recv(rad_listen_t *listener)
        PTHREAD_MUTEX_UNLOCK(&sock->mutex);
 
        if (!rad_packet_ok(packet, 0, NULL)) {
-               RDEBUG("Received bad packet: %s", fr_strerror());
+               if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror());
                DEBUG("Closing TLS socket from client");
                PTHREAD_MUTEX_LOCK(&sock->mutex);
                tls_socket_close(listener);
@@ -324,11 +323,6 @@ static int tls_socket_recv(rad_listen_t *listener)
 
        FR_STATS_INC(auth, total_requests);
 
-       /*
-        *      Re-parent the packet to nothing.
-        */
-       (void) talloc_steal(NULL, packet);
-
        return 1;
 }
 
@@ -350,7 +344,8 @@ int dual_tls_recv(rad_listen_t *listener)
        rad_assert(sock->ssn != NULL);
        rad_assert(client != NULL);
 
-       packet = sock->packet;
+       packet = talloc_steal(NULL, sock->packet);
+       sock->packet = NULL;
 
        /*
         *      Some sanity checks, based on the packet code.
@@ -386,7 +381,7 @@ int dual_tls_recv(rad_listen_t *listener)
                if (!main_config.status_server) {
                        FR_STATS_INC(auth, total_unknown_types);
                        WARN("Ignoring Status-Server request due to security configuration");
-                       rad_free(&sock->packet);
+                       rad_free(&packet);
                        return 0;
                }
                fun = rad_status_server;
@@ -398,18 +393,16 @@ int dual_tls_recv(rad_listen_t *listener)
 
                DEBUG("Invalid packet code %d sent from client %s port %d : IGNORED",
                      packet->code, client->shortname, packet->src_port);
-               rad_free(&sock->packet);
+               rad_free(&packet);
                return 0;
        } /* switch over packet types */
 
        if (!request_receive(NULL, listener, packet, client, fun)) {
                FR_STATS_INC(auth, total_packets_dropped);
-               rad_free(&sock->packet);
+               rad_free(&packet);
                return 0;
        }
 
-       sock->packet = NULL;    /* we have no need for more partial reads */
-
        return 1;
 }
 
@@ -445,6 +438,11 @@ int dual_tls_send(rad_listen_t *listener, REQUEST *request)
                return 0;
        }
 
+       if (request->reply->data_len > (MAX_PACKET_LEN - 100)) {
+               RWARN("Packet is large, and possibly truncated - %zd vs max %d",
+                     request->reply->data_len, MAX_PACKET_LEN);
+       }
+
        /*
         *      Sign the packet.
         */
@@ -530,10 +528,7 @@ static ssize_t proxy_tls_read(rad_listen_t *listener)
                                return -1;
 
                        default:
-                               while ((err = ERR_get_error())) {
-                                       DEBUG("proxy recv says %s",
-                                             ERR_error_string(err, NULL));
-                               }
+                               tls_error_log(NULL, "Failed in proxy receive");
 
                                goto do_close;
                        }
@@ -715,8 +710,7 @@ int proxy_tls_send(rad_listen_t *listener, REQUEST *request)
                        break;  /* let someone else retry */
 
                default:
-                       DEBUG("proxy SSL_write says %s",
-                             ERR_error_string(err, NULL));
+                       tls_error_log(NULL, "Failed in proxy send");
                        DEBUG("Closing TLS socket to home server");
                        tls_socket_close(listener);
                        PTHREAD_MUTEX_UNLOCK(&sock->mutex);
@@ -730,3 +724,4 @@ int proxy_tls_send(rad_listen_t *listener, REQUEST *request)
 #endif /* WITH_PROXY */
 
 #endif /* WITH_TLS */
+#endif /* WITH_TCP */