make outgoing SSL_connect() non-blocking

[freeradius.git] / src / main / tls_listen.c
diff --git a/src/main/tls_listen.c b/src/main/tls_listen.c

index 5f6f7d8..785b243 100644 (file)
--- a/src/main/tls_listen.c
+++ b/src/main/tls_listen.c
@@ -33,6 +33,7 @@ USES_APPLE_DEPRECATED_API     /* OpenSSL API has been deprecated by Apple */
  #include <sys/stat.h>
  #endif
  
+#ifdef WITH_TCP
  #ifdef WITH_TLS
  #ifdef HAVE_OPENSSL_RAND_H
  #include <openssl/rand.h>
@@ -54,7 +55,7 @@ static void dump_hex(char const *msg, uint8_t const *data, size_t data_len)
  {
         size_t i;
  
-       if (debug_flag < 3) return;
+       if (rad_debug_lvl < 3) return;
  
         printf("%s %d\n", msg, (int) data_len);
         if (data_len > 256) data_len = 256;
@@ -130,7 +131,7 @@ static int tls_socket_recv(rad_listen_t *listener)
         RADCLIENT *client = sock->client;
  
         if (!sock->packet) {
-               sock->packet = rad_alloc(sock, 0);
+               sock->packet = rad_alloc(sock, false);
                 if (!sock->packet) return 0;
  
                 sock->packet->sockfd = listener->fd;
@@ -139,17 +140,14 @@ static int tls_socket_recv(rad_listen_t *listener)
                 sock->packet->dst_ipaddr = sock->my_ipaddr;
                 sock->packet->dst_port = sock->my_port;
  
-               if (sock->request) {
-                       (void) talloc_steal(sock->request, sock->packet);
-                       sock->request->packet = sock->packet;
-               }
+               if (sock->request) sock->request->packet = talloc_steal(sock->request, sock->packet);
         }
  
         /*
-        *      Allocate a REQUEST for debugging.
+        *      Allocate a REQUEST for debugging, and initialize the TLS session.
          */
         if (!sock->request) {
-               sock->request = request = request_alloc(NULL);
+               sock->request = request = request_alloc(sock);
                 if (!sock->request) {
                         ERROR("Out of memory");
                         return 0;
@@ -157,31 +155,26 @@ static int tls_socket_recv(rad_listen_t *listener)
  
                 rad_assert(request->packet == NULL);
                 rad_assert(sock->packet != NULL);
-               request->packet = sock->packet;
+               request->packet = talloc_steal(request, sock->packet);
  
-               request->component = "<core>";
                 request->component = "<tls-connect>";
  
-               /*
-                *      Not sure if we should do this on every packet...
-                */
-               request->reply = rad_alloc(request, 0);
+               request->reply = rad_alloc(request, false);
                 if (!request->reply) return 0;
  
                 rad_assert(sock->ssn == NULL);
  
-               sock->ssn = tls_new_session(listener->tls, sock->request,
+               sock->ssn = tls_new_session(sock, listener->tls, sock->request,
                                             listener->tls->require_client_cert);
                 if (!sock->ssn) {
-                       request_free(&sock->request);
+                       TALLOC_FREE(sock->request);
                         sock->packet = NULL;
                         return 0;
                 }
  
-               (void) talloc_steal(sock, sock->ssn);
                 SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request);
-               SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_CERTS, (void *)&request->packet->vps);
-               SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_TALLOC, sock->parent);
+               SSL_set_ex_data(sock->ssn->ssl, fr_tls_ex_index_certs, (void *) &sock->certs);
+               SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_TALLOC, NULL);
  
                 doing_init = true;
         }
@@ -229,28 +222,33 @@ static int tls_socket_recv(rad_listen_t *listener)
         }
  
         /*
-        *      Skip ahead to reading application data.
+        *      If we need to do more initialization, do that here.
          */
-       if (SSL_is_init_finished(sock->ssn->ssl)) goto app;
+       if (!SSL_is_init_finished(sock->ssn->ssl)) {
+               if (!tls_handshake_recv(request, sock->ssn)) {
+                       RDEBUG("FAILED in TLS handshake receive");
+                       goto do_close;
+               }
  
-       if (!tls_handshake_recv(request, sock->ssn)) {
-               RDEBUG("FAILED in TLS handshake receive");
-               goto do_close;
-       }
+               /*
+                *      More ACK data to send.  Do so.
+                */
+               if (sock->ssn->dirty_out.used > 0) {
+                       tls_socket_write(listener, request);
+                       PTHREAD_MUTEX_UNLOCK(&sock->mutex);
+                       return 0;
+               }
  
-       if (sock->ssn->dirty_out.used > 0) {
-               tls_socket_write(listener, request);
-               PTHREAD_MUTEX_UNLOCK(&sock->mutex);
-               return 0;
+               /*
+                *      FIXME: Run the request through a virtual
+                *      server in order to see if we like the
+                *      certificate presented by the client.
+                */
         }
  
-app:
         /*
-        *      FIXME: Run the packet through a virtual server in
-        *      order to see if we like the certificate presented by
-        *      the client.
+        *      Try to get application data.
          */
-
         status = tls_application_data(sock->ssn, request);
         RDEBUG("Application data status %d", status);
  
@@ -264,7 +262,10 @@ app:
                 return 0;
         }
  
-       dump_hex("TUNNELED DATA", sock->ssn->clean_out.data, sock->ssn->clean_out.used);
+       /*
+        *      We now have a bunch of application data.
+        */
+       dump_hex("TUNNELED DATA > ", sock->ssn->clean_out.data, sock->ssn->clean_out.used);
  
         /*
          *      If the packet is a complete RADIUS packet, return it to
@@ -272,7 +273,7 @@ app:
          */
         if ((sock->ssn->clean_out.used < 20) ||
             (((sock->ssn->clean_out.data[2] << 8) | sock->ssn->clean_out.data[3]) != (int) sock->ssn->clean_out.used)) {
-               RDEBUG("Received bad packet: Length %d contents %d",
+               RDEBUG("Received bad packet: Length %zd contents %d",
                        sock->ssn->clean_out.used,
                        (sock->ssn->clean_out.data[2] << 8) | sock->ssn->clean_out.data[3]);
                 goto do_close;
@@ -286,7 +287,7 @@ app:
         PTHREAD_MUTEX_UNLOCK(&sock->mutex);
  
         if (!rad_packet_ok(packet, 0, NULL)) {
-               RDEBUG("Received bad packet: %s", fr_strerror());
+               if (DEBUG_ENABLED) ERROR("Receive - %s", fr_strerror());
                 DEBUG("Closing TLS socket from client");
                 PTHREAD_MUTEX_LOCK(&sock->mutex);
                 tls_socket_close(listener);
@@ -297,7 +298,7 @@ app:
         /*
          *      Copied from src/lib/radius.c, rad_recv();
          */
-       if (fr_debug_flag) {
+       if (fr_debug_lvl) {
                 char host_ipaddr[128];
  
                 if (is_radius_code(packet->code)) {
@@ -328,7 +329,6 @@ app:
  int dual_tls_recv(rad_listen_t *listener)
  {
         RADIUS_PACKET *packet;
-       REQUEST *request;
         RAD_REQUEST_FUNP fun = NULL;
         listen_socket_t *sock = listener->data;
         RADCLIENT       *client = sock->client;
@@ -339,14 +339,12 @@ int dual_tls_recv(rad_listen_t *listener)
                 return 0;
         }
  
-       rad_assert(sock->request != NULL);
-       rad_assert(sock->request->packet != NULL);
         rad_assert(sock->packet != NULL);
         rad_assert(sock->ssn != NULL);
         rad_assert(client != NULL);
  
-       request = sock->request;
-       packet = sock->packet;
+       packet = talloc_steal(NULL, sock->packet);
+       sock->packet = NULL;
  
         /*
          *      Some sanity checks, based on the packet code.
@@ -354,8 +352,8 @@ int dual_tls_recv(rad_listen_t *listener)
          *      "auth+acct" are marked as "auth", with the "dual" flag
          *      set.
          */
-       switch(packet->code) {
-       case PW_CODE_AUTHENTICATION_REQUEST:
+       switch (packet->code) {
+       case PW_CODE_ACCESS_REQUEST:
                 if (listener->type != RAD_LISTEN_AUTH) goto bad_packet;
                 FR_STATS_INC(auth, total_requests);
                 fun = rad_authenticate;
@@ -382,8 +380,7 @@ int dual_tls_recv(rad_listen_t *listener)
                 if (!main_config.status_server) {
                         FR_STATS_INC(auth, total_unknown_types);
                         WARN("Ignoring Status-Server request due to security configuration");
-                       rad_free(&sock->packet);
-                       request->packet = NULL;
+                       rad_free(&packet);
                         return 0;
                 }
                 fun = rad_status_server;
@@ -395,21 +392,16 @@ int dual_tls_recv(rad_listen_t *listener)
  
                 DEBUG("Invalid packet code %d sent from client %s port %d : IGNORED",
                       packet->code, client->shortname, packet->src_port);
-               rad_free(&sock->packet);
-               request->packet = NULL;
+               rad_free(&packet);
                 return 0;
         } /* switch over packet types */
  
-       if (!request_receive(listener, packet, client, fun)) {
+       if (!request_receive(NULL, listener, packet, client, fun)) {
                 FR_STATS_INC(auth, total_packets_dropped);
-               rad_free(&sock->packet);
-               request->packet = NULL;
+               rad_free(&packet);
                 return 0;
         }
  
-       sock->packet = NULL;    /* we have no need for more partial reads */
-       request->packet = NULL;
-
         return 1;
  }
  
@@ -445,6 +437,11 @@ int dual_tls_send(rad_listen_t *listener, REQUEST *request)
                 return 0;
         }
  
+       if (request->reply->data_len > (MAX_PACKET_LEN - 100)) {
+               RWARN("Packet is large, and possibly truncated - %zd vs max %d",
+                     request->reply->data_len, MAX_PACKET_LEN);
+       }
+
         /*
          *      Sign the packet.
          */
@@ -455,12 +452,15 @@ int dual_tls_send(rad_listen_t *listener, REQUEST *request)
         }
  
         PTHREAD_MUTEX_LOCK(&sock->mutex);
+
         /*
          *      Write the packet to the SSL buffers.
          */
         sock->ssn->record_plus(&sock->ssn->clean_in,
                                request->reply->data, request->reply->data_len);
  
+       dump_hex("TUNNELED DATA < ", sock->ssn->clean_in.data, sock->ssn->clean_in.used);
+
         /*
          *      Do SSL magic to get encrypted data.
          */
@@ -479,6 +479,34 @@ int dual_tls_send(rad_listen_t *listener, REQUEST *request)
         return 0;
  }
  
+static int try_connect(tls_session_t *ssn)
+{
+       int ret;
+       ret = SSL_connect(ssn->ssl);
+       if (ret < 0) {
+               switch (SSL_get_error(ssn->ssl, ret)) {
+                       default:
+                               break;
+
+
+
+               case SSL_ERROR_WANT_READ:
+               case SSL_ERROR_WANT_WRITE:
+                       ssn->connected = false;
+                       return 0;
+               }
+       }
+
+       if (ret <= 0) {
+               tls_error_io_log(NULL, ssn, ret, "Failed in " STRINGIFY(__FUNCTION__) " (SSL_connect)");
+               talloc_free(ssn);
+
+               return -1;
+       }
+
+       return 1;
+}
+
  
  #ifdef WITH_PROXY
  /*
@@ -500,11 +528,23 @@ static ssize_t proxy_tls_read(rad_listen_t *listener)
         uint8_t *data;
         listen_socket_t *sock = listener->data;
  
+       if (!sock->ssn->connected) {
+               rcode = try_connect(sock->ssn);
+               if (rcode == 0) return 0;
+
+               if (rcode < 0) {
+                       SSL_shutdown(sock->ssn->ssl);
+                       return -1;
+               }
+
+               sock->ssn->connected = true;
+       }
+
         /*
          *      Get the maximum size of data to receive.
          */
         if (!sock->data) sock->data = talloc_array(sock, uint8_t,
-                                                  sock->ssn->offset);
+                                                  sock->ssn->mtu);
  
         data = sock->data;
  
@@ -527,10 +567,7 @@ static ssize_t proxy_tls_read(rad_listen_t *listener)
                                 return -1;
  
                         default:
-                               while ((err = ERR_get_error())) {
-                                       DEBUG("proxy recv says %s",
-                                             ERR_error_string(err, NULL));
-                               }
+                               tls_error_log(NULL, "Failed in proxy receive");
  
                                 goto do_close;
                         }
@@ -554,7 +591,7 @@ static ssize_t proxy_tls_read(rad_listen_t *listener)
                  *      FIXME: allocate a RADIUS_PACKET, and set
                  *      "data" to be as large as necessary.
                  */
-               if (length > sock->ssn->offset) {
+               if (length > sock->ssn->mtu) {
                         INFO("Received packet will be too large! Set \"fragment_size = %u\"",
                              (data[2] << 8) | data[3]);
                         goto do_close;
@@ -627,7 +664,7 @@ int proxy_tls_recv(rad_listen_t *listener)
  
         data = sock->data;
  
-       packet = rad_alloc(sock, 0);
+       packet = rad_alloc(sock, false);
         packet->sockfd = listener->fd;
         packet->src_ipaddr = sock->other_ipaddr;
         packet->src_port = sock->other_port;
@@ -643,10 +680,10 @@ int proxy_tls_recv(rad_listen_t *listener)
         /*
          *      FIXME: Client MIB updates?
          */
-       switch(packet->code) {
-       case PW_CODE_AUTHENTICATION_ACK:
+       switch (packet->code) {
+       case PW_CODE_ACCESS_ACCEPT:
         case PW_CODE_ACCESS_CHALLENGE:
-       case PW_CODE_AUTHENTICATION_REJECT:
+       case PW_CODE_ACCESS_REJECT:
                 break;
  
  #ifdef WITH_ACCOUNTING
@@ -696,6 +733,20 @@ int proxy_tls_send(rad_listen_t *listener, REQUEST *request)
                                                 request);
         }
  
+       if (!sock->ssn->connected) {
+               PTHREAD_MUTEX_LOCK(&sock->mutex);
+               rcode = try_connect(sock->ssn);
+               PTHREAD_MUTEX_LOCK(&sock->mutex);
+               if (rcode == 0) return 0;
+
+               if (rcode < 0) {
+                       SSL_shutdown(sock->ssn->ssl);
+                       return -1;
+               }
+
+               sock->ssn->connected = true;
+       }
+
         DEBUG3("Proxy is writing %u bytes to SSL",
                (unsigned int) request->proxy->data_len);
         PTHREAD_MUTEX_LOCK(&sock->mutex);
@@ -712,8 +763,7 @@ int proxy_tls_send(rad_listen_t *listener, REQUEST *request)
                         break;  /* let someone else retry */
  
                 default:
-                       DEBUG("proxy SSL_write says %s",
-                             ERR_error_string(err, NULL));
+                       tls_error_log(NULL, "Failed in proxy send");
                         DEBUG("Closing TLS socket to home server");
                         tls_socket_close(listener);
                         PTHREAD_MUTEX_UNLOCK(&sock->mutex);
@@ -727,3 +777,4 @@ int proxy_tls_send(rad_listen_t *listener, REQUEST *request)
  #endif /* WITH_PROXY */
  
  #endif /* WITH_TLS */
+#endif /* WITH_TCP */