eliminate bogus whitespace diff

[freeradius.git] / src / main / tls_listen.c

diff --git a/src/main/tls_listen.c b/src/main/tls_listen.c
index 0c2081c..f4323a7 100644 (file)
--- a/src/main/tls_listen.c
+++ b/src/main/tls_listen.c
@@ -72,25 +72,16 @@ static void tls_socket_close(rad_listen_t *listener)
 {
        listen_socket_t *sock = listener->data;
 
+       SSL_shutdown(sock->ssn->ssl);
+
        listener->status = RAD_LISTEN_STATUS_EOL;
        listener->tls = NULL; /* parent owns this! */
 
-       if (sock->parent) {
-               /*
-                *      Decrement the number of connections.
-                */
-               if (sock->parent->limit.num_connections > 0) {
-                       sock->parent->limit.num_connections--;
-               }
-               if (sock->client->limit.num_connections > 0) {
-                       sock->client->limit.num_connections--;
-               }
-       }
-
        /*
         *      Tell the event handler that an FD has disappeared.
         */
-       event_new_fd(listener);
+       DEBUG("Client has closed connection");
+       radius_update_listener(listener);
 
        /*
         *      Do NOT free the listener here.  It's in use by
@@ -101,7 +92,7 @@ static void tls_socket_close(rad_listen_t *listener)
         */
 }
 
-static int tls_socket_write(rad_listen_t *listener, REQUEST *request)
+static int CC_HINT(nonnull) tls_socket_write(rad_listen_t *listener, REQUEST *request)
 {
        uint8_t *p;
        ssize_t rcode;
@@ -139,7 +130,7 @@ static int tls_socket_recv(rad_listen_t *listener)
        RADCLIENT *client = sock->client;
 
        if (!sock->packet) {
-               sock->packet = rad_alloc(sock, 0);
+               sock->packet = rad_alloc(sock, false);
                if (!sock->packet) return 0;
 
                sock->packet->sockfd = listener->fd;
@@ -149,8 +140,7 @@ static int tls_socket_recv(rad_listen_t *listener)
                sock->packet->dst_port = sock->my_port;
 
                if (sock->request) {
-                       (void) talloc_steal(sock->request, sock->packet);
-                       sock->request->packet = sock->packet;
+                       sock->request->packet = talloc_steal(sock->request, sock->packet);
                }
        }
 
@@ -166,7 +156,7 @@ static int tls_socket_recv(rad_listen_t *listener)
 
                rad_assert(request->packet == NULL);
                rad_assert(sock->packet != NULL);
-               request->packet = sock->packet;
+               request->packet = talloc_steal(request, sock->packet);
 
                request->component = "<core>";
                request->component = "<tls-connect>";
@@ -174,15 +164,15 @@ static int tls_socket_recv(rad_listen_t *listener)
                /*
                 *      Not sure if we should do this on every packet...
                 */
-               request->reply = rad_alloc(request, 0);
+               request->reply = rad_alloc(request, false);
                if (!request->reply) return 0;
 
                rad_assert(sock->ssn == NULL);
 
-               sock->ssn = tls_new_session(listener->tls, sock->request,
+               sock->ssn = tls_new_session(listener->tls, listener->tls, sock->request,
                                            listener->tls->require_client_cert);
                if (!sock->ssn) {
-                       request_free(&sock->request);
+                       TALLOC_FREE(sock->request);
                        sock->packet = NULL;
                        return 0;
                }
@@ -190,6 +180,7 @@ static int tls_socket_recv(rad_listen_t *listener)
                (void) talloc_steal(sock, sock->ssn);
                SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request);
                SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_CERTS, (void *)&request->packet->vps);
+               SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_TALLOC, sock->parent);
 
                doing_init = true;
        }
@@ -208,7 +199,7 @@ static int tls_socket_recv(rad_listen_t *listener)
                     sizeof(sock->ssn->dirty_in.data));
        if ((rcode < 0) && (errno == ECONNRESET)) {
        do_close:
-               DEBUG("Closing TLS socket from client");
+               DEBUG("Closing TLS socket from client port %u", sock->other_port);
                tls_socket_close(listener);
                PTHREAD_MUTEX_UNLOCK(&sock->mutex);
                return 0;
@@ -272,7 +263,7 @@ app:
                return 0;
        }
 
-       dump_hex("TUNNELED DATA", sock->ssn->clean_out.data, sock->ssn->clean_out.used);
+       dump_hex("TUNNELED DATA > ", sock->ssn->clean_out.data, sock->ssn->clean_out.used);
 
        /*
         *      If the packet is a complete RADIUS packet, return it to
@@ -293,7 +284,7 @@ app:
        packet->vps = NULL;
        PTHREAD_MUTEX_UNLOCK(&sock->mutex);
 
-       if (!rad_packet_ok(packet, 0)) {
+       if (!rad_packet_ok(packet, 0, NULL)) {
                RDEBUG("Received bad packet: %s", fr_strerror());
                DEBUG("Closing TLS socket from client");
                PTHREAD_MUTEX_LOCK(&sock->mutex);
@@ -308,7 +299,7 @@ app:
        if (fr_debug_flag) {
                char host_ipaddr[128];
 
-               if ((packet->code > 0) && (packet->code < FR_MAX_PACKET_CODE)) {
+               if (is_radius_code(packet->code)) {
                        RDEBUG("tls_recv: %s packet from host %s port %d, id=%d, length=%d",
                               fr_packet_codes[packet->code],
                               inet_ntop(packet->src_ipaddr.af,
@@ -363,14 +354,14 @@ int dual_tls_recv(rad_listen_t *listener)
         *      set.
         */
        switch(packet->code) {
-       case PW_AUTHENTICATION_REQUEST:
+       case PW_CODE_ACCESS_REQUEST:
                if (listener->type != RAD_LISTEN_AUTH) goto bad_packet;
                FR_STATS_INC(auth, total_requests);
                fun = rad_authenticate;
                break;
 
 #ifdef WITH_ACCOUNTING
-       case PW_ACCOUNTING_REQUEST:
+       case PW_CODE_ACCOUNTING_REQUEST:
                if (listener->type != RAD_LISTEN_ACCT) {
                        /*
                         *      Allow auth + dual.  Disallow
@@ -386,10 +377,10 @@ int dual_tls_recv(rad_listen_t *listener)
                break;
 #endif
 
-       case PW_STATUS_SERVER:
-               if (!mainconfig.status_server) {
+       case PW_CODE_STATUS_SERVER:
+               if (!main_config.status_server) {
                        FR_STATS_INC(auth, total_unknown_types);
-                       WDEBUG("Ignoring Status-Server request due to security configuration");
+                       WARN("Ignoring Status-Server request due to security configuration");
                        rad_free(&sock->packet);
                        request->packet = NULL;
                        return 0;
@@ -429,6 +420,8 @@ int dual_tls_send(rad_listen_t *listener, REQUEST *request)
 {
        listen_socket_t *sock = listener->data;
 
+       VERIFY_REQUEST(request);
+
        rad_assert(request->listener == listener);
        rad_assert(listener->send == dual_tls_send);
 
@@ -461,12 +454,15 @@ int dual_tls_send(rad_listen_t *listener, REQUEST *request)
        }
 
        PTHREAD_MUTEX_LOCK(&sock->mutex);
+
        /*
         *      Write the packet to the SSL buffers.
         */
        sock->ssn->record_plus(&sock->ssn->clean_in,
                               request->reply->data, request->reply->data_len);
 
+       dump_hex("TUNNELED DATA < ", sock->ssn->clean_in.data, sock->ssn->clean_in.used);
+
        /*
         *      Do SSL magic to get encrypted data.
         */
@@ -499,7 +495,7 @@ int dual_tls_send(rad_listen_t *listener, REQUEST *request)
  *
  *     Called with the mutex held.
  */
-static int proxy_tls_read(rad_listen_t *listener)
+static ssize_t proxy_tls_read(rad_listen_t *listener)
 {
        int rcode;
        size_t length;
@@ -537,7 +533,7 @@ static int proxy_tls_read(rad_listen_t *listener)
                                        DEBUG("proxy recv says %s",
                                              ERR_error_string(err, NULL));
                                }
-                               
+
                                goto do_close;
                        }
                }
@@ -601,26 +597,27 @@ static int proxy_tls_read(rad_listen_t *listener)
                return 0;
        }
 
-       return 1;
+       sock->partial = 0;      /* we've now read the packet */
+       return length;
 }
 
 
 int proxy_tls_recv(rad_listen_t *listener)
 {
-       int rcode;
        listen_socket_t *sock = listener->data;
        char buffer[256];
        RADIUS_PACKET *packet;
        uint8_t *data;
+       ssize_t data_len;
 
        if (listener->status != RAD_LISTEN_STATUS_KNOWN) return 0;
 
        DEBUG3("Proxy SSL socket has data to read");
        PTHREAD_MUTEX_LOCK(&sock->mutex);
-       rcode = proxy_tls_read(listener);
+       data_len = proxy_tls_read(listener);
        PTHREAD_MUTEX_UNLOCK(&sock->mutex);
 
-       if (rcode < 0) {
+       if (data_len < 0) {
                DEBUG("Closing TLS socket to home server");
                PTHREAD_MUTEX_LOCK(&sock->mutex);
                tls_socket_close(listener);
@@ -628,12 +625,11 @@ int proxy_tls_recv(rad_listen_t *listener)
                return 0;
        }
 
-       if (rcode == 0) return 0; /* no data to read */
+       if (data_len == 0) return 0; /* not done yet */
 
        data = sock->data;
-       sock->partial = 0;      /* we've now read the packet */
 
-       packet = rad_alloc(sock, 0);
+       packet = rad_alloc(sock, false);
        packet->sockfd = listener->fd;
        packet->src_ipaddr = sock->other_ipaddr;
        packet->src_port = sock->other_port;
@@ -641,7 +637,7 @@ int proxy_tls_recv(rad_listen_t *listener)
        packet->dst_port = sock->my_port;
        packet->code = data[0];
        packet->id = data[1];
-       packet->data_len = (data[2] << 8) | data[3];
+       packet->data_len = data_len;
        packet->data = talloc_array(packet, uint8_t, packet->data_len);
        memcpy(packet->data, data, packet->data_len);
        memcpy(packet->vector, packet->data + 4, 16);
@@ -650,13 +646,13 @@ int proxy_tls_recv(rad_listen_t *listener)
         *      FIXME: Client MIB updates?
         */
        switch(packet->code) {
-       case PW_AUTHENTICATION_ACK:
-       case PW_ACCESS_CHALLENGE:
-       case PW_AUTHENTICATION_REJECT:
+       case PW_CODE_ACCESS_ACCEPT:
+       case PW_CODE_ACCESS_CHALLENGE:
+       case PW_CODE_ACCESS_REJECT:
                break;
 
 #ifdef WITH_ACCOUNTING
-       case PW_ACCOUNTING_RESPONSE:
+       case PW_CODE_ACCOUNTING_RESPONSE:
                break;
 #endif
 
@@ -687,7 +683,10 @@ int proxy_tls_send(rad_listen_t *listener, REQUEST *request)
        int rcode;
        listen_socket_t *sock = listener->data;
 
-       if (listener->status != RAD_LISTEN_STATUS_KNOWN) return 0;
+       VERIFY_REQUEST(request);
+
+       if ((listener->status != RAD_LISTEN_STATUS_INIT) &&
+           (listener->status != RAD_LISTEN_STATUS_KNOWN)) return 0;
 
        /*
         *      Normal proxying calls us with the data already