X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=tls.c;h=4197069d99e2bf77c27084fabe158f74074734dd;hb=refs%2Fheads%2Fpthread_create_attr;hp=93bec50bbcd628a66fcac6c4f7c36245ce84cae4;hpb=fb4af51e107fb96380efeadc252e25da079be6cc;p=radsecproxy.git diff --git a/tls.c b/tls.c index 93bec50..4197069 100644 --- a/tls.c +++ b/tls.c @@ -1,10 +1,6 @@ -/* - * Copyright (C) 2006-2008 Stig Venaas - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - */ +/* Copyright (c) 2007-2009, UNINETT AS + * Copyright (c) 2012, NORDUnet A/S */ +/* See LICENSE for licensing information. */ #include #include @@ -26,10 +22,12 @@ #include #include #include +#include "radsecproxy.h" +#include "hostport.h" + +#ifdef RADPROT_TLS #include "debug.h" -#include "list.h" #include "util.h" -#include "radsecproxy.h" static void setprotoopts(struct commonprotoopts *opts); static char **getlistenerargs(); @@ -41,7 +39,7 @@ void tlssetsrcres(); static const struct protodefs protodefs = { "tls", - "mysecret", /* secretdefault */ + "radsec", /* secretdefault */ SOCK_STREAM, /* socktype */ "2083", /* portdefault */ 0, /* retrycountdefault */ @@ -80,8 +78,9 @@ static char **getlistenerargs() { void tlssetsrcres() { if (!srcres) - srcres = resolve_hostport_addrinfo(handle, protoopts ? protoopts->sourcearg : NULL); - + srcres = + resolvepassiveaddrinfo(protoopts ? protoopts->sourcearg : NULL, + AF_UNSPEC, NULL, protodefs.socktype); } int tlsconnect(struct server *server, struct timeval *when, int timeout, char *text) { 
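Review bot: tlssetsrcres does not report a failed resolution: when resolvepassiveaddrinfo returns NULL, `srcres` stays NULL, which is indistinguishable from no source address being configured, so a misspelled sourcearg silently makes every outgoing TLS connection bind to whatever address the kernel picks. Unless resolvepassiveaddrinfo logs the failure itself (not visible here), add a check after the assignment, e.g. `if (protoopts && protoopts->sourcearg && !srcres) debug(DBG_ERR, "tlssetsrcres: failed to resolve source address");`. The hunk ends at the opening of tlsconnect, whose body lies outside it.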
@@ -90,7 +89,7 @@ int tlsconnect(struct server *server, struct timeval *when, int timeout, char *t
 X509 *cert;
 SSL_CTX *ctx = NULL;
 unsigned long error;
-
+
 debug(DBG_DBG, "tlsconnect: called from %s", text);
 pthread_mutex_lock(&server->lock);
 if (when && memcmp(&server->lastconnecttry, when, sizeof(struct timeval))) {
@@ -125,14 +124,12 @@ int tlsconnect(struct server *server, struct timeval *when, int timeout, char *t
 sleep(60);
 } else
 server->lastconnecttry.tv_sec = now.tv_sec; /* no sleep at startup */
- debug(DBG_WARN, "tlsconnect: trying to open TLS connection to %s port %s", server->conf->host, server->conf->port);
+
 if (server->sock >= 0)
 close(server->sock);
- if ((server->sock = connecttcp(server->conf->addrinfo, srcres)) < 0) {
- debug(DBG_ERR, "tlsconnect: connecttcp failed");
+ if ((server->sock = connecttcphostlist(server->conf->hostports, srcres)) < 0)
 continue;
- }
-
+
 SSL_free(server->ssl);
 server->ssl = NULL;
 ctx = tlsgetctx(handle, server->conf->tlsconf);
@@ -157,7 +154,7 @@ int tlsconnect(struct server *server, struct timeval *when, int timeout, char *t
 }
 X509_free(cert);
 }
- debug(DBG_WARN, "tlsconnect: TLS connection to %s port %s up", server->conf->host, server->conf->port);
+ debug(DBG_WARN, "tlsconnect: TLS connection to %s up", server->conf->name);
 server->connectionok = 1;
 gettimeofday(&server->lastconnecttry, NULL);
 pthread_mutex_unlock(&server->lock);
@@ -170,7 +167,7 @@ int sslreadtimeout(SSL *ssl, unsigned char *buf, int num, int timeout) {
 int s, ndesc, cnt, len;
 fd_set readfds, writefds;
 struct timeval timer;
-
+
 s = SSL_get_fd(ssl);
 if (s < 0)
 return -1;
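Review bot: The failing-connect branch in tlsconnect lost its diagnostic: `if ((server->sock = connecttcphostlist(server->conf->hostports, srcres)) < 0) continue;` now loops straight back into the backoff with nothing logged, where the old code reported `connecttcp failed` at DBG_ERR and the removed DBG_WARN line announced each attempt. Unless connecttcphostlist logs failures itself (not visible here), an unreachable server leaves no trace beyond the sleep loop, which makes outages and misconfigured hostports hard to diagnose from the log. Restore a message before the `continue`, e.g. `debug(DBG_ERR, "tlsconnect: connecttcphostlist to %s failed", server->conf->name);`; `server->conf->name` is already used by this commit a few lines further down in the same function. tlsconnect's body extends beyond the hunk on both sides.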
@@ -224,21 +221,21 @@ unsigned char *radtlsget(SSL *ssl, int timeout) { continue; } memcpy(rad, buf, 4); - + cnt = sslreadtimeout(ssl, rad + 4, len - 4, timeout); if (cnt < 1) { debug(DBG_DBG, cnt ? "radtlsget: connection lost" : "radtlsget: timeout"); free(rad); return NULL; } - + if (len >= 20) break; - + free(rad); debug(DBG_WARN, "radtlsget: packet smaller than minimum radius size"); } - + debug(DBG_DBG, "radtlsget: got %d bytes", len); return rad; } @@ -258,7 +255,7 @@ int clientradputtls(struct server *server, unsigned char *rad) { return 0; } - debug(DBG_DBG, "clientradputtls: Sent %d bytes, Radius packet of length %d to TLS peer %s", cnt, len, conf->host); + debug(DBG_DBG, "clientradputtls: Sent %d bytes, Radius packet of length %d to TLS peer %s", cnt, len, conf->name); return 1; } @@ -266,7 +263,7 @@ void *tlsclientrd(void *arg) { struct server *server = (struct server *)arg; unsigned char *buf; struct timeval now, lastconnecttry; - + for (;;) { /* yes, lastconnecttry is really necessary */ lastconnecttry = server->lastconnecttry; @@ -297,15 +294,15 @@ void *tlsserverwr(void *arg) { int cnt; unsigned long error; struct client *client = (struct client *)arg; - struct queue *replyq; + struct gqueue *replyq; struct request *reply; - + debug(DBG_DBG, "tlsserverwr: starting for %s", addr2string(client->addr)); replyq = client->replyq; for (;;) { pthread_mutex_lock(&replyq->mutex); while (!list_first(replyq->entries)) { - if (client->ssl) { + if (client->ssl) { debug(DBG_DBG, "tlsserverwr: waiting for signal"); pthread_cond_wait(&replyq->cond, &replyq->mutex); debug(DBG_DBG, "tlsserverwr: got signal"); 
@@ -335,10 +332,10 @@ void tlsserverrd(struct client *client) { struct request *rq; uint8_t *buf; pthread_t tlsserverwrth; - + debug(DBG_DBG, "tlsserverrd: starting for %s", addr2string(client->addr)); - - if (pthread_create(&tlsserverwrth, NULL, tlsserverwr, (void *)client)) { + + if (pthread_create(&tlsserverwrth, &pthread_attr, tlsserverwr, (void *)client)) { debug(DBG_ERR, "tlsserverrd: pthread_create failed"); return; } @@ -362,7 +359,7 @@ void tlsserverrd(struct client *client) { break; } } - + /* stop writer by setting ssl to NULL and give signal in case waiting for data */ client->ssl = NULL; pthread_mutex_lock(&client->replyq->mutex); @@ -384,6 +381,7 @@ void *tlsservernew(void *arg) { SSL_CTX *ctx = NULL; unsigned long error; struct client *client; + struct tls *accepted_tls = NULL; s = *(int *)arg; if (getpeername(s, (struct sockaddr *)&from, &fromlen)) { 
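Review bot: The writer thread started with `pthread_create(&tlsserverwrth, &pthread_attr, tlsserverwr, (void *)client)` may no longer be joinable; if the global `pthread_attr` requests PTHREAD_CREATE_DETACHED (the branch name suggests that is the purpose of the change), any `pthread_join(tlsserverwrth, ...)` later in tlsserverrd returns EINVAL and the reader no longer waits for the writer before the caller removes `client`, so tlsserverwr could touch a freed client. Either keep this thread joinable with a NULL attribute or make the teardown at the end of tlsserverrd not depend on joining. tlsserverrd's body continues outside the hunk, so this needs confirming against the rest of the function.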
@@ -411,28 +409,29 @@ void *tlsservernew(void *arg) { cert = verifytlscert(ssl); if (!cert) goto exit; + accepted_tls = conf->tlsconf; } - + while (conf) { - if (verifyconfcert(cert, conf)) { - X509_free(cert); - client = addclient(conf, 1); - if (client) { - client->ssl = ssl; - client->addr = addr_copy((struct sockaddr *)&from); - tlsserverrd(client); - removeclient(client); - } else - debug(DBG_WARN, "tlsservernew: failed to create new client instance"); - goto exit; - } - conf = find_clconf(handle, (struct sockaddr *)&from, &cur); + if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) { + X509_free(cert); + client = addclient(conf, 1); + if (client) { + client->ssl = ssl; + client->addr = addr_copy((struct sockaddr *)&from); + tlsserverrd(client); + removeclient(client); + } else + debug(DBG_WARN, "tlsservernew: failed to create new client instance"); + goto exit; + } + conf = find_clconf(handle, (struct sockaddr *)&from, &cur); } debug(DBG_WARN, "tlsservernew: ignoring request, no matching TLS client"); if (cert) X509_free(cert); - exit: +exit: if (ssl) { SSL_shutdown(ssl); SSL_free(ssl); @@ -457,7 +456,7 @@ void *tlslistener(void *arg) { debug(DBG_WARN, "accept failed"); continue; } - if (pthread_create(&tlsserverth, NULL, tlsservernew, (void *)&s)) { + if (pthread_create(&tlsserverth, &pthread_attr, tlsservernew, (void *)&s)) { debug(DBG_ERR, "tlslistener: pthread_create failed"); shutdown(s, SHUT_RDWR); close(s); @@ -468,3 +467,12 @@ void *tlslistener(void *arg) { free(sp); return NULL; } +#else +const struct protodefs *tlsinit(uint8_t h) { + return NULL; +} +#endif + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */
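Review bot: The new `accepted_tls == conf->tlsconf` guard is the right fix, since it limits the match to client blocks whose TLS context is the one verifytlscert ran under, but `accepted_tls` is only assigned inside the block that closes just before the loop (its opening is outside the hunk); if that block can be skipped while `cert` is set, `accepted_tls` stays NULL and the comparison succeeds only for a `conf` with a NULL `tlsconf`, which is worth confirming. Client blocks now skipped solely because their `tlsconf` differs leave no trace except the final "ignoring request" warning; a line inside the loop such as `debug(DBG_DBG, "tlsservernew: skipping client block with different TLS context");` would make that visible to an operator. As a minor point, `if (cert) X509_free(cert);` can drop its guard, since OpenSSL's free functions accept NULL.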
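Review bot: `pthread_create(&tlsserverth, &pthread_attr, tlsservernew, (void *)&s)` in tlslistener hands the new thread the address of the loop-local `s`, and tlsservernew only copies it with `s = *(int *)arg;` at entry; if the listener accepts another connection before that copy runs (the accept is outside the hunk), both threads serve the same descriptor and the other one is leaked. This predates the commit, but the line is being rewritten anyway, so pass the descriptor by value instead: `pthread_create(&tlsserverth, &pthread_attr, tlsservernew, (void *)(intptr_t)s)` with the matching `s = (int)(intptr_t)arg;` in tlsservernew. tlslistener's loop starts outside the hunk.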