X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=tls.c;h=90c3dc916a9de4d085f6e51a159ea62eb14906a9;hb=refs%2Fheads%2Fmaint-1.6;hp=ce06a6e7a3c0f332b967a9936bc55f21631413ba;hpb=66743827eea20b870a0319660a4a5eb32bfe32ca;p=radsecproxy.git
diff --git a/tls.c b/tls.c
index ce06a6e..90c3dc9 100644
--- a/tls.c
+++ b/tls.c
@@ -43,7 +43,7 @@ void tlssetsrcres();
 
 static const struct protodefs protodefs = {
 "tls",
- "mysecret", /* secretdefault */
+ "radsec", /* secretdefault */
 SOCK_STREAM, /* socktype */
 "2083", /* portdefault */
 0, /* retrycountdefault */
@@ -82,7 +82,9 @@ static char **getlistenerargs() {
 
 void tlssetsrcres() {
 if (!srcres)
- srcres = resolvepassiveaddrinfo(protoopts ? protoopts->sourcearg : NULL, NULL, protodefs.socktype);
+ srcres =
+ resolvepassiveaddrinfo(protoopts ? protoopts->sourcearg : NULL,
+ AF_UNSPEC, NULL, protodefs.socktype);
 }
 
 int tlsconnect(struct server *server, struct timeval *when, int timeout, char *text) {
@@ -167,7 +169,7 @@ int tlsconnect(struct server *server, struct timeval *when, int timeout, char *t
 /* returns 0 on timeout, -1 on error and num if ok */
 int sslreadtimeout(SSL *ssl, unsigned char *buf, int num, int timeout) {
 int s, ndesc, cnt, len;
- fd_set readfds, writefds;
+ fd_set readfds;
 struct timeval timer;
 
 s = SSL_get_fd(ssl);
@@ -175,16 +177,17 @@ int sslreadtimeout(SSL *ssl, unsigned char *buf, int num, int timeout) {
 return -1;
 /* make socket non-blocking? */
 for (len = 0; len < num; len += cnt) {
- FD_ZERO(&readfds);
- FD_SET(s, &readfds);
- writefds = readfds;
- if (timeout) {
- timer.tv_sec = timeout;
- timer.tv_usec = 0;
+ if (SSL_pending(ssl) == 0) {
+ FD_ZERO(&readfds);
+ FD_SET(s, &readfds);
+ if (timeout) {
+ timer.tv_sec = timeout;
+ timer.tv_usec = 0;
+ }
+ ndesc = select(s + 1, &readfds, NULL, NULL, timeout ? &timer : NULL);
+ if (ndesc < 1)
+ return ndesc;
 }
- ndesc = select(s + 1, &readfds, &writefds, NULL, timeout ? &timer : NULL);
- if (ndesc < 1)
- return ndesc;
 
 cnt = SSL_read(ssl, buf + len, num - len);
 if (cnt <= 0)
@@ -287,8 +290,17 @@ void *tlsclientrd(void *arg) {
 }
 }
 }
+ debug(DBG_INFO, "tlsclientrd: exiting for %s", server->conf->name);
 ERR_remove_state(0);
+ SSL_shutdown(server->ssl);
+ shutdown(server->sock, SHUT_RDWR);
+ close(server->sock);
+
+ /* Wake up clientwr(). */
 server->clientrdgone = 1;
+ pthread_mutex_lock(&server->newrq_mutex);
+ pthread_cond_signal(&server->newrq_cond);
+ pthread_mutex_unlock(&server->newrq_mutex);
 return NULL;
 }
 
@@ -337,13 +349,13 @@ void tlsserverrd(struct client *client) {
 
 debug(DBG_DBG, "tlsserverrd: starting for %s", addr2string(client->addr));
 
- if (pthread_create(&tlsserverwrth, NULL, tlsserverwr, (void *)client)) {
+ if (pthread_create(&tlsserverwrth, &pthread_attr, tlsserverwr, (void *)client)) {
 debug(DBG_ERR, "tlsserverrd: pthread_create failed");
 return;
 }
 
 for (;;) {
- buf = radtlsget(client->ssl, 0);
+ buf = radtlsget(client->ssl, IDLE_TIMEOUT * 3);
 if (!buf) {
 debug(DBG_ERR, "tlsserverrd: connection from %s lost", addr2string(client->addr));
 break;
@@ -383,6 +395,7 @@ void *tlsservernew(void *arg) {
 SSL_CTX *ctx = NULL;
 unsigned long error;
 struct client *client;
+ struct tls *accepted_tls = NULL;
 
 s = *(int *)arg;
 if (getpeername(s, (struct sockaddr *)&from, &fromlen)) {
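Review bot: `timeout` is re-armed on every pass of the `for (len = 0; ...)` loop, so it bounds each individual select() wait and not the whole read of `num` bytes; a peer that delivers one byte per interval keeps sslreadtimeout() and its calling thread occupied indefinitely, and the new SSL_pending() short-circuit does not change that. Computing a deadline once before the loop and handing select() only the remaining time would make the documented "returns 0 on timeout" contract hold for the call as a whole, as sketched below. SSL_pending() also counts only already-decrypted bytes of the current record; should read-ahead ever be enabled on the SSL_CTX, a complete record can sit undecoded in OpenSSL's buffer while select() waits on the socket, so on OpenSSL 1.1.0 and later SSL_has_pending() is the safer test. The loop body, including the handling of `cnt <= 0`, continues past the end of the hunk.
```c
    time_t deadline = timeout ? time(NULL) + timeout : 0;   /* bound for the whole call */
    for (len = 0; len < num; len += cnt) {
        if (SSL_pending(ssl) == 0) {
            FD_ZERO(&readfds);
            FD_SET(s, &readfds);
            if (timeout) {
                time_t left = deadline - time(NULL);
                if (left <= 0)
                    return 0;            /* deadline already passed: report timeout */
                timer.tv_sec = left;
                timer.tv_usec = 0;
            }
            /* … unchanged: select() call and ndesc check … */
        }
        /* … unchanged: SSL_read() and cnt handling … */
```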
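Review bot: `server->clientrdgone = 1;` is still stored outside `newrq_mutex` while the wake-up added right after it is signalled under that mutex. If clientwr() tests the flag under the same mutex before waiting on `newrq_cond`, as the comment `Wake up clientwr().` suggests, the store belongs inside the locked region so that flag and signal are published together and the write is not a plain-int data race: `pthread_mutex_lock(&server->newrq_mutex);` / `server->clientrdgone = 1;` / `pthread_cond_signal(&server->newrq_cond);`. The new `SSL_shutdown()`/`shutdown()`/`close(server->sock)` also run before the writer is told to stop; if clientwr() can still be inside SSL_write() on `server->ssl` at that moment, closing the descriptor underneath it is a use-after-close, and a subsequent accept() or connect() elsewhere in the process can hand the same fd number to an unrelated connection, so please confirm the ordering against clientwr(), which is not visible in the hunk. Leaving `server->sock` at its old value after close() makes such reuse hard to spot; assigning -1 to it here would make any stale use fail loudly.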
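Review bot: With `radtlsget(client->ssl, IDLE_TIMEOUT * 3)` a NULL return now also means the idle timer expired, but the log line that follows still reports the connection as "lost" at DBG_ERR, so an operator can no longer distinguish an ordinary idle disconnect from a read failure when triaging. If radtlsget() cannot tell the two apart, at least naming the timeout in the message keeps the log honest: `debug(DBG_ERR, "tlsserverrd: connection from %s lost or idle for %d s", addr2string(client->addr), IDLE_TIMEOUT * 3);`. The function's declarations and the remainder of the loop, including what happens to `tlsserverwrth` once the loop breaks, lie outside the hunk.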
@@ -410,22 +423,23 @@ void *tlsservernew(void *arg) {
 cert = verifytlscert(ssl);
 if (!cert)
 goto exit;
+ accepted_tls = conf->tlsconf;
 }
 
 while (conf) {
- if (verifyconfcert(cert, conf)) {
- X509_free(cert);
- client = addclient(conf, 1);
- if (client) {
- client->ssl = ssl;
- client->addr = addr_copy((struct sockaddr *)&from);
- tlsserverrd(client);
- removeclient(client);
- } else
- debug(DBG_WARN, "tlsservernew: failed to create new client instance");
- goto exit;
- }
- conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
+ if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) {
+ X509_free(cert);
+ client = addclient(conf, 1);
+ if (client) {
+ client->ssl = ssl;
+ client->addr = addr_copy((struct sockaddr *)&from);
+ tlsserverrd(client);
+ removeclient(client);
+ } else
+ debug(DBG_WARN, "tlsservernew: failed to create new client instance");
+ goto exit;
+ }
+ conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
 }
 debug(DBG_WARN, "tlsservernew: ignoring request, no matching TLS client");
 if (cert)
@@ -456,7 +470,7 @@ void *tlslistener(void *arg) {
 debug(DBG_WARN, "accept failed");
 continue;
 }
- if (pthread_create(&tlsserverth, NULL, tlsservernew, (void *)&s)) {
+ if (pthread_create(&tlsserverth, &pthread_attr, tlsservernew, (void *)&s)) {
 debug(DBG_ERR, "tlslistener: pthread_create failed");
 shutdown(s, SHUT_RDWR);
 close(s);
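Review bot: The new `accepted_tls == conf->tlsconf` guard is the security-relevant part of this hunk — it prevents a certificate that was verified against one `tls` block's trust anchors from being matched to a `client` block that names a different `tls` block — yet nothing in the code records that intent, and a later reader may take it for an optimisation; a comment above the loop such as `/* Only consider client blocks using the tls config the peer cert was verified against; another tlsconf may trust different CAs. */` would preserve the reasoning. The assignment `accepted_tls = conf->tlsconf;` sits inside a block whose opening is outside the hunk, so it is not visible here whether every path that reaches the loop with a non-NULL `cert` also sets `accepted_tls`; a path that leaves it NULL while `cert` is set can never match, which fails safe but silently. In the matching branch `X509_free(cert);` is followed by `goto exit;`, and the no-match path below frees `cert` again under `if (cert)`; adding `cert = NULL;` directly after the free keeps the two paths from turning into a double free should the exit label later be made to release it as well. The rest of tlsservernew(), including the exit label, is outside the hunk.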