1 /* Copyright (c) 2007-2009, UNINETT AS
2 * Copyright (c) 2012, NORDUnet A/S */
3 /* See LICENSE for licensing information. */
6 #include <sys/socket.h>
7 #include <netinet/in.h>
16 #include <sys/types.h>
17 #include <sys/select.h>
20 #include <arpa/inet.h>
23 #include <openssl/ssl.h>
24 #include <openssl/err.h>
25 #include "radsecproxy.h"
32 static void setprotoopts(struct commonprotoopts *opts);
33 static char **getlistenerargs();
34 void *tlslistener(void *arg);
35 int tlsconnect(struct server *server, struct timeval *when, int timeout, char *text);
36 void *tlsclientrd(void *arg);
37 int clientradputtls(struct server *server, unsigned char *rad);
40 static const struct protodefs protodefs = {
42 "radsec", /* secretdefault */
43 SOCK_STREAM, /* socktype */
44 "2083", /* portdefault */
45 0, /* retrycountdefault */
46 0, /* retrycountmax */
47 REQUEST_RETRY_INTERVAL * REQUEST_RETRY_COUNT, /* retryintervaldefault */
48 60, /* retryintervalmax */
49 DUPLICATE_INTERVAL, /* duplicateintervaldefault */
50 setprotoopts, /* setprotoopts */
51 getlistenerargs, /* getlistenerargs */
52 tlslistener, /* listener */
53 tlsconnect, /* connecter */
54 tlsclientrd, /* clientconnreader */
55 clientradputtls, /* clientradput */
57 NULL, /* addserverextra */
58 tlssetsrcres, /* setsrcres */
62 static struct addrinfo *srcres = NULL;
63 static uint8_t handle;
64 static struct commonprotoopts *protoopts = NULL;
66 const struct protodefs *tlsinit(uint8_t h) {
71 static void setprotoopts(struct commonprotoopts *opts) {
75 static char **getlistenerargs() {
76 return protoopts ? protoopts->listenargs : NULL;
82 resolvepassiveaddrinfo(protoopts ? protoopts->sourcearg : NULL,
83 AF_UNSPEC, NULL, protodefs.socktype);
86 int tlsconnect(struct server *server, struct timeval *when, int timeout, char *text) {
93 debug(DBG_DBG, "tlsconnect: called from %s", text);
94 pthread_mutex_lock(&server->lock);
95 if (when && memcmp(&server->lastconnecttry, when, sizeof(struct timeval))) {
96 /* already reconnected, nothing to do */
97 debug(DBG_DBG, "tlsconnect(%s): seems already reconnected", text);
98 pthread_mutex_unlock(&server->lock);
103 gettimeofday(&now, NULL);
104 elapsed = now.tv_sec - server->lastconnecttry.tv_sec;
105 if (timeout && server->lastconnecttry.tv_sec && elapsed > timeout) {
106 debug(DBG_DBG, "tlsconnect: timeout");
107 if (server->sock >= 0)
109 SSL_free(server->ssl);
111 pthread_mutex_unlock(&server->lock);
114 if (server->connectionok) {
115 server->connectionok = 0;
117 } else if (elapsed < 1)
119 else if (elapsed < 60) {
120 debug(DBG_INFO, "tlsconnect: sleeping %lds", elapsed);
122 } else if (elapsed < 100000) {
123 debug(DBG_INFO, "tlsconnect: sleeping %ds", 60);
126 server->lastconnecttry.tv_sec = now.tv_sec; /* no sleep at startup */
128 if (server->sock >= 0)
130 if ((server->sock = connecttcphostlist(server->conf->hostports, srcres)) < 0)
133 SSL_free(server->ssl);
135 ctx = tlsgetctx(handle, server->conf->tlsconf);
138 server->ssl = SSL_new(ctx);
142 SSL_set_fd(server->ssl, server->sock);
143 if (SSL_connect(server->ssl) <= 0) {
144 while ((error = ERR_get_error()))
145 debug(DBG_ERR, "tlsconnect: TLS: %s", ERR_error_string(error, NULL));
148 cert = verifytlscert(server->ssl);
151 if (verifyconfcert(cert, server->conf)) {
157 debug(DBG_WARN, "tlsconnect: TLS connection to %s up", server->conf->name);
158 server->connectionok = 1;
159 gettimeofday(&server->lastconnecttry, NULL);
160 pthread_mutex_unlock(&server->lock);
164 /* timeout in seconds, 0 means no timeout (blocking), returns when num bytes have been read, or timeout */
165 /* returns 0 on timeout, -1 on error and num if ok */
166 int sslreadtimeout(SSL *ssl, unsigned char *buf, int num, int timeout) {
167 int s, ndesc, cnt, len;
168 fd_set readfds, writefds;
169 struct timeval timer;
174 /* make socket non-blocking? */
175 for (len = 0; len < num; len += cnt) {
180 timer.tv_sec = timeout;
183 ndesc = select(s + 1, &readfds, &writefds, NULL, timeout ? &timer : NULL);
187 cnt = SSL_read(ssl, buf + len, num - len);
189 switch (SSL_get_error(ssl, cnt)) {
190 case SSL_ERROR_WANT_READ:
191 case SSL_ERROR_WANT_WRITE:
194 case SSL_ERROR_ZERO_RETURN:
195 /* remote end sent close_notify, send one back */
205 /* timeout in seconds, 0 means no timeout (blocking) */
206 unsigned char *radtlsget(SSL *ssl, int timeout) {
208 unsigned char buf[4], *rad;
211 cnt = sslreadtimeout(ssl, buf, 4, timeout);
213 debug(DBG_DBG, cnt ? "radtlsget: connection lost" : "radtlsget: timeout");
220 debug(DBG_ERR, "radtlsget: malloc failed");
225 cnt = sslreadtimeout(ssl, rad + 4, len - 4, timeout);
227 debug(DBG_DBG, cnt ? "radtlsget: connection lost" : "radtlsget: timeout");
236 debug(DBG_WARN, "radtlsget: packet smaller than minimum radius size");
239 debug(DBG_DBG, "radtlsget: got %d bytes", len);
243 int clientradputtls(struct server *server, unsigned char *rad) {
247 struct clsrvconf *conf = server->conf;
249 if (!server->connectionok)
252 if ((cnt = SSL_write(server->ssl, rad, len)) <= 0) {
253 while ((error = ERR_get_error()))
254 debug(DBG_ERR, "clientradputtls: TLS: %s", ERR_error_string(error, NULL));
258 debug(DBG_DBG, "clientradputtls: Sent %d bytes, Radius packet of length %d to TLS peer %s", cnt, len, conf->name);
262 void *tlsclientrd(void *arg) {
263 struct server *server = (struct server *)arg;
265 struct timeval now, lastconnecttry;
268 /* yes, lastconnecttry is really necessary */
269 lastconnecttry = server->lastconnecttry;
270 buf = radtlsget(server->ssl, server->dynamiclookuparg ? IDLE_TIMEOUT : 0);
272 if (server->dynamiclookuparg)
274 tlsconnect(server, &lastconnecttry, 0, "tlsclientrd");
280 if (server->dynamiclookuparg) {
281 gettimeofday(&now, NULL);
282 if (now.tv_sec - server->lastreply.tv_sec > IDLE_TIMEOUT) {
283 debug(DBG_INFO, "tlsclientrd: idle timeout for %s", server->conf->name);
289 server->clientrdgone = 1;
293 void *tlsserverwr(void *arg) {
296 struct client *client = (struct client *)arg;
297 struct gqueue *replyq;
298 struct request *reply;
300 debug(DBG_DBG, "tlsserverwr: starting for %s", addr2string(client->addr));
301 replyq = client->replyq;
303 pthread_mutex_lock(&replyq->mutex);
304 while (!list_first(replyq->entries)) {
306 debug(DBG_DBG, "tlsserverwr: waiting for signal");
307 pthread_cond_wait(&replyq->cond, &replyq->mutex);
308 debug(DBG_DBG, "tlsserverwr: got signal");
311 /* ssl might have changed while waiting */
312 pthread_mutex_unlock(&replyq->mutex);
313 debug(DBG_DBG, "tlsserverwr: exiting as requested");
318 reply = (struct request *)list_shift(replyq->entries);
319 pthread_mutex_unlock(&replyq->mutex);
320 cnt = SSL_write(client->ssl, reply->replybuf, RADLEN(reply->replybuf));
322 debug(DBG_DBG, "tlsserverwr: sent %d bytes, Radius packet of length %d to %s",
323 cnt, RADLEN(reply->replybuf), addr2string(client->addr));
325 while ((error = ERR_get_error()))
326 debug(DBG_ERR, "tlsserverwr: SSL: %s", ERR_error_string(error, NULL));
331 void tlsserverrd(struct client *client) {
334 pthread_t tlsserverwrth;
336 debug(DBG_DBG, "tlsserverrd: starting for %s", addr2string(client->addr));
338 if (pthread_create(&tlsserverwrth, NULL, tlsserverwr, (void *)client)) {
339 debug(DBG_ERR, "tlsserverrd: pthread_create failed");
344 buf = radtlsget(client->ssl, 0);
346 debug(DBG_ERR, "tlsserverrd: connection from %s lost", addr2string(client->addr));
349 debug(DBG_DBG, "tlsserverrd: got Radius message from %s", addr2string(client->addr));
358 debug(DBG_ERR, "tlsserverrd: message authentication/validation failed, closing connection from %s", addr2string(client->addr));
363 /* stop writer by setting ssl to NULL and give signal in case waiting for data */
365 pthread_mutex_lock(&client->replyq->mutex);
366 pthread_cond_signal(&client->replyq->cond);
367 pthread_mutex_unlock(&client->replyq->mutex);
368 debug(DBG_DBG, "tlsserverrd: waiting for writer to end");
369 pthread_join(tlsserverwrth, NULL);
370 debug(DBG_DBG, "tlsserverrd: reader for %s exiting", addr2string(client->addr));
373 void *tlsservernew(void *arg) {
375 struct sockaddr_storage from;
376 socklen_t fromlen = sizeof(from);
377 struct clsrvconf *conf;
378 struct list_node *cur = NULL;
383 struct client *client;
384 struct tls *accepted_tls = NULL;
387 if (getpeername(s, (struct sockaddr *)&from, &fromlen)) {
388 debug(DBG_DBG, "tlsservernew: getpeername failed, exiting");
391 debug(DBG_WARN, "tlsservernew: incoming TLS connection from %s", addr2string((struct sockaddr *)&from));
393 conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
395 ctx = tlsgetctx(handle, conf->tlsconf);
403 if (SSL_accept(ssl) <= 0) {
404 while ((error = ERR_get_error()))
405 debug(DBG_ERR, "tlsservernew: SSL: %s", ERR_error_string(error, NULL));
406 debug(DBG_ERR, "tlsservernew: SSL_accept failed");
409 cert = verifytlscert(ssl);
412 accepted_tls = conf->tlsconf;
416 if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) {
418 client = addclient(conf, 1);
421 client->addr = addr_copy((struct sockaddr *)&from);
423 removeclient(client);
425 debug(DBG_WARN, "tlsservernew: failed to create new client instance");
428 conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
430 debug(DBG_WARN, "tlsservernew: ignoring request, no matching TLS client");
440 shutdown(s, SHUT_RDWR);
445 void *tlslistener(void *arg) {
446 pthread_t tlsserverth;
447 int s, *sp = (int *)arg;
448 struct sockaddr_storage from;
449 socklen_t fromlen = sizeof(from);
454 s = accept(*sp, (struct sockaddr *)&from, &fromlen);
456 debug(DBG_WARN, "accept failed");
459 if (pthread_create(&tlsserverth, NULL, tlsservernew, (void *)&s)) {
460 debug(DBG_ERR, "tlslistener: pthread_create failed");
461 shutdown(s, SHUT_RDWR);
465 pthread_detach(tlsserverth);
471 const struct protodefs *tlsinit(uint8_t h) {
476 /* Local Variables: */
477 /* c-file-style: "stroustrup" */