2 * Copyright (C) 2006-2008 Stig Venaas <venaas@uninett.no>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
10 #include <sys/socket.h>
11 #include <netinet/in.h>
20 #include <sys/types.h>
21 #include <sys/select.h>
24 #include <arpa/inet.h>
27 #include <openssl/ssl.h>
28 #include <openssl/err.h>
32 #include "radsecproxy.h"
35 int tlsconnect(struct server *server, struct timeval *when, int timeout, char *text) {
41 debug(DBG_DBG, "tlsconnect: called from %s", text);
42 pthread_mutex_lock(&server->lock);
43 if (when && memcmp(&server->lastconnecttry, when, sizeof(struct timeval))) {
44 /* already reconnected, nothing to do */
45 debug(DBG_DBG, "tlsconnect(%s): seems already reconnected", text);
46 pthread_mutex_unlock(&server->lock);
51 gettimeofday(&now, NULL);
52 elapsed = now.tv_sec - server->lastconnecttry.tv_sec;
53 if (timeout && server->lastconnecttry.tv_sec && elapsed > timeout) {
54 debug(DBG_DBG, "tlsconnect: timeout");
55 if (server->sock >= 0)
57 SSL_free(server->ssl);
59 pthread_mutex_unlock(&server->lock);
62 if (server->connectionok) {
63 server->connectionok = 0;
65 } else if (elapsed < 1)
67 else if (elapsed < 60) {
68 debug(DBG_INFO, "tlsconnect: sleeping %lds", elapsed);
70 } else if (elapsed < 100000) {
71 debug(DBG_INFO, "tlsconnect: sleeping %ds", 60);
74 server->lastconnecttry.tv_sec = now.tv_sec; /* no sleep at startup */
75 debug(DBG_WARN, "tlsconnect: trying to open TLS connection to %s port %s", server->conf->host, server->conf->port);
76 if (server->sock >= 0)
78 if ((server->sock = connecttcp(server->conf->addrinfo, getsrcprotores(RAD_TLS))) < 0) {
79 debug(DBG_ERR, "tlsconnect: connecttcp failed");
83 SSL_free(server->ssl);
84 server->ssl = SSL_new(server->conf->ssl_ctx);
85 SSL_set_fd(server->ssl, server->sock);
86 if (SSL_connect(server->ssl) <= 0) {
87 while ((error = ERR_get_error()))
88 debug(DBG_ERR, "tlsconnect: TLS: %s", ERR_error_string(error, NULL));
91 cert = verifytlscert(server->ssl);
94 if (verifyconfcert(cert, server->conf)) {
100 debug(DBG_WARN, "tlsconnect: TLS connection to %s port %s up", server->conf->host, server->conf->port);
101 gettimeofday(&server->lastconnecttry, NULL);
102 pthread_mutex_unlock(&server->lock);
106 /* timeout in seconds, 0 means no timeout (blocking), returns when num bytes have been read, or timeout */
107 /* returns 0 on timeout, -1 on error and num if ok */
108 int sslreadtimeout(SSL *ssl, unsigned char *buf, int num, int timeout) {
109 int s, ndesc, cnt, len;
110 fd_set readfds, writefds;
111 struct timeval timer;
116 /* make socket non-blocking? */
117 for (len = 0; len < num; len += cnt) {
122 timer.tv_sec = timeout;
125 ndesc = select(s + 1, &readfds, &writefds, NULL, timeout ? &timer : NULL);
129 cnt = SSL_read(ssl, buf + len, num - len);
131 switch (SSL_get_error(ssl, cnt)) {
132 case SSL_ERROR_WANT_READ:
133 case SSL_ERROR_WANT_WRITE:
136 case SSL_ERROR_ZERO_RETURN:
137 /* remote end sent close_notify, send one back */
147 /* timeout in seconds, 0 means no timeout (blocking) */
148 unsigned char *radtlsget(SSL *ssl, int timeout) {
150 unsigned char buf[4], *rad;
153 cnt = sslreadtimeout(ssl, buf, 4, timeout);
155 debug(DBG_DBG, cnt ? "radtlsget: connection lost" : "radtlsget: timeout");
162 debug(DBG_ERR, "radtlsget: malloc failed");
167 cnt = sslreadtimeout(ssl, rad + 4, len - 4, timeout);
169 debug(DBG_DBG, cnt ? "radtlsget: connection lost" : "radtlsget: timeout");
178 debug(DBG_WARN, "radtlsget: packet smaller than minimum radius size");
181 debug(DBG_DBG, "radtlsget: got %d bytes", len);
185 int clientradputtls(struct server *server, unsigned char *rad) {
189 struct timeval lastconnecttry;
190 struct clsrvconf *conf = server->conf;
193 lastconnecttry = server->lastconnecttry;
194 while ((cnt = SSL_write(server->ssl, rad, len)) <= 0) {
195 while ((error = ERR_get_error()))
196 debug(DBG_ERR, "clientradputtls: TLS: %s", ERR_error_string(error, NULL));
197 if (server->dynamiclookuparg)
199 tlsconnect(server, &lastconnecttry, 0, "clientradputtls");
200 lastconnecttry = server->lastconnecttry;
203 server->connectionok = 1;
204 debug(DBG_DBG, "clientradputtls: Sent %d bytes, Radius packet of length %d to TLS peer %s", cnt, len, conf->host);
208 void *tlsclientrd(void *arg) {
209 struct server *server = (struct server *)arg;
211 struct timeval now, lastconnecttry;
214 /* yes, lastconnecttry is really necessary */
215 lastconnecttry = server->lastconnecttry;
216 buf = radtlsget(server->ssl, server->dynamiclookuparg ? IDLE_TIMEOUT : 0);
218 if (server->dynamiclookuparg)
220 tlsconnect(server, &lastconnecttry, 0, "tlsclientrd");
226 if (server->dynamiclookuparg) {
227 gettimeofday(&now, NULL);
228 if (now.tv_sec - server->lastreply.tv_sec > IDLE_TIMEOUT) {
229 debug(DBG_INFO, "tlsclientrd: idle timeout for %s", server->conf->name);
235 server->clientrdgone = 1;
239 void *tlsserverwr(void *arg) {
242 struct client *client = (struct client *)arg;
243 struct queue *replyq;
246 debug(DBG_DBG, "tlsserverwr: starting for %s", client->conf->host);
247 replyq = client->replyq;
249 pthread_mutex_lock(&replyq->mutex);
250 while (!list_first(replyq->entries)) {
252 debug(DBG_DBG, "tlsserverwr: waiting for signal");
253 pthread_cond_wait(&replyq->cond, &replyq->mutex);
254 debug(DBG_DBG, "tlsserverwr: got signal");
257 /* ssl might have changed while waiting */
258 pthread_mutex_unlock(&replyq->mutex);
259 debug(DBG_DBG, "tlsserverwr: exiting as requested");
264 reply = (struct reply *)list_shift(replyq->entries);
265 pthread_mutex_unlock(&replyq->mutex);
266 cnt = SSL_write(client->ssl, reply->buf, RADLEN(reply->buf));
268 debug(DBG_DBG, "tlsserverwr: sent %d bytes, Radius packet of length %d",
269 cnt, RADLEN(reply->buf));
271 while ((error = ERR_get_error()))
272 debug(DBG_ERR, "tlsserverwr: SSL: %s", ERR_error_string(error, NULL));
278 void tlsserverrd(struct client *client) {
280 pthread_t tlsserverwrth;
282 debug(DBG_DBG, "tlsserverrd: starting for %s", client->conf->host);
284 if (pthread_create(&tlsserverwrth, NULL, tlsserverwr, (void *)client)) {
285 debug(DBG_ERR, "tlsserverrd: pthread_create failed");
290 memset(&rq, 0, sizeof(struct request));
291 rq.buf = radtlsget(client->ssl, 0);
293 debug(DBG_ERR, "tlsserverrd: connection from %s lost", client->conf->host);
296 debug(DBG_DBG, "tlsserverrd: got Radius message from %s", client->conf->host);
299 debug(DBG_ERR, "tlsserverrd: message authentication/validation failed, closing connection from %s", client->conf->host);
304 /* stop writer by setting ssl to NULL and give signal in case waiting for data */
306 pthread_mutex_lock(&client->replyq->mutex);
307 pthread_cond_signal(&client->replyq->cond);
308 pthread_mutex_unlock(&client->replyq->mutex);
309 debug(DBG_DBG, "tlsserverrd: waiting for writer to end");
310 pthread_join(tlsserverwrth, NULL);
311 removeclientrqs(client);
312 debug(DBG_DBG, "tlsserverrd: reader for %s exiting", client->conf->host);
315 void *tlsservernew(void *arg) {
317 struct sockaddr_storage from;
318 size_t fromlen = sizeof(from);
319 struct clsrvconf *conf;
320 struct list_node *cur = NULL;
324 struct client *client;
327 if (getpeername(s, (struct sockaddr *)&from, &fromlen)) {
328 debug(DBG_DBG, "tlsservernew: getpeername failed, exiting");
331 debug(DBG_WARN, "tlsservernew: incoming TLS connection from %s", addr2string((struct sockaddr *)&from, fromlen));
333 conf = find_clconf(RAD_TLS, (struct sockaddr *)&from, &cur);
335 ssl = SSL_new(conf->ssl_ctx);
338 if (SSL_accept(ssl) <= 0) {
339 while ((error = ERR_get_error()))
340 debug(DBG_ERR, "tlsservernew: SSL: %s", ERR_error_string(error, NULL));
341 debug(DBG_ERR, "tlsservernew: SSL_accept failed");
344 cert = verifytlscert(ssl);
350 if (verifyconfcert(cert, conf)) {
352 client = addclient(conf);
356 removeclient(client);
358 debug(DBG_WARN, "tlsservernew: failed to create new client instance");
361 conf = find_clconf(RAD_TLS, (struct sockaddr *)&from, &cur);
363 debug(DBG_WARN, "tlsservernew: ignoring request, no matching TLS client");
373 shutdown(s, SHUT_RDWR);
378 void *tlslistener(void *arg) {
379 pthread_t tlsserverth;
380 int s, *sp = (int *)arg;
381 struct sockaddr_storage from;
382 size_t fromlen = sizeof(from);
387 s = accept(*sp, (struct sockaddr *)&from, &fromlen);
389 debug(DBG_WARN, "accept failed");
392 if (pthread_create(&tlsserverth, NULL, tlsservernew, (void *)&s)) {
393 debug(DBG_ERR, "tlslistener: pthread_create failed");
394 shutdown(s, SHUT_RDWR);
398 pthread_detach(tlsserverth);
projects / libradsec.git / blob