2 * Copyright (C) 2006-2008 Stig Venaas <venaas@uninett.no>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
10 #include <sys/socket.h>
11 #include <netinet/in.h>
20 #include <sys/types.h>
21 #include <sys/select.h>
24 #include <arpa/inet.h>
27 #include <openssl/ssl.h>
28 #include <openssl/err.h>
30 #include "radsecproxy.h"
36 static void setprotoopts(struct commonprotoopts *opts);
37 static char **getlistenerargs();
38 void *tlslistener(void *arg);
39 int tlsconnect(struct server *server, struct timeval *when, int timeout, char *text);
40 void *tlsclientrd(void *arg);
41 int clientradputtls(struct server *server, unsigned char *rad);
44 static const struct protodefs protodefs = {
46 "mysecret", /* secretdefault */
47 SOCK_STREAM, /* socktype */
48 "2083", /* portdefault */
49 0, /* retrycountdefault */
50 0, /* retrycountmax */
51 REQUEST_RETRY_INTERVAL * REQUEST_RETRY_COUNT, /* retryintervaldefault */
52 60, /* retryintervalmax */
53 DUPLICATE_INTERVAL, /* duplicateintervaldefault */
54 setprotoopts, /* setprotoopts */
55 getlistenerargs, /* getlistenerargs */
56 tlslistener, /* listener */
57 tlsconnect, /* connecter */
58 tlsclientrd, /* clientconnreader */
59 clientradputtls, /* clientradput */
61 NULL, /* addserverextra */
62 tlssetsrcres, /* setsrcres */
66 static struct addrinfo *srcres = NULL;
67 static uint8_t handle;
68 static struct commonprotoopts *protoopts = NULL;
70 const struct protodefs *tlsinit(uint8_t h) {
75 static void setprotoopts(struct commonprotoopts *opts) {
79 static char **getlistenerargs() {
80 return protoopts ? protoopts->listenargs : NULL;
85 srcres = resolve_hostport_addrinfo(handle, protoopts ? protoopts->sourcearg : NULL);
89 int tlsconnect(struct server *server, struct timeval *when, int timeout, char *text) {
96 debug(DBG_DBG, "tlsconnect: called from %s", text);
97 pthread_mutex_lock(&server->lock);
98 if (when && memcmp(&server->lastconnecttry, when, sizeof(struct timeval))) {
99 /* already reconnected, nothing to do */
100 debug(DBG_DBG, "tlsconnect(%s): seems already reconnected", text);
101 pthread_mutex_unlock(&server->lock);
106 gettimeofday(&now, NULL);
107 elapsed = now.tv_sec - server->lastconnecttry.tv_sec;
108 if (timeout && server->lastconnecttry.tv_sec && elapsed > timeout) {
109 debug(DBG_DBG, "tlsconnect: timeout");
110 if (server->sock >= 0)
112 SSL_free(server->ssl);
114 pthread_mutex_unlock(&server->lock);
117 if (server->connectionok) {
118 server->connectionok = 0;
120 } else if (elapsed < 1)
122 else if (elapsed < 60) {
123 debug(DBG_INFO, "tlsconnect: sleeping %lds", elapsed);
125 } else if (elapsed < 100000) {
126 debug(DBG_INFO, "tlsconnect: sleeping %ds", 60);
129 server->lastconnecttry.tv_sec = now.tv_sec; /* no sleep at startup */
130 debug(DBG_WARN, "tlsconnect: trying to open TLS connection to %s port %s", server->conf->host, server->conf->port);
131 if (server->sock >= 0)
133 if ((server->sock = connecttcp(server->conf->addrinfo, srcres)) < 0) {
134 debug(DBG_ERR, "tlsconnect: connecttcp failed");
138 SSL_free(server->ssl);
140 ctx = tlsgetctx(handle, server->conf->tlsconf);
143 server->ssl = SSL_new(ctx);
147 SSL_set_fd(server->ssl, server->sock);
148 if (SSL_connect(server->ssl) <= 0) {
149 while ((error = ERR_get_error()))
150 debug(DBG_ERR, "tlsconnect: TLS: %s", ERR_error_string(error, NULL));
153 cert = verifytlscert(server->ssl);
156 if (verifyconfcert(cert, server->conf)) {
162 debug(DBG_WARN, "tlsconnect: TLS connection to %s port %s up", server->conf->host, server->conf->port);
163 server->connectionok = 1;
164 gettimeofday(&server->lastconnecttry, NULL);
165 pthread_mutex_unlock(&server->lock);
169 /* timeout in seconds, 0 means no timeout (blocking), returns when num bytes have been read, or timeout */
170 /* returns 0 on timeout, -1 on error and num if ok */
171 int sslreadtimeout(SSL *ssl, unsigned char *buf, int num, int timeout) {
172 int s, ndesc, cnt, len;
173 fd_set readfds, writefds;
174 struct timeval timer;
179 /* make socket non-blocking? */
180 for (len = 0; len < num; len += cnt) {
185 timer.tv_sec = timeout;
188 ndesc = select(s + 1, &readfds, &writefds, NULL, timeout ? &timer : NULL);
192 cnt = SSL_read(ssl, buf + len, num - len);
194 switch (SSL_get_error(ssl, cnt)) {
195 case SSL_ERROR_WANT_READ:
196 case SSL_ERROR_WANT_WRITE:
199 case SSL_ERROR_ZERO_RETURN:
200 /* remote end sent close_notify, send one back */
210 /* timeout in seconds, 0 means no timeout (blocking) */
211 unsigned char *radtlsget(SSL *ssl, int timeout) {
213 unsigned char buf[4], *rad;
216 cnt = sslreadtimeout(ssl, buf, 4, timeout);
218 debug(DBG_DBG, cnt ? "radtlsget: connection lost" : "radtlsget: timeout");
225 debug(DBG_ERR, "radtlsget: malloc failed");
230 cnt = sslreadtimeout(ssl, rad + 4, len - 4, timeout);
232 debug(DBG_DBG, cnt ? "radtlsget: connection lost" : "radtlsget: timeout");
241 debug(DBG_WARN, "radtlsget: packet smaller than minimum radius size");
244 debug(DBG_DBG, "radtlsget: got %d bytes", len);
248 int clientradputtls(struct server *server, unsigned char *rad) {
252 struct clsrvconf *conf = server->conf;
254 if (!server->connectionok)
257 if ((cnt = SSL_write(server->ssl, rad, len)) <= 0) {
258 while ((error = ERR_get_error()))
259 debug(DBG_ERR, "clientradputtls: TLS: %s", ERR_error_string(error, NULL));
263 debug(DBG_DBG, "clientradputtls: Sent %d bytes, Radius packet of length %d to TLS peer %s", cnt, len, conf->host);
267 void *tlsclientrd(void *arg) {
268 struct server *server = (struct server *)arg;
270 struct timeval now, lastconnecttry;
273 /* yes, lastconnecttry is really necessary */
274 lastconnecttry = server->lastconnecttry;
275 buf = radtlsget(server->ssl, server->dynamiclookuparg ? IDLE_TIMEOUT : 0);
277 if (server->dynamiclookuparg)
279 tlsconnect(server, &lastconnecttry, 0, "tlsclientrd");
285 if (server->dynamiclookuparg) {
286 gettimeofday(&now, NULL);
287 if (now.tv_sec - server->lastreply.tv_sec > IDLE_TIMEOUT) {
288 debug(DBG_INFO, "tlsclientrd: idle timeout for %s", server->conf->name);
294 server->clientrdgone = 1;
298 void *tlsserverwr(void *arg) {
301 struct client *client = (struct client *)arg;
302 struct gqueue *replyq;
303 struct request *reply;
305 debug(DBG_DBG, "tlsserverwr: starting for %s", addr2string(client->addr));
306 replyq = client->replyq;
308 pthread_mutex_lock(&replyq->mutex);
309 while (!list_first(replyq->entries)) {
311 debug(DBG_DBG, "tlsserverwr: waiting for signal");
312 pthread_cond_wait(&replyq->cond, &replyq->mutex);
313 debug(DBG_DBG, "tlsserverwr: got signal");
316 /* ssl might have changed while waiting */
317 pthread_mutex_unlock(&replyq->mutex);
318 debug(DBG_DBG, "tlsserverwr: exiting as requested");
323 reply = (struct request *)list_shift(replyq->entries);
324 pthread_mutex_unlock(&replyq->mutex);
325 cnt = SSL_write(client->ssl, reply->replybuf, RADLEN(reply->replybuf));
327 debug(DBG_DBG, "tlsserverwr: sent %d bytes, Radius packet of length %d to %s",
328 cnt, RADLEN(reply->replybuf), addr2string(client->addr));
330 while ((error = ERR_get_error()))
331 debug(DBG_ERR, "tlsserverwr: SSL: %s", ERR_error_string(error, NULL));
336 void tlsserverrd(struct client *client) {
339 pthread_t tlsserverwrth;
341 debug(DBG_DBG, "tlsserverrd: starting for %s", addr2string(client->addr));
343 if (pthread_create(&tlsserverwrth, NULL, tlsserverwr, (void *)client)) {
344 debug(DBG_ERR, "tlsserverrd: pthread_create failed");
349 buf = radtlsget(client->ssl, 0);
351 debug(DBG_ERR, "tlsserverrd: connection from %s lost", addr2string(client->addr));
354 debug(DBG_DBG, "tlsserverrd: got Radius message from %s", addr2string(client->addr));
363 debug(DBG_ERR, "tlsserverrd: message authentication/validation failed, closing connection from %s", addr2string(client->addr));
368 /* stop writer by setting ssl to NULL and give signal in case waiting for data */
370 pthread_mutex_lock(&client->replyq->mutex);
371 pthread_cond_signal(&client->replyq->cond);
372 pthread_mutex_unlock(&client->replyq->mutex);
373 debug(DBG_DBG, "tlsserverrd: waiting for writer to end");
374 pthread_join(tlsserverwrth, NULL);
375 debug(DBG_DBG, "tlsserverrd: reader for %s exiting", addr2string(client->addr));
378 void *tlsservernew(void *arg) {
380 struct sockaddr_storage from;
381 socklen_t fromlen = sizeof(from);
382 struct clsrvconf *conf;
383 struct list_node *cur = NULL;
388 struct client *client;
391 if (getpeername(s, (struct sockaddr *)&from, &fromlen)) {
392 debug(DBG_DBG, "tlsservernew: getpeername failed, exiting");
395 debug(DBG_WARN, "tlsservernew: incoming TLS connection from %s", addr2string((struct sockaddr *)&from));
397 conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
399 ctx = tlsgetctx(handle, conf->tlsconf);
407 if (SSL_accept(ssl) <= 0) {
408 while ((error = ERR_get_error()))
409 debug(DBG_ERR, "tlsservernew: SSL: %s", ERR_error_string(error, NULL));
410 debug(DBG_ERR, "tlsservernew: SSL_accept failed");
413 cert = verifytlscert(ssl);
419 if (verifyconfcert(cert, conf)) {
421 client = addclient(conf, 1);
424 client->addr = addr_copy((struct sockaddr *)&from);
426 removeclient(client);
428 debug(DBG_WARN, "tlsservernew: failed to create new client instance");
431 conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
433 debug(DBG_WARN, "tlsservernew: ignoring request, no matching TLS client");
443 shutdown(s, SHUT_RDWR);
448 void *tlslistener(void *arg) {
449 pthread_t tlsserverth;
450 int s, *sp = (int *)arg;
451 struct sockaddr_storage from;
452 socklen_t fromlen = sizeof(from);
457 s = accept(*sp, (struct sockaddr *)&from, &fromlen);
459 debug(DBG_WARN, "accept failed");
462 if (pthread_create(&tlsserverth, NULL, tlsservernew, (void *)&s)) {
463 debug(DBG_ERR, "tlslistener: pthread_create failed");
464 shutdown(s, SHUT_RDWR);
468 pthread_detach(tlsserverth);
474 const struct protodefs *tlsinit(uint8_t h) {