/* See the file COPYING for licensing information.  */

#if defined HAVE_CONFIG_H
#include <config.h>
#endif

#include <assert.h>
#include <openssl/ssl.h>
#include <radsec/radsec.h>
#include <radsec/radsec-impl.h>

#include <regex.h>
#include "rsp_list.h"
#include "../radsecproxy.h"

static struct tls *
_get_tlsconf (struct rs_connection *conn, const struct rs_realm *realm)
{
  struct tls *c = rs_malloc (conn->ctx, sizeof (struct tls));

  if (c)
    {
      memset (c, 0, sizeof (struct tls));
      /* TODO: Make sure old radsecproxy code doesn't free these all
	 of a sudden, or strdup them.  */
      c->name = realm->name;
      c->cacertfile = realm->cacertfile;
      c->cacertpath = NULL;	/* NYI */
      c->certfile = realm->certfile;
      c->certkeyfile = realm->certkeyfile;
      c->certkeypwd = NULL;	/* NYI */
      c->cacheexpiry = 0;	/* NYI */
      c->crlcheck = 0;		/* NYI */
      c->policyoids = (char **) NULL; /* NYI */
    }
    else
      rs_err_conn_push_fl (conn, RSE_NOMEM, __FILE__, __LINE__, NULL);

  return c;
}

int
rs_tls_init (struct rs_connection *conn)
{
  struct rs_context *ctx;
  struct tls *tlsconf;
  SSL_CTX *ssl_ctx;
  SSL *ssl;
  assert (conn->ctx);
  ctx = conn->ctx;

  tlsconf = _get_tlsconf (conn, conn->active_peer->realm);
  if (!tlsconf)
    return -1;
  ssl_ctx = tlsgetctx (RADPROT_TLS, tlsconf);
  if (!ssl_ctx)
    {
      /* TODO: check radsecproxy error  */
      return rs_err_conn_push_fl (conn, RSE_SOME_ERROR, __FILE__, __LINE__,
				  NULL);
    }

  ssl = SSL_new (ssl_ctx);
  if (!ssl)
    {
      /* TODO: check and report SSL error  */
      /* TODO: free ssl_ctx  */
      return rs_err_conn_push_fl (conn, RSE_SOME_ERROR, __FILE__, __LINE__,
				  NULL);
    }

  conn->tls_ctx = ssl_ctx;
  conn->tls_ssl = ssl;
  rs_free (ctx, tlsconf);
  return RSE_OK;
}