diff options
| -rw-r--r-- | Makefile | 2 | ||||
| -rw-r--r-- | Makefile.am | 4 | ||||
| -rw-r--r-- | configure.ac | 2 | ||||
| -rw-r--r-- | dtls.c | 473 | ||||
| -rw-r--r-- | dtls.h | 14 | ||||
| -rw-r--r-- | radsecproxy.c | 455 | ||||
| -rw-r--r-- | radsecproxy.h | 10 |
7 files changed, 513 insertions, 447 deletions
@@ -1,6 +1,6 @@ CFLAGS = -g -Wall -pedantic -pthread LDFLAGS = -lssl -OBJ = util.o debug.o list.o gconfig.o radsecproxy.o +OBJ = util.o debug.o list.o gconfig.o dtls.o radsecproxy.o all: radsecproxy diff --git a/Makefile.am b/Makefile.am index eb4b1d2..ad22fc1 100644 --- a/Makefile.am +++ b/Makefile.am @@ -5,11 +5,13 @@ radsecproxy_SOURCES = radsecproxy.c \ util.c \ debug.c \ list.c \ + dtls.c \ radsecproxy.h \ gconfig.h \ debug.h \ util.h \ - list.h + list.h \ + dtls.h radsecproxy_CFLAGS = -g -Wall -pedantic -pthread @SSL_CFLAGS@ @TARGET_CFLAGS@ radsecproxy_LDFLAGS = @SSL_LDFLAGS@ @TARGET_LDFLAGS@ diff --git a/configure.ac b/configure.ac index 444ee64..65f386e 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT(radsecproxy, 1.2-devel, venaas@uninett.no) +AC_INIT(radsecproxy, 2.0-devel, venaas@uninett.no) AM_INIT_AUTOMAKE AC_PROG_CC AM_PROG_CC_C_O @@ -0,0 +1,473 @@ +/* + * Copyright (C) 2008 Stig Venaas <venaas@uninett.no> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + */ + +#include <signal.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <netdb.h> +#include <string.h> +#include <unistd.h> +#include <limits.h> +#ifdef SYS_SOLARIS9 +#include <fcntl.h> +#endif +#include <sys/time.h> +#include <sys/types.h> +#include <sys/select.h> +#include <ctype.h> +#include <sys/wait.h> +#include <arpa/inet.h> +#include <regex.h> +#include <pthread.h> +#include <openssl/ssl.h> +#include <openssl/err.h> +#include "debug.h" +#include "list.h" +#include "util.h" +#include "radsecproxy.h" +#include "dtls.h" + +int udp2bio(int s, struct queue *q, int cnt) { + unsigned char *buf; + BIO *rbio; + + if (cnt < 1) + return 0; + + buf = malloc(cnt); + if (!buf) { + unsigned char err; + debug(DBG_ERR, "udp2bio: malloc failed"); + recv(s, &err, 1, 0); + return 0; + } + + cnt = recv(s, buf, cnt, 0); + if (cnt < 1) { + debug(DBG_WARN, "udp2bio: recv failed"); + free(buf); + return 0; + } + + rbio = BIO_new_mem_buf(buf, cnt); + BIO_set_mem_eof_return(rbio, -1); + + pthread_mutex_lock(&q->mutex); + if (!list_push(q->entries, rbio)) { + BIO_free(rbio); + pthread_mutex_unlock(&q->mutex); + return 0; + } + pthread_cond_signal(&q->cond); + pthread_mutex_unlock(&q->mutex); + return 1; +} + +BIO *getrbio(SSL *ssl, struct queue *q, int timeout) { + BIO *rbio; + struct timeval now; + struct timespec to; + + pthread_mutex_lock(&q->mutex); + if (!(rbio = (BIO *)list_shift(q->entries))) { + if (timeout) { + gettimeofday(&now, NULL); + memset(&to, 0, sizeof(struct timespec)); + to.tv_sec = now.tv_sec + timeout; + pthread_cond_timedwait(&q->cond, &q->mutex, &to); + } else + pthread_cond_wait(&q->cond, &q->mutex); + rbio = (BIO *)list_shift(q->entries); + } + pthread_mutex_unlock(&q->mutex); + return rbio; +} + +void *udpdtlsserverrd(void *arg) { + int cnt, s = *(int *)arg; + unsigned char buf[4]; + struct sockaddr_storage from; + socklen_t fromlen = sizeof(from); + struct clsrvconf *conf; + struct list_node *node; + struct client *client; + fd_set readfds; + pthread_t dtlsserverth; + + for (;;) { + FD_ZERO(&readfds); + FD_SET(s, &readfds); + if (select(s + 1, &readfds, NULL, NULL, NULL) < 1) + continue; + cnt = recvfrom(s, buf, 4, MSG_PEEK | MSG_TRUNC, (struct sockaddr *)&from, &fromlen); + if (cnt == -1) { + debug(DBG_WARN, "udpdtlsserverrd: recv failed"); + continue; + } + conf = find_clconf(RAD_DTLS, (struct sockaddr *)&from, NULL); + if (!conf) { + debug(DBG_WARN, "udpdtlsserverrd: got packet from wrong or unknown DTLS peer %s, ignoring", addr2string((struct sockaddr *)&from, fromlen)); + recv(s, buf, 4, 0); + continue; + } + + node = list_first(conf->clients); + if (node) + client = (struct client *)node->data; + else { + client = addclient(conf); + if (!client) { + recv(s, buf, 4, 0); + continue; + } + client->sock = s; + memcpy(&client->addr, &from, fromlen); + if (pthread_create(&dtlsserverth, NULL, dtlsservernew, (void *)client)) { + debug(DBG_ERR, "udpdtlsserverrd: pthread_create failed"); + removeclient(client); + recv(s, buf, 4, 0); + continue; + } + pthread_detach(dtlsserverth); + } + if (udp2bio(s, client->rbios, cnt)) + debug(DBG_DBG, "udpdtlsserverrd: got DTLS in UDP from %s", addr2string((struct sockaddr *)&from, fromlen)); + } +} + +void *dtlsserverwr(void *arg) { + int cnt; + unsigned long error; + struct client *client = (struct client *)arg; + struct queue *replyq; + struct reply *reply; + + debug(DBG_DBG, "dtlsserverwr: starting for %s", client->conf->host); + replyq = client->replyq; + for (;;) { + pthread_mutex_lock(&replyq->mutex); + while (!list_first(replyq->entries)) { + if (client->ssl) { + debug(DBG_DBG, "dtlsserverwr: waiting for signal"); + pthread_cond_wait(&replyq->cond, &replyq->mutex); + debug(DBG_DBG, "dtlsserverwr: got signal"); + } + if (!client->ssl) { + /* ssl might have changed while waiting */ + pthread_mutex_unlock(&replyq->mutex); + debug(DBG_DBG, "dtlsserverwr: exiting as requested"); + ERR_remove_state(0); + pthread_exit(NULL); + } + } + reply = (struct reply *)list_shift(replyq->entries); + pthread_mutex_unlock(&replyq->mutex); + cnt = SSL_write(client->ssl, reply->buf, RADLEN(reply->buf)); + if (cnt > 0) + debug(DBG_DBG, "dtlsserverwr: sent %d bytes, Radius packet of length %d", + cnt, RADLEN(reply->buf)); + else + while ((error = ERR_get_error())) + debug(DBG_ERR, "dtlsserverwr: SSL: %s", ERR_error_string(error, NULL)); + free(reply->buf); + free(reply); + } +} + +int dtlsread(SSL *ssl, struct queue *q, unsigned char *buf, int num) { + int len, cnt; + + for (len = 0; len < num; len += cnt) { + cnt = SSL_read(ssl, buf + len, num - len); + if (cnt <= 0) + switch (cnt = SSL_get_error(ssl, cnt)) { + case SSL_ERROR_WANT_READ: + BIO_free(ssl->rbio); + ssl->rbio = getrbio(ssl, q, 0); + if (!ssl->rbio) + return -1; + cnt = 0; + continue; + case SSL_ERROR_WANT_WRITE: + cnt = 0; + continue; + case SSL_ERROR_ZERO_RETURN: + /* remote end sent close_notify, send one back */ + SSL_shutdown(ssl); + return -1; + default: + return -1; + } + } + return num; +} + +unsigned char *raddtlsget(SSL *ssl, struct queue *rbios) { + int cnt, len; + unsigned char buf[4], *rad; + + for (;;) { + cnt = dtlsread(ssl, rbios, buf, 4); + if (cnt < 1) { + debug(DBG_DBG, "raddtlsget: connection lost"); + return NULL; + } + + len = RADLEN(buf); + rad = malloc(len); + if (!rad) { + debug(DBG_ERR, "raddtlsget: malloc failed"); + continue; + } + memcpy(rad, buf, 4); + + cnt = dtlsread(ssl, rbios, rad + 4, len - 4); + if (cnt < 1) { + debug(DBG_DBG, "raddtlsget: connection lost"); + free(rad); + return NULL; + } + + if (len >= 20) + break; + + free(rad); + debug(DBG_WARN, "raddtlsget: packet smaller than minimum radius size"); + } + + debug(DBG_DBG, "raddtlsget: got %d bytes", len); + return rad; +} + +void dtlsserverrd(struct client *client) { + struct request rq; + pthread_t dtlsserverwrth; + + debug(DBG_DBG, "dtlsserverrd: starting for %s", client->conf->host); + + if (pthread_create(&dtlsserverwrth, NULL, dtlsserverwr, (void *)client)) { + debug(DBG_ERR, "dtlsserverrd: pthread_create failed"); + return; + } + + for (;;) { + memset(&rq, 0, sizeof(struct request)); + rq.buf = raddtlsget(client->ssl, client->rbios); + if (!rq.buf) { + debug(DBG_ERR, "dtlsserverrd: connection from %s lost", client->conf->host); + break; + } + debug(DBG_DBG, "dtlsserverrd: got Radius message from %s", client->conf->host); + rq.from = client; + if (!radsrv(&rq)) { + debug(DBG_ERR, "dtlsserverrd: message authentication/validation failed, closing connection from %s", client->conf->host); + break; + } + } + + /* stop writer by setting ssl to NULL and give signal in case waiting for data */ + client->ssl = NULL; + + pthread_mutex_lock(&client->replyq->mutex); + pthread_cond_signal(&client->replyq->cond); + pthread_mutex_unlock(&client->replyq->mutex); + debug(DBG_DBG, "dtlsserverrd: waiting for writer to end"); + pthread_join(dtlsserverwrth, NULL); + removeclientrqs(client); + debug(DBG_DBG, "dtlsserverrd: reader for %s exiting", client->conf->host); +} + +/* accept if acc == 1, else connect */ +SSL *dtlsacccon(uint8_t acc, SSL_CTX *ctx, int s, struct sockaddr *addr, struct queue *rbios) { + SSL *ssl; + int i, res; + unsigned long error; + BIO *mem0bio, *wbio; + + ssl = SSL_new(ctx); + if (!ssl) + return NULL; + + mem0bio = BIO_new(BIO_s_mem()); + BIO_set_mem_eof_return(mem0bio, -1); + wbio = BIO_new_dgram(s, BIO_NOCLOSE); + BIO_dgram_set_peer(wbio, addr); + SSL_set_bio(ssl, mem0bio, wbio); + + for (i = 0; i < 5; i++) { + res = acc ? SSL_accept(ssl) : SSL_connect(ssl); + if (res > 0) + return ssl; + if (res == 0) + break; + if (SSL_get_error(ssl, res) == SSL_ERROR_WANT_READ) { + BIO_free(ssl->rbio); + ssl->rbio = getrbio(ssl, rbios, 5); + if (!ssl->rbio) + break; + } + while ((error = ERR_get_error())) + debug(DBG_ERR, "dtls%st: DTLS: %s", acc ? "accep" : "connec", ERR_error_string(error, NULL)); + } + + SSL_free(ssl); + return NULL; +} + +void *dtlsservernew(void *arg) { + struct client *client = (struct client *)arg; + X509 *cert = NULL; + + client->ssl = dtlsacccon(1, client->conf->ssl_ctx, client->sock, (struct sockaddr *)&client->addr, client->rbios); + if (!client->ssl) + goto exit; + cert = verifytlscert(client->ssl); + if (!cert) + goto exit; + if (verifyconfcert(cert, client->conf)) { + X509_free(cert); + dtlsserverrd(client); + removeclient(client); + } else + debug(DBG_WARN, "dtlsservernew: ignoring request, certificate validation failed"); + if (cert) + X509_free(cert); + + exit: + SSL_free(client->ssl); + ERR_remove_state(0); + pthread_exit(NULL); +} + +int dtlsconnect(struct server *server, struct timeval *when, int timeout, char *text) { + struct timeval now; + time_t elapsed; + X509 *cert; + + debug(DBG_DBG, "dtlsconnect: called from %s", text); + pthread_mutex_lock(&server->lock); + if (when && memcmp(&server->lastconnecttry, when, sizeof(struct timeval))) { + /* already reconnected, nothing to do */ + debug(DBG_DBG, "dtlsconnect(%s): seems already reconnected", text); + pthread_mutex_unlock(&server->lock); + return 1; + } + + for (;;) { + gettimeofday(&now, NULL); + elapsed = now.tv_sec - server->lastconnecttry.tv_sec; + + if (timeout && server->lastconnecttry.tv_sec && elapsed > timeout) { + debug(DBG_DBG, "dtlsconnect: timeout"); + SSL_free(server->ssl); + server->ssl = NULL; + pthread_mutex_unlock(&server->lock); + return 0; + } + + if (server->connectionok) { + server->connectionok = 0; + sleep(2); + } else if (elapsed < 1) + sleep(2); + else if (elapsed < 60) { + debug(DBG_INFO, "dtlsconnect: sleeping %lds", elapsed); + sleep(elapsed); + } else if (elapsed < 100000) { + debug(DBG_INFO, "dtlsconnect: sleeping %ds", 60); + sleep(60); + } else + server->lastconnecttry.tv_sec = now.tv_sec; /* no sleep at startup */ + debug(DBG_WARN, "dtlsconnect: trying to open DTLS connection to %s port %s", server->conf->host, server->conf->port); + + SSL_free(server->ssl); + server->ssl = dtlsacccon(0, server->conf->ssl_ctx, server->sock, server->conf->addrinfo->ai_addr, server->rbios); + if (!server->ssl) + continue; + debug(DBG_DBG, "dtlsconnect: DTLS: ok"); + + cert = verifytlscert(server->ssl); + if (!cert) + continue; + + if (verifyconfcert(cert, server->conf)) + break; + X509_free(cert); + } + X509_free(cert); + debug(DBG_WARN, "dtlsconnect: DTLS connection to %s port %s up", server->conf->host, server->conf->port); + gettimeofday(&server->lastconnecttry, NULL); + pthread_mutex_unlock(&server->lock); + return 1; +} + +int clientradputdtls(struct server *server, unsigned char *rad) { + int cnt; + size_t len; + unsigned long error; + struct clsrvconf *conf = server->conf; + + len = RADLEN(rad); + while ((cnt = SSL_write(server->ssl, rad, len)) <= 0) { + while ((error = ERR_get_error())) + debug(DBG_ERR, "clientradputdtls: DTLS: %s", ERR_error_string(error, NULL)); + } + debug(DBG_DBG, "clientradputdtls: Sent %d bytes, Radius packet of length %d to DTLS peer %s", cnt, len, conf->host); + return 1; +} + +/* reads UDP containing DTLS and passes it on to dtlsclientrd */ +void *udpdtlsclientrd(void *arg) { + int cnt, s = *(int *)arg; + unsigned char buf[4]; + struct sockaddr_storage from; + socklen_t fromlen = sizeof(from); + struct clsrvconf *conf; + fd_set readfds; + + for (;;) { + FD_ZERO(&readfds); + FD_SET(s, &readfds); + if (select(s + 1, &readfds, NULL, NULL, NULL) < 1) + continue; + cnt = recvfrom(s, buf, 4, MSG_PEEK | MSG_TRUNC, (struct sockaddr *)&from, &fromlen); + if (cnt == -1) { + debug(DBG_WARN, "udpdtlsclientrd: recv failed"); + continue; + } + + conf = find_srvconf(RAD_DTLS, (struct sockaddr *)&from, NULL); + if (!conf) { + debug(DBG_WARN, "udpdtlsclientrd: got packet from wrong or unknown DTLS peer %s, ignoring", addr2string((struct sockaddr *)&from, fromlen)); + recv(s, buf, 4, 0); + continue; + } + if (udp2bio(s, conf->servers->rbios, cnt)) + debug(DBG_DBG, "radudpget: got DTLS in UDP from %s", addr2string((struct sockaddr *)&from, fromlen)); + } +} + +void *dtlsclientrd(void *arg) { + struct server *server = (struct server *)arg; + unsigned char *buf; + struct timeval lastconnecttry; + + for (;;) { + /* yes, lastconnecttry is really necessary */ + lastconnecttry = server->lastconnecttry; + buf = raddtlsget(server->ssl, server->rbios); + if (!buf) { + dtlsconnect(server, &lastconnecttry, 0, "dtlsclientrd"); + continue; + } + + if (!replyh(server, buf)) + free(buf); + } +} + @@ -0,0 +1,14 @@ +/* + * Copyright (C) 2008 Stig Venaas <venaas@uninett.no> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + */ + +void *udpdtlsserverrd(void *arg); +int dtlsconnect(struct server *server, struct timeval *when, int timeout, char *text); +void *dtlsservernew(void *arg); +void *dtlsclientrd(void *arg); +void *udpdtlsclientrd(void *arg); +int clientradputdtls(struct server *server, unsigned char *rad); diff --git a/radsecproxy.c b/radsecproxy.c index e4eee75..14a28bd 100644 --- a/radsecproxy.c +++ b/radsecproxy.c @@ -64,9 +64,11 @@ #include "util.h" #include "gconfig.h" #include "radsecproxy.h" +#include "dtls.h" static struct options options; -struct list *clconfs, *srvconfs, *realms, *tlsconfs, *rewriteconfs; +static struct list *clconfs, *srvconfs; +struct list *realms, *tlsconfs, *rewriteconfs; static struct addrinfo *srcprotores[4] = { NULL, NULL, NULL, NULL }; @@ -89,20 +91,15 @@ void freerealm(struct realm *realm); void freeclsrvconf(struct clsrvconf *conf); void freerqdata(struct request *rq); void *udpserverrd(void *arg); -void *udpdtlsserverrd(void *arg); void *tlslistener(void *arg); void *tcplistener(void *arg); int tlsconnect(struct server *server, struct timeval *when, int timeout, char *text); -int dtlsconnect(struct server *server, struct timeval *when, int timeout, char *text); -void *dtlsservernew(void *arg); int tcpconnect(struct server *server, struct timeval *when, int timeout, char *text); void *udpclientrd(void *arg); void *tlsclientrd(void *arg); -void *dtlsclientrd(void *arg); void *tcpclientrd(void *arg); int clientradputudp(struct server *server, unsigned char *rad); int clientradputtls(struct server *server, unsigned char *rad); -int clientradputdtls(struct server *server, unsigned char *rad); int clientradputtcp(struct server *server, unsigned char *rad); X509 *verifytlscert(SSL *ssl); int radsrv(struct request *rq); @@ -490,6 +487,14 @@ struct clsrvconf *find_conf(uint8_t type, struct sockaddr *addr, struct list *co return NULL; } +struct clsrvconf *find_clconf(uint8_t type, struct sockaddr *addr, struct list_node **cur) { + return find_conf(type, addr, clconfs, cur); +} + +struct clsrvconf *find_srvconf(uint8_t type, struct sockaddr *addr, struct list_node **cur) { + return find_conf(type, addr, srvconfs, cur); +} + /* returns next config of given type, or NULL */ struct clsrvconf *find_conf_type(uint8_t type, struct list *confs, struct list_node **cur) { struct list_node *entry; @@ -725,42 +730,6 @@ int addserver(struct clsrvconf *conf) { return 0; } -int udp2bio(int s, struct queue *q, int cnt) { - unsigned char *buf; - BIO *rbio; - - if (cnt < 1) - return 0; - - buf = malloc(cnt); - if (!buf) { - unsigned char err; - debug(DBG_ERR, "udp2bio: malloc failed"); - recv(s, &err, 1, 0); - return 0; - } - - cnt = recv(s, buf, cnt, 0); - if (cnt < 1) { - debug(DBG_WARN, "udp2bio: recv failed"); - free(buf); - return 0; - } - - rbio = BIO_new_mem_buf(buf, cnt); - BIO_set_mem_eof_return(rbio, -1); - - pthread_mutex_lock(&q->mutex); - if (!list_push(q->entries, rbio)) { - BIO_free(rbio); - pthread_mutex_unlock(&q->mutex); - return 0; - } - pthread_cond_signal(&q->cond); - pthread_mutex_unlock(&q->mutex); - return 1; -} - /* exactly one of client and server must be non-NULL */ /* return who we received from in *client or *server */ /* return from in sa if not NULL */ @@ -1097,344 +1066,6 @@ int tlsconnect(struct server *server, struct timeval *when, int timeout, char *t return 1; } -void *udpdtlsserverrd(void *arg) { - int cnt, s = *(int *)arg; - unsigned char buf[4]; - struct sockaddr_storage from; - socklen_t fromlen = sizeof(from); - struct clsrvconf *conf; - struct list_node *node; - struct client *client; - fd_set readfds; - pthread_t dtlsserverth; - - for (;;) { - FD_ZERO(&readfds); - FD_SET(s, &readfds); - if (select(s + 1, &readfds, NULL, NULL, NULL) < 1) - continue; - cnt = recvfrom(s, buf, 4, MSG_PEEK | MSG_TRUNC, (struct sockaddr *)&from, &fromlen); - if (cnt == -1) { - debug(DBG_WARN, "udpdtlsserverrd: recv failed"); - continue; - } - conf = find_conf(RAD_DTLS, (struct sockaddr *)&from, clconfs, NULL); - if (!conf) { - debug(DBG_WARN, "udpdtlsserverrd: got packet from wrong or unknown DTLS peer %s, ignoring", addr2string((struct sockaddr *)&from, fromlen)); - recv(s, buf, 4, 0); - continue; - } - - node = list_first(conf->clients); - if (node) - client = (struct client *)node->data; - else { - client = addclient(conf); - if (!client) { - recv(s, buf, 4, 0); - continue; - } - client->sock = s; - memcpy(&client->addr, &from, fromlen); - if (pthread_create(&dtlsserverth, NULL, dtlsservernew, (void *)client)) { - debug(DBG_ERR, "udpdtlsserverrd: pthread_create failed"); - removeclient(client); - recv(s, buf, 4, 0); - continue; - } - pthread_detach(dtlsserverth); - } - if (udp2bio(s, client->rbios, cnt)) - debug(DBG_DBG, "udpdtlsserverrd: got DTLS in UDP from %s", addr2string((struct sockaddr *)&from, fromlen)); - } -} - -void *dtlsserverwr(void *arg) { - int cnt; - unsigned long error; - struct client *client = (struct client *)arg; - struct queue *replyq; - struct reply *reply; - - debug(DBG_DBG, "dtlsserverwr: starting for %s", client->conf->host); - replyq = client->replyq; - for (;;) { - pthread_mutex_lock(&replyq->mutex); - while (!list_first(replyq->entries)) { - if (client->ssl) { - debug(DBG_DBG, "dtlsserverwr: waiting for signal"); - pthread_cond_wait(&replyq->cond, &replyq->mutex); - debug(DBG_DBG, "dtlsserverwr: got signal"); - } - if (!client->ssl) { - /* ssl might have changed while waiting */ - pthread_mutex_unlock(&replyq->mutex); - debug(DBG_DBG, "dtlsserverwr: exiting as requested"); - ERR_remove_state(0); - pthread_exit(NULL); - } - } - reply = (struct reply *)list_shift(replyq->entries); - pthread_mutex_unlock(&replyq->mutex); - cnt = SSL_write(client->ssl, reply->buf, RADLEN(reply->buf)); - if (cnt > 0) - debug(DBG_DBG, "dtlsserverwr: sent %d bytes, Radius packet of length %d", - cnt, RADLEN(reply->buf)); - else - while ((error = ERR_get_error())) - debug(DBG_ERR, "dtlsserverwr: SSL: %s", ERR_error_string(error, NULL)); - free(reply->buf); - free(reply); - } -} - -BIO *getrbio(SSL *ssl, struct queue *q, int timeout) { - BIO *rbio; - struct timeval now; - struct timespec to; - - pthread_mutex_lock(&q->mutex); - if (!(rbio = (BIO *)list_shift(q->entries))) { - if (timeout) { - gettimeofday(&now, NULL); - memset(&to, 0, sizeof(struct timespec)); - to.tv_sec = now.tv_sec + timeout; - pthread_cond_timedwait(&q->cond, &q->mutex, &to); - } else - pthread_cond_wait(&q->cond, &q->mutex); - rbio = (BIO *)list_shift(q->entries); - } - pthread_mutex_unlock(&q->mutex); - return rbio; -} - -int dtlsread(SSL *ssl, struct queue *q, unsigned char *buf, int num) { - int len, cnt; - - for (len = 0; len < num; len += cnt) { - cnt = SSL_read(ssl, buf + len, num - len); - if (cnt <= 0) - switch (cnt = SSL_get_error(ssl, cnt)) { - case SSL_ERROR_WANT_READ: - BIO_free(ssl->rbio); - ssl->rbio = getrbio(ssl, q, 0); - if (!ssl->rbio) - return -1; - cnt = 0; - continue; - case SSL_ERROR_WANT_WRITE: - cnt = 0; - continue; - case SSL_ERROR_ZERO_RETURN: - /* remote end sent close_notify, send one back */ - SSL_shutdown(ssl); - return -1; - default: - return -1; - } - } - return num; -} - -unsigned char *raddtlsget(SSL *ssl, struct queue *rbios) { - int cnt, len; - unsigned char buf[4], *rad; - - for (;;) { - cnt = dtlsread(ssl, rbios, buf, 4); - if (cnt < 1) { - debug(DBG_DBG, "raddtlsget: connection lost"); - return NULL; - } - - len = RADLEN(buf); - rad = malloc(len); - if (!rad) { - debug(DBG_ERR, "raddtlsget: malloc failed"); - continue; - } - memcpy(rad, buf, 4); - - cnt = dtlsread(ssl, rbios, rad + 4, len - 4); - if (cnt < 1) { - debug(DBG_DBG, "raddtlsget: connection lost"); - free(rad); - return NULL; - } - - if (len >= 20) - break; - - free(rad); - debug(DBG_WARN, "raddtlsget: packet smaller than minimum radius size"); - } - - debug(DBG_DBG, "raddtlsget: got %d bytes", len); - return rad; -} - -void dtlsserverrd(struct client *client) { - struct request rq; - pthread_t dtlsserverwrth; - - debug(DBG_DBG, "dtlsserverrd: starting for %s", client->conf->host); - - if (pthread_create(&dtlsserverwrth, NULL, dtlsserverwr, (void *)client)) { - debug(DBG_ERR, "dtlsserverrd: pthread_create failed"); - return; - } - - for (;;) { - memset(&rq, 0, sizeof(struct request)); - rq.buf = raddtlsget(client->ssl, client->rbios); - if (!rq.buf) { - debug(DBG_ERR, "dtlsserverrd: connection from %s lost", client->conf->host); - break; - } - debug(DBG_DBG, "dtlsserverrd: got Radius message from %s", client->conf->host); - rq.from = client; - if (!radsrv(&rq)) { - debug(DBG_ERR, "dtlsserverrd: message authentication/validation failed, closing connection from %s", client->conf->host); - break; - } - } - - /* stop writer by setting ssl to NULL and give signal in case waiting for data */ - client->ssl = NULL; - - pthread_mutex_lock(&client->replyq->mutex); - pthread_cond_signal(&client->replyq->cond); - pthread_mutex_unlock(&client->replyq->mutex); - debug(DBG_DBG, "dtlsserverrd: waiting for writer to end"); - pthread_join(dtlsserverwrth, NULL); - removeclientrqs(client); - debug(DBG_DBG, "dtlsserverrd: reader for %s exiting", client->conf->host); -} - -/* accept if acc == 1, else connect */ -SSL *dtlsacccon(uint8_t acc, SSL_CTX *ctx, int s, struct sockaddr *addr, struct queue *rbios) { - SSL *ssl; - int i, res; - unsigned long error; - BIO *mem0bio, *wbio; - - ssl = SSL_new(ctx); - if (!ssl) - return NULL; - - mem0bio = BIO_new(BIO_s_mem()); - BIO_set_mem_eof_return(mem0bio, -1); - wbio = BIO_new_dgram(s, BIO_NOCLOSE); - BIO_dgram_set_peer(wbio, addr); - SSL_set_bio(ssl, mem0bio, wbio); - - for (i = 0; i < 5; i++) { - res = acc ? SSL_accept(ssl) : SSL_connect(ssl); - if (res > 0) - return ssl; - if (res == 0) - break; - if (SSL_get_error(ssl, res) == SSL_ERROR_WANT_READ) { - BIO_free(ssl->rbio); - ssl->rbio = getrbio(ssl, rbios, 5); - if (!ssl->rbio) - break; - } - while ((error = ERR_get_error())) - debug(DBG_ERR, "dtls%st: DTLS: %s", acc ? "accep" : "connec", ERR_error_string(error, NULL)); - } - - SSL_free(ssl); - return NULL; -} - -void *dtlsservernew(void *arg) { - struct client *client = (struct client *)arg; - X509 *cert = NULL; - - client->ssl = dtlsacccon(1, client->conf->ssl_ctx, client->sock, (struct sockaddr *)&client->addr, client->rbios); - if (!client->ssl) - goto exit; - cert = verifytlscert(client->ssl); - if (!cert) - goto exit; - if (verifyconfcert(cert, client->conf)) { - X509_free(cert); - dtlsserverrd(client); - removeclient(client); - } else - debug(DBG_WARN, "dtlsservernew: ignoring request, certificate validation failed"); - if (cert) - X509_free(cert); - - exit: - SSL_free(client->ssl); - ERR_remove_state(0); - pthread_exit(NULL); -} - -int dtlsconnect(struct server *server, struct timeval *when, int timeout, char *text) { - struct timeval now; - time_t elapsed; - X509 *cert; - - debug(DBG_DBG, "dtlsconnect: called from %s", text); - pthread_mutex_lock(&server->lock); - if (when && memcmp(&server->lastconnecttry, when, sizeof(struct timeval))) { - /* already reconnected, nothing to do */ - debug(DBG_DBG, "dtlsconnect(%s): seems already reconnected", text); - pthread_mutex_unlock(&server->lock); - return 1; - } - - for (;;) { - gettimeofday(&now, NULL); - elapsed = now.tv_sec - server->lastconnecttry.tv_sec; - - if (timeout && server->lastconnecttry.tv_sec && elapsed > timeout) { - debug(DBG_DBG, "dtlsconnect: timeout"); - SSL_free(server->ssl); - server->ssl = NULL; - pthread_mutex_unlock(&server->lock); - return 0; - } - - if (server->connectionok) { - server->connectionok = 0; - sleep(2); - } else if (elapsed < 1) - sleep(2); - else if (elapsed < 60) { - debug(DBG_INFO, "dtlsconnect: sleeping %lds", elapsed); - sleep(elapsed); - } else if (elapsed < 100000) { - debug(DBG_INFO, "dtlsconnect: sleeping %ds", 60); - sleep(60); - } else - server->lastconnecttry.tv_sec = now.tv_sec; /* no sleep at startup */ - debug(DBG_WARN, "dtlsconnect: trying to open DTLS connection to %s port %s", server->conf->host, server->conf->port); - - SSL_free(server->ssl); - server->ssl = dtlsacccon(0, server->conf->ssl_ctx, server->sock, server->conf->addrinfo->ai_addr, server->rbios); - if (!server->ssl) - continue; - debug(DBG_DBG, "dtlsconnect: DTLS: ok"); - - cert = verifytlscert(server->ssl); - if (!cert) - continue; - - if (verifyconfcert(cert, server->conf)) - break; - X509_free(cert); - } - X509_free(cert); - debug(DBG_WARN, "dtlsconnect: DTLS connection to %s port %s up", server->conf->host, server->conf->port); - gettimeofday(&server->lastconnecttry, NULL); - pthread_mutex_unlock(&server->lock); - return 1; -} - int tcpconnect(struct server *server, struct timeval *when, int timeout, char *text) { struct timeval now; time_t elapsed; @@ -1691,21 +1322,6 @@ int clientradputtls(struct server *server, unsigned char *rad) { return 1; } -int clientradputdtls(struct server *server, unsigned char *rad) { - int cnt; - size_t len; - unsigned long error; - struct clsrvconf *conf = server->conf; - - len = RADLEN(rad); - while ((cnt = SSL_write(server->ssl, rad, len)) <= 0) { - while ((error = ERR_get_error())) - debug(DBG_ERR, "clientradputdtls: DTLS: %s", ERR_error_string(error, NULL)); - } - debug(DBG_DBG, "clientradputdtls: Sent %d bytes, Radius packet of length %d to DTLS peer %s", cnt, len, conf->host); - return 1; -} - int clientradputtcp(struct server *server, unsigned char *rad) { int cnt; size_t len; @@ -2982,55 +2598,6 @@ void *tlsclientrd(void *arg) { return NULL; } -void *udpdtlsclientrd(void *arg) { - int cnt, s = *(int *)arg; - unsigned char buf[4]; - struct sockaddr_storage from; - socklen_t fromlen = sizeof(from); - struct clsrvconf *conf; - fd_set readfds; - - for (;;) { - FD_ZERO(&readfds); - FD_SET(s, &readfds); - if (select(s + 1, &readfds, NULL, NULL, NULL) < 1) - continue; - cnt = recvfrom(s, buf, 4, MSG_PEEK | MSG_TRUNC, (struct sockaddr *)&from, &fromlen); - if (cnt == -1) { - debug(DBG_WARN, "udpdtlsclientrd: recv failed"); - continue; - } - - conf = find_conf(RAD_DTLS, (struct sockaddr *)&from, srvconfs, NULL); - if (!conf) { - debug(DBG_WARN, "udpdtlsclientrd: got packet from wrong or unknown DTLS peer %s, ignoring", addr2string((struct sockaddr *)&from, fromlen)); - recv(s, buf, 4, 0); - continue; - } - if (udp2bio(s, conf->servers->rbios, cnt)) - debug(DBG_DBG, "radudpget: got DTLS in UDP from %s", addr2string((struct sockaddr *)&from, fromlen)); - } -} - -void *dtlsclientrd(void *arg) { - struct server *server = (struct server *)arg; - unsigned char *buf; - struct timeval lastconnecttry; - - for (;;) { - /* yes, lastconnecttry is really necessary */ - lastconnecttry = server->lastconnecttry; - buf = raddtlsget(server->ssl, server->rbios); - if (!buf) { - dtlsconnect(server, &lastconnecttry, 0, "dtlsclientrd"); - continue; - } - - if (!replyh(server, buf)) - free(buf); - } -} - void *tcpclientrd(void *arg) { struct server *server = (struct server *)arg; unsigned char *buf; diff --git a/radsecproxy.h b/radsecproxy.h index 34f56ca..5ee7a57 100644 --- a/radsecproxy.h +++ b/radsecproxy.h @@ -201,3 +201,13 @@ struct protodefs { #define SOCKADDR_SIZE(addr) ((addr).ss_family == AF_INET ? \ sizeof(struct sockaddr_in) : \ sizeof(struct sockaddr_in6)) + +struct clsrvconf *find_clconf(uint8_t type, struct sockaddr *addr, struct list_node **cur); +struct clsrvconf *find_srvconf(uint8_t type, struct sockaddr *addr, struct list_node **cur); +struct client *addclient(struct clsrvconf *conf); +void removeclient(struct client *client); +void removeclientrqs(struct client *client); +int radsrv(struct request *rq); +X509 *verifytlscert(SSL *ssl); +int verifyconfcert(X509 *cert, struct clsrvconf *conf); +int replyh(struct server *server, unsigned char *buf); |