summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Makefile2
-rw-r--r--Makefile.am4
-rw-r--r--configure.ac2
-rw-r--r--dtls.c473
-rw-r--r--dtls.h14
-rw-r--r--radsecproxy.c455
-rw-r--r--radsecproxy.h10
7 files changed, 513 insertions, 447 deletions
diff --git a/Makefile b/Makefile
index 6eb07e2..d84eabd 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
CFLAGS = -g -Wall -pedantic -pthread
LDFLAGS = -lssl
-OBJ = util.o debug.o list.o gconfig.o radsecproxy.o
+OBJ = util.o debug.o list.o gconfig.o dtls.o radsecproxy.o
all: radsecproxy
diff --git a/Makefile.am b/Makefile.am
index eb4b1d2..ad22fc1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -5,11 +5,13 @@ radsecproxy_SOURCES = radsecproxy.c \
util.c \
debug.c \
list.c \
+ dtls.c \
radsecproxy.h \
gconfig.h \
debug.h \
util.h \
- list.h
+ list.h \
+ dtls.h
radsecproxy_CFLAGS = -g -Wall -pedantic -pthread @SSL_CFLAGS@ @TARGET_CFLAGS@
radsecproxy_LDFLAGS = @SSL_LDFLAGS@ @TARGET_LDFLAGS@
diff --git a/configure.ac b/configure.ac
index 444ee64..65f386e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT(radsecproxy, 1.2-devel, venaas@uninett.no)
+AC_INIT(radsecproxy, 2.0-devel, venaas@uninett.no)
AM_INIT_AUTOMAKE
AC_PROG_CC
AM_PROG_CC_C_O
diff --git a/dtls.c b/dtls.c
new file mode 100644
index 0000000..b44a921
--- /dev/null
+++ b/dtls.c
@@ -0,0 +1,473 @@
+/*
+ * Copyright (C) 2008 Stig Venaas <venaas@uninett.no>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ */
+
+#include <signal.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+#include <unistd.h>
+#include <limits.h>
+#ifdef SYS_SOLARIS9
+#include <fcntl.h>
+#endif
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/select.h>
+#include <ctype.h>
+#include <sys/wait.h>
+#include <arpa/inet.h>
+#include <regex.h>
+#include <pthread.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include "debug.h"
+#include "list.h"
+#include "util.h"
+#include "radsecproxy.h"
+#include "dtls.h"
+
+int udp2bio(int s, struct queue *q, int cnt) {
+ unsigned char *buf;
+ BIO *rbio;
+
+ if (cnt < 1)
+ return 0;
+
+ buf = malloc(cnt);
+ if (!buf) {
+ unsigned char err;
+ debug(DBG_ERR, "udp2bio: malloc failed");
+ recv(s, &err, 1, 0);
+ return 0;
+ }
+
+ cnt = recv(s, buf, cnt, 0);
+ if (cnt < 1) {
+ debug(DBG_WARN, "udp2bio: recv failed");
+ free(buf);
+ return 0;
+ }
+
+ rbio = BIO_new_mem_buf(buf, cnt);
+ BIO_set_mem_eof_return(rbio, -1);
+
+ pthread_mutex_lock(&q->mutex);
+ if (!list_push(q->entries, rbio)) {
+ BIO_free(rbio);
+ pthread_mutex_unlock(&q->mutex);
+ return 0;
+ }
+ pthread_cond_signal(&q->cond);
+ pthread_mutex_unlock(&q->mutex);
+ return 1;
+}
+
+BIO *getrbio(SSL *ssl, struct queue *q, int timeout) {
+ BIO *rbio;
+ struct timeval now;
+ struct timespec to;
+
+ pthread_mutex_lock(&q->mutex);
+ if (!(rbio = (BIO *)list_shift(q->entries))) {
+ if (timeout) {
+ gettimeofday(&now, NULL);
+ memset(&to, 0, sizeof(struct timespec));
+ to.tv_sec = now.tv_sec + timeout;
+ pthread_cond_timedwait(&q->cond, &q->mutex, &to);
+ } else
+ pthread_cond_wait(&q->cond, &q->mutex);
+ rbio = (BIO *)list_shift(q->entries);
+ }
+ pthread_mutex_unlock(&q->mutex);
+ return rbio;
+}
+
+void *udpdtlsserverrd(void *arg) {
+ int cnt, s = *(int *)arg;
+ unsigned char buf[4];
+ struct sockaddr_storage from;
+ socklen_t fromlen = sizeof(from);
+ struct clsrvconf *conf;
+ struct list_node *node;
+ struct client *client;
+ fd_set readfds;
+ pthread_t dtlsserverth;
+
+ for (;;) {
+ FD_ZERO(&readfds);
+ FD_SET(s, &readfds);
+ if (select(s + 1, &readfds, NULL, NULL, NULL) < 1)
+ continue;
+ cnt = recvfrom(s, buf, 4, MSG_PEEK | MSG_TRUNC, (struct sockaddr *)&from, &fromlen);
+ if (cnt == -1) {
+ debug(DBG_WARN, "udpdtlsserverrd: recv failed");
+ continue;
+ }
+ conf = find_clconf(RAD_DTLS, (struct sockaddr *)&from, NULL);
+ if (!conf) {
+ debug(DBG_WARN, "udpdtlsserverrd: got packet from wrong or unknown DTLS peer %s, ignoring", addr2string((struct sockaddr *)&from, fromlen));
+ recv(s, buf, 4, 0);
+ continue;
+ }
+
+ node = list_first(conf->clients);
+ if (node)
+ client = (struct client *)node->data;
+ else {
+ client = addclient(conf);
+ if (!client) {
+ recv(s, buf, 4, 0);
+ continue;
+ }
+ client->sock = s;
+ memcpy(&client->addr, &from, fromlen);
+ if (pthread_create(&dtlsserverth, NULL, dtlsservernew, (void *)client)) {
+ debug(DBG_ERR, "udpdtlsserverrd: pthread_create failed");
+ removeclient(client);
+ recv(s, buf, 4, 0);
+ continue;
+ }
+ pthread_detach(dtlsserverth);
+ }
+ if (udp2bio(s, client->rbios, cnt))
+ debug(DBG_DBG, "udpdtlsserverrd: got DTLS in UDP from %s", addr2string((struct sockaddr *)&from, fromlen));
+ }
+}
+
+void *dtlsserverwr(void *arg) {
+ int cnt;
+ unsigned long error;
+ struct client *client = (struct client *)arg;
+ struct queue *replyq;
+ struct reply *reply;
+
+ debug(DBG_DBG, "dtlsserverwr: starting for %s", client->conf->host);
+ replyq = client->replyq;
+ for (;;) {
+ pthread_mutex_lock(&replyq->mutex);
+ while (!list_first(replyq->entries)) {
+ if (client->ssl) {
+ debug(DBG_DBG, "dtlsserverwr: waiting for signal");
+ pthread_cond_wait(&replyq->cond, &replyq->mutex);
+ debug(DBG_DBG, "dtlsserverwr: got signal");
+ }
+ if (!client->ssl) {
+ /* ssl might have changed while waiting */
+ pthread_mutex_unlock(&replyq->mutex);
+ debug(DBG_DBG, "dtlsserverwr: exiting as requested");
+ ERR_remove_state(0);
+ pthread_exit(NULL);
+ }
+ }
+ reply = (struct reply *)list_shift(replyq->entries);
+ pthread_mutex_unlock(&replyq->mutex);
+ cnt = SSL_write(client->ssl, reply->buf, RADLEN(reply->buf));
+ if (cnt > 0)
+ debug(DBG_DBG, "dtlsserverwr: sent %d bytes, Radius packet of length %d",
+ cnt, RADLEN(reply->buf));
+ else
+ while ((error = ERR_get_error()))
+ debug(DBG_ERR, "dtlsserverwr: SSL: %s", ERR_error_string(error, NULL));
+ free(reply->buf);
+ free(reply);
+ }
+}
+
+int dtlsread(SSL *ssl, struct queue *q, unsigned char *buf, int num) {
+ int len, cnt;
+
+ for (len = 0; len < num; len += cnt) {
+ cnt = SSL_read(ssl, buf + len, num - len);
+ if (cnt <= 0)
+ switch (cnt = SSL_get_error(ssl, cnt)) {
+ case SSL_ERROR_WANT_READ:
+ BIO_free(ssl->rbio);
+ ssl->rbio = getrbio(ssl, q, 0);
+ if (!ssl->rbio)
+ return -1;
+ cnt = 0;
+ continue;
+ case SSL_ERROR_WANT_WRITE:
+ cnt = 0;
+ continue;
+ case SSL_ERROR_ZERO_RETURN:
+ /* remote end sent close_notify, send one back */
+ SSL_shutdown(ssl);
+ return -1;
+ default:
+ return -1;
+ }
+ }
+ return num;
+}
+
+unsigned char *raddtlsget(SSL *ssl, struct queue *rbios) {
+ int cnt, len;
+ unsigned char buf[4], *rad;
+
+ for (;;) {
+ cnt = dtlsread(ssl, rbios, buf, 4);
+ if (cnt < 1) {
+ debug(DBG_DBG, "raddtlsget: connection lost");
+ return NULL;
+ }
+
+ len = RADLEN(buf);
+ rad = malloc(len);
+ if (!rad) {
+ debug(DBG_ERR, "raddtlsget: malloc failed");
+ continue;
+ }
+ memcpy(rad, buf, 4);
+
+ cnt = dtlsread(ssl, rbios, rad + 4, len - 4);
+ if (cnt < 1) {
+ debug(DBG_DBG, "raddtlsget: connection lost");
+ free(rad);
+ return NULL;
+ }
+
+ if (len >= 20)
+ break;
+
+ free(rad);
+ debug(DBG_WARN, "raddtlsget: packet smaller than minimum radius size");
+ }
+
+ debug(DBG_DBG, "raddtlsget: got %d bytes", len);
+ return rad;
+}
+
+void dtlsserverrd(struct client *client) {
+ struct request rq;
+ pthread_t dtlsserverwrth;
+
+ debug(DBG_DBG, "dtlsserverrd: starting for %s", client->conf->host);
+
+ if (pthread_create(&dtlsserverwrth, NULL, dtlsserverwr, (void *)client)) {
+ debug(DBG_ERR, "dtlsserverrd: pthread_create failed");
+ return;
+ }
+
+ for (;;) {
+ memset(&rq, 0, sizeof(struct request));
+ rq.buf = raddtlsget(client->ssl, client->rbios);
+ if (!rq.buf) {
+ debug(DBG_ERR, "dtlsserverrd: connection from %s lost", client->conf->host);
+ break;
+ }
+ debug(DBG_DBG, "dtlsserverrd: got Radius message from %s", client->conf->host);
+ rq.from = client;
+ if (!radsrv(&rq)) {
+ debug(DBG_ERR, "dtlsserverrd: message authentication/validation failed, closing connection from %s", client->conf->host);
+ break;
+ }
+ }
+
+ /* stop writer by setting ssl to NULL and give signal in case waiting for data */
+ client->ssl = NULL;
+
+ pthread_mutex_lock(&client->replyq->mutex);
+ pthread_cond_signal(&client->replyq->cond);
+ pthread_mutex_unlock(&client->replyq->mutex);
+ debug(DBG_DBG, "dtlsserverrd: waiting for writer to end");
+ pthread_join(dtlsserverwrth, NULL);
+ removeclientrqs(client);
+ debug(DBG_DBG, "dtlsserverrd: reader for %s exiting", client->conf->host);
+}
+
+/* accept if acc == 1, else connect */
+SSL *dtlsacccon(uint8_t acc, SSL_CTX *ctx, int s, struct sockaddr *addr, struct queue *rbios) {
+ SSL *ssl;
+ int i, res;
+ unsigned long error;
+ BIO *mem0bio, *wbio;
+
+ ssl = SSL_new(ctx);
+ if (!ssl)
+ return NULL;
+
+ mem0bio = BIO_new(BIO_s_mem());
+ BIO_set_mem_eof_return(mem0bio, -1);
+ wbio = BIO_new_dgram(s, BIO_NOCLOSE);
+ BIO_dgram_set_peer(wbio, addr);
+ SSL_set_bio(ssl, mem0bio, wbio);
+
+ for (i = 0; i < 5; i++) {
+ res = acc ? SSL_accept(ssl) : SSL_connect(ssl);
+ if (res > 0)
+ return ssl;
+ if (res == 0)
+ break;
+ if (SSL_get_error(ssl, res) == SSL_ERROR_WANT_READ) {
+ BIO_free(ssl->rbio);
+ ssl->rbio = getrbio(ssl, rbios, 5);
+ if (!ssl->rbio)
+ break;
+ }
+ while ((error = ERR_get_error()))
+ debug(DBG_ERR, "dtls%st: DTLS: %s", acc ? "accep" : "connec", ERR_error_string(error, NULL));
+ }
+
+ SSL_free(ssl);
+ return NULL;
+}
+
+void *dtlsservernew(void *arg) {
+ struct client *client = (struct client *)arg;
+ X509 *cert = NULL;
+
+ client->ssl = dtlsacccon(1, client->conf->ssl_ctx, client->sock, (struct sockaddr *)&client->addr, client->rbios);
+ if (!client->ssl)
+ goto exit;
+ cert = verifytlscert(client->ssl);
+ if (!cert)
+ goto exit;
+ if (verifyconfcert(cert, client->conf)) {
+ X509_free(cert);
+ dtlsserverrd(client);
+ removeclient(client);
+ } else
+ debug(DBG_WARN, "dtlsservernew: ignoring request, certificate validation failed");
+ if (cert)
+ X509_free(cert);
+
+ exit:
+ SSL_free(client->ssl);
+ ERR_remove_state(0);
+ pthread_exit(NULL);
+}
+
+int dtlsconnect(struct server *server, struct timeval *when, int timeout, char *text) {
+ struct timeval now;
+ time_t elapsed;
+ X509 *cert;
+
+ debug(DBG_DBG, "dtlsconnect: called from %s", text);
+ pthread_mutex_lock(&server->lock);
+ if (when && memcmp(&server->lastconnecttry, when, sizeof(struct timeval))) {
+ /* already reconnected, nothing to do */
+ debug(DBG_DBG, "dtlsconnect(%s): seems already reconnected", text);
+ pthread_mutex_unlock(&server->lock);
+ return 1;
+ }
+
+ for (;;) {
+ gettimeofday(&now, NULL);
+ elapsed = now.tv_sec - server->lastconnecttry.tv_sec;
+
+ if (timeout && server->lastconnecttry.tv_sec && elapsed > timeout) {
+ debug(DBG_DBG, "dtlsconnect: timeout");
+ SSL_free(server->ssl);
+ server->ssl = NULL;
+ pthread_mutex_unlock(&server->lock);
+ return 0;
+ }
+
+ if (server->connectionok) {
+ server->connectionok = 0;
+ sleep(2);
+ } else if (elapsed < 1)
+ sleep(2);
+ else if (elapsed < 60) {
+ debug(DBG_INFO, "dtlsconnect: sleeping %lds", elapsed);
+ sleep(elapsed);
+ } else if (elapsed < 100000) {
+ debug(DBG_INFO, "dtlsconnect: sleeping %ds", 60);
+ sleep(60);
+ } else
+ server->lastconnecttry.tv_sec = now.tv_sec; /* no sleep at startup */
+ debug(DBG_WARN, "dtlsconnect: trying to open DTLS connection to %s port %s", server->conf->host, server->conf->port);
+
+ SSL_free(server->ssl);
+ server->ssl = dtlsacccon(0, server->conf->ssl_ctx, server->sock, server->conf->addrinfo->ai_addr, server->rbios);
+ if (!server->ssl)
+ continue;
+ debug(DBG_DBG, "dtlsconnect: DTLS: ok");
+
+ cert = verifytlscert(server->ssl);
+ if (!cert)
+ continue;
+
+ if (verifyconfcert(cert, server->conf))
+ break;
+ X509_free(cert);
+ }
+ X509_free(cert);
+ debug(DBG_WARN, "dtlsconnect: DTLS connection to %s port %s up", server->conf->host, server->conf->port);
+ gettimeofday(&server->lastconnecttry, NULL);
+ pthread_mutex_unlock(&server->lock);
+ return 1;
+}
+
+int clientradputdtls(struct server *server, unsigned char *rad) {
+ int cnt;
+ size_t len;
+ unsigned long error;
+ struct clsrvconf *conf = server->conf;
+
+ len = RADLEN(rad);
+ while ((cnt = SSL_write(server->ssl, rad, len)) <= 0) {
+ while ((error = ERR_get_error()))
+ debug(DBG_ERR, "clientradputdtls: DTLS: %s", ERR_error_string(error, NULL));
+ }
+ debug(DBG_DBG, "clientradputdtls: Sent %d bytes, Radius packet of length %d to DTLS peer %s", cnt, len, conf->host);
+ return 1;
+}
+
+/* reads UDP containing DTLS and passes it on to dtlsclientrd */
+void *udpdtlsclientrd(void *arg) {
+ int cnt, s = *(int *)arg;
+ unsigned char buf[4];
+ struct sockaddr_storage from;
+ socklen_t fromlen = sizeof(from);
+ struct clsrvconf *conf;
+ fd_set readfds;
+
+ for (;;) {
+ FD_ZERO(&readfds);
+ FD_SET(s, &readfds);
+ if (select(s + 1, &readfds, NULL, NULL, NULL) < 1)
+ continue;
+ cnt = recvfrom(s, buf, 4, MSG_PEEK | MSG_TRUNC, (struct sockaddr *)&from, &fromlen);
+ if (cnt == -1) {
+ debug(DBG_WARN, "udpdtlsclientrd: recv failed");
+ continue;
+ }
+
+ conf = find_srvconf(RAD_DTLS, (struct sockaddr *)&from, NULL);
+ if (!conf) {
+ debug(DBG_WARN, "udpdtlsclientrd: got packet from wrong or unknown DTLS peer %s, ignoring", addr2string((struct sockaddr *)&from, fromlen));
+ recv(s, buf, 4, 0);
+ continue;
+ }
+ if (udp2bio(s, conf->servers->rbios, cnt))
+ debug(DBG_DBG, "radudpget: got DTLS in UDP from %s", addr2string((struct sockaddr *)&from, fromlen));
+ }
+}
+
+void *dtlsclientrd(void *arg) {
+ struct server *server = (struct server *)arg;
+ unsigned char *buf;
+ struct timeval lastconnecttry;
+
+ for (;;) {
+ /* yes, lastconnecttry is really necessary */
+ lastconnecttry = server->lastconnecttry;
+ buf = raddtlsget(server->ssl, server->rbios);
+ if (!buf) {
+ dtlsconnect(server, &lastconnecttry, 0, "dtlsclientrd");
+ continue;
+ }
+
+ if (!replyh(server, buf))
+ free(buf);
+ }
+}
+
diff --git a/dtls.h b/dtls.h
new file mode 100644
index 0000000..41ee54d
--- /dev/null
+++ b/dtls.h
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) 2008 Stig Venaas <venaas@uninett.no>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ */
+
+void *udpdtlsserverrd(void *arg);
+int dtlsconnect(struct server *server, struct timeval *when, int timeout, char *text);
+void *dtlsservernew(void *arg);
+void *dtlsclientrd(void *arg);
+void *udpdtlsclientrd(void *arg);
+int clientradputdtls(struct server *server, unsigned char *rad);
diff --git a/radsecproxy.c b/radsecproxy.c
index e4eee75..14a28bd 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -64,9 +64,11 @@
#include "util.h"
#include "gconfig.h"
#include "radsecproxy.h"
+#include "dtls.h"
static struct options options;
-struct list *clconfs, *srvconfs, *realms, *tlsconfs, *rewriteconfs;
+static struct list *clconfs, *srvconfs;
+struct list *realms, *tlsconfs, *rewriteconfs;
static struct addrinfo *srcprotores[4] = { NULL, NULL, NULL, NULL };
@@ -89,20 +91,15 @@ void freerealm(struct realm *realm);
void freeclsrvconf(struct clsrvconf *conf);
void freerqdata(struct request *rq);
void *udpserverrd(void *arg);
-void *udpdtlsserverrd(void *arg);
void *tlslistener(void *arg);
void *tcplistener(void *arg);
int tlsconnect(struct server *server, struct timeval *when, int timeout, char *text);
-int dtlsconnect(struct server *server, struct timeval *when, int timeout, char *text);
-void *dtlsservernew(void *arg);
int tcpconnect(struct server *server, struct timeval *when, int timeout, char *text);
void *udpclientrd(void *arg);
void *tlsclientrd(void *arg);
-void *dtlsclientrd(void *arg);
void *tcpclientrd(void *arg);
int clientradputudp(struct server *server, unsigned char *rad);
int clientradputtls(struct server *server, unsigned char *rad);
-int clientradputdtls(struct server *server, unsigned char *rad);
int clientradputtcp(struct server *server, unsigned char *rad);
X509 *verifytlscert(SSL *ssl);
int radsrv(struct request *rq);
@@ -490,6 +487,14 @@ struct clsrvconf *find_conf(uint8_t type, struct sockaddr *addr, struct list *co
return NULL;
}
+struct clsrvconf *find_clconf(uint8_t type, struct sockaddr *addr, struct list_node **cur) {
+ return find_conf(type, addr, clconfs, cur);
+}
+
+struct clsrvconf *find_srvconf(uint8_t type, struct sockaddr *addr, struct list_node **cur) {
+ return find_conf(type, addr, srvconfs, cur);
+}
+
/* returns next config of given type, or NULL */
struct clsrvconf *find_conf_type(uint8_t type, struct list *confs, struct list_node **cur) {
struct list_node *entry;
@@ -725,42 +730,6 @@ int addserver(struct clsrvconf *conf) {
return 0;
}
-int udp2bio(int s, struct queue *q, int cnt) {
- unsigned char *buf;
- BIO *rbio;
-
- if (cnt < 1)
- return 0;
-
- buf = malloc(cnt);
- if (!buf) {
- unsigned char err;
- debug(DBG_ERR, "udp2bio: malloc failed");
- recv(s, &err, 1, 0);
- return 0;
- }
-
- cnt = recv(s, buf, cnt, 0);
- if (cnt < 1) {
- debug(DBG_WARN, "udp2bio: recv failed");
- free(buf);
- return 0;
- }
-
- rbio = BIO_new_mem_buf(buf, cnt);
- BIO_set_mem_eof_return(rbio, -1);
-
- pthread_mutex_lock(&q->mutex);
- if (!list_push(q->entries, rbio)) {
- BIO_free(rbio);
- pthread_mutex_unlock(&q->mutex);
- return 0;
- }
- pthread_cond_signal(&q->cond);
- pthread_mutex_unlock(&q->mutex);
- return 1;
-}
-
/* exactly one of client and server must be non-NULL */
/* return who we received from in *client or *server */
/* return from in sa if not NULL */
@@ -1097,344 +1066,6 @@ int tlsconnect(struct server *server, struct timeval *when, int timeout, char *t
return 1;
}
-void *udpdtlsserverrd(void *arg) {
- int cnt, s = *(int *)arg;
- unsigned char buf[4];
- struct sockaddr_storage from;
- socklen_t fromlen = sizeof(from);
- struct clsrvconf *conf;
- struct list_node *node;
- struct client *client;
- fd_set readfds;
- pthread_t dtlsserverth;
-
- for (;;) {
- FD_ZERO(&readfds);
- FD_SET(s, &readfds);
- if (select(s + 1, &readfds, NULL, NULL, NULL) < 1)
- continue;
- cnt = recvfrom(s, buf, 4, MSG_PEEK | MSG_TRUNC, (struct sockaddr *)&from, &fromlen);
- if (cnt == -1) {
- debug(DBG_WARN, "udpdtlsserverrd: recv failed");
- continue;
- }
- conf = find_conf(RAD_DTLS, (struct sockaddr *)&from, clconfs, NULL);
- if (!conf) {
- debug(DBG_WARN, "udpdtlsserverrd: got packet from wrong or unknown DTLS peer %s, ignoring", addr2string((struct sockaddr *)&from, fromlen));
- recv(s, buf, 4, 0);
- continue;
- }
-
- node = list_first(conf->clients);
- if (node)
- client = (struct client *)node->data;
- else {
- client = addclient(conf);
- if (!client) {
- recv(s, buf, 4, 0);
- continue;
- }
- client->sock = s;
- memcpy(&client->addr, &from, fromlen);
- if (pthread_create(&dtlsserverth, NULL, dtlsservernew, (void *)client)) {
- debug(DBG_ERR, "udpdtlsserverrd: pthread_create failed");
- removeclient(client);
- recv(s, buf, 4, 0);
- continue;
- }
- pthread_detach(dtlsserverth);
- }
- if (udp2bio(s, client->rbios, cnt))
- debug(DBG_DBG, "udpdtlsserverrd: got DTLS in UDP from %s", addr2string((struct sockaddr *)&from, fromlen));
- }
-}
-
-void *dtlsserverwr(void *arg) {
- int cnt;
- unsigned long error;
- struct client *client = (struct client *)arg;
- struct queue *replyq;
- struct reply *reply;
-
- debug(DBG_DBG, "dtlsserverwr: starting for %s", client->conf->host);
- replyq = client->replyq;
- for (;;) {
- pthread_mutex_lock(&replyq->mutex);
- while (!list_first(replyq->entries)) {
- if (client->ssl) {
- debug(DBG_DBG, "dtlsserverwr: waiting for signal");
- pthread_cond_wait(&replyq->cond, &replyq->mutex);
- debug(DBG_DBG, "dtlsserverwr: got signal");
- }
- if (!client->ssl) {
- /* ssl might have changed while waiting */
- pthread_mutex_unlock(&replyq->mutex);
- debug(DBG_DBG, "dtlsserverwr: exiting as requested");
- ERR_remove_state(0);
- pthread_exit(NULL);
- }
- }
- reply = (struct reply *)list_shift(replyq->entries);
- pthread_mutex_unlock(&replyq->mutex);
- cnt = SSL_write(client->ssl, reply->buf, RADLEN(reply->buf));
- if (cnt > 0)
- debug(DBG_DBG, "dtlsserverwr: sent %d bytes, Radius packet of length %d",
- cnt, RADLEN(reply->buf));
- else
- while ((error = ERR_get_error()))
- debug(DBG_ERR, "dtlsserverwr: SSL: %s", ERR_error_string(error, NULL));
- free(reply->buf);
- free(reply);
- }
-}
-
-BIO *getrbio(SSL *ssl, struct queue *q, int timeout) {
- BIO *rbio;
- struct timeval now;
- struct timespec to;
-
- pthread_mutex_lock(&q->mutex);
- if (!(rbio = (BIO *)list_shift(q->entries))) {
- if (timeout) {
- gettimeofday(&now, NULL);
- memset(&to, 0, sizeof(struct timespec));
- to.tv_sec = now.tv_sec + timeout;
- pthread_cond_timedwait(&q->cond, &q->mutex, &to);
- } else
- pthread_cond_wait(&q->cond, &q->mutex);
- rbio = (BIO *)list_shift(q->entries);
- }
- pthread_mutex_unlock(&q->mutex);
- return rbio;
-}
-
-int dtlsread(SSL *ssl, struct queue *q, unsigned char *buf, int num) {
- int len, cnt;
-
- for (len = 0; len < num; len += cnt) {
- cnt = SSL_read(ssl, buf + len, num - len);
- if (cnt <= 0)
- switch (cnt = SSL_get_error(ssl, cnt)) {
- case SSL_ERROR_WANT_READ:
- BIO_free(ssl->rbio);
- ssl->rbio = getrbio(ssl, q, 0);
- if (!ssl->rbio)
- return -1;
- cnt = 0;
- continue;
- case SSL_ERROR_WANT_WRITE:
- cnt = 0;
- continue;
- case SSL_ERROR_ZERO_RETURN:
- /* remote end sent close_notify, send one back */
- SSL_shutdown(ssl);
- return -1;
- default:
- return -1;
- }
- }
- return num;
-}
-
-unsigned char *raddtlsget(SSL *ssl, struct queue *rbios) {
- int cnt, len;
- unsigned char buf[4], *rad;
-
- for (;;) {
- cnt = dtlsread(ssl, rbios, buf, 4);
- if (cnt < 1) {
- debug(DBG_DBG, "raddtlsget: connection lost");
- return NULL;
- }
-
- len = RADLEN(buf);
- rad = malloc(len);
- if (!rad) {
- debug(DBG_ERR, "raddtlsget: malloc failed");
- continue;
- }
- memcpy(rad, buf, 4);
-
- cnt = dtlsread(ssl, rbios, rad + 4, len - 4);
- if (cnt < 1) {
- debug(DBG_DBG, "raddtlsget: connection lost");
- free(rad);
- return NULL;
- }
-
- if (len >= 20)
- break;
-
- free(rad);
- debug(DBG_WARN, "raddtlsget: packet smaller than minimum radius size");
- }
-
- debug(DBG_DBG, "raddtlsget: got %d bytes", len);
- return rad;
-}
-
-void dtlsserverrd(struct client *client) {
- struct request rq;
- pthread_t dtlsserverwrth;
-
- debug(DBG_DBG, "dtlsserverrd: starting for %s", client->conf->host);
-
- if (pthread_create(&dtlsserverwrth, NULL, dtlsserverwr, (void *)client)) {
- debug(DBG_ERR, "dtlsserverrd: pthread_create failed");
- return;
- }
-
- for (;;) {
- memset(&rq, 0, sizeof(struct request));
- rq.buf = raddtlsget(client->ssl, client->rbios);
- if (!rq.buf) {
- debug(DBG_ERR, "dtlsserverrd: connection from %s lost", client->conf->host);
- break;
- }
- debug(DBG_DBG, "dtlsserverrd: got Radius message from %s", client->conf->host);
- rq.from = client;
- if (!radsrv(&rq)) {
- debug(DBG_ERR, "dtlsserverrd: message authentication/validation failed, closing connection from %s", client->conf->host);
- break;
- }
- }
-
- /* stop writer by setting ssl to NULL and give signal in case waiting for data */
- client->ssl = NULL;
-
- pthread_mutex_lock(&client->replyq->mutex);
- pthread_cond_signal(&client->replyq->cond);
- pthread_mutex_unlock(&client->replyq->mutex);
- debug(DBG_DBG, "dtlsserverrd: waiting for writer to end");
- pthread_join(dtlsserverwrth, NULL);
- removeclientrqs(client);
- debug(DBG_DBG, "dtlsserverrd: reader for %s exiting", client->conf->host);
-}
-
-/* accept if acc == 1, else connect */
-SSL *dtlsacccon(uint8_t acc, SSL_CTX *ctx, int s, struct sockaddr *addr, struct queue *rbios) {
- SSL *ssl;
- int i, res;
- unsigned long error;
- BIO *mem0bio, *wbio;
-
- ssl = SSL_new(ctx);
- if (!ssl)
- return NULL;
-
- mem0bio = BIO_new(BIO_s_mem());
- BIO_set_mem_eof_return(mem0bio, -1);
- wbio = BIO_new_dgram(s, BIO_NOCLOSE);
- BIO_dgram_set_peer(wbio, addr);
- SSL_set_bio(ssl, mem0bio, wbio);
-
- for (i = 0; i < 5; i++) {
- res = acc ? SSL_accept(ssl) : SSL_connect(ssl);
- if (res > 0)
- return ssl;
- if (res == 0)
- break;
- if (SSL_get_error(ssl, res) == SSL_ERROR_WANT_READ) {
- BIO_free(ssl->rbio);
- ssl->rbio = getrbio(ssl, rbios, 5);
- if (!ssl->rbio)
- break;
- }
- while ((error = ERR_get_error()))
- debug(DBG_ERR, "dtls%st: DTLS: %s", acc ? "accep" : "connec", ERR_error_string(error, NULL));
- }
-
- SSL_free(ssl);
- return NULL;
-}
-
-void *dtlsservernew(void *arg) {
- struct client *client = (struct client *)arg;
- X509 *cert = NULL;
-
- client->ssl = dtlsacccon(1, client->conf->ssl_ctx, client->sock, (struct sockaddr *)&client->addr, client->rbios);
- if (!client->ssl)
- goto exit;
- cert = verifytlscert(client->ssl);
- if (!cert)
- goto exit;
- if (verifyconfcert(cert, client->conf)) {
- X509_free(cert);
- dtlsserverrd(client);
- removeclient(client);
- } else
- debug(DBG_WARN, "dtlsservernew: ignoring request, certificate validation failed");
- if (cert)
- X509_free(cert);
-
- exit:
- SSL_free(client->ssl);
- ERR_remove_state(0);
- pthread_exit(NULL);
-}
-
-int dtlsconnect(struct server *server, struct timeval *when, int timeout, char *text) {
- struct timeval now;
- time_t elapsed;
- X509 *cert;
-
- debug(DBG_DBG, "dtlsconnect: called from %s", text);
- pthread_mutex_lock(&server->lock);
- if (when && memcmp(&server->lastconnecttry, when, sizeof(struct timeval))) {
- /* already reconnected, nothing to do */
- debug(DBG_DBG, "dtlsconnect(%s): seems already reconnected", text);
- pthread_mutex_unlock(&server->lock);
- return 1;
- }
-
- for (;;) {
- gettimeofday(&now, NULL);
- elapsed = now.tv_sec - server->lastconnecttry.tv_sec;
-
- if (timeout && server->lastconnecttry.tv_sec && elapsed > timeout) {
- debug(DBG_DBG, "dtlsconnect: timeout");
- SSL_free(server->ssl);
- server->ssl = NULL;
- pthread_mutex_unlock(&server->lock);
- return 0;
- }
-
- if (server->connectionok) {
- server->connectionok = 0;
- sleep(2);
- } else if (elapsed < 1)
- sleep(2);
- else if (elapsed < 60) {
- debug(DBG_INFO, "dtlsconnect: sleeping %lds", elapsed);
- sleep(elapsed);
- } else if (elapsed < 100000) {
- debug(DBG_INFO, "dtlsconnect: sleeping %ds", 60);
- sleep(60);
- } else
- server->lastconnecttry.tv_sec = now.tv_sec; /* no sleep at startup */
- debug(DBG_WARN, "dtlsconnect: trying to open DTLS connection to %s port %s", server->conf->host, server->conf->port);
-
- SSL_free(server->ssl);
- server->ssl = dtlsacccon(0, server->conf->ssl_ctx, server->sock, server->conf->addrinfo->ai_addr, server->rbios);
- if (!server->ssl)
- continue;
- debug(DBG_DBG, "dtlsconnect: DTLS: ok");
-
- cert = verifytlscert(server->ssl);
- if (!cert)
- continue;
-
- if (verifyconfcert(cert, server->conf))
- break;
- X509_free(cert);
- }
- X509_free(cert);
- debug(DBG_WARN, "dtlsconnect: DTLS connection to %s port %s up", server->conf->host, server->conf->port);
- gettimeofday(&server->lastconnecttry, NULL);
- pthread_mutex_unlock(&server->lock);
- return 1;
-}
-
int tcpconnect(struct server *server, struct timeval *when, int timeout, char *text) {
struct timeval now;
time_t elapsed;
@@ -1691,21 +1322,6 @@ int clientradputtls(struct server *server, unsigned char *rad) {
return 1;
}
-int clientradputdtls(struct server *server, unsigned char *rad) {
- int cnt;
- size_t len;
- unsigned long error;
- struct clsrvconf *conf = server->conf;
-
- len = RADLEN(rad);
- while ((cnt = SSL_write(server->ssl, rad, len)) <= 0) {
- while ((error = ERR_get_error()))
- debug(DBG_ERR, "clientradputdtls: DTLS: %s", ERR_error_string(error, NULL));
- }
- debug(DBG_DBG, "clientradputdtls: Sent %d bytes, Radius packet of length %d to DTLS peer %s", cnt, len, conf->host);
- return 1;
-}
-
int clientradputtcp(struct server *server, unsigned char *rad) {
int cnt;
size_t len;
@@ -2982,55 +2598,6 @@ void *tlsclientrd(void *arg) {
return NULL;
}
-void *udpdtlsclientrd(void *arg) {
- int cnt, s = *(int *)arg;
- unsigned char buf[4];
- struct sockaddr_storage from;
- socklen_t fromlen = sizeof(from);
- struct clsrvconf *conf;
- fd_set readfds;
-
- for (;;) {
- FD_ZERO(&readfds);
- FD_SET(s, &readfds);
- if (select(s + 1, &readfds, NULL, NULL, NULL) < 1)
- continue;
- cnt = recvfrom(s, buf, 4, MSG_PEEK | MSG_TRUNC, (struct sockaddr *)&from, &fromlen);
- if (cnt == -1) {
- debug(DBG_WARN, "udpdtlsclientrd: recv failed");
- continue;
- }
-
- conf = find_conf(RAD_DTLS, (struct sockaddr *)&from, srvconfs, NULL);
- if (!conf) {
- debug(DBG_WARN, "udpdtlsclientrd: got packet from wrong or unknown DTLS peer %s, ignoring", addr2string((struct sockaddr *)&from, fromlen));
- recv(s, buf, 4, 0);
- continue;
- }
- if (udp2bio(s, conf->servers->rbios, cnt))
- debug(DBG_DBG, "radudpget: got DTLS in UDP from %s", addr2string((struct sockaddr *)&from, fromlen));
- }
-}
-
-void *dtlsclientrd(void *arg) {
- struct server *server = (struct server *)arg;
- unsigned char *buf;
- struct timeval lastconnecttry;
-
- for (;;) {
- /* yes, lastconnecttry is really necessary */
- lastconnecttry = server->lastconnecttry;
- buf = raddtlsget(server->ssl, server->rbios);
- if (!buf) {
- dtlsconnect(server, &lastconnecttry, 0, "dtlsclientrd");
- continue;
- }
-
- if (!replyh(server, buf))
- free(buf);
- }
-}
-
void *tcpclientrd(void *arg) {
struct server *server = (struct server *)arg;
unsigned char *buf;
diff --git a/radsecproxy.h b/radsecproxy.h
index 34f56ca..5ee7a57 100644
--- a/radsecproxy.h
+++ b/radsecproxy.h
@@ -201,3 +201,13 @@ struct protodefs {
#define SOCKADDR_SIZE(addr) ((addr).ss_family == AF_INET ? \
sizeof(struct sockaddr_in) : \
sizeof(struct sockaddr_in6))
+
+struct clsrvconf *find_clconf(uint8_t type, struct sockaddr *addr, struct list_node **cur);
+struct clsrvconf *find_srvconf(uint8_t type, struct sockaddr *addr, struct list_node **cur);
+struct client *addclient(struct clsrvconf *conf);
+void removeclient(struct client *client);
+void removeclientrqs(struct client *client);
+int radsrv(struct request *rq);
+X509 *verifytlscert(SSL *ssl);
+int verifyconfcert(X509 *cert, struct clsrvconf *conf);
+int replyh(struct server *server, unsigned char *buf);