From: Alan T. DeKok
Date: Fri, 30 Jul 2021 13:07:01 +0000 (-0400)
Subject: the end client must be known, too.
X-Git-Tag: release_3_0_24~80
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8dea7634a9bcc31fbf7a26c1ac4bf0b5c2673472;p=thirdparty%2Ffreeradius-server.git
the end client must be known, too.
---
diff --git a/src/main/tls_listen.c b/src/main/tls_listen.c
index 0c4cc934d4..3cc1b6b6c7 100644
--- a/src/main/tls_listen.c
+++ b/src/main/tls_listen.c
@@ -132,6 +132,7 @@ static int proxy_protocol_check(rad_listen_t *listener, REQUEST *request)
 fr_ipaddr_t src, dst;
 char *argv[5], *eos;
 ssize_t rcode;
+ RADCLIENT *client;
 
 /*
 * Begin by trying to fill the buffer.
@@ -278,6 +279,32 @@ static int proxy_protocol_check(rad_listen_t *listener, REQUEST *request)
 sock->haproxy_dst_port);
 }
 
+ /*
+ * Ensure that the source IP indicated by the PROXY
+ * protocol is a known TLS client.
+ */
+ if ((client = client_listener_find(listener, &src, src_port)) == NULL ||
+ client->proto != IPPROTO_TCP) {
+ RDEBUG("(TLS) Unknown client %s - dropping PROXY protocol connection", argv[0]);
+ return -1;
+ }
+
+ /*
+ * Use the client indicated by the proxy.
+ */
+ sock->client = client;
+
+ /*
+ * Fix up the current request so that the first packet's
+ * src/dst is valid. Subsequent packets will get the
+ * clients IP from the listener and listen_sock
+ * structures.
+ */
+ request->packet->dst_ipaddr = dst;
+ request->packet->dst_port = dst_port;
+ request->packet->src_ipaddr = src;
+ request->packet->src_port = src_port;
+
 /*
 * Move any remaining TLS data to the start of the buffer.
 */
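Review bot: The comment above the new `client_listener_find()` call in the second hunk promises a "known TLS client", but the condition only tests `client->proto != IPPROTO_TCP`, which admits any TCP-configured client whether or not it is a TLS client; either the condition should also test the client's TLS requirement, or the comment should say "known TCP client" so readers do not assume a TLS check happened here. The source address being validated comes from the PROXY header, i.e. from whatever peer opened the connection, so the security of this lookup rests on an earlier check that the real TCP peer is permitted to send PROXY headers at all — proxy_protocol_check's body begins outside this hunk, so that check is not visible in the commit and should be confirmed. Because a rejected header is exactly the event an operator would want to notice, consider a level above RDEBUG for the drop, e.g. `RWARN("(TLS) Unknown client %s - dropping PROXY protocol connection", argv[0]);`, or at least a comment noting why debug level was chosen. The assignment `sock->client = client;` silently replaces whatever client the socket previously resolved to; a one-line comment stating that the previous value is not owned by the socket (if that is the case) would make the overwrite obviously safe.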