Put SSL errors into Module-Failure-Message
authorAlan T. DeKok <aland@freeradius.org>
Thu, 29 Jul 2010 07:45:11 +0000 (09:45 +0200)
committerAlan T. DeKok <aland@freeradius.org>
Fri, 30 Jul 2010 12:36:41 +0000 (14:36 +0200)
src/modules/rlm_eap/libeap/eap_tls.c
src/modules/rlm_eap/libeap/eap_tls.h
src/modules/rlm_eap/libeap/tls.c
src/modules/rlm_eap/types/rlm_eap_peap/peap.c
src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c

index df361cd..6983713 100644 (file)
@@ -760,7 +760,7 @@ static eaptls_status_t eaptls_operation(eaptls_status_t status,
         *      If more info
         *      is required then send another request.
         */
-       if (!tls_handshake_recv(tls_session)) {
+       if (!tls_handshake_recv(handler->request, tls_session)) {
                DEBUG2("TLS receive handshake failed during operation");
                eaptls_fail(handler, tls_session->peap_flag);
                return EAPTLS_FAIL;
index caeb5a6..f661562 100644 (file)
@@ -359,8 +359,8 @@ void                cbtls_msg(int write_p, int msg_version, int content_type,
 
 /* TLS */
 tls_session_t  *eaptls_new_session(SSL_CTX *ssl_ctx, int client_cert);
-int            tls_handshake_recv(tls_session_t *ssn);
-int            tls_handshake_send(tls_session_t *ssn);
+int            tls_handshake_recv(REQUEST *, tls_session_t *ssn);
+int            tls_handshake_send(REQUEST *,tls_session_t *ssn);
 void           tls_session_information(tls_session_t *tls_session);
 
 /* Session */
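Review bot: The two new prototypes leave the REQUEST parameter unnamed, and `tls_handshake_send` has no space after the comma, which reads as a copy-paste slip next to the named `ssn` parameter. Naming the parameter documents what callers are expected to pass (the request whose `Module-Failure-Message` gets the SSL error) and keeps the header consistent with the definitions in tls.c: `int tls_handshake_recv(REQUEST *request, tls_session_t *ssn);` and `int tls_handshake_send(REQUEST *request, tls_session_t *ssn);`.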
index 0929be7..5a4fa0b 100644 (file)
@@ -99,14 +99,16 @@ tls_session_t *eaptls_new_session(SSL_CTX *ssl_ctx, int client_cert)
 /*
  *     Print out some text describing the error.
  */
-static int int_ssl_check(SSL *s, int ret, const char *text)
+static int int_ssl_check(REQUEST *request, SSL *s, int ret, const char *text)
 {
        int e;
        unsigned long l;
 
        if ((l = ERR_get_error()) != 0) {
-               radlog(L_ERR, "rlm_eap: SSL error %s",
-                      ERR_error_string(l, NULL));
+               const char *p = ERR_error_string(l, NULL);
+               radlog(L_ERR, "rlm_eap: SSL error %s", p);
+               radius_pairmake(request, &request->packet->vps,
+                               "Module-Failure-Message", p, T_OP_ADD);
        }
        e = SSL_get_error(s, ret);
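Review bot: The string handed to `radius_pairmake` comes from `ERR_error_string(l, NULL)`, which with a NULL buffer returns a pointer to a static, per-process buffer; in a threaded server another thread's SSL error can overwrite it between the `radlog` call and the pair creation, so the attribute may carry the wrong message. `ERR_error_string_n` into a local buffer removes that hazard. The new code also dereferences `request->packet->vps` unconditionally; every caller visible in this commit passes a request, but a cheap `if (request)` guard keeps int_ssl_check safe for any future caller that only wants the log line. The rest of int_ssl_check (the `SSL_get_error` dispatch) continues past the end of the hunk.
```c
	if ((l = ERR_get_error()) != 0) {
		char buf[256];

		ERR_error_string_n(l, buf, sizeof buf);
		radlog(L_ERR, "rlm_eap: SSL error %s", buf);
		if (request) {
			radius_pairmake(request, &request->packet->vps,
					"Module-Failure-Message", buf, T_OP_ADD);
		}
	}
	/* … unchanged: SSL_get_error() dispatch … */
```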
 
@@ -172,7 +174,7 @@ static int int_ssl_check(SSL *s, int ret, const char *text)
  * Fill the Bio with the dirty data to clean it
  * Get the cleaned data from SSL, if it is not Handshake data
  */
-int tls_handshake_recv(tls_session_t *ssn)
+int tls_handshake_recv(REQUEST *request, tls_session_t *ssn)
 {
        int err;
 
@@ -186,7 +188,7 @@ int tls_handshake_recv(tls_session_t *ssn)
                return 1;
        }
 
-       if (!int_ssl_check(ssn->ssl, err, "SSL_read")) {
+       if (!int_ssl_check(request, ssn->ssl, err, "SSL_read")) {
                return 0;
        }
 
@@ -220,7 +222,7 @@ int tls_handshake_recv(tls_session_t *ssn)
                        return 1;
 
                } else {
-                       int_ssl_check(ssn->ssl, err, "BIO_read");
+                       int_ssl_check(request, ssn->ssl, err, "BIO_read");
                        record_init(&ssn->dirty_in);
                        return 0;
                }
@@ -239,7 +241,7 @@ int tls_handshake_recv(tls_session_t *ssn)
  *     Take clear-text user data, and encrypt it into the output buffer,
  *     to send to the client at the other end of the SSL connection.
  */
-int tls_handshake_send(tls_session_t *ssn)
+int tls_handshake_send(REQUEST *request, tls_session_t *ssn)
 {
        int err;
 
@@ -264,7 +266,7 @@ int tls_handshake_send(tls_session_t *ssn)
                if (err > 0) {
                        ssn->dirty_out.used = err;
                } else {
-                       int_ssl_check(ssn->ssl, err, "handshake_send");
+                       int_ssl_check(request, ssn->ssl, err, "handshake_send");
                }
        }
 
index 075dd9f..982c8a8 100644 (file)
@@ -55,7 +55,7 @@ static int eappeap_failure(EAP_HANDLER *handler, tls_session_t *tls_session)
        /*
         *      FIXME: Check the return code.
         */
-       tls_handshake_send(tls_session);
+       tls_handshake_send(request, tls_session);
 
        return 1;
 }
@@ -90,7 +90,7 @@ static int eappeap_success(EAP_HANDLER *handler, tls_session_t *tls_session)
        /*
         *      FIXME: Check the return code.
         */
-       tls_handshake_send(tls_session);
+       tls_handshake_send(request, tls_session);
 
        return 1;
 }
@@ -109,7 +109,7 @@ static int eappeap_identity(EAP_HANDLER *handler, tls_session_t *tls_session)
        (tls_session->record_plus)(&tls_session->clean_in,
                                  &eap_packet, sizeof(eap_packet));
 
-       tls_handshake_send(tls_session);
+       tls_handshake_send(handler->request, tls_session);
        (tls_session->record_init)(&tls_session->clean_in);
 
        return 1;
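Review bot: eappeap_identity passes `handler->request` here while the two preceding hunks (eappeap_failure, eappeap_success) pass a local `request`; if eappeap_identity declares the same `REQUEST *request` local (its declaration would be outside the hunk), `tls_handshake_send(request, tls_session);` keeps the three call sites uniform. Either form is fine functionally; the point is only consistency within the file.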
@@ -238,7 +238,7 @@ static VALUE_PAIR *eap2vp(REQUEST *request, EAP_DS *eap_ds,
  *     Convert a list of VALUE_PAIR's to an EAP packet, through the
  *     simple expedient of dumping the EAP message
  */
-static int vp2eap(tls_session_t *tls_session, VALUE_PAIR *vp)
+static int vp2eap(REQUEST *request, tls_session_t *tls_session, VALUE_PAIR *vp)
 {
        /*
         *      Skip the id, code, and length.  Just write the EAP
@@ -284,7 +284,7 @@ static int vp2eap(tls_session_t *tls_session, VALUE_PAIR *vp)
                                           vp->vp_octets, vp->length);
        }
 
-       tls_handshake_send(tls_session);
+       tls_handshake_send(request, tls_session);
 
        return 1;
 }
@@ -422,7 +422,7 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
                 *      VP's back to the client.
                 */
                if (vp) {
-                       vp2eap(tls_session, vp);
+                       vp2eap(request, tls_session, vp);
                        pairfree(&vp);
                }
 
index 772edc3..c3fde1c 100644 (file)
@@ -598,7 +598,7 @@ static int vp2diameter(REQUEST *request, tls_session_t *tls_session, VALUE_PAIR
                /*
                 *      FIXME: Check the return code.
                 */
-               tls_handshake_send(tls_session);
+               tls_handshake_send(request, tls_session);
        }
 
        /*