From 82aa1dbb4b17453662b9d6bad13aefe4efea4d10 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Thu, 29 Jul 2010 09:45:11 +0200
Subject: [PATCH] Put SSL errors into Module-Failure-Message

---
 src/modules/rlm_eap/libeap/eap_tls.c | 2 +-
 src/modules/rlm_eap/libeap/eap_tls.h | 4 ++--
 src/modules/rlm_eap/libeap/tls.c | 18 ++++++++++--------
 src/modules/rlm_eap/types/rlm_eap_peap/peap.c | 12 ++++++------
 src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c | 2 +-
 5 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/src/modules/rlm_eap/libeap/eap_tls.c b/src/modules/rlm_eap/libeap/eap_tls.c
index df361cd..6983713 100644
--- a/src/modules/rlm_eap/libeap/eap_tls.c
+++ b/src/modules/rlm_eap/libeap/eap_tls.c
@@ -760,7 +760,7 @@ static eaptls_status_t eaptls_operation(eaptls_status_t status,
 * If more info
 * is required then send another request.
 */
- if (!tls_handshake_recv(tls_session)) {
+ if (!tls_handshake_recv(handler->request, tls_session)) {
 DEBUG2("TLS receive handshake failed during operation");
 eaptls_fail(handler, tls_session->peap_flag);
 return EAPTLS_FAIL;
diff --git a/src/modules/rlm_eap/libeap/eap_tls.h b/src/modules/rlm_eap/libeap/eap_tls.h
index caeb5a6..f661562 100644
--- a/src/modules/rlm_eap/libeap/eap_tls.h
+++ b/src/modules/rlm_eap/libeap/eap_tls.h
@@ -359,8 +359,8 @@ void cbtls_msg(int write_p, int msg_version, int content_type,
 /* TLS */
 tls_session_t *eaptls_new_session(SSL_CTX *ssl_ctx, int client_cert);
-int tls_handshake_recv(tls_session_t *ssn);
-int tls_handshake_send(tls_session_t *ssn);
+int tls_handshake_recv(REQUEST *, tls_session_t *ssn);
+int tls_handshake_send(REQUEST *,tls_session_t *ssn);
 void tls_session_information(tls_session_t *tls_session);
 /* Session */
diff --git a/src/modules/rlm_eap/libeap/tls.c b/src/modules/rlm_eap/libeap/tls.c
index 0929be7..5a4fa0b 100644
--- a/src/modules/rlm_eap/libeap/tls.c
+++ b/src/modules/rlm_eap/libeap/tls.c
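Review bot: The new prototypes in the eap_tls.h hunk drop the name of the added parameter and, on the `tls_handshake_send` line, the space after the comma, while the definitions in tls.c spell it `REQUEST *request` and the neighbouring prototypes in this header all name their parameters. Keeping the name documents what a caller outside libeap must pass; I would write `int tls_handshake_recv(REQUEST *request, tls_session_t *ssn);` and `int tls_handshake_send(REQUEST *request, tls_session_t *ssn);`. A one-line comment above them such as `/* request: where SSL errors are recorded as Module-Failure-Message */` would explain why the argument exists, since nothing in the header says so.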
@@ -99,14 +99,16 @@ tls_session_t *eaptls_new_session(SSL_CTX *ssl_ctx, int client_cert)
 /*
 * Print out some text describing the error.
 */
-static int int_ssl_check(SSL *s, int ret, const char *text)
+static int int_ssl_check(REQUEST *request, SSL *s, int ret, const char *text)
 {
 int e;
 unsigned long l;
 if ((l = ERR_get_error()) != 0) {
- radlog(L_ERR, "rlm_eap: SSL error %s",
- ERR_error_string(l, NULL));
+ const char *p = ERR_error_string(l, NULL);
+ radlog(L_ERR, "rlm_eap: SSL error %s", p);
+ radius_pairmake(request, &request->packet->vps,
+ "Module-Failure-Message", p, T_OP_ADD);
 }
 e = SSL_get_error(s, ret);
@@ -172,7 +174,7 @@ static int int_ssl_check(SSL *s, int ret, const char *text)
 * Fill the Bio with the dirty data to clean it
 * Get the cleaned data from SSL, if it is not Handshake data
 */
-int tls_handshake_recv(tls_session_t *ssn)
+int tls_handshake_recv(REQUEST *request, tls_session_t *ssn)
 {
 int err;
@@ -186,7 +188,7 @@ int tls_handshake_recv(tls_session_t *ssn)
 return 1;
 }
- if (!int_ssl_check(ssn->ssl, err, "SSL_read")) {
+ if (!int_ssl_check(request, ssn->ssl, err, "SSL_read")) {
 return 0;
 }
@@ -220,7 +222,7 @@ int tls_handshake_recv(tls_session_t *ssn)
 return 1;
 } else {
- int_ssl_check(ssn->ssl, err, "BIO_read");
+ int_ssl_check(request, ssn->ssl, err, "BIO_read");
 record_init(&ssn->dirty_in);
 return 0;
 }
@@ -239,7 +241,7 @@ int tls_handshake_recv(tls_session_t *ssn)
 * Take clear-text user data, and encrypt it into the output buffer,
 * to send to the client at the other end of the SSL connection.
 */
-int tls_handshake_send(tls_session_t *ssn)
+int tls_handshake_send(REQUEST *request, tls_session_t *ssn)
 {
 int err;
@@ -264,7 +266,7 @@ int tls_handshake_send(tls_session_t *ssn)
 if (err > 0) {
 ssn->dirty_out.used = err;
 } else {
- int_ssl_check(ssn->ssl, err, "handshake_send");
+ int_ssl_check(request, ssn->ssl, err, "handshake_send");
 }
 }
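Review bot: In int_ssl_check, `ERR_error_string(l, NULL)` returns a pointer into an OpenSSL static buffer that OpenSSL documents as not thread safe, and the new code now reads that buffer twice (radlog, then radius_pairmake), so in a threaded server a concurrent SSL error can leave a garbled or mismatched string in Module-Failure-Message; `ERR_error_string_n()` into a local buffer avoids this. The block also pops only one entry from the error queue, so any further queued errors stay behind and are attributed to whichever call checks next — draining the queue in a loop keeps the recorded failure messages faithful, and `T_OP_ADD` already allows several values. `request` is dereferenced unconditionally; every caller in this patch passes one, but since this is library code a NULL guard is cheap, and can be dropped if all callers are guaranteed non-NULL. int_ssl_check continues past the end of the hunk.
```c
static int int_ssl_check(REQUEST *request, SSL *s, int ret, const char *text)
{
	int e;
	unsigned long l;
	char buf[256];

	/*
	 *	Drain the whole error queue so stale errors are not
	 *	attributed to a later call.  ERR_error_string_n() writes
	 *	into our own buffer; ERR_error_string(l, NULL) returns a
	 *	static buffer that is not thread safe.
	 */
	while ((l = ERR_get_error()) != 0) {
		ERR_error_string_n(l, buf, sizeof(buf));
		radlog(L_ERR, "rlm_eap: SSL error %s", buf);
		if (request) {
			radius_pairmake(request, &request->packet->vps,
					"Module-Failure-Message", buf, T_OP_ADD);
		}
	}

	e = SSL_get_error(s, ret);
	/* … unchanged: remainder of int_ssl_check … */
```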
diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
index 075dd9f..982c8a8 100644
--- a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
+++ b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
@@ -55,7 +55,7 @@ static int eappeap_failure(EAP_HANDLER *handler, tls_session_t *tls_session)
 /*
 * FIXME: Check the return code.
 */
- tls_handshake_send(tls_session);
+ tls_handshake_send(request, tls_session);
 return 1;
 }
@@ -90,7 +90,7 @@ static int eappeap_success(EAP_HANDLER *handler, tls_session_t *tls_session)
 /*
 * FIXME: Check the return code.
 */
- tls_handshake_send(tls_session);
+ tls_handshake_send(request, tls_session);
 return 1;
 }
@@ -109,7 +109,7 @@ static int eappeap_identity(EAP_HANDLER *handler, tls_session_t *tls_session)
 (tls_session->record_plus)(&tls_session->clean_in, &eap_packet, sizeof(eap_packet));
- tls_handshake_send(tls_session);
+ tls_handshake_send(handler->request, tls_session);
 (tls_session->record_init)(&tls_session->clean_in);
 return 1;
@@ -238,7 +238,7 @@ static VALUE_PAIR *eap2vp(REQUEST *request, EAP_DS *eap_ds,
 * Convert a list of VALUE_PAIR's to an EAP packet, through the
 * simple expedient of dumping the EAP message
 */
-static int vp2eap(tls_session_t *tls_session, VALUE_PAIR *vp)
+static int vp2eap(REQUEST *request, tls_session_t *tls_session, VALUE_PAIR *vp)
 {
 /*
 * Skip the id, code, and length. Just write the EAP
@@ -284,7 +284,7 @@ static int vp2eap(tls_session_t *tls_session, VALUE_PAIR *vp)
 vp->vp_octets, vp->length);
 }
- tls_handshake_send(tls_session);
+ tls_handshake_send(request, tls_session);
 return 1;
 }
@@ -422,7 +422,7 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
 * VP's back to the client.
 */
 if (vp) {
- vp2eap(tls_session, vp);
+ vp2eap(request, tls_session, vp);
 pairfree(&vp);
 }
diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
index 772edc3..c3fde1c 100644
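Review bot: In the eappeap_failure hunk the result of `tls_handshake_send(request, tls_session)` is still discarded and the function returns 1 unconditionally, so a failure to encrypt the inner EAP-Failure is reported as success to the caller; the `FIXME: Check the return code.` directly above the changed line says as much, and the identical call in eappeap_success has the same gap. Now that the SSL error is recorded on the request, the cheap follow-up is `if (!tls_handshake_send(request, tls_session)) return 0;`, assuming tls_handshake_send follows the 0-on-failure convention tls_handshake_recv visibly uses in tls.c (its return paths are not shown here). Whether `request` in these two functions is a local derived from `handler->request` is not visible in the hunk — eappeap_identity passes `handler->request` directly — so the two spellings should presumably be made consistent once confirmed. The bodies of eappeap_failure and eappeap_success begin outside the hunk.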
--- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
@@ -598,7 +598,7 @@ static int vp2diameter(REQUEST *request, tls_session_t *tls_session, VALUE_PAIR
 /*
 * FIXME: Check the return code.
 */
- tls_handshake_send(tls_session);
+ tls_handshake_send(request, tls_session);
 }
 /*
--
2.1.4
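Review bot: The `FIXME: Check the return code.` left above the changed line in vp2diameter still applies: `tls_handshake_send(request, tls_session)` is called for its side effect and its result dropped, so if encrypting the outgoing Diameter AVPs fails the caller proceeds as though data had been queued, with only the new Module-Failure-Message as evidence. If tls_handshake_send follows the 0-on-failure convention tls_handshake_recv visibly uses in tls.c, propagating that result from the enclosing block — or at least a `DEBUG2` noting the failure — would close the FIXME. The enclosing block's start and vp2diameter's return paths are outside the hunk.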