close the TLS socket on TLS errors.

If there's a TLS connection error, then the only way to recover
is to close the socket and start over from scratch.

diff --git a/src/main/tls_listen.c b/src/main/tls_listen.c
index cd1c7e1d8c921a488367588cde1d741613d917da..588d12958deff91deaa963ea5f8f069a4ef6e232 100644 (file)
--- a/src/main/tls_listen.c
+++ b/src/main/tls_listen.c
@@ -81,7 +81,7 @@ static void tls_socket_close(rad_listen_t *listener)
        /*
         *      Tell the event handler that an FD has disappeared.
         */
-       DEBUG("(TLS) Client has closed connection");
+       DEBUG("(TLS) Closing connection");
        radius_update_listener(listener);
 
        /*
@@ -500,7 +500,10 @@ static int tls_socket_recv(rad_listen_t *listener)
                /*
                 *      Normal socket close.
                 */
-               if (rcode == 0) goto do_close;
+               if (rcode == 0) {
+                       RDEBUG("(TLS) Client has closed the TCP connection");
+                       goto do_close;
+               }
 
                sock->ssn->dirty_in.used = rcode;
        }
@@ -606,6 +609,16 @@ get_application_data:
        status = tls_application_data(sock->ssn, request);
        RDEBUG3("(TLS) Application data status %d", status);
 
+       /*
+        *      Some kind of failure.  Close the socket.
+        */
+       if (status == FR_TLS_FAIL) {
+               DEBUG("(TLS) Unable to recover from TLS error, closing socket from client port %u", sock->other_port);
+               tls_socket_close(listener);
+               PTHREAD_MUTEX_UNLOCK(&sock->mutex);
+               return 0;
+       }
+
        if (status == FR_TLS_MORE_FRAGMENTS) {
                PTHREAD_MUTEX_UNLOCK(&sock->mutex);
                return 0;
@@ -1134,7 +1147,8 @@ static ssize_t proxy_tls_read(rad_listen_t *listener)
                rcode = SSL_read(sock->ssn->ssl, data + sock->partial,
                                 length - sock->partial);
                if (rcode <= 0) {
-                       switch (SSL_get_error(sock->ssn->ssl, rcode)) {
+                       int err = SSL_get_error(sock->ssn->ssl, rcode);
+                       switch (err) {
                        case SSL_ERROR_WANT_READ:
                        case SSL_ERROR_WANT_WRITE:
                                DEBUG3("(TLS) SSL_read() returned %s", ERR_reason_error_string(rcode));
@@ -1145,6 +1159,7 @@ static ssize_t proxy_tls_read(rad_listen_t *listener)
                                SSL_shutdown(sock->ssn->ssl);
                                goto do_close;
                        default:
+                               DEBUG("(TLS) Unexpected OpenSSL error %d", err);
                                goto do_close;
                        }
                }