rad_assert(request != NULL);
+ RDEBUG2("Initiating new EAP-TLS session");
+
/*
* Manually flush the sessions every so often. If HALF
* of the session lifetime has passed since we last
if (conf->session_cache_enable) state->allow_session_resumption = true; /* otherwise it's false */
- RDEBUG2("Initiate");
-
return state;
}
/* Verify OCSP response status */
status = OCSP_response_status(resp);
- DEBUG2(LOG_PREFIX ":ocsp: Response status: %s",OCSP_response_status_str(status));
if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
- DEBUG2(LOG_PREFIX ": ocsp: Response status: %s", OCSP_response_status_str(status));
+ ERROR(LOG_PREFIX ": ocsp: Response status: %s", OCSP_response_status_str(status));
goto ocsp_end;
}
bresp = OCSP_response_get1_basic(resp);
}
goto ocsp_end;
}
-
+ DEBUG2(LOG_PREFIX ": ocsp: Response status: %s", OCSP_response_status_str(status));
if (bio_out) {
BIO_puts(bio_out, "\tThis Update: ");
buf[0] = '\0';
sn = X509_get_serialNumber(client_cert);
- RDEBUG2("TLS Verify creating certificate attributes");
+ RDEBUG2("Creating attributes from certificate OIDs");
RINDENT();
/*
"attribute and value are defined in the dictionaries",
attribute, value);
} else {
+ /*
+ * rdebug_pair_list indents (so pre REXDENT())
+ */
+ REXDENT();
rdebug_pair_list(L_DBG_LVL_2, request, vp, NULL);
+ RINDENT();
}
}
} else {
RDEBUG2("checking certificate CN (%s) with xlat'ed value (%s)", common_name, cn_str);
if (strcmp(cn_str, common_name) != 0) {
- AUTH("tls: Certificate CN (%s) does not match specified value (%s)!", common_name, cn_str);
+ AUTH(LOG_PREFIX ": Certificate CN (%s) does not match specified value (%s)!",
+ common_name, cn_str);
my_ok = 0;
}
}
} /* depth == 0 */
- if (RDEBUG_ENABLED2) {
- RDEBUG2("chain-depth : %d, ", depth);
- RDEBUG2("error : %d", err);
+ if (RDEBUG_ENABLED3) {
+ RDEBUG3("chain-depth : %d", depth);
+ RDEBUG3("error : %d", err);
- if (identity) RDEBUG2("identity : %s", *identity);
- RDEBUG2("common name : %s", common_name);
- RDEBUG2("subject : %s", subject);
- RDEBUG2("issuer : %s", issuer);
- RDEBUG2("verify return : %d", my_ok);
+ if (identity) RDEBUG3("identity : %s", *identity);
+ RDEBUG3("common name : %s", common_name);
+ RDEBUG3("subject : %s", subject);
+ RDEBUG3("issuer : %s", issuer);
+ RDEBUG3("verify return : %d", my_ok);
}
return my_ok;
}
*/
fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request)
{
- RDEBUG2("Received TLS ACK");
-
if (ssn == NULL){
REDEBUG("Unexpected ACK received: No ongoing SSL session");
return FR_TLS_INVALID;
switch (ssn->info.content_type) {
case alert:
- RDEBUG2("ACK alert");
+ RDEBUG2("Peer ACKed our alert");
return FR_TLS_FAIL;
case handshake:
if ((ssn->info.handshake_type == handshake_finished) && (ssn->dirty_out.used == 0)) {
- RDEBUG2("ACK handshake is finished");
+ RDEBUG2("Peer ACKed our handshake fragment. handshake is finished");
/*
* From now on all the content is
return FR_TLS_SUCCESS;
} /* else more data to send */
- RDEBUG2("ACK handshake fragment handler");
+ RDEBUG2("Peer ACKed our handshake fragment");
/* Fragmentation handler, send next fragment */
return FR_TLS_REQUEST;
case application_data:
- RDEBUG2("ACK handshake fragment handler in application data");
+ RDEBUG2("Peer ACKed our application data fragment");
return FR_TLS_REQUEST;
/*
*/
default:
REDEBUG("Invalid ACK received: %d", ssn->info.content_type);
-
return FR_TLS_INVALID;
}
}
-
#endif /* WITH_TLS */
rad_assert(module != NULL);
- RDEBUG2("Calling EAP submodule %s to process data", module->type->name);
+ RDEBUG2("Calling submodule %s to process data", module->type->name);
request->module = module->type->name;
return EAP_INVALID;
}
- RDEBUG2("Peer sent EAP %s (%d) request", eap_type2name(type->num), type->num);
+ RDEBUG2("Peer sent packet with method EAP %s (%d)", eap_type2name(type->num), type->num);
/*
* Figure out what to do.
*/
default:
++reply->id;
}
- RDEBUG2("Sending response, EAP ID %d", reply->id);
- } else {
- RDEBUG2("Sending response, EAP ID %d (set by EAP method handler)", reply->id);
}
/*
break;
}
+ RDEBUG2("Sending EAP %s (code %i) ID %d length %i",
+ eap_codes[eap_packet->code], eap_packet->code, reply->id,
+ eap_packet->length[0] * 256 + eap_packet->length[1]);
+
return rcode;
}
*/
if ((eap_msg->vp_octets[0] == 0) ||
(eap_msg->vp_octets[0] >= PW_EAP_MAX_CODES)) {
- RDEBUG2("Unknown EAP packet");
+ RDEBUG2("Peer sent EAP packet with unknown code %i", eap_msg->vp_octets[0]);
} else {
RDEBUG2("Peer sent EAP %s (code %i) ID %d length %zu",
eap_codes[eap_msg->vp_octets[0]],
* fragments to receive to make the complete
* TLS-record/TLS-Message
*/
-static int eaptls_send_ack(EAP_DS *eap_ds, int peap_flag)
+static int eaptls_send_ack(eap_handler_t *handler, int peap_flag)
{
EAPTLS_PACKET reply;
+ REQUEST *request = handler->request;
+ RDEBUG2("ACKing Peer's TLS record fragment");
reply.code = FR_TLS_ACK;
reply.length = TLS_HEADER_LEN + 1/*flags*/;
reply.flags = peap_flag;
reply.data = NULL;
reply.dlen = 0;
- eaptls_compose(eap_ds, &reply);
+ eaptls_compose(handler->eap_ds, &reply);
return 1;
}
/*
* First output the flags (for debugging)
*/
- RDEBUG2("Peer sent EAP-TLS flags %c%c%c",
+ RDEBUG3("Peer sent flags %c%c%c",
TLS_START(eaptls_packet->flags) ? 'S' : '-',
TLS_MORE_FRAGMENTS(eaptls_packet->flags) ? 'M' : '-',
TLS_LENGTH_INCLUDED(eaptls_packet->flags) ? 'L' : '-');
RDEBUG2("Got complete TLS record (no fragmentation)");
return FR_TLS_LENGTH_INCLUDED;
}
- } else {
- RDEBUG2("Got additional TLS record fragment");
}
- if (TLS_MORE_FRAGMENTS(eaptls_packet->flags)) {
- RDEBUG2("More fragments to follow");
- return FR_TLS_MORE_FRAGMENTS;
+ /*
+ * The previous packet had the M flags set, but this one doesn't,
+ * this must be the final record fragment
+ */
+ if (TLS_MORE_FRAGMENTS(eaptls_prev->flags) && !TLS_MORE_FRAGMENTS(eaptls_packet->flags)) {
+ RDEBUG2("Got final TLS record fragment");
+ } else {
+ RDEBUG2("Got additional TLS record fragment. Peer indicated more fragments to follow");
}
+ if (TLS_MORE_FRAGMENTS(eaptls_packet->flags)) return FR_TLS_MORE_FRAGMENTS;
+
/*
* None of the flags are set, but it's still a valid
* EAPTLS packet.
/*
* Send the ACK.
*/
- eaptls_send_ack(handler->eap_ds, tls_session->peap_flag);
+ eaptls_send_ack(handler, tls_session->peap_flag);
return FR_TLS_HANDLED;
}
if (!request) return FR_TLS_FAIL;
- RDEBUG2("Processing EAP-TLS");
+ RDEBUG2("Continuing EAP-TLS");
+
SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_REQUEST, request);
if (handler->certs) pairadd(&request->packet->vps,
/*
* Send the ACK.
*/
- eaptls_send_ack(handler->eap_ds,
- tls_session->peap_flag);
+ eaptls_send_ack(handler, tls_session->peap_flag);
RDEBUG2("Init is done, but tunneled data is fragmented");
status = FR_TLS_HANDLED;
goto done;
*/
case PW_EAP_MSCHAPV2:
default:
- RDEBUG2("EAP type %s (%d)", eap_type2name(eap_method),
+ RDEBUG2("EAP method %s (%d)", eap_type2name(eap_method),
eap_method);
return 1;
}
inst = type_arg;
- RDEBUG2("Authenticate");
-
status = eaptls_process(handler);
if ((status == FR_TLS_INVALID) || (status == FR_TLS_FAIL)) {
REDEBUG("[eaptls process] = %s", fr_int2str(fr_tls_status_table, status, "<INVALID>"));
fake->server = inst->virtual_server;
}
- RDEBUG("Processing EAP-TLS Certificate check:");
+ RDEBUG2("Validating certificate");
rad_virtual_server(fake);
/* copy the reply vps back to our reply */
/* reject if virtual server didn't return accept */
if (fake->reply->code != PW_CODE_ACCESS_ACCEPT) {
- RDEBUG2("Certificates were rejected by the virtual server");
+ RDEBUG2("Certificate rejected by the virtual server");
talloc_free(fake);
eaptls_fail(handler, 0);
return 0;
projects / thirdparty / freeradius-server.git / commitdiff
