tac_plus-ng/packet.c: be more verbose when rejecting TLS connections

MarcJHuber · MarcJHuber · commit 7d559f8f16e6 · 2025-08-21T18:03:00.000+02:00
diff --git a/tac_plus-ng/headers.h b/tac_plus-ng/headers.h
@@ -1035,6 +1035,7 @@ struct context_logfile {
 };
 
 void cleanup(struct context *, int);
+void reject_conn(struct context *ctx, const char *hint, char *tls, int line);
 
 /* acct.c */
 void accounting(tac_session *, tac_pak_hdr *);
diff --git a/tac_plus-ng/main.c b/tac_plus-ng/main.c
@@ -639,7 +639,7 @@ static void read_px(struct context_px *ctx, int cur)
     free(ctx);
 }
 
-static void reject_conn(struct context *ctx, const char *hint, char *tls, int line)
+void reject_conn(struct context *ctx, const char *hint, char *tls, int line)
 {
     if (!hint)
 	hint = "";
@@ -1463,7 +1463,7 @@ static void accept_control_common(int s, struct scm_data_accept_ext *sd_ext, soc
 
 static int query_mavis_host(struct context *ctx, void (*f)(struct context *))
 {
-    if(!ctx->host || ctx->host->try_mavis != TRISTATE_YES)
+    if (!ctx->host || ctx->host->try_mavis != TRISTATE_YES)
 	return 0;
     if (!ctx->mavis_tried) {
 	ctx->mavis_tried = 1;
diff --git a/tac_plus-ng/packet.c b/tac_plus-ng/packet.c
@@ -564,8 +564,13 @@ void tac_read(struct context *ctx, int cur)
     if (config.rad_dict && ctx->hdroff > 0 && ctx->hdr.tac.version < TAC_PLUS_MAJOR_VER) {
 #ifdef WITH_SSL
 	if (ctx->tls) {
+	    int ssl_version = SSL_version(ctx->tls);
+	    if (!(ctx->host->bug_compatibility & CLIENT_BUG_BAD_TLS_VERSION) && (!tls_ver_ok(ctx->tls_versions, ssl_version & 0xff))) {
+		ctx->reset_tcp = BISTATE_YES;
+		reject_conn(ctx, NULL, (char *) SSL_get_version(ctx->tls), __LINE__);
+		return;
+	    }
 	    if (ctx->radius_1_1 == BISTATE_YES) {
-		int ssl_version = SSL_version(ctx->tls);
 		switch (ssl_version) {
 		case TLS1_3_VERSION:
 		case DTLS1_2_VERSION:	// FIXME, is that fine for radius/1.1?
@@ -575,7 +580,7 @@ void tac_read(struct context *ctx, int cur)
 		    break;
 		default:
 		    ctx->reset_tcp = BISTATE_YES;
-		    cleanup(ctx, cur);
+		    reject_conn(ctx, NULL, (char *) SSL_get_version(ctx->tls), __LINE__);
 		    return;
 		}
 	    }
@@ -606,12 +611,12 @@ void tac_read(struct context *ctx, int cur)
 #ifdef WITH_SSL
 	if (ctx->tls && ctx->use_tls) {
 #define S "radsec"
-	    static struct tac_key key = { .len = sizeof(S) - 1, .key = S };
+	    static struct tac_key key = {.len = sizeof(S) - 1,.key = S };
 #undef S
 	    ctx->key = &key;
 	} else if (ctx->tls && ctx->use_dtls) {
 #define S "radius/dtls"
-	    static struct tac_key key = { .len = sizeof(S) - 1, .key = S };
+	    static struct tac_key key = {.len = sizeof(S) - 1,.key = S };
 #undef S
 	    ctx->key = &key;
 	} else
@@ -634,6 +639,12 @@ void tac_read(struct context *ctx, int cur)
 	CHECK_PROTOCOL(tacacs_tls, tacacs);
 	ctx->aaa_protocol = S_tacacs_tls;
 	int ssl_version = SSL_version(ctx->tls);
+	if (!(ctx->host->bug_compatibility & CLIENT_BUG_BAD_TLS_VERSION)
+	    && (!tls_ver_ok(ctx->tls_versions, ssl_version & 0xff) || ssl_version != TLS1_3_VERSION)) {
+	    ctx->reset_tcp = BISTATE_YES;
+	    reject_conn(ctx, NULL, (char *) SSL_get_version(ctx->tls), __LINE__);
+	    return;
+	}
 	switch (ssl_version) {
 	case TLS1_2_VERSION:
 	case TLS1_3_VERSION:
@@ -642,11 +653,6 @@ void tac_read(struct context *ctx, int cur)
 	    ssl_version = 0;
 	    break;
 	}
-	if (!(ctx->host->bug_compatibility & CLIENT_BUG_BAD_TLS_VERSION) && (!tls_ver_ok(ctx->tls_versions, ssl_version & 0xff) || ssl_version != TLS1_3_VERSION)) {
-	    ctx->reset_tcp = BISTATE_YES;
-	    cleanup(ctx, cur);
-	    return;
-	}
     } else
 #endif
     {
@@ -1149,12 +1155,13 @@ void tac_write(struct context *ctx, int cur)
 
 #define STR_TYPE(A) { A, sizeof(A) - 1}
 static str_t types[] = {
-    STR_TYPE(""),	// 0
-    STR_TYPE("authen"),	// 1, TAC_PLUS_AUTHEN
-    STR_TYPE("author"),	// 2, TAC_PLUS_AUTHOR
-    STR_TYPE("acct"),	// 3, TAC_PLUS_ACCT
-    STR_TYPE("status"),	// 4
+    STR_TYPE(""),		// 0
+    STR_TYPE("authen"),		// 1, TAC_PLUS_AUTHEN
+    STR_TYPE("author"),		// 2, TAC_PLUS_AUTHOR
+    STR_TYPE("acct"),		// 3, TAC_PLUS_ACCT
+    STR_TYPE("status"),		// 4
 };
+
 #undef STR_TYPE
 
 static tac_session *new_session(struct context *ctx, tac_pak_hdr *tac_hdr, rad_pak_hdr *radhdr)

Original file line number	Diff line number	Diff line change
`@@ -639,7 +639,7 @@ static void read_px(struct context_px *ctx, int cur)`
`639`	`639`	`free(ctx);`
`640`	`640`	`}`
`641`	`641`
`642`		`-static void reject_conn(struct context ctx, const char hint, char *tls, int line)`
	`642`	`+void reject_conn(struct context ctx, const char hint, char *tls, int line)`
`643`	`643`	`{`
`644`	`644`	`if (!hint)`
`645`	`645`	`hint = "";`
`@@ -1463,7 +1463,7 @@ static void accept_control_common(int s, struct scm_data_accept_ext *sd_ext, soc`
`1463`	`1463`
`1464`	`1464`	`static int query_mavis_host(struct context ctx, void (f)(struct context *))`
`1465`	`1465`	`{`
`1466`		`- if(!ctx->host \|\| ctx->host->try_mavis != TRISTATE_YES)`
	`1466`	`+ if (!ctx->host \|\| ctx->host->try_mavis != TRISTATE_YES)`
`1467`	`1467`	`return 0;`
`1468`	`1468`	`if (!ctx->mavis_tried) {`
`1469`	`1469`	`ctx->mavis_tried = 1;`