Index: /branches/rel_ag_9_4_5/FreeBSD/src/sys/click/app/fastlog/fastlog_var.h =================================================================== --- /branches/rel_ag_9_4_5/FreeBSD/src/sys/click/app/fastlog/fastlog_var.h (revision 20359) +++ /branches/rel_ag_9_4_5/FreeBSD/src/sys/click/app/fastlog/fastlog_var.h (working copy) @@ -143,6 +143,9 @@ #define LOG_MOD_DD "DesktopDirect" #define LOG_MOD_VPN_TL "L3VPN Traffic Log" +/* Client Security */ +#define LOG_MOD_CLIENTSEC "Client Security Log" + /* * This enumration must be kept in sync with the log define tables @@ -1540,6 +1543,9 @@ VPN_TRAFFIC_LOG_ICMP_SESS_SETUP, VPN_TRAFFIC_LOG_ICMP_SESS_TIMEOUT, VPN_TRAFFIC_LOG_ICMP_SESS_LOGOUT, + +/* Begin Client Security log message */ + CLIENTSEC_CHECK_FAIL, FASTLOG_END }; Index: /branches/rel_ag_9_4_5/FreeBSD/src/sys/click/app/fastlog/logex_def.h =================================================================== --- /branches/rel_ag_9_4_5/FreeBSD/src/sys/click/app/fastlog/logex_def.h (revision 20359) +++ /branches/rel_ag_9_4_5/FreeBSD/src/sys/click/app/fastlog/logex_def.h (working copy) @@ -3591,6 +3591,10 @@ /**************************End of Volume License log message*****************/ + /**************************Begin of Client Security Check log message*****************/ + { CLIENTSEC_CHECK_FAIL, 200065000, LOG_INFO, LOG_MOD_CLIENTSEC, 2, "Client Security Check: %s %s", NULL, NULL}, + /**************************End of Client Security Check log message*****************/ + { FASTLOG_END,200021999, LOG_DEBUG, LOG_MOD_FASTLOG, 0 , "Last log string entry", NULL, NULL } }; Index: /branches/rel_ag_9_4_5/uproxy/http_proxy/smanager/sec_misc.c =================================================================== --- /branches/rel_ag_9_4_5/uproxy/http_proxy/smanager/sec_misc.c (revision 20359) +++ /branches/rel_ag_9_4_5/uproxy/http_proxy/smanager/sec_misc.c (working copy) @@ -10614,6 +10614,29 @@ } } +static const char +*extract_error_value(char *cookie) { + static char result[256]; + const char *start = strstr(cookie, "error="); + + if (start) { + start += strlen("error="); + const char *end = strchr(start, '\"'); + if (end) { + size_t length = end - start; + if (length < sizeof(result)) { + strncpy(result, start, length); + result[length] = '\0'; + return result; + } else { + return NULL; + } + } + } + + return NULL; +} + static int32_t get_client_privileges_from_cookie(smanager_data_t *sec_data, uint32_t *privileges, char **msg, char **ploc) @@ -10629,6 +10652,7 @@ int32_t rc, cookie_rc; sec_vsite_t *vsite = sec_data->vsite_p; *ploc=NULL; + char *redirect_error=NULL; if (SEC_ISSET(vsite->common_flags, SEC_CLIENT_SEC)) { default_privileges = get_client_security_default_privilege(vsite); @@ -10640,6 +10664,14 @@ if (cookie) { unencode_twingo(encoded_cookie, cookie); cookie_rc = clientsec_cookie_format(cookie); + /* create redirect error message in buffer logging */ + redirect_error = extract_error_value(cookie); + if (redirect_error) { + fastlog_logex(CLIENTSEC_CHECK_FAIL, 2, "the local system did not pass the client security check:", redirect_error); + } + else { + fastlog_logex(CLIENTSEC_CHECK_FAIL, 2, "warning:", "the machine you are using to browse this site is not secure"); + } /*check if it need redirect*/ if(sec_redirect_client_security(sec_data, cookie, strlen(cookie)) == 0){ if (cookie) {