From: Alan T. DeKok
Date: Thu, 3 Jun 2021 13:36:46 +0000 (-0400)
Subject: cache TLS state change messages in session-state list
X-Git-Tag: release_3_0_23~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3fdd65b50099b70b3c3dac80bb513ac902bf7d7e;p=thirdparty%2Ffreeradius-server.git
cache TLS state change messages in session-state list
so that they can be accessible to debug messages
---
diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index 3c53f3427bd..1926b7cd6e3 100644
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -1006,7 +1006,30 @@ post-auth {
 # didn't write the client, so we don't know where those logs
 # are, or how to get at them.
 #
+ # Information about the TLS state changes is in the
+ # &session-state:TLS-Session-Information attribute.
+ #
 Post-Auth-Type Client-Lost {
+ #
+ # Debug ALL of the TLS state changes done during the
+ # EAP negotiation.
+ #
+# %{debug_attr:&session-state:TLS-Session-Information[*]}
+
+ #
+ # Debug the LAST TLS state change done during the EAP
+ # negotiation. For errors, this is usually a TLS
+ # alert from the client saying something like
+ # "unknown CA".
+ #
+# %{debug_attr:&session-state:TLS-Session-Information[n]}
+
+ #
+ # Debug the last module failure message. This may be
+ # useful, or it may refer to a server-side failure
+ # which did not cause the client to stop talking to the server.
+ #
+# %{debug_attr:&session-state:Module-Failure-Message}
 }
 #
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index 5ce68aa3278..8e8a868c65d 100644
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -551,7 +551,7 @@ ATTRIBUTE TLS-Cert-Subject-Alt-Name-Email 1915 string
 ATTRIBUTE TLS-Cert-Subject-Alt-Name-Dns 1916 string
 ATTRIBUTE TLS-Cert-Subject-Alt-Name-Upn 1917 string
 ATTRIBUTE TLS-Cert-Valid-Since 1918 string
-# 1919: reserved for future cert attribute
+ATTRIBUTE TLS-Session-Information 1919 string
 ATTRIBUTE TLS-Client-Cert-Serial 1920 string
 ATTRIBUTE TLS-Client-Cert-Expiration 1921 string
 ATTRIBUTE TLS-Client-Cert-Issuer 1922 string
diff --git a/src/main/tls.c b/src/main/tls.c
index 785b97cb039..4fdede5d969 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1074,6 +1074,7 @@ void tls_session_information(tls_session_t *tls_session)
 char const *str_write_p, *str_version, *str_content_type = "";
 char const *str_details1 = "", *str_details2= "";
 REQUEST *request;
+ VALUE_PAIR *vp;
 char content_type[16], alert_buf[16];
 char buffer[32];
@@ -1406,6 +1407,17 @@ void tls_session_information(tls_session_t *tls_session)
 str_write_p, str_version, str_content_type, str_details1, str_details2);
+ /*
+ * Cache the TLS session information in the session-state
+ * list, so it can be accessed by Post-Auth-Type
+ * Client-Lost { ... }
+ */
+ vp = fr_pair_afrom_num(request->state_ctx, PW_TLS_SESSION_INFORMATION, 0);
+ if (vp) {
+ fr_pair_value_strcpy(vp, tls_session->info.info_description);
+ fr_pair_add(&request->state, vp);
+ }
+
 RDEBUG2("%s", tls_session->info.info_description);
 }
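Review bot: The new block in tls_session_information() appends one more TLS-Session-Information pair to `request->state` on every call and never caps the list, so if this function runs once per TLS state change as the surrounding RDEBUG2 suggests, a single EAP-TLS session accumulates a string pair per handshake message, alert and read/write transition, all allocated from `request->state_ctx` and carried in session-state across every round trip until the session finishes or is reaped; the growth is bounded only by what the peer sends, and the copies are made unconditionally even when nothing will read them. A bounded history would be safer for the stated debugging use (`[*]`/`[n]` in the default site), e.g. keep the caching under a configuration flag, or before `fr_pair_add()` count the existing TLS-Session-Information pairs in `request->state` and drop the oldest once a fixed limit is reached. The silent skip when `fr_pair_afrom_num()` returns NULL is acceptable for a best-effort debugging aid, but a one-line `RWDEBUG("Failed allocating TLS-Session-Information")` would make a talloc failure visible instead of losing the record quietly. The block also dereferences `request` without a check; I assume the part of tls_session_information() before this hunk already returns when `SSL_get_ex_data()` yields no request, but that code and the `snprintf` format that fills `info_description` both start outside the hunk, so please confirm the pointer is guaranteed non-NULL here and that the cached string does not carry a trailing newline into later log lines or attribute comparisons.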