Better debugging messages for TLS session cache && resumption
alandekok committed Jun 16, 2015
1 parent dca5a0e commit d61964b
Showing 1 changed file with 45 additions and 33 deletions.
78 changes: 45 additions & 33 deletions src/main/tls.c
Expand Up @@ -1342,8 +1342,10 @@ static SSL_SESSION *cbtls_get_session(SSL *ssl, unsigned char *data, int inlen,

/* move the cached VPs into the session */
pairfilter(talloc_ctx, &vps, &pairlist->reply, 0, 0, TAG_ANY);

SSL_SESSION_set_ex_data(sess, fr_tls_ex_index_vps, vps);
RWDEBUG("Successfully restored session %s", buffer);
rdebug_pair_list(L_DBG_LVL_2, request, vps, "reply:");
}
error:
if (sess_data) talloc_free(sess_data);
Expand Down Expand Up @@ -2972,6 +2974,7 @@ int tls_success(tls_session_t *ssn, REQUEST *request)
*/
} else {
size_t size;
vp_cursor_t cursor;
char buffer[2 * MAX_SESSION_SIZE + 1];

size = ssn->ssl->session->session_id_length;
Expand All @@ -2983,44 +2986,53 @@ int tls_success(tls_session_t *ssn, REQUEST *request)
if (!vps) {
RWDEBUG("No information in cached session %s", buffer);
return -1;
} else {
vp_cursor_t cursor;

RDEBUG("Adding cached attributes for session %s:", buffer);
rdebug_pair_list(L_DBG_LVL_1, request, vps, NULL);
for (vp = fr_cursor_init(&cursor, &vps);
vp;
vp = fr_cursor_next(&cursor)) {
/*
* TLS-* attrs get added back to
* the request list.
*/
if ((vp->da->vendor == 0) &&
(vp->da->attr >= PW_TLS_CERT_SERIAL) &&
(vp->da->attr <= PW_TLS_CLIENT_CERT_SUBJECT_ALT_NAME_UPN)) {
pairadd(&request->packet->vps, paircopyvp(request->packet, vp));
} else {
pairadd(&request->reply->vps, paircopyvp(request->reply, vp));
}
}
}

if (conf->session_cache_path) {
/* "touch" the cached session/vp file */
char filename[256];

snprintf(filename, sizeof(filename), "%s%c%s.asn1",
conf->session_cache_path, FR_DIR_SEP, buffer);
utime(filename, NULL);
snprintf(filename, sizeof(filename), "%s%c%s.vps",
conf->session_cache_path, FR_DIR_SEP, buffer);
utime(filename, NULL);
}
RDEBUG("Adding cached attributes from session %s", buffer);

/*
* The cbtls_get_session() function doesn't have
* access to sock->certs or handler->certs, which
* is where the certificates normally live. So
* the certs are all in the VPS list here, and
* have to be manually extracted.
*/
RINDENT();
for (vp = fr_cursor_init(&cursor, &vps);
vp;
vp = fr_cursor_next(&cursor)) {
/*
* Mark the request as resumed.
* TLS-* attrs get added back to
* the request list.
*/
pairmake_packet("EAP-Session-Resumed", "1", T_OP_SET);
if ((vp->da->vendor == 0) &&
(vp->da->attr >= PW_TLS_CERT_SERIAL) &&
(vp->da->attr <= PW_TLS_CLIENT_CERT_SUBJECT_ALT_NAME_UPN)) {
rdebug_pair(L_DBG_LVL_2, request, vp, "request:");
pairadd(&request->packet->vps, paircopyvp(request->packet, vp));
} else {
rdebug_pair(L_DBG_LVL_2, request, vp, "reply:");
pairadd(&request->reply->vps, paircopyvp(request->reply, vp));
}
}
REXDENT();

if (conf->session_cache_path) {
/* "touch" the cached session/vp file */
char filename[256];

snprintf(filename, sizeof(filename), "%s%c%s.asn1",
conf->session_cache_path, FR_DIR_SEP, buffer);
utime(filename, NULL);
snprintf(filename, sizeof(filename), "%s%c%s.vps",
conf->session_cache_path, FR_DIR_SEP, buffer);
utime(filename, NULL);
}

/*
* Mark the request as resumed.
*/
pairmake_packet("EAP-Session-Resumed", "1", T_OP_SET);
}

return 0;
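Review bot: The two lines added to cbtls_get_session report a successful restore through RWDEBUG, which tags the message as a warning, and dump every cached pair under the "reply:" label, even though tls_success later splits that same list and copies the PW_TLS_CERT_SERIAL..PW_TLS_CLIENT_CERT_SUBJECT_ALT_NAME_UPN range into request->packet->vps while labelling those pairs "request:". A success message belongs at plain debug level and the early dump should not prejudge the destination, e.g. `RDEBUG("Successfully restored session %s", buffer);` and `rdebug_pair_list(L_DBG_LVL_2, request, vps, NULL);` — or drop the list dump entirely since the per-pair rdebug_pair() calls in tls_success already show where each attribute ends up. Separately, the unchanged "touch" block still ignores snprintf() truncation into filename[256] and the utime() return value; that is not introduced here, but a truncated path would silently touch the wrong file, so a length check would be cheap to add while this area is being edited. The body of cbtls_get_session starts before the first hunk, and tls_success continues past `return 0;` outside this section.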
