From 7477adf9f80e25fac260e61cdaf6d9b9b1ceb9d1 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Mon, 25 Aug 2008 11:17:10 +0200
Subject: [PATCH] Enforce session cache enable.

If the cache is disabled, then delete the current entry from the list of cached sessions. Also check for new Allow-Session-Resumption attribute. If set to zero, then disallow it for this session, too
---
 share/dictionary.freeradius.internal | 6 ++++
 src/modules/rlm_eap/libeap/eap_tls.c | 34 ++++++++++++++++++++--
 src/modules/rlm_eap/libeap/eap_tls.h | 1 +
 .../rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c | 4 +++
 4 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index 6f39479..86d9e09 100644
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -182,6 +182,12 @@ ATTRIBUTE FreeRADIUS-Client-Shortname 1124 string
 ATTRIBUTE FreeRADIUS-Client-NAS-Type 1125 string
 ATTRIBUTE FreeRADIUS-Client-Virtual-Server 1126 string
+# For session resumption
+ATTRIBUTE Allow-Session-Resumption 1127 integer
+
+VALUE Allow-Session-Resumption no 0
+VALUE Allow-Session-Resumption yes 1
+
 #
 # Range: 1200-1279
 # EAP-SIM (and other EAP type) weirdness.
diff --git a/src/modules/rlm_eap/libeap/eap_tls.c b/src/modules/rlm_eap/libeap/eap_tls.c
index ef0e4c3..a1d0146 100644
--- a/src/modules/rlm_eap/libeap/eap_tls.c
+++ b/src/modules/rlm_eap/libeap/eap_tls.c
@@ -116,9 +116,35 @@ int eaptls_success(EAP_HANDLER *handler, int peap_flag)
 reply.dlen = 0;
 /*
- * Store the reply, if configured.
+ * If there's no session resumption, delete the entry
+ * from the cache. This means either it's disabled
+ * globally for this SSL context, OR we were told to
+ * disable it for this user.
+ *
+ * This also means you can't turn it on just for one
+ * user.
 */
- if (!SSL_session_reused(tls_session->ssl)) {
+ if ((!tls_session->allow_session_resumption) ||
+ (((vp = pairfind(request->config_items, 1127)) != NULL) &&
+ (vp->vp_integer == 0))) {
+ SSL_CTX_remove_session(tls_session->ctx,
+ tls_session->ssl->session);
+ tls_session->allow_session_resumption = 0;
+
+ /*
+ * If we're in a resumed session and it's
+ * not allowed,
+ */
+ if (SSL_session_reused(tls_session->ssl)) {
+ RDEBUG("FAIL: Forcibly stopping session resumption as it is not allowed.");
+ return eaptls_fail(handler, peap_flag);
+ }
+
+ /*
+ * Else resumption IS allowed, so we store the
+ * user data in the cache.
+ */
+ } else if (!SSL_session_reused(tls_session->ssl)) {
 RDEBUG2("Saving response in the cache");
 vp = paircopy2(request->reply->vps, PW_USER_NAME);
@@ -133,9 +159,11 @@ int eaptls_success(EAP_HANDLER *handler, int peap_flag)
 }
 /*
- * Copy the previous reply.
+ * Else the session WAS allowed. Copy the cached
+ * reply.
 */
 } else {
+
 vp = SSL_SESSION_get_ex_data(tls_session->ssl->session, eaptls_session_idx);
 if (!vp) {
diff --git a/src/modules/rlm_eap/libeap/eap_tls.h b/src/modules/rlm_eap/libeap/eap_tls.h
index cc56a78..caeb5a6 100644
--- a/src/modules/rlm_eap/libeap/eap_tls.h
+++ b/src/modules/rlm_eap/libeap/eap_tls.h
@@ -176,6 +176,7 @@ typedef struct _tls_session_t {
 void (*free_opaque)(void *opaque);
 const char *prf_label;
+ int allow_session_resumption;
 } tls_session_t;
diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
index 212402a..996dbee 100644
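Review bot: The per-user check in the new `if` hard-codes the attribute number as `pairfind(request->config_items, 1127)`; the dictionary hunk in this same commit names it Allow-Session-Resumption, so a named constant alongside the other PW_* attribute numbers (e.g. `#define PW_ALLOW_SESSION_RESUMPTION 1127`, then `pairfind(request->config_items, PW_ALLOW_SESSION_RESUMPTION)`) keeps the number in one place and makes the condition read as the policy it implements. The condition also treats any non-zero value as permission, not only the dictionary's `yes`/1, so an operator who sets the attribute to an unexpected value silently keeps resumption enabled; if that is intended, the comment above the `if` should say so. On the disallowed path `SSL_CTX_remove_session` is handed `tls_session->ssl->session` directly and the resumed session is rejected only here, presumably after the peer has already completed the resumed handshake; a short comment noting that the rejection deliberately happens post-handshake would spare the next reader the question. eaptls_success begins before this hunk and continues past its last line.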
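Review bot: The new `allow_session_resumption` member of tls_session_t is added without a comment, and the neighbouring members visible in this hunk (`free_opaque`, `prf_label`) carry none either, so a reader has to locate both writers to learn its meaning. Suggest `int allow_session_resumption; /* non-zero: this session may be cached and resumed; set from session_cache_enable in eaptls_initiate(), cleared by eaptls_success() when resumption is refused */`. The definition of _tls_session_t begins before this hunk.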
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
@@ -929,6 +929,10 @@ static int eaptls_initiate(void *type_arg, EAP_HANDLER *handler)
 break;
 }
+ if (inst->conf->session_cache_enable) {
+ ssn->allow_session_resumption = 1; /* otherwise it's zero */
+ }
+
 /*
 * TLS session initialization is over. Now handle TLS
 * related handshaking or application data.
-- 
2.1.4
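Review bot: The new assignment sets `ssn->allow_session_resumption` only when `inst->conf->session_cache_enable` is true and relies on the trailing comment `/* otherwise it's zero */`, i.e. on the tls_session_t having been zero-filled by its allocator, which nothing in this hunk shows. An unconditional `ssn->allow_session_resumption = (inst->conf->session_cache_enable != 0);` drops the `if`, removes the dependence on how ssn was allocated, and normalises the flag to 0/1 whatever session_cache_enable holds. Should the field ever be left holding stale memory because the allocation path changes, eaptls_success() treats any non-zero value as permission to resume, so the explicit form is the safer default for a flag that gates session resumption. eaptls_initiate continues outside this hunk.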