From 1509ddf6b4910a96a39f4df608362113ace4bad4 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Mon, 25 Aug 2008 10:34:28 +0200
Subject: [PATCH] Finish Session Resumption patch - cache User-Name
It just caches User-Name right now, and doesn't do much else. But it's slightly better than it was before.
---
 src/modules/rlm_eap/libeap/cb.c | 7 ++++
 src/modules/rlm_eap/libeap/eap_tls.c | 42 ++++++++++++++++++++++
 src/modules/rlm_eap/libeap/eap_tls.h | 6 +++-
 src/modules/rlm_eap/radeapclient.c | 5 +++
 src/modules/rlm_eap/types/rlm_eap_peap/peap.c | 3 +-
 .../rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c | 17 +++++----
 .../rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c | 38 ++++++++++++++++++--
 .../rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c | 5 ++-
 src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c | 3 +-
 9 files changed, 107 insertions(+), 19 deletions(-)
diff --git a/src/modules/rlm_eap/libeap/cb.c b/src/modules/rlm_eap/libeap/cb.c
index ad2b237..cdac49f 100644
--- a/src/modules/rlm_eap/libeap/cb.c
+++ b/src/modules/rlm_eap/libeap/cb.c
@@ -113,4 +113,11 @@ int cbtls_password(char *buf,
 return(strlen((char *)userdata));
 }
+/*
+ * For callbacks
+ */
+int eaptls_handle_idx = -1;
+int eaptls_conf_idx = -1;
+int eaptls_session_idx = -1;
+
 #endif /* !defined(NO_OPENSSL) */
diff --git a/src/modules/rlm_eap/libeap/eap_tls.c b/src/modules/rlm_eap/libeap/eap_tls.c
index ec9a3d0..ef0e4c3 100644
--- a/src/modules/rlm_eap/libeap/eap_tls.c
+++ b/src/modules/rlm_eap/libeap/eap_tls.c
@@ -105,6 +105,8 @@ int eaptls_start(EAP_DS *eap_ds, int peap_flag)
 int eaptls_success(EAP_HANDLER *handler, int peap_flag)
 {
 EAPTLS_PACKET reply;
+ VALUE_PAIR *vp, *vps = NULL;
+ REQUEST *request = handler->request;
 tls_session_t *tls_session = handler->opaque;
 reply.code = EAPTLS_SUCCESS;
@@ -113,6 +115,45 @@ int eaptls_success(EAP_HANDLER *handler, int peap_flag)
 reply.data = NULL;
 reply.dlen = 0;
+ /*
+ * Store the reply, if configured.
+ */
+ if (!SSL_session_reused(tls_session->ssl)) {
+ RDEBUG2("Saving response in the cache");
+
+ vp = paircopy2(request->reply->vps, PW_USER_NAME);
+ pairadd(&vps, vp);
+
+ vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME);
+ pairadd(&vps, vp);
+
+ if (vps) {
+ SSL_SESSION_set_ex_data(tls_session->ssl->session,
+ eaptls_session_idx, vps);
+ }
+
+ /*
+ * Copy the previous reply.
+ */
+ } else {
+ vp = SSL_SESSION_get_ex_data(tls_session->ssl->session,
+ eaptls_session_idx);
+ if (!vp) {
+ RDEBUG("WARNING: No information in cached session!");
+ /*
+ * FIXME: Call eaptls_fail, and return 0
+ */
+ return 1;
+ }
+
+ RDEBUG("Adding cached attributes to the reply:");
+ debug_pair_list(vp);
+ pairadd(&request->reply->vps, paircopy(vp));
+ }
+
+ /*
+ * Call compose AFTER checking for cached data.
+ */
 eaptls_compose(handler->eap_ds, &reply);
 /*
@@ -979,3 +1020,4 @@ int eaptls_compose(EAP_DS *eap_ds, EAPTLS_PACKET *reply)
 return 1;
 }
+
diff --git a/src/modules/rlm_eap/libeap/eap_tls.h b/src/modules/rlm_eap/libeap/eap_tls.h
index da68f83..cc56a78 100644
--- a/src/modules/rlm_eap/libeap/eap_tls.h
+++ b/src/modules/rlm_eap/libeap/eap_tls.h
@@ -231,7 +231,6 @@ void eapttls_gen_challenge(SSL *s, uint8_t *buffer, size_t size);
 #define SET_MORE_FRAGMENTS(x) ((x) | (0x40))
 #define SET_LENGTH_INCLUDED(x) ((x) | (0x80))
-
 /*
 * Following enums from rfc2246
 *
@@ -368,4 +367,9 @@ void session_free(void *ssn);
 void session_close(tls_session_t *ssn);
 void session_init(tls_session_t *ssn);
+/* SSL Indicies for ex data */
+extern int eaptls_handle_idx;
+extern int eaptls_conf_idx;
+extern int eaptls_session_idx;
+
 #endif /*_EAP_TLS_H*/
diff --git a/src/modules/rlm_eap/radeapclient.c b/src/modules/rlm_eap/radeapclient.c
index 0d652ba..83ec3dc 100644
--- a/src/modules/rlm_eap/radeapclient.c
+++ b/src/modules/rlm_eap/radeapclient.c
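Review bot: The return value of `SSL_SESSION_set_ex_data()` in the non-reused branch is ignored, so when the store fails the freshly built `vps` list is never attached to the session and nothing else in this function frees it. Guard it with `if (!SSL_SESSION_set_ex_data(tls_session->ssl->session, eaptls_session_idx, vps)) pairfree(&vps);`. Both branches also reach into `tls_session->ssl->session` directly; `SSL_get_session(tls_session->ssl)` is the public accessor and its NULL return can be checked once before the ex-data calls instead of relying on the struct layout. As the FIXME acknowledges, a resumed session with no cached entry still returns success, so until that path calls the failure handler such a session yields an Access-Accept that carries none of the cached identity attributes. eaptls_success continues past the end of the hunk.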
@@ -68,6 +68,11 @@ static void unmap_eap_types(RADIUS_PACKET *rep);
 static int map_eapsim_types(RADIUS_PACKET *r);
 static int unmap_eapsim_types(RADIUS_PACKET *r);
+void debug_pair_list(UNUSED VALUE_PAIR *vp)
+{
+ return;
+}
+
 static void NEVER_RETURNS usage(void)
 {
 fprintf(stderr, "Usage: radeapclient [options] server[:port] []\n");
diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
index ee25c9b..9adf6d3 100644
--- a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
+++ b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
@@ -532,8 +532,7 @@ static int eappeap_postproxy(EAP_HANDLER *handler, void *data)
 /*
 * Success: Automatically return MPPE keys.
 */
- eaptls_success(handler, 0);
- return 1;
+ return eaptls_success(handler, 0);
 default:
 RDEBUG2("Reply was unknown.");
diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c
index 965ad9e..4f2c42c 100644
--- a/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c
+++ b/src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c
@@ -303,21 +303,20 @@ static int eappeap_authenticate(void *arg, EAP_HANDLER *handler)
 case RLM_MODULE_OK:
 /*
- * Success: Automatically return MPPE keys.
- */
- eaptls_success(handler, 0);
-
- /*
 * Move the saved VP's from the Access-Accept to
 * our Access-Accept.
 */
 peap = tls_session->opaque;
 if (peap->accept_vps) {
- DEBUG2(" Using saved attributes from the original Access-Accept");
+ RDEBUG2("Using saved attributes from the original Access-Accept");
+ pairmove(&handler->request->reply->vps, &peap->accept_vps);
+ pairfree(&peap->accept_vps);
 }
- pairmove(&handler->request->reply->vps, &peap->accept_vps);
- pairfree(&peap->accept_vps);
- return 1;
+
+ /*
+ * Success: Automatically return MPPE keys.
+ */
+ return eaptls_success(handler, 0);
 /*
 * No response packet, MUST be proxying it.
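Review bot: `debug_pair_list` is added to radeapclient.c with an empty body and no comment explaining why a client program defines it; since libeap's eaptls_success now calls it, this reads as a link-time stub, and a later reader will otherwise take it for an unfinished feature. Suggest a comment above the definition such as `/* Stub: libeap now references debug_pair_list(); the client has no request context, so there is nothing to print. */`. The function is also non-static, so unless a prototype is in scope from an included header it will trip `-Wmissing-prototypes`; if the server-side declaration lives in a header this file already includes, that is the one to rely on.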
diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
index 7bf69fd..212402a 100644
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
@@ -357,6 +357,19 @@ static int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 /*
+ * Free cached session data, which is always a list of VALUE_PAIRs
+ */
+void eaptls_session_free(void *parent, void *data_ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp)
+{
+ VALUE_PAIR *vp = data_ptr;
+ if (!data_ptr) return;
+
+ pairfree(&vp);
+}
+
+
+/*
 * Create Global context SSL and use it in every new session
 *
 * - Load the trusted CAs
@@ -584,6 +597,28 @@ static SSL_CTX *init_tls_ctx(EAP_TLS_CONF *conf)
 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
 }
+ /*
+ * Register the application indices. We can't use
+ * hard-coded "0" and "1" as before, because we need to
+ * set up a "free" handler for the cached session
+ * information.
+ */
+ if (eaptls_handle_idx < 0) {
+ eaptls_handle_idx = SSL_get_ex_new_index(0, "eaptls_handle_idx",
+ NULL, NULL, NULL);
+ }
+
+ if (eaptls_conf_idx < 0) {
+ eaptls_conf_idx = SSL_get_ex_new_index(0, "eaptls_conf_idx",
+ NULL, NULL, NULL);
+ }
+
+ if (eaptls_session_idx < 0) {
+ eaptls_session_idx = SSL_get_ex_new_index(0, "eaptls_session_idx",
+ NULL, NULL,
+ eaptls_session_free);
+ }
+
 return ctx;
 }
@@ -1021,8 +1056,7 @@ static int eaptls_authenticate(void *arg, EAP_HANDLER *handler)
 /*
 * Success: Automatically return MPPE keys.
 */
- eaptls_success(handler, 0);
- return 1;
+ return eaptls_success(handler, 0);
 }
 /*
diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c
index e359d4f..91a4234 100644
--- a/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c
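Review bot: `eaptls_session_free` takes the six-parameter CRYPTO_EX_free signature but uses only `data_ptr`, and the header comment does not say which index it is the free hook for or that the signature is dictated by OpenSSL; suggest `/* CRYPTO_EX_free hook for eaptls_session_idx: frees the VALUE_PAIR list cached on an SSL_SESSION. Signature fixed by OpenSSL; only data_ptr is used. */`. If the `UNUSED` annotation seen on `debug_pair_list` in radeapclient.c is in scope here, marking the five unused parameters with it keeps `-Wunused-parameter` quiet without changing the callback's type. The `if (!data_ptr) return;` guard is only needed if pairfree does not tolerate an empty list; worth confirming against libradius rather than keeping both.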
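Review bot: `eaptls_session_idx` is allocated with `SSL_get_ex_new_index()` but it is consumed by `SSL_SESSION_set_ex_data()`/`SSL_SESSION_get_ex_data()` in eaptls_success; OpenSSL keeps separate ex-data index spaces for SSL and SSL_SESSION objects, so an index from the SSL space is not valid for a session, `eaptls_session_free` will be run on SSL free rather than on session free, and the slot number may alias another SSL_SESSION ex-data user, which can leak or misinterpret the cached VALUE_PAIR list. The registration should be `eaptls_session_idx = SSL_SESSION_get_ex_new_index(0, "eaptls_session_idx", NULL, NULL, eaptls_session_free);`. All three calls also ignore the -1 failure return; because the `< 0` guard merely retries on the next call, a failed registration should fail `init_tls_ctx` (free ctx, return NULL) so callers never hand -1 to `SSL_set_ex_data`. init_tls_ctx begins before this hunk.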
@@ -204,7 +204,7 @@ static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
 /*
 * Success: Automatically return MPPE keys.
 */
- eaptls_success(handler, 0);
+ return eaptls_success(handler, 0);
 } else {
 eaptls_request(handler->eap_ds, tls_session);
 }
@@ -267,8 +267,7 @@ static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
 * Success: Automatically return MPPE keys.
 */
 case PW_AUTHENTICATION_ACK:
- eaptls_success(handler, 0);
- return 1;
+ return eaptls_success(handler, 0);
 /*
 * No response packet, MUST be proxying it.
diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
index f74f9b2..16459fa 100644
--- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
@@ -903,8 +903,7 @@ static int eapttls_postproxy(EAP_HANDLER *handler, void *data)
 /*
 * Success: Automatically return MPPE keys.
 */
- eaptls_success(handler, 0);
- return 1;
+ return eaptls_success(handler, 0);
 default:
 RDEBUG("Reply was unknown.");
--
2.1.4