track TLS cache filename
authorAlan T. DeKok <aland@freeradius.org>
Fri, 3 Feb 2017 22:29:18 +0000 (17:29 -0500)
committerAlan T. DeKok <aland@freeradius.org>
Fri, 3 Feb 2017 22:29:43 +0000 (17:29 -0500)
And ensure it's deleted on failure.

share/dictionary.freeradius.internal
src/main/tls.c
src/modules/rlm_eap/rlm_eap.c

index 03a73fd..390bd57 100644 (file)
@@ -545,6 +545,8 @@ VALUE       TLS-OCSP-Cert-Valid             skipped                 2
 VALUE  TLS-OCSP-Cert-Valid             yes                     1
 VALUE  TLS-OCSP-Cert-Valid             no                      0
 
+ATTRIBUTE      TLS-Cache-Filename                      1946    string
+
 #
 #      Range:  1940-2099
 #              Free
index 5984c22..3a579f9 100644 (file)
@@ -1364,7 +1364,6 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
                        return 0;
                }
 
-
                /* Do not convert to TALLOC - Thread safety */
                /* alloc and convert to ASN.1 */
                sess_blob = malloc(blob_len);
@@ -1390,6 +1389,21 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
                        goto error;
                }
 
+               /*
+                *      Set the filename to be temporarily write-only.
+                */
+               if (request) {
+                       VALUE_PAIR *vp;
+
+                       vp = fr_pair_afrom_num(request->state_ctx, PW_TLS_CACHE_FILENAME, 0);
+                       if (vp) {
+                               fr_pair_value_strcpy(vp, filename);
+                               fr_pair_add(&request->state, vp);
+                       }
+
+                       (void) fchmod(fd, S_IWUSR);
+               }
+
                todo = blob_len;
                p = sess_blob;
                while (todo > 0) {
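Review bot: The `(void) fchmod(fd, S_IWUSR)` at the end of the new `if (request)` block discards the result, so when the mode change fails the entry is written fully readable while the state list still records it as a gated file; the existing error path just above the block is the natural place to go, `if (fchmod(fd, S_IWUSR) < 0) goto error;`, with an RDEBUG of `fr_syserror(errno)` if that helper is in scope here. Two properties of this gate are worth a comment above the block: nothing is done when `request` is NULL, so an entry written without a request is usable immediately and is never tracked for deletion (whether that can happen depends on callers outside the hunk), and mode bits are not enforced against a process holding CAP_DAC_OVERRIDE, so if radiusd runs as root without dropping privileges the write-only trick does not block its own reads and the read side should not rely on open() failing alone. Adding the pair before the fchmod has succeeded also means a later success will chmod a file that was never protected, so the order should be fchmod first, then `fr_pair_add`. `fd` and `filename` are declared before the hunk; cbtls_new_session starts and ends outside it.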
index 8c5f3c1..38b6829 100644 (file)
@@ -30,6 +30,8 @@ RCSID("$Id$")
 
 #include "rlm_eap.h"
 
+#include <sys/stat.h>
+
 static const CONF_PARSER module_config[] = {
        { "default_eap_type", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_t, default_method_name), "md5" },
        { "timer_expire", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_eap_t, timer_limit), "60" },
@@ -412,6 +414,26 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re
        }
 
        /*
+        *      Enable the cached entry on success.
+        */
+       if (handler->eap_ds->request->code == PW_EAP_SUCCESS) {
+               VALUE_PAIR *vp;
+
+               vp = fr_pair_find_by_num(request->state, PW_TLS_CACHE_FILENAME, 0, TAG_ANY);
+               if (vp) (void) chmod(vp->vp_strvalue, S_IRUSR | S_IWUSR);
+       }
+
+       /*
+        *      Disable the cached entry on failure.
+        */
+       if (handler->eap_ds->request->code == PW_EAP_FAILURE) {
+               VALUE_PAIR *vp;
+
+               vp = fr_pair_find_by_num(request->state, PW_TLS_CACHE_FILENAME, 0, TAG_ANY);
+               if (vp) (void) unlink(vp->vp_strvalue);
+       }
+
+       /*
         *      If it's an Access-Accept, RFC 2869, Section 2.3.1
         *      says that we MUST include a User-Name attribute in the
         *      Access-Accept.
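Review bot: Both new blocks discard the result of the file operation (`(void) chmod(...)` and `(void) unlink(...)`), so a failed chmod on success leaves a cache entry that can never be resumed and a failed unlink on failure leaves a write-only orphan, with no log line in either case; a single lookup followed by a switch on `handler->eap_ds->request->code` that logs each failure (rewrite below, `fr_syserror` assumed to be in scope) keeps the two actions together and makes the failures visible. Only PW_EAP_FAILURE triggers the unlink, so a conversation that is simply abandoned never reaches either branch and its write-only entry stays in the cache directory until whatever expiry the cache already applies to stale files; a comment saying so would help the next reader. `unlink()` is declared in `<unistd.h>`, which the first hunk does not add next to `<sys/stat.h>`; it presumably arrives through rlm_eap.h, but an explicit include would make the dependency visible. mod_authenticate starts and ends outside the hunk.
```c
	/*
	 *	Enable the cached entry on success, delete it on failure.
	 *	An abandoned conversation reaches neither branch; its
	 *	write-only entry is left for the cache's normal expiry.
	 */
	{
		VALUE_PAIR *vp;

		vp = fr_pair_find_by_num(request->state, PW_TLS_CACHE_FILENAME, 0, TAG_ANY);
		if (vp) switch (handler->eap_ds->request->code) {
		case PW_EAP_SUCCESS:
			if (chmod(vp->vp_strvalue, S_IRUSR | S_IWUSR) < 0) {
				RDEBUG2("Failed enabling TLS cache file %s: %s", vp->vp_strvalue, fr_syserror(errno));
			}
			break;

		case PW_EAP_FAILURE:
			if (unlink(vp->vp_strvalue) < 0) {
				RDEBUG2("Failed deleting TLS cache file %s: %s", vp->vp_strvalue, fr_syserror(errno));
			}
			break;

		default:
			break;
		}
	}
	/* … unchanged: User-Name handling for Access-Accept … */
```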