From: Alan T. DeKok
Date: Fri, 3 Feb 2017 22:29:18 +0000 (-0500)
Subject: track TLS cache filename
X-Git-Tag: release_3_0_13~43
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=freeradius.git;a=commitdiff_plain;h=6b909d0cdb23070dea98483cde945ddb64c18ac4

track TLS cache filename

And ensure it's deleted on failure.
---
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index 03a73fd..390bd57 100644
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -545,6 +545,8 @@ VALUE TLS-OCSP-Cert-Valid skipped 2
 VALUE TLS-OCSP-Cert-Valid yes 1
 VALUE TLS-OCSP-Cert-Valid no 0
 
+ATTRIBUTE TLS-Cache-Filename 1946 string
+
 #
 # Range: 1940-2099
 # Free
diff --git a/src/main/tls.c b/src/main/tls.c
index 5984c22..3a579f9 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1364,7 +1364,6 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
 		return 0;
 	}
 
-	/* Do not convert to TALLOC - Thread safety */
 	/* alloc and convert to ASN.1 */
 	sess_blob = malloc(blob_len);
@@ -1390,6 +1389,21 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess)
 		goto error;
 	}
 
+	/*
+	 *	Set the filename to be temporarily write-only.
+	 */
+	if (request) {
+		VALUE_PAIR *vp;
+
+		vp = fr_pair_afrom_num(request->state_ctx, PW_TLS_CACHE_FILENAME, 0);
+		if (vp) {
+			fr_pair_value_strcpy(vp, filename);
+			fr_pair_add(&request->state, vp);
+		}
+
+		(void) fchmod(fd, S_IWUSR);
+	}
+
 	todo = blob_len;
 	p = sess_blob;
 	while (todo > 0) {
diff --git a/src/modules/rlm_eap/rlm_eap.c b/src/modules/rlm_eap/rlm_eap.c
index 8c5f3c1..38b6829 100644
--- a/src/modules/rlm_eap/rlm_eap.c
+++ b/src/modules/rlm_eap/rlm_eap.c
@@ -30,6 +30,8 @@ RCSID("$Id$")
 
 #include "rlm_eap.h"
 
+#include
+
 static const CONF_PARSER module_config[] = {
 	{ "default_eap_type", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_t, default_method_name), "md5" },
 	{ "timer_expire", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_eap_t, timer_limit), "60" },
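Review bot: In the tls.c hunk at -1390, when `fr_pair_afrom_num()` returns NULL the new block still runs `fchmod(fd, S_IWUSR)`, leaving a 0200 cache file that nothing will ever re-enable or delete, because rlm_eap finds the file only through the TLS-Cache-Filename state attribute. The fchmod result is also discarded, so a failed chmod leaves the entry readable, and therefore resumable, before EAP has finished, which is the opposite of what the gating is meant to guarantee. I would make the chmod conditional on the attribute having been recorded and treat its failure like the other write failures in this function: `if (!vp) goto error;` after the allocation and `if (fchmod(fd, S_IWUSR) < 0) goto error;`, assuming the `error` path (outside the hunk) removes the partially written file. The entry also stays 0200 if the request's state expires before an EAP-Success or EAP-Failure reaches rlm_eap (timeout, client abandons the handshake), so whatever sweeps expired cache files, if anything does, needs to reap unreadable ones too. cbtls_new_session starts and ends outside the hunk.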
@@ -412,6 +414,26 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *re
 	}
 
 	/*
+	 *	Enable the cached entry on success.
+	 */
+	if (handler->eap_ds->request->code == PW_EAP_SUCCESS) {
+		VALUE_PAIR *vp;
+
+		vp = fr_pair_find_by_num(request->state, PW_TLS_CACHE_FILENAME, 0, TAG_ANY);
+		if (vp) (void) chmod(vp->vp_strvalue, S_IRUSR | S_IWUSR);
+	}
+
+	/*
+	 *	Disable the cached entry on failure.
+	 */
+	if (handler->eap_ds->request->code == PW_EAP_FAILURE) {
+		VALUE_PAIR *vp;
+
+		vp = fr_pair_find_by_num(request->state, PW_TLS_CACHE_FILENAME, 0, TAG_ANY);
+		if (vp) (void) unlink(vp->vp_strvalue);
+	}
+
+	/*
 	 * If it's an Access-Accept, RFC 2869, Section 2.3.1
 	 * says that we MUST include a User-Name attribute in the
 	 * Access-Accept.
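Review bot: The cache entry is made readable at EAP-Success inside mod_authenticate, before any post-auth processing has run, so if a later policy turns the request into a reject the TLS session presumably remains resumable on disk; enabling it only once the reply is known to be an Access-Accept, or unlinking it on any non-accept outcome, would close that gap, though where that hook belongs depends on code outside this hunk. Both `chmod()` and `unlink()` results are discarded, so a permissions or path problem silently leaves a write-only or stale file behind with nothing in the debug log to explain the failed resumption. The two lookups of the same attribute also duplicate each other; a single find followed by a switch on `handler->eap_ds->request->code`, reporting failures at debug level, is shorter and surfaces the error. mod_authenticate starts and ends outside the hunk.
```c
	{
		VALUE_PAIR *vp;

		vp = fr_pair_find_by_num(request->state, PW_TLS_CACHE_FILENAME, 0, TAG_ANY);
		if (vp) switch (handler->eap_ds->request->code) {
		case PW_EAP_SUCCESS:
			if (chmod(vp->vp_strvalue, S_IRUSR | S_IWUSR) < 0) {
				RWDEBUG("Failed enabling TLS cache entry \"%s\": %s", vp->vp_strvalue, fr_syserror(errno));
			}
			break;

		case PW_EAP_FAILURE:
			if (unlink(vp->vp_strvalue) < 0) {
				RWDEBUG("Failed removing TLS cache entry \"%s\": %s", vp->vp_strvalue, fr_syserror(errno));
			}
			break;

		default:
			break;
		}
	}
```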