delay session tickets until after the user was authenticated
authorAlan T. DeKok <aland@freeradius.org>
Wed, 3 Mar 2021 12:59:55 +0000 (07:59 -0500)
committerAlan T. DeKok <aland@freeradius.org>
Wed, 3 Mar 2021 12:59:55 +0000 (07:59 -0500)
for PEAP, TTLS, FAST, etc.

src/include/tls-h
src/main/tls.c
src/main/tls_listen.c
src/modules/rlm_eap/libeap/eap_tls.c
src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c

index ee22c0683e6f5531a8cedf9244ca83a42984a768..f994f58d5a4c56232db07579247e9b15ae6e413f 100644 (file)
@@ -141,6 +141,7 @@ typedef struct _tls_session_t {
        bool            is_init_finished;               //!< whether or not init is finished
        bool            client_cert_ok;                 //!< whether or not we validated the client certificate
        bool            authentication_success;         //!< whether or not the user was authenticated (cert or PW)
+       bool            quick_session_tickets;          //!< for EAP-TLS.
 
        /*
         *      Framed-MTU attribute in RADIUS, if present, can also be used to set this
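Review bot: The Doxygen comment on the new field, `//!< for EAP-TLS.`, names one caller but says nothing about what the flag controls, and the same commit also sets it in tls_listen.c for RadSec, so the comment is already incomplete. Suggest `//!< issue a session ticket as soon as the client cert is verified (cbtls_verify); left false for tunneled methods, which wait until eaptls_operation() sees authentication_success`. Since every sibling hunk only ever assigns `true`, it may also be worth stating in the comment that the field is expected to default to false from session allocation.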
index b8514450a11eba89523d8b8f6f52f892b119bd74..aa2aeb98596c7e250b6bea0efd6720eedb3022f1 100644 (file)
@@ -3078,7 +3078,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
                 */
                ssn->client_cert_ok = (my_ok == 1);
 
-               if (conf->session_cache_enable) {
+               if (ssn->quick_session_tickets && conf->session_cache_enable) {
                        SSL_set_num_tickets(ssn->ssl, 1);
                }
        } /* depth == 0 */
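Review bot: The deferral hinges on `ssn->quick_session_tickets` being false for PEAP/TTLS/FAST sessions, but no hunk in this commit ever assigns false, so the safe behaviour depends on tls_session_t being zero-filled at allocation, which is outside this diff and worth confirming. A comment on the condition would make that dependency visible: `/* only EAP-TLS/RadSec set quick_session_tickets; tunneled methods issue the ticket from eaptls_operation() after inner auth */`. Separately, `SSL_set_num_tickets()` returns 0 on failure and the result is ignored here and in eap_tls.c; a debug-level log on failure would help diagnose a ticket that never arrives. cbtls_verify continues outside the hunk.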
index c65049e2d744555aabf6091239316a702cc61628..e1293d5394baaf499b117db9d39eeba368eb9187 100644 (file)
@@ -175,6 +175,7 @@ static int tls_socket_recv(rad_listen_t *listener)
                SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request);
                SSL_set_ex_data(sock->ssn->ssl, fr_tls_ex_index_certs, (void *) &sock->certs);
                SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_TALLOC, sock);
+               sock->ssn->quick_session_tickets = true; /* we don't have inner-tunnel authentication */
 
                doing_init = true;
        }
index ffeba95131f4c679e59b6e27e65b1122036eec51..f2729ddb6be3284b4c3fb7bf6dab3e99952b7e79 100644 (file)
@@ -765,19 +765,31 @@ static fr_tls_status_t eaptls_operation(fr_tls_status_t status, eap_handler_t *h
         *      notibly not for PEAP even on resumption.
         */
        if ((tls_session->info.version == TLS1_3_VERSION) &&
-           (handler->type == PW_EAP_TLS) &&
-           (tls_session->client_cert_ok || SSL_session_reused(tls_session->ssl))) {
+           (tls_session->client_cert_ok || tls_session->authentication_success || SSL_session_reused(tls_session->ssl))) {
                fr_tls_server_conf_t *conf;
 
                conf = (fr_tls_server_conf_t *)SSL_get_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_CONF);
                rad_assert(conf != NULL);
 
-               if (conf->tls13_send_zero) {
-                       RDEBUG("TLS send Commitment Message");
-                       tls_session->record_plus(&tls_session->clean_in, "\0", 1);
-               } else {
-                       RDEBUG("TLS sending close_notify");
-                       SSL_shutdown(tls_session->ssl);
+               if ((handler->type == PW_EAP_TLS) || SSL_session_reused(tls_session->ssl)) {
+                       tls_session->authentication_success = true;
+
+                       if (conf->tls13_send_zero) {
+                               RDEBUG("TLS send Commitment Message");
+                               tls_session->record_plus(&tls_session->clean_in, "\0", 1);
+                       } else {
+                               RDEBUG("TLS sending close_notify");
+                               SSL_shutdown(tls_session->ssl);
+                       }
+               }
+
+               /*
+                *      Allow sending of session tickets, but ONLY
+                *      after we've verified the client certificate,
+                *      or users password.
+                */
+               else if (conf->session_cache_enable) {
+                       SSL_set_num_tickets(tls_session->ssl, 1);
                }
 
                tls_handshake_send(request, tls_session);
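Review bot: For a tunneled method (non-EAP-TLS, not resumed) the `else if (conf->session_cache_enable)` branch is reached whenever the outer condition holds, and that condition still contains `tls_session->client_cert_ok`; so a PEAP/TTLS peer that presented a valid client certificate receives a ticket before the inner authentication has run, which appears to be at odds with the commit title even though it matches the comment's "or users password" wording. If inner authentication is meant to be mandatory regardless of an outer client certificate, gate that branch on the inner result: `else if (conf->session_cache_enable && tls_session->authentication_success)`. Also, `SSL_session_reused(tls_session->ssl)` is now evaluated twice in the same block; hoisting it into `bool reused = SSL_session_reused(tls_session->ssl);` before the outer `if` would keep the two checks from drifting apart. The `/* Allow sending ... */` comment sits between `}` and `else if`, which is legal but easy to misread as a terminated `if`; moving it inside the `else if` body reads more naturally. eaptls_operation begins and ends outside this hunk.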
index 8a370c88e6ba841136d7819dcdcb158fa9cf5578..360a42a5d8711dfa56f3e42b32d22cee7fd7b503 100644 (file)
@@ -98,6 +98,7 @@ static int mod_session_init(void *type_arg, eap_handler_t *handler)
        }
 
        handler->opaque = ((void *)ssn);
+       ssn->quick_session_tickets = true; /* send as soon as we've seen the client cert */
 
        /*
         *      TLS session initialization is over.  Now handle TLS