Allow TLS 1.3 for RadSec
authorAlan T. DeKok <aland@freeradius.org>
Fri, 2 Apr 2021 11:36:05 +0000 (07:36 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Fri, 2 Apr 2021 11:36:21 +0000 (07:36 -0400)
raddb/sites-available/tls
src/include/tls-h
src/main/listen.c
src/main/tls.c
src/modules/rlm_eap/libeap/eap_tls.c

index 5736791d13617c53adb58b939a89bc3341cde33b..0bda75f42c0667ee8989c08870b1895a321918cb 100644 (file)
@@ -258,6 +258,13 @@ listen {
                # for TLS
                cipher_server_preference = no
 
+               #
+               #  Older TLS versions are deprecated.  But for RadSec,
+               #  we CAN allow TLS 1.3.
+               #
+               tls_min_version = "1.2"
+               tls_max_version = "1.3"
+
                #
                #  Session resumption / fast reauthentication
                #  cache.
index f994f58d5a4c56232db07579247e9b15ae6e413f..b97351eb335f586645fb456e721f691af9fd7b92 100644 (file)
@@ -315,7 +315,7 @@ int         tls_error_io_log(REQUEST *request, tls_session_t *session, int ret, char co
 void           tls_global_cleanup(void);
 tls_session_t  *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQUEST *request, bool client_cert);
 tls_session_t  *tls_new_client_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, int fd, VALUE_PAIR **certs);
-fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs);
+fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs, bool allow_tls13);
 fr_tls_server_conf_t *tls_client_conf_parse(CONF_SECTION *cs);
 fr_tls_server_conf_t *tls_server_conf_alloc(TALLOC_CTX *ctx);
 SSL_CTX                *tls_init_ctx(fr_tls_server_conf_t *conf, int client);
@@ -366,9 +366,10 @@ struct fr_tls_server_conf_t {
        bool            disable_tlsv1_1;
        bool            disable_tlsv1_2;
 #ifdef TLS1_3_VERSION
-       bool            tls13_enable_magic;
-       bool            tls13_send_zero;
+       bool            tls13_enable_magic;
+       bool            tls13_send_zero;
 #endif
+       bool            tls13_internal_enable;  //!< for radsec
 
        char const      *tls_min_version;
        char const      *tls_max_version;
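Review bot: The new `tls13_internal_enable` field is set only from code (`tls_server_conf_parse()` copies its `allow_tls13` argument into it and `tls_client_conf_parse()` sets it to true), not by the configuration parser, yet its `//!< for radsec` comment does not say so, and the new `allow_tls13` parameter on the `tls_server_conf_parse(CONF_SECTION *cs, bool allow_tls13)` prototype in the earlier hunk is undocumented. Sitting next to `tls_min_version`/`tls_max_version`, a reader could take it for another config item. I would expand the field comment to `//!< set by the caller of tls_server_conf_parse(), not by config; bypasses the TLS 1.3 version check (RadSec)` and put `/* allow_tls13: true for RadSec listeners, false for EAP */` above the prototype. The `tls13_enable_magic`/`tls13_send_zero` lines in this hunk appear to change only whitespace.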
index e09518e3fab9ca84e9d36cc33d11b2e2dbeb9380..27ce67c6bc61fd216b42d0a114243d6512e9f7e6 100644 (file)
@@ -1055,7 +1055,7 @@ int common_socket_parse(CONF_SECTION *cs, rad_listen_t *this)
                         */
                        if (listen_port == 0) listen_port = PW_RADIUS_TLS_PORT;
 
-                       this->tls = tls_server_conf_parse(tls);
+                       this->tls = tls_server_conf_parse(tls, true);
                        if (!this->tls) {
                                return -1;
                        }
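Review bot: The bare `true` in `this->tls = tls_server_conf_parse(tls, true);` gives no hint at the call site what is being enabled, and the same applies to the `false` passed in `eaptls_conf_parse()` in src/modules/rlm_eap/libeap/eap_tls.c. Because this flag bypasses the TLS 1.3 version check in src/main/tls.c for every listener that takes this branch of `common_socket_parse()`, the policy should be visible where it is decided, e.g. `this->tls = tls_server_conf_parse(tls, true);	/* RadSec: TLS 1.3 permitted */` here and `/* EAP: TLS 1.3 stays gated behind tls13_enable_magic */` at the EAP call. If other listener types reach this branch they would also get TLS 1.3 allowed; I cannot tell from the hunk. `common_socket_parse()` starts and ends outside the hunk.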
index 7d73ab13a304cabda8122adbed3bea46fc751ceb..09d78283ebb465bbb719bcfaa95ddba8795cd886 100644 (file)
@@ -3660,7 +3660,7 @@ post_ca:
         *      UNLESS they set the magic / undocumented flag saying
         *      "please, let me use TLS 1.3".
         */
-       if (!conf->tls13_enable_magic) {
+       if (!conf->tls13_internal_enable && !conf->tls13_enable_magic) {
                if (min_version >= TLS1_3_VERSION) {
                        ERROR("tls_min_version '%s' MUST NOT be 1.3, as the standards have not been finalized.",
                              conf->tls_min_version);
@@ -4096,7 +4096,7 @@ static int store_cmp(void const *a, void const *b)
        return one - two;
 }
 
-fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs)
+fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs, bool allow_tls13)
 {
        fr_tls_server_conf_t *conf;
 
@@ -4123,6 +4123,11 @@ fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs)
         */
        if (conf->fragment_size < 100) conf->fragment_size = 100;
 
+       /*
+        *      Allow TLS 1.3 for RadSec
+        */
+       conf->tls13_internal_enable = allow_tls13;
+
        /*
         *      Only check for certificate things if we don't have a
         *      PSK query.
@@ -4154,7 +4159,7 @@ fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs)
        /*
         *      Initialize configuration mutex
         */
-        pthread_mutex_init(&conf->mutex, NULL);
+       pthread_mutex_init(&conf->mutex, NULL);
 
        /*
         *      Initialize TLS
@@ -4293,6 +4298,11 @@ fr_tls_server_conf_t *tls_client_conf_parse(CONF_SECTION *cs)
         */
        if (conf->fragment_size < 100) conf->fragment_size = 100;
 
+       /*
+        *      Allow TLS 1.3 for outgoing RadSec connections.
+        */
+       conf->tls13_internal_enable = true;
+
        /*
         *      Initialize TLS
         */
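Review bot: The comment above the changed condition in the `post_ca:` hunk is now stale: it says the version check is skipped only when the "magic / undocumented flag" is set, but the new `if (!conf->tls13_internal_enable && !conf->tls13_enable_magic)` also skips it whenever the caller of `tls_server_conf_parse()` passed `allow_tls13`, and for every client configuration, since `tls_client_conf_parse()` sets `conf->tls13_internal_enable = true` unconditionally. I would amend the comment to read `*      "please, let me use TLS 1.3", or the config was parsed with allow_tls13 (RadSec listeners and all client connections).` The ERROR text `MUST NOT be 1.3, as the standards have not been finalized` is likewise no longer accurate for the cases this commit enables, though that wording is pre-existing. The function containing `post_ca:` starts and ends outside the hunk.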
index f2729ddb6be3284b4c3fb7bf6dab3e99952b7e79..4d22750088cf40a85c8b712b34ca9e54f967b9e5 100644 (file)
@@ -1174,7 +1174,7 @@ fr_tls_server_conf_t *eaptls_conf_parse(CONF_SECTION *cs, char const *attr)
        if (!tls_cs)
                return NULL;
 
-       tls_conf = tls_server_conf_parse(tls_cs);
+       tls_conf = tls_server_conf_parse(tls_cs, false);
 
        if (!tls_conf)
                return NULL;