From: Alan T. DeKok
Date: Wed, 3 Mar 2021 12:59:55 +0000 (-0500)
Subject: delay session tickets until after the user was authenticated
X-Git-Tag: release_3_0_22~182
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4b9f08f51e78b47769de3e666d27490bd33a1134;p=thirdparty%2Ffreeradius-server.git

delay session tickets until after the user was authenticated for PEAP, TTLS, FAST, etc.
---

diff --git a/src/include/tls-h b/src/include/tls-h
index ee22c0683e..f994f58d5a 100644
--- a/src/include/tls-h
+++ b/src/include/tls-h
@@ -141,6 +141,7 @@ typedef struct _tls_session_t {
 bool is_init_finished; //!< whether or not init is finished
 bool client_cert_ok; //!< whether or not we validated the client certificate
 bool authentication_success; //!< whether or not the user was authenticated (cert or PW)
+ bool quick_session_tickets; //!< for EAP-TLS.
 
 /*
 * Framed-MTU attribute in RADIUS, if present, can also be used to set this
diff --git a/src/main/tls.c b/src/main/tls.c
index b8514450a1..aa2aeb9859 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -3078,7 +3078,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 */
 ssn->client_cert_ok = (my_ok == 1);
 
- if (conf->session_cache_enable) {
+ if (ssn->quick_session_tickets && conf->session_cache_enable) {
 SSL_set_num_tickets(ssn->ssl, 1);
 }
 } /* depth == 0 */
diff --git a/src/main/tls_listen.c b/src/main/tls_listen.c
index c65049e2d7..e1293d5394 100644
--- a/src/main/tls_listen.c
+++ b/src/main/tls_listen.c
@@ -175,6 +175,7 @@ static int tls_socket_recv(rad_listen_t *listener)
 SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request);
 SSL_set_ex_data(sock->ssn->ssl, fr_tls_ex_index_certs, (void *) &sock->certs);
 SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_TALLOC, sock);
+ sock->ssn->quick_session_tickets = true; /* we don't have inner-tunnel authentication */
 
 doing_init = true;
 }
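Review bot: The new `quick_session_tickets` field is documented only as `//!< for EAP-TLS.`, yet the gate added in cbtls_verify() (tls.c hunk) and the assignments in tls_listen.c and rlm_eap_tls.c give it a precise meaning a reader of the header cannot recover. Suggest `//!< issue a session ticket as soon as the client cert verifies (EAP-TLS, RadSec); false for tunnelled methods, which wait for inner authentication`. The safe behaviour for PEAP/TTLS/FAST also depends on the field being false by default, which the diff never sets explicitly; that holds only if tls_session_t is zero-allocated (talloc_zero or equivalent, not visible here), so it is worth confirming, since a stale true would permit a ticket before inner authentication completes.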
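Review bot: Gating SSL_set_num_tickets() on `ssn->quick_session_tickets` only delays tickets if the SSL object starts with a ticket count of zero, because OpenSSL's TLS 1.3 default is to send tickets after the handshake without any SSL_set_num_tickets() call. If the context or session is initialised with `SSL_CTX_set_num_tickets(ctx, 0)` (or the per-SSL equivalent) elsewhere, which this diff does not show, the change is complete; otherwise tunnelled methods would still receive a ticket before inner authentication. A short comment at the new condition would also help the next reader: `/* EAP-TLS/RadSec only: the cert is the authentication. Tunnelled methods get their ticket from eaptls_operation() after inner auth. */`. cbtls_verify() starts before the hunk.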
diff --git a/src/modules/rlm_eap/libeap/eap_tls.c b/src/modules/rlm_eap/libeap/eap_tls.c
index ffeba95131..f2729ddb6b 100644
--- a/src/modules/rlm_eap/libeap/eap_tls.c
+++ b/src/modules/rlm_eap/libeap/eap_tls.c
@@ -765,19 +765,31 @@ static fr_tls_status_t eaptls_operation(fr_tls_status_t status, eap_handler_t *h
 * notibly not for PEAP even on resumption.
 */
 if ((tls_session->info.version == TLS1_3_VERSION) &&
- (handler->type == PW_EAP_TLS) &&
- (tls_session->client_cert_ok || SSL_session_reused(tls_session->ssl))) {
+ (tls_session->client_cert_ok || tls_session->authentication_success || SSL_session_reused(tls_session->ssl))) {
 fr_tls_server_conf_t *conf;
 
 conf = (fr_tls_server_conf_t *)SSL_get_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_CONF);
 rad_assert(conf != NULL);
 
- if (conf->tls13_send_zero) {
- RDEBUG("TLS send Commitment Message");
- tls_session->record_plus(&tls_session->clean_in, "\0", 1);
- } else {
- RDEBUG("TLS sending close_notify");
- SSL_shutdown(tls_session->ssl);
+ if ((handler->type == PW_EAP_TLS) || SSL_session_reused(tls_session->ssl)) {
+ tls_session->authentication_success = true;
+
+ if (conf->tls13_send_zero) {
+ RDEBUG("TLS send Commitment Message");
+ tls_session->record_plus(&tls_session->clean_in, "\0", 1);
+ } else {
+ RDEBUG("TLS sending close_notify");
+ SSL_shutdown(tls_session->ssl);
+ }
+ }
+
+ /*
+ * Allow sending of session tickets, but ONLY
+ * after we've verified the client certificate,
+ * or users password.
+ */
+ else if (conf->session_cache_enable) {
+ SSL_set_num_tickets(tls_session->ssl, 1);
 }
 
 tls_handshake_send(request, tls_session);
diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
index 8a370c88e6..360a42a5d8 100644
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
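Review bot: The new `else if (conf->session_cache_enable)` is separated from its `if` by a closing brace, a blank line and a five-line comment, so on a first read the `if ((handler->type == PW_EAP_TLS) || SSL_session_reused(tls_session->ssl))` block looks finished and the `else if` looks orphaned; moving the comment inside the `else if` body keeps the pairing visible. `SSL_session_reused(tls_session->ssl)` is also evaluated twice in the same condition chain; a local `bool resumed = SSL_session_reused(tls_session->ssl);` before the outer `if` would read better and keep both tests in sync. The widened outer condition now admits any session with `client_cert_ok`, so a tunnelled method whose client presented a certificate is allowed a ticket before the inner method runs; that matches the comment's "client certificate, or users password", but stating it as deliberate in the comment would stop a future reader from treating it as an oversight. eaptls_operation() starts before the hunk and continues after it.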
@@ -98,6 +98,7 @@ static int mod_session_init(void *type_arg, eap_handler_t *handler)
 }
 
 handler->opaque = ((void *)ssn);
+ ssn->quick_session_tickets = true; /* send as soon as we've seen the client cert */
 
 /*
 * TLS session initialization is over. Now handle TLS