]> git.ipfire.org Git - thirdparty/freeradius-server.git/commitdiff
add flags to allow TLS 1.3 and 0x00 application data.
authorAlan T. DeKok <aland@freeradius.org>
Mon, 14 Jun 2021 20:06:44 +0000 (16:06 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Mon, 14 Jun 2021 20:06:44 +0000 (16:06 -0400)
Looks OK, but testing would be nice.

src/lib/eap/tls.c
src/lib/eap/tls.h
src/lib/tls/session.h
src/lib/tls/validate.c

index 29b5fcb54d93ab8da8c8fcbb9734fcd6d74d2ba2..6f4d97f045887f9d18b7d5b963fe91e81963efa3 100644 (file)
@@ -837,7 +837,6 @@ static unlang_action_t eap_tls_handshake_resume(UNUSED rlm_rcode_t *p_result, UN
                break;
        }
 
-#if 0
 #ifdef TLS1_3_VERSION
        /*
         *      https://tools.ietf.org/html/draft-ietf-emu-eap-tls13#section-2.5
@@ -862,21 +861,25 @@ static unlang_action_t eap_tls_handshake_resume(UNUSED rlm_rcode_t *p_result, UN
         *                the client cert
         */
        if ((tls_session->info.version == TLS1_3_VERSION) &&
-           (tls_session->client_cert_ok || tls_session->authentication_success || SSL_session_reused(tls_session->ssl))) {
-               if ((handler->type == PW_EAP_TLS) || SSL_session_reused(tls_session->ssl)) {
-                       tls_session->authentication_success = true;
+           (tls_session->client_cert_ok || eap_tls_session->authentication_success || SSL_session_reused(tls_session->ssl))) {
+               if ((eap_session->type == FR_EAP_METHOD_TLS) || SSL_session_reused(tls_session->ssl)) {
+                       eap_tls_session->authentication_success = true;
 
                        RDEBUG("(TLS) EAP Sending final Commitment Message.");
-                       tls_session->record_plus(&tls_session->clean_in, "\0", 1);
+                       tls_session->record_from_buff(&tls_session->clean_in, "\0", 1);
                }
 
-               if (fr_tls_session_handshake(request, tls_session) < 0) {
+               /*
+                *      Always returns UNLANG_ACTION_CALCULATE_RESULT
+                */
+               (void) fr_tls_session_async_handshake_push(request, tls_session);
+               if (tls_session->result != FR_TLS_RESULT_SUCCESS) {
                        REDEBUG("TLS receive handshake failed during operation");
                        fr_tls_cache_deny(tls_session);
-                       return EAP_TLS_FAIL;
+                       eap_tls_session->state = EAP_TLS_FAIL;
+                       return UNLANG_ACTION_CALCULATE_RESULT;
                }
        }
-#endif
 #endif
 
        /*
index 8a0a4919c2ac53eb2445cc4c378254af245a27a8..d01e2354e6a35691e3ba2c5dfa353f3728f71a95 100644 (file)
@@ -129,13 +129,16 @@ typedef struct {
        fr_tls_session_t        *tls_session;           //!< TLS session used to authenticate peer
                                                        //!< or tunnel sensitive data.
 
+       int                     base_flags;             //!< Some protocols use the reserved bits of the EAP-TLS
+                                                       //!< flags (such as PEAP).  This allows the base flags to
+                                                       //!< be set.
+
        bool                    phase2;                 //!< Whether we're in phase 2
 
        bool                    include_length;         //!< A flag to include length in every TLS Data/Alert packet.
                                                        //!< If set to no then only the first fragment contains length.
-       int                     base_flags;             //!< Some protocols use the reserved bits of the EAP-TLS
-                                                       //!< flags (such as PEAP).  This allows the base flags to
-                                                       //!< be set.
+
+       bool                    authentication_success; //! for methods with inner auth, if the inner auth succeeded.
 
        bool                    record_out_started;     //!< Whether a record transfer to the peer is currently
                                                        //!< in progress.
index 6cc53286e37ceca8f375e855619f748619a6764c..56a28a3edf89cc5afbf421da4ee30d89799ad3d5 100644 (file)
@@ -127,6 +127,8 @@ typedef struct {
 
        bool                    invalid;                        //!< Whether heartbleed attack was detected.
 
+       bool                    client_cert_ok;                 //!< whether or not the client certificate was validated
+
        uint8_t                 alerts_sent;
        bool                    pending_alert;
        uint8_t                 pending_alert_level;
index b2c5e909e45798002633a013f7cf4a72de462f44..ac6588a22d4ab31b2c1ffa08e9ff7c82a9173539 100644 (file)
@@ -345,6 +345,12 @@ int fr_tls_validate_cert_cb(int ok, X509_STORE_CTX *x509_ctx)
        }
 #endif
 
+       /*
+        *      If we have a client certificate, cache whether or not
+        *      we validated it.
+        */
+       tls_session->client_cert_ok = (my_ok > 0);
+
        RDEBUG2("[verify client] = %s", my_ok ? "ok" : "invalid");
        return my_ok;
 }