From: Alan T. DeKok Date: Mon, 14 Jun 2021 20:06:44 +0000 (-0400) Subject: add flags to allow TLS 1.3 and 0x00 application data. X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=676bca4c00744510046c265342d50d61d3fa7789;p=thirdparty%2Ffreeradius-server.git add flags to allow TLS 1.3 and 0x00 application data. Looks OK, but testing would be nice. --- diff --git a/src/lib/eap/tls.c b/src/lib/eap/tls.c index 29b5fcb54d9..6f4d97f0458 100644 --- a/src/lib/eap/tls.c +++ b/src/lib/eap/tls.c @@ -837,7 +837,6 @@ static unlang_action_t eap_tls_handshake_resume(UNUSED rlm_rcode_t *p_result, UN break; } -#if 0 #ifdef TLS1_3_VERSION /* * https://tools.ietf.org/html/draft-ietf-emu-eap-tls13#section-2.5 @@ -862,21 +861,25 @@ static unlang_action_t eap_tls_handshake_resume(UNUSED rlm_rcode_t *p_result, UN * the client cert */ if ((tls_session->info.version == TLS1_3_VERSION) && - (tls_session->client_cert_ok || tls_session->authentication_success || SSL_session_reused(tls_session->ssl))) { - if ((handler->type == PW_EAP_TLS) || SSL_session_reused(tls_session->ssl)) { - tls_session->authentication_success = true; + (tls_session->client_cert_ok || eap_tls_session->authentication_success || SSL_session_reused(tls_session->ssl))) { + if ((eap_session->type == FR_EAP_METHOD_TLS) || SSL_session_reused(tls_session->ssl)) { + eap_tls_session->authentication_success = true; RDEBUG("(TLS) EAP Sending final Commitment Message."); - tls_session->record_plus(&tls_session->clean_in, "\0", 1); + tls_session->record_from_buff(&tls_session->clean_in, "\0", 1); } - if (fr_tls_session_handshake(request, tls_session) < 0) { + /* + * Always returns UNLANG_ACTION_CALCULATE_RESULT + */ + (void) fr_tls_session_async_handshake_push(request, tls_session); + if (tls_session->result != FR_TLS_RESULT_SUCCESS) { REDEBUG("TLS receive handshake failed during operation"); fr_tls_cache_deny(tls_session); - return EAP_TLS_FAIL; + eap_tls_session->state = EAP_TLS_FAIL; + return UNLANG_ACTION_CALCULATE_RESULT; } } -#endif #endif /* diff --git a/src/lib/eap/tls.h b/src/lib/eap/tls.h index 8a0a4919c2a..d01e2354e6a 100644 --- a/src/lib/eap/tls.h +++ b/src/lib/eap/tls.h @@ -129,13 +129,16 @@ typedef struct { fr_tls_session_t *tls_session; //!< TLS session used to authenticate peer //!< or tunnel sensitive data. + int base_flags; //!< Some protocols use the reserved bits of the EAP-TLS + //!< flags (such as PEAP). This allows the base flags to + //!< be set. + bool phase2; //!< Whether we're in phase 2 bool include_length; //!< A flag to include length in every TLS Data/Alert packet. //!< If set to no then only the first fragment contains length. - int base_flags; //!< Some protocols use the reserved bits of the EAP-TLS - //!< flags (such as PEAP). This allows the base flags to - //!< be set. + + bool authentication_success; //! for methods with inner auth, if the inner auth succeeded. bool record_out_started; //!< Whether a record transfer to the peer is currently //!< in progress. diff --git a/src/lib/tls/session.h b/src/lib/tls/session.h index 6cc53286e37..56a28a3edf8 100644 --- a/src/lib/tls/session.h +++ b/src/lib/tls/session.h @@ -127,6 +127,8 @@ typedef struct { bool invalid; //!< Whether heartbleed attack was detected. + bool client_cert_ok; //!< whether or not the client certificate was validated + uint8_t alerts_sent; bool pending_alert; uint8_t pending_alert_level; diff --git a/src/lib/tls/validate.c b/src/lib/tls/validate.c index b2c5e909e45..ac6588a22d4 100644 --- a/src/lib/tls/validate.c +++ b/src/lib/tls/validate.c @@ -345,6 +345,12 @@ int fr_tls_validate_cert_cb(int ok, X509_STORE_CTX *x509_ctx) } #endif + /* + * If we have a client certificate, cache whether or not + * we validated it. + */ + tls_session->client_cert_ok = (my_ok > 0); + RDEBUG2("[verify client] = %s", my_ok ? "ok" : "invalid"); return my_ok; }