Hello,

well, I thought about the problem with reauthentication: why must there be passwords
in the session at all? EAP/TLS doesn't need any password to be exchanged;
the passphrase stays local.

That's why it shouldn't be necessary to have these keys in the session or
in the response (the client didn't send any password either).

By the time the password is added to the session, the handshake has
already been completed.


from src/modules/rlm_eap/libeap/eap_tls.c (original):

-------------------------------------------------------------------------------------------------------------------------
        } else if (!SSL_session_reused(tls_session->ssl)) {
                RDEBUG2("Saving response in the cache");
                
                vp = paircopy2(request->reply->vps, PW_USER_NAME);
                pairadd(&vps, vp);
                
                vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME);
                pairadd(&vps, vp);
                
                if (vps) {
                        SSL_SESSION_set_ex_data(tls_session->ssl->session,
                                                eaptls_session_idx, vps);
                } else {
                        RDEBUG2("WARNING: No information to cache: session 
caching will be disabled for this session.");
                        SSL_CTX_remove_session(tls_session->ctx,
                                               tls_session->ssl->session);
                }

                /*
                 *      Else the session WAS allowed.  Copy the cached
                 *      reply.
                 */

        } else {
        
                vp = SSL_SESSION_get_ex_data(tls_session->ssl->session,
                                             eaptls_session_idx);
                if (!vp) {
                        RDEBUG("WARNING: No information in cached session!");
                        return eaptls_fail(handler, peap_flag);
                } else {
                        RDEBUG("Adding cached attributes to the reply:");
                        debug_pair_list(vp);
                        pairadd(&request->reply->vps, paircopy(vp));

                        /*
                         *      Mark the request as resumed.
                         */
                        vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
                        if (vp) pairadd(&request->packet->vps, vp);
                }
        }
-----------------------------------------------------------------------------------------------------------------------------------


Therefore, I made the following change (for testing only!!!!
It should be used only with EAP/TLS, and only for testing - no warranty!):


-----------------------------------------------------------------------------------------------------------------------------------
        } else if (!SSL_session_reused(tls_session->ssl)) {
                RDEBUG2("Saving response in the cache");
                
                vp = paircopy2(request->reply->vps, PW_USER_NAME);
                pairadd(&vps, vp);
                
                vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME);
                pairadd(&vps, vp);
                
                if (vps) {
                        SSL_SESSION_set_ex_data(tls_session->ssl->session,
                                                eaptls_session_idx, vps);
                } else {
                        RDEBUG2("WARNING: No information to cache: session 
caching will be disabled for this session.");
                        SSL_CTX_remove_session(tls_session->ctx,
                                               tls_session->ssl->session);
                }

                /*
                 *      Else the session WAS allowed.  Copy the cached
                 *      reply.
                 */

        } else {
        
                vp = SSL_SESSION_get_ex_data(tls_session->ssl->session,
                                             eaptls_session_idx);
                if (!vp) {
                        // here should be a check for the authentication type 
EAP/tls,
                        // because I'm not sure, if this code is used 
exclusively for eap/tls
                        RDEBUG("WARNING: No information in cached session!");
                        vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
                        if (vp) {
                                pairadd(&request->packet->vps, vp);
                                RDEBUG("WARNING: Missing session-data 
ignored!");
                        }
                        else {
                                RDEBUG("WARNING: Couldn't set 
EAP-Session-Resumed data!");
                                return eaptls_fail(handler, peap_flag);
                        }
                } else {
                        RDEBUG("Adding cached attributes to the reply:");
                        debug_pair_list(vp);
                        pairadd(&request->reply->vps, paircopy(vp));

                        /*
                         *      Mark the request as resumed.
                         */
                        vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
                        if (vp) pairadd(&request->packet->vps, vp);
                }
        }
-----------------------------------------------------------------------------------------------------------------------------------


This is what is sent to the client after this process:

Sending Access-Accept of id 52 to 192.168.1.9 port 2048
        MS-MPPE-Recv-Key = 
0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        MS-MPPE-Send-Key = 
0xyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
        EAP-Message = 0x03020004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "myu...@mydom.it"


Kind regards,
Andreas Hartmann
