<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.3199" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2><FONT face="Times New Roman" size=3>Hi
All,<BR><BR>I successfully tested session resumption of my EAP-TLS and EAP-TTLS
clients <BR>using FreeRADIUS version 1.1.0.<BR>The following files were modified
to make session resumption
work.<BR><BR>freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_tls/tls.c
,<BR>freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_tls/eap_tls.c
and<BR>freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c.<BR><BR>Here
is the patch to be applied to freeRADIUS 1.1.0 to make fast
<BR>re-authentication work.<BR><BR><BR>diff -Naur
freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_tls/eap_tls.c
<BR>freeradius-1.1.0_reauth/src/modules/rlm_eap/types/rlm_eap_tls/eap_tls.c<BR>---
freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_tls/eap_tls.c <BR>2004-09-02
01:00:48.000000000 +0530<BR>+++
freeradius-1.1.0_reauth/src/modules/rlm_eap/types/rlm_eap_tls/eap_tls.c
<BR>2007-11-01 09:49:09.000000000 +0530<BR>@@ -609,43 +609,61 @@<BR> static
void eaptls_operation(EAPTLS_PACKET *eaptls_packet
UNUSED,<BR>
eaptls_status_t status, EAP_HANDLER *handler)<BR> {<BR>-
tls_session_t *tls_session;<BR>+ int ret =
0;<BR>+ tls_session_t *tls_session;<BR><BR>-
tls_session = (tls_session_t *)handler->opaque;<BR>+
tls_session = (tls_session_t *)handler->opaque;<BR><BR>- if
((status == EAPTLS_MORE_FRAGMENTS) ||<BR>-
(status == EAPTLS_MORE_FRAGMENTS_WITH_LENGTH)
||<BR>- (status == EAPTLS_FIRST_FRAGMENT))
{<BR>-
/*<BR>- * Send the
ACK.<BR>-
*/<BR>- eaptls_send_ack(handler->eap_ds,
tls_session->peap_flag);<BR>- } else
{<BR>-
/*<BR>- * We have the complete
TLS-data or TLS-message.<BR>-
*<BR>- * Clean the dirty
message.<BR>-
*<BR>- * Authenticate the user
and send<BR>- *
Success/Failure.<BR>-
*<BR>- * If more
info<BR>- * is required then
send another request. */<BR>- if
(tls_handshake_recv(tls_session))
{<BR>-
/*<BR>-
* FIXME: return
success/fail.<BR>-
*<BR>- *
TLS proper can decide what to do,
then.<BR>-
*/<BR>-
eaptls_request(handler->eap_ds,
tls_session);<BR>- } else
{<BR>-
eaptls_fail(handler->eap_ds,
tls_session->peap_flag);<BR>-
}<BR>- }<BR>- return;<BR>+ if ((status
== EAPTLS_MORE_FRAGMENTS)
||<BR>+
(status == EAPTLS_MORE_FRAGMENTS_WITH_LENGTH)
||<BR>+
(status == EAPTLS_FIRST_FRAGMENT))<BR>+
{<BR>+
/*<BR>+ * Send the
ACK.<BR>+
*/<BR>+
eaptls_send_ack(handler->eap_ds,
tls_session->peap_flag);<BR>+ }<BR>+
else<BR>+ {<BR>+
/*<BR>+ * We have the complete
TLS-data or TLS-message.<BR>+
*<BR>+ * Clean the dirty
message.<BR>+
*<BR>+ * Authenticate the user
and send<BR>+ *
Success/Failure.<BR>+
*<BR>+ * If more
info<BR>+ * is required then
send another request. */<BR>+
ret =
tls_handshake_recv(tls_session);<BR>+
/*<BR>+ * TLS returns 1 on
normal case.<BR>+
* 7 (it
can be any value otherthan 0 and 1. TLS <BR>should know this
value)<BR>+
* on
fast re-auth completion.<BR>+
*/<BR>+ if (1 ==
ret)<BR>+
{<BR>+
eaptls_request(handler->eap_ds,
tls_session);<BR>+
}<BR>+ else if(7 ==
ret)<BR>+
{<BR>+
/*<BR>+
* Success: Return MPPE
keys.<BR>+
*/<BR>+
eaptls_success(handler->eap_ds,
0);<BR>+
eaptls_gen_mppe_keys(&handler->request->reply->vps,<BR>+
tls_session->ssl,<BR>+
"client EAP encryption");<BR>+<BR>+
}<BR>+
else<BR>+
{<BR>+
eaptls_fail(handler->eap_ds,
tls_session->peap_flag);<BR>+
}<BR>+ }<BR>+
return;<BR> }<BR><BR>-<BR> /*<BR> * In the actual authentication
first verify the packet and then create the <BR>data structure<BR>
*/<BR>@@ -778,6 +796,7 @@<BR> {<BR> uint8_t
*ptr;<BR><BR>+<BR> /*<BR> *
Don't set eap_ds->request->type.type, as the main
EAP<BR> * handler will do that for us. This
allows the TLS<BR>@@ -820,6 +839,7
@@<BR> break;<BR>
case EAPTLS_SUCCESS:<BR>
eap_ds->request->code =
PW_EAP_SUCCESS;<BR>+<BR>
break;<BR> case
EAPTLS_FAIL:<BR>
eap_ds->request->code = PW_EAP_FAILURE;<BR>diff -Naur
<BR>freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
<BR>freeradius-1.1.0_reauth/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c<BR>---
freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
<BR>2005-12-15 05:36:26.000000000 +0530<BR>+++
<BR>freeradius-1.1.0_reauth/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
<BR>2007-11-01 09:49:12.000000000 +0530<BR>@@ -503,6 +503,7
@@<BR><BR> DEBUG2(" rlm_eap_tls:
Authenticate");<BR><BR>+<BR> status =
eaptls_process(handler);<BR> DEBUG2(" eaptls_process
returned %d\n", status);<BR> switch (status) {<BR>@@ -546,6
+547,7 @@<BR>
}<BR> #endif<BR><BR>+
printf("CALLING FAIL in
authenticate.\n");<BR>
eaptls_fail(handler->eap_ds,
0);<BR> return
0;<BR> break;<BR>@@ -564,6 +566,7
@@<BR>
eaptls_gen_mppe_keys(&handler->request->reply->vps,<BR>
tls_session->ssl,<BR>
"client EAP encryption");<BR>+<BR> return
1;<BR> }<BR><BR>diff -Naur
freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_tls/tls.c
<BR>freeradius-1.1.0_reauth/src/modules/rlm_eap/types/rlm_eap_tls/tls.c<BR>---
freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_tls/tls.c <BR>2004-02-27
00:34:31.000000000 +0530<BR>+++
freeradius-1.1.0_reauth/src/modules/rlm_eap/types/rlm_eap_tls/tls.c
<BR>2007-11-01 09:49:10.000000000 +0530<BR>@@ -22,11 +22,24 @@<BR>
*/<BR> #include "eap_tls.h"<BR><BR>+static long ctx_num =
0;<BR>+<BR> tls_session_t *eaptls_new_session(SSL_CTX *ssl_ctx, int
client_cert)<BR> {<BR> tls_session_t *state =
NULL;<BR> SSL *new_tls = NULL;<BR> int
verify_mode = SSL_VERIFY_NONE;<BR>+ int ret =
0;<BR>+<BR>+ if(0 == ctx_num++)<BR>+
{<BR>+ ret =
SSL_CTX_set_session_id_context(ssl_ctx,<BR>+
(const unsigned char *)&ctx_num,
sizeof(long));<BR>+
if(!ret)<BR>+
{<BR>+
printf("FR : pblm in set session id
context\n");<BR>+
}<BR>+ }<BR><BR> if ((new_tls =
SSL_new(ssl_ctx)) == NULL) {<BR>
radlog(L_ERR, "rlm_eap_tls: Error creating new SSL");<BR>@@ -39,9 +52,14
@@<BR><BR> state = (tls_session_t
*)malloc(sizeof(*state));<BR> memset(state, 0,
sizeof(*state));<BR>+<BR>+
SSL_CTX_set_session_cache_mode(ssl_ctx,
<BR>SSL_SESS_CACHE_NO_AUTO_CLEAR|SSL_SESS_CACHE_SERVER);<BR>+<BR>
session_init(state);<BR> state->ssl =
new_tls;<BR><BR>+ state->ssl->new_session =
1;<BR>+<BR> /*<BR> * Create
& hook the BIOs to handle the dirty side of the<BR>
* SSL. This is *very important* as we want to handle<BR>@@ -83,6
+101,8 @@<BR> return
state;<BR> }<BR><BR>+<BR>+<BR> /*<BR> * Print out some text
describing the error.<BR> */<BR>@@ -169,7 +189,8 @@<BR>
}<BR><BR> /* Some Extra STATE information for easy debugging
*/<BR>- if (SSL_is_init_finished(ssn->ssl)) {<BR>+ if
(SSL_is_init_finished(ssn->ssl))<BR>+
{<BR> DEBUG2("SSL Connection
Established\n");<BR>
}<BR> if (SSL_in_init(ssn->ssl))
{<BR>@@ -185,6 +206,18 @@<BR>
DEBUG2("In SSL Connect mode \n");<BR> }<BR><BR>+
if (SSL_is_init_finished(ssn->ssl) && 1 ==
ssn->ssl->hit)<BR>+
{<BR>+ /* Session Resumption : CCS and
Finish received, parsed<BR>+ *
and validated successfully. Time to wind up handshake.
*/<BR>+
record_init(&ssn->dirty_in);<BR>+<BR>+
/* This can return any value otherthan 0 and 1. Check
for<BR>+ * this ret value in the
lower layer for reauth completion
*/<BR>+ return
7;<BR>+<BR>+ }<BR>+<BR> if
(ssn->info.content_type != application_data)
{<BR> err = BIO_read(ssn->from_ssl,
ssn->dirty_out.data,<BR>
sizeof(ssn->dirty_out.data));<BR>@@ -260,8 +293,19 @@<BR><BR> void
session_close(tls_session_t *ssn)<BR> {<BR>+ int index =
0;<BR>+ static int flag = 0;<BR>+ int ret =
0;<BR>+ SSL *ssl_bk = ssn->ssl;<BR>+
SSL_SESSION *pSession;<BR>+ pSession =
malloc(sizeof(SSL_SESSION));<BR>+<BR>+<BR>
if(ssn->ssl)<BR>+
{<BR>+
SSL_shutdown(ssn->ssl);<BR>
SSL_free(ssn->ssl);<BR>+ }<BR> #if
0<BR> /*<BR> * WARNING: SSL_free seems to decrement the reference
counts already,<BR>@@ -271,11 +315,11
@@<BR>
BIO_free(ssn->into_ssl);<BR>
if(ssn->from_ssl)<BR>
BIO_free(ssn->from_ssl);<BR>-#endif<BR>
record_close(&ssn->clean_in);<BR>
record_close(&ssn->clean_out);<BR>
record_close(&ssn->dirty_in);<BR>
record_close(&ssn->dirty_out);<BR>+#endif<BR>
session_init(ssn);<BR> }<BR><BR><BR>Thanks and
Regards,<BR>-Sujith<BR><BR><BR>----- Original Message ----- <BR>From: "Alan
DeKok" <</FONT><A href=""><FONT face="Times New Roman"
size=3>aland@deployingradius.com</FONT></A><FONT face="Times New Roman"
size=3>><BR>To: "FreeRadius developers mailing list" <BR><</FONT><A
href=""><FONT face="Times New Roman"
size=3>freeradius-devel@lists.freeradius.org</FONT></A><FONT
face="Times New Roman" size=3>><BR>Sent: Wednesday, October 17, 2007 7:27
PM<BR>Subject: Re: Testing EAP-TLS session resumption<BR><BR><BR>>
sujithsankar wrote:<BR>>> I am working on EAP-TLS client.<BR>>> The
normal functionality testing was done by interoperating with <BR>>>
FreeRADIUS.<BR>>><BR>>> Now, I would like to test fast
re-authentication feature of my EAP-TLS<BR>>> client.<BR>>> It is
learnt that FreeRADIUS does not support this feature.<BR>>><BR>>>
Has anyone of you tried to test such a feature?<BR>><BR>> I haven't
tested it.<BR>><BR>>> Does anyone know about any patch for FreeRADIUS
to support session<BR>>> resumption?<BR>><BR>> Nope.
Feel free to send a patch, if you figure out how to get it to <BR>>
work.<BR>><BR>> Alan DeKok.<BR>> -<BR>> List
info/subscribe/unsubscribe? See <BR>> </FONT><A href=""><FONT
face="Times New Roman"
size=3>http://www.freeradius.org/list/devel.html</FONT></A><FONT
face="Times New Roman" size=3> </FONT><BR></FONT></DIV><p>The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments contained in it.
Contact your Administrator for further information.</p>
</BODY></HTML>