diff -Naur freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_tls/eap_tls.c freeradius-1.1.0_reauth/src/modules/rlm_eap/types/rlm_eap_tls/eap_tls.c --- freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_tls/eap_tls.c 2007-11-02 10:07:50.000000000 +0530 +++ freeradius-1.1.0_reauth/src/modules/rlm_eap/types/rlm_eap_tls/eap_tls.c 2007-11-02 10:07:54.000000000 +0530 @@ -609,40 +609,54 @@ static void eaptls_operation(EAPTLS_PACKET *eaptls_packet UNUSED, eaptls_status_t status, EAP_HANDLER *handler) { - tls_session_t *tls_session; + int ret = 0; + tls_session_t *tls_session; - tls_session = (tls_session_t *)handler->opaque; + tls_session = (tls_session_t *)handler->opaque; - if ((status == EAPTLS_MORE_FRAGMENTS) || - (status == EAPTLS_MORE_FRAGMENTS_WITH_LENGTH) || - (status == EAPTLS_FIRST_FRAGMENT)) { - /* - * Send the ACK. - */ - eaptls_send_ack(handler->eap_ds, tls_session->peap_flag); - } else { - /* - * We have the complete TLS-data or TLS-message. - * - * Clean the dirty message. - * - * Authenticate the user and send - * Success/Failure. - * - * If more info - * is required then send another request. */ - if (tls_handshake_recv(tls_session)) { - /* - * FIXME: return success/fail. - * - * TLS proper can decide what to do, then. - */ - eaptls_request(handler->eap_ds, tls_session); - } else { - eaptls_fail(handler->eap_ds, tls_session->peap_flag); - } - } - return; + if ((status == EAPTLS_MORE_FRAGMENTS) || + (status == EAPTLS_MORE_FRAGMENTS_WITH_LENGTH) || + (status == EAPTLS_FIRST_FRAGMENT)) { + /* + * Send the ACK. + */ + eaptls_send_ack(handler->eap_ds, tls_session->peap_flag); + } else { + /* + * We have the complete TLS-data or TLS-message. + * + * Clean the dirty message. + * + * Authenticate the user and send + * Success/Failure. + * + * If more info + * is required then send another request. */ + ret = tls_handshake_recv(tls_session); + /* + * TLS returns 1 on normal case. + * 7 (it can be any value otherthan 0 and 1. TLS should know this value) + * on fast re-auth completion. + */ + if (1 == ret) + { + eaptls_request(handler->eap_ds, tls_session); + } + else if(7 == ret) + { + /* + * Success: Return MPPE keys. + */ + eaptls_success(handler->eap_ds, 0); + eaptls_gen_mppe_keys(&handler->request->reply->vps, + tls_session->ssl, + "client EAP encryption"); + + } else { + eaptls_fail(handler->eap_ds, tls_session->peap_flag); + } + } + return; } diff -Naur freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_tls/tls.c freeradius-1.1.0_reauth/src/modules/rlm_eap/types/rlm_eap_tls/tls.c --- freeradius-1.1.0/src/modules/rlm_eap/types/rlm_eap_tls/tls.c 2004-02-27 00:34:31.000000000 +0530 +++ freeradius-1.1.0_reauth/src/modules/rlm_eap/types/rlm_eap_tls/tls.c 2007-11-02 10:02:23.000000000 +0530 @@ -22,11 +22,24 @@ */ #include "eap_tls.h" +static long ctx_num = 0; + tls_session_t *eaptls_new_session(SSL_CTX *ssl_ctx, int client_cert) { tls_session_t *state = NULL; SSL *new_tls = NULL; int verify_mode = SSL_VERIFY_NONE; + int ret = 0; + + if(0 == ctx_num++) + { + ret = SSL_CTX_set_session_id_context(ssl_ctx, + (const unsigned char *)&ctx_num, sizeof(long)); + if(!ret) + { + printf("FR : pblm in set session id context\n"); + } + } if ((new_tls = SSL_new(ssl_ctx)) == NULL) { radlog(L_ERR, "rlm_eap_tls: Error creating new SSL"); @@ -39,9 +52,14 @@ state = (tls_session_t *)malloc(sizeof(*state)); memset(state, 0, sizeof(*state)); + + SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_NO_AUTO_CLEAR|SSL_SESS_CACHE_SERVER); + session_init(state); state->ssl = new_tls; + state->ssl->new_session = 1; + /* * Create & hook the BIOs to handle the dirty side of the * SSL. This is *very important* as we want to handle @@ -185,6 +203,18 @@ DEBUG2("In SSL Connect mode \n"); } + if (SSL_is_init_finished(ssn->ssl) && 1 == ssn->ssl->hit) + { + /* Session Resumption : CCS and Finish received, parsed + * and validated successfully. Time to wind up handshake. */ + record_init(&ssn->dirty_in); + + /* This can return any value otherthan 0 and 1. Check for + * this ret value in the lower layer for reauth completion */ + return 7; + + } + if (ssn->info.content_type != application_data) { err = BIO_read(ssn->from_ssl, ssn->dirty_out.data, sizeof(ssn->dirty_out.data)); @@ -261,7 +291,10 @@ void session_close(tls_session_t *ssn) { if(ssn->ssl) + { + SSL_shutdown(ssn->ssl); SSL_free(ssn->ssl); + } #if 0 /* * WARNING: SSL_free seems to decrement the reference counts already, @@ -271,11 +304,11 @@ BIO_free(ssn->into_ssl); if(ssn->from_ssl) BIO_free(ssn->from_ssl); -#endif record_close(&ssn->clean_in); record_close(&ssn->clean_out); record_close(&ssn->dirty_in); record_close(&ssn->dirty_out); +#endif session_init(ssn); }