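/*
 *	Send an EAP-TLS Success to the peer and derive the session keys.
 *
 *	Marks the handler as finished, lets tls_success() act on the
 *	TLS session, composes the Success reply into handler->eap_ds,
 *	then derives MPPE keying material (only when the TLS session
 *	carries a PRF label) and the EAP key.
 *
 *	@param handler	EAP handler; handler->opaque is the tls_session_t.
 *	@param peap_flag	value copied verbatim into the reply flags field.
 *	@return 1 always; once we get here the Success is unconditional.
 */
int eaptls_success(eap_handler_t *handler, int peap_flag)
{
	REQUEST *request = handler->request;
	tls_session_t *tls_session = handler->opaque;

	/*
	 *	Initialise the whole packet up front, so eaptls_compose()
	 *	never sees indeterminate bytes in any field this function
	 *	does not set explicitly.
	 */
	EAPTLS_PACKET reply = {
		.code = FR_TLS_SUCCESS,
		.length = TLS_HEADER_LEN,
		.flags = peap_flag,
		.data = NULL,
		.dlen = 0,
	};

	handler->finished = true;

	tls_success(tls_session, request);

	/*
	 *	Call compose AFTER checking for cached data.
	 */
	eaptls_compose(handler->eap_ds, &reply);

	/*
	 *	Automatically generate MPPE keying material.  Without a
	 *	PRF label there is nothing to derive from, so only log it.
	 */
	if (tls_session->prf_label) {
		eaptls_gen_mppe_keys(handler->request, tls_session->ssl, tls_session->prf_label);
	} else {
		RWDEBUG("Not adding MPPE keys because there is no PRF label");
	}

	eaptls_gen_eap_key(handler->request->reply, tls_session->ssl, handler->type);

	return 1;
}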
/*
 *	Send an EAP-TLS Success to the peer, handling session resumption
 *	and the session cache on the way, then derive the session keys.
 *
 *	Three mutually exclusive paths depending on the resumption state:
 *	  1. resumption disallowed -> drop the session from the cache;
 *	     if the peer actually resumed, fail the authentication;
 *	  2. fresh (non-resumed) session -> stash selected attributes in
 *	     the SSL_SESSION ex_data slot so a later resumption can replay
 *	     them;
 *	  3. resumed session -> copy the stashed attributes back into the
 *	     request/reply lists, or fail if there are none.
 *
 *	Whatever lands in the cache in path 2 is replayed verbatim in
 *	path 3 without re-running authorization, so the list must only
 *	ever hold server-generated authorization state.
 *
 *	@param handler	EAP handler; handler->opaque is the tls_session_t.
 *	@param peap_flag	value copied verbatim into the reply flags field.
 *	@return 1 on Success, or the result of eaptls_fail() on the two
 *		failure paths.
 */
int eaptls_success(EAP_HANDLER *handler, int peap_flag)
{
	EAPTLS_PACKET reply;
	VALUE_PAIR *vp, *vps = NULL;
	REQUEST *request = handler->request;
	tls_session_t *tls_session = handler->opaque;

	handler->finished = TRUE;

	reply.code = EAPTLS_SUCCESS;
	reply.length = TLS_HEADER_LEN;
	reply.flags = peap_flag;
	reply.data = NULL;
	reply.dlen = 0;

	/*
	 *	If there's no session resumption, delete the entry
	 *	from the cache.  This means either it's disabled
	 *	globally for this SSL context, OR we were told to
	 *	disable it for this user.
	 *
	 *	This also means you can't turn it on just for one
	 *	user.
	 *
	 *	The per-user switch is config item 1127 (bare attribute
	 *	number; presumably the resumption control attribute --
	 *	verify against the dictionary).  Only an explicit value of
	 *	0 disables; an absent attribute leaves the global setting.
	 *
	 *	NOTE(review): tls_session->ssl->session is dereferenced
	 *	directly here and below; SSL_get_session() is the API form.
	 */
	if ((!tls_session->allow_session_resumption) ||
	    (((vp = pairfind(request->config_items, 1127)) != NULL) &&
	     (vp->vp_integer == 0))) {
		SSL_CTX_remove_session(tls_session->ctx, tls_session->ssl->session);
		tls_session->allow_session_resumption = 0;

		/*
		 *	If we're in a resumed session and it's
		 *	not allowed, fail hard: the peer skipped the
		 *	full handshake that policy requires.
		 */
		if (SSL_session_reused(tls_session->ssl)) {
			RDEBUG("FAIL: Forcibly stopping session resumption as it is not allowed.");
			return eaptls_fail(handler, peap_flag);
		}

		/*
		 *	Else resumption IS allowed, so we store the
		 *	user data in the cache.
		 */
	} else if (!SSL_session_reused(tls_session->ssl)) {
		RDEBUG2("Saving response in the cache");

		/*
		 *	Only these attributes are cached: identity
		 *	(User-Name from the reply, Stripped-User-Name
		 *	from the request), CUI, the cached session policy
		 *	and the peer certificate attributes.  Each copy
		 *	is optional; missing ones are simply skipped.
		 */
		vp = paircopy2(request->reply->vps, PW_USER_NAME);
		if (vp) pairadd(&vps, vp);

		vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME);
		if (vp) pairadd(&vps, vp);

		vp = paircopy2(request->reply->vps, PW_CHARGEABLE_USER_IDENTITY);
		if (vp) pairadd(&vps, vp);

		vp = paircopy2(request->reply->vps, PW_CACHED_SESSION_POLICY);
		if (vp) pairadd(&vps, vp);

		if (handler->certs) {
			pairadd(&vps, paircopy(handler->certs));
		}

		/*
		 *	Ownership of vps passes to the SSL_SESSION ex_data
		 *	slot; it is not freed here (presumably by the ex_data
		 *	free callback registered elsewhere -- not visible in
		 *	this function).  With nothing to cache, the session is
		 *	removed so it cannot be resumed into an empty reply.
		 */
		if (vps) {
			SSL_SESSION_set_ex_data(tls_session->ssl->session, eaptls_session_idx, vps);
		} else {
			RDEBUG2("WARNING: No information to cache: session caching will be disabled for this session.");
			SSL_CTX_remove_session(tls_session->ctx, tls_session->ssl->session);
		}

		/*
		 *	Else the session WAS allowed.  Copy the cached
		 *	reply.
		 */
	} else {
		vps = SSL_SESSION_get_ex_data(tls_session->ssl->session, eaptls_session_idx);
		if (!vps) {
			/*
			 *	A resumed session with no cached state cannot
			 *	be authorized, so reject rather than accept
			 *	with an empty reply.
			 */
			RDEBUG("WARNING: No information in cached session!");
			return eaptls_fail(handler, peap_flag);
		} else {
			RDEBUG("Adding cached attributes:");
			debug_pair_list(vps);

			for (vp = vps; vp != NULL; vp = vp->next) {
				/*
				 *	TLS-* attrs get added back to
				 *	the request list; everything else
				 *	goes to the reply.  The range bounds
				 *	are bare attribute numbers -- confirm
				 *	against the dictionary.
				 */
				if ((vp->attribute >= 1910) && (vp->attribute < 1929)) {
					pairadd(&request->packet->vps, paircopyvp(vp));
				} else {
					pairadd(&request->reply->vps, paircopyvp(vp));
				}
			}

			/*
			 *	Mark the request as resumed, so policy can
			 *	tell a replayed reply from a fresh one.
			 */
			vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
			if (vp) pairadd(&request->packet->vps, vp);
		}
	}

	/*
	 *	Call compose AFTER checking for cached data.
	 */
	eaptls_compose(handler->eap_ds, &reply);

	/*
	 *	Automatically generate MPPE keying material.  Without a
	 *	PRF label there is nothing to derive from, so only log it.
	 */
	if (tls_session->prf_label) {
		eaptls_gen_mppe_keys(&handler->request->reply->vps, tls_session->ssl, tls_session->prf_label);
	} else {
		RDEBUG("WARNING: Not adding MPPE keys because there is no PRF label");
	}

	eaptls_gen_eap_key(tls_session->ssl, handler->eap_type, &handler->request->reply->vps);

	return 1;
}