On 20.1.2017 11.33, Hartmaier Alexander wrote:

Can you confirm that Radiator stores the information saved by
eap_save_resume_context for the same duration as OpenSSL is told to do so?
In Radius/TLS.pm line 818 it looks like EAPTLS_SessionResumptionLimit is
used to set this timeout too.

Yes, that's correct. The information saved for resume has the same lifetime. Also, if it happens that a session is resumed by TLS layer but Radiator has no information about the resumed session, the authentication will fail.

Can you please write up how we should persist our custom data set in the
EAPTLS_CertificateVerifyHook and retrieve it in the PostAuth hook?
I suggest defining and documenting one key that is persisted and
restored by eap_save_resume_context / eap_recover_resume_context which
can then be used by hooks to store data in.

I have attached a short PostAuthHook that does this. During the full auth, the hook stores a custom value from EAPContext so that it is available when TLS resume is done. When a TLS resume is done, it copies the value from resume data to EAPContext. This allows you to always access your custom value when the hook has run. You may want to add more error checks, etc. but it should work as a sample.

The hook can be configured as PostAuthHook for an AuthBy or a Handler. In addition to this, for a demo, use this for EAPTLS_CertificateVerifyHook:

EAPTLS_CertificateVerifyHook sub {my $p = $_[5]; \
$p->{EAPContext}->{hvn_test} = 'hvn_test set in CertificateVerifyHook. Time: '. time(); \
   return $_[0];}

The verify hook sets a custom value that the PostAuthHook stores and restores as needed. The timestamp is there to show how the value stays the same once it's set during the full authentication.

Is $p->{EAPContext}->{eap_resume_context} already available in a
EAPTLS_CertificateVerifyHook or will data I'll write into it be

No, the resume context is created only when TLS has accepted a new session. You need to store the values in EAPContext as you are already doing.

Also in a PostAuth hook when a session has been resumed?

Yes, as seen in the attached hook.

I've tried using $p->{EAPContext}->{eap_resume_context} instead of
$p->{EAPContext} for all custom variables but the reply attributes set
by our PostAuth hook aren't restored from the resume context as it seems.
Is eap_save_resume_context called before the PostAuth hook is called?

It is, but you may want to see the hook to see if it works better in your case.

What about my suggestion to add a warning to Radius::Context::get if a
context can't be found?
Does this make sense as Radiator has one per-auth context and one
per-resumeable session?

I'd say get() does what it's now expected. In other words, it will return the existing value or create a new context. Note that there is also find() that returns the existing value, if any, and does not reset the timeout. But in any case, the caller needs to see if it got anything and act accordingly.

Just saw that the last paragraph in 4.22.77. PostAuthHook is duplicate.

I have made a ticket about this, thanks!

Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
sub {
    my $p = ${$_[0]};
    my $result = ${$_[2]};

    my $context = $p->{EAPContext};
    return unless ($result == $main::ACCEPT &&

    unless ($context->{eap_resume_context})
	# Should not happen
	main::log($main::LOG_ERR, "PostAuthHook: No eap_resume_context", $p);

    my $custom_val;
    my $reused = Net::SSLeay::session_reused($context->{ssl});
    if ($reused)
	# TLS session resumed. Get our custom value from the
	# previously saved resume data and store it in EAP context
	$custom_val = $context->{eap_resume_context}->{hvn_test};
	$context->{hvn_test} = $custom_val;
	# Full authentication. Need to store the custom value for
	# later. Get it from EAP context where it was saved by
	# EAPTLS_CertificateVerifyHook
	$custom_val = $context->{hvn_test};
	$context->{eap_resume_context}->{hvn_test} = $custom_val;

    # The custom value always present in EAP context
    main::log($main::LOG_DEBUG, "PostAuthHook: reused: $reused custom_val: $context->{hvn_test}", $p);

radiator mailing list

Reply via email to