fix: session resumptions + google ldap auth

2020-08-05 12:44:39 +02:00
parent ab1ab1b130
commit 66fbcf4ca8
7 changed files with 526 additions and 787 deletions
--- a/src/radius/handler/EAPPacketHandler.ts
+++ b/src/radius/handler/EAPPacketHandler.ts
@@ -34,8 +34,11 @@ export class EAPPacketHandler implements IPacketHandler {
 		// EAP MESSAGE
 		let msg = packet.attributes['EAP-Message'] as Buffer;

-		if (Array.isArray(msg)) {
-			msg = Buffer.concat(msg);
+		if (Array.isArray(msg) && !(packet.attributes['EAP-Message'] instanceof Buffer)) {
+			// log('multiple EAP Messages received, concat', msg.length);
+			const allMsgs = msg as Buffer[];
+			msg = Buffer.concat(allMsgs);
+			// log('final EAP Message', msg);
 		}

 		try {
--- a/src/radius/handler/eap/eapMethods/EAP-TTLS.ts
+++ b/src/radius/handler/eap/eapMethods/EAP-TTLS.ts
@@ -3,7 +3,7 @@
 /* eslint-disable no-bitwise */
 import * as tls from 'tls';
 import * as NodeCache from 'node-cache';
-// eslint-disable-next-line @typescript-eslint/ban-ts-ignore
+// eslint-disable-next-line @typescript-eslint/ban-ts-comment
 // @ts-ignore
 import { attr_id_to_name, attr_name_to_id } from 'radius';
 import debug from 'debug';
@@ -219,12 +219,13 @@ export class EAPTTLS implements IEAPMethod {
 		if (decodedFlags.lengthIncluded) {
 			msglength = msg.slice(6, 10).readUInt32BE(0); // .readDoubleLE(0); // .toString('hex');
 		}
-		const data = msg.slice(decodedFlags.lengthIncluded ? 10 : 6, msg.length);
+		const data = msg.slice(decodedFlags.lengthIncluded ? 10 : 6).slice(0, msglength);

 		log('>>>>>>>>>>>> REQUEST FROM CLIENT: EAP TTLS', {
 			flags: `00000000${flags.toString(2)}`.substr(-8),
 			decodedFlags,
 			identifier,
+			msglengthBuffer: msg.length,
 			msglength,
 			data,
 			// dataStr: data.toString()
@@ -388,15 +389,24 @@ export class EAPTTLS implements IEAPMethod {
 			};

 			const responseHandler = (encryptedResponseData: Buffer) => {
+				log('complete');
 				// send back...
 				sendResponsePromise.resolve(
 					this.buildEAPTTLSResponse(identifier, 21, 0x00, stateID, encryptedResponseData)
 				);
 			};

+			const checkExistingSession = (isSessionReused) => {
+				if (isSessionReused) {
+					log('secured, session reused, accept auth!');
+					sendResponsePromise.resolve(this.authResponse(identifier, true, connection.tls, packet));
+				}
+			};
+
 			// register event listeners
 			connection.events.on('incoming', incomingMessageHandler);
 			connection.events.on('response', responseHandler);
+			connection.events.on('secured', checkExistingSession);

 			// emit data to tls server
 			connection.events.emit('decrypt', data);
@@ -405,6 +415,9 @@ export class EAPTTLS implements IEAPMethod {
 			// cleanup
 			connection.events.off('incoming', incomingMessageHandler);
 			connection.events.off('response', responseHandler);
+			connection.events.off('secured', checkExistingSession);
+
+			// connection.events.off('secured');

 			// send response
 			return responseData; // this.buildEAPTTLSResponse(identifier, 21, 0x00, stateID, encryptedResponseData);
@@ -473,7 +486,7 @@ export class EAPTTLS implements IEAPMethod {

 			let vendorId;
 			let data;
-			if (flags & 0b010000000) {
+			if (decodedFlags.V) {
 				// V flag set
 				vendorId = currentBuffer.slice(8, 12).readUInt32BE(0);
 				data = currentBuffer.slice(12, length);