EAP server: Disable TLS session ticket with EAP-TLS/TTLS/PEAP

The EAP server is not yet capable of using TLS session ticket to resume
a session. Explicitly disable use of TLS session ticket with
EAP-TLS/TTLS/PEAP to avoid wasting resources on generating a session
ticket that cannot be used for anything.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-08-23 21:22:22 +03:00
parent 93bc654996
commit 3f1b792fbe
6 changed files with 11 additions and 8 deletions

View file

@ -428,7 +428,7 @@ static void * eap_fast_init(struct eap_sm *sm)
} }
data->state = START; data->state = START;
if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) { if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_FAST)) {
wpa_printf(MSG_INFO, "EAP-FAST: Failed to initialize SSL."); wpa_printf(MSG_INFO, "EAP-FAST: Failed to initialize SSL.");
eap_fast_reset(sm, data); eap_fast_reset(sm, data);
return NULL; return NULL;

View file

@ -151,7 +151,7 @@ static void * eap_peap_init(struct eap_sm *sm)
data->state = START; data->state = START;
data->crypto_binding = OPTIONAL_BINDING; data->crypto_binding = OPTIONAL_BINDING;
if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) { if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_PEAP)) {
wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL."); wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
eap_peap_reset(sm, data); eap_peap_reset(sm, data);
return NULL; return NULL;

View file

@ -60,7 +60,7 @@ static void * eap_tls_init(struct eap_sm *sm)
return NULL; return NULL;
data->state = START; data->state = START;
if (eap_server_tls_ssl_init(sm, &data->ssl, 1)) { if (eap_server_tls_ssl_init(sm, &data->ssl, 1, EAP_TYPE_TLS)) {
wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL."); wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
eap_tls_reset(sm, data); eap_tls_reset(sm, data);
return NULL; return NULL;
@ -82,7 +82,7 @@ static void * eap_unauth_tls_init(struct eap_sm *sm)
return NULL; return NULL;
data->state = START; data->state = START;
if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) { if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_UNAUTH_TLS_TYPE)) {
wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL."); wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
eap_tls_reset(sm, data); eap_tls_reset(sm, data);
return NULL; return NULL;
@ -104,7 +104,8 @@ static void * eap_wfa_unauth_tls_init(struct eap_sm *sm)
return NULL; return NULL;
data->state = START; data->state = START;
if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) { if (eap_server_tls_ssl_init(sm, &data->ssl, 0,
EAP_WFA_UNAUTH_TLS_TYPE)) {
wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL."); wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
eap_tls_reset(sm, data); eap_tls_reset(sm, data);
return NULL; return NULL;

View file

@ -44,7 +44,7 @@ static void eap_server_tls_log_cb(void *ctx, const char *msg)
int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data, int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
int verify_peer) int verify_peer, int eap_type)
{ {
unsigned int flags = 0; unsigned int flags = 0;
@ -70,6 +70,8 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
#endif /* CONFIG_TESTING_OPTIONS */ #endif /* CONFIG_TESTING_OPTIONS */
#endif /* CONFIG_TLS_INTERNAL */ #endif /* CONFIG_TLS_INTERNAL */
if (eap_type != EAP_TYPE_FAST)
flags |= TLS_CONN_DISABLE_SESSION_TICKET;
if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer, if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer,
flags, NULL, 0)) { flags, NULL, 0)) {
wpa_printf(MSG_INFO, "SSL: Failed to configure verification " wpa_printf(MSG_INFO, "SSL: Failed to configure verification "

View file

@ -317,7 +317,7 @@ static void * eap_ttls_init(struct eap_sm *sm)
data->ttls_version = EAP_TTLS_VERSION; data->ttls_version = EAP_TTLS_VERSION;
data->state = START; data->state = START;
if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) { if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_TTLS)) {
wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL."); wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
eap_ttls_reset(sm, data); eap_ttls_reset(sm, data);
return NULL; return NULL;

View file

@ -70,7 +70,7 @@ struct eap_ssl_data {
struct wpabuf * eap_tls_msg_alloc(EapType type, size_t payload_len, struct wpabuf * eap_tls_msg_alloc(EapType type, size_t payload_len,
u8 code, u8 identifier); u8 code, u8 identifier);
int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data, int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
int verify_peer); int verify_peer, int eap_type);
void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data); void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data);
u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data, u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
char *label, size_t len); char *label, size_t len);