EAP server: Disable TLS session ticket with EAP-TLS/TTLS/PEAP
The EAP server is not yet capable of using a TLS session ticket to resume a session. Explicitly disable the use of TLS session tickets with EAP-TLS/TTLS/PEAP to avoid wasting resources on generating a session ticket that cannot be used for anything. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
93bc654996
commit
3f1b792fbe
6 changed files with 11 additions and 8 deletions
@ -428,7 +428,7 @@ static void * eap_fast_init(struct eap_sm *sm)
|
||||||
}
|
}
|
||||||
data->state = START;
|
data->state = START;
|
||||||
|
|
||||||
if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
|
if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_FAST)) {
|
||||||
wpa_printf(MSG_INFO, "EAP-FAST: Failed to initialize SSL.");
|
wpa_printf(MSG_INFO, "EAP-FAST: Failed to initialize SSL.");
|
||||||
eap_fast_reset(sm, data);
|
eap_fast_reset(sm, data);
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
|
@ -151,7 +151,7 @@ static void * eap_peap_init(struct eap_sm *sm)
|
||||||
data->state = START;
|
data->state = START;
|
||||||
data->crypto_binding = OPTIONAL_BINDING;
|
data->crypto_binding = OPTIONAL_BINDING;
|
||||||
|
|
||||||
if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
|
if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_PEAP)) {
|
||||||
wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
|
wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
|
||||||
eap_peap_reset(sm, data);
|
eap_peap_reset(sm, data);
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
|
@ -60,7 +60,7 @@ static void * eap_tls_init(struct eap_sm *sm)
|
||||||
return NULL;
|
return NULL;
|
||||||
data->state = START;
|
data->state = START;
|
||||||
|
|
||||||
if (eap_server_tls_ssl_init(sm, &data->ssl, 1)) {
|
if (eap_server_tls_ssl_init(sm, &data->ssl, 1, EAP_TYPE_TLS)) {
|
||||||
wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
|
wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
|
||||||
eap_tls_reset(sm, data);
|
eap_tls_reset(sm, data);
|
||||||
return NULL;
|
return NULL;
|
||||||
|
@ -82,7 +82,7 @@ static void * eap_unauth_tls_init(struct eap_sm *sm)
|
||||||
return NULL;
|
return NULL;
|
||||||
data->state = START;
|
data->state = START;
|
||||||
|
|
||||||
if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
|
if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_UNAUTH_TLS_TYPE)) {
|
||||||
wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
|
wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
|
||||||
eap_tls_reset(sm, data);
|
eap_tls_reset(sm, data);
|
||||||
return NULL;
|
return NULL;
|
||||||
|
@ -104,7 +104,8 @@ static void * eap_wfa_unauth_tls_init(struct eap_sm *sm)
|
||||||
return NULL;
|
return NULL;
|
||||||
data->state = START;
|
data->state = START;
|
||||||
|
|
||||||
if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
|
if (eap_server_tls_ssl_init(sm, &data->ssl, 0,
|
||||||
|
EAP_WFA_UNAUTH_TLS_TYPE)) {
|
||||||
wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
|
wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
|
||||||
eap_tls_reset(sm, data);
|
eap_tls_reset(sm, data);
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
|
@ -44,7 +44,7 @@ static void eap_server_tls_log_cb(void *ctx, const char *msg)
|
||||||
|
|
||||||
|
|
||||||
int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
|
int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
|
||||||
int verify_peer)
|
int verify_peer, int eap_type)
|
||||||
{
|
{
|
||||||
unsigned int flags = 0;
|
unsigned int flags = 0;
|
||||||
|
|
||||||
|
@ -70,6 +70,8 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
|
||||||
#endif /* CONFIG_TESTING_OPTIONS */
|
#endif /* CONFIG_TESTING_OPTIONS */
|
||||||
#endif /* CONFIG_TLS_INTERNAL */
|
#endif /* CONFIG_TLS_INTERNAL */
|
||||||
|
|
||||||
|
if (eap_type != EAP_TYPE_FAST)
|
||||||
|
flags |= TLS_CONN_DISABLE_SESSION_TICKET;
|
||||||
if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer,
|
if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer,
|
||||||
flags, NULL, 0)) {
|
flags, NULL, 0)) {
|
||||||
wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
|
wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
|
||||||
|
|
|
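Review bot: The `if (eap_type != EAP_TYPE_FAST)` guard added in front of the tls_connection_set_verify() call encodes the policy as "everything except EAP-FAST" while the commit message describes it as "TLS/TTLS/PEAP", and nothing in the code says why EAP-FAST is the one exception; a comment above the guard would spare the next reader the lookup: `/* EAP-FAST carries its PAC in the TLS SessionTicket extension (RFC 4851), so it is the only method that keeps tickets enabled; the server cannot yet resume from a ticket, so every other method disables them. */`. The new parameter is declared `int eap_type` although the same header declares `eap_tls_msg_alloc(EapType type, ...)`; the `int` looks deliberate because eap_server_tls.c also passes the file-local EAP_UNAUTH_TLS_TYPE and EAP_WFA_UNAUTH_TLS_TYPE values, but that mixing of EapType enumerators with local pseudo-type constants deserves a line on the prototype in eap_tls_common.h, e.g. `/* eap_type: EapType value or one of the EAP-TLS pseudo types; any value other than EAP_TYPE_FAST disables TLS session tickets */`. Those pseudo-type definitions are outside the diff, so their being distinct from EAP_TYPE_FAST is assumed here rather than verified. The rest of eap_server_tls_ssl_init lies outside the hunk.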
@ -317,7 +317,7 @@ static void * eap_ttls_init(struct eap_sm *sm)
|
||||||
data->ttls_version = EAP_TTLS_VERSION;
|
data->ttls_version = EAP_TTLS_VERSION;
|
||||||
data->state = START;
|
data->state = START;
|
||||||
|
|
||||||
if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
|
if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_TTLS)) {
|
||||||
wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
|
wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
|
||||||
eap_ttls_reset(sm, data);
|
eap_ttls_reset(sm, data);
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
|
@ -70,7 +70,7 @@ struct eap_ssl_data {
|
||||||
struct wpabuf * eap_tls_msg_alloc(EapType type, size_t payload_len,
|
struct wpabuf * eap_tls_msg_alloc(EapType type, size_t payload_len,
|
||||||
u8 code, u8 identifier);
|
u8 code, u8 identifier);
|
||||||
int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
|
int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
|
||||||
int verify_peer);
|
int verify_peer, int eap_type);
|
||||||
void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data);
|
void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data);
|
||||||
u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
|
u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
|
||||||
char *label, size_t len);
|
char *label, size_t len);
|
||||||
|
|