EAP server: Add tls_session_lifetime configuration
This new hostapd configuration parameter can be used to enable TLS session resumption. This commit adds the configuration parameter through the configuration system and RADIUS/EAPOL/EAP server components. The actual changes to enable session caching will be addressed in followup commits. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
3f1b792fbe
commit
681e199dfb
13 changed files with 28 additions and 1 deletions
|
@ -2079,6 +2079,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
|
||||||
bss->private_key_passwd = os_strdup(pos);
|
bss->private_key_passwd = os_strdup(pos);
|
||||||
} else if (os_strcmp(buf, "check_crl") == 0) {
|
} else if (os_strcmp(buf, "check_crl") == 0) {
|
||||||
bss->check_crl = atoi(pos);
|
bss->check_crl = atoi(pos);
|
||||||
|
} else if (os_strcmp(buf, "tls_session_lifetime") == 0) {
|
||||||
|
bss->tls_session_lifetime = atoi(pos);
|
||||||
} else if (os_strcmp(buf, "ocsp_stapling_response") == 0) {
|
} else if (os_strcmp(buf, "ocsp_stapling_response") == 0) {
|
||||||
os_free(bss->ocsp_stapling_response);
|
os_free(bss->ocsp_stapling_response);
|
||||||
bss->ocsp_stapling_response = os_strdup(pos);
|
bss->ocsp_stapling_response = os_strdup(pos);
|
||||||
|
|
|
@ -768,6 +768,12 @@ eap_server=0
|
||||||
# 2 = check all CRLs in the certificate path
|
# 2 = check all CRLs in the certificate path
|
||||||
#check_crl=1
|
#check_crl=1
|
||||||
|
|
||||||
|
# TLS Session Lifetime in seconds
|
||||||
|
# This can be used to allow TLS sessions to be cached and resumed with an
|
||||||
|
# abbreviated handshake when using EAP-TLS/TTLS/PEAP.
|
||||||
|
# (default: 0 = session caching and resumption disabled)
|
||||||
|
#tls_session_lifetime=3600
|
||||||
|
|
||||||
# Cached OCSP stapling response (DER encoded)
|
# Cached OCSP stapling response (DER encoded)
|
||||||
# If set, this file is sent as a certificate status response by the EAP server
|
# If set, this file is sent as a certificate status response by the EAP server
|
||||||
# if the EAP peer requests certificate status in the ClientHello message.
|
# if the EAP peer requests certificate status in the ClientHello message.
|
||||||
|
|
|
@ -330,6 +330,7 @@ struct hostapd_bss_config {
|
||||||
char *private_key;
|
char *private_key;
|
||||||
char *private_key_passwd;
|
char *private_key_passwd;
|
||||||
int check_crl;
|
int check_crl;
|
||||||
|
unsigned int tls_session_lifetime;
|
||||||
char *ocsp_stapling_response;
|
char *ocsp_stapling_response;
|
||||||
char *dh_file;
|
char *dh_file;
|
||||||
char *openssl_ciphers;
|
char *openssl_ciphers;
|
||||||
|
|
|
@ -132,6 +132,7 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
|
||||||
#endif /* CONFIG_HS20 */
|
#endif /* CONFIG_HS20 */
|
||||||
srv.erp = conf->eap_server_erp;
|
srv.erp = conf->eap_server_erp;
|
||||||
srv.erp_domain = conf->erp_domain;
|
srv.erp_domain = conf->erp_domain;
|
||||||
|
srv.tls_session_lifetime = conf->tls_session_lifetime;
|
||||||
|
|
||||||
hapd->radius_srv = radius_server_init(&srv);
|
hapd->radius_srv = radius_server_init(&srv);
|
||||||
if (hapd->radius_srv == NULL) {
|
if (hapd->radius_srv == NULL) {
|
||||||
|
@ -151,9 +152,12 @@ int authsrv_init(struct hostapd_data *hapd)
|
||||||
if (hapd->conf->eap_server &&
|
if (hapd->conf->eap_server &&
|
||||||
(hapd->conf->ca_cert || hapd->conf->server_cert ||
|
(hapd->conf->ca_cert || hapd->conf->server_cert ||
|
||||||
hapd->conf->private_key || hapd->conf->dh_file)) {
|
hapd->conf->private_key || hapd->conf->dh_file)) {
|
||||||
|
struct tls_config conf;
|
||||||
struct tls_connection_params params;
|
struct tls_connection_params params;
|
||||||
|
|
||||||
hapd->ssl_ctx = tls_init(NULL);
|
os_memset(&conf, 0, sizeof(conf));
|
||||||
|
conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
|
||||||
|
hapd->ssl_ctx = tls_init(&conf);
|
||||||
if (hapd->ssl_ctx == NULL) {
|
if (hapd->ssl_ctx == NULL) {
|
||||||
wpa_printf(MSG_ERROR, "Failed to initialize TLS");
|
wpa_printf(MSG_ERROR, "Failed to initialize TLS");
|
||||||
authsrv_deinit(hapd);
|
authsrv_deinit(hapd);
|
||||||
|
|
|
@ -2106,6 +2106,7 @@ int ieee802_1x_init(struct hostapd_data *hapd)
|
||||||
conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start;
|
conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start;
|
||||||
conf.erp_domain = hapd->conf->erp_domain;
|
conf.erp_domain = hapd->conf->erp_domain;
|
||||||
conf.erp = hapd->conf->eap_server_erp;
|
conf.erp = hapd->conf->eap_server_erp;
|
||||||
|
conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
|
||||||
conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
|
conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
|
||||||
conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
|
conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
|
||||||
conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
|
conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
|
||||||
|
|
|
@ -79,6 +79,7 @@ struct tls_config {
|
||||||
int fips_mode;
|
int fips_mode;
|
||||||
int cert_in_cb;
|
int cert_in_cb;
|
||||||
const char *openssl_ciphers;
|
const char *openssl_ciphers;
|
||||||
|
unsigned int tls_session_lifetime;
|
||||||
|
|
||||||
void (*event_cb)(void *ctx, enum tls_event ev,
|
void (*event_cb)(void *ctx, enum tls_event ev,
|
||||||
union tls_event_data *data);
|
union tls_event_data *data);
|
||||||
|
|
|
@ -131,6 +131,7 @@ struct eap_config {
|
||||||
const u8 *server_id;
|
const u8 *server_id;
|
||||||
size_t server_id_len;
|
size_t server_id_len;
|
||||||
int erp;
|
int erp;
|
||||||
|
unsigned int tls_session_lifetime;
|
||||||
|
|
||||||
#ifdef CONFIG_TESTING_OPTIONS
|
#ifdef CONFIG_TESTING_OPTIONS
|
||||||
u32 tls_test_flags;
|
u32 tls_test_flags;
|
||||||
|
|
|
@ -210,6 +210,7 @@ struct eap_sm {
|
||||||
Boolean initiate_reauth_start_sent;
|
Boolean initiate_reauth_start_sent;
|
||||||
Boolean try_initiate_reauth;
|
Boolean try_initiate_reauth;
|
||||||
int erp;
|
int erp;
|
||||||
|
unsigned int tls_session_lifetime;
|
||||||
|
|
||||||
#ifdef CONFIG_TESTING_OPTIONS
|
#ifdef CONFIG_TESTING_OPTIONS
|
||||||
u32 tls_test_flags;
|
u32 tls_test_flags;
|
||||||
|
|
|
@ -1865,6 +1865,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
|
||||||
sm->server_id = conf->server_id;
|
sm->server_id = conf->server_id;
|
||||||
sm->server_id_len = conf->server_id_len;
|
sm->server_id_len = conf->server_id_len;
|
||||||
sm->erp = conf->erp;
|
sm->erp = conf->erp;
|
||||||
|
sm->tls_session_lifetime = conf->tls_session_lifetime;
|
||||||
|
|
||||||
#ifdef CONFIG_TESTING_OPTIONS
|
#ifdef CONFIG_TESTING_OPTIONS
|
||||||
sm->tls_test_flags = conf->tls_test_flags;
|
sm->tls_test_flags = conf->tls_test_flags;
|
||||||
|
|
|
@ -835,6 +835,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
|
||||||
eap_conf.server_id = eapol->conf.server_id;
|
eap_conf.server_id = eapol->conf.server_id;
|
||||||
eap_conf.server_id_len = eapol->conf.server_id_len;
|
eap_conf.server_id_len = eapol->conf.server_id_len;
|
||||||
eap_conf.erp = eapol->conf.erp;
|
eap_conf.erp = eapol->conf.erp;
|
||||||
|
eap_conf.tls_session_lifetime = eapol->conf.tls_session_lifetime;
|
||||||
sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
|
sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
|
||||||
if (sm->eap == NULL) {
|
if (sm->eap == NULL) {
|
||||||
eapol_auth_free(sm);
|
eapol_auth_free(sm);
|
||||||
|
@ -1229,6 +1230,7 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
|
||||||
}
|
}
|
||||||
dst->erp_send_reauth_start = src->erp_send_reauth_start;
|
dst->erp_send_reauth_start = src->erp_send_reauth_start;
|
||||||
dst->erp = src->erp;
|
dst->erp = src->erp;
|
||||||
|
dst->tls_session_lifetime = src->tls_session_lifetime;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
|
|
@ -27,6 +27,7 @@ struct eapol_auth_config {
|
||||||
int erp_send_reauth_start;
|
int erp_send_reauth_start;
|
||||||
char *erp_domain; /* a copy of this will be allocated */
|
char *erp_domain; /* a copy of this will be allocated */
|
||||||
int erp; /* Whether ERP is enabled on authentication server */
|
int erp; /* Whether ERP is enabled on authentication server */
|
||||||
|
unsigned int tls_session_lifetime;
|
||||||
u8 *pac_opaque_encr_key;
|
u8 *pac_opaque_encr_key;
|
||||||
u8 *eap_fast_a_id;
|
u8 *eap_fast_a_id;
|
||||||
size_t eap_fast_a_id_len;
|
size_t eap_fast_a_id_len;
|
||||||
|
|
|
@ -265,6 +265,8 @@ struct radius_server_data {
|
||||||
|
|
||||||
struct dl_list erp_keys; /* struct eap_server_erp_key */
|
struct dl_list erp_keys; /* struct eap_server_erp_key */
|
||||||
|
|
||||||
|
unsigned int tls_session_lifetime;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* wps - Wi-Fi Protected Setup context
|
* wps - Wi-Fi Protected Setup context
|
||||||
*
|
*
|
||||||
|
@ -688,6 +690,7 @@ radius_server_get_new_session(struct radius_server_data *data,
|
||||||
eap_conf.server_id = (const u8 *) data->server_id;
|
eap_conf.server_id = (const u8 *) data->server_id;
|
||||||
eap_conf.server_id_len = os_strlen(data->server_id);
|
eap_conf.server_id_len = os_strlen(data->server_id);
|
||||||
eap_conf.erp = data->erp;
|
eap_conf.erp = data->erp;
|
||||||
|
eap_conf.tls_session_lifetime = data->tls_session_lifetime;
|
||||||
radius_server_testing_options(sess, &eap_conf);
|
radius_server_testing_options(sess, &eap_conf);
|
||||||
sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
|
sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
|
||||||
&eap_conf);
|
&eap_conf);
|
||||||
|
@ -1745,6 +1748,7 @@ radius_server_init(struct radius_server_conf *conf)
|
||||||
}
|
}
|
||||||
data->erp = conf->erp;
|
data->erp = conf->erp;
|
||||||
data->erp_domain = conf->erp_domain;
|
data->erp_domain = conf->erp_domain;
|
||||||
|
data->tls_session_lifetime = conf->tls_session_lifetime;
|
||||||
|
|
||||||
if (conf->subscr_remediation_url) {
|
if (conf->subscr_remediation_url) {
|
||||||
data->subscr_remediation_url =
|
data->subscr_remediation_url =
|
||||||
|
|
|
@ -170,6 +170,8 @@ struct radius_server_conf {
|
||||||
|
|
||||||
const char *erp_domain;
|
const char *erp_domain;
|
||||||
|
|
||||||
|
unsigned int tls_session_lifetime;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* wps - Wi-Fi Protected Setup context
|
* wps - Wi-Fi Protected Setup context
|
||||||
*
|
*
|
||||||
|
|
Loading…
Reference in a new issue