EAP server: Set per-EAP method session context

This can be used to limit TLS session resumption within a TLS library
implementation to apply only for the cases where the same EAP method is
used. While the EAP server method matching will be enforced separately
by EAP server method implementations, this additional steps can optimize
cases by falling back to full authentication instead of having to reject
attempts after having completed session resumption successfully.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-08-23 22:05:14 +03:00
parent b3b8085ae8
commit e23e35e39a

View file

@ -46,6 +46,7 @@ static void eap_server_tls_log_cb(void *ctx, const char *msg)
int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data, int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
int verify_peer, int eap_type) int verify_peer, int eap_type)
{ {
u8 session_ctx[8];
unsigned int flags = 0; unsigned int flags = 0;
if (sm->ssl_ctx == NULL) { if (sm->ssl_ctx == NULL) {
@ -72,8 +73,11 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
if (eap_type != EAP_TYPE_FAST) if (eap_type != EAP_TYPE_FAST)
flags |= TLS_CONN_DISABLE_SESSION_TICKET; flags |= TLS_CONN_DISABLE_SESSION_TICKET;
os_memcpy(session_ctx, "hostapd", 7);
session_ctx[7] = (u8) eap_type;
if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer, if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer,
flags, NULL, 0)) { flags, session_ctx,
sizeof(session_ctx))) {
wpa_printf(MSG_INFO, "SSL: Failed to configure verification " wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
"of TLS peer certificate"); "of TLS peer certificate");
tls_connection_deinit(sm->ssl_ctx, data->conn); tls_connection_deinit(sm->ssl_ctx, data->conn);