Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

EAP server: Add tls_session_lifetime configuration

This new hostapd configuration parameter can be used to enable TLS
session resumption. This commit adds the configuration parameter through
the configuration system and RADIUS/EAPOL/EAP server components. The
actual changes to enable session caching will be addressed in followup
commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 9 years ago
parent
3f1b792fbe
commit
681e199dfb
13 changed files with 28 additions and 1 deletions
Split View Show Diff Stats
  1. 2 0
      hostapd/config_file.c
  2. 6 0
      hostapd/hostapd.conf
  3. 1 0
      src/ap/ap_config.h
  4. 5 1
      src/ap/authsrv.c
  5. 1 0
      src/ap/ieee802_1x.c
  6. 1 0
      src/crypto/tls.h
  7. 1 0
      src/eap_server/eap.h
  8. 1 0
      src/eap_server/eap_i.h
  9. 1 0
      src/eap_server/eap_server.c
  10. 2 0
      src/eapol_auth/eapol_auth_sm.c
  11. 1 0
      src/eapol_auth/eapol_auth_sm.h
  12. 4 0
      src/radius/radius_server.c
  13. 2 0
      src/radius/radius_server.h

+ 2 - 0
hostapd/config_file.c
View File 

@@ -2079,6 +2079,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 
 		bss->private_key_passwd = os_strdup(pos);
 
 	} else if (os_strcmp(buf, "check_crl") == 0) {
 
 		bss->check_crl = atoi(pos);
 
+	} else if (os_strcmp(buf, "tls_session_lifetime") == 0) {
 
+		bss->tls_session_lifetime = atoi(pos);
 
 	} else if (os_strcmp(buf, "ocsp_stapling_response") == 0) {
 
 		os_free(bss->ocsp_stapling_response);
 
 		bss->ocsp_stapling_response = os_strdup(pos);

+ 6 - 0
hostapd/hostapd.conf
View File 

@@ -768,6 +768,12 @@ eap_server=0
 
 # 2 = check all CRLs in the certificate path
 
 #check_crl=1
 
 
+# TLS Session Lifetime in seconds
 
+# This can be used to allow TLS sessions to be cached and resumed with an
 
+# abbreviated handshake when using EAP-TLS/TTLS/PEAP.
 
+# (default: 0 = session caching and resumption disabled)
 
+#tls_session_lifetime=3600
 
+
 
 # Cached OCSP stapling response (DER encoded)
 
 # If set, this file is sent as a certificate status response by the EAP server
 
 # if the EAP peer requests certificate status in the ClientHello message.

+ 1 - 0
src/ap/ap_config.h
View File 

@@ -330,6 +330,7 @@ struct hostapd_bss_config {
 
 	char *private_key;
 
 	char *private_key_passwd;
 
 	int check_crl;
 
+	unsigned int tls_session_lifetime;
 
 	char *ocsp_stapling_response;
 
 	char *dh_file;
 
 	char *openssl_ciphers;

+ 5 - 1
src/ap/authsrv.c
View File 

@@ -132,6 +132,7 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
 
 #endif /* CONFIG_HS20 */
 
 	srv.erp = conf->eap_server_erp;
 
 	srv.erp_domain = conf->erp_domain;
 
+	srv.tls_session_lifetime = conf->tls_session_lifetime;
 
 
 	hapd->radius_srv = radius_server_init(&srv);
 
 	if (hapd->radius_srv == NULL) {
 
@@ -151,9 +152,12 @@ int authsrv_init(struct hostapd_data *hapd)
 
 	if (hapd->conf->eap_server &&
 
 	    (hapd->conf->ca_cert || hapd->conf->server_cert ||
 
 	     hapd->conf->private_key || hapd->conf->dh_file)) {
 
+		struct tls_config conf;
 
 		struct tls_connection_params params;
 
 
-		hapd->ssl_ctx = tls_init(NULL);
 
+		os_memset(&conf, 0, sizeof(conf));
 
+		conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
 
+		hapd->ssl_ctx = tls_init(&conf);
 
 		if (hapd->ssl_ctx == NULL) {
 
 			wpa_printf(MSG_ERROR, "Failed to initialize TLS");
 
 			authsrv_deinit(hapd);

+ 1 - 0
src/ap/ieee802_1x.c
View File 

@@ -2106,6 +2106,7 @@ int ieee802_1x_init(struct hostapd_data *hapd)
 
 	conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start;
 
 	conf.erp_domain = hapd->conf->erp_domain;
 
 	conf.erp = hapd->conf->eap_server_erp;
 
+	conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
 
 	conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
 
 	conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
 
 	conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;

+ 1 - 0
src/crypto/tls.h
View File 

@@ -79,6 +79,7 @@ struct tls_config {
 
 	int fips_mode;
 
 	int cert_in_cb;
 
 	const char *openssl_ciphers;
 
+	unsigned int tls_session_lifetime;
 
 
 	void (*event_cb)(void *ctx, enum tls_event ev,
 
 			 union tls_event_data *data);

+ 1 - 0
src/eap_server/eap.h
View File 

@@ -131,6 +131,7 @@ struct eap_config {
 
 	const u8 *server_id;
 
 	size_t server_id_len;
 
 	int erp;
 
+	unsigned int tls_session_lifetime;
 
 
 #ifdef CONFIG_TESTING_OPTIONS
 
 	u32 tls_test_flags;

+ 1 - 0
src/eap_server/eap_i.h
View File 

@@ -210,6 +210,7 @@ struct eap_sm {
 
 	Boolean initiate_reauth_start_sent;
 
 	Boolean try_initiate_reauth;
 
 	int erp;
 
+	unsigned int tls_session_lifetime;
 
 
 #ifdef CONFIG_TESTING_OPTIONS
 
 	u32 tls_test_flags;

+ 1 - 0
src/eap_server/eap_server.c
View File 

@@ -1865,6 +1865,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
 
 	sm->server_id = conf->server_id;
 
 	sm->server_id_len = conf->server_id_len;
 
 	sm->erp = conf->erp;
 
+	sm->tls_session_lifetime = conf->tls_session_lifetime;
 
 
 #ifdef CONFIG_TESTING_OPTIONS
 
 	sm->tls_test_flags = conf->tls_test_flags;

+ 2 - 0
src/eapol_auth/eapol_auth_sm.c
View File 

@@ -835,6 +835,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
 
 	eap_conf.server_id = eapol->conf.server_id;
 
 	eap_conf.server_id_len = eapol->conf.server_id_len;
 
 	eap_conf.erp = eapol->conf.erp;
 
+	eap_conf.tls_session_lifetime = eapol->conf.tls_session_lifetime;
 
 	sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
 
 	if (sm->eap == NULL) {
 
 		eapol_auth_free(sm);
 
@@ -1229,6 +1230,7 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
 
 	}
 
 	dst->erp_send_reauth_start = src->erp_send_reauth_start;
 
 	dst->erp = src->erp;
 
+	dst->tls_session_lifetime = src->tls_session_lifetime;
 
 
 	return 0;

+ 1 - 0
src/eapol_auth/eapol_auth_sm.h
View File 

@@ -27,6 +27,7 @@ struct eapol_auth_config {
 
 	int erp_send_reauth_start;
 
 	char *erp_domain; /* a copy of this will be allocated */
 
 	int erp; /* Whether ERP is enabled on authentication server */
 
+	unsigned int tls_session_lifetime;
 
 	u8 *pac_opaque_encr_key;
 
 	u8 *eap_fast_a_id;
 
 	size_t eap_fast_a_id_len;

+ 4 - 0
src/radius/radius_server.c
View File 

@@ -265,6 +265,8 @@ struct radius_server_data {
 
 
 	struct dl_list erp_keys; /* struct eap_server_erp_key */
 
 
+	unsigned int tls_session_lifetime;
 
+
 
 	/**
 
 	 * wps - Wi-Fi Protected Setup context
 
 	 *
 
@@ -688,6 +690,7 @@ radius_server_get_new_session(struct radius_server_data *data,
 
 	eap_conf.server_id = (const u8 *) data->server_id;
 
 	eap_conf.server_id_len = os_strlen(data->server_id);
 
 	eap_conf.erp = data->erp;
 
+	eap_conf.tls_session_lifetime = data->tls_session_lifetime;
 
 	radius_server_testing_options(sess, &eap_conf);
 
 	sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
 
 				       &eap_conf);
 
@@ -1745,6 +1748,7 @@ radius_server_init(struct radius_server_conf *conf)
 
 	}
 
 	data->erp = conf->erp;
 
 	data->erp_domain = conf->erp_domain;
 
+	data->tls_session_lifetime = conf->tls_session_lifetime;
 
 
 	if (conf->subscr_remediation_url) {
 
 		data->subscr_remediation_url =

+ 2 - 0
src/radius/radius_server.h
View File 

@@ -170,6 +170,8 @@ struct radius_server_conf {
 
 
 	const char *erp_domain;
 
 
+	unsigned int tls_session_lifetime;
 
+
 
 	/**
 
 	 * wps - Wi-Fi Protected Setup context
 
 	 *