EAP-TLS server: Add support for session resumption

This allows TLS session resumption to be used to enable abbreviated
handshake.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-08-23 22:08:02 +03:00
parent b6f2ae3b5b
commit 7f417feaa1

View File

@ -48,6 +48,23 @@ static void eap_tls_state(struct eap_tls_data *data, int state)
eap_tls_state_txt(data->state),
eap_tls_state_txt(state));
data->state = state;
if (state == FAILURE)
tls_connection_remove_session(data->ssl.conn);
}
static void eap_tls_valid_session(struct eap_sm *sm, struct eap_tls_data *data)
{
struct wpabuf *buf;
if (!sm->tls_session_lifetime)
return;
buf = wpabuf_alloc(1);
if (!buf)
return;
wpabuf_put_u8(buf, data->eap_type);
tls_connection_set_success_data(data->ssl.conn, buf);
}
@ -184,6 +201,7 @@ check_established:
* fragments waiting to be sent out. */
wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
eap_tls_state(data, SUCCESS);
eap_tls_valid_session(sm, data);
}
return res;
@ -235,10 +253,41 @@ static void eap_tls_process(struct eap_sm *sm, void *priv,
struct wpabuf *respData)
{
struct eap_tls_data *data = priv;
const struct wpabuf *buf;
const u8 *pos;
if (eap_server_tls_process(sm, &data->ssl, respData, data,
data->eap_type, NULL, eap_tls_process_msg) <
0)
0) {
eap_tls_state(data, FAILURE);
return;
}
if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
!tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
return;
buf = tls_connection_get_success_data(data->ssl.conn);
if (!buf || wpabuf_len(buf) < 1) {
wpa_printf(MSG_DEBUG,
"EAP-TLS: No success data in resumed session - reject attempt");
eap_tls_state(data, FAILURE);
return;
}
pos = wpabuf_head(buf);
if (*pos != data->eap_type) {
wpa_printf(MSG_DEBUG,
"EAP-TLS: Resumed session for another EAP type (%u) - reject attempt",
*pos);
eap_tls_state(data, FAILURE);
return;
}
wpa_printf(MSG_DEBUG,
"EAP-TLS: Resuming previous session");
eap_tls_state(data, SUCCESS);
tls_connection_set_success_data_resumed(data->ssl.conn);
}