EAP server: Add tls_session_lifetime configuration
authorJouni Malinen <j@w1.fi>
Sun, 23 Aug 2015 18:26:39 +0000 (21:26 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 23 Aug 2015 23:29:30 +0000 (02:29 +0300)
This new hostapd configuration parameter can be used to enable TLS
session resumption. This commit adds the configuration parameter through
the configuration system and RADIUS/EAPOL/EAP server components. The
actual changes to enable session caching will be addressed in followup
commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
13 files changed:
hostapd/config_file.c
hostapd/hostapd.conf
src/ap/ap_config.h
src/ap/authsrv.c
src/ap/ieee802_1x.c
src/crypto/tls.h
src/eap_server/eap.h
src/eap_server/eap_i.h
src/eap_server/eap_server.c
src/eapol_auth/eapol_auth_sm.c
src/eapol_auth/eapol_auth_sm.h
src/radius/radius_server.c
src/radius/radius_server.h

index f8ca6da6e61f03644df1da5928d4327670144548..e91c86c039bd4057b00c470f2e268279fd52cb1e 100644 (file)
@@ -2079,6 +2079,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
                bss->private_key_passwd = os_strdup(pos);
        } else if (os_strcmp(buf, "check_crl") == 0) {
                bss->check_crl = atoi(pos);
+       } else if (os_strcmp(buf, "tls_session_lifetime") == 0) {
+               bss->tls_session_lifetime = atoi(pos);
        } else if (os_strcmp(buf, "ocsp_stapling_response") == 0) {
                os_free(bss->ocsp_stapling_response);
                bss->ocsp_stapling_response = os_strdup(pos);
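Review bot: The new `tls_session_lifetime` branch stores `atoi(pos)` into a field declared `unsigned int` (see the ap_config.h hunk), so a negative value such as `-1` is silently converted to a lifetime of roughly 136 years, which makes the cache effectively permanent rather than disabled; `atoi` also accepts trailing garbage without complaint. Since this value drives how long resumable TLS session state is retained, it should be range-checked like other numeric options in this parser and rejected on negative input instead of wrapping. hostapd_config_fill's signature and the rest of its body are outside the hunk; the `line` parameter used below is assumed to be the one the function already passes to its other error messages.
```c
	} else if (os_strcmp(buf, "tls_session_lifetime") == 0) {
		int val = atoi(pos);
		if (val < 0) {
			wpa_printf(MSG_ERROR, "Line %d: invalid tls_session_lifetime %d",
				   line, val);
			return 1;
		}
		bss->tls_session_lifetime = val;
	/* … unchanged: ocsp_stapling_response branch … */
```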
index 16905885c5b6b901cb2e003762875ab0af3aa77a..4a829ead401205398b487310bd29e7620db1997d 100644 (file)
@@ -768,6 +768,12 @@ eap_server=0
 # 2 = check all CRLs in the certificate path
 #check_crl=1
 
+# TLS Session Lifetime in seconds
+# This can be used to allow TLS sessions to be cached and resumed with an
+# abbreviated handshake when using EAP-TLS/TTLS/PEAP.
+# (default: 0 = session caching and resumption disabled)
+#tls_session_lifetime=3600
+
 # Cached OCSP stapling response (DER encoded)
 # If set, this file is sent as a certificate status response by the EAP server
 # if the EAP peer requests certificate status in the ClientHello message.
index 07550bd3671b6e68df80c4a12b6533c4418e9594..c9a37643c14f797798bfa2551efd62f4a0186440 100644 (file)
@@ -330,6 +330,7 @@ struct hostapd_bss_config {
        char *private_key;
        char *private_key_passwd;
        int check_crl;
+       unsigned int tls_session_lifetime;
        char *ocsp_stapling_response;
        char *dh_file;
        char *openssl_ciphers;
index f10e1b724f9575c4558d7fb44c878fb1f8bc60ef..934dcfc8d6318c4496296d009ad03bb82b5e827f 100644 (file)
@@ -132,6 +132,7 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
 #endif /* CONFIG_HS20 */
        srv.erp = conf->eap_server_erp;
        srv.erp_domain = conf->erp_domain;
+       srv.tls_session_lifetime = conf->tls_session_lifetime;
 
        hapd->radius_srv = radius_server_init(&srv);
        if (hapd->radius_srv == NULL) {
@@ -151,9 +152,12 @@ int authsrv_init(struct hostapd_data *hapd)
        if (hapd->conf->eap_server &&
            (hapd->conf->ca_cert || hapd->conf->server_cert ||
             hapd->conf->private_key || hapd->conf->dh_file)) {
+               struct tls_config conf;
                struct tls_connection_params params;
 
-               hapd->ssl_ctx = tls_init(NULL);
+               os_memset(&conf, 0, sizeof(conf));
+               conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
+               hapd->ssl_ctx = tls_init(&conf);
                if (hapd->ssl_ctx == NULL) {
                        wpa_printf(MSG_ERROR, "Failed to initialize TLS");
                        authsrv_deinit(hapd);
index 2edc9e066ae5e84f858ea5015b07e0da3ee81904..0f2d428cf752aa7c826570c06bac82a0aa1677ce 100644 (file)
@@ -2106,6 +2106,7 @@ int ieee802_1x_init(struct hostapd_data *hapd)
        conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start;
        conf.erp_domain = hapd->conf->erp_domain;
        conf.erp = hapd->conf->eap_server_erp;
+       conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
        conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
        conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
        conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
index 31c4e367cab2e01cf8439ebe141375718bc516e8..d2196ddc44fc430dd73a324f7ed198eb01e9ce62 100644 (file)
@@ -79,6 +79,7 @@ struct tls_config {
        int fips_mode;
        int cert_in_cb;
        const char *openssl_ciphers;
+       unsigned int tls_session_lifetime;
 
        void (*event_cb)(void *ctx, enum tls_event ev,
                         union tls_event_data *data);
index 09be5818b71872139cb40b6e5ec1d2879c33cacb..69eaab8de946b4b0dfc960038974cf93978b4fc6 100644 (file)
@@ -131,6 +131,7 @@ struct eap_config {
        const u8 *server_id;
        size_t server_id_len;
        int erp;
+       unsigned int tls_session_lifetime;
 
 #ifdef CONFIG_TESTING_OPTIONS
        u32 tls_test_flags;
index 978c879455f6a53ea1130f33a772115d0127b163..c90443d19cb935bea80037c12bcae591f5206df5 100644 (file)
@@ -210,6 +210,7 @@ struct eap_sm {
        Boolean initiate_reauth_start_sent;
        Boolean try_initiate_reauth;
        int erp;
+       unsigned int tls_session_lifetime;
 
 #ifdef CONFIG_TESTING_OPTIONS
        u32 tls_test_flags;
index b235a0fbaac271590c9493ea83a567b987e990c6..84ecafc7ca3e5db2b4e333079da523e66ccfeb37 100644 (file)
@@ -1865,6 +1865,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
        sm->server_id = conf->server_id;
        sm->server_id_len = conf->server_id_len;
        sm->erp = conf->erp;
+       sm->tls_session_lifetime = conf->tls_session_lifetime;
 
 #ifdef CONFIG_TESTING_OPTIONS
        sm->tls_test_flags = conf->tls_test_flags;
index cbd5287089ebaa5543a10ec981236b085efcfb5c..f9f91ad5c0fbb320836df58f84110a446b90127a 100644 (file)
@@ -835,6 +835,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
        eap_conf.server_id = eapol->conf.server_id;
        eap_conf.server_id_len = eapol->conf.server_id_len;
        eap_conf.erp = eapol->conf.erp;
+       eap_conf.tls_session_lifetime = eapol->conf.tls_session_lifetime;
        sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
        if (sm->eap == NULL) {
                eapol_auth_free(sm);
@@ -1229,6 +1230,7 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
        }
        dst->erp_send_reauth_start = src->erp_send_reauth_start;
        dst->erp = src->erp;
+       dst->tls_session_lifetime = src->tls_session_lifetime;
 
        return 0;
 
index 1e0d3cce8c2d71c939d5a67fa1472c198884d68c..e1974e4354dac56c33b864034fe648106913dd80 100644 (file)
@@ -27,6 +27,7 @@ struct eapol_auth_config {
        int erp_send_reauth_start;
        char *erp_domain; /* a copy of this will be allocated */
        int erp; /* Whether ERP is enabled on authentication server */
+       unsigned int tls_session_lifetime;
        u8 *pac_opaque_encr_key;
        u8 *eap_fast_a_id;
        size_t eap_fast_a_id_len;
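Review bot: The new `tls_session_lifetime` member in struct eapol_auth_config is the only undocumented field among its neighbours, which each carry a trailing comment explaining ownership or meaning. The hostapd.conf text in this commit already defines the semantics, so the field can carry `unsigned int tls_session_lifetime; /* TLS session cache lifetime in seconds; 0 = caching and resumption disabled */`. The same one-line comment would suit the identically named fields added to struct tls_config, struct eap_config and struct radius_server_conf in this commit, none of which say what unit the value is in or what 0 means.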
index bdb7e42c5e529e2ec82a366df04f1e866afe2607..744283c7dc9d739535e7f1c948205ec6adfee225 100644 (file)
@@ -265,6 +265,8 @@ struct radius_server_data {
 
        struct dl_list erp_keys; /* struct eap_server_erp_key */
 
+       unsigned int tls_session_lifetime;
+
        /**
         * wps - Wi-Fi Protected Setup context
         *
@@ -688,6 +690,7 @@ radius_server_get_new_session(struct radius_server_data *data,
        eap_conf.server_id = (const u8 *) data->server_id;
        eap_conf.server_id_len = os_strlen(data->server_id);
        eap_conf.erp = data->erp;
+       eap_conf.tls_session_lifetime = data->tls_session_lifetime;
        radius_server_testing_options(sess, &eap_conf);
        sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
                                       &eap_conf);
@@ -1745,6 +1748,7 @@ radius_server_init(struct radius_server_conf *conf)
        }
        data->erp = conf->erp;
        data->erp_domain = conf->erp_domain;
+       data->tls_session_lifetime = conf->tls_session_lifetime;
 
        if (conf->subscr_remediation_url) {
                data->subscr_remediation_url =
index ca4e38c12e99502622caacbb597fd2b0feaaa079..7a25802c81527f492e1dfc4312b286bdf099c1d7 100644 (file)
@@ -170,6 +170,8 @@ struct radius_server_conf {
 
        const char *erp_domain;
 
+       unsigned int tls_session_lifetime;
+
        /**
         * wps - Wi-Fi Protected Setup context
         *