authorJouni Malinen <j@w1.fi>2015-08-23 19:05:14 (GMT)
committerJouni Malinen <j@w1.fi>2015-08-23 23:29:30 (GMT)
commite23e35e39a65c59ca10caa880640db1a0dac9a8d (patch)
tree3c0031e08a7ae82e985d407025c614fba5712a69 /src
parentb3b8085ae8ff1eacad3f1815d13548d09976e910 (diff)
EAP server: Set per-EAP method session context
This can be used to limit TLS session resumption within a TLS library implementation to apply only for the cases where the same EAP method is used. While the EAP server method matching will be enforced separately by EAP server method implementations, this additional step can optimize such cases by falling back to full authentication instead of having to reject attempts after having completed session resumption successfully. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src')
-rw-r--r--src/eap_server/eap_server_tls_common.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index ec15016..05677b7 100644
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -46,6 +46,7 @@ static void eap_server_tls_log_cb(void *ctx, const char *msg)
int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
int verify_peer, int eap_type)
{
+ u8 session_ctx[8];
unsigned int flags = 0;
if (sm->ssl_ctx == NULL) {
@@ -72,8 +73,11 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
if (eap_type != EAP_TYPE_FAST)
flags |= TLS_CONN_DISABLE_SESSION_TICKET;
+ os_memcpy(session_ctx, "hostapd", 7);
+ session_ctx[7] = (u8) eap_type;
if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer,
- flags, NULL, 0)) {
+ flags, session_ctx,
+ sizeof(session_ctx))) {
wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
"of TLS peer certificate");
tls_connection_deinit(sm->ssl_ctx, data->conn);
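Review bot: The `(u8) eap_type` cast on the `session_ctx[7]` line keeps only the low octet of an `int`, so two method values that differ only above bit 7 would get the same TLS session context and resumption would no longer be kept apart for them. Whether any caller passes such a value is not visible in this hunk; if it cannot happen, a comment should say so, otherwise the value should be range-checked at the top of the function, before any TLS connection state exists that would need cleanup. The literal `7` is also tied by hand to the `u8 session_ctx[8]` declaration in the first hunk, so I would add `/* session_ctx: "hostapd" (7 octets, no NUL) followed by the EAP method type (1 octet) */` above the `os_memcpy()` and write the length as `sizeof(session_ctx) - 1`. Per the commit message this context is only an optimization and the EAP method match is still enforced by the method implementations, which is worth stating in that comment so the TLS-level separation is not later mistaken for the only check. The function starts in the first hunk and continues past the end of this one.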