EAP-FAST server: allow expired PAC for PAC refresh
Instead of falling back to full TLS handshake on expired PAC, allow the PAC to be used to allow a PAC update with some level of server authentication (i.e., do not fall back to full TLS handshake since we cannot be sure that the peer would be able to validate server certificate now). However, reject the authentication since the PAC was not valid anymore. Peer can connect again with the newly provisioned PAC after this.
This commit is contained in:
parent
39452b4deb
commit
36100718de
1 changed files with 15 additions and 6 deletions
|
@ -241,12 +241,20 @@ static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
|
||||||
if (os_get_time(&now) < 0 || lifetime <= 0 || now.sec > lifetime) {
|
if (os_get_time(&now) < 0 || lifetime <= 0 || now.sec > lifetime) {
|
||||||
wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key not valid anymore "
|
wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key not valid anymore "
|
||||||
"(lifetime=%ld now=%ld)", lifetime, now.sec);
|
"(lifetime=%ld now=%ld)", lifetime, now.sec);
|
||||||
os_free(buf);
|
data->send_new_pac = 2;
|
||||||
return 0;
|
/*
|
||||||
}
|
* Allow PAC to be used to allow a PAC update with some level
|
||||||
|
* of server authentication (i.e., do not fall back to full TLS
|
||||||
if (lifetime - now.sec < data->pac_key_refresh_time)
|
* handshake since we cannot be sure that the peer would be
|
||||||
|
* able to validate server certificate now). However, reject
|
||||||
|
* the authentication since the PAC was not valid anymore. Peer
|
||||||
|
* can connect again with the newly provisioned PAC after this.
|
||||||
|
*/
|
||||||
|
} else if (lifetime - now.sec < data->pac_key_refresh_time) {
|
||||||
|
wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key soft timeout; send "
|
||||||
|
"an update if authentication succeeds");
|
||||||
data->send_new_pac = 1;
|
data->send_new_pac = 1;
|
||||||
|
}
|
||||||
|
|
||||||
eap_fast_derive_master_secret(pac_key, server_random, client_random,
|
eap_fast_derive_master_secret(pac_key, server_random, client_random,
|
||||||
master_secret);
|
master_secret);
|
||||||
|
@ -1218,7 +1226,8 @@ static void eap_fast_process_phase2_tlvs(struct eap_sm *sm,
|
||||||
|
|
||||||
wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Acknowledgement received "
|
wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Acknowledgement received "
|
||||||
"- PAC provisioning succeeded");
|
"- PAC provisioning succeeded");
|
||||||
eap_fast_state(data, data->anon_provisioning ?
|
eap_fast_state(data, (data->anon_provisioning ||
|
||||||
|
data->send_new_pac == 2) ?
|
||||||
FAILURE : SUCCESS);
|
FAILURE : SUCCESS);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue