* [PATCH] eap-tls: Keep l_tls instance for reauthentication
From: Andrew Zaborowski @ 2022-05-26 16:01 UTC
  To: iwd


After one of the eap-tls-common-based methods succeeds keep the TLS
tunnel instance until the method is freed, rather than free it the
moment the method succeeds.  This fixes repeated method runs where until
now each next run would attempt to create a new TLS tunnel instance
but would have no authentication data (CA certificate, client
certificate, private key and private key passphrase) since those are
owned by the old l_tls object from the moment of the l_tls_set_auth_data()
call.

Use l_tls_reset() to reset the TLS state after method success, followed
by a new l_tls_start() when the reauthentication starts.
---
Depends on the ell l_tls_reset patch.

 src/eap-tls-common.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/eap-tls-common.c b/src/eap-tls-common.c
index 75d3aa33..acc5b387 100644
--- a/src/eap-tls-common.c
+++ b/src/eap-tls-common.c
@@ -131,10 +131,13 @@ static void __eap_tls_common_state_reset(struct eap_tls_state *eap_tls)
 	eap_tls->expecting_frag_ack = false;
 	eap_tls->tunnel_ready = false;
 
-	if (eap_tls->tunnel) {
-		l_tls_free(eap_tls->tunnel);
-		eap_tls->tunnel = NULL;
-	}
+	/*
+	 * Keep the tunnel instance to avoid losing the authentication
+	 * settings that we may have loaded with l_tls_set_auth_data()
+	 * since .reset_state is not supposed to clear settings.
+	 */
+	if (eap_tls->tunnel)
+		l_tls_reset(eap_tls->tunnel);
 
 	eap_tls->tx_frag_offset = 0;
 	eap_tls->tx_frag_last_len = 0;
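Review bot: v1 of this patch needed guards in eap_tls_tunnel_data_send() and eap_tls_tunnel_disconnected() because l_tls_close() called back into the method from the reset path; v2 drops those guards, so the correctness of `l_tls_reset(eap_tls->tunnel);` here rests entirely on l_tls_reset() emitting no tx data and no disconnect callback. That assumption deserves a sentence in the comment above the call, next to ".reset_state is not supposed to clear settings". Note also that eap_tls->tunnel is no longer NULL after a reset, so any remaining `if (eap_tls->tunnel)` test elsewhere in the file that used to mean "a run is in progress" needs auditing and probably wants tunnel_ready instead.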
@@ -167,6 +170,10 @@ static void __eap_tls_common_state_free(struct eap_tls_state *eap_tls)
 		l_key_free(eap_tls->client_key);
 
 	l_strv_free(eap_tls->domain_mask);
+
+	if (eap_tls->tunnel)
+		l_tls_free(eap_tls->tunnel);
+
 	l_free(eap_tls);
 }
 
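Review bot: l_tls_free() here releases the certificate and key that were handed over with l_tls_set_auth_data() (the commit message says the l_tls object owns them from that call), so the `l_key_free(eap_tls->client_key);` a few lines above this hunk must only ever see a key that was never handed over; confirm that eap_tls->client_key is set to NULL at the handover, otherwise the same key is freed twice. Since the tunnel now lives until __eap_tls_common_state_free(), the private key and passphrase also stay in memory for the lifetime of the method rather than of one run; that is the intended trade-off and could be stated in the commit message.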
@@ -569,7 +576,7 @@ static bool eap_tls_tunnel_init(struct eap_state *eap)
 	struct eap_tls_state *eap_tls = eap_get_data(eap);
 
 	if (eap_tls->tunnel)
-		return false;
+		goto start;
 
 	eap_tls->tunnel = l_tls_new(false, eap_tls_tunnel_data_received,
 					eap_tls_tunnel_data_send,
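Review bot: `goto start;` skips the whole l_tls_new()/l_tls_set_*() block, which is only correct because every setting loaded there survives l_tls_reset(); a one-line comment at the goto saying so would save the next reader a trip into ell. The replaced `return false;` also used to make a second call with a live tunnel an error, so any caller that relied on that to catch a double init now silently restarts the handshake instead; check that eap_tls_tunnel_init() is only reached from the method's start path.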
@@ -626,6 +633,7 @@ static bool eap_tls_tunnel_init(struct eap_state *eap)
 	if (eap_tls->domain_mask)
 		l_tls_set_domain_mask(eap_tls->tunnel, eap_tls->domain_mask);
 
+start:
 	if (!l_tls_start(eap_tls->tunnel)) {
 		l_error("%s: Failed to start the TLS client",
 						eap_get_method_name(eap));
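Review bot: when `l_tls_start(eap_tls->tunnel)` fails, the tunnel pointer is left set, so the next eap_tls_tunnel_init() (which now jumps to start: whenever the pointer is non-NULL) retries l_tls_start() on an object that was never reset after the failed attempt. Either call l_tls_reset() in this error path or confirm that a failed l_tls_start() leaves the object ready for another start.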
-- 
2.32.0


* Re: [PATCH] eap-tls: Keep l_tls instance for reauthentication
From: Denis Kenzior @ 2022-05-26 16:24 UTC
  To: iwd


Hi Andrew,

On 5/26/22 11:01, Andrew Zaborowski wrote:
> After one of the eap-tls-common-based methods succeeds keep the TLS
> tunnel instance until the method is freed, rather than free it the
> moment the method succeeds.  This fixes repeated method runs where until
> now each next run would attempt to create a new TLS tunnel instance
> but would have no authentication data (CA certificate, client
> certificate, private key and private key passphrase) since those are
> owned by the old l_tls object from the moment of the l_tls_set_auth_data()
> call.
> 
> Use l_tls_reset() to reset the TLS state after method success, followed
> by a new l_tls_start() when the reauthentication starts.
> ---
> Depends on the ell l_tls_reset patch.
> 
>   src/eap-tls-common.c | 18 +++++++++++++-----
>   1 file changed, 13 insertions(+), 5 deletions(-)
> 

Applied, thanks.

Regards,
-Denis


* [PATCH] eap-tls: Keep l_tls instance for reauthentication
From: Andrew Zaborowski @ 2022-05-25 16:38 UTC
  To: iwd


After one of the eap-tls-common-based methods succeeds keep the TLS
tunnel instance until the method is freed, rather than free it the
moment the method succeeds.  This fixes repeated method runs where until
now each next run would attempt to create a new TLS tunnel instance
but would have no authentication data (CA certificate, client
certificate, private key and private key passphrase) since those are
owned by the l_tls object from the moment of the l_tls_set_auth_data()
call.

Use l_tls_close() to reset the TLS state after method success, followed
by a new l_tls_start() when the reauthentication starts.  In the
tunnel's tx handler and disconnect handler do nothing if the method
isn't currently running (because it already succeeded).
---
 src/eap-tls-common.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/src/eap-tls-common.c b/src/eap-tls-common.c
index 75d3aa33..92f5c07b 100644
--- a/src/eap-tls-common.c
+++ b/src/eap-tls-common.c
@@ -131,10 +131,13 @@ static void __eap_tls_common_state_reset(struct eap_tls_state *eap_tls)
 	eap_tls->expecting_frag_ack = false;
 	eap_tls->tunnel_ready = false;
 
-	if (eap_tls->tunnel) {
-		l_tls_free(eap_tls->tunnel);
-		eap_tls->tunnel = NULL;
-	}
+	/*
+	 * Keep the tunnel instance to avoid losing the authentication
+	 * settings that we may have loaded with l_tls_set_auth_data()
+	 * since .reset_state is not supposed to clear settings.
+	 */
+	if (eap_tls->tunnel)
+		l_tls_close(eap_tls->tunnel);
 
 	eap_tls->tx_frag_offset = 0;
 	eap_tls->tx_frag_last_len = 0;
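Review bot: `l_tls_close(eap_tls->tunnel);` is what makes the guards later in this patch necessary: the close_notify goes out through eap_tls_tunnel_data_send() and the disconnect lands in eap_tls_tunnel_disconnected(), and both only stay quiet if eap_tls->version_negotiated has already been put back to EAP_TLS_VERSION_NOT_NEGOTIATED at this point in __eap_tls_common_state_reset(). That assignment is not in this hunk, so check that it runs before this call; otherwise the alert is queued into tx_pdu_buf and shows up in the next run.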
@@ -167,6 +170,10 @@ static void __eap_tls_common_state_free(struct eap_tls_state *eap_tls)
 		l_key_free(eap_tls->client_key);
 
 	l_strv_free(eap_tls->domain_mask);
+
+	if (eap_tls->tunnel)
+		l_tls_free(eap_tls->tunnel);
+
 	l_free(eap_tls);
 }
 
@@ -209,6 +216,9 @@ static void eap_tls_tunnel_data_send(const uint8_t *data, size_t data_len,
 	struct eap_state *eap = user_data;
 	struct eap_tls_state *eap_tls = eap_get_data(eap);
 
+	if (eap_tls->version_negotiated == EAP_TLS_VERSION_NOT_NEGOTIATED)
+		return;
+
 	if (!eap_tls->tx_pdu_buf)
 		eap_tls->tx_pdu_buf = databuf_new(data_len);
 
@@ -268,6 +278,9 @@ static void eap_tls_tunnel_disconnected(enum l_tls_alert_desc reason,
 	struct eap_state *eap = user_data;
 	struct eap_tls_state *eap_tls = eap_get_data(eap);
 
+	if (eap_tls->version_negotiated == EAP_TLS_VERSION_NOT_NEGOTIATED)
+		return;
+
 	l_info("%s: Tunnel has disconnected with alert: %s",
 			eap_get_method_name(eap), l_tls_alert_to_str(reason));
 
@@ -569,7 +582,7 @@ static bool eap_tls_tunnel_init(struct eap_state *eap)
 	struct eap_tls_state *eap_tls = eap_get_data(eap);
 
 	if (eap_tls->tunnel)
-		return false;
+		goto start;
 
 	eap_tls->tunnel = l_tls_new(false, eap_tls_tunnel_data_received,
 					eap_tls_tunnel_data_send,
@@ -626,6 +639,7 @@ static bool eap_tls_tunnel_init(struct eap_state *eap)
 	if (eap_tls->domain_mask)
 		l_tls_set_domain_mask(eap_tls->tunnel, eap_tls->domain_mask);
 
+start:
 	if (!l_tls_start(eap_tls->tunnel)) {
 		l_error("%s: Failed to start the TLS client",
 						eap_get_method_name(eap));
-- 
2.32.0

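The lifecycle problem both versions of the patch address, as an added example that is not part of this thread and is not iwd or ell code: a toy model in which a TLS object takes ownership of the client key on set_auth_data(), and the EAP state either frees the object on every state reset (the behaviour before the patch), closes it (v1) or resets it (v2). All toy_ and eap_ names, the run_twice() driver and the fixed key blob are constructed for this example; only the shape of the calls mirrors eap-tls-common.c.

```c
/* Toy model of the l_tls lifecycle issue fixed in this thread: a constructed
 * example, not iwd or ell code; all toy_ and eap_ names are hypothetical. */
#include <stdbool.h>
#include <stdlib.h>

enum reset_mode { RESET_FREE, RESET_CLOSE, RESET_RESET };

struct toy_eap {			/* stands in for struct eap_tls_state */
	struct toy_tls *tunnel;
	char *client_key;		/* NULL once handed to the tunnel */
	bool running;
	int stray_tx;			/* tunnel output dropped outside a run */
};

struct toy_tls {			/* stands in for struct l_tls */
	char *client_key;		/* owned after set_auth_data() */
	bool started;
	struct toy_eap *eap;		/* the l_tls user_data */
};

/* Tunnel tx handler with the guard v1 added to eap_tls_tunnel_data_send(). */
static void eap_tx(struct toy_eap *eap)
{
	if (!eap->running)
		eap->stray_tx++;	/* dropped; would otherwise hit tx_pdu_buf */
}

/* A handshake cannot start without the client key. */
static bool toy_tls_start(struct toy_tls *tls)
{
	tls->started = tls->client_key != NULL;
	return tls->started;
}

/* Like l_tls_close(): sends close_notify, i.e. calls back into EAP. */
static void toy_tls_close(struct toy_tls *tls)
{
	if (tls->started)
		eap_tx(tls->eap);
	tls->started = false;
}

static void toy_tls_free(struct toy_tls *tls)
{
	if (tls)
		free(tls->client_key);
	free(tls);
}

/* eap_tls_tunnel_init() after the patch: reuse an existing tunnel. */
static bool eap_tunnel_init(struct toy_eap *eap)
{
	if (eap->tunnel)
		goto start;	/* auth data already lives in the tunnel */
	eap->tunnel = calloc(1, sizeof(*eap->tunnel));
	eap->tunnel->eap = eap;
	/* Ownership of the key moves, as with l_tls_set_auth_data(). */
	eap->tunnel->client_key = eap->client_key;
	eap->client_key = NULL;
start:
	return toy_tls_start(eap->tunnel);
}

/* __eap_tls_common_state_reset(): before the patch, as in v1, as in v2. */
static void eap_state_reset(struct toy_eap *eap, enum reset_mode mode)
{
	eap->running = false;
	if (!eap->tunnel)
		return;
	if (mode == RESET_FREE) {
		toy_tls_free(eap->tunnel);
		eap->tunnel = NULL;
	} else if (mode == RESET_CLOSE)
		toy_tls_close(eap->tunnel);
	else	/* l_tls_reset(): drop session state, keep settings, no callbacks */
		eap->tunnel->started = false;
}

struct run_result { int ok; int stray_tx; };
/* Run the method twice (auth, then reauth): ok counts runs that could start
 * a handshake, stray_tx the tunnel output emitted between runs. */
static struct run_result run_twice(enum reset_mode mode)
{
	struct toy_eap eap = { 0 };
	struct run_result r = { 0, 0 };

	eap.client_key = calloc(1, 8);	/* constructed stand-in for key bytes */
	for (int i = 0; i < 2; i++) {
		eap.running = true;
		if (eap_tunnel_init(&eap))
			r.ok++;
		eap_state_reset(&eap, mode);
	}
	r.stray_tx = eap.stray_tx;
	toy_tls_free(eap.tunnel);
	free(eap.client_key);
	return r;
}
```

run_twice(RESET_FREE) can start a handshake in only one of the two runs, because the key left with the freed object and the second eap_tunnel_init() has nothing to hand over; RESET_CLOSE manages both runs but fires the tx callback outside a run on every reset, which is the traffic v1's guards had to absorb; RESET_RESET manages both runs with no stray callback, which is why v2 could drop those guards.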

Thread overview: 3+ messages
2022-05-26 16:01 [PATCH] eap-tls: Keep l_tls instance for reauthentication Andrew Zaborowski
2022-05-26 16:24 Denis Kenzior
2022-05-25 16:38 Andrew Zaborowski
