3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-22 14:49:24 +01:00

eap-tls: Keep l_tls instance for reauthentication

After one of the eap-tls-common-based methods succeeds keep the TLS
tunnel instance until the method is freed, rather than free it the
moment the method succeeds.  This fixes repeated method runs where until
now each next run would attempt to create a new TLS tunnel instance
but would have no authentication data (CA certificate, client
certificate, private key and private key passphrase) since those are
were by the old l_tls object from the moment of the l_tls_set_auth_data()
call.

Use l_tls_reset() to reset the TLS state after method success, followed
by a new l_tls_start() when the reauthentication starts.
This commit is contained in:
Andrew Zaborowski 2022-05-26 18:01:53 +02:00 committed by Denis Kenzior
parent 0e77e33a4d
commit eb8362bf76

View File

@ -131,10 +131,13 @@ static void __eap_tls_common_state_reset(struct eap_tls_state *eap_tls)
eap_tls->expecting_frag_ack = false; eap_tls->expecting_frag_ack = false;
eap_tls->tunnel_ready = false; eap_tls->tunnel_ready = false;
if (eap_tls->tunnel) { /*
l_tls_free(eap_tls->tunnel); * Keep the tunnel instance to avoid losing the authentication
eap_tls->tunnel = NULL; * settings that we may have loaded with l_tls_set_auth_data()
} * since .reset_state is not supposed to clear settings.
*/
if (eap_tls->tunnel)
l_tls_reset(eap_tls->tunnel);
eap_tls->tx_frag_offset = 0; eap_tls->tx_frag_offset = 0;
eap_tls->tx_frag_last_len = 0; eap_tls->tx_frag_last_len = 0;
@ -167,6 +170,10 @@ static void __eap_tls_common_state_free(struct eap_tls_state *eap_tls)
l_key_free(eap_tls->client_key); l_key_free(eap_tls->client_key);
l_strv_free(eap_tls->domain_mask); l_strv_free(eap_tls->domain_mask);
if (eap_tls->tunnel)
l_tls_free(eap_tls->tunnel);
l_free(eap_tls); l_free(eap_tls);
} }
@ -569,7 +576,7 @@ static bool eap_tls_tunnel_init(struct eap_state *eap)
struct eap_tls_state *eap_tls = eap_get_data(eap); struct eap_tls_state *eap_tls = eap_get_data(eap);
if (eap_tls->tunnel) if (eap_tls->tunnel)
return false; goto start;
eap_tls->tunnel = l_tls_new(false, eap_tls_tunnel_data_received, eap_tls->tunnel = l_tls_new(false, eap_tls_tunnel_data_received,
eap_tls_tunnel_data_send, eap_tls_tunnel_data_send,
@ -626,6 +633,7 @@ static bool eap_tls_tunnel_init(struct eap_state *eap)
if (eap_tls->domain_mask) if (eap_tls->domain_mask)
l_tls_set_domain_mask(eap_tls->tunnel, eap_tls->domain_mask); l_tls_set_domain_mask(eap_tls->tunnel, eap_tls->domain_mask);
start:
if (!l_tls_start(eap_tls->tunnel)) { if (!l_tls_start(eap_tls->tunnel)) {
l_error("%s: Failed to start the TLS client", l_error("%s: Failed to start the TLS client",
eap_get_method_name(eap)); eap_get_method_name(eap));