mirror
/
esp-idf
kopia lustrzana https://github.com/espressif/esp-idf
1
0
Forkuj 0
Kod Zgłoszenia Projekty Wydania Wiki Aktywność
esp-idf/components/wpa_supplicant/src/eap_peer/eap_tls.c

319 wiersze
7.5 KiB
C
Czysty Zwykły widok Historia

wpa_supplicant:move part of codes to IDF
2018-04-20 03:33:04 +00:00
/*
EAP-TLS: Update specification references to RFC 5216 and 9190 The previously used references were pointing to an obsoleted RFC and draft versions. Replace these with current versions. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-05 19:56:13 +00:00
* EAP peer method: EAP-TLS (RFC 5216, RFC 9190)
* Copyright (c) 2004-2008, 2012-2019, Jouni Malinen <j@w1.fi>
wpa_supplicant:move part of codes to IDF
2018-04-20 03:33:04 +00:00
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
supplicant/esp_wifi: move supplicant to idf Move supplicant to idf and do following refactoring: 1. Make the folder structure consitent with supplicant upstream 2. Remove duplicated header files and minimize the public header files 3. Refactor for WiFi/supplicant interfaces
2018-08-13 08:37:56 +00:00
#include "utils/includes.h"
wpa_supplicant:move part of codes to IDF
2018-04-20 03:33:04 +00:00
supplicant/esp_wifi: move supplicant to idf Move supplicant to idf and do following refactoring: 1. Make the folder structure consitent with supplicant upstream 2. Remove duplicated header files and minimize the public header files 3. Refactor for WiFi/supplicant interfaces
2018-08-13 08:37:56 +00:00
#ifdef EAP_TLS
#include "utils/common.h"
wpa_supplicant: sync eap code with upstream
2022-05-13 04:57:47 +00:00
#include "crypto/tls.h"
supplicant/esp_wifi: move supplicant to idf Move supplicant to idf and do following refactoring: 1. Make the folder structure consitent with supplicant upstream 2. Remove duplicated header files and minimize the public header files 3. Refactor for WiFi/supplicant interfaces
2018-08-13 08:37:56 +00:00
#include "eap_peer/eap_i.h"
#include "eap_peer/eap_defs.h"
#include "eap_peer/eap_tls_common.h"
#include "eap_peer/eap_config.h"
#include "eap_peer/eap_methods.h"
wpa_supplicant:move part of codes to IDF
2018-04-20 03:33:04 +00:00
esp_wifi: Add support for EAP-FAST authentication method
2021-08-30 10:12:32 +00:00
static void eap_tls_deinit(struct eap_sm *sm, void *priv);
wpa_supplicant:move part of codes to IDF
2018-04-20 03:33:04 +00:00
struct eap_tls_data {
struct eap_ssl_data ssl;
u8 *key_data;
u8 *session_id;
size_t id_len;
void *ssl_ctx;
u8 eap_type;
EAP peer: External server certificate chain validation This adds support for optional functionality to validate server certificate chain in TLS-based EAP methods in an external program. wpa_supplicant control interface is used to indicate when such validation is needed and what the result of the external validation is. This external validation can extend or replace the internal validation. When ca_cert or ca_path parameter is set, the internal validation is used. If these parameters are omitted, only the external validation is used. It needs to be understood that leaving those parameters out will disable most of the validation steps done with the TLS library and that configuration is not really recommend. By default, the external validation is not used. It can be enabled by addingtls_ext_cert_check=1 into the network profile phase1 parameter. When enabled, external validation is required through the CTRL-REQ/RSP mechanism similarly to other EAP authentication parameters through the control interface. The request to perform external validation is indicated by the following event: CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid> Before that event, the server certificate chain is provided with the CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump> parameter. depth=# indicates which certificate is in question (0 for the server certificate, 1 for its issues, and so on). The result of the external validation is provided with the following command: CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad> It should be noted that this is currently enabled only for OpenSSL (and BoringSSL/LibreSSL). Due to the constraints in the library API, the validation result from external processing cannot be reported cleanly with TLS alert. In other words, if the external validation reject the server certificate chain, the pending TLS handshake is terminated without sending more messages to the server. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 16:16:54 +00:00
struct wpabuf *pending_resp;
EAP-TLS: Do not allow TLSv1.3 success without protected result indication RFC 9190 requires protected result indication to be used with TLSv1.3, so do not allow EAP-TLS to complete successfully if the server does not send that indication. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-06 12:14:18 +00:00
bool prot_success_received;
wpa_supplicant:move part of codes to IDF
2018-04-20 03:33:04 +00:00
};
static void * eap_tls_init(struct eap_sm *sm)
{
struct eap_tls_data *data;
struct eap_peer_config *config = eap_get_config(sm);
fix(wpa_supplicant): Update cipher suite list for TLSv1.3 suiteb and some refactoring - Use MBEDTLS_TLS1_3_AES_256_GCM_SHA384 cipher for TLSv1.3-suiteb - Call psa_crypto_init() in tls_connection_init() to reduce redundancy
2024-02-06 07:42:12 +00:00
wpa_supplicant:move part of codes to IDF
2018-04-20 03:33:04 +00:00
if (config == NULL ||
config->private_key == 0) {
wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
return NULL;
}
data = (struct eap_tls_data *)os_zalloc(sizeof(*data));
if (data == NULL)
return NULL;
data->ssl_ctx = sm->ssl_ctx;
if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TLS)) {
wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
eap_tls_deinit(sm, data);
return NULL;
}
data->eap_type = EAP_TYPE_TLS;
return data;
}
esp_wifi: Add support for EAP-FAST authentication method
2021-08-30 10:12:32 +00:00
EAP peer: Clear keying material on deinit Reduce the amount of time keying material (MSK, EMSK, temporary private data) remains in memory in EAP methods. This provides additional protection should there be any issues that could expose process memory to external observers. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-29 18:16:30 +00:00
static void eap_tls_free_key(struct eap_tls_data *data)
{
if (data->key_data) {
bin_clear_free(data->key_data, EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
data->key_data = NULL;
}
}
esp_wifi: Add support for EAP-FAST authentication method
2021-08-30 10:12:32 +00:00
static void eap_tls_deinit(struct eap_sm *sm, void *priv)
{
struct eap_tls_data *data = priv;
if (data == NULL)
return;
eap_peer_tls_ssl_deinit(sm, &data->ssl);
EAP peer: Clear keying material on deinit Reduce the amount of time keying material (MSK, EMSK, temporary private data) remains in memory in EAP methods. This provides additional protection should there be any issues that could expose process memory to external observers. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-29 18:16:30 +00:00
eap_tls_free_key(data);
esp_wifi: Add support for EAP-FAST authentication method
2021-08-30 10:12:32 +00:00
os_free(data->session_id);
EAP peer: External server certificate chain validation This adds support for optional functionality to validate server certificate chain in TLS-based EAP methods in an external program. wpa_supplicant control interface is used to indicate when such validation is needed and what the result of the external validation is. This external validation can extend or replace the internal validation. When ca_cert or ca_path parameter is set, the internal validation is used. If these parameters are omitted, only the external validation is used. It needs to be understood that leaving those parameters out will disable most of the validation steps done with the TLS library and that configuration is not really recommend. By default, the external validation is not used. It can be enabled by addingtls_ext_cert_check=1 into the network profile phase1 parameter. When enabled, external validation is required through the CTRL-REQ/RSP mechanism similarly to other EAP authentication parameters through the control interface. The request to perform external validation is indicated by the following event: CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid> Before that event, the server certificate chain is provided with the CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump> parameter. depth=# indicates which certificate is in question (0 for the server certificate, 1 for its issues, and so on). The result of the external validation is provided with the following command: CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad> It should be noted that this is currently enabled only for OpenSSL (and BoringSSL/LibreSSL). Due to the constraints in the library API, the validation result from external processing cannot be reported cleanly with TLS alert. In other words, if the external validation reject the server certificate chain, the pending TLS handshake is terminated without sending more messages to the server. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 16:16:54 +00:00
wpabuf_free(data->pending_resp);
esp_wifi: Add support for EAP-FAST authentication method
2021-08-30 10:12:32 +00:00
os_free(data);
}
wpa_supplicant:move part of codes to IDF
2018-04-20 03:33:04 +00:00
static struct wpabuf * eap_tls_failure(struct eap_sm *sm,
struct eap_tls_data *data,
struct eap_method_ret *ret, int res,
struct wpabuf *resp, u8 id)
{
wpa_printf(MSG_DEBUG, "EAP-TLS: TLS processing failed");
ret->methodState = METHOD_DONE;
ret->decision = DECISION_FAIL;
if (res == -1) {
struct eap_peer_config *config = eap_get_config(sm);
if (config) {
/*
* The TLS handshake failed. So better forget the old
* PIN. It may be wrong, we cannot be sure but trying
* the wrong one again might block it on the card--so
* better ask the user again.
*/
os_free(config->pin);
config->pin = NULL;
}
}
if (resp) {
/*
* This is likely an alert message, so send it instead of just
* ACKing the error.
*/
return resp;
}
return eap_peer_tls_build_ack(id, data->eap_type, 0);
}
static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data,
struct eap_method_ret *ret)
{
EAP-TLS peer: MSK/EMSK derivation with TLS v1.3 Use new MSK/EMSK derivation mechanism if TLS v1.3 or newer is used per draft-mattsson-eap-tls13-02.txt. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 14:53:07 +00:00
const char *label;
Add Type-Code context to EAP-TLS 1.3 exported Key_Material and Method-Id Change to require the Type-Code in context for Key_Material and Method-Id has now been published as draft-ietf-emu-eap-tls13-04. https://tools.ietf.org/html/draft-ietf-emu-eap-tls13-04#section-2.3 Signed-off-by: Ervin Oro <ervin.oro@aalto.fi>
2019-04-15 17:05:49 +00:00
const u8 eap_tls13_context[] = { EAP_TYPE_TLS };
const u8 *context = NULL;
size_t context_len = 0;
EAP-TLS peer: MSK/EMSK derivation with TLS v1.3 Use new MSK/EMSK derivation mechanism if TLS v1.3 or newer is used per draft-mattsson-eap-tls13-02.txt. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 14:53:07 +00:00
wpa_supplicant:move part of codes to IDF
2018-04-20 03:33:04 +00:00
wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
EAP-TLS peer: Support fragmentation of last message With TLS v1.3, the Finished message from the client can require fragmentation. Postpone key derivation and marking of the EAP session fully completed until all the fragments of that last message are sent to avoid losing all the subsequent fragments. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 14:49:19 +00:00
if (data->ssl.tls_out) {
wpa_printf(MSG_DEBUG, "EAP-TLS: Fragment(s) remaining");
return;
}
EAP-TLS peer: Allow NewSessionTicket after Client Finished with TLS v1.3 The EAP session cannot be marked fully completed on sending Client Finished with TLS v1.3 since the server may still send NewSessionTicket before EAP-Success. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 14:51:34 +00:00
if (data->ssl.tls_v13) {
EAP-TLS: Update key derivation label per draft-ietf-emu-eap-tls13-00 The label strings used for deriving Key_Material with TLS v1.3 were changed, so update the implementation to match the new values. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-01 14:41:59 +00:00
label = "EXPORTER_EAP_TLS_Key_Material";
Add Type-Code context to EAP-TLS 1.3 exported Key_Material and Method-Id Change to require the Type-Code in context for Key_Material and Method-Id has now been published as draft-ietf-emu-eap-tls13-04. https://tools.ietf.org/html/draft-ietf-emu-eap-tls13-04#section-2.3 Signed-off-by: Ervin Oro <ervin.oro@aalto.fi>
2019-04-15 17:05:49 +00:00
context = eap_tls13_context;
context_len = 1;
EAP-TLS peer: MSK/EMSK derivation with TLS v1.3 Use new MSK/EMSK derivation mechanism if TLS v1.3 or newer is used per draft-mattsson-eap-tls13-02.txt. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 14:53:07 +00:00
EAP-TLS peer: Allow NewSessionTicket after Client Finished with TLS v1.3 The EAP session cannot be marked fully completed on sending Client Finished with TLS v1.3 since the server may still send NewSessionTicket before EAP-Success. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 14:51:34 +00:00
/* A possible NewSessionTicket may be received before
* EAP-Success, so need to allow it to be received. */
ret->methodState = METHOD_MAY_CONT;
ret->decision = DECISION_COND_SUCC;
} else {
EAP-TLS peer: MSK/EMSK derivation with TLS v1.3 Use new MSK/EMSK derivation mechanism if TLS v1.3 or newer is used per draft-mattsson-eap-tls13-02.txt. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 14:53:07 +00:00
label = "client EAP encryption";
EAP-TLS peer: Allow NewSessionTicket after Client Finished with TLS v1.3 The EAP session cannot be marked fully completed on sending Client Finished with TLS v1.3 since the server may still send NewSessionTicket before EAP-Success. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 14:51:34 +00:00
ret->methodState = METHOD_DONE;
ret->decision = DECISION_UNCOND_SUCC;
}
wpa_supplicant:move part of codes to IDF
2018-04-20 03:33:04 +00:00
EAP peer: Clear keying material on deinit Reduce the amount of time keying material (MSK, EMSK, temporary private data) remains in memory in EAP methods. This provides additional protection should there be any issues that could expose process memory to external observers. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-29 18:16:30 +00:00
eap_tls_free_key(data);
EAP-TLS peer: MSK/EMSK derivation with TLS v1.3 Use new MSK/EMSK derivation mechanism if TLS v1.3 or newer is used per draft-mattsson-eap-tls13-02.txt. Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 14:53:07 +00:00
data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, label,
Add Type-Code context to EAP-TLS 1.3 exported Key_Material and Method-Id Change to require the Type-Code in context for Key_Material and Method-Id has now been published as draft-ietf-emu-eap-tls13-04. https://tools.ietf.org/html/draft-ietf-emu-eap-tls13-04#section-2.3 Signed-off-by: Ervin Oro <ervin.oro@aalto.fi>
2019-04-15 17:05:49 +00:00
context, context_len,
wpa_supplicant:move part of codes to IDF
2018-04-20 03:33:04 +00:00
EAP_TLS_KEY_LEN +
EAP_EMSK_LEN);
if (data->key_data) {
wpa_hexdump_key(MSG_DEBUG, "EAP-TLS: Derived key",
data->key_data, EAP_TLS_KEY_LEN);
wpa_hexdump_key(MSG_DEBUG, "EAP-TLS: Derived EMSK",
data->key_data + EAP_TLS_KEY_LEN,
EAP_EMSK_LEN);
} else {
wpa_printf(MSG_INFO, "EAP-TLS: Failed to derive key");
}
os_free(data->session_id);
data->session_id = eap_peer_tls_derive_session_id(sm, &data->ssl,
EAP_TYPE_TLS,
&data->id_len);
if (data->session_id) {
wpa_hexdump(MSG_DEBUG, "EAP-TLS: Derived Session-Id",
data->session_id, data->id_len);
} else {
wpa_printf(MSG_ERROR, "EAP-TLS: Failed to derive Session-Id");
}
}
static struct wpabuf * eap_tls_process(struct eap_sm *sm, void *priv,
struct eap_method_ret *ret,
const struct wpabuf *reqData)
{
size_t left;
int res;
struct wpabuf *resp;
u8 flags, id;
const u8 *pos;
struct eap_tls_data *data = priv;
EAP peer: External server certificate chain validation This adds support for optional functionality to validate server certificate chain in TLS-based EAP methods in an external program. wpa_supplicant control interface is used to indicate when such validation is needed and what the result of the external validation is. This external validation can extend or replace the internal validation. When ca_cert or ca_path parameter is set, the internal validation is used. If these parameters are omitted, only the external validation is used. It needs to be understood that leaving those parameters out will disable most of the validation steps done with the TLS library and that configuration is not really recommend. By default, the external validation is not used. It can be enabled by addingtls_ext_cert_check=1 into the network profile phase1 parameter. When enabled, external validation is required through the CTRL-REQ/RSP mechanism similarly to other EAP authentication parameters through the control interface. The request to perform external validation is indicated by the following event: CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid> Before that event, the server certificate chain is provided with the CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump> parameter. depth=# indicates which certificate is in question (0 for the server certificate, 1 for its issues, and so on). The result of the external validation is provided with the following command: CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad> It should be noted that this is currently enabled only for OpenSSL (and BoringSSL/LibreSSL). Due to the constraints in the library API, the validation result from external processing cannot be reported cleanly with TLS alert. In other words, if the external validation reject the server certificate chain, the pending TLS handshake is terminated without sending more messages to the server. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 16:16:54 +00:00
if (sm->waiting_ext_cert_check && data->pending_resp) {
struct eap_peer_config *config = eap_get_config(sm);
if (config->pending_ext_cert_check == EXT_CERT_CHECK_GOOD) {
wpa_printf(MSG_DEBUG,
"EAP-TLS: External certificate check succeeded - continue handshake");
resp = data->pending_resp;
data->pending_resp = NULL;
sm->waiting_ext_cert_check = 0;
return resp;
}
if (config->pending_ext_cert_check == EXT_CERT_CHECK_BAD) {
wpa_printf(MSG_DEBUG,
"EAP-TLS: External certificate check failed - force authentication failure");
ret->methodState = METHOD_DONE;
ret->decision = DECISION_FAIL;
sm->waiting_ext_cert_check = 0;
return NULL;
}
wpa_printf(MSG_DEBUG,
"EAP-TLS: Continuing to wait external server certificate validation");
return NULL;
}
wpa_supplicant:move part of codes to IDF
2018-04-20 03:33:04 +00:00
pos = eap_peer_tls_process_init(sm, &data->ssl, data->eap_type, ret,
reqData, &left, &flags);
if (pos == NULL)
return NULL;
id = eap_get_id(reqData);
if (flags & EAP_TLS_FLAGS_START) {
wpa_printf(MSG_DEBUG, "EAP-TLS: Start");
left = 0; /* make sure that this frame is empty, even though it
* should always be, anyway */
}
resp = NULL;
res = eap_peer_tls_process_helper(sm, &data->ssl, data->eap_type, 0,
id, pos, left, &resp);
if (res < 0) {
return eap_tls_failure(sm, data, ret, res, resp, id);
}
EAP peer: External server certificate chain validation This adds support for optional functionality to validate server certificate chain in TLS-based EAP methods in an external program. wpa_supplicant control interface is used to indicate when such validation is needed and what the result of the external validation is. This external validation can extend or replace the internal validation. When ca_cert or ca_path parameter is set, the internal validation is used. If these parameters are omitted, only the external validation is used. It needs to be understood that leaving those parameters out will disable most of the validation steps done with the TLS library and that configuration is not really recommend. By default, the external validation is not used. It can be enabled by addingtls_ext_cert_check=1 into the network profile phase1 parameter. When enabled, external validation is required through the CTRL-REQ/RSP mechanism similarly to other EAP authentication parameters through the control interface. The request to perform external validation is indicated by the following event: CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid> Before that event, the server certificate chain is provided with the CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump> parameter. depth=# indicates which certificate is in question (0 for the server certificate, 1 for its issues, and so on). The result of the external validation is provided with the following command: CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad> It should be noted that this is currently enabled only for OpenSSL (and BoringSSL/LibreSSL). Due to the constraints in the library API, the validation result from external processing cannot be reported cleanly with TLS alert. In other words, if the external validation reject the server certificate chain, the pending TLS handshake is terminated without sending more messages to the server. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 16:16:54 +00:00
if (sm->waiting_ext_cert_check) {
wpa_printf(MSG_DEBUG,
"EAP-TLS: Waiting external server certificate validation");
wpabuf_free(data->pending_resp);
data->pending_resp = resp;
return NULL;
}
EAP-TLS: Update specification references to RFC 5216 and 9190 The previously used references were pointing to an obsoleted RFC and draft versions. Replace these with current versions. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-05 19:56:13 +00:00
/* RFC 9190 Section 2.5 */
EAP-TLS peer: Handle Commitment Message for TLS 1.3 Recognize the explicitly defined Commitment Message per draft-ietf-emu-eap-tls13-13 at the conclusion of the EAP-TLS with TLS 1.3. Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2020-10-16 08:49:38 +00:00
if (res == 2 && data->ssl.tls_v13 && wpabuf_len(resp) == 1 &&
*wpabuf_head_u8(resp) == 0) {
EAP-TLS: Replace the Commitment Message term with RFC 9190 language While the drafts for RFC 9190 used a separate Commitment Message term, that term was removed from the published RFC. Update the debug prints to match that final language. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-05 20:05:45 +00:00
wpa_printf(MSG_DEBUG,
"EAP-TLS: ACKing protected success indication (appl data 0x00)");
EAP-TLS peer: Handle possible application data at the end EAP-TLS with TLS 1.3 uses an empty application data record from the server to indicate end of the exchange, so EAP-TLS peer will need to check for this special case and finish the exchange with an empty EAP-TLS (ACK) so that the server can send out EAP-Success. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-12 20:38:05 +00:00
eap_peer_tls_reset_output(&data->ssl);
res = 1;
EAP-TLS: Do not allow TLSv1.3 success without protected result indication RFC 9190 requires protected result indication to be used with TLSv1.3, so do not allow EAP-TLS to complete successfully if the server does not send that indication. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-06 12:14:18 +00:00
ret->methodState = METHOD_DONE;
ret->decision = DECISION_UNCOND_SUCC;
data->prot_success_received = true;
EAP-TLS peer: Handle possible application data at the end EAP-TLS with TLS 1.3 uses an empty application data record from the server to indicate end of the exchange, so EAP-TLS peer will need to check for this special case and finish the exchange with an empty EAP-TLS (ACK) so that the server can send out EAP-Success. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-12 20:38:05 +00:00
}
EAP-TLS: Do not allow TLSv1.3 success without protected result indication RFC 9190 requires protected result indication to be used with TLSv1.3, so do not allow EAP-TLS to complete successfully if the server does not send that indication. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-06 12:14:18 +00:00
if (tls_connection_established(data->ssl_ctx, data->ssl.conn) &&
(!data->ssl.tls_v13 || data->prot_success_received))
wpa_supplicant:move part of codes to IDF
2018-04-20 03:33:04 +00:00
eap_tls_success(sm, data, ret);
if (res == 1) {
wpabuf_free(resp);
return eap_peer_tls_build_ack(id, data->eap_type, 0);
}
return resp;
}
static bool eap_tls_isKeyAvailable(struct eap_sm *sm, void *priv)
{
struct eap_tls_data *data = priv;
return data->key_data != NULL;
}
static u8 * eap_tls_getKey(struct eap_sm *sm, void *priv, size_t *len)
{
struct eap_tls_data *data = priv;
u8 *key;
if (data->key_data == NULL)
return NULL;
key = os_malloc(EAP_TLS_KEY_LEN);
if (key == NULL)
return NULL;
*len = EAP_TLS_KEY_LEN;
os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN);
return key;
}
int eap_peer_tls_register(void)
{
struct eap_method *eap;
int ret;
eap = eap_peer_method_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLS,
"TLS");
if (eap == NULL)
return -1;
eap->init = eap_tls_init;
eap->deinit = eap_tls_deinit;
eap->process = eap_tls_process;
eap->isKeyAvailable = eap_tls_isKeyAvailable;
eap->getKey = eap_tls_getKey;
ret = eap_peer_method_register(eap);
if (ret)
eap_peer_method_free(eap);
return ret;
}
#endif /* EAP_TLS */