authorJouni Malinen <j@w1.fi>2019-07-13 13:29:39 (GMT)
committerJouni Malinen <j@w1.fi>2019-07-13 13:29:39 (GMT)
commit36ec5881657157752dced741256441c230e42fe6 (patch)
tree0ccf3cf0fce1bd7e38499c246451ea097688a090
parent4e2e1eeb5f9d4e2c46b74241e7b267d09c995247 (diff)
downloadhostap-36ec5881657157752dced741256441c230e42fe6.zip
hostap-36ec5881657157752dced741256441c230e42fe6.tar.gz
hostap-36ec5881657157752dced741256441c230e42fe6.tar.bz2
EAP-TLS server: Add application data to indicate end of v1.3 handshake
This adds an encrypted version of a one octet application data payload to the end of the handshake when TLS v1.3 is used to indicate explicit termination of the handshake (either after Finished message or after the optional NewSessionTicket message). The current draft-ietf-emu-eap-tls13-05 defines this to be a zero length payload, but since that is not allowed by OpenSSL, use a one octet payload instead for now with hopes of getting the draft specification updated instead of having to modify OpenSSL for this. Signed-off-by: Jouni Malinen <j@w1.fi>
-rw-r--r--src/eap_server/eap_server_tls.c37
1 files changed, 36 insertions, 1 deletions
diff --git a/src/eap_server/eap_server_tls.c b/src/eap_server/eap_server_tls.c
index 9860a36..0712d4c 100644
--- a/src/eap_server/eap_server_tls.c
+++ b/src/eap_server/eap_server_tls.c
@@ -261,8 +261,43 @@ static void eap_tls_process_msg(struct eap_sm *sm, void *priv,
"handshake message");
return;
}
- if (eap_server_tls_phase1(sm, &data->ssl) < 0)
+ if (eap_server_tls_phase1(sm, &data->ssl) < 0) {
eap_tls_state(data, FAILURE);
+ return;
+ }
+
+ if (data->ssl.tls_v13 &&
+ tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
+ struct wpabuf *plain, *encr;
+
+ wpa_printf(MSG_DEBUG,
+ "EAP-TLS: Send empty application data to indicate end of exchange");
+ /* FIX: This should be an empty application data based on
+ * draft-ietf-emu-eap-tls13-05, but OpenSSL does not allow zero
+ * length payload (SSL_write() documentation explicitly
+ * describes this as not allowed), so work around that for now
+ * by sending out a payload of one octet. Hopefully the draft
+ * specification will change to allow this so that no crypto
+ * library changes are needed. */
+ plain = wpabuf_alloc(1);
+ if (!plain)
+ return;
+ wpabuf_put_u8(plain, 0);
+ encr = eap_server_tls_encrypt(sm, &data->ssl, plain);
+ wpabuf_free(plain);
+ if (!encr)
+ return;
+ if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(encr)) < 0) {
+ wpa_printf(MSG_INFO,
+ "EAP-TLS: Failed to resize output buffer");
+ wpabuf_free(encr);
+ return;
+ }
+ wpabuf_put_buf(data->ssl.tls_out, encr);
+ wpa_hexdump_buf(MSG_DEBUG,
+ "EAP-TLS: Data appended to the message", encr);
+ wpabuf_free(encr);
+ }
}
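Review bot: The two early returns at `if (!plain) return;` and `if (!encr) return;` drop the end-of-exchange payload silently, whereas the resize failure a few lines later logs at MSG_INFO; since a missing indicator leaves the peer unable to tell the handshake has terminated, these paths deserve the same log line, e.g. `wpa_printf(MSG_INFO, "EAP-TLS: Failed to encrypt application data");`, and presumably the same `eap_tls_state(data, FAILURE)` transition that a phase1 error gets. The debug message "Send empty application data to indicate end of exchange" also contradicts the one-octet workaround described in the FIX comment right below it; rewording it to `"EAP-TLS: Send one octet of application data to indicate end of exchange"` keeps the log honest when someone is diagnosing an interop issue. If eap_tls_process_msg is invoked again while tls_connection_established() stays true (for instance on the NewSessionTicket round the commit message mentions), the condition here would append a second payload; whether that can happen depends on state handling outside the hunk. eap_tls_process_msg starts before the hunk.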