aboutsummaryrefslogtreecommitdiffstats
path: root/src/crypto
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2015-08-10 18:21:40 (GMT)
committerJouni Malinen <j@w1.fi>2019-07-09 13:10:44 (GMT)
commit3af37ece199b2e78589a1e0fc66d35f1681620dc (patch)
treede4c2447cd0f092e7a51a190a48457d82a7fdd94 /src/crypto
parent88b6c6e244341f9874eceb5a50767e65d2113936 (diff)
downloadhostap-3af37ece199b2e78589a1e0fc66d35f1681620dc.zip
hostap-3af37ece199b2e78589a1e0fc66d35f1681620dc.tar.gz
hostap-3af37ece199b2e78589a1e0fc66d35f1681620dc.tar.bz2
Add tls_get_tls_unique() to fetch "tls-unique" for channel binding
This implements "tls-unique" derivation per RFC 5929, Section 3. This will be needed for channel binding, e.g., with EAP-TEAP. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/crypto')
-rw-r--r--src/crypto/tls.h13
-rw-r--r--src/crypto/tls_openssl.c18
2 files changed, 31 insertions, 0 deletions
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index 9f07e10..e199187 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -646,4 +646,17 @@ tls_connection_get_success_data(struct tls_connection *conn);
void tls_connection_remove_session(struct tls_connection *conn);
+/**
+ * tls_get_tls_unique - Fetch "tls-unique" for channel binding
+ * @conn: Connection context data from tls_connection_init()
+ * @buf: Buffer for returning the value
+ * @max_len: Maximum length of the buffer in bytes
+ * Returns: Number of bytes written to buf or -1 on error
+ *
+ * This function can be used to fetch "tls-unique" (RFC 5929, Section 3) which
+ * is the first TLS Finished message sent in the most recent TLS handshake of
+ * the TLS connection.
+ */
+int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len);
+
#endif /* TLS_H */
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 1073f64..a7a7793 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -5332,3 +5332,21 @@ void tls_connection_remove_session(struct tls_connection *conn)
wpa_printf(MSG_DEBUG,
"OpenSSL: Removed cached session to disable session resumption");
}
+
+
+int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len)
+{
+ size_t len;
+ int reused;
+
+ reused = SSL_session_reused(conn->ssl);
+ if ((conn->server && !reused) || (!conn->server && reused))
+ len = SSL_get_peer_finished(conn->ssl, buf, max_len);
+ else
+ len = SSL_get_finished(conn->ssl, buf, max_len);
+
+ if (len == 0 || len > max_len)
+ return -1;
+
+ return len;
+}