authorJouni Malinen <jouni@codeaurora.org>2018-12-03 21:29:56 (GMT)
committerJouni Malinen <j@w1.fi>2018-12-03 21:29:56 (GMT)
commit11adf76a71ce01dc87b78a0dc28621641c773673 (patch)
treeca729de2b8b96444e6f4922891a355af4cf30899
parent9da196adf938c5bd4187b1d13538752802b8c090 (diff)
EAP-TLS server: Update user information based on serial number
This allows EAP user database entries for "cert-<serial number>" to be used for client certificate based parameters when using EAP-TLS. This commit addresses only the full authentication case and TLS session resumption is not yet covered. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-rw-r--r--src/eap_server/eap_server_tls.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/src/eap_server/eap_server_tls.c b/src/eap_server/eap_server_tls.c
index 8b9e53c..13d2349 100644
--- a/src/eap_server/eap_server_tls.c
+++ b/src/eap_server/eap_server_tls.c
@@ -22,6 +22,7 @@ struct eap_tls_data {
enum { START, CONTINUE, SUCCESS, FAILURE } state;
int established;
u8 eap_type;
+ int phase2;
};
@@ -85,6 +86,8 @@ static void * eap_tls_init(struct eap_sm *sm)
data->eap_type = EAP_TYPE_TLS;
+ data->phase2 = sm->init_phase2;
+
return data;
}
@@ -202,6 +205,20 @@ check_established:
wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
eap_tls_state(data, SUCCESS);
eap_tls_valid_session(sm, data);
+ if (sm->serial_num) {
+ char user[128];
+ int user_len;
+
+ user_len = os_snprintf(user, sizeof(user), "cert-%s",
+ sm->serial_num);
+ if (eap_user_get(sm, (const u8 *) user, user_len,
+ data->phase2) < 0)
+ wpa_printf(MSG_DEBUG,
+ "EAP-TLS: No user entry found based on the serial number of the client certificate ");
+ else
+ wpa_printf(MSG_DEBUG,
+ "EAP-TLS: Updated user entry based on the serial number of the client certificate ");
+ }
}
return res;
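Review bot: The result of `user_len = os_snprintf(user, sizeof(user), "cert-%s", sm->serial_num);` is handed to eap_user_get() without checking for a negative return or truncation, so a serial string longer than the 128-byte buffer would yield a user_len greater than sizeof(user) and the lookup would read beyond the end of `user`. The serial string is taken from the peer's certificate (sm->serial_num is set outside this hunk, so this is inferred), which makes its length peer-controlled and worth guarding with the file's usual os_snprintf_error() check before the lookup. As a point of style, both debug messages end with a trailing space before the closing quote (`"... client certificate "`). The enclosing function starts and ends outside the hunk.
```c
		if (sm->serial_num) {
			char user[128];
			int user_len;

			user_len = os_snprintf(user, sizeof(user), "cert-%s",
					       sm->serial_num);
			if (os_snprintf_error(sizeof(user), user_len)) {
				wpa_printf(MSG_DEBUG,
					   "EAP-TLS: Serial number too long for user lookup");
			} else if (eap_user_get(sm, (const u8 *) user, user_len,
						data->phase2) < 0) {
				/* … unchanged: "No user entry found" debug message … */
			} else {
				/* … unchanged: "Updated user entry" debug message … */
			}
		}
```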
@@ -288,6 +305,8 @@ static void eap_tls_process(struct eap_sm *sm, void *priv,
"EAP-TLS: Resuming previous session");
eap_tls_state(data, SUCCESS);
tls_connection_set_success_data_resumed(data->ssl.conn);
+ /* TODO: Cache serial number with session and update EAP user
+ * information based on the cached serial number */
}