EAP server: Extend EAP-TLS Commitment Message use to PEAP and EAP-TTLS
Use the explicit Commitment Message per draft-ietf-emu-eap-tls13-13 Section 2.5 and extend this functionality to PEAP and EAP-TTLS when using TLS 1.3. Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
This commit is contained in:
parent
fae4eafe4a
commit
0dee287c84
3 changed files with 69 additions and 36 deletions
|
@ -512,9 +512,27 @@ static struct wpabuf * eap_peap_build_phase2_term(struct eap_sm *sm,
|
|||
encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
|
||||
os_free(hdr);
|
||||
|
||||
if (!data->ssl.tls_v13 ||
|
||||
!tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn)) {
|
||||
wpabuf_free(data->ssl.tls_out);
|
||||
data->ssl.tls_out_pos = 0;
|
||||
return encr_req;
|
||||
}
|
||||
|
||||
if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(encr_req)) < 0) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"EAP-PEAP: Failed to resize output buffer");
|
||||
wpabuf_free(encr_req);
|
||||
return NULL;
|
||||
}
|
||||
wpabuf_put_buf(data->ssl.tls_out, encr_req);
|
||||
wpa_hexdump_buf(MSG_DEBUG,
|
||||
"EAP-PEAP: Data appended to the message", encr_req);
|
||||
os_free(encr_req);
|
||||
|
||||
return data->ssl.tls_out;
|
||||
}
|
||||
|
||||
|
||||
static struct wpabuf * eap_peap_buildReq(struct eap_sm *sm, void *priv, u8 id)
|
||||
{
|
||||
|
@ -561,8 +579,6 @@ static struct wpabuf * eap_peap_buildReq(struct eap_sm *sm, void *priv, u8 id)
|
|||
data->ssl.tls_out = eap_peap_build_phase2_tlv(sm, data, id);
|
||||
break;
|
||||
case SUCCESS_REQ:
|
||||
wpabuf_free(data->ssl.tls_out);
|
||||
data->ssl.tls_out_pos = 0;
|
||||
data->ssl.tls_out = eap_peap_build_phase2_term(sm, data, id,
|
||||
1);
|
||||
break;
|
||||
|
|
|
@ -266,39 +266,6 @@ static void eap_tls_process_msg(struct eap_sm *sm, void *priv,
|
|||
eap_tls_state(data, FAILURE);
|
||||
return;
|
||||
}
|
||||
|
||||
if (data->ssl.tls_v13 &&
|
||||
tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn)) {
|
||||
struct wpabuf *plain, *encr;
|
||||
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"EAP-TLS: Send empty application data to indicate end of exchange");
|
||||
/* FIX: This should be an empty application data based on
|
||||
* draft-ietf-emu-eap-tls13-05, but OpenSSL does not allow zero
|
||||
* length payload (SSL_write() documentation explicitly
|
||||
* describes this as not allowed), so work around that for now
|
||||
* by sending out a payload of one octet. Hopefully the draft
|
||||
* specification will change to allow this so that no crypto
|
||||
* library changes are needed. */
|
||||
plain = wpabuf_alloc(1);
|
||||
if (!plain)
|
||||
return;
|
||||
wpabuf_put_u8(plain, 0);
|
||||
encr = eap_server_tls_encrypt(sm, &data->ssl, plain);
|
||||
wpabuf_free(plain);
|
||||
if (!encr)
|
||||
return;
|
||||
if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(encr)) < 0) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"EAP-TLS: Failed to resize output buffer");
|
||||
wpabuf_free(encr);
|
||||
return;
|
||||
}
|
||||
wpabuf_put_buf(data->ssl.tls_out, encr);
|
||||
wpa_hexdump_buf(MSG_DEBUG,
|
||||
"EAP-TLS: Data appended to the message", encr);
|
||||
wpabuf_free(encr);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -366,6 +366,56 @@ int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
|
|||
sm->serial_num = tls_connection_peer_serial_num(
|
||||
sm->cfg->ssl_ctx, data->conn);
|
||||
|
||||
/*
|
||||
* https://tools.ietf.org/html/draft-ietf-emu-eap-tls13#section-2.5
|
||||
*
|
||||
* We need to signal the other end that TLS negotiation is done. We
|
||||
* can't send a zero-length application data message, so we send
|
||||
* application data which is one byte of zero.
|
||||
*
|
||||
* Note this is only done for when there is no application data to be
|
||||
* sent. So this is done always for EAP-TLS but notibly not for PEAP
|
||||
* even on resumption.
|
||||
*/
|
||||
if (data->tls_v13 &&
|
||||
tls_connection_established(sm->cfg->ssl_ctx, data->conn)) {
|
||||
struct wpabuf *plain, *encr;
|
||||
|
||||
switch (sm->currentMethod) {
|
||||
case EAP_TYPE_PEAP:
|
||||
break;
|
||||
default:
|
||||
if (!tls_connection_resumed(sm->cfg->ssl_ctx,
|
||||
data->conn))
|
||||
break;
|
||||
/* fallthrough */
|
||||
case EAP_TYPE_TLS:
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"EAP-TLS: Send Commitment Message");
|
||||
|
||||
plain = wpabuf_alloc(1);
|
||||
if (!plain)
|
||||
return -1;
|
||||
wpabuf_put_u8(plain, 0);
|
||||
encr = eap_server_tls_encrypt(sm, data, plain);
|
||||
wpabuf_free(plain);
|
||||
if (!encr)
|
||||
return -1;
|
||||
if (wpabuf_resize(&data->tls_out, wpabuf_len(encr)) < 0)
|
||||
{
|
||||
wpa_printf(MSG_INFO,
|
||||
"EAP-TLS: Failed to resize output buffer");
|
||||
wpabuf_free(encr);
|
||||
return -1;
|
||||
}
|
||||
wpabuf_put_buf(data->tls_out, encr);
|
||||
wpa_hexdump_buf(MSG_DEBUG,
|
||||
"EAP-TLS: Data appended to the message",
|
||||
encr);
|
||||
wpabuf_free(encr);
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue