EAP-TLS server: Update user information based on serial number

This allows EAP user database entries for "cert-<serial number>" to be
used for client certificate based parameters when using EAP-TLS. This
commit addresses only the full authentication case and TLS session
resumption is not yet covered.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

src/eap_server/eap_server_tls.c

@@ -22,6 +22,7 @@ struct eap_tls_data {
 	enum { START, CONTINUE, SUCCESS, FAILURE } state;
 	int established;
 	u8 eap_type;
+	int phase2;
 };
 
 
@@ -85,6 +86,8 @@ static void * eap_tls_init(struct eap_sm *sm)
 
 	data->eap_type = EAP_TYPE_TLS;
 
+	data->phase2 = sm->init_phase2;
+
 	return data;
 }
 
@@ -202,6 +205,20 @@ check_established:
 		wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
 		eap_tls_state(data, SUCCESS);
 		eap_tls_valid_session(sm, data);
+		if (sm->serial_num) {
+			char user[128];
+			int user_len;
+
+			user_len = os_snprintf(user, sizeof(user), "cert-%s",
+					       sm->serial_num);
+			if (eap_user_get(sm, (const u8 *) user, user_len,
+					 data->phase2) < 0)
+				wpa_printf(MSG_DEBUG,
+					   "EAP-TLS: No user entry found based on the serial number of the client certificate ");
+			else
+				wpa_printf(MSG_DEBUG,
+					   "EAP-TLS: Updated user entry based on the serial number of the client certificate ");
+		}
 	}
 
 	return res;
@@ -288,6 +305,8 @@ static void eap_tls_process(struct eap_sm *sm, void *priv,
 		   "EAP-TLS: Resuming previous session");
 	eap_tls_state(data, SUCCESS);
 	tls_connection_set_success_data_resumed(data->ssl.conn);
+	/* TODO: Cache serial number with session and update EAP user
+	 * information based on the cached serial number */
 }