From 11adf76a71ce01dc87b78a0dc28621641c773673 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 3 Dec 2018 23:29:56 +0200
Subject: [PATCH] EAP-TLS server: Update user information based on serial number

This allows EAP user database entries for "cert-" to be used for client certificate based parameters when using EAP-TLS. This commit addresses only the full authentication case and TLS session resumption is not yet covered.

Signed-off-by: Jouni Malinen
---
 src/eap_server/eap_server_tls.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/eap_server/eap_server_tls.c b/src/eap_server/eap_server_tls.c
index 8b9e53c61..13d234982 100644
--- a/src/eap_server/eap_server_tls.c
+++ b/src/eap_server/eap_server_tls.c
@@ -22,6 +22,7 @@ struct eap_tls_data {
 	enum { START, CONTINUE, SUCCESS, FAILURE } state;
 	int established;
 	u8 eap_type;
+	int phase2;
 };
 
 
@@ -85,6 +86,8 @@ static void * eap_tls_init(struct eap_sm *sm)
 
 	data->eap_type = EAP_TYPE_TLS;
 
+	data->phase2 = sm->init_phase2;
+
 	return data;
 }
 
@@ -202,6 +205,20 @@ check_established:
 		wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
 		eap_tls_state(data, SUCCESS);
 		eap_tls_valid_session(sm, data);
+		if (sm->serial_num) {
+			char user[128];
+			int user_len;
+
+			user_len = os_snprintf(user, sizeof(user), "cert-%s",
+					       sm->serial_num);
+			if (eap_user_get(sm, (const u8 *) user, user_len,
+					 data->phase2) < 0)
+				wpa_printf(MSG_DEBUG,
+					   "EAP-TLS: No user entry found based on the serial number of the client certificate ");
+			else
+				wpa_printf(MSG_DEBUG,
+					   "EAP-TLS: Updated user entry based on the serial number of the client certificate ");
+		}
 	}
 
 	return res;
@@ -288,6 +305,8 @@ static void eap_tls_process(struct eap_sm *sm, void *priv,
 					   "EAP-TLS: Resuming previous session");
 			eap_tls_state(data, SUCCESS);
 			tls_connection_set_success_data_resumed(data->ssl.conn);
+			/* TODO: Cache serial number with session and update EAP user
+			 * information based on the cached serial number */
 		}
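Review bot: In the third hunk the `os_snprintf()` result stored in `user_len` is handed to `eap_user_get()` without a truncation or error check, so a serial number string longer than `user` can hold yields a `user_len` larger than the buffer (and a negative return becomes a huge `size_t` at the call), i.e. an out-of-bounds read of the stack buffer. Guard the lookup with `if (os_snprintf_error(sizeof(user), user_len) || eap_user_get(sm, (const u8 *) user, user_len, data->phase2) < 0)` so an oversized serial falls into the "No user entry found" branch instead. It would also help to document what state the session is in after a failed cert- lookup: if `eap_user_get()` releases the current `sm->user` before resolving the new name (I believe it does; confirm against eap_server.c), the failure branch leaves the authentication without the identity-based user entry rather than keeping it, which the debug message does not convey. Both debug strings carry a stray trailing space before the closing quote. The enclosing function begins before this hunk; the first two hunks only add and initialise `phase2`.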