summaryrefslogtreecommitdiff
path: root/src/eap_server/eap_server.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/eap_server/eap_server.c')
-rw-r--r--src/eap_server/eap_server.c81
1 files changed, 77 insertions, 4 deletions
diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
index 84ecafc7ca3e5..38a1b5c9ee220 100644
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@@ -326,6 +326,9 @@ SM_STATE(EAP, RETRANSMIT)
if (eap_copy_buf(&sm->eap_if.eapReqData, sm->lastReqData) == 0)
sm->eap_if.eapReq = TRUE;
}
+
+ wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT MACSTR,
+ MAC2STR(sm->peer_addr));
}
@@ -415,7 +418,7 @@ static void eap_server_erp_init(struct eap_sm *sm)
u8 *emsk = NULL;
size_t emsk_len = 0;
u8 EMSKname[EAP_EMSK_NAME_LEN];
- u8 len[2];
+ u8 len[2], ctx[3];
const char *domain;
size_t domain_len, nai_buf_len;
struct eap_server_erp_key *erp = NULL;
@@ -452,7 +455,7 @@ static void eap_server_erp_init(struct eap_sm *sm)
wpa_hexdump_key(MSG_DEBUG, "EAP: EMSK", emsk, emsk_len);
- WPA_PUT_BE16(len, 8);
+ WPA_PUT_BE16(len, EAP_EMSK_NAME_LEN);
if (hmac_sha256_kdf(sm->eap_if.eapSessionId, sm->eap_if.eapSessionIdLen,
"EMSK", len, sizeof(len),
EMSKname, EAP_EMSK_NAME_LEN) < 0) {
@@ -476,9 +479,11 @@ static void eap_server_erp_init(struct eap_sm *sm)
erp->rRK_len = emsk_len;
wpa_hexdump_key(MSG_DEBUG, "EAP: ERP rRK", erp->rRK, erp->rRK_len);
+ ctx[0] = EAP_ERP_CS_HMAC_SHA256_128;
+ WPA_PUT_BE16(&ctx[1], erp->rRK_len);
if (hmac_sha256_kdf(erp->rRK, erp->rRK_len,
- "EAP Re-authentication Integrity Key@ietf.org",
- len, sizeof(len), erp->rIK, erp->rRK_len) < 0) {
+ "Re-authentication Integrity Key@ietf.org",
+ ctx, sizeof(ctx), erp->rIK, erp->rRK_len) < 0) {
wpa_printf(MSG_DEBUG, "EAP: Could not derive rIK for ERP");
goto fail;
}
@@ -632,6 +637,9 @@ SM_STATE(EAP, TIMEOUT_FAILURE)
SM_ENTRY(EAP, TIMEOUT_FAILURE);
sm->eap_if.eapTimeout = TRUE;
+
+ wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_TIMEOUT_FAILURE MACSTR,
+ MAC2STR(sm->peer_addr));
}
@@ -1009,6 +1017,9 @@ SM_STATE(EAP, RETRANSMIT2)
if (eap_copy_buf(&sm->eap_if.eapReqData, sm->lastReqData) == 0)
sm->eap_if.eapReq = TRUE;
}
+
+ wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT2 MACSTR,
+ MAC2STR(sm->peer_addr));
}
@@ -1099,6 +1110,9 @@ SM_STATE(EAP, TIMEOUT_FAILURE2)
SM_ENTRY(EAP, TIMEOUT_FAILURE2);
sm->eap_if.eapTimeout = TRUE;
+
+ wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_TIMEOUT_FAILURE2 MACSTR,
+ MAC2STR(sm->peer_addr));
}
@@ -1108,6 +1122,9 @@ SM_STATE(EAP, FAILURE2)
eap_copy_buf(&sm->eap_if.eapReqData, sm->eap_if.aaaEapReqData);
sm->eap_if.eapFail = TRUE;
+
+ wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE2 MACSTR,
+ MAC2STR(sm->peer_addr));
}
@@ -1134,6 +1151,9 @@ SM_STATE(EAP, SUCCESS2)
* started properly.
*/
sm->start_reauth = TRUE;
+
+ wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS2 MACSTR,
+ MAC2STR(sm->peer_addr));
}
@@ -1800,6 +1820,8 @@ static void eap_user_free(struct eap_user *user)
return;
bin_clear_free(user->password, user->password_len);
user->password = NULL;
+ bin_clear_free(user->salt, user->salt_len);
+ user->salt = NULL;
os_free(user);
}
@@ -1866,6 +1888,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
sm->server_id_len = conf->server_id_len;
sm->erp = conf->erp;
sm->tls_session_lifetime = conf->tls_session_lifetime;
+ sm->tls_flags = conf->tls_flags;
#ifdef CONFIG_TESTING_OPTIONS
sm->tls_test_flags = conf->tls_test_flags;
@@ -1897,6 +1920,7 @@ void eap_server_sm_deinit(struct eap_sm *sm)
wpabuf_free(sm->lastReqData);
wpabuf_free(sm->eap_if.eapRespData);
os_free(sm->identity);
+ os_free(sm->serial_num);
os_free(sm->pac_opaque_encr_key);
os_free(sm->eap_fast_a_id);
os_free(sm->eap_fast_a_id_info);
@@ -1969,6 +1993,55 @@ const u8 * eap_get_identity(struct eap_sm *sm, size_t *len)
/**
+ * eap_get_serial_num - Get the serial number of user certificate
+ * @sm: Pointer to EAP state machine allocated with eap_server_sm_init()
+ * Returns: Pointer to the serial number or %NULL if not available
+ */
+const char * eap_get_serial_num(struct eap_sm *sm)
+{
+ return sm->serial_num;
+}
+
+
+void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len)
+{
+#ifdef CONFIG_ERP
+ const struct eap_hdr *hdr;
+ const u8 *pos, *end;
+ struct erp_tlvs parse;
+
+ if (len < sizeof(*hdr) + 1)
+ return;
+ hdr = (const struct eap_hdr *) eap;
+ end = eap + len;
+ pos = (const u8 *) (hdr + 1);
+ if (hdr->code != EAP_CODE_INITIATE || *pos != EAP_ERP_TYPE_REAUTH)
+ return;
+ pos++;
+ if (pos + 3 > end)
+ return;
+
+ /* Skip Flags and SEQ */
+ pos += 3;
+
+ if (erp_parse_tlvs(pos, end, &parse, 1) < 0 || !parse.keyname)
+ return;
+ wpa_hexdump_ascii(MSG_DEBUG,
+ "EAP: Update identity based on EAP-Initiate/Re-auth keyName-NAI",
+ parse.keyname, parse.keyname_len);
+ os_free(sm->identity);
+ sm->identity = os_malloc(parse.keyname_len);
+ if (sm->identity) {
+ os_memcpy(sm->identity, parse.keyname, parse.keyname_len);
+ sm->identity_len = parse.keyname_len;
+ } else {
+ sm->identity_len = 0;
+ }
+#endif /* CONFIG_ERP */
+}
+
+
+/**
* eap_get_interface - Get pointer to EAP-EAPOL interface data
* @sm: Pointer to EAP state machine allocated with eap_server_sm_init()
* Returns: Pointer to the EAP-EAPOL interface data
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-12 15:45:55 +0000