Diffstat (limited to 'src/eap_server/eap_server_tls_common.c')
-rw-r--r-- | src/eap_server/eap_server_tls_common.c | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index 69096954b8262..0ae7867fccf7f 100644
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -47,7 +47,7 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
 int verify_peer, int eap_type)
 {
 u8 session_ctx[8];
- unsigned int flags = 0;
+ unsigned int flags = sm->tls_flags;
 
 if (sm->ssl_ctx == NULL) {
 wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method");
@@ -107,7 +107,7 @@ void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
 
 
 u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
- char *label, size_t len)
+ const char *label, size_t len)
 {
 u8 *out;
 
@@ -145,6 +145,13 @@ u8 * eap_server_tls_derive_session_id(struct eap_sm *sm,
 struct tls_random keys;
 u8 *out;
 
+ if (eap_type == EAP_TYPE_TLS && data->tls_v13) {
+ *len = 64;
+ return eap_server_tls_derive_key(sm, data,
+ "EXPORTER_EAP_TLS_Session-Id",
+ 64);
+ }
+
 if (tls_connection_get_random(sm->ssl_ctx, data->conn, &keys))
 return NULL;
 
@@ -305,6 +312,8 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
 
 int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
 {
+ char buf[20];
+
 if (data->tls_out) {
 /* This should not happen.. */
 wpa_printf(MSG_INFO, "SSL: pending tls_out data when "
@@ -327,6 +336,16 @@ int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
 return -1;
 }
 
+ if (tls_get_version(sm->ssl_ctx, data->conn, buf, sizeof(buf)) == 0) {
+ wpa_printf(MSG_DEBUG, "SSL: Using TLS version %s", buf);
+ data->tls_v13 = os_strcmp(buf, "TLSv1.3") == 0;
+ }
+
+ if (!sm->serial_num &&
+ tls_connection_established(sm->ssl_ctx, data->conn))
+ sm->serial_num = tls_connection_peer_serial_num(sm->ssl_ctx,
+ data->conn);
+
 return 0;
 }
 
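Review bot: In the new TLS 1.3 branch of eap_server_tls_derive_session_id(), `*len` is written to 64 before eap_server_tls_derive_key() has returned, so a NULL result hands the caller a stale length alongside the failure; assigning it only on success is cleaner: `out = eap_server_tls_derive_key(sm, data, "EXPORTER_EAP_TLS_Session-Id", 64);` / `if (out) *len = 64;` / `return out;`. The exporter label and the 64-byte length are hard-coded with no reference, and the EAP-TLS 1.3 Session-Id construction was still being revised in the drafts at the time (presumably draft-ietf-emu-eap-tls13), so a comment such as `/* Session-Id = TLS-Exporter("EXPORTER_EAP_TLS_Session-Id", "", 64); tracks the current EAP-TLS 1.3 draft - revisit if the spec changes */` would make the dependency explicit. Other TLS-based EAP methods negotiated with TLS 1.3 still fall through to the client/server-random construction below; if that is intentional pending their own specifications, a one-line note saying so would save the next reader from wondering. The enclosing function starts outside the hunk.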
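Review bot: `data->tls_v13 = os_strcmp(buf, "TLSv1.3") == 0;` ties TLS 1.3 detection to the exact spelling each tls_*.c backend writes into buf, and a backend that formats the version differently (or makes tls_get_version() return non-zero) silently leaves tls_v13 at its previous value, so EAP-TLS would quietly use the pre-1.3 Session-Id derivation with only a missing debug line as evidence. At minimum document the contract, e.g. `/* tls_get_version() output is backend-specific; "TLSv1.3" is the OpenSSL-style spelling, so other backends must emit the same string */`, or add an `else` branch that logs the unrecognized or unavailable version; longer term a boolean query on the tls.h interface would be more robust than string matching. The `!sm->serial_num` guard avoids re-fetching on later phase1 rounds, but the ownership of the string returned by tls_connection_peer_serial_num() (presumably heap-allocated) and where sm->serial_num is released are not visible here and are worth confirming against the EAP server state-machine deinit path. The enclosing function eap_server_tls_phase1() starts outside the hunk.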
@@ -373,7 +392,7 @@ static int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags,
 if (data->tls_in &&
 eap_server_tls_process_cont(data, *pos, end - *pos) < 0)
 return -1;
-
+
 if (flags & EAP_TLS_FLAGS_MORE_FRAGMENTS) {
 if (eap_server_tls_process_fragment(data, flags, tls_msg_len,
 *pos, end - *pos) < 0)