Phase2 EAP client authentication method.
charon.plugins.eap-peap.phase2_piggyback = no
- Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+ Phase2 EAP Identity request piggybacked by server onto TLS Finished message,
+ relevant only if TLS 1.2 or earlier is negotiated.
charon.plugins.eap-peap.phase2_tnc = no
Start phase2 EAP TNC protocol after successful client authentication.
*/
identification_t *peer;
+ /**
+ * TLS connection
+ */
+ tls_t *tls;
+
/**
* Current EAP-PEAP phase2 state
*/
eap_type_t type;
pen_t vendor;
- if (this->ph2_method == NULL && this->start_phase2 && this->start_phase2_id)
+ if (!this->ph2_method && this->start_phase2 &&
+ (this->start_phase2_id ||
+ this->tls->get_version_max(this->tls) >= TLS_1_3))
{
- /*
- * Start Phase 2 with an EAP Identity request either piggybacked right
- * onto the TLS Finished payload or delayed after the reception of an
- * empty EAP Acknowledge message.
+ /* for TLS < 1.3, either start Phase 2 with an EAP Identity request
+ * piggybacked right onto the TLS Finished payload or delayed after the
+ * reception of an empty EAP Acknowledge message. with TLS 1.3, Phase 2
+ * is always started immediately as the client finishes the handshake
+ * after the server
*/
this->ph2_method = charon->eap->create_instance(charon->eap, EAP_IDENTITY,
0, EAP_SERVER, this->server, this->peer);
- if (this->ph2_method == NULL)
+ if (!this->ph2_method)
{
DBG1(DBG_IKE, "%N method not available",
eap_type_names, EAP_IDENTITY);
return INVALID_STATE;
}
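Review bot: The new condition dereferences `this->tls` unconditionally, but `tls` is only populated by the separately added `set_tls()` setter, so a caller that constructs the server and processes data before calling `set_tls()` hits a NULL dereference here. Either guard it, `(this->start_phase2_id || (this->tls && this->tls->get_version_max(this->tls) >= TLS_1_3))`, or make the ordering an explicit contract in the `set_tls` header comment, e.g. `Must be called before any application data is processed.` The note also assumes `get_version_max()` reflects the negotiated version once the handshake has completed rather than the configured maximum; if it can still return the configured ceiling at this point, the TLS 1.3 branch would fire on a TLS 1.2 connection and suppress the delayed-start path. The replacement comment reads `message. with TLS 1.3`; capitalizing `With` keeps it consistent with the sentence before it. The enclosing function starts and ends outside the hunk.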
+METHOD(eap_peap_server_t, set_tls, void,
+ private_eap_peap_server_t *this, tls_t *tls)
+{
+ this->tls = tls;
+}
+
METHOD(tls_application_t, destroy, void,
private_eap_peap_server_t *this)
{
.build = _build,
.destroy = _destroy,
},
+ .set_tls = _set_tls,
},
.server = server->clone(server),
.peer = peer->clone(peer),
typedef struct eap_peap_server_t eap_peap_server_t;
+#include "tls.h"
#include "tls_application.h"
#include <library.h>
* Implements the TLS application data handler.
*/
tls_application_t application;
+
+ /**
+ * Set a reference to the parent TLS connection this application is
+ * assigned to.
+ *
+ * @param tls TLS connection
+ */
+ void (*set_tls)(eap_peap_server_t *this, tls_t *tls);
};
/**