EAP server: Add eap_get_serial_num()

This can be used to fetch the serial number of the peer certificate
during TLS-based EAP session.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h
index bb3641f846e1d3c39952d59d00d513d0fb4acf5d..4fbc661c22fe258e35ea9d0bfca2e36fc6aa54c5 100644 (file)
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@@ -152,6 +152,7 @@ void eap_sm_notify_cached(struct eap_sm *sm);
 void eap_sm_pending_cb(struct eap_sm *sm);
 int eap_sm_method_pending(struct eap_sm *sm);
 const u8 * eap_get_identity(struct eap_sm *sm, size_t *len);
+const char * eap_get_serial_num(struct eap_sm *sm);
 struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm);
 void eap_server_clear_identity(struct eap_sm *sm);
 void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,

diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index 3d6f8d53ab3d1a4e45695ddf3eb556fb0f15312a..cf8a9f0d98e1fda835594394fd3acffaee5644fc 100644 (file)
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -159,6 +159,7 @@ struct eap_sm {
        void *eap_method_priv;
        u8 *identity;
        size_t identity_len;
+       char *serial_num;
        /* Whether Phase 2 method should validate identity match */
        int require_identity_match;
        int lastId; /* Identifier used in the last EAP-Packet */

diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
index c9da72e9ebab9cfe582cdb42a2079913fb7ef8f0..38a1b5c9ee220402b13a2025f4a3c91340af2553 100644 (file)
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@@ -1920,6 +1920,7 @@ void eap_server_sm_deinit(struct eap_sm *sm)
        wpabuf_free(sm->lastReqData);
        wpabuf_free(sm->eap_if.eapRespData);
        os_free(sm->identity);
+       os_free(sm->serial_num);
        os_free(sm->pac_opaque_encr_key);
        os_free(sm->eap_fast_a_id);
        os_free(sm->eap_fast_a_id_info);
@@ -1991,6 +1992,17 @@ const u8 * eap_get_identity(struct eap_sm *sm, size_t *len)
 }
 
 
+/**
+ * eap_get_serial_num - Get the serial number of user certificate
+ * @sm: Pointer to EAP state machine allocated with eap_server_sm_init()
+ * Returns: Pointer to the serial number or %NULL if not available
+ */
+const char * eap_get_serial_num(struct eap_sm *sm)
+{
+       return sm->serial_num;
+}
+
+
 void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len)
 {
 #ifdef CONFIG_ERP

diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index 4f9cb0875748d166b70f1745a3dd1e17e0605085..0ae7867fccf7fe2e9d0395bee20e34b05b3c10a6 100644 (file)
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -341,6 +341,11 @@ int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
                data->tls_v13 = os_strcmp(buf, "TLSv1.3") == 0;
        }
 
+       if (!sm->serial_num &&
+           tls_connection_established(sm->ssl_ctx, data->conn))
+               sm->serial_num = tls_connection_peer_serial_num(sm->ssl_ctx,
+                                                               data->conn);
+
        return 0;
 }