]> git.ipfire.org Git - thirdparty/hostap.git/commitdiff
projects / thirdparty / hostap.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1854981)
EAP-TLS peer: MSK/EMSK derivation with TLS v1.3
authorJouni Malinen <j@w1.fi>
Tue, 1 May 2018 14:53:07 +0000 (17:53 +0300)
committerJouni Malinen <j@w1.fi>
Tue, 1 May 2018 14:53:07 +0000 (17:53 +0300)
Use new MSK/EMSK derivation mechanism if TLS v1.3 or newer is used per
draft-mattsson-eap-tls13-02.txt.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_peer/eap_tls.c patch | blob | blame | history

diff --git a/src/eap_peer/eap_tls.c b/src/eap_peer/eap_tls.c
index 0cfcfed63f737f1ea87eeae9843eb85e642e5142..d50619ea0fb5f968fb5a43cc7ce34f2d45f8d9b8 100644 (file)
--- a/src/eap_peer/eap_tls.c
+++ b/src/eap_peer/eap_tls.c
@@ -173,6 +173,8 @@ static struct wpabuf * eap_tls_failure(struct eap_sm *sm,
 static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data,
                            struct eap_method_ret *ret)
 {
+       const char *label;
+
        wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
 
        if (data->ssl.tls_out) {
@@ -181,18 +183,21 @@ static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data,
        }
 
        if (data->ssl.tls_v13) {
+               label = "client EAP encryption KM";
+
                /* A possible NewSessionTicket may be received before
                 * EAP-Success, so need to allow it to be received. */
                ret->methodState = METHOD_MAY_CONT;
                ret->decision = DECISION_COND_SUCC;
        } else {
+               label = "client EAP encryption";
+
                ret->methodState = METHOD_DONE;
                ret->decision = DECISION_UNCOND_SUCC;
        }
 
        eap_tls_free_key(data);
-       data->key_data = eap_peer_tls_derive_key(sm, &data->ssl,
-                                                "client EAP encryption",
+       data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, label,
                                                 EAP_TLS_KEY_LEN +
                                                 EAP_EMSK_LEN);
        if (data->key_data) {
Unnamed repository; edit this file 'description' to name the repository.