EAP-TLS server: Update user information based on serial number
authorJouni Malinen <jouni@codeaurora.org>
Mon, 3 Dec 2018 21:29:56 +0000 (23:29 +0200)
committerJouni Malinen <j@w1.fi>
Mon, 3 Dec 2018 21:29:56 +0000 (23:29 +0200)
This allows EAP user database entries for "cert-<serial number>" to be
used for client certificate based parameters when using EAP-TLS. This
commit addresses only the full authentication case; TLS session
resumption is not yet covered.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/eap_server/eap_server_tls.c

index 8b9e53c61d799c2274c21549aaa924d32fc8c28c..13d2349823b543da3f7d66611e81a5075e8928a1 100644 (file)
@@ -22,6 +22,7 @@ struct eap_tls_data {
        enum { START, CONTINUE, SUCCESS, FAILURE } state;
        int established;
        u8 eap_type;
+       int phase2;
 };
 
 
@@ -85,6 +86,8 @@ static void * eap_tls_init(struct eap_sm *sm)
 
        data->eap_type = EAP_TYPE_TLS;
 
+       data->phase2 = sm->init_phase2;
+
        return data;
 }
 
@@ -202,6 +205,20 @@ check_established:
                wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
                eap_tls_state(data, SUCCESS);
                eap_tls_valid_session(sm, data);
+               if (sm->serial_num) {
+                       char user[128];
+                       int user_len;
+
+                       user_len = os_snprintf(user, sizeof(user), "cert-%s",
+                                              sm->serial_num);
+                       if (eap_user_get(sm, (const u8 *) user, user_len,
+                                        data->phase2) < 0)
+                               wpa_printf(MSG_DEBUG,
+                                          "EAP-TLS: No user entry found based on the serial number of the client certificate ");
+                       else
+                               wpa_printf(MSG_DEBUG,
+                                          "EAP-TLS: Updated user entry based on the serial number of the client certificate ");
+               }
        }
 
        return res;
@@ -288,6 +305,8 @@ static void eap_tls_process(struct eap_sm *sm, void *priv,
                   "EAP-TLS: Resuming previous session");
        eap_tls_state(data, SUCCESS);
        tls_connection_set_success_data_resumed(data->ssl.conn);
+       /* TODO: Cache serial number with session and update EAP user
+        * information based on the cached serial number */
 }
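Review bot: In the check_established hunk the return value of os_snprintf() is handed to eap_user_get() as the identity length without a truncation or error check, so if "cert-" plus sm->serial_num does not fit in the 128-byte `user` buffer, user_len exceeds the buffer (or is negative on a formatting error) and the lookup reads past `user`. The usual hostap guard fits in front of the call: `if (os_snprintf_error(sizeof(user), user_len)) {` / `wpa_printf(MSG_DEBUG, "EAP-TLS: Serial number too long for user lookup");` / `} else if (eap_user_get(sm, (const u8 *) user, user_len, data->phase2) < 0)`. Whether a serial number string can actually reach that length depends on how the TLS layer formats sm->serial_num, which is not visible here, so this is a robustness guard rather than a demonstrated out-of-bounds read. A failed lookup is only logged at MSG_DEBUG; if eap_user_get() releases the previously selected user entry before performing the new lookup, a miss would leave the session without a user entry rather than keeping the identity-based one, which is worth confirming against eap_user_get() and documenting in a comment above the block. The enclosing function starts before this hunk (the check_established label) and its tail is outside the hunk as well.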