mirror of
https://git.kernel.org/pub/scm/network/wireless/iwd.git
synced 2025-01-27 00:24:07 +01:00
eap-tls: Check AP identity in tls ready callbck
Check that the TLS logic has verified the server is trusted by the CA if one was configured. This is more of an assert, as ell intentionally only allows empty certificate chains from the peer in server mode (if a CA certificate is set), although this could be made configurable.
parent
57ce6d0ca5
commit
529ae6e683
@ -217,7 +217,12 @@ static void eap_tls_tunnel_ready(const char *peer_identity, void *user_data)
|
||||
struct eap_state *eap = user_data;
|
||||
struct eap_tls_state *eap_tls = eap_get_data(eap);
|
||||
|
||||
/* TODO: if we have a CA certificate require non-NULL peer_identity */
|
||||
if (eap_tls->ca_cert && !peer_identity) {
|
||||
l_error("%s: TLS did not verify AP identity",
|
||||
eap_get_method_name(eap));
|
||||
eap_method_error(eap);
|
||||
return;
|
||||
}
|
||||
|
||||
/*
|
||||
* Since authenticator may not send us EAP-Success/EAP-Failure
|
||||
|
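Review bot: The guard `if (eap_tls->ca_cert && !peer_identity)` only tests that a peer identity is present; in the visible lines the string is never compared with an expected server name, so any certificate that chains to the configured CA is accepted. When the CA also issues certificates to other parties, that is weaker than authenticating one specific server, and when no CA is configured the check is skipped entirely. I would say so in a comment above the check, e.g. `/* Chain-to-CA check only: the subject in peer_identity is not matched against an expected server name */`, and treat subject or domain matching as a follow-up. The body of eap_tls_tunnel_ready continues past the end of this hunk, so a comparison further down cannot be ruled out from here.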
@ -39,8 +39,6 @@ static bool eap_tls_tunnel_ready(struct eap_state *eap,
|
||||
uint8_t msk_emsk[128];
|
||||
uint8_t iv[64];
|
||||
|
||||
/* TODO: if we have a CA certificate require non-NULL peer_identity */
|
||||
|
||||
eap_method_success(eap);
|
||||
eap_tls_common_set_completed(eap);
|
||||
|
||||
|