From 529ae6e683e71f3397fc2195c754ba35af6a1ae8 Mon Sep 17 00:00:00 2001 From: Andrew Zaborowski Date: Mon, 10 Dec 2018 14:51:36 +0100 Subject: [PATCH] eap-tls: Check AP identity in tls ready callbck Check that the TLS logic has verified the server is trusted by the CA if one was configured. This is more of an assert as ell intentionally only allows empty certificate chains from the peer in server mode (if a CA certficate is set) although this could be made configurable. --- src/eap-tls-common.c | 7 ++++++- src/eap-tls.c | 2 -- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/eap-tls-common.c b/src/eap-tls-common.c index 2ba0b9e4..81e32b3c 100644 --- a/src/eap-tls-common.c +++ b/src/eap-tls-common.c @@ -217,7 +217,12 @@ static void eap_tls_tunnel_ready(const char *peer_identity, void *user_data) struct eap_state *eap = user_data; struct eap_tls_state *eap_tls = eap_get_data(eap); - /* TODO: if we have a CA certificate require non-NULL peer_identity */ + if (eap_tls->ca_cert && !peer_identity) { + l_error("%s: TLS did not verify AP identity", + eap_get_method_name(eap)); + eap_method_error(eap); + return; + } /* * Since authenticator may not send us EAP-Success/EAP-Failure diff --git a/src/eap-tls.c b/src/eap-tls.c index 3233ae35..88b26f61 100644 --- a/src/eap-tls.c +++ b/src/eap-tls.c @@ -39,8 +39,6 @@ static bool eap_tls_tunnel_ready(struct eap_state *eap, uint8_t msk_emsk[128]; uint8_t iv[64]; - /* TODO: if we have a CA certificate require non-NULL peer_identity */ - eap_method_success(eap); eap_tls_common_set_completed(eap);