3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-25 17:59:25 +01:00

eap-tls: Check AP identity in tls ready callbck

Check that the TLS logic has verified the server is trusted by the CA if
one was configured.  This is more of an assert as ell intentionally only
allows empty certificate chains from the peer in server mode (if a CA
certficate is set) although this could be made configurable.
This commit is contained in:
Andrew Zaborowski 2018-12-10 14:51:36 +01:00 committed by Denis Kenzior
parent 57ce6d0ca5
commit 529ae6e683
2 changed files with 6 additions and 3 deletions

View File

@ -217,7 +217,12 @@ static void eap_tls_tunnel_ready(const char *peer_identity, void *user_data)
struct eap_state *eap = user_data; struct eap_state *eap = user_data;
struct eap_tls_state *eap_tls = eap_get_data(eap); struct eap_tls_state *eap_tls = eap_get_data(eap);
/* TODO: if we have a CA certificate require non-NULL peer_identity */ if (eap_tls->ca_cert && !peer_identity) {
l_error("%s: TLS did not verify AP identity",
eap_get_method_name(eap));
eap_method_error(eap);
return;
}
/* /*
* Since authenticator may not send us EAP-Success/EAP-Failure * Since authenticator may not send us EAP-Success/EAP-Failure

View File

@ -39,8 +39,6 @@ static bool eap_tls_tunnel_ready(struct eap_state *eap,
uint8_t msk_emsk[128]; uint8_t msk_emsk[128];
uint8_t iv[64]; uint8_t iv[64];
/* TODO: if we have a CA certificate require non-NULL peer_identity */
eap_method_success(eap); eap_method_success(eap);
eap_tls_common_set_completed(eap); eap_tls_common_set_completed(eap);