DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Add support for an optional context parameter to TLS exporter

Browse source 
Allow an additional context value to be passed to TLS exporter as
specified in RFC 5705 section 4.

This does not yet implement it for the internal TLS implementation.
However, as currently nothing uses context yet, this will not break
anything right now. WolfSSL maintainers also stated that they are not
going to add context support yet, but would look into it if/when this is
required by a published draft or a standard.

Signed-off-by: Ervin Oro <ervin.oro@aalto.fi>
This commit is contained in:
Ervin Oro 2019-03-11 13:21:36 +02:00 committed by Jouni Malinen
parent fab49f6145
commit a916ff5cd8
16 changed files with 62 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

13
src/eap_peer/eap_tls_common.c
View file

@ -349,6 +349,8 @@ void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
* @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
* @data: Data for TLS processing
* @label: Label string for deriving the keys, e.g., "client EAP encryption"
* @context: Optional extra upper-layer context (max len 2^16)
* @context_len: The length of the context value
* @len: Length of the key material to generate (usually 64 for MSK)
* Returns: Pointer to allocated key on success or %NULL on failure
*
@ -357,9 +359,12 @@ void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
* different label to bind the key usage into the generated material.
*
* The caller is responsible for freeing the returned buffer.
*
* Note: To provide the RFC 5705 context, the context variable must be non-NULL.
*/
u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
const char *label, size_t len)
const char *label, const u8 *context,
size_t context_len, size_t len)
{
u8 *out;
@ -367,8 +372,8 @@ u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
if (out == NULL)
return NULL;
if (tls_connection_export_key(data->ssl_ctx, data->conn, label, out,
len)) {
if (tls_connection_export_key(data->ssl_ctx, data->conn, label,
context, context_len, out, len)) {
os_free(out);
return NULL;
}
@ -409,7 +414,7 @@ u8 * eap_peer_tls_derive_session_id(struct eap_sm *sm,
if (!id)
return NULL;
method_id = eap_peer_tls_derive_key(
sm, data, "EXPORTER_EAP_TLS_Method-Id", 64);
sm, data, "EXPORTER_EAP_TLS_Method-Id", NULL, 0, 64);
if (!method_id) {
os_free(id);
return NULL;