ESP-IDF
Select one of the symbols to view example projects that use it.
 
Outline
#include "utils/includes.h"
#include "utils/common.h"
#include "crypto/tls.h"
#include "eap_peer/eap_i.h"
#include "eap_peer/eap_defs.h"
#include "eap_peer/eap_tls_common.h"
#include "eap_peer/eap_config.h"
#include "eap_peer/eap_methods.h"
eap_tls_data
eap_tls_init(struct eap_sm *)
eap_tls_free_key(struct eap_tls_data *)
eap_tls_deinit(struct eap_sm *, void *)
eap_tls_failure(struct eap_sm *, struct eap_tls_data *, struct eap_method_ret *, int, struct wpabuf *, u8)
eap_tls_success(struct eap_sm *, struct eap_tls_data *, struct eap_method_ret *)
eap_tls_process(struct eap_sm *, void *, struct eap_method_ret *, const struct wpabuf *)
eap_tls_isKeyAvailable(struct eap_sm *, void *)
eap_tls_getKey(struct eap_sm *, void *, size_t *)
eap_peer_tls_register()
Files
ESP-IDF
components
app_trace
app_update
bootloader_support
bt
cmock
console
cxx
driver
efuse
esp_adc
esp_app_format
esp_bootloader_format
esp_coex
esp_common
esp_driver_ana_cmpr
esp_driver_cam
esp_driver_dac
esp_driver_gpio
esp_driver_gptimer
esp_driver_i2c
esp_driver_i2s
esp_driver_jpeg
esp_driver_ledc
esp_driver_mcpwm
esp_driver_parlio
esp_driver_pcnt
esp_driver_rmt
esp_driver_sdio
esp_driver_sdm
esp_driver_sdmmc
esp_driver_sdspi
esp_driver_spi
esp_driver_tsens
esp_driver_uart
esp_driver_usb_serial_jtag
esp_eth
esp_event
esp_gdbstub
esp_hid
esp_http_client
esp_http_server
esp_https_ota
esp_https_server
esp_hw_support
esp_lcd
esp_local_ctrl
esp_mm
esp_netif
esp_partition
esp_phy
esp_pm
esp_psram
esp_ringbuf
esp_rom
esp_security
esp_system
esp_timer
esp_vfs_console
esp_wifi
esp-tls
espcoredump
hal
heap
http_parser
ieee802154
log
mqtt
newlib
nvs_flash
nvs_sec_provider
openthread
perfmon
protobuf-c
protocomm
pthread
rt
sdmmc
soc
spi_flash
spiffs
tcp_transport
ulp
unity
vfs
wear_levelling
wifi_provisioning
wpa_supplicant
esp_supplicant
include
port
src
ap
common
crypto
drivers
eap_common
eap_peer
chap.c
chap.h
eap_common.c
eap_common.h
eap_config.h
eap_defs.h
eap_fast_common.c
eap_fast_common.h
eap_fast_pac.c
eap_fast_pac.h
eap_fast.c
eap_i.h
eap_methods.h
eap_mschapv2.c
eap_peap_common.c
eap_peap_common.h
eap_peap.c
eap_tls_common.c
eap_tls_common.h
eap_tls.c
eap_tls.h
eap_tlv_common.h
eap_ttls.c
eap_ttls.h
eap.c
eap.h
mschapv2.c
mschapv2.h
eap_server
eapol_auth
rsn_supp
tls
utils
wps
xtensa
examples
lwIP
FreeRTOS
cJSON
mbedTLS
SourceVuESP-IDF Framework and ExamplesESP-IDFcomponents/wpa_supplicant/src/eap_peer/eap_tls.c
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
/* * EAP peer method: EAP-TLS (RFC 5216, RFC 9190) * Copyright (c) 2004-2008, 2012-2019, Jouni Malinen <j@w1.fi> * * This software may be distributed under the terms of the BSD license. * See README for more details. *//* ... */ #include "utils/includes.h" #ifdef EAP_TLS #include "utils/common.h" #include "crypto/tls.h" #include "eap_peer/eap_i.h" #include "eap_peer/eap_defs.h" #include "eap_peer/eap_tls_common.h" #include "eap_peer/eap_config.h" #include "eap_peer/eap_methods.h"7 includes static void eap_tls_deinit(struct eap_sm *sm, void *priv); struct eap_tls_data { struct eap_ssl_data ssl; u8 *key_data; u8 *session_id; size_t id_len; void *ssl_ctx; u8 eap_type; struct wpabuf *pending_resp; bool prot_success_received; }{ ... }; static void * eap_tls_init(struct eap_sm *sm) { struct eap_tls_data *data; struct eap_peer_config *config = eap_get_config(sm); if (config == NULL || config->private_key == 0) { wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured"); return NULL; }{...} data = (struct eap_tls_data *)os_zalloc(sizeof(*data)); if (data == NULL) return NULL; data->ssl_ctx = sm->ssl_ctx; if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TLS)) { wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL."); eap_tls_deinit(sm, data); return NULL; }{...} data->eap_type = EAP_TYPE_TLS; return data; }{ ... } static void eap_tls_free_key(struct eap_tls_data *data) { if (data->key_data) { bin_clear_free(data->key_data, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); data->key_data = NULL; }{...} }{ ... } static void eap_tls_deinit(struct eap_sm *sm, void *priv) { struct eap_tls_data *data = priv; if (data == NULL) return; eap_peer_tls_ssl_deinit(sm, &data->ssl); eap_tls_free_key(data); os_free(data->session_id); wpabuf_free(data->pending_resp); os_free(data); }{ ... } static struct wpabuf * eap_tls_failure(struct eap_sm *sm, struct eap_tls_data *data, struct eap_method_ret *ret, int res, struct wpabuf *resp, u8 id) { wpa_printf(MSG_DEBUG, "EAP-TLS: TLS processing failed"); ret->methodState = METHOD_DONE; ret->decision = DECISION_FAIL; if (res == -1) { struct eap_peer_config *config = eap_get_config(sm); if (config) { /* * The TLS handshake failed. So better forget the old * PIN. It may be wrong, we cannot be sure but trying * the wrong one again might block it on the card--so * better ask the user again. *//* ... */ os_free(config->pin); config->pin = NULL; }{...} }{...} if (resp) { /* * This is likely an alert message, so send it instead of just * ACKing the error. *//* ... */ return resp; }{...} return eap_peer_tls_build_ack(id, data->eap_type, 0); }{ ... } static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data, struct eap_method_ret *ret) { const char *label; const u8 eap_tls13_context[] = { EAP_TYPE_TLS }; const u8 *context = NULL; size_t context_len = 0; wpa_printf(MSG_DEBUG, "EAP-TLS: Done"); if (data->ssl.tls_out) { wpa_printf(MSG_DEBUG, "EAP-TLS: Fragment(s) remaining"); return; }{...} if (data->ssl.tls_v13) { label = "EXPORTER_EAP_TLS_Key_Material"; context = eap_tls13_context; context_len = 1; /* A possible NewSessionTicket may be received before * EAP-Success, so need to allow it to be received. *//* ... */ ret->methodState = METHOD_MAY_CONT; ret->decision = DECISION_COND_SUCC; }{...} else { label = "client EAP encryption"; ret->methodState = METHOD_DONE; ret->decision = DECISION_UNCOND_SUCC; }{...} eap_tls_free_key(data); data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, label, context, context_len, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); if (data->key_data) { wpa_hexdump_key(MSG_DEBUG, "EAP-TLS: Derived key", data->key_data, EAP_TLS_KEY_LEN); wpa_hexdump_key(MSG_DEBUG, "EAP-TLS: Derived EMSK", data->key_data + EAP_TLS_KEY_LEN, EAP_EMSK_LEN); }{...} else { wpa_printf(MSG_INFO, "EAP-TLS: Failed to derive key"); }{...} os_free(data->session_id); data->session_id = eap_peer_tls_derive_session_id(sm, &data->ssl, EAP_TYPE_TLS, &data->id_len); if (data->session_id) { wpa_hexdump(MSG_DEBUG, "EAP-TLS: Derived Session-Id", data->session_id, data->id_len); }{...} else { wpa_printf(MSG_ERROR, "EAP-TLS: Failed to derive Session-Id"); }{...} }{ ... } static struct wpabuf * eap_tls_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, const struct wpabuf *reqData) { size_t left; int res; struct wpabuf *resp; u8 flags, id; const u8 *pos; struct eap_tls_data *data = priv; if (sm->waiting_ext_cert_check && data->pending_resp) { struct eap_peer_config *config = eap_get_config(sm); if (config->pending_ext_cert_check == EXT_CERT_CHECK_GOOD) { wpa_printf(MSG_DEBUG, "EAP-TLS: External certificate check succeeded - continue handshake"); resp = data->pending_resp; data->pending_resp = NULL; sm->waiting_ext_cert_check = 0; return resp; }{...} if (config->pending_ext_cert_check == EXT_CERT_CHECK_BAD) { wpa_printf(MSG_DEBUG, "EAP-TLS: External certificate check failed - force authentication failure"); ret->methodState = METHOD_DONE; ret->decision = DECISION_FAIL; sm->waiting_ext_cert_check = 0; return NULL; }{...} wpa_printf(MSG_DEBUG, "EAP-TLS: Continuing to wait external server certificate validation"); return NULL; }{...} pos = eap_peer_tls_process_init(sm, &data->ssl, data->eap_type, ret, reqData, &left, &flags); if (pos == NULL) return NULL; id = eap_get_id(reqData); if (flags & EAP_TLS_FLAGS_START) { wpa_printf(MSG_DEBUG, "EAP-TLS: Start"); left = 0; /* make sure that this frame is empty, even though it * should always be, anyway *//* ... */ }{...} resp = NULL; res = eap_peer_tls_process_helper(sm, &data->ssl, data->eap_type, 0, id, pos, left, &resp); if (res < 0) { return eap_tls_failure(sm, data, ret, res, resp, id); }{...} if (sm->waiting_ext_cert_check) { wpa_printf(MSG_DEBUG, "EAP-TLS: Waiting external server certificate validation"); wpabuf_free(data->pending_resp); data->pending_resp = resp; return NULL; }{...} /* RFC 9190 Section 2.5 */ if (res == 2 && data->ssl.tls_v13 && wpabuf_len(resp) == 1 && *wpabuf_head_u8(resp) == 0) { wpa_printf(MSG_DEBUG, "EAP-TLS: ACKing protected success indication (appl data 0x00)"); eap_peer_tls_reset_output(&data->ssl); res = 1; ret->methodState = METHOD_DONE; ret->decision = DECISION_UNCOND_SUCC; data->prot_success_received = true; }{...} if (tls_connection_established(data->ssl_ctx, data->ssl.conn) && (!data->ssl.tls_v13 || data->prot_success_received)) eap_tls_success(sm, data, ret); if (res == 1) { wpabuf_free(resp); return eap_peer_tls_build_ack(id, data->eap_type, 0); }{...} return resp; }{ ... } static bool eap_tls_isKeyAvailable(struct eap_sm *sm, void *priv) { struct eap_tls_data *data = priv; return data->key_data != NULL; }{ ... } static u8 * eap_tls_getKey(struct eap_sm *sm, void *priv, size_t *len) { struct eap_tls_data *data = priv; u8 *key; if (data->key_data == NULL) return NULL; key = os_malloc(EAP_TLS_KEY_LEN); if (key == NULL) return NULL; *len = EAP_TLS_KEY_LEN; os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); return key; }{ ... } int eap_peer_tls_register(void) { struct eap_method *eap; int ret; eap = eap_peer_method_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLS, "TLS"); if (eap == NULL) return -1; eap->init = eap_tls_init; eap->deinit = eap_tls_deinit; eap->process = eap_tls_process; eap->isKeyAvailable = eap_tls_isKeyAvailable; eap->getKey = eap_tls_getKey; ret = eap_peer_method_register(eap); if (ret) eap_peer_method_free(eap); return ret; }{ ... } /* ... */ #endif /* EAP_TLS */
Details
Show:
from
Types: Columns:
This file uses the notable symbols shown below. Click anywhere in the file to view more details.