From 063cbb87a6d29ed6ce0a50888a354a1dd7227a62 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 7 Oct 2018 16:49:26 +0300
Subject: [PATCH] EAP server: Add eap_get_serial_num()
This can be used to fetch the serial number of the peer certificate during TLS-based EAP session.
Signed-off-by: Jouni Malinen
---
 src/eap_server/eap.h | 1 +
 src/eap_server/eap_i.h | 1 +
 src/eap_server/eap_server.c | 12 ++++++++++++
 src/eap_server/eap_server_tls_common.c | 5 +++++
 4 files changed, 19 insertions(+)
diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h
index bb3641f84..4fbc661c2 100644
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@@ -152,6 +152,7 @@ void eap_sm_notify_cached(struct eap_sm *sm);
 void eap_sm_pending_cb(struct eap_sm *sm);
 int eap_sm_method_pending(struct eap_sm *sm);
 const u8 * eap_get_identity(struct eap_sm *sm, size_t *len);
+const char * eap_get_serial_num(struct eap_sm *sm);
 struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm);
 void eap_server_clear_identity(struct eap_sm *sm);
 void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index 3d6f8d53a..cf8a9f0d9 100644
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -159,6 +159,7 @@ struct eap_sm {
 void *eap_method_priv;
 u8 *identity;
 size_t identity_len;
+ char *serial_num;
 /* Whether Phase 2 method should validate identity match */
 int require_identity_match;
 int lastId; /* Identifier used in the last EAP-Packet */
diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
index c9da72e9e..38a1b5c9e 100644
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@@ -1920,6 +1920,7 @@ void eap_server_sm_deinit(struct eap_sm *sm)
 wpabuf_free(sm->lastReqData);
 wpabuf_free(sm->eap_if.eapRespData);
 os_free(sm->identity);
+ os_free(sm->serial_num);
 os_free(sm->pac_opaque_encr_key);
 os_free(sm->eap_fast_a_id);
 os_free(sm->eap_fast_a_id_info);
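Review bot: The new `char *serial_num;` member added to `struct eap_sm` in the eap_i.h hunk carries no comment, unlike the neighbouring `require_identity_match` and `lastId`, so its ownership and lifetime can only be discovered by reading the `os_free(sm->serial_num)` added to `eap_server_sm_deinit()` and the assignment in eap_server_tls_common.c. I would document it inline as `char *serial_num; /* Peer certificate serial number from the TLS-based EAP handshake; allocated string owned by this struct, NULL until set */`. The struct definition itself begins and ends outside the hunk, so I cannot see whether any other reset path (e.g. identity clearing) should also touch this field.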
@@ -1991,6 +1992,17 @@ const u8 * eap_get_identity(struct eap_sm *sm, size_t *len)
 }
+/**
+ * eap_get_serial_num - Get the serial number of user certificate
+ * @sm: Pointer to EAP state machine allocated with eap_server_sm_init()
+ * Returns: Pointer to the serial number or %NULL if not available
+ */
+const char * eap_get_serial_num(struct eap_sm *sm)
+{
+ return sm->serial_num;
+}
+
+
 void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len)
 {
 #ifdef CONFIG_ERP
diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index 4f9cb0875..0ae7867fc 100644
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -341,6 +341,11 @@ int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
 data->tls_v13 = os_strcmp(buf, "TLSv1.3") == 0;
 }
+ if (!sm->serial_num &&
+ tls_connection_established(sm->ssl_ctx, data->conn))
+ sm->serial_num = tls_connection_peer_serial_num(sm->ssl_ctx,
+ data->conn);
+
 return 0;
 }
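Review bot: The kernel-doc on the new `eap_get_serial_num()` describes a "user certificate" while the value is actually filled from `tls_connection_peer_serial_num()` in the eap_server_tls_common.c hunk, and it does not warn callers that an X.509 serial number is unique only within a single issuer's namespace. I would reword the summary line to `* eap_get_serial_num - Get the serial number of the peer (client) certificate` and extend the Returns text with `* The serial number is unique only per issuing CA; do not use it alone as an identity key.`. The comment should also state that the returned pointer is owned by @sm and remains valid only until `eap_server_sm_deinit()` frees it, which is where this patch releases the string.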
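Review bot: The new block in `eap_server_tls_phase1()` only fetches the peer serial while `sm->serial_num` is NULL, so once set the value is never refreshed or cleared on this `struct eap_sm`; if a later TLS handshake on the same state machine presents a different client certificate (a method restart or re-handshake after a failed phase 1 — I cannot confirm from this hunk whether that can happen), `eap_get_serial_num()` would keep reporting the earlier certificate's serial. I would either reset it wherever the TLS connection is (re)initialised, `os_free(sm->serial_num); sm->serial_num = NULL;`, or drop the `!sm->serial_num` guard and free the previous value before assigning. A NULL result from `tls_connection_peer_serial_num()` (presumably when no client certificate is available) simply leaves the field NULL, which matches the accessor's documented %NULL, but a one-line comment saying so would help the next reader. `eap_server_tls_phase1()` begins before the hunk.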