From 562bc59576ddaa1adfaa89e16ef5667ac4785715 Mon Sep 17 00:00:00 2001
From: Ervin Oro <ervin.oro@aalto.fi>
Date: Mon, 11 Mar 2019 13:21:36 +0200
Subject: [PATCH] Add support for an optional context parameter to TLS exporter

Allow an additional context value to be passed to TLS exporter as
specified in RFC 5705 section 4.

This does not yet implement it for the internal TLS implementation.
However, as currently nothing uses context yet, this will not break
anything right now. WolfSSL maintainers also stated that they are not
going to add context support yet, but would look into it if/when this is
required by a published draft or a standard.

Signed-off-by: Ervin Oro <ervin.oro@aalto.fi>
---
 .../esp_supplicant/src/crypto/tls_mbedtls.c         |  9 +++++++--
 components/wpa_supplicant/src/eap_peer/eap_peap.c   |  1 +
 components/wpa_supplicant/src/eap_peer/eap_tls.c    |  1 +
 .../wpa_supplicant/src/eap_peer/eap_tls_common.c    | 13 +++++++++----
 .../wpa_supplicant/src/eap_peer/eap_tls_common.h    |  3 ++-
 components/wpa_supplicant/src/eap_peer/eap_ttls.c   |  4 +++-
 6 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
index 42b846a802..274ed6af70 100644
--- a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
+++ b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
@@ -997,9 +997,13 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
 }
 
 static int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
-		       const char *label, int server_random_first,
+		       const char *label, const u8 *context,
+		       size_t context_len, int server_random_first,
 		       u8 *out, size_t out_len)
 {
+	if (context)
+		return -1;
+
 	int ret;
 	u8 seed[2 * TLS_RANDOM_LEN];
 	mbedtls_ssl_context *ssl = &conn->tls->ssl;
@@ -1038,7 +1042,8 @@ int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
 			      const char *label, const u8 *context,
 			      size_t context_len, u8 *out, size_t out_len)
 {
-	return tls_connection_prf(tls_ctx, conn, label, 0, out, out_len);
+	return tls_connection_prf(tls_ctx, conn, label,context, context_len,
+			0, out, out_len);
 }
 
 int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
diff --git a/components/wpa_supplicant/src/eap_peer/eap_peap.c b/components/wpa_supplicant/src/eap_peer/eap_peap.c
index 0c52ad92a3..a4cf1a2376 100644
--- a/components/wpa_supplicant/src/eap_peer/eap_peap.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_peap.c
@@ -1204,6 +1204,7 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
 				   "key derivation", label);
 			data->key_data =
 				eap_peer_tls_derive_key(sm, &data->ssl, label,
+							NULL, 0,
 							EAP_TLS_KEY_LEN +
 							EAP_EMSK_LEN);
 			if (data->key_data) {
diff --git a/components/wpa_supplicant/src/eap_peer/eap_tls.c b/components/wpa_supplicant/src/eap_peer/eap_tls.c
index ec16b1eb68..6e219fbf31 100644
--- a/components/wpa_supplicant/src/eap_peer/eap_tls.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_tls.c
@@ -146,6 +146,7 @@ static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data,
 
 	eap_tls_free_key(data);
 	data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, label,
+						 NULL, 0,
 						 EAP_TLS_KEY_LEN +
 						 EAP_EMSK_LEN);
 	if (data->key_data) {
diff --git a/components/wpa_supplicant/src/eap_peer/eap_tls_common.c b/components/wpa_supplicant/src/eap_peer/eap_tls_common.c
index ea1ad72571..8fe3a3a033 100644
--- a/components/wpa_supplicant/src/eap_peer/eap_tls_common.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_tls_common.c
@@ -256,6 +256,8 @@ void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
  * @data: Data for TLS processing
  * @label: Label string for deriving the keys, e.g., "client EAP encryption"
+ * @context: Optional extra upper-layer context (max len 2^16)
+ * @context_len: The length of the context value
  * @len: Length of the key material to generate (usually 64 for MSK)
  * Returns: Pointer to allocated key on success or %NULL on failure
  *
@@ -264,9 +266,12 @@ void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
  * different label to bind the key usage into the generated material.
  *
  * The caller is responsible for freeing the returned buffer.
+ *
+ * Note: To provide the RFC 5705 context, the context variable must be non-NULL.
  */
 u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
-			     const char *label, size_t len)
+			     const char *label, const u8 *context,
+			     size_t context_len, size_t len)
 {
 	u8 *out;
 
@@ -274,8 +279,8 @@ u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
 	if (out == NULL)
 		return NULL;
 
-	if (tls_connection_export_key(data->ssl_ctx, data->conn, label, 0, 0, out,
-				len)) {
+	if (tls_connection_export_key(data->ssl_ctx, data->conn, label,
+				      context, context_len, out, len)) {
 		os_free(out);
 		return NULL;
 	}
@@ -315,7 +320,7 @@ u8 * eap_peer_tls_derive_session_id(struct eap_sm *sm,
 		if (!id)
 			return NULL;
 		method_id = eap_peer_tls_derive_key(
-			sm, data, "EXPORTER_EAP_TLS_Method-Id", 64);
+			sm, data, "EXPORTER_EAP_TLS_Method-Id", NULL, 0, 64);
 		if (!method_id) {
 			os_free(id);
 			return NULL;
diff --git a/components/wpa_supplicant/src/eap_peer/eap_tls_common.h b/components/wpa_supplicant/src/eap_peer/eap_tls_common.h
index fea1458ee9..de91692c7a 100644
--- a/components/wpa_supplicant/src/eap_peer/eap_tls_common.h
+++ b/components/wpa_supplicant/src/eap_peer/eap_tls_common.h
@@ -103,7 +103,8 @@ int eap_peer_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
 			  struct eap_peer_config *config, u8 eap_type);
 void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data);
 u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
-			     const char *label, size_t len);
+			     const char *label, const u8 *context,
+			     size_t context_len, size_t len);
 u8 * eap_peer_tls_derive_session_id(struct eap_sm *sm,
 				    struct eap_ssl_data *data, u8 eap_type,
 				    size_t *len);
diff --git a/components/wpa_supplicant/src/eap_peer/eap_ttls.c b/components/wpa_supplicant/src/eap_peer/eap_ttls.c
index 527cea5c74..0005c427c7 100644
--- a/components/wpa_supplicant/src/eap_peer/eap_ttls.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_ttls.c
@@ -220,6 +220,7 @@ static int eap_ttls_v0_derive_key(struct eap_sm *sm,
 	eap_ttls_free_key(data);
 	data->key_data = eap_peer_tls_derive_key(sm, &data->ssl,
 						 "ttls keying material",
+						 NULL, 0,
 						 EAP_TLS_KEY_LEN);
 	if (!data->key_data) {
 		wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to derive key");
@@ -251,7 +252,8 @@ static int eap_ttls_v0_derive_key(struct eap_sm *sm,
 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
 			    struct eap_ttls_data *data, size_t len)
 {
-	return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge", len);
+	return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge",
+				       NULL, 0, len);
 }
 #endif /* CONFIG_FIPS */