From e1b0ff3f6973be59b5fb055bdad32ab6a19f114e Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Wed, 20 Feb 2013 08:40:54 -0500
Subject: [PATCH] Make EAP-Key-Name things work

---
 raddb/sites-available/default | 14 ++++++++++++-
 src/modules/rlm_eap/libeap/eap_tls.c | 2 ++
 src/modules/rlm_eap/libeap/mppe_keys.c | 38 ++++++++++++++++++++++++++++++++--
 3 files changed, 51 insertions(+), 3 deletions(-)

diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index 7012948..0aa0054 100644
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -710,9 +710,21 @@ post-auth {
 # RFC 2865 behaviour for the class attribute, AND if the NAS
 # supports long Class attributes. Many older or cheap NASes
 # only support 16-octet Class attributes.
- #
 # insert_acct_class

+ # MacSEC requires the use of EAP-Key-Name. However, we don't
+ # want to send it for all EAP sessions. Therefore, the EAP
+ # modules put required data into the EAP-Session-Id attribute.
+ # This attribute is never put into a request or reply packet.
+ #
+ # Uncomment the next few lines to copy the required data into
+ # the EAP-Key-Name attribute
+# if (reply:EAP-Session-Id) {
+# update reply {
+# EAP-Key-Name := "%{reply:EAP-Session-Id}"
+# }
+# }
+
 # Remove reply message if the response contains an EAP-Message
 remove_reply_message_if_eap

diff --git a/src/modules/rlm_eap/libeap/eap_tls.c b/src/modules/rlm_eap/libeap/eap_tls.c
index f7d8a9e..9843d39 100644
--- a/src/modules/rlm_eap/libeap/eap_tls.c
+++ b/src/modules/rlm_eap/libeap/eap_tls.c
@@ -199,6 +199,8 @@ int eaptls_success(EAP_HANDLER *handler, int peap_flag)
 RDEBUGW("Not adding MPPE keys because there is no PRF label");
 }

+ eaptls_gen_eap_key(tls_session->ssl,
+ handler->eap_type, &handler->request->reply->vps);
 return 1;
 }

diff --git a/src/modules/rlm_eap/libeap/mppe_keys.c b/src/modules/rlm_eap/libeap/mppe_keys.c
index 7951826..9fdcd36 100644
--- a/src/modules/rlm_eap/libeap/mppe_keys.c
+++ b/src/modules/rlm_eap/libeap/mppe_keys.c
@@ -132,6 +132,11 @@ void eaptls_gen_mppe_keys(VALUE_PAIR **reply_vps, SSL *s,
 unsigned char *p = seed;
 size_t prf_size;

+ if (!s->s3) {
+ DEBUG("ERROR: No SSLv3 information");
+ return;
+ }
+
 prf_size = strlen(prf_label);
 memcpy(p, prf_label, prf_size);

@@ -171,8 +176,13 @@ void eapttls_gen_challenge(SSL *s, uint8_t *buffer, size_t size)
 uint8_t seed[sizeof(FR_TLS_PRF_CHALLENGE)-1 + 2*SSL3_RANDOM_SIZE];
 uint8_t *p = seed;

- memcpy(p, FR_TLS_PRF_CHALLENGE, sizeof(FR_TLS_PRF_CHALLENGE)-1);
- p += sizeof(FR_TLS_PRF_CHALLENGE)-1;
+ if (!s->s3) {
+ DEBUG("ERROR: No SSLv3 information");
+ return;
+ }
+
+ memcpy(p, EAPTLS_PRF_CHALLENGE, sizeof(EAPTLS_PRF_CHALLENGE)-1);
+ p += sizeof(EAPTLS_PRF_CHALLENGE)-1;
 memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
 p += SSL3_RANDOM_SIZE;
 memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
@@ -182,3 +192,27 @@ void eapttls_gen_challenge(SSL *s, uint8_t *buffer, size_t size)

 memcpy(buffer, out, size);
 }
+
+/*
+ * Actually generates EAP-Session-Id, which is an internal server
+ * attribute. Not all systems want to send EAP-Key-Nam
+ */
+void eaptls_gen_eap_key(SSL *s, uint32_t header, VALUE_PAIR **vps)
+{
+ VALUE_PAIR *vp;
+
+ if (!s->s3) {
+ DEBUG("ERROR: No SSLv3 information");
+ return;
+ }
+
+ vp = paircreate(PW_EAP_SESSION_ID, PW_TYPE_OCTETS);
+ if (!vp) return;
+
+ vp->vp_octets[0] = header & 0xff;
+ memcpy(vp->vp_octets + 1, s->s3->client_random, SSL3_RANDOM_SIZE);
+ memcpy(vp->vp_octets + 1 + SSL3_RANDOM_SIZE,
+ s->s3->server_random, SSL3_RANDOM_SIZE);
+ vp->length = 1 + 2 * SSL3_RANDOM_SIZE;
+ pairadd(vps, vp);
+}
-- 
2.1.4
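Review bot: In the eapttls_gen_challenge hunk the `seed` array is still declared as `uint8_t seed[sizeof(FR_TLS_PRF_CHALLENGE)-1 + 2*SSL3_RANDOM_SIZE];` (first context line) while the two rewritten lines now copy `sizeof(EAPTLS_PRF_CHALLENGE)-1` bytes into it, so if the two macros expand to labels of different lengths the memcpy and the client/server random copies that follow overrun the stack buffer. The declaration should be switched to the same macro, `uint8_t seed[sizeof(EAPTLS_PRF_CHALLENGE)-1 + 2*SSL3_RANDOM_SIZE];`, so the size and the copy cannot drift apart. If both names currently expand to the same string this is harmless today, but it is a latent overflow that only needs one of the definitions to change. The rest of eapttls_gen_challenge (the PRF call and `out`) lies outside the hunk.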
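Review bot: eaptls_gen_eap_key is a new non-static function that eap_tls.c now calls, but the diffstat lists no header change, so unless eap_tls.h already declares it the call site in eaptls_success compiles against an implicit declaration; add `void eaptls_gen_eap_key(SSL *s, uint32_t header, VALUE_PAIR **vps);` to the libeap header. The header comment is also cut off ("EAP-Key-Nam") and does not describe the value; I would replace it with a comment saying that the function builds the internal EAP-Session-Id attribute as one octet of EAP type (`header & 0xff`) followed by client_random and server_random (SSL3_RANDOM_SIZE bytes each), that the reply-side copy into EAP-Key-Name is left to the site configuration, and that it returns silently when `s->s3` is NULL or paircreate() fails. `header & 0xff` keeps only the low byte of `handler->eap_type`, which presumably is fine for the standard one-octet type codes; confirm that no expanded-type value can reach this call.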