Make EAP-Key-Name things work

diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index 7012948..0aa0054 100644 (file)
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -710,9 +710,21 @@ post-auth {
        #  RFC 2865 behaviour for the class attribute, AND if the NAS
        #  supports long Class attributes.  Many older or cheap NASes
        #  only support 16-octet Class attributes.
-       #
 #      insert_acct_class
 
+       #  MacSEC requires the use of EAP-Key-Name.  However, we don't
+       #  want to send it for all EAP sessions.  Therefore, the EAP
+       #  modules put required data into the EAP-Session-Id attribute.
+       #  This attribute is never put into a request or reply packet.
+       #
+       #  Uncomment the next few lines to copy the required data into
+       #  the EAP-Key-Name attribute
+#      if (reply:EAP-Session-Id) {
+#              update reply {
+#                      EAP-Key-Name := "%{reply:EAP-Session-Id}"
+#              }
+#      }
+
        #  Remove reply message if the response contains an EAP-Message
        remove_reply_message_if_eap
 

diff --git a/src/modules/rlm_eap/libeap/eap_tls.c b/src/modules/rlm_eap/libeap/eap_tls.c
index f7d8a9e..9843d39 100644 (file)
--- a/src/modules/rlm_eap/libeap/eap_tls.c
+++ b/src/modules/rlm_eap/libeap/eap_tls.c
@@ -199,6 +199,8 @@ int eaptls_success(EAP_HANDLER *handler, int peap_flag)
                RDEBUGW("Not adding MPPE keys because there is no PRF label");
        }
 
+       eaptls_gen_eap_key(tls_session->ssl,
+                          handler->eap_type, &handler->request->reply->vps);
        return 1;
 }
 

diff --git a/src/modules/rlm_eap/libeap/mppe_keys.c b/src/modules/rlm_eap/libeap/mppe_keys.c
index 7951826..9fdcd36 100644 (file)
--- a/src/modules/rlm_eap/libeap/mppe_keys.c
+++ b/src/modules/rlm_eap/libeap/mppe_keys.c
@@ -132,6 +132,11 @@ void eaptls_gen_mppe_keys(VALUE_PAIR **reply_vps, SSL *s,
        unsigned char *p = seed;
        size_t prf_size;
 
+       if (!s->s3) {
+               DEBUG("ERROR: No SSLv3 information");
+               return;
+       }
+
        prf_size = strlen(prf_label);
 
        memcpy(p, prf_label, prf_size);
@@ -171,8 +176,13 @@ void eapttls_gen_challenge(SSL *s, uint8_t *buffer, size_t size)
        uint8_t seed[sizeof(FR_TLS_PRF_CHALLENGE)-1 + 2*SSL3_RANDOM_SIZE];
        uint8_t *p = seed;
 
-       memcpy(p, FR_TLS_PRF_CHALLENGE, sizeof(FR_TLS_PRF_CHALLENGE)-1);
-       p += sizeof(FR_TLS_PRF_CHALLENGE)-1;
+       if (!s->s3) {
+               DEBUG("ERROR: No SSLv3 information");
+               return;
+       }
+
+       memcpy(p, EAPTLS_PRF_CHALLENGE, sizeof(EAPTLS_PRF_CHALLENGE)-1);
+       p += sizeof(EAPTLS_PRF_CHALLENGE)-1;
        memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
        p += SSL3_RANDOM_SIZE;
        memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
@@ -182,3 +192,27 @@ void eapttls_gen_challenge(SSL *s, uint8_t *buffer, size_t size)
 
        memcpy(buffer, out, size);
 }
+
+/*
+ *     Actually generates EAP-Session-Id, which is an internal server
+ *     attribute.  Not all systems want to send EAP-Key-Nam
+ */
+void eaptls_gen_eap_key(SSL *s, uint32_t header, VALUE_PAIR **vps)
+{
+       VALUE_PAIR *vp;
+
+       if (!s->s3) {
+               DEBUG("ERROR: No SSLv3 information");
+               return;
+       }
+
+       vp = paircreate(PW_EAP_SESSION_ID, PW_TYPE_OCTETS);
+       if (!vp) return;
+
+       vp->vp_octets[0] = header & 0xff;
+       memcpy(vp->vp_octets + 1, s->s3->client_random, SSL3_RANDOM_SIZE);
+       memcpy(vp->vp_octets + 1 + SSL3_RANDOM_SIZE,
+              s->s3->server_random, SSL3_RANDOM_SIZE);
+       vp->length = 1 + 2 * SSL3_RANDOM_SIZE;
+       pairadd(vps, vp);
+}