# RFC 2865 behaviour for the class attribute, AND if the NAS
# supports long Class attributes. Many older or cheap NASes
# only support 16-octet Class attributes.
- #
# insert_acct_class
+ # MacSEC requires the use of EAP-Key-Name. However, we don't
+ # want to send it for all EAP sessions. Therefore, the EAP
+ # modules put required data into the EAP-Session-Id attribute.
+ # This attribute is never put into a request or reply packet.
+ #
+ # Uncomment the next few lines to copy the required data into
+ # the EAP-Key-Name attribute
+# if (reply:EAP-Session-Id) {
+# update reply {
+# EAP-Key-Name := "%{reply:EAP-Session-Id}"
+# }
+# }
+
# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
unsigned char *p = seed;
size_t prf_size;
+ if (!s->s3) {
+ DEBUG("ERROR: No SSLv3 information");
+ return;
+ }
+
prf_size = strlen(prf_label);
memcpy(p, prf_label, prf_size);
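Review bot: The guard added at L23-L26 returns silently from what the bare `return;` suggests is a void function, so the caller has no way to tell that no key material was derived and whatever its output buffer held beforehand is used as-is; unless that buffer is pre-zeroed by the caller or the function gains a status return, a missing `s->s3` turns into a silent use of unwritten key material. At minimum the early exit deserves a why-comment, e.g. `/* no SSLv3/TLS state: nothing to seed the PRF with */`, so the next reader knows the output is deliberately left untouched. The same four-line guard is repeated verbatim at L34-L37 and L55-L58; a small `static` helper, or one shared comment, would keep the three copies in step. The enclosing function begins and ends outside the hunk.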
uint8_t seed[sizeof(FR_TLS_PRF_CHALLENGE)-1 + 2*SSL3_RANDOM_SIZE];
uint8_t *p = seed;
- memcpy(p, FR_TLS_PRF_CHALLENGE, sizeof(FR_TLS_PRF_CHALLENGE)-1);
- p += sizeof(FR_TLS_PRF_CHALLENGE)-1;
+ if (!s->s3) {
+ DEBUG("ERROR: No SSLv3 information");
+ return;
+ }
+
+ memcpy(p, EAPTLS_PRF_CHALLENGE, sizeof(EAPTLS_PRF_CHALLENGE)-1);
+ p += sizeof(EAPTLS_PRF_CHALLENGE)-1;
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE;
memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
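Review bot: The buffer and the copy now use different macros: `seed` at L30 is still sized with `sizeof(FR_TLS_PRF_CHALLENGE)-1` while L39-L40 copy `EAPTLS_PRF_CHALLENGE` into it, so if the two labels ever differ in length the fixed stack buffer is either overrun or left partly unfilled before the two random values are appended. Sizing the buffer from the macro that is actually copied keeps them coupled: `uint8_t seed[sizeof(EAPTLS_PRF_CHALLENGE)-1 + 2*SSL3_RANDOM_SIZE];`. Whether the two macros currently expand to the same length cannot be seen from the hunk. The enclosing function starts and ends outside the hunk.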
memcpy(buffer, out, size);
}
+
+/*
+ * Actually generates EAP-Session-Id, which is an internal server
+ * attribute. Not all systems want to send EAP-Key-Nam
+ */
+void eaptls_gen_eap_key(SSL *s, uint32_t header, VALUE_PAIR **vps)
+{
+ VALUE_PAIR *vp;
+
+ if (!s->s3) {
+ DEBUG("ERROR: No SSLv3 information");
+ return;
+ }
+
+ vp = paircreate(PW_EAP_SESSION_ID, PW_TYPE_OCTETS);
+ if (!vp) return;
+
+ vp->vp_octets[0] = header & 0xff;
+ memcpy(vp->vp_octets + 1, s->s3->client_random, SSL3_RANDOM_SIZE);
+ memcpy(vp->vp_octets + 1 + SSL3_RANDOM_SIZE,
+ s->s3->server_random, SSL3_RANDOM_SIZE);
+ vp->length = 1 + 2 * SSL3_RANDOM_SIZE;
+ pairadd(vps, vp);
+}
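Review bot: `eaptls_gen_eap_key` writes `1 + 2 * SSL3_RANDOM_SIZE` bytes into `vp->vp_octets` at L63-L67 with nothing relating that length to the attribute's storage; if `vp_octets` is a fixed-size array inside `VALUE_PAIR` the fit is silent today, and a guard such as `if (1 + 2 * SSL3_RANDOM_SIZE > sizeof(vp->vp_octets)) { pairfree(&vp); return; }` would make the invariant explicit rather than implicit. The header comment at L47-L50 is also cut off (`EAP-Key-Nam`) and does not describe the layout; it should state that the attribute is the low byte of `header` followed by `client_random` and `server_random`, that `header` is presumably the EAP method type (confirm against the callers), and that ownership of `vp` passes to `*vps` through `pairadd`. The early `return` at L61 on allocation failure leaves the caller without an EAP-Session-Id and without any log line, which is worth a one-line comment if that is the intended best-effort behaviour.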