EAP-TLS and EAP-TTLS use different constant MSK PRF label

author Andreas Steffen <andreas.steffen@strongswan.org>

Fri, 6 Aug 2010 15:33:46 +0000 (17:33 +0200)

committer Andreas Steffen <andreas.steffen@strongswan.org>

Sat, 7 Aug 2010 09:26:04 +0000 (11:26 +0200)
author Andreas Steffen <andreas.steffen@strongswan.org>
Fri, 6 Aug 2010 15:33:46 +0000 (17:33 +0200)
committer Andreas Steffen <andreas.steffen@strongswan.org>
Sat, 7 Aug 2010 09:26:04 +0000 (11:26 +0200)
diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c

index 453a4cc057941fac39a018c601b6ff6ba3019e4c..03e0d58fdd75de901451a38c039e343747834004 100644 (file)
--- a/src/libcharon/plugins/eap_tls/eap_tls.c
+++ b/src/libcharon/plugins/eap_tls/eap_tls.c
@@ -424,7 +424,8 @@ static eap_tls_t *eap_tls_create(identification_t *server,
                 },
                 .is_server = is_server,
         );
-       this->tls = tls_create(is_server, server, peer);
+       /* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
+       this->tls = tls_create(is_server, server, peer, "client EAP encryption");
  
         return &this->public;
  }
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c

index 96b4cff907090caccae8432af67eb0a290c1bca7..fa812a194529651f7d38696cfdc67f2f0ca534af 100644 (file)
--- a/src/libcharon/plugins/eap_ttls/eap_ttls.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c
@@ -424,7 +424,8 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
                 },
                 .is_server = is_server,
         );
-       this->tls = tls_create(is_server, server, peer);
+       /* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
+       this->tls = tls_create(is_server, server, peer, "ttls keying material");
  
         return &this->public;
  }
diff --git a/src/libtls/tls.c b/src/libtls/tls.c

index 4384c07497d9a5808f79a310d4d28a780df8961e..f8f7e848eef745e79ee495e116054d655742710d 100644 (file)
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -172,7 +172,7 @@ METHOD(tls_t, destroy, void,
   * See header
   */
  tls_t *tls_create(bool is_server, identification_t *server,
-                                 identification_t *peer)
+                                 identification_t *peer, char *msk_label)
  {
         private_tls_t *this;
  
@@ -193,7 +193,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
                 .peer = peer->clone(peer),
         );
  
-       this->crypto = tls_crypto_create(&this->public);
+       this->crypto = tls_crypto_create(&this->public, msk_label);
         if (is_server)
         {
                 this->handshake = &tls_server_create(&this->public, this->crypto,
diff --git a/src/libtls/tls.h b/src/libtls/tls.h

index 67ee74230433e5c9b03779be061788bcde3d9cee..923c87ae13eb4ea19221653c5e8ce5ee331e8799 100644 (file)
--- a/src/libtls/tls.h
+++ b/src/libtls/tls.h
@@ -162,9 +162,10 @@ struct tls_t {
   * @param is_server            TRUE to act as server, FALSE for client
   * @param server               server identity
   * @param peer                 peer identity
+ * @param msk_label            ASCII string constant used as seed for MSK PRF
   * @return                             TLS stack
   */
  tls_t *tls_create(bool is_server, identification_t *server,
-                                 identification_t *peer);
+                                 identification_t *peer, char *msk_label);
  
  #endif /** TLS_H_ @}*/
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c

index 0bbfd81fb55485c2d05b73948a67a173ad9d7d6d..b8eb87bf6e2f69f8323fb3f184bd4f70db70a132 100644 (file)
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -316,9 +316,14 @@ struct private_tls_crypto_t {
         chunk_t iv_out;
  
         /**
-        * EAP-TLS MSK
+        * EAP-[T]TLS MSK
          */
         chunk_t msk;
+
+       /**
+        * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
+        */
+       char *msk_label;
  };
  
  typedef struct {
@@ -855,7 +860,7 @@ METHOD(tls_crypto_t, derive_eap_msk, void,
         seed = chunk_cata("cc", client_random, server_random);
         free(this->msk.ptr);
         this->msk = chunk_alloc(64);
-       this->prf->get_bytes(this->prf, "client EAP encryption", seed,
+       this->prf->get_bytes(this->prf, this->msk_label, seed,
                                                  this->msk.len, this->msk.ptr);
  }
  
@@ -884,7 +889,7 @@ METHOD(tls_crypto_t, destroy, void,
  /**
   * See header
   */
-tls_crypto_t *tls_crypto_create(tls_t *tls)
+tls_crypto_t *tls_crypto_create(tls_t *tls, char *msk_label)
  {
         private_tls_crypto_t *this;
  
@@ -904,6 +909,7 @@ tls_crypto_t *tls_crypto_create(tls_t *tls)
                         .destroy = _destroy,
                 },
                 .tls = tls,
+               .msk_label = msk_label
         );
  
         build_cipher_suite_list(this);
diff --git a/src/libtls/tls_crypto.h b/src/libtls/tls_crypto.h

index 5fe90d86878453e19aec86477f9803dcb31a3d0d..09f1a0e8a6973cb18883da8d899674fbdb13cb24 100644 (file)
--- a/src/libtls/tls_crypto.h
+++ b/src/libtls/tls_crypto.h
@@ -359,7 +359,9 @@ struct tls_crypto_t {
  
  /**
   * Create a tls_crypto instance.
+ *
+ * @param msk_label            ASCII string constant used as seed for MSK PRF
   */
-tls_crypto_t *tls_crypto_create(tls_t *tls);
+tls_crypto_t *tls_crypto_create(tls_t *tls, char *msk_label);
  
  #endif /** TLS_CRYPTO_H_ @}*/
author	Andreas Steffen <andreas.steffen@strongswan.org>
	Fri, 6 Aug 2010 15:33:46 +0000 (17:33 +0200)
committer	Andreas Steffen <andreas.steffen@strongswan.org>
	Sat, 7 Aug 2010 09:26:04 +0000 (11:26 +0200)
src/libcharon/plugins/eap_tls/eap_tls.c		patch \| blob \| blame \| history
src/libcharon/plugins/eap_ttls/eap_ttls.c		patch \| blob \| blame \| history
src/libtls/tls.c		patch \| blob \| blame \| history
src/libtls/tls.h		patch \| blob \| blame \| history
src/libtls/tls_crypto.c		patch \| blob \| blame \| history
src/libtls/tls_crypto.h		patch \| blob \| blame \| history