Added preliminary support for EAP-Key-Name

We use EAP-Session-Id internally, as not everyone wants to send
EAP-Key-Name in a packet.  The eaptls_gen_eap_key() function
generates the EAP-Session-Id.  The eaptls_success() function
calls the "gen key" function on success.  This means that
the key is available on all TLS-based EAP methods

If someone wants to send EAP-Key-Name, they should use unlang
to make EAP-Session-Id to EAP-Key-Name

diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index f9dfe8ae3754ee7284daf90b9744c69e125b607b..f602702637cc4e52b7001bcf8830a22f0709ea75 100644 (file)
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -225,6 +225,9 @@ ATTRIBUTE   Cache-Entry-Hits                        1142    integer
 
 VALUE  Cache-Status-Only               no                      0
 VALUE  Cache-Status-Only               yes                     1
+
+ATTRIBUTE      EAP-Session-Id                          1146    octets
+
 #
 #      Range:  1200-1279
 #              EAP-SIM (and other EAP type) weirdness.

diff --git a/src/include/radius.h b/src/include/radius.h
index 3e06aedb2517d86950d980b69e48bb1a5737b7ee..ab9343175a2b3e7355bf63a74788b111525276d2 100644 (file)
--- a/src/include/radius.h
+++ b/src/include/radius.h
@@ -237,6 +237,8 @@
 #define PW_CACHE_STATUS_ONLY           1141
 #define PW_CACHE_ENTRY_HITS            1142
 
+#define PW_EAP_SESSION_ID              1146
+
 /*
  *     Integer Translations
  */

diff --git a/src/modules/rlm_eap/libeap/eap_tls.c b/src/modules/rlm_eap/libeap/eap_tls.c
index 46410956aa4fb7f1a4b3d2e25b0b490d1e702d17..2e25cc4740cdfd84215baa7b734e6305b3de806e 100644 (file)
--- a/src/modules/rlm_eap/libeap/eap_tls.c
+++ b/src/modules/rlm_eap/libeap/eap_tls.c
@@ -223,6 +223,8 @@ int eaptls_success(EAP_HANDLER *handler, int peap_flag)
                RDEBUG("WARNING: Not adding MPPE keys because there is no PRF label");
        }
 
+       eaptls_gen_eap_key(tls_session->ssl->session,
+                          handler->eap_type, request);
        return 1;
 }
 

diff --git a/src/modules/rlm_eap/libeap/eap_tls.h b/src/modules/rlm_eap/libeap/eap_tls.h
index ff3098e566f992be55eb3967d12825eda954f63e..53f5dc786864ec11c6fd082523f088c202ac8d28 100644 (file)
--- a/src/modules/rlm_eap/libeap/eap_tls.h
+++ b/src/modules/rlm_eap/libeap/eap_tls.h
@@ -194,6 +194,7 @@ int                 eaptls_request(EAP_DS *eap_ds, tls_session_t *ssn);
 void            eaptls_gen_mppe_keys(VALUE_PAIR **reply_vps, SSL *s,
                                     const char *prf_label);
 void           eapttls_gen_challenge(SSL *s, uint8_t *buffer, size_t size);
+void           eaptls_gen_eap_key(SSL *s, uint32_t header, REQUEST *request);
 
 #define BUFFER_SIZE 1024
 

diff --git a/src/modules/rlm_eap/libeap/mppe_keys.c b/src/modules/rlm_eap/libeap/mppe_keys.c
index 05577f5198afaf6806fece1b6098a4cfd0becad1..36af2d236ef2ea805f9cca9751a2bca4500bb1dc 100644 (file)
--- a/src/modules/rlm_eap/libeap/mppe_keys.c
+++ b/src/modules/rlm_eap/libeap/mppe_keys.c
@@ -192,3 +192,21 @@ void eapttls_gen_challenge(SSL *s, uint8_t *buffer, size_t size)
 
        memcpy(buffer, out, size);
 }
+
+/*
+ *     Actually generates EAP-Session-Id, which is an internal server
+ *     attribute.  Not all systems want to send EAP-Key-Nam
+ */
+void eaptls_gen_eap_key(SSL *s, uint32_t header, REQUEST *request)
+{
+       VALUE_PAIR *vp;
+
+       vp = radius_paircreate(request, &request->reply->vps,
+                              PW_EAP_SESSION_ID, PW_TYPE_OCTETS);
+       if (!vp) return;
+
+       vp->vp_octets[0] = header & 0xff;
+       memcpy(vp->vp_octets + 1, s->s3->client_random, SSL3_RANDOM_SIZE);
+       memcpy(vp->vp_octets + 1 + SSL3_RANDOM_SIZE,
+              s->s3->server_random, SSL3_RANDOM_SIZE);
+}