From: Alan T. DeKok
Date: Thu, 14 Feb 2013 16:48:37 +0000 (-0500)
Subject: Added preliminary support for EAP-Key-Name
X-Git-Tag: release_2_2_1~174
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=36932d8d56c408ced51ef55fb91c25362c674274;p=thirdparty%2Ffreeradius-server.git

Added preliminary support for EAP-Key-Name

We use EAP-Session-Id internally, as not everyone wants to send EAP-Key-Name in a packet. The eaptls_gen_eap_key() function generates the EAP-Session-Id. The eaptls_success() function calls the "gen key" function on success. This means that the key is available on all TLS-based EAP methods If someone wants to send EAP-Key-Name, they should use unlang to make EAP-Session-Id to EAP-Key-Name
---
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index f9dfe8ae375..f602702637c 100644
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -225,6 +225,9 @@ ATTRIBUTE Cache-Entry-Hits 1142 integer
 VALUE Cache-Status-Only no 0
 VALUE Cache-Status-Only yes 1
+
+ATTRIBUTE EAP-Session-Id 1146 octets
+
 #
 # Range: 1200-1279
 # EAP-SIM (and other EAP type) weirdness.
diff --git a/src/include/radius.h b/src/include/radius.h
index 3e06aedb251..ab9343175a2 100644
--- a/src/include/radius.h
+++ b/src/include/radius.h
@@ -237,6 +237,8 @@
 #define PW_CACHE_STATUS_ONLY 1141
 #define PW_CACHE_ENTRY_HITS 1142
+#define PW_EAP_SESSION_ID 1146
+
 /*
  * Integer Translations
  */
diff --git a/src/modules/rlm_eap/libeap/eap_tls.c b/src/modules/rlm_eap/libeap/eap_tls.c
index 46410956aa4..2e25cc4740c 100644
--- a/src/modules/rlm_eap/libeap/eap_tls.c
+++ b/src/modules/rlm_eap/libeap/eap_tls.c
@@ -223,6 +223,8 @@ int eaptls_success(EAP_HANDLER *handler, int peap_flag)
 RDEBUG("WARNING: Not adding MPPE keys because there is no PRF label");
 }
+ eaptls_gen_eap_key(tls_session->ssl->session,
+ handler->eap_type, request);
 return 1;
 }
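Review bot: The argument `tls_session->ssl->session` on the first added line of the eap_tls.c hunk does not match the parameter type `SSL *s` that the new eaptls_gen_eap_key prototype declares: if `tls_session->ssl` is the SSL object, its `session` member is the SSL_SESSION, and the callee reads `s->s3->client_random`, a field of the SSL object, so the randoms would be read from the wrong structure. The call should pass the SSL object itself, `eaptls_gen_eap_key(tls_session->ssl, handler->eap_type, request);`, and building with incompatible-pointer-type warnings treated as errors would have caught the mismatch. eaptls_success begins outside the hunk, so whether tls_session and request are validated before this point is not visible here.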
diff --git a/src/modules/rlm_eap/libeap/eap_tls.h b/src/modules/rlm_eap/libeap/eap_tls.h
index ff3098e566f..53f5dc78686 100644
--- a/src/modules/rlm_eap/libeap/eap_tls.h
+++ b/src/modules/rlm_eap/libeap/eap_tls.h
@@ -194,6 +194,7 @@ int eaptls_request(EAP_DS *eap_ds, tls_session_t *ssn);
 void eaptls_gen_mppe_keys(VALUE_PAIR **reply_vps, SSL *s, const char *prf_label);
 void eapttls_gen_challenge(SSL *s, uint8_t *buffer, size_t size);
+void eaptls_gen_eap_key(SSL *s, uint32_t header, REQUEST *request);
 #define BUFFER_SIZE 1024
diff --git a/src/modules/rlm_eap/libeap/mppe_keys.c b/src/modules/rlm_eap/libeap/mppe_keys.c
index 05577f5198a..36af2d236ef 100644
--- a/src/modules/rlm_eap/libeap/mppe_keys.c
+++ b/src/modules/rlm_eap/libeap/mppe_keys.c
@@ -192,3 +192,21 @@ void eapttls_gen_challenge(SSL *s, uint8_t *buffer, size_t size)
 memcpy(buffer, out, size);
 }
+
+/*
+ * Actually generates EAP-Session-Id, which is an internal server
+ * attribute. Not all systems want to send EAP-Key-Nam
+ */
+void eaptls_gen_eap_key(SSL *s, uint32_t header, REQUEST *request)
+{
+ VALUE_PAIR *vp;
+
+ vp = radius_paircreate(request, &request->reply->vps,
+ PW_EAP_SESSION_ID, PW_TYPE_OCTETS);
+ if (!vp) return;
+
+ vp->vp_octets[0] = header & 0xff;
+ memcpy(vp->vp_octets + 1, s->s3->client_random, SSL3_RANDOM_SIZE);
+ memcpy(vp->vp_octets + 1 + SSL3_RANDOM_SIZE,
+ s->s3->server_random, SSL3_RANDOM_SIZE);
+}
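Review bot: The new eaptls_gen_eap_key in the mppe_keys.c hunk writes 1 + 2 * SSL3_RANDOM_SIZE bytes into vp_octets but never records that length on the pair, and radius_paircreate cannot know the size, so the EAP-Session-Id attribute would most likely be printed, copied by unlang or encoded as a zero-length value and the identifier silently lost; add `vp->length = 1 + 2 * SSL3_RANDOM_SIZE;` after the second memcpy. The header comment is also cut off mid-word ("EAP-Key-Nam") and does not say what the bytes are; suggested replacement: `Generates EAP-Session-Id (RFC 5216 section 2.3: EAP type byte, then client random, then server random). It is an internal attribute because not every deployment wants EAP-Key-Name in the reply; copy it with unlang where it is needed.` Reading `s->s3->client_random` directly ties the function to the OpenSSL struct layout that exposes that field, which is worth noting in the comment as well.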