Derive MSK for EAP-TLS authentication
authorMartin Willi <martin@revosec.ch>
Fri, 5 Feb 2010 11:28:48 +0000 (11:28 +0000)
committerMartin Willi <martin@revosec.ch>
Tue, 3 Aug 2010 13:39:25 +0000 (15:39 +0200)
src/charon/plugins/eap_tls/eap_tls.c
src/charon/plugins/eap_tls/tls/tls.c
src/charon/plugins/eap_tls/tls/tls.h
src/charon/plugins/eap_tls/tls/tls_crypto.c
src/charon/plugins/eap_tls/tls/tls_crypto.h

index 3518dfca1312724e4dfd273ad65f59e1eaea890e..4e543d45d5d9b4791714fb4ab814665ee22bde43 100644 (file)
@@ -366,6 +366,11 @@ METHOD(eap_method_t, get_type, eap_type_t,
 METHOD(eap_method_t, get_msk, status_t,
        private_eap_tls_t *this, chunk_t *msk)
 {
+       *msk = this->tls->get_eap_msk(this->tls);
+       if (msk->len)
+       {
+               return SUCCESS;
+       }
        return FAILED;
 }
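Review bot: The chunk written into `*msk` on line 18 aliases the buffer owned by the tls_crypto object (tls.h describes it as "internal data") and that buffer is released when `this->tls` is destroyed, so the caller has to copy it before this EAP method goes away, and nothing here says so. If eap_method_t's get_msk contract (not on this page) already requires callers to clone, a comment is enough: `/* msk points into this->tls; caller must clone it before destroy() */`. If it does not, `*msk = chunk_clone(...)` would be needed instead, but only if that contract also makes the caller free it. `*msk` is now also assigned on the FAILED path, which is harmless because its len is 0 there but differs from the old code, which left it untouched.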
 
index 8c94e42c6eee65018f4db130c3c42a22757f9b0d..c011ad67848bf2e59a10f73ace0fd22ebf483d58 100644 (file)
@@ -141,6 +141,12 @@ METHOD(tls_t, change_cipher, void,
        this->protection->set_cipher(this->protection, inbound, signer, crypter, iv);
 }
 
+METHOD(tls_t, get_eap_msk, chunk_t,
+       private_tls_t *this)
+{
+       return this->crypto->get_eap_msk(this->crypto);
+}
+
 METHOD(tls_t, destroy, void,
        private_tls_t *this)
 {
@@ -169,6 +175,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
                        .get_version = _get_version,
                        .set_version = _set_version,
                        .change_cipher = _change_cipher,
+                       .get_eap_msk = _get_eap_msk,
                        .destroy = _destroy,
                },
                .is_server = is_server,
index b07516a944fb76deb32cdb31d1e13de9b61bc530..ffaa83ebaff57573ff3efb082a79d79bda2f7636 100644 (file)
@@ -186,6 +186,13 @@ struct tls_t {
        void (*change_cipher)(tls_t *this, bool inbound, signer_t *signer,
                                                  crypter_t *crypter, chunk_t iv);
 
+       /**
+        * Get the MSK for EAP-TLS.
+        *
+        * @return                      MSK, internal data
+        */
+       chunk_t (*get_eap_msk)(tls_t *this);
+
        /**
         * Destroy a tls_t.
         */
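Review bot: The new `get_eap_msk` comment says only "MSK, internal data", but eap_tls.c's get_msk decides SUCCESS/FAILED from the returned length, so the comment should state when the chunk is empty and how long it stays valid: `@return MSK, points to internal data; empty (len 0) until the master secret has been derived, valid for the lifetime of this tls_t`. The matching comment on `get_eap_msk` in tls_crypto.h, the last hunk of this commit, needs the same clarification. The "empty until derived" part assumes tls_crypto_create zero-initialises the new msk member, which is not visible on this page.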
index e0977216e71cd7dafd09a2b9f62e01a7b4df8c19..5a23fb559252544451bab65738d02aa9564292eb 100644 (file)
@@ -83,6 +83,11 @@ struct private_tls_crypto_t {
         * IV for output decryption, if < TLSv1.2
         */
        chunk_t iv_out;
+
+       /**
+        * EAP-TLS MSK
+        */
+       chunk_t msk;
 };
 
 typedef struct {
@@ -358,6 +363,11 @@ METHOD(tls_crypto_t, derive_master_secret, void,
        this->prf->set_key(this->prf, chunk_from_thing(master));
        memset(master, 0, sizeof(master));
 
+       /* MSK for EAP-TLS */
+       this->msk = chunk_alloc(64);
+       this->prf->get_bytes(this->prf, "client EAP encryption", seed,
+                                                this->msk.len, this->msk.ptr);
+
        /* derive key block for key expansion */
        mks = this->signer_out->get_key_size(this->signer_out);
        if (this->crypter_out)
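Review bot: `this->msk = chunk_alloc(64)` on line 81 overwrites whatever the member already holds, so if derive_master_secret runs more than once on the same object (a renegotiated handshake, for instance) the earlier MSK leaks and is never wiped; release it first, and since this is key material use the wiping variant: `chunk_clear(&this->msk); this->msk = chunk_alloc(64);`. The destroy hunk further down has the related problem that `free(this->msk.ptr)` releases the MSK without zeroising it, unlike the `memset(master, 0, sizeof(master))` applied to the master secret just above line 80, so `chunk_clear(&this->msk)` belongs there as well. The bare 64 would read better as a named constant (e.g. `TLS_EAP_MSK_LEN`, a constructed name). Whether `seed` at this point is client_random||server_random, the order the EAP-TLS key-material derivation (RFC 5216) requires and the opposite of what the key-block expansion uses, cannot be seen in this hunk and deserves a confirming comment; derive_master_secret begins and ends outside the hunk.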
@@ -448,6 +458,12 @@ METHOD(tls_crypto_t, get_prf, tls_prf_t*,
        return this->prf;
 }
 
+METHOD(tls_crypto_t, get_eap_msk, chunk_t,
+       private_tls_crypto_t *this)
+{
+       return this->msk;
+}
+
 METHOD(tls_crypto_t, destroy, void,
        private_tls_crypto_t *this)
 {
@@ -457,6 +473,7 @@ METHOD(tls_crypto_t, destroy, void,
        DESTROY_IF(this->crypter_out);
        free(this->iv_in.ptr);
        free(this->iv_out.ptr);
+       free(this->msk.ptr);
        DESTROY_IF(this->prf);
        free(this->suites);
        free(this);
@@ -476,6 +493,7 @@ tls_crypto_t *tls_crypto_create(tls_t *tls)
                        .derive_master_secret = _derive_master_secret,
                        .change_cipher = _change_cipher,
                        .get_prf = _get_prf,
+                       .get_eap_msk = _get_eap_msk,
                        .destroy = _destroy,
                },
                .tls = tls,
index 672764369b7479ac259fc79570e2a58332590886..4b29652a89dae0912e0c27108424ffa55ac6aa03 100644 (file)
@@ -73,6 +73,13 @@ struct tls_crypto_t {
         */
        tls_prf_t* (*get_prf)(tls_crypto_t *this);
 
+       /**
+        * Get the MSK to use in EAP-TLS.
+        *
+        * @return                              MSK, points to internal data
+        */
+       chunk_t (*get_eap_msk)(tls_crypto_t *this);
+
        /**
         * Destroy a tls_crypto_t.
         */