Commit 269c8385 authored by Sebastien Decugis's avatar Sebastien Decugis

Added ability to extract the Extended MSK (EMSK) for future use

parent 883ed988
......@@ -443,14 +443,17 @@ int diameap_eap_statemachine(struct eap_state_machine * eap_sm,
if ((*eap_sm->selectedMethod->eap_method_isDone)(eap_sm) == TRUE)
{
/*diameap_ba_PolicyUpdate();*/
eap_i->aaaEapKeyLength = 0;
eap_i->aaaEapMSKLength = 0;
eap_i->aaaEapEMSKLength = 0;
if (eap_sm->selectedMethod->eap_method_getKey)
{
if ((*eap_sm->selectedMethod->eap_method_getKey)(eap_sm,
&eap_i->aaaEapKeyData, &eap_i->aaaEapKeyLength))
&eap_i->aaaEapMSKData, &eap_i->aaaEapMSKLength,
&eap_i->aaaEapEMSKData, &eap_i->aaaEapEMSKLength))
{
TRACE_DEBUG(INFO,"%s[EAP Protocol] Generating EAP Master Key failed.",DIAMEAP_EXTENSION,eap_sm->selectedMethod->methodname)
eap_i->aaaEapKeyLength = 0;
eap_i->aaaEapMSKLength = 0;
eap_i->aaaEapEMSKLength = 0;
eap_i->aaaEapKeyAvailable = FALSE;
}
else
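Review bot: The failure branch after the eap_method_getKey call (the lines resetting the three lengths) zeroes the lengths but leaves `aaaEapMSKData` and `aaaEapEMSKData` as the plugin left them; the EAP-TLS implementation further down this page nulls `*msk` on failure but never touches `*emsk`, so the EMSK pointer keeps whatever value it held before the call while its length says 0. Since availability is later decided on the data pointer, reset both pointers here as well, e.g. `eap_i->aaaEapMSKData = NULL; eap_i->aaaEapEMSKData = NULL;`, or state in the plugin interface that every plugin must set all outputs on failure. Whether a buffer has to be freed before nulling depends on the plugin contract, which this hunk does not show. diameap_eap_statemachine continues on both sides of the hunk.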
......@@ -555,7 +558,7 @@ int diameap_eap_statemachine(struct eap_state_machine * eap_sm,
diameap_ba_nextid(eap_sm, &eap_sm->currentId);
CHECK_FCT(diameap_eap_new(EAP_SUCCESS, (u8) eap_sm->currentId, TYPE_NONE, NULL, 0,&eap_i->aaaEapReqData))
;
if (eap_i->aaaEapKeyData != NULL)
if (eap_i->aaaEapMSKData != NULL)
{
TRACE_DEBUG(FULL+1,"%s[EAP Protocol] EAP Key available [User: %s].",DIAMEAP_EXTENSION,eap_sm->user.userid);
eap_i->aaaEapKeyAvailable = TRUE;
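Review bot: Key availability is decided on the pointer alone (`if (eap_i->aaaEapMSKData != NULL)`), so a plugin that hands back a non-NULL buffer with `aaaEapMSKLength == 0` would mark the key available and an empty EAP-Master-Session-Key AVP would be built from it. Guard on the length too: `if (eap_i->aaaEapMSKData != NULL && eap_i->aaaEapMSKLength > 0)`. The enclosing function starts and ends outside the hunk.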
......
......@@ -58,8 +58,10 @@ struct diameap_eap_interface
boolean aaaSuccess;
boolean aaaFail;
struct eap_packet aaaEapReqData;
u8 *aaaEapKeyData;
int aaaEapKeyLength;
u8 *aaaEapMSKData;
int aaaEapMSKLength;
u8 *aaaEapEMSKData;
int aaaEapEMSKLength;
boolean aaaEapKeyAvailable;
int aaaMethodTimeout;
......
......@@ -328,7 +328,7 @@ int diameap_plugin_load(void)
if (registerplugin->getKey)
{
plugin->eap_method_getKey = (int(*)(struct eap_state_machine *,
u8**, int*)) dlsym(plugin->handler, registerplugin->getKey);
u8**, int*,u8**, int*)) dlsym(plugin->handler, registerplugin->getKey);
if (plugin->eap_method_getKey == NULL)
{
TRACE_DEBUG(
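Review bot: The cast now describes a six-parameter getKey, but dlsym resolves by symbol name only, so a plugin compiled against the previous `(smd, u8 **, int *)` signature still loads and is then called with two extra output pointers it never writes; the caller's EMSK fields would be left untouched without any error being reported. If the registration structure carries an interface version field, check it here before accepting the symbol; otherwise at least record in the plugin header that every plugin must be rebuilt against the new signature. The enclosing function continues outside the hunk.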
......
......@@ -308,7 +308,8 @@ static int diameap_initialize_diameap_eap_interface(
eap_i->aaaSuccess = FALSE;
eap_i->aaaFail = FALSE;
eap_i->aaaEapReqData.data = NULL;
eap_i->aaaEapKeyData = NULL;
eap_i->aaaEapMSKData = NULL;
eap_i->aaaEapEMSKData = NULL;
eap_i->aaaEapKeyAvailable = FALSE;
eap_i->aaaMethodTimeout = 0;
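Review bot: The two new data pointers are nulled, but the matching `aaaEapMSKLength` and `aaaEapEMSKLength` are not initialised here, while every neighbouring field (`aaaEapKeyAvailable`, `aaaMethodTimeout`, the pointers) is set explicitly; unless the interface is zeroed beforehand, which this hunk does not show, the lengths start out indeterminate. Add `eap_i->aaaEapMSKLength = 0; eap_i->aaaEapEMSKLength = 0;` next to the pointer initialisations. The enclosing function continues outside the hunk.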
......@@ -2956,8 +2957,8 @@ static int diameap_add_eap_success_avps(
if (eap_i.aaaEapKeyAvailable == TRUE)
{
CHECK_FCT(fd_msg_avp_new(dataobj_eap_master_session_key, 0, &avp));
avp_val.os.data = eap_i.aaaEapKeyData;
avp_val.os.len = eap_i.aaaEapKeyLength;
avp_val.os.data = eap_i.aaaEapMSKData;
avp_val.os.len = eap_i.aaaEapMSKLength;
CHECK_FCT(fd_msg_avp_setvalue(avp, &avp_val));
CHECK_FCT( fd_msg_avp_add( ans, MSG_BRW_LAST_CHILD, avp ) );
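Review bot: Only the MSK is exported here while the EMSK now also sits in `eap_i.aaaEapEMSKData`, which matches the "for future use" in the commit message, but nothing in this hunk clears either buffer once the AVP has been built. If fd_msg_avp_setvalue copies the octet string, as I believe it does in freeDiameter (verify), the plaintext copies in eap_i outlive their only use and should be wiped and released after `fd_msg_avp_add`, with a wipe the compiler cannot elide. The enclosing function continues outside the hunk.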
......
......@@ -113,7 +113,8 @@ struct plugin
int (*eap_method_process)(struct eap_state_machine *smd,
struct eap_packet eapRespData); /* address of the eap_method_process method */
boolean (*eap_method_isDone)(struct eap_state_machine *smd); /* address of the eap_method_isDone method */
int (*eap_method_getKey)(struct eap_state_machine *smd, u8 ** key,int *keylength); /* address of the eap_method_getKey method */
int (*eap_method_getKey)(struct eap_state_machine *smd, u8 ** msk,int *msklength,
u8 ** emsk,int *emsklength); /* address of the eap_method_getKey method */
void (*eap_method_unregister)(void); /* (Optional) address of the eap_method_unregister method */
void (*eap_method_free)(void *); /* (Optional) address of the eap_method_datafree method */
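Review bot: The comment on the new six-parameter `eap_method_getKey` pointer still reads `address of the eap_method_getKey method` and says nothing about the contract the EAP-TLS implementation on this page now relies on: that `msk`/`emsk` receive malloc'd buffers, that `emsk` may be NULL when the caller does not want it, and what the outputs hold on failure. Replace it with a comment such as `/* returns 0 with malloc'd MSK (and EMSK when emsk != NULL) that the caller must free; non-zero on failure, all outputs set to NULL/0 */`, adjusted to whichever ownership rule the core actually applies. struct plugin continues outside the hunk.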
......
......@@ -49,7 +49,7 @@ boolean eap_tls_check(struct eap_state_machine *smd,
int eap_tls_process(struct eap_state_machine *smd,
struct eap_packet eapRespData);
boolean eap_tls_isDone(struct eap_state_machine *smd);
int eap_tls_getKey(struct eap_state_machine *smd, u8** key, int * keylen);
int eap_tls_getKey(struct eap_state_machine *smd, u8** msk, int * msklen, u8** emsk, int * emsklen);
void eap_tls_unregister(void);
void eap_tls_free(void * data);
......@@ -288,23 +288,30 @@ boolean eap_tls_isDone(struct eap_state_machine *smd)
return TRUE;
}
int eap_tls_getKey(struct eap_state_machine *smd, u8 ** key, int *keylen)
int eap_tls_getKey(struct eap_state_machine *smd, u8 ** msk, int *msklen, u8 ** emsk, int *emsklen)
{
struct tls_data * data;
int len = emsk ? 128 : 64;
data = (struct tls_data *) smd->methodData;
*key = malloc(64);
*msk = malloc(len);
if (gnutls_prf(data->session, strlen("client EAP encryption"),
"client EAP encryption", 0, 0, NULL, 64, (char *) *key)
"client EAP encryption", 0, 0, NULL, len, (char *) *msk)
!= GNUTLS_E_SUCCESS)
{
free(*key);
*key = NULL;
*keylen = 0;
free(*msk);
*msk = NULL;
*msklen = 0;
return 1;
}
else
{
*keylen = 64;
*msklen = 64;
}
if (emsk) {
*emsk = malloc(64);
memcpy(*emsk, (*msk)+64, 64);
memset((*msk)+64, 0, 64);
*emsklen = 64;
}
return 0;
......