-rw-r--r--src/charon/plugins/eap_tls/eap_tls.c5
-rw-r--r--src/charon/plugins/eap_tls/tls/tls.c7
-rw-r--r--src/charon/plugins/eap_tls/tls/tls.h7
-rw-r--r--src/charon/plugins/eap_tls/tls/tls_crypto.c18
-rw-r--r--src/charon/plugins/eap_tls/tls/tls_crypto.h7
5 files changed, 44 insertions, 0 deletions
diff --git a/src/charon/plugins/eap_tls/eap_tls.c b/src/charon/plugins/eap_tls/eap_tls.c
index 3518dfca1..4e543d45d 100644
--- a/src/charon/plugins/eap_tls/eap_tls.c
+++ b/src/charon/plugins/eap_tls/eap_tls.c
@@ -366,6 +366,11 @@ METHOD(eap_method_t, get_type, eap_type_t,
METHOD(eap_method_t, get_msk, status_t,
private_eap_tls_t *this, chunk_t *msk)
{
+ *msk = this->tls->get_eap_msk(this->tls);
+ if (msk->len)
+ {
+ return SUCCESS;
+ }
return FAILED;
}
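Review bot: `get_msk` returns SUCCESS as soon as the chunk has a non-zero length, but that chunk is filled in `derive_master_secret` (tls_crypto.c hunk), i.e. before the TLS Finished messages have been verified, so the value is only trustworthy once the EAP exchange itself has reported SUCCESS; presumably the authenticator observes that ordering, but nothing here says so. The chunk also points at memory owned by tls_crypto (matching the "internal data" remark in tls.h), so the caller must not free or outlive it. Suggest a comment above the assignment: `/* MSK is owned by tls_crypto; only meaningful after process() returned SUCCESS */`.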
diff --git a/src/charon/plugins/eap_tls/tls/tls.c b/src/charon/plugins/eap_tls/tls/tls.c
index 8c94e42c6..c011ad678 100644
--- a/src/charon/plugins/eap_tls/tls/tls.c
+++ b/src/charon/plugins/eap_tls/tls/tls.c
@@ -141,6 +141,12 @@ METHOD(tls_t, change_cipher, void,
this->protection->set_cipher(this->protection, inbound, signer, crypter, iv);
}
+METHOD(tls_t, get_eap_msk, chunk_t,
+ private_tls_t *this)
+{
+ return this->crypto->get_eap_msk(this->crypto);
+}
+
METHOD(tls_t, destroy, void,
private_tls_t *this)
{
@@ -169,6 +175,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
.get_version = _get_version,
.set_version = _set_version,
.change_cipher = _change_cipher,
+ .get_eap_msk = _get_eap_msk,
.destroy = _destroy,
},
.is_server = is_server,
diff --git a/src/charon/plugins/eap_tls/tls/tls.h b/src/charon/plugins/eap_tls/tls/tls.h
index b07516a94..ffaa83eba 100644
--- a/src/charon/plugins/eap_tls/tls/tls.h
+++ b/src/charon/plugins/eap_tls/tls/tls.h
@@ -187,6 +187,13 @@ struct tls_t {
crypter_t *crypter, chunk_t iv);
/**
+ * Get the MSK for EAP-TLS.
+ *
+ * @return MSK, internal data
+ */
+ chunk_t (*get_eap_msk)(tls_t *this);
+
+ /**
* Destroy a tls_t.
*/
void (*destroy)(tls_t *this);
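Review bot: The new `get_eap_msk` documentation here, and its twin in tls_crypto.h, says the chunk points to internal data but not when it is valid: per the tls_crypto.c hunks it is empty (presumably zero-initialised by INIT) until the master secret has been derived, and its pointer is released in destroy(). Suggest `@return MSK, internal data; empty until the master secret is derived, valid until destroy()` in both headers so callers neither free it nor cache it past the tls_t lifetime.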
diff --git a/src/charon/plugins/eap_tls/tls/tls_crypto.c b/src/charon/plugins/eap_tls/tls/tls_crypto.c
index e0977216e..5a23fb559 100644
--- a/src/charon/plugins/eap_tls/tls/tls_crypto.c
+++ b/src/charon/plugins/eap_tls/tls/tls_crypto.c
@@ -83,6 +83,11 @@ struct private_tls_crypto_t {
* IV for output decryption, if < TLSv1.2
*/
chunk_t iv_out;
+
+ /**
+ * EAP-TLS MSK
+ */
+ chunk_t msk;
};
typedef struct {
@@ -358,6 +363,11 @@ METHOD(tls_crypto_t, derive_master_secret, void,
this->prf->set_key(this->prf, chunk_from_thing(master));
memset(master, 0, sizeof(master));
+ /* MSK for EAP-TLS */
+ this->msk = chunk_alloc(64);
+ this->prf->get_bytes(this->prf, "client EAP encryption", seed,
+ this->msk.len, this->msk.ptr);
+
/* derive key block for key expansion */
mks = this->signer_out->get_key_size(this->signer_out);
if (this->crypter_out)
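Review bot: `this->msk = chunk_alloc(64)` overwrites whatever pointer the field already holds; if `derive_master_secret` can run more than once on the same tls_crypto_t (renegotiation), the previous buffer leaks and the old key material stays in memory unwiped. Precede the allocation with `chunk_clear(&this->msk);`, which wipes and frees any prior secret and is a no-op on an empty chunk. The literal 64 is the MSK length from RFC 5216 (first 64 octets of the 128 derived under "client EAP encryption"); a named constant would make that traceable, and the derivation assumes `seed` is client.random || server.random as used for the master secret above, which is outside this hunk. The enclosing `derive_master_secret` begins before the hunk.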
@@ -448,6 +458,12 @@ METHOD(tls_crypto_t, get_prf, tls_prf_t*,
return this->prf;
}
+METHOD(tls_crypto_t, get_eap_msk, chunk_t,
+ private_tls_crypto_t *this)
+{
+ return this->msk;
+}
+
METHOD(tls_crypto_t, destroy, void,
private_tls_crypto_t *this)
{
@@ -457,6 +473,7 @@ METHOD(tls_crypto_t, destroy, void,
DESTROY_IF(this->crypter_out);
free(this->iv_in.ptr);
free(this->iv_out.ptr);
+ free(this->msk.ptr);
DESTROY_IF(this->prf);
free(this->suites);
free(this);
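Review bot: `free(this->msk.ptr)` releases the MSK without wiping it, whereas the same file zeroes `master` with `memset` before it leaves scope; the MSK is key material exported to the EAP layer and deserves the same treatment. Replace the line with `chunk_clear(&this->msk);`, which wipes the buffer before freeing it. The body of `destroy` starts before the hunk.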
@@ -476,6 +493,7 @@ tls_crypto_t *tls_crypto_create(tls_t *tls)
.derive_master_secret = _derive_master_secret,
.change_cipher = _change_cipher,
.get_prf = _get_prf,
+ .get_eap_msk = _get_eap_msk,
.destroy = _destroy,
},
.tls = tls,
diff --git a/src/charon/plugins/eap_tls/tls/tls_crypto.h b/src/charon/plugins/eap_tls/tls/tls_crypto.h
index 672764369..4b29652a8 100644
--- a/src/charon/plugins/eap_tls/tls/tls_crypto.h
+++ b/src/charon/plugins/eap_tls/tls/tls_crypto.h
@@ -74,6 +74,13 @@ struct tls_crypto_t {
tls_prf_t* (*get_prf)(tls_crypto_t *this);
/**
+ * Get the MSK to use in EAP-TLS.
+ *
+ * @return MSK, points to internal data
+ */
+ chunk_t (*get_eap_msk)(tls_crypto_t *this);
+
+ /**
* Destroy a tls_crypto_t.
*/
void (*destroy)(tls_crypto_t *this);