Patch: eaptls packets too large, clash MTU

Michael Joosten michael.joosten at c-lab.de
Thu Aug 10 22:20:38 CEST 2006


Quoting sumi <sumi.rs at gmail.com>:

> hi,
>
> attachment is missing...?
>
> thanks
> sumi
>

Should not be the case, but I'm currently forced to use a braindamaged
"webmailer"...

So, both inline and as attachment.

diff -ru
../orig/freeradius-1.1.1/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
./src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
---
../orig/freeradius-1.1.1/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c	2006-02-06
10:37:03.000000000 -0500
+++ ./src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c	2006-04-21
19:45:47.000000000 -0400
@@ -443,11 +459,25 @@
 	 *	tells us it's too big.
 	 */
 	ssn->offset = inst->conf->fragment_size;
+
+	/*
+	 *      Framed-MTU is the whole packet, so we cut off the
+	 *      EAPOW header (4 bytes) to be prepended by the NAS.
+	 *      NOTE: This does not account for other protocols and
+	 *      purposes like wired PPP, which has 8 bytes overhead.
+	 */
 	vp = pairfind(handler->request->packet->vps, PW_FRAMED_MTU);
 	if (vp && ((vp->lvalue - 4) < ssn->offset)) {
 		ssn->offset = vp->lvalue - 4;
 	}

+	/*
+	 *      And even more for the EAP TLS header:
+	 *      code + id + length + type + flags + TLS len
+	 *           1 + 1 + 2 + 1 + 1 + 4 = 10
+	 */
+	ssn->offset -= 10;
+
 	handler->opaque = ((void *)ssn);
 	handler->free_opaque = session_free;
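Review bot: `ssn->offset -= 10;` runs unconditionally and with no lower bound, so a small Framed-MTU (or a small configured fragment_size) drives ssn->offset to zero or below and the session can never make progress; check the value before subtracting, e.g. reject the session or fall back to a sane minimum when `ssn->offset <= 10`. The subtraction also happens when no Framed-MTU attribute was received, which silently changes what the configured fragment_size means (the TLS payload per packet becomes fragment_size - 10 rather than fragment_size), so either confine it to the `if (vp && ...)` branch or document the new meaning next to the fragment_size option. Minor: the 10-byte figure is a worst case for a packet that carries the 4-byte TLS length; the comment should say so if not every fragment carries it. Also, the hunk header `@@ -443,11 +459,25 @@` implies an earlier hunk in this file that the inline copy of the patch does not show; please make sure the attachment carries the complete diff.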



>
> On 8/11/06, Michael Joosten <michael.joosten at c-lab.de> wrote:
> >
> > Hello,
> >
> > while using EAPTLS via RADIUS for authentication of a PPP/L2TP/IPSec VPN
> > (Microsoft style), I discovered that the generated EAPTLS packets are a
> > little bit too large. If you take Framed-MTU seriously, most of the EAPTLS
> > header is not accounted for. Result: PPP communication with max. possible
> > IPSec MTU fails silently, because the EAPTLS packets (esp. those with long
> > certificates) are silently discarded.
> >
> > Patch attached. Should I also submit this to the bug database?
> >
> > Regards, Michael Joosten
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/devel.html
> >
>
>
>
> --
> "If u look at what u dont have in life, u dont have anything
>
>          But if u look at what u have in life, u have everything.....!!"
>


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeradius111-TLStoobig-patch3.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20060810/c9e6171a/attachment.txt>
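Worked example (added by the editor; this is not Michael's patch and not FreeRADIUS code): the fragment-size arithmetic from the thread, followed by an EAP-TLS fragmenter that actually builds the packets, so the largest frame the NAS would put on the wire can be compared with Framed-MTU instead of reasoned about. Header sizes follow the thread: 4-byte EAPOL header prepended by the NAS, 4-byte EAP header (code, id, length), 2 bytes of type and flags, and the 4-byte TLS Message Length that goes with the L flag on the first fragment. MIN_TLS_FRAGMENT, MAX_EAP_PKT, MAX_FRAGS, the function names and the constant-filled stand-in TLS blob are assumptions of this example and not settings or code of the project.

```c
#include <stdint.h>
#include <string.h>

/* Header sizes as laid out in the thread. The 4-byte TLS Message Length is
 * only present when the L flag is set, i.e. on the first fragment. */
#define EAPOL_HDR_LEN    4   /* prepended by the NAS, not by the server */
#define EAP_HDR_LEN      4   /* code + id + length */
#define EAP_TLS_HDR_LEN  2   /* type + flags */
#define EAP_TLS_LEN_LEN  4   /* TLS Message Length */
#define EAP_CODE_REQUEST 1
#define EAP_TYPE_TLS     13
#define EAP_TLS_FLAG_L   0x80
#define EAP_TLS_FLAG_M   0x40

/* Assumed sanity floor (not a FreeRADIUS setting): below this a handshake
 * with a long certificate chain would need hundreds of round trips. */
#define MIN_TLS_FRAGMENT 64
#define MAX_EAP_PKT      4096
#define MAX_FRAGS        64

typedef struct {
    uint8_t data[MAX_EAP_PKT];  /* one complete EAP packet */
    size_t  len;                /* its EAP Length field */
} eap_pkt_t;

/* TLS payload bytes per EAP-TLS packet, derived the way the patch does it
 * (clamp to Framed-MTU minus EAPOL header, then subtract the worst-case
 * 10-byte EAP/EAP-TLS header) plus the lower bound the patch lacks.
 * framed_mtu == 0 means the attribute was absent. Returns -1 if too small. */
int eap_tls_fragment_size(int fragment_size, int framed_mtu)
{
    int offset = fragment_size;

    if (framed_mtu > 0 && (framed_mtu - EAPOL_HDR_LEN) < offset)
        offset = framed_mtu - EAPOL_HDR_LEN;
    offset -= EAP_HDR_LEN + EAP_TLS_HDR_LEN + EAP_TLS_LEN_LEN;
    return (offset < MIN_TLS_FRAGMENT) ? -1 : offset;
}

/* Split a TLS record stream into EAP-TLS Request packets of at most frag
 * TLS bytes each: the first sets L and carries the total length, every
 * packet but the last sets M. Returns the packet count or -1. */
int eap_tls_fragment(const uint8_t *tls, size_t tls_len, int frag, uint8_t id,
                     eap_pkt_t *out, int max_out)
{
    size_t off = 0;
    int n = 0;

    if (frag <= 0 || (size_t)frag + 10 > MAX_EAP_PKT) return -1;
    do {
        size_t chunk = tls_len - off, pos = 0;
        uint8_t flags = 0;
        eap_pkt_t *p;

        if (n >= max_out) return -1;
        p = &out[n];
        if (chunk > (size_t)frag) chunk = (size_t)frag;
        if (n == 0) flags |= EAP_TLS_FLAG_L;
        if (off + chunk < tls_len) flags |= EAP_TLS_FLAG_M;

        p->data[pos++] = EAP_CODE_REQUEST;
        p->data[pos++] = (uint8_t)(id + n);
        pos += 2;                              /* Length, patched in below */
        p->data[pos++] = EAP_TYPE_TLS;
        p->data[pos++] = flags;
        if (flags & EAP_TLS_FLAG_L)            /* TLS Message Length, big-endian */
            for (int s = 24; s >= 0; s -= 8) p->data[pos++] = (uint8_t)(tls_len >> s);
        memcpy(p->data + pos, tls + off, chunk);
        pos += chunk;
        p->data[2] = (uint8_t)(pos >> 8);
        p->data[3] = (uint8_t)(pos & 0xff);
        p->len = pos;
        off += chunk;
        n++;
    } while (off < tls_len);
    return n;
}

/* Whole pipeline on a constructed tls_len-byte blob (contents do not matter
 * for framing). Returns the largest frame the NAS would put on the wire
 * (EAP packet + EAPOL header) to compare with framed_mtu, or -1 on failure;
 * the fragment count goes to *npkts when non-NULL. */
long eap_tls_demo(size_t tls_len, int fragment_size, int framed_mtu, int *npkts)
{
    static uint8_t tls[8192];
    static eap_pkt_t pkts[MAX_FRAGS];
    size_t max = 0;
    int frag, n;

    if (tls_len > sizeof tls) return -1;
    memset(tls, 0x16, tls_len);                /* constructed stand-in for TLS records */
    frag = eap_tls_fragment_size(fragment_size, framed_mtu);
    if (frag < 0) return -1;
    n = eap_tls_fragment(tls, tls_len, frag, 1, pkts, MAX_FRAGS);
    if (n < 0) return -1;
    for (int i = 0; i < n; i++)
        if (pkts[i].len + EAPOL_HDR_LEN > max) max = pkts[i].len + EAPOL_HDR_LEN;
    if (npkts) *npkts = n;
    return (long)max;
}
```

With fragment_size 1024 and a 576-byte Framed-MTU, eap_tls_demo(1500, 1024, 576, &n) yields three fragments and a largest frame of exactly 576 bytes, so the first packet (the one that also carries the 4-byte TLS length) fits the MTU with nothing to spare; without Framed-MTU the same 1500 bytes go out as two frames of up to 1028 bytes, i.e. fragment_size plus the EAPOL header, which is what the "-10" in the patch costs an administrator who never sends Framed-MTU; and a 60-byte Framed-MTU is refused rather than producing an empty fragment.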

