Last call for 1.1.3?

Michael Joosten michael.joosten at c-lab.de
Tue Aug 22 17:43:52 CEST 2006


Michael Joosten wrote:

>
> 2) The last days I looked at EAP/TLS and the cert_issuer_check, there 
> is a corresponding free() call missing in rlm_eap_tls.c:eaptls_detach().
> Hmmm. On a closer look, actually many of the module's module_config
> string or file name options are missing. Correct or bug?
> I think I patched most of them for my certificate "dissection" patch, 
> shall I make a quick interim patch of only the eap_detach() part 
> against CVS?
>
Done. Bug 385

> 3) It would be nice to apply my patch against the miscalculated 
> EAP/TLS packet size (bug 383) 8-)
>
> Regards, Michael Joosten
>
Also attached. Made against 1.1.1, but I don't think that matters.

Michael

-------------- next part --------------
--- radiusd/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c-	2006-04-28 20:21:49.000000000 +0200
+++ radiusd/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c	2006-08-22 16:53:29.000000000 +0200
@@ -449,15 +449,27 @@
 	if (conf) {
 		if (conf->dh_file) free(conf->dh_file);
 		conf->dh_file = NULL;
+		if (conf->CA_path) free(conf->CA_path);
+		conf->CA_path = NULL;
 		if (conf->certificate_file) free(conf->certificate_file);
 		conf->certificate_file = NULL;
 		if (conf->private_key_file) free(conf->private_key_file);
 		conf->private_key_file = NULL;
 		if (conf->private_key_password) free(conf->private_key_password);
 		conf->private_key_password = NULL;
+		if (conf->CA_file) free(conf->CA_file);
+		conf->CA_file = NULL;
 		if (conf->random_file) free(conf->random_file);
 		conf->random_file = NULL;
 
+		if (conf->check_cert_cn) free(conf->check_cert_cn);
+		conf->check_cert_cn = NULL;
+		if (conf->use_as_cert_cn) free(conf->use_as_cert_cn);
+		conf->check_cipher_list = NULL;
+		if (conf->check_cipher_list) free(conf->check_cipher_list);
+		conf->check_cipher_list = NULL;
+		if (conf->check_cert_issuer) free(conf->check_cert_issuer);
+		conf->check_cert_issuer = NULL;
 		free(inst->conf);
 		inst->conf = NULL;
 	}
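Review bot: In the last added group, the line after `if (conf->use_as_cert_cn) free(conf->use_as_cert_cn);` assigns `conf->check_cipher_list = NULL;` where `conf->use_as_cert_cn = NULL;` is needed. As written, check_cipher_list is nulled before the following `if (conf->check_cipher_list) free(conf->check_cipher_list);` runs, so that string is never freed, and use_as_cert_cn keeps pointing at freed memory until `free(inst->conf)`. Change the assignment to `conf->use_as_cert_cn = NULL;`. As a style point, free(NULL) is a no-op in standard C, so the `if` guards are not required, though they do match the existing lines.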
-------------- next part --------------
diff -ru ../orig/freeradius-1.1.1/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c ./src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
--- ../orig/freeradius-1.1.1/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c	2006-02-06 10:37:03.000000000 -0500
+++ ./src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c	2006-04-21 19:45:47.000000000 -0400
@@ -443,11 +459,25 @@
 	 *	tells us it's too big.
 	 */
 	ssn->offset = inst->conf->fragment_size;
+
+	/*
+	 *      Framed-MTU is the whole packet, so we cut off the
+	 *      EAPOW header (4 bytes) to be prepended by the NAS.
+	 *      NOTE: This does not account for other protocols and
+	 *      purposes like wired PPP, which has 8 bytes overhead.
+	 */
 	vp = pairfind(handler->request->packet->vps, PW_FRAMED_MTU);
 	if (vp && ((vp->lvalue - 4) < ssn->offset)) {
 		ssn->offset = vp->lvalue - 4;
 	}
 
+	/*
+	 *      And even more for the EAP TLS header:
+	 *      code + id + length + type + flags + TLS len
+	 *           1 + 1 + 2 + 1 + 1 + 4 = 10
+	 */
+	ssn->offset -= 10;
+
 	handler->opaque = ((void *)ssn);
 	handler->free_opaque = session_free;
 
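Review bot: `ssn->offset -= 10;` is applied with no lower bound, and the same holds for `vp->lvalue - 4` in the context lines above it. A small configured fragment_size, or a small Framed-MTU (a value taken from the request packet), can leave the offset at zero or below, or wrap it if the field is unsigned; the types are not visible in this hunk. Suggest ignoring a Framed-MTU that does not exceed the combined 14 bytes of overhead and clamping ssn->offset to a sane minimum after the subtraction. The 10 is also subtracted when no Framed-MTU is present, so the configured fragment_size now includes the EAP-TLS header; that deserves a line in the comment or in the configuration documentation. Named constants for the 4 and the 10 would keep the two comments and the arithmetic from drifting apart.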

