On Wed, Nov 21, 2007 at 03:56:09AM +0100, Alan DeKok wrote:
The code should now get a little farther in doing PEAP/EAP-TLS, but it still doesn't work. I'm no OpenSSL expert, but at least the FreeRADIUS side looks a little better now.
Something odd is happening with the EAP-PEAP fragmentation.. If I set fragment_size=1300 in FreeRADIUS configuration, the first Phase 2 message from FreeRADIUS has TLS Message Length of 1333. The first fragment includes 1300 bytes, so I would expect to see the remaining 33 bytes on the next fragment. However, that fragment is 37 bytes, i.e., extra 4 bytes. If I change fragment_size to 1200, the TLS Message Length become 1237. This does not sound correct, since the total data length should be more or less the same here regardless of the fragment size (well, up to a certain limit since making this very small could add more fragmentation overhead to phase 2). However, with this fragment_size, the second message is 37 bytes and that matches with the TLS Message Length. The reassembled data is not a valid SSL record, though.. It looks like there are at least two issues. The TLS Message Length is set to about fragment_size regardless of the real phase 2 length, i.e., the phase 2 gets truncated, not fragmented in full. In addition, the phase 1 fragmentation seems to end up reporting incorrect total length for the fragments (i.e., TLS Message Length can be smaller than the sum of the lengths of all fragments). -- Jouni Malinen PGP id EFC895FA