Michael Joosten wrote:
2) The last days I looked at EAP/TLS and the cert_issuer_check, there is a corresponding free() call missing in rlm_eap_tls.c:eaptls_detach(). Hmmm. On a closer look, actually many of the module's module_config string or file name options are missing. Correct or bug? I think I patched most of them for my certificate "dissection" patch, shall I make a quick interim patch of only the eap_detach() part against CVS?
Done. Bug 385
3) It would be nice to apply my patch against the miscalculated EAP/TLS packet size (bug 383) 8-)
Regards, Michael Joosten
Also attached. Made against 1.1.1, but I don't that matters. Michael --- radiusd/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c- 2006-04-28 20:21:49.000000000 +0200 +++ radiusd/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 2006-08-22 16:53:29.000000000 +0200 @@ -449,15 +449,27 @@ if (conf) { if (conf->dh_file) free(conf->dh_file); conf->dh_file = NULL; + if (conf->CA_path) free(conf->CA_path); + conf->CA_path = NULL; if (conf->certificate_file) free(conf->certificate_file); conf->certificate_file = NULL; if (conf->private_key_file) free(conf->private_key_file); conf->private_key_file = NULL; if (conf->private_key_password) free(conf->private_key_password); conf->private_key_password = NULL; + if (conf->CA_file) free(conf->CA_file); + conf->CA_file = NULL; if (conf->random_file) free(conf->random_file); conf->random_file = NULL; + if (conf->check_cert_cn) free(conf->check_cert_cn); + conf->check_cert_cn = NULL; + if (conf->use_as_cert_cn) free(conf->use_as_cert_cn); + conf->check_cipher_list = NULL; + if (conf->check_cipher_list) free(conf->check_cipher_list); + conf->check_cipher_list = NULL; + if (conf->check_cert_issuer) free(conf->check_cert_issuer); + conf->check_cert_issuer = NULL; free(inst->conf); inst->conf = NULL; } diff -ru ../orig/freeradius-1.1.1/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c ./src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c --- ../orig/freeradius-1.1.1/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 2006-02-06 10:37:03.000000000 -0500 +++ ./src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 2006-04-21 19:45:47.000000000 -0400 @@ -443,11 +459,25 @@ * tells us it's too big. */ ssn->offset = inst->conf->fragment_size; + + /* + * Framed-MTU is the whole packet, so we cut off the + * EAPOW header (4 bytes) to be prepended by the NAS. + * NOTE: This does not account for other protocols and + * purposes like wired PPP, which has 8 bytes overhead. + */ vp = pairfind(handler->request->packet->vps, PW_FRAMED_MTU); if (vp && ((vp->lvalue - 4) < ssn->offset)) { ssn->offset = vp->lvalue - 4; } + /* + * And even more for the EAP TLS header: + * code + id + length + type + flags + TLS len + * 1 + 1 + 2 + 1 + 1 + 4 = 10 + */ + ssn->offset -= 10; + handler->opaque = ((void *)ssn); handler->free_opaque = session_free;