Re: Patch: eaptls packets too large, clash MTU
Quoting sumi <sumi.rs@gmail.com>:
hi,
attachment is missing...?
thanks sumi
Should not the case, but I'm currently forced to use a braindamaged "webmailer"... So, both inline and als attachment. diff -ru ../orig/freeradius-1.1.1/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c ./src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c --- ../orig/freeradius-1.1.1/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 2006-02-06 10:37:03.000000000 -0500 +++ ./src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 2006-04-21 19:45:47.000000000 -0400 @@ -443,11 +459,25 @@ * tells us it's too big. */ ssn->offset = inst->conf->fragment_size; + + /* + * Framed-MTU is the whole packet, so we cut off the + * EAPOW header (4 bytes) to be prepended by the NAS. + * NOTE: This does not account for other protocols and + * purposes like wired PPP, which has 8 bytes overhead. + */ vp = pairfind(handler->request->packet->vps, PW_FRAMED_MTU); if (vp && ((vp->lvalue - 4) < ssn->offset)) { ssn->offset = vp->lvalue - 4; } + /* + * And even more for the EAP TLS header: + * code + id + length + type + flags + TLS len + * 1 + 1 + 2 + 1 + 1 + 4 = 10 + */ + ssn->offset -= 10; + handler->opaque = ((void *)ssn); handler->free_opaque = session_free;
On 8/11/06, Michael Joosten <michael.joosten@c-lab.de> wrote:
Hello,
while using EAPTLS via RADIUS for authentication of a PPP/L2TP/IPSec VPN (Microsoft style), I discovered that the generated EAPTLS packets are a little bit to large. If you take Framed-MTU serious, most of the EAPTLS header is not accounted for. Result: PPP communication with max. possible IPSec MTU fails silently, because the EAPTLS packets (esp. those with long certificates) are silently discarded.
Patch attached. Should I also submit this to the bug database?
Regards, Michael Joosten
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- "If u look at what u dont have in life, u dont have anything
But if u look at what u have in life, u have everything.....!!"
participants (1)
-
Michael Joosten