On Mon, 10 Nov 2003, Alan DeKok wrote:
> Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> > So we do get an EAP-TLS Fragment ACK. But the callback function will
> > *never* get called for a packet like this (it isn't an actual TLS
> > segment in any case). As a result i don't think that the checks run
> > in the eaptls_ack_handler() function can actually work.
>
> Hm... I used the Aegis client to test the TTLS code, so it worked
> for me...
Probably with small enough certificates to not worry about fragmentation.
>
> > I've removed them and now the TTLS session works much better (I do
> > get a core dump just before sending back the Access-Accept but I'll
> > probably figure that one out).
>
> Do you have a patch, with a little more detailed explanation as to
> what is going wrong, and why?
I am attaching the patch (though it just makes eaptls_ack_handler return
immediately).
Let me try and outline the problem.
For TLS fragments the client will respond with an EAP-TTLS message with only one
zero data byte. This signifies a fragment ACK.
In eap_tls we have registered eaptls_msg as a callback function for all tls
messages which will set various variables like
state->info.origin = (unsigned char)write_p;
state->info.content_type = (unsigned char)content_type;
state->info.record_len = len;
state->info.version = msg_version;
Though since this one-byte packet is *not* an actual TLS packet, this function
will not run in this case. Nevertheless, eaptls_ack_handler currently will use
these variables to determine the nature of the received packet. As a result it
will fail and kill the EAP-TTLS (or EAP-TLS for that matter) session.
So the way I see it, the fix is to just make eaptls_ack_handler a dummy function
which will just return EAPTLS_REQUEST. Though I don't know the eap module well
enough to be sure that this is the correct solution.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
Kostas Kalevras, Network Operations Center
[EMAIL PROTECTED], National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

Index: eap_tls.c
===================================================================
RCS file: /source/radiusd/src/modules/rlm_eap/types/rlm_eap_tls/eap_tls.c,v
retrieving revision 1.18
diff -u -r1.18 eap_tls.c
--- eap_tls.c 23 Oct 2003 22:04:09 -0000 1.18
+++ eap_tls.c 10 Nov 2003 15:09:02 -0000
@@ -214,6 +214,12 @@
tls_session_t *tls_session;
tls_session = (tls_session_t *)handler->opaque;
+ if (tls_session == NULL){
+ radlog(L_ERR, "rlm_eap_tls: Unexpected ACK received");
+ return EAPTLS_FAIL;
+ }
+ return EAPTLS_REQUEST;
+
if ((tls_session == NULL) ||
(tls_session->info.origin == 0)) {
radlog(L_ERR, "rlm_eap_tls: Unexpected ACK received");
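Review bot: the unconditional "return EAPTLS_REQUEST;" added at the top of the hunk makes the existing "if ((tls_session == NULL) || (tls_session->info.origin == 0))" check and everything that follows it in eaptls_ack_handler unreachable, and the new NULL check above it duplicates the one now left dead. If the intent is to stop using info.origin (set only by the record callback, which never runs for a one-byte ACK), delete the dead block instead of leaving it behind where the next reader will assume it still applies and the compiler will warn about unreachable code. Also worth a comment in the hunk: with this change every ACK from a non-NULL session is answered with EAPTLS_REQUEST, so an ACK that arrives when the server has no further fragment to send is no longer rejected; the explanation in the mail should say whether that is acceptable or whether the transmit-side state should be checked instead.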
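The thread's point is that a fragment ACK carries no TLS record, so a handler that keys off state written by the TLS record callback never sees that state set. The following is an added example, not FreeRADIUS code: it classifies an EAP-TLS/EAP-TTLS response from its own bytes (Code, Identifier, Length, Type, Flags, optional 4-byte TLS length, TLS data, the layout of RFC 2716), recognising the ACK as "Type followed by a single zero Flags byte and nothing else", and it answers an ACK from transmit-side bookkeeping (how much of our own record is still unsent) rather than from record-callback state. All names here (classify_eaptls, handle_fragment_ack, struct eaptls_tx_state, the EAPTLS_KIND_* and ACK_* enums) and the sample packets are constructed for this example; the constants 13 and 21 are the real EAP Type values for TLS and TTLS.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EAP Type values for EAP-TLS and EAP-TTLS */
#define EAP_TYPE_TLS   13
#define EAP_TYPE_TTLS  21

/* Flags byte bits: L = TLS length included, M = more fragments, S = start */
#define EAPTLS_FLAG_L  0x80
#define EAPTLS_FLAG_M  0x40
#define EAPTLS_FLAG_S  0x20

enum eaptls_kind {
    EAPTLS_KIND_INVALID,        /* malformed, or not EAP-TLS/EAP-TTLS */
    EAPTLS_KIND_ACK,            /* fragment ACK: zero Flags byte, no TLS data */
    EAPTLS_KIND_FRAGMENT,       /* TLS data with M set: more to come */
    EAPTLS_KIND_LAST_FRAGMENT   /* TLS data with M clear: record complete */
};

/*
 * Classify an EAP packet purely from its bytes. The ACK case is decided
 * before any TLS record exists to parse, so it cannot depend on anything a
 * TLS record callback would have set. (Hypothetical helper for this example.)
 */
enum eaptls_kind classify_eaptls(const uint8_t *pkt, size_t pktlen)
{
    size_t hdr = 6;                      /* Code, Id, Length(2), Type, Flags */
    uint16_t eap_len;
    uint8_t flags;

    if (pkt == NULL || pktlen < hdr)
        return EAPTLS_KIND_INVALID;
    eap_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (eap_len != pktlen)               /* EAP Length must cover the packet */
        return EAPTLS_KIND_INVALID;
    if (pkt[4] != EAP_TYPE_TLS && pkt[4] != EAP_TYPE_TTLS)
        return EAPTLS_KIND_INVALID;
    flags = pkt[5];
    if (flags & EAPTLS_FLAG_L) {         /* 4-byte TLS message length follows */
        hdr += 4;
        if (pktlen < hdr)
            return EAPTLS_KIND_INVALID;
    }
    if (pktlen == hdr)                   /* no TLS data at all */
        return (flags == 0) ? EAPTLS_KIND_ACK : EAPTLS_KIND_INVALID;
    return (flags & EAPTLS_FLAG_M) ? EAPTLS_KIND_FRAGMENT
                                   : EAPTLS_KIND_LAST_FRAGMENT;
}

/* Hypothetical per-session transmit state; not FreeRADIUS's tls_session_t. */
struct eaptls_tx_state {
    size_t record_len;   /* total bytes of the record being sent to the peer */
    size_t sent;         /* bytes already delivered in earlier fragments */
};

enum ack_action { ACK_SEND_NEXT_FRAGMENT, ACK_UNEXPECTED };

/*
 * A fragment ACK is only meaningful while we still owe the peer part of a
 * record we are fragmenting. That is transmit-side bookkeeping the server
 * always has, whether or not a TLS record callback ever ran.
 */
enum ack_action handle_fragment_ack(const struct eaptls_tx_state *tx)
{
    if (tx == NULL || tx->sent >= tx->record_len)
        return ACK_UNEXPECTED;           /* nothing outstanding: reject the ACK */
    return ACK_SEND_NEXT_FRAGMENT;
}

int main(void)
{
    /* Constructed sample: EAP Response, id 5, length 6, Type TTLS, Flags 0 */
    static const uint8_t ack[] = { 0x02, 0x05, 0x00, 0x06, 0x15, 0x00 };
    struct eaptls_tx_state tx = { 4096, 1400 };  /* 2696 bytes still to send */

    if (classify_eaptls(ack, sizeof ack) == EAPTLS_KIND_ACK &&
        handle_fragment_ack(&tx) == ACK_SEND_NEXT_FRAGMENT)
        printf("fragment ACK: send next fragment\n");
    return 0;
}
```

The two checks are deliberately separate: classify_eaptls says what the wire bytes are, handle_fragment_ack says whether an ACK makes sense for this session. Neither consults receive-side record metadata such as origin or content type, which is exactly the information that is absent when the peer sends only the one zero byte.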