extern HIDDEN fr_dict_attr_t const *attr_eap_message;
extern HIDDEN fr_dict_attr_t const *attr_eap_msk;
extern HIDDEN fr_dict_attr_t const *attr_eap_emsk;
+extern HIDDEN fr_dict_attr_t const *attr_framed_mtu;
extern HIDDEN fr_dict_attr_t const *attr_freeradius_proxied_to;
extern HIDDEN fr_dict_attr_t const *attr_ms_mppe_send_key;
extern HIDDEN fr_dict_attr_t const *attr_ms_mppe_recv_key;
fr_dict_attr_t const *attr_eap_message;
fr_dict_attr_t const *attr_eap_msk;
fr_dict_attr_t const *attr_eap_emsk;
+fr_dict_attr_t const *attr_framed_mtu;
fr_dict_attr_t const *attr_freeradius_proxied_to;
fr_dict_attr_t const *attr_ms_mppe_send_key;
fr_dict_attr_t const *attr_ms_mppe_recv_key;
{ .out = &attr_eap_message, .name = "EAP-Message", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
{ .out = &attr_eap_msk, .name = "EAP-MSK", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
{ .out = &attr_eap_emsk, .name = "EAP-EMSK", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
+ { .out = &attr_framed_mtu, .name = "Framed-MTU", .type = FR_TYPE_UINT32, .dict = &dict_radius },
{ .out = &attr_freeradius_proxied_to, .name = "Vendor-Specific.FreeRADIUS.Proxied-To", .type = FR_TYPE_IPV4_ADDR, .dict = &dict_radius },
{ .out = &attr_ms_mppe_send_key, .name = "Vendor-Specific.Microsoft.MPPE-Send-Key", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
{ .out = &attr_ms_mppe_recv_key, .name = "Vendor-Specific.Microsoft.MPPE-Recv-Key", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
eap_tls_session_t *eap_tls_session;
fr_tls_session_t *tls_session;
fr_tls_conf_t *conf = fr_tls_ctx_conf(ssl_ctx);
+ fr_pair_t *vp;
fr_assert(request->parent); /* must be a subrequest */
*/
eap_tls_session->include_length = true;
+ /*
+ * We use default fragment size, unless the Framed-MTU
+ * tells us it's too big. Note that we do NOT account
+ * for the EAP-TLS headers if conf->fragment_size is
+ * large, because that config item looks to be confusing.
+ *
+ * i.e. it should REALLY be called MTU, and the code here
+ * should figure out what that means for TLS fragment size.
+ * asking the administrator to know the internal details
+ * of EAP-TLS in order to calculate fragment sizes is
+ * just too much.
+ */
+ vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_framed_mtu);
+
/*
* Every new session is started only from EAP-TLS-START.
* Before Sending our initial EAP-TLS start open a new
* these data structures when we get the response.
*/
eap_tls_session->tls_session = tls_session = fr_tls_session_alloc_server(eap_tls_session, ssl_ctx,
- request, client_cert);
+ request, vp ? vp->vp_uint32 : 0, client_cert);
if (unlikely(!tls_session)) return NULL;
/*
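Review bot: The comment moved to this call site (the block above `vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_framed_mtu);`) says Framed-MTU is used "unless it tells us it's too big", but the check that enforces that — accept only if greater than 100 and below the configured fragment_size — now lives inside fr_tls_session_alloc_server(), and the `0` in `vp ? vp->vp_uint32 : 0` is an undocumented "not supplied" sentinel. Because Framed-MTU arrives in the request pairs, that callee-side lower bound is what keeps a peer-chosen value from forcing a very small fragment size, which is worth saying where the value is picked up. Suggest ending the comment with `* fr_tls_session_alloc_server() ignores the value unless 100 < mtu < fragment_size; 0 means no Framed-MTU was supplied.` The enclosing function starts and ends outside the hunk.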
extern HIDDEN fr_dict_attr_t const *attr_tls_session_resumed;
extern HIDDEN fr_dict_attr_t const *attr_tls_session_ttl;
-extern HIDDEN fr_dict_attr_t const *attr_framed_mtu;
-
extern fr_value_box_t const *enum_tls_packet_type_load_session;
extern fr_value_box_t const *enum_tls_packet_type_store_session;
extern fr_value_box_t const *enum_tls_packet_type_clear_session;
extern fr_dict_autoload_t tls_dict[];
fr_dict_autoload_t tls_dict[] = {
{ .out = &dict_freeradius, .proto = "freeradius" },
- { .out = &dict_radius, .proto = "radius" },
{ .out = &dict_tls, .proto = "tls" },
{ NULL }
};
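Review bot: Dropping `{ .out = &dict_radius, .proto = "radius" },` from tls_dict is only safe if nothing in this library still references `dict_radius`; the hunks shown remove the Framed-MTU attribute entry (the one visible `.dict = &dict_radius` user) but not the `dict_radius` declaration or definition, so if that variable still exists it will now stay NULL and any remaining `.dict = &dict_radius` entry in lines not shown here would dereference a NULL dictionary at autoload. Please confirm the variable itself is removed in this commit, or keep the autoload entry until it is.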
fr_dict_attr_t const *attr_tls_session_cipher_suite;
fr_dict_attr_t const *attr_tls_session_version;
-fr_dict_attr_t const *attr_framed_mtu;
-
fr_dict_attr_t const *attr_tls_packet_type;
fr_dict_attr_t const *attr_tls_session_data;
fr_dict_attr_t const *attr_tls_session_id;
{ .out = &attr_tls_session_cipher_suite, .name = "TLS-Session-Cipher-Suite", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
{ .out = &attr_tls_session_version, .name = "TLS-Session-Version", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
- { .out = &attr_framed_mtu, .name = "Framed-MTU", .type = FR_TYPE_UINT32, .dict = &dict_radius },
-
/*
* Eventually all TLS attributes will be in the TLS dictionary
*/
* talloc'd object.
* @param[in] ssl_ctx containing the base configuration for this session.
* @param[in] request The current #request_t.
+ * @param[in] dynamic_mtu If greater than 100, overrides the MTU configured for the SSL_CTX.
* @param[in] client_cert Whether to require a client_cert.
* @return
* - A new session on success.
* - NULL on error.
*/
-fr_tls_session_t *fr_tls_session_alloc_server(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx, request_t *request, bool client_cert)
+fr_tls_session_t *fr_tls_session_alloc_server(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx, request_t *request, size_t dynamic_mtu, bool client_cert)
{
fr_tls_session_t *tls_session = NULL;
SSL *ssl = NULL;
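Review bot: The new `@param[in] dynamic_mtu` line overstates what the code does: the body only adopts `dynamic_mtu` when it is greater than 100 and also smaller than the configured fragment_size, so it can only lower the MTU, never raise it, and 0 is what the caller passes for "not supplied". Suggest `* @param[in] dynamic_mtu MTU learned at runtime (e.g. from Framed-MTU). Only applied if greater than 100 and smaller than conf->fragment_size, i.e. it can only lower the fragment size; 0 leaves the configured value unchanged.` The function body continues past the end of this hunk.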
SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf);
SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_TLS_SESSION, (void *)tls_session);
- /*
- * We use default fragment size, unless the Framed-MTU
- * tells us it's too big. Note that we do NOT account
- * for the EAP-TLS headers if conf->fragment_size is
- * large, because that config item looks to be confusing.
- *
- * i.e. it should REALLY be called MTU, and the code here
- * should figure out what that means for TLS fragment size.
- * asking the administrator to know the internal details
- * of EAP-TLS in order to calculate fragment sizes is
- * just too much.
- */
tls_session->mtu = conf->fragment_size;
- vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_framed_mtu);
- if (vp && (vp->vp_uint32 > 100) && (vp->vp_uint32 < tls_session->mtu)) {
- RDEBUG2("Setting fragment_len to %u from &Framed-MTU", vp->vp_uint32);
- tls_session->mtu = vp->vp_uint32;
+ if (dynamic_mtu > 100 && dynamic_mtu < tls_session->mtu) {
+ RDEBUG2("Setting fragment_len to %zu from dynamic_mtu", dynamic_mtu);
+ tls_session->mtu = dynamic_mtu;
}
if (conf->cache.mode != FR_TLS_CACHE_DISABLED) {
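Review bot: `dynamic_mtu < tls_session->mtu` now compares a `size_t` against whatever type `tls_session->mtu` has (not visible in the hunk); the old code compared a `uint32_t`, so if `mtu` is narrower or signed this introduces a new width/sign conversion that `-Wsign-compare`/`-Wconversion` will flag — worth confirming the field's type or casting explicitly. The threshold `100` is also now duplicated between the doc comment and the code; a named constant (for example `#define FR_TLS_MTU_MIN 100`, name constructed here) would keep them in step. The debug line `RDEBUG2("Setting fragment_len to %zu from dynamic_mtu", dynamic_mtu);` no longer tells an operator which attribute supplied the value; since only the caller knows, either log it there or use wording like `"from caller-supplied MTU"`. fr_tls_session_alloc_server() starts before and ends after this hunk.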
fr_tls_session_t *fr_tls_session_alloc_client(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx);
-fr_tls_session_t *fr_tls_session_alloc_server(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx, request_t *request, bool client_cert);
+fr_tls_session_t *fr_tls_session_alloc_server(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx, request_t *request, size_t dynamic_mtu, bool client_cert);
#ifdef __cplusplus
}