Add option "include_length" for TTLS, too.
authorAlan T. DeKok <aland@freeradius.org>
Thu, 7 May 2009 08:43:27 +0000 (10:43 +0200)
committerAlan T. DeKok <aland@freeradius.org>
Thu, 7 May 2009 08:47:09 +0000 (10:47 +0200)
We've always set it to "yes" in the past, by inheriting the
value from the TLS configuration.  In contrast, PEAP always sets it
to "no".

However... RFC 5281 says that we should set it to "no".  Since the
previous code works with everyone, we don't want to change the
defaults.  But we DO add the flag that allows it to be RFC compliant.

raddb/eap.conf
src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c

index 969f8849855661dd2545a782411a5f2d2140aed7..209b588619890bcfb18ddee1e1a0e152f68ac02f 100644 (file)
                        #  outer requests.
                        #
                        virtual_server = "inner-tunnel"
+
+                       #  This has the same meaning as the
+                       #  same field in the "tls" module, above.
+                       #  The default value here is "yes".
+               #       include_length = yes
                }
 
                ##################################################
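Review bot: The new comment for `include_length` tells the operator only that the default is "yes"; it does not say which setting follows RFC 5281, although the commit message gives RFC compliance as the reason the option exists. I would add a line such as `#  Set to "no" to send the length only in the first fragment, as RFC 5281 requires.` The phrase "same meaning as the same field in the tls module" can also be read as "inherits from it", whereas the change in rlm_eap_ttls.c appears to make the TTLS value independent of the "tls" section, so the comment should say that this setting is read separately.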
index 91a4234488985f1a0d06b666cc11c60784d76b0c..1a3b3c009eba4b8ba13975b7f4f4b5bb3fcbc9c5 100644 (file)
@@ -47,6 +47,17 @@ typedef struct rlm_eap_ttls_t {
         */
        int     copy_request_to_tunnel;
 
+       /*
+        *      RFC 5281 (TTLS) says that the length field MUST NOT be
+        *      in fragments after the first one.  However, we've done
+        *      it that way for years, and no one has complained.
+        *
+        *      In the interests of allowing the server to follow the
+        *      RFC, we add the option here.  If set to "no", it sends
+        *      the length field in ONLY the first fragment.
+        */
+       int     include_length;
+
        /*
         *      Virtual server for inner tunnel session.
         */
@@ -67,6 +78,9 @@ static CONF_PARSER module_config[] = {
        { "virtual_server", PW_TYPE_STRING_PTR,
          offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL },
 
+       { "include_length", PW_TYPE_BOOLEAN,
+         offsetof(rlm_eap_ttls_t, include_length), NULL, "yes" },
+
        { NULL, -1, 0, NULL, NULL }           /* end the list */
 };
 
@@ -175,6 +189,8 @@ static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
 
        RDEBUG2("Authenticate");
 
+       tls_session->length_flag = inst->include_length;
+
        /*
         *      Process TLS layer until done.
         */
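Review bot: The assignment `tls_session->length_flag = inst->include_length;` unconditionally overwrites whatever the session was given from the "tls" section, and the `module_config` entry added in the previous hunk defaults to "yes". A deployment that set `include_length = no` under "tls" and relied on TTLS inheriting it, which is how the commit message describes the old behaviour, would therefore appear to switch back to "yes" for TTLS after upgrading. If that is intended, a comment above the assignment would make it explicit, e.g. `/* TTLS has its own include_length; this deliberately overrides the value inherited from the tls section. */`. The flag is also rewritten on every call although it should not change during a session; whether it could be set once where the session is created cannot be judged from here, because eapttls_authenticate starts and ends outside the hunk.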