From: Arran Cudbard-Bell Date: Thu, 24 Oct 2024 22:59:49 +0000 (-0600) Subject: Don't load the RADIUS dictionary in our TLS library X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=203d5d3149ff02103ffdedf24901d0f778b4e17c;p=thirdparty%2Ffreeradius-server.git Don't load the RADIUS dictionary in our TLS library
---
diff --git a/src/lib/eap/attrs.h b/src/lib/eap/attrs.h
index 712668f5817..97291674620 100644
--- a/src/lib/eap/attrs.h
+++ b/src/lib/eap/attrs.h
@@ -40,6 +40,7 @@ extern HIDDEN fr_dict_attr_t const *attr_eap_channel_binding_message;
 extern HIDDEN fr_dict_attr_t const *attr_eap_message;
 extern HIDDEN fr_dict_attr_t const *attr_eap_msk;
 extern HIDDEN fr_dict_attr_t const *attr_eap_emsk;
+extern HIDDEN fr_dict_attr_t const *attr_framed_mtu;
 extern HIDDEN fr_dict_attr_t const *attr_freeradius_proxied_to;
 extern HIDDEN fr_dict_attr_t const *attr_ms_mppe_send_key;
 extern HIDDEN fr_dict_attr_t const *attr_ms_mppe_recv_key;
diff --git a/src/lib/eap/base.c b/src/lib/eap/base.c
index e4e7c334850..46b5e82cfaf 100644
--- a/src/lib/eap/base.c
+++ b/src/lib/eap/base.c
@@ -90,6 +90,7 @@ fr_dict_attr_t const *attr_eap_channel_binding_message;
 fr_dict_attr_t const *attr_eap_message;
 fr_dict_attr_t const *attr_eap_msk;
 fr_dict_attr_t const *attr_eap_emsk;
+fr_dict_attr_t const *attr_framed_mtu;
 fr_dict_attr_t const *attr_freeradius_proxied_to;
 fr_dict_attr_t const *attr_ms_mppe_send_key;
 fr_dict_attr_t const *attr_ms_mppe_recv_key;
@@ -109,6 +110,7 @@ fr_dict_attr_autoload_t eap_base_dict_attr[] = {
 { .out = &attr_eap_message, .name = "EAP-Message", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
 { .out = &attr_eap_msk, .name = "EAP-MSK", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
 { .out = &attr_eap_emsk, .name = "EAP-EMSK", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
+ { .out = &attr_framed_mtu, .name = "Framed-MTU", .type = FR_TYPE_UINT32, .dict = &dict_radius },
 { .out = &attr_freeradius_proxied_to, .name = "Vendor-Specific.FreeRADIUS.Proxied-To", .type = FR_TYPE_IPV4_ADDR, .dict = &dict_radius },
 { .out = &attr_ms_mppe_send_key, .name = "Vendor-Specific.Microsoft.MPPE-Send-Key", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
 { .out = &attr_ms_mppe_recv_key, .name = "Vendor-Specific.Microsoft.MPPE-Recv-Key", .type = FR_TYPE_OCTETS, .dict = &dict_radius },
diff --git a/src/lib/eap/tls.c b/src/lib/eap/tls.c
index dde2da54c06..a3cdfae5d04 100644
--- a/src/lib/eap/tls.c
+++ b/src/lib/eap/tls.c
@@ -1130,6 +1130,7 @@ eap_tls_session_t *eap_tls_session_init(request_t *request, eap_session_t *eap_s
 eap_tls_session_t *eap_tls_session;
 fr_tls_session_t *tls_session;
 fr_tls_conf_t *conf = fr_tls_ctx_conf(ssl_ctx);
+ fr_pair_t *vp;
 fr_assert(request->parent); /* must be a subrequest */
@@ -1151,6 +1152,20 @@ eap_tls_session_t *eap_tls_session_init(request_t *request, eap_session_t *eap_s
 */
 eap_tls_session->include_length = true;
+ /*
+ * We use default fragment size, unless the Framed-MTU
+ * tells us it's too big. Note that we do NOT account
+ * for the EAP-TLS headers if conf->fragment_size is
+ * large, because that config item looks to be confusing.
+ *
+ * i.e. it should REALLY be called MTU, and the code here
+ * should figure out what that means for TLS fragment size.
+ * asking the administrator to know the internal details
+ * of EAP-TLS in order to calculate fragment sizes is
+ * just too much.
+ */
+ vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_framed_mtu);
+
 /*
 * Every new session is started only from EAP-TLS-START.
 * Before Sending our initial EAP-TLS start open a new
@@ -1160,7 +1175,7 @@ eap_tls_session_t *eap_tls_session_init(request_t *request, eap_session_t *eap_s
 * these data structures when we get the response.
 */
 eap_tls_session->tls_session = tls_session = fr_tls_session_alloc_server(eap_tls_session, ssl_ctx,
- request, client_cert);
+ request, vp ? vp->vp_uint32 : 0, client_cert);
 if (unlikely(!tls_session)) return NULL;
 /*
diff --git a/src/lib/tls/attrs.h b/src/lib/tls/attrs.h
index eee88575ba8..075e7c921be 100644
--- a/src/lib/tls/attrs.h
+++ b/src/lib/tls/attrs.h
@@ -67,8 +67,6 @@ extern HIDDEN fr_dict_attr_t const *attr_tls_session_id;
 extern HIDDEN fr_dict_attr_t const *attr_tls_session_resumed;
 extern HIDDEN fr_dict_attr_t const *attr_tls_session_ttl;
-extern HIDDEN fr_dict_attr_t const *attr_framed_mtu;
-
 extern fr_value_box_t const *enum_tls_packet_type_load_session;
 extern fr_value_box_t const *enum_tls_packet_type_store_session;
 extern fr_value_box_t const *enum_tls_packet_type_clear_session;
diff --git a/src/lib/tls/base.c b/src/lib/tls/base.c
index a963fdf55fe..ff6d0430d1a 100644
--- a/src/lib/tls/base.c
+++ b/src/lib/tls/base.c
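Review bot: The comment block placed above the new `vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_framed_mtu);` line no longer describes the code under it: the "unless the Framed-MTU tells us it's too big" clamping it talks about now lives inside fr_tls_session_alloc_server(), while this hunk only looks the attribute up and forwards `vp ? vp->vp_uint32 : 0` without any check. I would replace it with a short comment saying that Framed-MTU arrives in the request from the NAS and is therefore untrusted input, that 0 means "no hint", and that the TLS library applies the bounds (the value is ignored unless it is greater than 100 and smaller than the configured fragment_size), so a reader does not add a second, diverging check here. The existing caveat that EAP-TLS header overhead is not subtracted from the value is still true and worth keeping as one sentence. eap_tls_session_init() starts and ends outside these two hunks.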
@@ -68,7 +68,6 @@ fr_dict_t const *dict_tls;
 extern fr_dict_autoload_t tls_dict[];
 fr_dict_autoload_t tls_dict[] = {
 { .out = &dict_freeradius, .proto = "freeradius" },
- { .out = &dict_radius, .proto = "radius" },
 { .out = &dict_tls, .proto = "tls" },
 { NULL }
 };
@@ -107,8 +106,6 @@ fr_dict_attr_t const *attr_tls_session_require_client_cert;
 fr_dict_attr_t const *attr_tls_session_cipher_suite;
 fr_dict_attr_t const *attr_tls_session_version;
-fr_dict_attr_t const *attr_framed_mtu;
-
 fr_dict_attr_t const *attr_tls_packet_type;
 fr_dict_attr_t const *attr_tls_session_data;
 fr_dict_attr_t const *attr_tls_session_id;
@@ -151,8 +148,6 @@ fr_dict_attr_autoload_t tls_dict_attr[] = {
 { .out = &attr_tls_session_cipher_suite, .name = "TLS-Session-Cipher-Suite", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
 { .out = &attr_tls_session_version, .name = "TLS-Session-Version", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
- { .out = &attr_framed_mtu, .name = "Framed-MTU", .type = FR_TYPE_UINT32, .dict = &dict_radius },
-
 /*
 * Eventually all TLS attributes will be in the TLS dictionary
 */
diff --git a/src/lib/tls/session.c b/src/lib/tls/session.c
index 0d6394795e1..007452fbb92 100644
--- a/src/lib/tls/session.c
+++ b/src/lib/tls/session.c
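Review bot: The `{ .out = &dict_radius, .proto = "radius" },` row is dropped from `tls_dict[]`, but nothing in these hunks removes the `fr_dict_t const *dict_radius` object that row pointed at, nor an `extern` for it if the library's header declares one. If that definition still exists in src/lib/tls it is now a never-populated NULL pointer, and any remaining `.dict = &dict_radius` entry or direct lookup against it in this library would dereference NULL at attribute-autoload time instead of failing at link time. I would delete the definition (and any extern) in the same commit and grep src/lib/tls for `dict_radius` so the compiler reports every leftover user. `tls_dict[]` is shown in full here; `tls_dict_attr[]` continues past the third hunk, so I cannot see whether it still has a row that references the RADIUS dictionary.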
@@ -1679,12 +1679,13 @@ fr_tls_session_t *fr_tls_session_alloc_client(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx)
 * talloc'd object.
 * @param[in] ssl_ctx containing the base configuration for this session.
 * @param[in] request The current #request_t.
+ * @param[in] dynamic_mtu If greater than 100, overrides the MTU configured for the SSL_CTX.
 * @param[in] client_cert Whether to require a client_cert.
 * @return
 * - A new session on success.
 * - NULL on error.
 */
-fr_tls_session_t *fr_tls_session_alloc_server(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx, request_t *request, bool client_cert)
+fr_tls_session_t *fr_tls_session_alloc_server(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx, request_t *request, size_t dynamic_mtu, bool client_cert)
 {
 fr_tls_session_t *tls_session = NULL;
 SSL *ssl = NULL;
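Review bot: The new `@param[in] dynamic_mtu` line says a value greater than 100 "overrides the MTU configured for the SSL_CTX", but the body (in the next hunk) only applies it when it is also smaller than `conf->fragment_size`, so it can only lower the fragment size, never raise it, and 0 is the caller's "no hint" value. The doc should say exactly that, otherwise a caller reading only the header will expect a large Framed-MTU to enlarge fragments: `* @param[in] dynamic_mtu Per-session MTU hint, 0 for none. Only ever lowers the fragment size; values <= 100 or >= the configured fragment_size are ignored.` The body of fr_tls_session_alloc_server() continues well past this hunk.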
@@ -1855,23 +1856,10 @@ fr_tls_session_t *fr_tls_session_alloc_server(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx,
 SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf);
 SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_TLS_SESSION, (void *)tls_session);
- /*
- * We use default fragment size, unless the Framed-MTU
- * tells us it's too big. Note that we do NOT account
- * for the EAP-TLS headers if conf->fragment_size is
- * large, because that config item looks to be confusing.
- *
- * i.e. it should REALLY be called MTU, and the code here
- * should figure out what that means for TLS fragment size.
- * asking the administrator to know the internal details
- * of EAP-TLS in order to calculate fragment sizes is
- * just too much.
- */
 tls_session->mtu = conf->fragment_size;
- vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_framed_mtu);
- if (vp && (vp->vp_uint32 > 100) && (vp->vp_uint32 < tls_session->mtu)) {
- RDEBUG2("Setting fragment_len to %u from &Framed-MTU", vp->vp_uint32);
- tls_session->mtu = vp->vp_uint32;
+ if (dynamic_mtu > 100 && dynamic_mtu < tls_session->mtu) {
+ RDEBUG2("Setting fragment_len to %zu from dynamic_mtu", dynamic_mtu);
+ tls_session->mtu = dynamic_mtu;
 }
 if (conf->cache.mode != FR_TLS_CACHE_DISABLED) {
diff --git a/src/lib/tls/session.h b/src/lib/tls/session.h
index 2e029945d86..4b1802f45a9 100644
--- a/src/lib/tls/session.h
+++ b/src/lib/tls/session.h
@@ -315,7 +315,7 @@ unlang_action_t fr_tls_session_async_handshake_push(request_t *request, fr_tls_s
 fr_tls_session_t *fr_tls_session_alloc_client(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx);
-fr_tls_session_t *fr_tls_session_alloc_server(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx, request_t *request, bool client_cert);
+fr_tls_session_t *fr_tls_session_alloc_server(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx, request_t *request, size_t dynamic_mtu, bool client_cert);
 #ifdef __cplusplus
 }
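Review bot: With the `vp = fr_pair_find_by_da(...)` lookup deleted, the `vp` local the old code used is no longer referenced in what is visible here; if it is a function-scope `fr_pair_t *vp;` declared at the top of fr_tls_session_alloc_server() (outside this hunk) it is now unused and will warn under -Wunused-variable, which is fatal if the build uses -Werror, so it should go in the same commit. The `> 100` floor in `if (dynamic_mtu > 100 && dynamic_mtu < tls_session->mtu) {` is what keeps a NAS-supplied Framed-MTU from forcing near-empty TLS fragments and a handshake of hundreds of round trips, so it deserves a named constant and a one-line comment rather than a bare literal, e.g. `/* dynamic_mtu comes from the NAS (Framed-MTU): ignore absurdly small values, never raise above conf->fragment_size */`. The RDEBUG2 text changed from `&Framed-MTU` to `dynamic_mtu`, which hides from the debug log where the value actually came from; `"Setting fragment_len to %zu from caller supplied MTU (Framed-MTU)"` would keep that visible. Only the `if` block is touched here; the function's start and its session-cache setup lie outside the hunk.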