Add option "include_length" for TTLS, too.
authorAlan T. DeKok <aland@freeradius.org>
Thu, 7 May 2009 08:43:27 +0000 (10:43 +0200)
committerAlan T. DeKok <aland@freeradius.org>
Thu, 7 May 2009 08:47:09 +0000 (10:47 +0200)
We've always set it to "yes" in the past, by inheriting the
value from the TLS configuration.  In contrast, PEAP always sets it
to "no".

However... RFC 5281 says that we should set it to "no".  Since the
previous code works with everyone, we don't want to change the
defaults.  But we DO add the flag that allows it to be RFC compliant.

raddb/eap.conf
src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c

index 969f884..209b588 100644 (file)
                        #  outer requests.
                        #
                        virtual_server = "inner-tunnel"
+
+                       #  This has the same meaning as the
+                       #  same field in the "tls" module, above.
+                       #  The default value here is "yes".
+               #       include_length = yes
                }
 
                ##################################################
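Review bot: The new comment states the default ("yes") but does not say what "no" selects, so an administrator reading eap.conf cannot tell that "no" is the behaviour RFC 5281 asks for, which is the whole reason the option exists. Suggest extending the comment before the commented-out `include_length = yes` line with `#  Set to "no" for the behaviour required by RFC 5281.` and keeping the note that the default stays "yes" for compatibility. The enclosing ttls block starts before this hunk.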
index 91a4234..1a3b3c0 100644 (file)
@@ -48,6 +48,17 @@ typedef struct rlm_eap_ttls_t {
        int     copy_request_to_tunnel;
 
        /*
+        *      RFC 5281 (TTLS) says that the length field MUST NOT be
+        *      in fragments after the first one.  However, we've done
+        *      it that way for years, and no one has complained.
+        *
+        *      In the interests of allowing the server to follow the
+        *      RFC, we add the option here.  If set to "no", it sends
+        *      the length field in ONLY the first fragment.
+        */
+       int     include_length;
+
+       /*
         *      Virtual server for inner tunnel session.
         */
        char    *virtual_server;
@@ -67,6 +78,9 @@ static CONF_PARSER module_config[] = {
        { "virtual_server", PW_TYPE_STRING_PTR,
          offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL },
 
+       { "include_length", PW_TYPE_BOOLEAN,
+         offsetof(rlm_eap_ttls_t, include_length), NULL, "yes" },
+
        { NULL, -1, 0, NULL, NULL }           /* end the list */
 };
 
@@ -175,6 +189,8 @@ static int eapttls_authenticate(void *arg, EAP_HANDLER *handler)
 
        RDEBUG2("Authenticate");
 
+       tls_session->length_flag = inst->include_length;
+
        /*
         *      Process TLS layer until done.
         */