With this patch https://github.com/FreeRADIUS/freeradius-server/commit/a1f5fd2213c0104d0e124d804ab8c210c9fedb18:

From a1f5fd2213c0104d0e124d804ab8c210c9fedb18 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <al...@freeradius.org>
Date: Thu, 30 Dec 2021 15:31:55 -0500
Subject: [PATCH] OpenSSL3 sends invalid content types all of the time...

---
 src/main/cb.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/main/cb.c b/src/main/cb.c
index 372b8fa8228..0796914b41f 100644
--- a/src/main/cb.c
+++ b/src/main/cb.c
@@ -132,11 +132,11 @@ void cbtls_msg(int write_p, int msg_version, int 
content_type,
        tls_session_t *state = (tls_session_t *)arg;
 
        /*
-        *      OpenSSL 1.0.2 calls this function with 'pseudo'
-        *      content types.  Which breaks our tracking of
-        *      the SSL Session state.
+        *      OpenSSL calls this function with 'pseudo' content
+        *      types.  Which breaks our tracking of the SSL Session
+        *      state.
         */
-       if ((msg_version == 0) && (content_type > UINT8_MAX)) {
+       if ((msg_version == 0) || (content_type >= UINT8_MAX)) {
                DEBUG4("(TLS) Ignoring cbtls_msg call with pseudo content type 
%i, version %i",
                       content_type, msg_version);
                return;
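Review bot: the new condition `(msg_version == 0) || (content_type >= UINT8_MAX)` widens what the callback ignores in two ways that the reworded comment does not explain: every call with `msg_version == 0` is now dropped whatever its content type, and `content_type == UINT8_MAX` (255) now counts as a pseudo type where before only values above 255 did. The motivating case is a pseudo content type (256) arriving together with a real protocol version (769 or 771), which the old `&&` let through into the session-state tracking; the comment should say that pseudo types can carry a real version, and if the change from `>` to `>=` is intentional, why 255 is treated as pseudo. Comparing against the named OpenSSL constants for the pseudo types rather than `UINT8_MAX` would make the intent explicit and easier to re-check against future OpenSSL releases.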

The test passes, and it does log "Ignoring cbtls_msg call ..." multiple times:
...
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: Authenticate
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: Continuing EAP-TLS
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: Peer sent flags ---
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: [eaptls verify] = ok
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: Done initial handshake
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: (other): before SSL initialization
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: before SSL initialization
Fri Jan  7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 769
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: before SSL initialization
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: <<< recv TLS 1.3  [length 00b7]
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS read client hello
Fri Jan  7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2  [length 003d]
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS write server hello
Fri Jan  7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2  [length 0345]
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS write certificate
Fri Jan  7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2  [length 014d]
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
Fri Jan  7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2  [length 0004]
...


I thought this would also be needed https://github.com/FreeRADIUS/freeradius-server/commit/cbbbd30f84a5b2a7d435ce0da765796ee3987e21, but the test passes without it.

The point is that the current 3.0.x branch has a few more openssl-3-related
commits. We can cherry-pick the one needed for this test, or all of
them, or do that and wait for a 3.0.26 release and then remove the
patches.

https://bugs.launchpad.net/bugs/1955009

Title:
  Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs