Comment 11 for bug 1955009

Andreas Hasenack (ahasenack) wrote :

With this patch https://github.com/FreeRADIUS/freeradius-server/commit/a1f5fd2213c0104d0e124d804ab8c210c9fedb18:

From a1f5fd2213c0104d0e124d804ab8c210c9fedb18 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <email address hidden>
Date: Thu, 30 Dec 2021 15:31:55 -0500
Subject: [PATCH] OpenSSL3 sends invalid content types all of the time...

---
 src/main/cb.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/main/cb.c b/src/main/cb.c
index 372b8fa8228..0796914b41f 100644
--- a/src/main/cb.c
+++ b/src/main/cb.c
@@ -132,11 +132,11 @@ void cbtls_msg(int write_p, int msg_version, int content_type,
  tls_session_t *state = (tls_session_t *)arg;

  /*
- * OpenSSL 1.0.2 calls this function with 'pseudo'
- * content types. Which breaks our tracking of
- * the SSL Session state.
+ * OpenSSL calls this function with 'pseudo' content
+ * types. Which breaks our tracking of the SSL Session
+ * state.
   */
- if ((msg_version == 0) && (content_type > UINT8_MAX)) {
+ if ((msg_version == 0) || (content_type >= UINT8_MAX)) {
   DEBUG4("(TLS) Ignoring cbtls_msg call with pseudo content type %i, version %i",
          content_type, msg_version);
   return;
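Review bot: the `&&` to `||` change on the new condition line is what makes the early return fire for the calls the log below shows being ignored (content type 256 with version 769 or 771, i.e. a non-zero msg_version), which the old `(msg_version == 0) && ...` form would have passed through to the state tracking; but the boundary also moved from `> UINT8_MAX` to `>= UINT8_MAX`, so content_type 255 is now dropped as well, which the 256 case does not need and which neither the subject line nor the rewritten comment explains. Either keep `> UINT8_MAX` or extend the comment to say why 255 counts as pseudo. The `||` also means any call with msg_version == 0 now returns early whatever its content_type; a one-line comment stating that this is intended would help the next reader of cbtls_msg.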

The test passes, and it does log "Ignoring cbtls_msg call ..." multiple times:
...
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: Authenticate
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: Continuing EAP-TLS
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: Peer sent flags ---
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: [eaptls verify] = ok
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: Done initial handshake
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: (other): before SSL initialization
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: before SSL initialization
Fri Jan 7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 769
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: before SSL initialization
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: <<< recv TLS 1.3 [length 00b7]
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS read client hello
Fri Jan 7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2 [length 003d]
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS write server hello
Fri Jan 7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2 [length 0345]
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS write certificate
Fri Jan 7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2 [length 014d]
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
Fri Jan 7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2 [length 0004]
...

I thought this would also be needed https://github.com/FreeRADIUS/freeradius-server/commit/cbbbd30f84a5b2a7d435ce0da765796ee3987e21, but the test passes without it.

The point is that the current 3.0.x branch has a few more OpenSSL 3-related commits. We can cherry-pick the one needed for this test, or all of them, or do that and wait for a 3.0.26 release and then remove the patches.
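Added example, not code from this bug thread or from FreeRADIUS: the old and new cbtls_msg filter predicates from the hunk above, run over a constructed table of callback arguments. The table is made up for this example; the pseudo content type 0x100 (256) and the versions 0x0301 (769) and 0x0303 (771) are OpenSSL's SSL3_RT_HEADER, TLS1_VERSION and TLS1_2_VERSION and match the numbers in the debug log above, so it shows why the old `&&` form let those calls through and what the `>=` boundary change additionally drops.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * OpenSSL's pseudo content types (ssl3.h) sit above UINT8_MAX; 0x100 is the
 * 256 reported in the debug log. The versions are TLS1_VERSION (0x0301 = 769)
 * and TLS1_2_VERSION (0x0303 = 771), also the values in that log.
 */
#define SSL3_RT_HEADER             0x100
#define SSL3_RT_INNER_CONTENT_TYPE 0x101
#define SSL3_RT_ALERT              21
#define SSL3_RT_HANDSHAKE          22
#define TLS1_VERSION               0x0301
#define TLS1_2_VERSION             0x0303

/* Filter as it stood before the patch. */
bool ignore_old(int msg_version, int content_type)
{
    return (msg_version == 0) && (content_type > UINT8_MAX);
}

/* Filter as the patch rewrites it. */
bool ignore_new(int msg_version, int content_type)
{
    return (msg_version == 0) || (content_type >= UINT8_MAX);
}

struct cb_call {
    int msg_version;
    int content_type;
    const char *what;
};

/* Constructed callback invocations (not captured from a real run): the first
 * two carry the argument pairs the log reports being ignored, the third is a
 * pseudo type with version 0, the last two are real one-byte record types. */
static const struct cb_call calls[] = {
    { TLS1_VERSION,   SSL3_RT_HEADER,             "record header, version 769" },
    { TLS1_2_VERSION, SSL3_RT_HEADER,             "record header, version 771" },
    { 0,              SSL3_RT_INNER_CONTENT_TYPE, "inner content type, version 0" },
    { TLS1_2_VERSION, SSL3_RT_HANDSHAKE,          "handshake record" },
    { TLS1_2_VERSION, SSL3_RT_ALERT,              "alert record" },
};
#define NCALLS (sizeof calls / sizeof calls[0])

static bool is_pseudo(const struct cb_call *c)
{
    return c->content_type > UINT8_MAX;
}

/* Number of pseudo-type calls the predicate lets through to the state tracker. */
size_t pseudo_calls_passed(bool (*ignore)(int, int))
{
    size_t n = 0;
    for (size_t i = 0; i < NCALLS; i++)
        if (is_pseudo(&calls[i]) && !ignore(calls[i].msg_version, calls[i].content_type))
            n++;
    return n;
}

/* Number of real records the predicate wrongly drops. */
size_t real_calls_dropped(bool (*ignore)(int, int))
{
    size_t n = 0;
    for (size_t i = 0; i < NCALLS; i++)
        if (!is_pseudo(&calls[i]) && ignore(calls[i].msg_version, calls[i].content_type))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NCALLS; i++) {
        const struct cb_call *c = &calls[i];
        printf("%-32s type %3d version %4d  old:%s new:%s\n", c->what,
               c->content_type, c->msg_version,
               ignore_old(c->msg_version, c->content_type) ? "ignore" : "track ",
               ignore_new(c->msg_version, c->content_type) ? "ignore" : "track ");
    }
    printf("pseudo calls passed: old=%zu new=%zu; real records dropped: old=%zu new=%zu\n",
           pseudo_calls_passed(ignore_old), pseudo_calls_passed(ignore_new),
           real_calls_dropped(ignore_old), real_calls_dropped(ignore_new));
    return 0;
}
```

The two record-header rows are the ones the old predicate passes into the session state tracking, because their version is non-zero; neither predicate drops a real handshake or alert record. The one input the two predicates disagree on below 256 is content type 255, which only the new `>=` form ignores.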