diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 8916b03db..fc933f578 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -1313,6 +1313,8 @@ struct hostapd_config * hostapd_config_read(const char *fname) } else if (os_strcmp(buf, "dh_file") == 0) { os_free(bss->dh_file); bss->dh_file = os_strdup(pos); + } else if (os_strcmp(buf, "fragment_size") == 0) { + bss->fragment_size = atoi(pos); #ifdef EAP_SERVER_FAST } else if (os_strcmp(buf, "pac_opaque_encr_key") == 0) { os_free(bss->pac_opaque_encr_key); diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index 041b947cf..e948c20d9 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf @@ -504,6 +504,9 @@ eap_server=0 # "openssl dhparam -out /etc/hostapd.dh.pem 1024" #dh_file=/etc/hostapd.dh.pem +# Fragment size for EAP methods +#fragment_size=1400 + # Configuration data for EAP-SIM database/authentication gateway interface. # This is a text string in implementation specific format. The example # implementation in eap_sim_db.c uses this as the UNIX domain socket name for diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index f509b5bbb..2608839e4 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -254,6 +254,7 @@ struct hostapd_bss_config { int pac_key_refresh_time; int eap_sim_aka_result_ind; int tnc; + int fragment_size; char *radius_server_clients; int radius_server_auth_port; diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index eb160f8e0..edafcb86e 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -1651,6 +1651,7 @@ int ieee802_1x_init(struct hostapd_data *hapd) conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; conf.tnc = hapd->conf->tnc; conf.wps = hapd->wps; + conf.fragment_size = hapd->conf->fragment_size; os_memset(&cb, 0, sizeof(cb)); cb.eapol_send = ieee802_1x_eapol_send; diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h index 92400a568..637086ba0 100644 --- a/src/eap_server/eap.h +++ b/src/eap_server/eap.h @@ -107,6 +107,7 @@ struct eap_config { struct wps_context *wps; const struct wpabuf *assoc_wps_ie; const u8 *peer_addr; + int fragment_size; }; diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h index 4269a8cfd..da8f8489f 100644 --- a/src/eap_server/eap_i.h +++ b/src/eap_server/eap_i.h @@ -187,6 +187,9 @@ struct eap_sm { Boolean start_reauth; u8 peer_addr[ETH_ALEN]; + + /* Fragmentation size for EAP method init() handler */ + int fragment_size; }; int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len, diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c index fdc26f934..a2e5bde82 100644 --- a/src/eap_server/eap_server.c +++ b/src/eap_server/eap_server.c @@ -1257,6 +1257,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx, sm->assoc_wps_ie = wpabuf_dup(conf->assoc_wps_ie); if (conf->peer_addr) os_memcpy(sm->peer_addr, conf->peer_addr, ETH_ALEN); + sm->fragment_size = conf->fragment_size; wpa_printf(MSG_DEBUG, "EAP: Server state machine created"); diff --git a/src/eap_server/eap_server_ikev2.c b/src/eap_server/eap_server_ikev2.c index 06074ee28..ec4fa8796 100644 --- a/src/eap_server/eap_server_ikev2.c +++ b/src/eap_server/eap_server_ikev2.c @@ -93,7 +93,8 @@ static void * eap_ikev2_init(struct eap_sm *sm) if (data == NULL) return NULL; data->state = MSG; - data->fragment_size = IKEV2_FRAGMENT_SIZE; + data->fragment_size = sm->fragment_size > 0 ? sm->fragment_size : + IKEV2_FRAGMENT_SIZE; data->ikev2.state = SA_INIT; data->ikev2.peer_auth = PEER_AUTH_SECRET; data->ikev2.key_pad = (u8 *) os_strdup("Key Pad for EAP-IKEv2"); diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c index 25ae683f0..e149ee3e4 100644 --- a/src/eap_server/eap_server_tls_common.c +++ b/src/eap_server/eap_server_tls_common.c @@ -45,8 +45,7 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data, return -1; } - /* TODO: make this configurable */ - data->tls_out_limit = 1398; + data->tls_out_limit = sm->fragment_size > 0 ? sm->fragment_size : 1398; if (data->phase2) { /* Limit the fragment size in the inner TLS authentication * since the outer authentication with EAP-PEAP does not yet diff --git a/src/eap_server/eap_server_tnc.c b/src/eap_server/eap_server_tnc.c index f3b70edab..a2d6f1708 100644 --- a/src/eap_server/eap_server_tnc.c +++ b/src/eap_server/eap_server_tnc.c @@ -91,7 +91,8 @@ static void * eap_tnc_init(struct eap_sm *sm) return NULL; } - data->fragment_size = 1300; + data->fragment_size = sm->fragment_size > 100 ? + sm->fragment_size - 98 : 1300; return data; } diff --git a/src/eap_server/eap_server_wsc.c b/src/eap_server/eap_server_wsc.c index b6c0df462..272a6195b 100644 --- a/src/eap_server/eap_server_wsc.c +++ b/src/eap_server/eap_server_wsc.c @@ -136,7 +136,8 @@ static void * eap_wsc_init(struct eap_sm *sm) os_free(data); return NULL; } - data->fragment_size = WSC_FRAGMENT_SIZE; + data->fragment_size = sm->fragment_size > 0 ? sm->fragment_size : + WSC_FRAGMENT_SIZE; return data; } diff --git a/src/eapol_auth/eapol_auth_sm.c b/src/eapol_auth/eapol_auth_sm.c index a1976e8f0..90800092e 100644 --- a/src/eapol_auth/eapol_auth_sm.c +++ b/src/eapol_auth/eapol_auth_sm.c @@ -830,6 +830,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr, eap_conf.wps = eapol->conf.wps; eap_conf.assoc_wps_ie = assoc_wps_ie; eap_conf.peer_addr = addr; + eap_conf.fragment_size = eapol->conf.fragment_size; sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf); if (sm->eap == NULL) { eapol_auth_free(sm); @@ -1077,6 +1078,7 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst, dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind; dst->tnc = src->tnc; dst->wps = src->wps; + dst->fragment_size = src->fragment_size; return 0; } diff --git a/src/eapol_auth/eapol_auth_sm.h b/src/eapol_auth/eapol_auth_sm.h index ef943ad47..bfeef7b9b 100644 --- a/src/eapol_auth/eapol_auth_sm.h +++ b/src/eapol_auth/eapol_auth_sm.h @@ -40,6 +40,7 @@ struct eapol_auth_config { int eap_sim_aka_result_ind; int tnc; struct wps_context *wps; + int fragment_size; /* Opaque context pointer to owner data for callback functions */ void *ctx;