Bug 755145 - Failing EAP-TLS when MTU is lower than 1314
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: general
Version: git master
Hardware/OS: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: NetworkManager maintainer(s)
QA Contact: NetworkManager maintainer(s)
Depends on:
Blocks:
Reported: 2015-09-17 07:00 UTC by Jiri Klimes
Modified: 2015-09-23 11:05 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Jiri Klimes 2015-09-17 07:00:43 UTC
Some tests revealed that EAP-TLS (EAP-PEAP) fails if the MTU of the Wi-Fi interface is lower than 1300 when using NetworkManager.

EAP-TLS/EAP-PEAP allow fragmentation, but wpa_supplicant does not take the MTU into account; rather, it relies on its 'fragment_size' option as the maximum EAP fragment size. NetworkManager sets this parameter to 1300 in the hope that it is sufficiently low to work in most cases. But if the MTU is lower, the EAP connection fails in wpa_supplicant with the "l2_packet_send - sendto: Message too long" error.

Links:
'fragment_size' parameter description:
https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf

Discussion about the issue on hostap list:
http://lists.shmoo.com/pipermail/hostap/2015-August/033546.html
Comment 1 Jiri Klimes 2015-09-17 08:29:28 UTC
Let's pass fragment_size according to the MTU, but also not go higher than 1280-14 (lowest IPv6 MTU less header overhead).

See branch jk/eap-fragment-size-bgo755145
Comment 2 Beniamino Galvani 2015-09-17 14:02:50 UTC
'make distcheck' fails for me; I suppose this happens because certificates can't be found during the rebuild:

+	nm_setting_802_1x_set_client_cert (s_8021x, "certs/test-cert.p12", NM_SETTING_802_1X_CK_SCHEME_PATH, NULL, NULL);
+	nm_setting_802_1x_set_ca_cert (s_8021x, "certs/test-ca-cert.pem", NM_SETTING_802_1X_CK_SCHEME_PATH, NULL, NULL);
+	nm_setting_802_1x_set_private_key (s_8021x, "certs/test-cert.p12", NULL, NM_SETTING_802_1X_CK_SCHEME_PATH, NULL, NULL);
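Review bot: the three certificate paths in this hunk ("certs/test-cert.p12", "certs/test-ca-cert.pem") are relative, so the test only finds them when it runs from the source directory; a `make distcheck` build runs from a separate directory and the lookup fails, which is the failure reported above. Build the paths from the test's source directory (for example via the `srcdir` variable automake exports to tests) instead of hardcoding a relative path.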

The rest LGTM.
Comment 3 Thomas Haller 2015-09-18 10:25:54 UTC
If the platform fails to look up the MTU, it returns 0.

Thus, in the worst case, @frag can become zero.

    hdrs = 14; /* EAPOL + EAP-TLS */
    frag = CLAMP (mtu - hdrs, 0u, 1280u - hdrs);

I think it should be:

    frag = 1280 - hdrs;
    if (mtu > hdrs)
        frag = CLAMP (mtu - hdrs, 100, frag);

    frag_str = g_strdup_printf ("%u", (guint) frag);

Rest LGTM (didn't test make distcheck)
Comment 4 Thomas Haller 2015-09-18 10:27:28 UTC
(In reply to Thomas Haller from comment #3)
> If the platform fails to look up the MTU, it returns 0.
> 
> Thus, in the worst case, @frag can become zero.
>     hdrs = 14; /* EAPOL + EAP-TLS */
>     frag = CLAMP (mtu - hdrs, 0u, 1280u - hdrs);

okok, if mtu is zero, there is an integer underflow... so the result is identical... let's write that more explicitly?
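As an added worked example (not NetworkManager's or wpa_supplicant's own code), the three ways of deriving fragment_size that this thread discusses, side by side: the fixed 1300 the bug reports, the CLAMP-only variant quoted in comment 3 (including the unsigned wraparound for mtu == 0 that comment 4 points out), and Thomas's explicit version with the 100 floor. The 14-byte overhead, the 1280 bound and the 100 floor are taken from the comments; the rule that a fragment fits when fragment_size + 14 <= MTU is how the title's 1314 threshold is read here and is an assumption, and the sample MTUs are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constants taken from the discussion above: 14 bytes of EAPOL + EAP-TLS
 * overhead per fragment, 1280 as the lowest IPv6 MTU, 100 as the floor
 * proposed in comment 3.
 */
#define EAP_HDRS      14u
#define EAP_MIN_MTU   1280u
#define EAP_FRAG_MIN  100u

/* Same semantics as GLib's CLAMP(), redefined so this file builds without GLib. */
#define CLAMP(x, lo, hi) (((x) < (lo)) ? (lo) : (((x) > (hi)) ? (hi) : (x)))

/* Pre-fix behaviour described in the report: a fixed fragment_size of 1300. */
#define OLD_FIXED_FRAGMENT_SIZE 1300u

/* The CLAMP-only variant quoted in comment 3. With mtu == 0 (platform lookup
 * failed) the unsigned subtraction wraps around to a huge value and CLAMP
 * pulls it back down to the upper bound, as comment 4 observes. There is no
 * lower floor: a small but non-zero MTU yields a tiny fragment size. */
unsigned int frag_size_clamp_only(unsigned int mtu)
{
    unsigned int hdrs = EAP_HDRS;
    return CLAMP(mtu - hdrs, 0u, EAP_MIN_MTU - hdrs);
}

/* The explicit version from comment 3: start from the IPv6 bound and only
 * lower it when the MTU is known and larger than the header overhead. */
unsigned int frag_size_explicit(unsigned int mtu)
{
    unsigned int hdrs = EAP_HDRS;
    unsigned int frag = EAP_MIN_MTU - hdrs;
    if (mtu > hdrs)
        frag = CLAMP(mtu - hdrs, EAP_FRAG_MIN, frag);
    return frag;
}

/* Assumption used here: a fragment of `frag` bytes goes on the wire with
 * EAP_HDRS bytes of overhead; if that exceeds the MTU, sendto() rejects the
 * frame with "Message too long", the error quoted in the report. */
bool fragment_fits_mtu(unsigned int frag, unsigned int mtu)
{
    return frag + EAP_HDRS <= mtu;
}

int main(void)
{
    /* Constructed sample MTUs: Ethernet default, the boundary from the bug
     * title on both sides, lowest IPv6 MTU, a small tunnel MTU, and 0 for a
     * failed platform lookup. */
    const unsigned int mtus[] = { 1500, 1314, 1313, 1280, 1200, 0 };
    size_t i;

    printf("%6s %10s %5s %10s %5s %10s %5s\n", "mtu", "old fixed", "fits",
           "clamp", "fits", "explicit", "fits");
    for (i = 0; i < sizeof(mtus) / sizeof(mtus[0]); i++) {
        unsigned int mtu = mtus[i];
        unsigned int c = frag_size_clamp_only(mtu);
        unsigned int e = frag_size_explicit(mtu);
        printf("%6u %10u %5s %10u %5s %10u %5s\n", mtu,
               OLD_FIXED_FRAGMENT_SIZE,
               fragment_fits_mtu(OLD_FIXED_FRAGMENT_SIZE, mtu) ? "yes" : "no",
               c, fragment_fits_mtu(c, mtu) ? "yes" : "no",
               e, fragment_fits_mtu(e, mtu) ? "yes" : "no");
    }
    return 0;
}
```

Compile with `cc -Wall -o frag frag.c` and run it. The fixed 1300 fits an MTU of 1314 but not 1313, matching the title, while both MTU-derived variants fit every realistic MTU. The two variants only disagree below the 100 floor: for an MTU of 50 the CLAMP-only version yields 36 and the explicit version yields 100, and neither frame fits such an MTU anyway, so the floor matters only for implausibly small MTUs; what the explicit version buys is that the mtu == 0 fallback no longer depends on unsigned wraparound.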
Comment 5 Jiri Klimes 2015-09-23 11:05:14 UTC
(In reply to Beniamino Galvani from comment #2)
> 'make distcheck' fails for me; I suppose this happens because certificates
> can't be found during the rebuild:
>
Fixed.

(In reply to Thomas Haller from comment #4)
> (In reply to Thomas Haller from comment #3)
> > If the platform fails to look up the MTU, it returns 0.
> > 
> > Thus, in the worst case, @frag can become zero.
> >     hdrs = 14; /* EAPOL + EAP-TLS */
> >     frag = CLAMP (mtu - hdrs, 0u, 1280u - hdrs);
> 
> okok, if mtu is zero, there is an integer underflow... so the result is
> identical... let's write that more explicitly?
Done.

master: 94bbe74 supplicant: adjust fragment_size according to MTU (bgo #755145)
nm-1-0: e6160d3 supplicant: adjust fragment_size according to MTU (bgo #755145)