From 4d4233eaf4217106e7fc09d6bc95183d6ac7e7c2 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 24 Aug 2008 13:08:15 +0300
Subject: [PATCH] Fixed internal TLSv1 server implementation for abbreviated handshake

When the TLS handshake had been completed earlier by the server in case of abbreviated handshake, the output buffer length was left uninitialized. It must be initialized to zero in this case. This code is used by EAP-FAST server and the uninitialized length could have caused it to try to send a very large frame (though, this would be terminated by the 50 roundtrip EAP limit). This broke EAP-FAST server code in some cases when PAC was used to establish the tunnel.
---
 hostapd/ChangeLog | 2 ++
 src/crypto/tls_internal.c | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
index f3c01559f..2db46b845 100644
--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -5,6 +5,8 @@ ChangeLog for hostapd
 internal X.509/TLSv1 implementation
 * fixed EAP-FAST PAC-Opaque padding (0.6.4 broke this for some peer identity lengths)
+ * fixed internal TLSv1 implementation for abbreviated handshake (used
+ by EAP-FAST server)

 2008-08-10 - v0.6.4
 * added peer identity into EAP-FAST PAC-Opaque and skip Phase 2
diff --git a/src/crypto/tls_internal.c b/src/crypto/tls_internal.c
index dfd0db060..42120c8a8 100644
--- a/src/crypto/tls_internal.c
+++ b/src/crypto/tls_internal.c
@@ -366,8 +366,10 @@ u8 * tls_connection_server_handshake(void *tls_ctx,
 wpa_printf(MSG_DEBUG, "TLS: %s(in_data=%p in_len=%lu)",
 __func__, in_data, (unsigned long) in_len);
 out = tlsv1_server_handshake(conn->server, in_data, in_len, out_len);
- if (out == NULL && tlsv1_server_established(conn->server))
+ if (out == NULL && tlsv1_server_established(conn->server)) {
 out = os_malloc(1);
+ *out_len = 0;
+ }
 return out;
 #else /* CONFIG_TLS_INTERNAL_SERVER */
 return NULL;
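Review bot: The `out = os_malloc(1);` in the established branch is an undocumented sentinel — a non-NULL pointer paired with `*out_len = 0` meaning "handshake already complete, nothing to send" — and needs a comment so it is not later "simplified" back to returning NULL, e.g. `/* Abbreviated handshake already completed: return a non-NULL, zero-length buffer so the caller does not treat this as a failure. */`. It would also be more defensive to set `*out_len = 0;` before the `tlsv1_server_handshake()` call rather than only in this branch, so every path that returns NULL leaves the length defined instead of relying on callers never reading it on error. If `os_malloc(1)` itself fails, out stays NULL with a zero length and the caller sees an error, which looks acceptable; whether every caller frees this one-byte buffer cannot be confirmed from the hunk. tls_connection_server_handshake begins before this hunk.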