Use larger buffer for TLS encryption to avoid issues with GnuTLS

It looks like GnuTLS (at least newer versions) is using random padding
on the application data and the previously used 100 byte extra buffer
for tls_connection_encrypt() calls was not enough to handle all cases.
This resulted in semi-random authentication failures with EAP-PEAP and
EAP-TTLS during Phase 2.

Increase the extra space for encryption from 100 to 300 bytes and add an
error message into tls_gnutls.c to make it easier to notice this issue
should it ever show up again even with the larger buffer.
This commit is contained in:
Jouni Malinen 2009-02-09 22:37:55 +02:00
parent 363a9e2434
commit edd757e8a3
2 changed files with 9 additions and 1 deletions

View file

@ -1060,6 +1060,14 @@ int tls_connection_encrypt(void *ssl_ctx, struct tls_connection *conn,
return -1; return -1;
if (conn->push_buf_len < out_len) if (conn->push_buf_len < out_len)
out_len = conn->push_buf_len; out_len = conn->push_buf_len;
else if (conn->push_buf_len > out_len) {
wpa_printf(MSG_INFO, "GnuTLS: Not enough buffer space for "
"encrypted message (in_len=%lu push_buf_len=%lu "
"out_len=%lu",
(unsigned long) in_len,
(unsigned long) conn->push_buf_len,
(unsigned long) out_len);
}
os_memcpy(out_data, conn->push_buf, out_len); os_memcpy(out_data, conn->push_buf, out_len);
os_free(conn->push_buf); os_free(conn->push_buf);
conn->push_buf = NULL; conn->push_buf = NULL;

View file

@ -904,7 +904,7 @@ int eap_peer_tls_encrypt(struct eap_sm *sm, struct eap_ssl_data *data,
if (in_data) { if (in_data) {
eap_peer_tls_reset_output(data); eap_peer_tls_reset_output(data);
len = wpabuf_len(in_data) + 100; len = wpabuf_len(in_data) + 300;
data->tls_out = os_malloc(len); data->tls_out = os_malloc(len);
if (data->tls_out == NULL) if (data->tls_out == NULL)
return -1; return -1;