diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
index 9b5092b4f..6e4a869c0 100644
--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -14,6 +14,9 @@ ChangeLog for hostapd
 	  information from CRDA is now used with mac80211); this allows 5 GHz channels to be used with hostapd (if allowed in the current regulatory domain)
+	* fixed EAP-TLS message processing for the last TLS message if it is
+	  large enough to require fragmentation (e.g., if a large Session
+	  Ticket data is included)
 
 2008-11-01 - v0.6.5
 	* added support for SHA-256 as X.509 certificate digest when using the
diff --git a/src/eap_server/eap_tls.c b/src/eap_server/eap_tls.c
index 1b168c582..5747940f7 100644
--- a/src/eap_server/eap_tls.c
+++ b/src/eap_server/eap_tls.c
@@ -26,6 +26,7 @@ static void eap_tls_reset(struct eap_sm *sm, void *priv);
 struct eap_tls_data {
 	struct eap_ssl_data ssl;
 	enum { START, CONTINUE, SUCCESS, FAILURE } state;
+	int established;
 };
 
 
@@ -109,25 +110,24 @@ static struct wpabuf * eap_tls_build_start(struct eap_sm *sm,
 static struct wpabuf * eap_tls_buildReq(struct eap_sm *sm, void *priv, u8 id)
 {
 	struct eap_tls_data *data = priv;
-
+	struct wpabuf *res;
 
 	if (data->ssl.state == FRAG_ACK) {
 		return eap_server_tls_build_ack(id, EAP_TYPE_TLS, 0);
 	}
 
 	if (data->ssl.state == WAIT_FRAG_ACK) {
-		return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TLS, 0,
-						id);
+		res = eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TLS, 0,
+					       id);
+		goto check_established;
 	}
 
 	switch (data->state) {
 	case START:
 		return eap_tls_build_start(sm, data, id);
 	case CONTINUE:
-		if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
-			wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
-			eap_tls_state(data, SUCCESS);
-		}
+		if (tls_connection_established(sm->ssl_ctx, data->ssl.conn))
+			data->established = 1;
 		break;
 	default:
 		wpa_printf(MSG_DEBUG, "EAP-TLS: %s - unexpected state %d",
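Review bot: The new `int established;` field in struct eap_tls_data carries no comment, and nothing in the hunk explains how it relates to the `state` enum next to it, even though the two now split one transition (handshake done vs. SUCCESS reported) across two variables; suggest `int established; /* TLS handshake completed; SUCCESS is deferred until the last fragment has been sent */`. Whether the field starts out zero depends on how the private data is allocated in the method's init path, which is outside this diff (eap_tls_reset is only visible as a declaration in the hunk header); presumably it is zero-allocated, but it is worth confirming, since a stale non-zero value would let eap_tls_buildReq report success before the handshake completed. The flag is only ever set to 1 in the following hunk and never cleared within this diff, so a note on the field that it is a one-shot latch for the life of the session would save the next reader the search.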
@@ -135,7 +135,17 @@ static struct wpabuf * eap_tls_buildReq(struct eap_sm *sm, void *priv, u8 id)
 		return NULL;
 	}
 
-	return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TLS, 0, id);
+	res = eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TLS, 0, id);
+
+check_established:
+	if (data->established && data->ssl.state != WAIT_FRAG_ACK) {
+		/* TLS handshake has been completed and there are no more
+		 * fragments waiting to be sent out. */
+		wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
+		eap_tls_state(data, SUCCESS);
+	}
+
+	return res;
 }
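Review bot: `res` is never checked between the eap_server_tls_build_msg() call and the `check_established` block, so if that call fails and returns NULL while `ssl.state` is not WAIT_FRAG_ACK, the method is still moved to SUCCESS even though buildReq hands back no request; whether a NULL return is possible there is not visible in this hunk, but if it is, the method state and the returned value disagree. A one-line guard placed immediately after the `check_established:` label, `if (res == NULL) return NULL;`, covers both the fall-through path and the goto from the WAIT_FRAG_ACK branch in the preceding hunk, and keeps the SUCCESS transition tied to a request actually being built. The added `/* TLS handshake has been completed ... */` comment could also say why the WAIT_FRAG_ACK test is there: without it the server reported success before the peer had received the final fragment of a large last message, which is the defect this commit fixes. eap_tls_buildReq begins outside this hunk.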