Fixed EAP-TLS message fragmentation for the last TLS message

If the message was large enough to require fragmentation (e.g., if large
Session Ticket data was included), the More Fragments flag was set, but no
more fragments were actually sent (i.e., Access-Accept was sent out).
Jouni Malinen 2008-11-20 19:39:35 +02:00 committed by Jouni Malinen
parent f32fe71a1f
commit 012783f1ab
2 changed files with 21 additions and 8 deletions


@ -14,6 +14,9 @@ ChangeLog for hostapd
information from CRDA is now used with mac80211); this allows 5 GHz information from CRDA is now used with mac80211); this allows 5 GHz
channels to be used with hostapd (if allowed in the current channels to be used with hostapd (if allowed in the current
regulatory domain) regulatory domain)
* fixed EAP-TLS message processing for the last TLS message if it is
large enough to require fragmentation (e.g., if a large Session
Ticket data is included)
2008-11-01 - v0.6.5 2008-11-01 - v0.6.5
* added support for SHA-256 as X.509 certificate digest when using the * added support for SHA-256 as X.509 certificate digest when using the


@ -26,6 +26,7 @@ static void eap_tls_reset(struct eap_sm *sm, void *priv);
struct eap_tls_data { struct eap_tls_data {
struct eap_ssl_data ssl; struct eap_ssl_data ssl;
enum { START, CONTINUE, SUCCESS, FAILURE } state; enum { START, CONTINUE, SUCCESS, FAILURE } state;
int established;
}; };
@ -109,25 +110,24 @@ static struct wpabuf * eap_tls_build_start(struct eap_sm *sm,
static struct wpabuf * eap_tls_buildReq(struct eap_sm *sm, void *priv, u8 id) static struct wpabuf * eap_tls_buildReq(struct eap_sm *sm, void *priv, u8 id)
{ {
struct eap_tls_data *data = priv; struct eap_tls_data *data = priv;
struct wpabuf *res;
if (data->ssl.state == FRAG_ACK) { if (data->ssl.state == FRAG_ACK) {
return eap_server_tls_build_ack(id, EAP_TYPE_TLS, 0); return eap_server_tls_build_ack(id, EAP_TYPE_TLS, 0);
} }
if (data->ssl.state == WAIT_FRAG_ACK) { if (data->ssl.state == WAIT_FRAG_ACK) {
return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TLS, 0, res = eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TLS, 0,
id); id);
goto check_established;
} }
switch (data->state) { switch (data->state) {
case START: case START:
return eap_tls_build_start(sm, data, id); return eap_tls_build_start(sm, data, id);
case CONTINUE: case CONTINUE:
if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { if (tls_connection_established(sm->ssl_ctx, data->ssl.conn))
wpa_printf(MSG_DEBUG, "EAP-TLS: Done"); data->established = 1;
eap_tls_state(data, SUCCESS);
}
break; break;
default: default:
wpa_printf(MSG_DEBUG, "EAP-TLS: %s - unexpected state %d", wpa_printf(MSG_DEBUG, "EAP-TLS: %s - unexpected state %d",
@ -135,7 +135,17 @@ static struct wpabuf * eap_tls_buildReq(struct eap_sm *sm, void *priv, u8 id)
return NULL; return NULL;
} }
return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TLS, 0, id); res = eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TLS, 0, id);
check_established:
if (data->established && data->ssl.state != WAIT_FRAG_ACK) {
/* TLS handshake has been completed and there are no more
* fragments waiting to be sent out. */
wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
eap_tls_state(data, SUCCESS);
}
return res;
} }
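Review bot: The new `established` field (struct hunk, line with `int established;`) is a latch that is set in the CONTINUE case and never cleared anywhere in these hunks, yet it is what gates the SUCCESS transition under `check_established:`; if the struct is not zero-initialised in eap_tls_init or re-created by eap_tls_reset (neither is visible here), a stale flag would move a restarted handshake to SUCCESS before its TLS exchange has completed, so please confirm that and document the contract on the field, e.g. `int established; /* TLS handshake done; SUCCESS is entered only once no fragments are pending (ssl.state != WAIT_FRAG_ACK) */`. At the same label the state is advanced to SUCCESS without looking at `res`, so a NULL return from eap_server_tls_build_msg would leave the server in SUCCESS with the last message never sent — whether that is reachable depends on the build_msg failure semantics, which are outside the hunk, but `if (res && data->established && data->ssl.state != WAIT_FRAG_ACK)` would make the transition conditional on the message actually having been built. The check also relies on eap_server_tls_build_msg having already updated `ssl.state` to WAIT_FRAG_ACK when fragments remain; a one-line comment above the `res =` assignment stating that dependency would help the next reader. eap_tls_buildReq's `default:` branch continues between the two hunks and is not fully visible.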