From edd757e8a3d165cbfc4d1721f30a8aa276f9329b Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 9 Feb 2009 22:37:55 +0200
Subject: [PATCH] Use larger buffer for TLS encryption to avoid issues with GnuTLS

It looks like GnuTLS (at least newer versions) is using random padding on the application data and the previously used 100 byte extra buffer for tls_connection_encrypt() calls was not enough to handle all cases. This resulted in semi-random authentication failures with EAP-PEAP and EAP-TTLS during Phase 2. Increase the extra space for encryption from 100 to 300 bytes and add an error message into tls_gnutls.c to make it easier to notice this issue should it ever show up again even with the larger buffer.

---
 src/crypto/tls_gnutls.c | 8 ++++++++
 src/eap_peer/eap_tls_common.c | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c
index 150873c1c..db66ae15e 100644
--- a/src/crypto/tls_gnutls.c
+++ b/src/crypto/tls_gnutls.c
@@ -1060,6 +1060,14 @@ int tls_connection_encrypt(void *ssl_ctx, struct tls_connection *conn,
 return -1;
 if (conn->push_buf_len < out_len)
 out_len = conn->push_buf_len;
+ else if (conn->push_buf_len > out_len) {
+ wpa_printf(MSG_INFO, "GnuTLS: Not enough buffer space for "
+ "encrypted message (in_len=%lu push_buf_len=%lu "
+ "out_len=%lu",
+ (unsigned long) in_len,
+ (unsigned long) conn->push_buf_len,
+ (unsigned long) out_len);
+ }
 os_memcpy(out_data, conn->push_buf, out_len);
 os_free(conn->push_buf);
 conn->push_buf = NULL;
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 839ceb6ad..19afb90dc 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -904,7 +904,7 @@ int eap_peer_tls_encrypt(struct eap_sm *sm, struct eap_ssl_data *data,
 if (in_data) {
 eap_peer_tls_reset_output(data);
-len = wpabuf_len(in_data) + 100;
+len = wpabuf_len(in_data) + 300;
 data->tls_out = os_malloc(len);
 if (data->tls_out == NULL)
 return -1;
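Review bot: In the new else-if branch the oversized record is only logged; execution still falls through to `os_memcpy(out_data, conn->push_buf, out_len)` below, so a truncated ciphertext is copied out and the function carries on as if encryption had succeeded. The copy itself is bounded by out_len, so this is not a memory-safety problem, but the peer will reject the truncated record and the caller gets no indication of why. I would fail the call in that branch after the message, `os_free(conn->push_buf); conn->push_buf = NULL; return -1;` (and clear push_buf_len there as well if the function resets it further down, which is outside the hunk). Since that log line is the only signal of what is effectively an encryption failure, MSG_INFO also seems too quiet; MSG_ERROR would make it stand out in normal logs. tls_connection_encrypt's body continues outside the hunk on both sides, so the value returned after the copy is not visible here.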