From ef626b4d5053ea56817a39170c41686c014d6e37 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Mon, 26 May 2008 12:33:04 +0300 Subject: [PATCH] Added a workaround for handling TLS compression Even though we try to disable TLS compression, it is possible that this cannot be done with all TLS libraries. For example, OpenSSL 0.9.8 does not seem to have a configuration item for disabling all compression (0.9.9 has such an option). If compression is used, Phase 2 decryption may end up producing more data than the input buffer due to compressed data. This shows up especially with EAP-TNC that uses very compressible data format. As a workaround, increase the decryption buffer length to (orig_len+500)*3. This is a hack, but at least it handles most cases. TLS compression should really be disabled for EAP use of TLS, but since this can show up with common setups, it is better to handle this case.
--- src/eap_peer/eap_tls_common.c | 8 ++++++++ src/eap_server/eap_fast.c | 8 ++++++++ src/eap_server/eap_peap.c | 8 ++++++++ src/eap_server/eap_ttls.c | 8 ++++++++ 4 files changed, 32 insertions(+)
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 7b8c84d39..d2a494bbf 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -827,6 +827,14 @@ int eap_peer_tls_decrypt(struct eap_sm *sm, struct eap_ssl_data *data,
 buf_len = wpabuf_len(in_data);
 if (data->tls_in_total > buf_len)
 buf_len = data->tls_in_total;
+ /*
+ * Even though we try to disable TLS compression, it is possible that
+ * this cannot be done with all TLS libraries. Add extra buffer space
+ * to handle the possibility of the decrypted data being longer than
+ * input data.
+ */
+ buf_len += 500;
+ buf_len *= 3;
 *in_decrypted = wpabuf_alloc(buf_len ? buf_len : 1);
 if (*in_decrypted == NULL) {
 eap_peer_tls_reset_input(data);
diff --git a/src/eap_server/eap_fast.c b/src/eap_server/eap_fast.c
index fb4306bac..c50ffd2c0 100644
--- a/src/eap_server/eap_fast.c
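Review bot: The `buf_len += 500; buf_len *= 3;` heuristic only enlarges the allocation; it does not bound the decompressed plaintext, so the decrypt call that follows the hunk must still reject, rather than truncate or overrun, output larger than buf_len — worth confirming at that call site, since eap_peer_tls_decrypt continues outside the hunk. With the minimum now 1500 bytes, the `buf_len ? buf_len : 1` guard on the next context line can never take its else branch and could be reduced to `wpabuf_alloc(buf_len)`. The in-code comment should also state that the figures are a guess with no upper bound from the TLS layer, e.g. `/* Heuristic only: the TLS library imposes no limit on the compression ratio. */`, so a later reader does not take them as a guarantee. The same heuristic, with the same caveats, is added in the eap_fast.c, eap_peap.c and eap_ttls.c hunks.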
+++ b/src/eap_server/eap_fast.c
@@ -1334,6 +1334,14 @@ static void eap_fast_process_phase2(struct eap_sm *sm,
 buf_len = in_len;
 if (data->ssl.tls_in_total > buf_len)
 buf_len = data->ssl.tls_in_total;
+ /*
+ * Even though we try to disable TLS compression, it is possible that
+ * this cannot be done with all TLS libraries. Add extra buffer space
+ * to handle the possibility of the decrypted data being longer than
+ * input data.
+ */
+ buf_len += 500;
+ buf_len *= 3;
 in_decrypted = os_malloc(buf_len);
 if (in_decrypted == NULL) {
 os_free(data->ssl.tls_in);
diff --git a/src/eap_server/eap_peap.c b/src/eap_server/eap_peap.c
index 20e1953c5..77c254ade 100644
--- a/src/eap_server/eap_peap.c
+++ b/src/eap_server/eap_peap.c
@@ -1161,6 +1161,14 @@ static void eap_peap_process_phase2(struct eap_sm *sm,
 buf_len = in_len;
 if (data->ssl.tls_in_total > buf_len)
 buf_len = data->ssl.tls_in_total;
+ /*
+ * Even though we try to disable TLS compression, it is possible that
+ * this cannot be done with all TLS libraries. Add extra buffer space
+ * to handle the possibility of the decrypted data being longer than
+ * input data.
+ */
+ buf_len += 500;
+ buf_len *= 3;
 in_decrypted = wpabuf_alloc(buf_len);
 if (in_decrypted == NULL) {
 os_free(data->ssl.tls_in);
diff --git a/src/eap_server/eap_ttls.c b/src/eap_server/eap_ttls.c
index 545958dfa..4c71b5fa2 100644
--- a/src/eap_server/eap_ttls.c
+++ b/src/eap_server/eap_ttls.c
@@ -1177,6 +1177,14 @@ static void eap_ttls_process_phase2(struct eap_sm *sm,
 buf_len = in_len;
 if (data->ssl.tls_in_total > buf_len)
 buf_len = data->ssl.tls_in_total;
+ /*
+ * Even though we try to disable TLS compression, it is possible that
+ * this cannot be done with all TLS libraries. Add extra buffer space
+ * to handle the possibility of the decrypted data being longer than
+ * input data.
+ */
+ buf_len += 500;
+ buf_len *= 3;
 in_decrypted = os_malloc(buf_len);
 if (in_decrypted == NULL) {
 os_free(data->ssl.tls_in);