Reject TLS-based EAP server method if TLS context not initialized

It was possible to configure hostapd in a way that could try to
initialize a TLS-based EAP method even when TLS library context was not
initialized (e.g., due to not configuring server or CA certificate).
Such a case could potentially result in NULL pointer dereference in the
TLS library, so check for this condition and reject EAP method
initialization.

Signed-hostap: Jouni Malinen <j@w1.fi>

diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index 9efb5b2..526e1bc 100644 (file)
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -33,6 +33,11 @@ struct wpabuf * eap_tls_msg_alloc(EapType type, size_t payload_len,
 int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
                            int verify_peer)
 {
+       if (sm->ssl_ctx == NULL) {
+               wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method");
+               return -1;
+       }
+
        data->eap = sm;
        data->phase2 = sm->init_phase2;