EAP-TTLS/PEAP/FAST peer: Stop immediately on local TLS processing failure
authorJouni Malinen <j@w1.fi>
Tue, 28 Jul 2015 13:30:41 +0000 (16:30 +0300)
committerJouni Malinen <j@w1.fi>
Tue, 28 Jul 2015 18:00:18 +0000 (21:00 +0300)
EAP-TLS was already doing this, but the other TLS-based EAP methods did
not mark methodState DONE and decision FAIL on local TLS processing
errors (instead, they left the connection waiting for a longer timeout).

Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_peer/eap_fast.c
src/eap_peer/eap_peap.c
src/eap_peer/eap_ttls.c

index f636e74..4cbe3ba 100644 (file)
@@ -1572,6 +1572,13 @@ static struct wpabuf * eap_fast_process(struct eap_sm *sm, void *priv,
                                                  EAP_TYPE_FAST,
                                                  data->fast_version, id, &msg,
                                                  &resp);
+               if (res < 0) {
+                       wpa_printf(MSG_DEBUG,
+                                  "EAP-FAST: TLS processing failed");
+                       ret->methodState = METHOD_DONE;
+                       ret->decision = DECISION_FAIL;
+                       return resp;
+               }
 
                if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
                        char cipher[80];
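Review bot: The new `return resp;` on the `res < 0` path gives no indication of what `resp` holds at that point. Presumably eap_peer_tls_process_helper() leaves it NULL or sets it to a TLS alert for the server, but the helper is not visible in this hunk. Once that is confirmed, a short comment above the return, e.g. `/* resp is either NULL or the TLS alert to send with the failure */`, would make the contract explicit. The identical block added to eap_peap_process has the same gap. eap_fast_process starts and ends outside the hunk.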
index 4f68fce..98a48a6 100644 (file)
@@ -1011,6 +1011,13 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
                                                  data->peap_version, id, &msg,
                                                  &resp);
 
+               if (res < 0) {
+                       wpa_printf(MSG_DEBUG,
+                                  "EAP-PEAP: TLS processing failed");
+                       ret->methodState = METHOD_DONE;
+                       ret->decision = DECISION_FAIL;
+                       return resp;
+               }
                if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
                        char *label;
                        wpa_printf(MSG_DEBUG,
index 189a6f1..3f59a5f 100644 (file)
@@ -1394,6 +1394,12 @@ static int eap_ttls_process_handshake(struct eap_sm *sm,
        res = eap_peer_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS,
                                          data->ttls_version, identifier,
                                          in_data, out_data);
+       if (res < 0) {
+               wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS processing failed");
+               ret->methodState = METHOD_DONE;
+               ret->decision = DECISION_FAIL;
+               return -1;
+       }
 
        if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
                wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS done, proceed to "
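Review bot: The failure path here ends in `return -1;` and leaves `*out_data` untouched, whereas the equivalent checks added to eap_fast_process and eap_peap_process return the response buffer directly. If eap_peer_tls_process_helper() has already stored something in `out_data` (a TLS alert, for instance), the caller has to send or free it on -1, or the alert is dropped or the buffer leaked. The caller is outside this hunk, so that needs confirming. If it holds, a comment such as `/* caller still owns and returns *out_data on -1 */` above the return would record the ownership rule. eap_ttls_process_handshake continues beyond the hunk.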