It looks like GnuTLS (at least newer versions) is using random padding
on the application data and the previously used 100 byte extra buffer
for tls_connection_encrypt() calls was not enough to handle all cases.
This resulted in semi-random authentication failures with EAP-PEAP and
EAP-TTLS during Phase 2.
Increase the extra space for encryption from 100 to 300 bytes and add an
error message into tls_gnutls.c to make it easier to notice this issue
should it ever show up again even with the larger buffer.
return -1;
if (conn->push_buf_len < out_len)
out_len = conn->push_buf_len;
+ else if (conn->push_buf_len > out_len) {
+ wpa_printf(MSG_INFO, "GnuTLS: Not enough buffer space for "
+ "encrypted message (in_len=%lu push_buf_len=%lu "
+ "out_len=%lu",
+ (unsigned long) in_len,
+ (unsigned long) conn->push_buf_len,
+ (unsigned long) out_len);
+ }
os_memcpy(out_data, conn->push_buf, out_len);
os_free(conn->push_buf);
conn->push_buf = NULL;
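Review bot: the new `else if (conn->push_buf_len > out_len)` branch only logs and then falls through to `os_memcpy(out_data, conn->push_buf, out_len)`, so when the encrypted record does not fit the caller still receives a silently truncated ciphertext and the failure surfaces later as the opaque Phase 2 authentication failure the commit message describes. After the `wpa_printf()` the function should free `conn->push_buf`, set it to NULL and return -1 so the caller sees the error at the point it occurs. Two smaller points on the same lines: the format string `"encrypted message (in_len=%lu push_buf_len=%lu out_len=%lu"` opens a parenthesis that is never closed, and since this condition indicates data loss rather than an informational event, MSG_ERROR would be the more appropriate level than MSG_INFO.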
if (in_data) {
eap_peer_tls_reset_output(data);
- len = wpabuf_len(in_data) + 100;
+ len = wpabuf_len(in_data) + 300;
data->tls_out = os_malloc(len);
if (data->tls_out == NULL)
return -1;
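Review bot: `len = wpabuf_len(in_data) + 300;` replaces one magic number with another, and the commit message itself only says the old value "was not enough to handle all cases" rather than that 300 is known to be sufficient. Please factor the constant out (for example a `#define` with a comment noting that GnuTLS adds random padding to application data) so the reason for the size survives in the source, and consider sizing the buffer from the protocol bound instead of an empirical margin: TLS 1.2 (RFC 5246) permits a record to be up to 2048 bytes longer than its plaintext, so a margin derived from that limit, or a `tls_connection_encrypt()` that reports the required output size, would remove the guesswork entirely and make the error path added in tls_gnutls.c a true never-expected case.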