EAP-TLS/TTLS/PEAP/FAST peer: Stop connection more quickly on local failure
authorJouni Malinen <j@w1.fi>
Tue, 28 Jul 2015 13:32:27 +0000 (16:32 +0300)
committerJouni Malinen <j@w1.fi>
Tue, 28 Jul 2015 18:00:18 +0000 (21:00 +0300)
If there is only a zero-length buffer of output data in the error case, mark
that as an immediate failure instead of trying to send that
non-existent error report to the server. This allows faster connection
termination in cases where a non-recoverable error occurs in local TLS
processing, e.g., if none of the configured ciphers are available.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_peer/eap_tls_common.c

index 2a108da67e6481a78f502edc38440bb3568f9dce..8e147196c75d5a6d5966d75f8ceca00c3e9dae8d 100644 (file)
@@ -682,12 +682,18 @@ int eap_peer_tls_process_helper(struct eap_sm *sm, struct eap_ssl_data *data,
        if (tls_connection_get_failed(data->ssl_ctx, data->conn)) {
                /* TLS processing has failed - return error */
                wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to "
-                          "report error");
+                          "report error (len=%u)",
+                          (unsigned int) wpabuf_len(data->tls_out));
                ret = -1;
                /* TODO: clean pin if engine used? */
+               if (wpabuf_len(data->tls_out) == 0) {
+                       wpabuf_free(data->tls_out);
+                       data->tls_out = NULL;
+                       return -1;
+               }
        }
 
-       if (data->tls_out == NULL || wpabuf_len(data->tls_out) == 0) {
+       if (wpabuf_len(data->tls_out) == 0) {
                /*
                 * TLS negotiation should now be complete since all other cases
                 * needing more data should have been caught above based on
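Review bot: The second `if` now calls `wpabuf_len(data->tls_out)` without the `data->tls_out == NULL` test the removed line had, and the new debug print and the zero-length check inside the failure branch dereference `data->tls_out` the same way, so if `tls_out` can still be NULL when this point is reached the change turns a handled case into a NULL dereference. This looks like it relies on an earlier guarantee that the hunk does not show (eap_peer_tls_process_helper starts before the hunk and continues after it); either that invariant should be stated where the check was dropped, e.g. `/* data->tls_out is non-NULL here: the NULL case is handled before this point -- confirm */`, or the NULL test should be kept alongside the length check. As a smaller point, `ret = -1` assigned just before the new early return is never read on that path; moving the zero-length return ahead of the assignment would make the two exits of the failure branch easier to follow.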