git.ipfire.org Git - thirdparty/hostap.git/commit

author	Alexander Clouter <alex@digriz.org.uk>
	Fri, 16 Oct 2020 08:49:36 +0000 (09:49 +0100)
committer	Jouni Malinen <j@w1.fi>
	Sat, 20 Feb 2021 15:02:35 +0000 (17:02 +0200)
commit	872609c15110d32ee2d306aeeeffdd4e42ef6fc6
tree	9f781144371b147e3939115e216aec1126827e39	tree
parent	9acf8da223657e3948351cc1bbab355b3d2469ae	commit \| diff

EAP-TTLS/PEAP peer: Fix failure when using session tickets under TLS 1.3

EAP peer does not expect data present when beginning the Phase 2 in
EAP-{TTLS,PEAP} but in TLS 1.3 session tickets are sent after the
handshake completes.

There are several strategies that can be used to handle this, but this
patch picks up from the discussion[1] and implements the proposed use of
SSL_MODE_AUTO_RETRY. SSL_MODE_AUTO_RETRY has already been enabled by
default in OpenSSL 1.1.1, but it needs to be enabled for older versions.

The main OpenSSL wrapper change in tls_connection_decrypt() takes care
of the new possible case with SSL_MODE_AUTO_RETRY for
SSL_ERROR_WANT_READ to indicate that a non-application_data was
processed. That is not really an error case with TLS 1.3, so allow it to
complete and return an empty decrypted application data buffer.
EAP-PEAP/TTLS processing can then use this to move ahead with starting
Phase 2.

[1] https://www.spinics.net/lists/hostap/msg05376.html

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>

src/crypto/tls_openssl.c		diff \| blob \| blame \| history
src/eap_peer/eap_peap.c		diff \| blob \| blame \| history
src/eap_peer/eap_ttls.c		diff \| blob \| blame \| history