libtls: Don't send TLS close notifies in EAP after application succeeds

With the introduction of PT-TLS, we started sending TLS close notifies after
the application layer completes (7bbf7aa9). While this makes sense for TCP based
transports, it is not required in EAP methods. In EAP, handshake completion
can be directly signaled using the outer EAP-SUCCESS message. This also saves
one round-trip in the EAP exchange.

Windows 7/8 does not seem to like TLS close notifies at all in EAP, and either
stalls (EAP-TTLS) or disconnects (PEAP).

Fixes #556.

diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index 6a8d5030c9376a42a57492eba7a5a259ceeaf3a7..201612470fe38dac7dfe2f135aff13f63f91ea64 100644 (file)
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -487,7 +487,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
                                                                                this->alert, peer, server)->handshake;
        }
        this->fragmentation = tls_fragmentation_create(this->handshake, this->alert,
-                                                                                                  this->application);
+                                                                                                  this->application, purpose);
        this->compression = tls_compression_create(this->fragmentation, this->alert);
        this->protection = tls_protection_create(this->compression, this->alert);
        this->crypto->set_protection(this->crypto, this->protection);

diff --git a/src/libtls/tls_fragmentation.c b/src/libtls/tls_fragmentation.c
index 6e4347e3cfefe95353d961c8cc9b75255877af62..a97ca1eaaa47347e55465cdf151d0904e9697390 100644 (file)
--- a/src/libtls/tls_fragmentation.c
+++ b/src/libtls/tls_fragmentation.c
@@ -96,8 +96,31 @@ struct private_tls_fragmentation_t {
         * Upper layer application data protocol
         */
        tls_application_t *application;
+
+       /**
+        * Type of context this TLS instance runs in
+        */
+       tls_purpose_t purpose;
 };
 
+/**
+ * Check if we should send a close notify once the application finishes
+ */
+static bool send_close_notify(private_tls_fragmentation_t *this)
+{
+       switch (this->purpose)
+       {
+               case TLS_PURPOSE_EAP_TLS:
+               case TLS_PURPOSE_EAP_TTLS:
+               case TLS_PURPOSE_EAP_PEAP:
+                       /* not for TLS-in-EAP, as we indicate completion with EAP-SUCCCESS.
+                        * Windows does not like close notifies, and hangs/disconnects. */
+                       return FALSE;
+               default:
+                       return TRUE;
+       }
+}
+
 /**
  * Process a TLS alert
  */
@@ -223,6 +246,10 @@ static status_t process_application(private_tls_fragmentation_t *this,
                                continue;
                        case SUCCESS:
                                this->application_finished = TRUE;
+                               if (!send_close_notify(this))
+                               {
+                                       return SUCCESS;
+                               }
                                /* FALL */
                        case FAILED:
                        default:
@@ -368,6 +395,10 @@ static status_t build_application(private_tls_fragmentation_t *this)
                                break;
                        case SUCCESS:
                                this->application_finished = TRUE;
+                               if (!send_close_notify(this))
+                               {
+                                       break;
+                               }
                                /* FALL */
                        case FAILED:
                        default:
@@ -463,7 +494,8 @@ METHOD(tls_fragmentation_t, destroy, void,
  * See header
  */
 tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake,
-                                                       tls_alert_t *alert, tls_application_t *application)
+                                                       tls_alert_t *alert, tls_application_t *application,
+                                                       tls_purpose_t purpose)
 {
        private_tls_fragmentation_t *this;
 
@@ -478,6 +510,7 @@ tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake,
                .alert = alert,
                .state = ALERT_NONE,
                .application = application,
+               .purpose = purpose,
        );
 
        return &this->public;

diff --git a/src/libtls/tls_fragmentation.h b/src/libtls/tls_fragmentation.h
index f650e7be8dc5bd1b7d7966f94e816ea1f1d4f1d5..a49f27b20f8b72092cca3902bdbaab4e28071eec 100644 (file)
--- a/src/libtls/tls_fragmentation.h
+++ b/src/libtls/tls_fragmentation.h
@@ -80,9 +80,11 @@ struct tls_fragmentation_t {
  * @param handshake                    upper layer handshake protocol
  * @param alert                                TLS alert handler
  * @param application          upper layer application data or NULL
+ * @param purpose                      type of context this TLS stack is running in
  * @return                                     TLS fragmentation layer
  */
 tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake,
-                                                       tls_alert_t *alert, tls_application_t *application);
+                                                       tls_alert_t *alert, tls_application_t *application,
+                                                       tls_purpose_t purpose);
 
 #endif /** TLS_FRAGMENTATION_H_ @}*/