From: Jouni Malinen Date: Tue, 28 Jul 2015 13:32:27 +0000 (+0300) Subject: EAP-TLS/TTLS/PEAP/FAST peer: Stop connection more quickly on local failure X-Git-Tag: hostap_2_5~272 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3947997dcc9c4bc79a1c7e5838111c4605434715;p=thirdparty%2Fhostap.git EAP-TLS/TTLS/PEAP/FAST peer: Stop connection more quickly on local failure If there is only zero-length buffer of output data in error case, mark that as an immediate failure instead of trying to report that non-existing error report to the server. This allows faster connection termination in cases where a non-recoverable error occurs in local TLS processing, e.g., if none of the configured ciphers are available. Signed-off-by: Jouni Malinen --- diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c index 2a108da67..8e147196c 100644 --- a/src/eap_peer/eap_tls_common.c +++ b/src/eap_peer/eap_tls_common.c @@ -682,12 +682,18 @@ int eap_peer_tls_process_helper(struct eap_sm *sm, struct eap_ssl_data *data, if (tls_connection_get_failed(data->ssl_ctx, data->conn)) { /* TLS processing has failed - return error */ wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to " - "report error"); + "report error (len=%u)", + (unsigned int) wpabuf_len(data->tls_out)); ret = -1; /* TODO: clean pin if engine used? */ + if (wpabuf_len(data->tls_out) == 0) { + wpabuf_free(data->tls_out); + data->tls_out = NULL; + return -1; + } } - if (data->tls_out == NULL || wpabuf_len(data->tls_out) == 0) { + if (wpabuf_len(data->tls_out) == 0) { /* * TLS negotiation should now be complete since all other cases * needing more data should have been caught above based on
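Review bot: the hunk drops the NULL guard from the second condition (`if (data->tls_out == NULL || wpabuf_len(data->tls_out) == 0)` becomes `if (wpabuf_len(data->tls_out) == 0)`) and, in the failed branch above it, the extended wpa_printf and the new early-return check both call `wpabuf_len(data->tls_out)` unconditionally, so the whole region now relies on `data->tls_out` being non-NULL on entry. Nothing in the visible context lines establishes that; if an earlier check in eap_peer_tls_process_helper already returns on `data->tls_out == NULL`, please say so in the commit message (or keep the guard in the unchanged-path condition as it costs nothing), otherwise a NULL tls_out reaching this point would dereference NULL in wpabuf_len before the error is reported. Also, the debug message still reads "tls_out available to report error" in the len=0 case where the new block immediately frees the buffer and returns -1 without sending anything; consider a separate message for that path so the log does not claim an error report was made.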