From bb91243047d22952490ff1d6cd626dd0301c5371 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 28 Jul 2015 16:30:41 +0300
Subject: [PATCH] EAP-TTLS/PEAP/FAST peer: Stop immediately on local TLS processing failure

EAP-TLS was already doing this, but the other TLS-based EAP methods did not mark methodState DONE and decision FAIL on local TLS processing errors (instead, they left the connection waiting for a longer timeout).

Signed-off-by: Jouni Malinen
---
 src/eap_peer/eap_fast.c | 7 +++++++
 src/eap_peer/eap_peap.c | 7 +++++++
 src/eap_peer/eap_ttls.c | 6 ++++++
 3 files changed, 20 insertions(+)

diff --git a/src/eap_peer/eap_fast.c b/src/eap_peer/eap_fast.c
index f636e74da..4cbe3bacb 100644
--- a/src/eap_peer/eap_fast.c
+++ b/src/eap_peer/eap_fast.c
@@ -1572,6 +1572,13 @@ static struct wpabuf * eap_fast_process(struct eap_sm *sm, void *priv,
 EAP_TYPE_FAST, data->fast_version, id, &msg, &resp);
+ if (res < 0) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-FAST: TLS processing failed");
+ ret->methodState = METHOD_DONE;
+ ret->decision = DECISION_FAIL;
+ return resp;
+ }
 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
 char cipher[80];
diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
index 4f68fceae..98a48a6cf 100644
--- a/src/eap_peer/eap_peap.c
+++ b/src/eap_peer/eap_peap.c
@@ -1011,6 +1011,13 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
 data->peap_version, id, &msg, &resp);
+ if (res < 0) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-PEAP: TLS processing failed");
+ ret->methodState = METHOD_DONE;
+ ret->decision = DECISION_FAIL;
+ return resp;
+ }
 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
 char *label;
 wpa_printf(MSG_DEBUG,
diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c
index 189a6f1a9..3f59a5f97 100644
--- a/src/eap_peer/eap_ttls.c
+++ b/src/eap_peer/eap_ttls.c
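Review bot: The new `if (res < 0)` block in eap_fast_process returns `resp` as the method's response on the failure path, which is only correct if eap_peer_tls_process_helper either leaves `*out_data` NULL or fills it with the TLS alert it wants delivered on every error return; `resp`'s declaration and initialization are above the hunk, so confirm it can never reach this `return resp;` indeterminate. The same block is added to eap_peap_process in the second hunk and, with an int return, to eap_ttls_process_handshake in the third; a small shared helper beside eap_peer_tls_process_helper that logs and sets `ret->methodState`/`ret->decision` would keep the three methods from drifting again, which the commit message says is exactly how they diverged from EAP-TLS. The debug line would also be more useful for triage with the result code included, e.g. `wpa_printf(MSG_DEBUG, "EAP-FAST: TLS processing failed (res=%d)", res);`.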
@@ -1394,6 +1394,12 @@ static int eap_ttls_process_handshake(struct eap_sm *sm,
 res = eap_peer_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS, data->ttls_version, identifier, in_data, out_data);
+ if (res < 0) {
+ wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS processing failed");
+ ret->methodState = METHOD_DONE;
+ ret->decision = DECISION_FAIL;
+ return -1;
+ }
 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
 wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS done, proceed to "
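Review bot: The early `return -1;` leaves whatever eap_peer_tls_process_helper stored in `*out_data` (presumably a TLS alert it expects to be sent, though that is not visible here) for the caller, and eap_ttls_process_handshake's caller is outside the hunk, so confirm that the -1 path still transmits `*out_data` rather than silently dropping it or leaking it. A one-line comment on the new block would make the intent explicit for the next reader, e.g. `/* Local TLS failure: fail the method now rather than waiting for the EAP timeout */`. As in the FAST and PEAP hunks, including the result code in the log line helps when diagnosing a failed handshake: `wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS processing failed (res=%d)", res);`.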