Discussed in https://www.spinics.net/lists/hostap/msg05376.html --- src/crypto/tls_openssl.c | 17 +++++++++++++---- src/eap_peer/eap_peap.c | 4 ++++ src/eap_peer/eap_ttls.c | 5 +++++ 3 files changed, 22 insertions(+), 4 deletions(-) diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index f7dfecbbf..6b552293e 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -1045,6 +1045,8 @@ void * tls_init(const struct tls_config *conf) SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2); SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3); + SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY); + #ifdef SSL_MODE_NO_AUTO_CHAIN /* Number of deployed use cases assume the default OpenSSL behavior of * auto chaining the local certificate is in use. BoringSSL removed this @@ -4543,10 +4545,17 @@ struct wpabuf * tls_connection_decrypt(void *tls_ctx, return NULL; res = SSL_read(conn->ssl, wpabuf_mhead(buf), wpabuf_size(buf)); if (res < 0) { - tls_show_errors(MSG_INFO, __func__, - "Decryption failed - SSL_read"); - wpabuf_free(buf); - return NULL; + int err = SSL_get_error(conn->ssl, res); + if (err == SSL_ERROR_WANT_READ) { + wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want " + "more data"); + res = 0; + } else { + tls_show_errors(MSG_INFO, __func__, + "Decryption failed - SSL_read"); + wpabuf_free(buf); + return NULL; + } } wpabuf_put(buf, res); diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c index 7bcba4de2..cb34a0fc3 100644 --- a/src/eap_peer/eap_peap.c +++ b/src/eap_peer/eap_peap.c @@ -819,6 +819,10 @@ static int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data, res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); if (res) return res; + if (wpabuf_len(in_decrypted) == 0) { + wpabuf_free(in_decrypted); + return 1; + } continue_req: wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP", diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c index 642d179c6..3bf1e97e6 100644 --- a/src/eap_peer/eap_ttls.c +++ b/src/eap_peer/eap_ttls.c @@ -1441,6 +1441,7 @@ static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data, if ((in_data == NULL || wpabuf_len(in_data) == 0) && data->phase2_start) { +start: return eap_ttls_phase2_start(sm, data, ret, identifier, out_data); } @@ -1455,6 +1456,10 @@ static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data, retval = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); if (retval) goto done; + if (wpabuf_len(in_decrypted) == 0) { + wpabuf_free(in_decrypted); + goto start; + } continue_req: data->phase2_start = 0; -- 2.20.1 _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap