params->dh_file = (char *) config->dh_file;
params->subject_match = (char *) config->subject_match;
params->altsubject_match = (char *) config->altsubject_match;
+ params->engine = config->engine;
params->engine_id = config->engine_id;
params->pin = config->pin;
params->key_id = config->key_id;
params->dh_file = (char *) config->dh_file2;
params->subject_match = (char *) config->subject_match2;
params->altsubject_match = (char *) config->altsubject_match2;
- params->engine_id = config->engine_id;
- params->pin = config->pin;
+ params->engine = config->engine2;
+ params->engine_id = config->engine2_id;
+ params->pin = config->pin2;
params->key_id = config->key2_id;
params->cert_id = config->cert2_id;
params->ca_cert_id = config->ca_cert2_id;
struct eap_peer_config *config, int phase2)
{
os_memset(params, 0, sizeof(*params));
- params->engine = config->engine;
- if (phase2)
+ if (phase2) {
+ wpa_printf(MSG_DEBUG, "TLS: using phase2 config options");
eap_tls_params_from_conf2(params, config);
- else
+ } else {
+ wpa_printf(MSG_DEBUG, "TLS: using phase1 config options");
eap_tls_params_from_conf1(params, config);
+ }
params->tls_ia = data->tls_ia;
/*
length_included = data->tls_out_pos == 0 &&
(data->tls_out_len > data->tls_out_limit ||
data->include_tls_length);
+ if (!length_included &&
+ eap_type == EAP_TYPE_PEAP && peap_version == 0 &&
+ !tls_connection_established(data->eap->ssl_ctx, data->conn)) {
+ /*
+ * Windows Server 2008 NPS really wants to have the TLS Message
+ * length included in phase 0 even for unfragmented frames or
+ * it will get very confused with Compound MAC calculation and
+ * Outer TLVs.
+ */
+ length_included = 1;
+ }
*out_data = eap_msg_alloc(EAP_VENDOR_IETF, eap_type,
1 + length_included * 4 + len,
ret->ignore = TRUE;
return NULL;
}
- *flags = *pos++;
- left--;
+ if (left == 0) {
+ wpa_printf(MSG_DEBUG, "SSL: Invalid TLS message: no Flags "
+ "octet included");
+ if (!sm->workaround) {
+ ret->ignore = TRUE;
+ return NULL;
+ }
+
+ wpa_printf(MSG_DEBUG, "SSL: Workaround - assume no Flags "
+ "indicates ACK frame");
+ *flags = 0;
+ } else {
+ *flags = *pos++;
+ left--;
+ }
wpa_printf(MSG_DEBUG, "SSL: Received packet(len=%lu) - "
"Flags 0x%02x", (unsigned long) wpabuf_len(reqData),
*flags);
if (in_data) {
eap_peer_tls_reset_output(data);
- len = wpabuf_len(in_data) + 100;
+ len = wpabuf_len(in_data) + 300;
data->tls_out = os_malloc(len);
if (data->tls_out == NULL)
return -1;