[PATCH] increase internal tls client key exchange buffer
Thu Feb 17 07:15:21 PST 2011
This patch fixes a problem I had when I tried to connect
an embedded system [wpa_supplicant, CONFIG_TLS=internal]
to my TLS secured network.
TLSv1: Send CertificateVerify
TLSv1: CertificateVerify hash - hexdump(len=36): ha .. ha
PKCS #1: pkcs1_generate_encryption_block - Invalid buffer lengths \
(modlen=512 outlen=454 inlen=36)
It turned out that a fixed 1000 byte message buffer was just
a little bit too small for the 4096 bit RSA certificates
Signed-off-by: Christian Lamparter <chunkeey at googlemail.com>
BTW, I tried several different msglen. The "smallest" value
with which works is "1117". For now, I opted for 2000, simply
because "we can" and it doesn't cost that much more anyway.
Or, is there a easy way to "predict" the buffer size beforehand?
(Yes, I've run tests with hostapd (with the internal tls_server) too.
But tls_send_server_hello doesn't seem to be affected...)
Oh and Felix: the "embedded system" was a TP-Link WR841ND v7.1
running the latest OpenWrt built, so maybe you want to put the
patch into the "trunk" repository as well?!
diff --git a/src/tls/tlsv1_client_write.c b/src/tls/tlsv1_client_write.c
index 9ecec46..5d63c27 100644
@@ -669,7 +669,7 @@ static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn,
*out_len = 0;
- msglen = 1000;
+ msglen = 2000;
msglen += tls_client_cert_chain_der_len(conn);
More information about the Hostap