[PATCH] increase internal tls client key exchange buffer

Christian Lamparter chunkeey at googlemail.com
Thu Feb 17 10:15:21 EST 2011

This patch fixes a problem I had when I tried to connect
an embedded system [wpa_supplicant, CONFIG_TLS=internal]
to my TLS secured network.

TLSv1: Send CertificateVerify
TLSv1: CertificateVerify hash - hexdump(len=36): ha .. ha 
PKCS #1: pkcs1_generate_encryption_block - Invalid buffer lengths \
			(modlen=512 outlen=454 inlen=36)

It turned out that a fixed 1000 byte message buffer was just
a little bit too small for the 4096 bit RSA certificates
I'm using.

Signed-off-by: Christian Lamparter <chunkeey at googlemail.com>
BTW, I tried several different msglen. The "smallest" value
with which it works is "1117". For now, I opted for 2000, simply
because "we can" and it doesn't cost that much more anyway.

Or, is there an easy way to "predict" the buffer size beforehand?
(Yes, I've run tests with hostapd (with the internal tls_server) too.
But tls_send_server_hello doesn't seem to be affected...)


Oh and Felix: the "embedded system" was a TP-Link WR841ND v7.1
running the latest OpenWrt build, so maybe you want to put the
patch into the "trunk" repository as well?!
diff --git a/src/tls/tlsv1_client_write.c b/src/tls/tlsv1_client_write.c
index 9ecec46..5d63c27 100644
--- a/src/tls/tlsv1_client_write.c
+++ b/src/tls/tlsv1_client_write.c
@@ -669,7 +669,7 @@ static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn,
 	*out_len = 0;
-	msglen = 1000;
+	msglen = 2000;
 	if (conn->certificate_requested)
 		msglen += tls_client_cert_chain_der_len(conn);
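Review bot: the new `msglen = 2000` replaces one magic number with another, and the quoted log line shows why the margin is thin: the PKCS #1 block for the CertificateVerify signature alone needs modlen bytes (512 for the 4096-bit key), and the RSA-encrypted premaster secret built in tls_send_client_key_exchange is the same size again, so a larger key or a longer certificate chain will reproduce the `Invalid buffer lengths` failure with a different number. If the server public key length is available where this buffer is sized, consider deriving msglen from it (two modulus lengths plus the fixed record and handshake header overhead), in the same way `tls_client_cert_chain_der_len(conn)` is already added on the following line for the certificate case; failing that, a comment next to the constant stating that 2000 is sufficient for RSA keys up to 4096 bits would at least record the assumption for the next person who hits this.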