OpenSSL 0.9.9 API change for EAP-FAST session ticket overriding API

Updated OpenSSL code for EAP-FAST to use an updated version of the
session ticket overriding API that was included into the upstream
OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
needed with that version anymore).

hostapd/ChangeLog

@@ -4,6 +4,10 @@ ChangeLog for hostapd
 	* added a new configuration option, wpa_ptk_rekey, that can be used to
 	  enforce frequent PTK rekeying, e.g., to mitigate some attacks against
 	  TKIP deficiencies
+	* updated OpenSSL code for EAP-FAST to use an updated version of the
+	  session ticket overriding API that was included into the upstream
+	  OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
+	  needed with that version anymore)
 
 2008-11-01 - v0.6.5
 	* added support for SHA-256 as X.509 certificate digest when using the

src/crypto/tls_openssl.c

@@ -1,6 +1,6 @@
 /*
  * WPA Supplicant / SSL/TLS interface functions for openssl
- * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -37,6 +37,16 @@
 #define OPENSSL_d2i_TYPE unsigned char **
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x00909000L
+#ifdef SSL_OP_NO_TICKET
+/*
+ * Session ticket override patch was merged into OpenSSL 0.9.9 tree on
+ * 2008-11-15. This version uses a bit different API compared to the old patch.
+ */
+#define CONFIG_OPENSSL_TICKET_OVERRIDE
+#endif
+#endif
+
 static int tls_openssl_ref_count = 0;
 
 struct tls_connection {
@@ -2333,12 +2343,18 @@ int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
 				    int ext_type, const u8 *data,
 				    size_t data_len)
 {
-	if (conn == NULL || conn->ssl == NULL)
+	if (conn == NULL || conn->ssl == NULL || ext_type != 35)
 		return -1;
 
+#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
+	if (SSL_set_session_ticket_ext(conn->ssl, (void *) data,
+				       data_len) != 1)
+		return -1;
+#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
 	if (SSL_set_hello_extension(conn->ssl, ext_type, (void *) data,
 				    data_len) != 1)
 		return -1;
+#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
 
 	return 0;
 }
@@ -2564,6 +2580,33 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
 }
 
 
+#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
+static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data,
+				     int len, void *arg)
+{
+	struct tls_connection *conn = arg;
+
+	if (conn == NULL || conn->session_ticket_cb == NULL)
+		return 0;
+
+	wpa_printf(MSG_DEBUG, "OpenSSL: %s: length=%d", __func__, len);
+
+	os_free(conn->session_ticket);
+	conn->session_ticket = NULL;
+
+	wpa_hexdump(MSG_DEBUG, "OpenSSL: ClientHello SessionTicket "
+		    "extension", data, len);
+
+	conn->session_ticket = os_malloc(len);
+	if (conn->session_ticket == NULL)
+		return 0;
+
+	os_memcpy(conn->session_ticket, data, len);
+	conn->session_ticket_len = len;
+
+	return 1;
+}
+#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
 #ifdef SSL_OP_NO_TICKET
 static void tls_hello_ext_cb(SSL *s, int client_server, int type,
 			     unsigned char *data, int len, void *arg)
@@ -2618,6 +2661,7 @@ static int tls_hello_ext_cb(SSL *s, TLS_EXTENSION *ext, void *arg)
 	return 0;
 }
 #endif /* SSL_OP_NO_TICKET */
+#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
 #endif /* EAP_FAST || EAP_FAST_DYNAMIC */
 
 
@@ -2634,6 +2678,10 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
 		if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
 					      conn) != 1)
 			return -1;
+#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
+		SSL_set_session_ticket_ext_cb(conn->ssl,
+					      tls_session_ticket_ext_cb, conn);
+#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
 #ifdef SSL_OP_NO_TICKET
 		SSL_set_tlsext_debug_callback(conn->ssl, tls_hello_ext_cb);
 		SSL_set_tlsext_debug_arg(conn->ssl, conn);
@@ -2642,9 +2690,13 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
 					       conn) != 1)
 			return -1;
 #endif /* SSL_OP_NO_TICKET */
+#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
 	} else {
 		if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
 			return -1;
+#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
+		SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL);
+#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
 #ifdef SSL_OP_NO_TICKET
 		SSL_set_tlsext_debug_callback(conn->ssl, NULL);
 		SSL_set_tlsext_debug_arg(conn->ssl, conn);
@@ -2652,6 +2704,7 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
 		if (SSL_set_hello_extension_cb(conn->ssl, NULL, NULL) != 1)
 			return -1;
 #endif /* SSL_OP_NO_TICKET */
+#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
 	}
 
 	return 0;

wpa_supplicant/ChangeLog

@@ -14,6 +14,10 @@ ChangeLog for wpa_supplicant
 	  CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config
 	* fixed EAP-AKA to use RES Length field in AT_RES as length in bits,
 	  not bytes
+	* updated OpenSSL code for EAP-FAST to use an updated version of the
+	  session ticket overriding API that was included into the upstream
+	  OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
+	  needed with that version anymore)
 
 2008-11-01 - v0.6.5
 	* added support for SHA-256 as X.509 certificate digest when using the