@ -1,6 +1,6 @@
/*
* WPA Supplicant / SSL / TLS interface functions for openssl
* Copyright ( c ) 2004 - 200 7 , Jouni Malinen < j @ w1 . fi >
* Copyright ( c ) 2004 - 200 8 , Jouni Malinen < j @ w1 . fi >
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License version 2 as
@ -37,6 +37,16 @@
# define OPENSSL_d2i_TYPE unsigned char **
# endif
# if OPENSSL_VERSION_NUMBER >= 0x00909000L
# ifdef SSL_OP_NO_TICKET
/*
* Session ticket override patch was merged into OpenSSL 0.9 .9 tree on
* 2008 - 11 - 15. This version uses a bit different API compared to the old patch .
*/
# define CONFIG_OPENSSL_TICKET_OVERRIDE
# endif
# endif
static int tls_openssl_ref_count = 0 ;
struct tls_connection {
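Review bot: The comment above the new `CONFIG_OPENSSL_TICKET_OVERRIDE` define explains when the upstream API changed but not what the macro selects in this file, which is what a reader of the `#ifdef` blocks further down needs. Suggest extending it with `* When defined, SSL_set_session_ticket_ext() / SSL_set_session_ticket_ext_cb() are used instead of the older SSL_set_hello_extension*() and tlsext debug callback API.` The detection itself keys on `SSL_OP_NO_TICKET` plus the version-number floor; if some 0.9.9 snapshots between the two APIs define `SSL_OP_NO_TICKET` without providing `SSL_set_session_ticket_ext()`, this would fail to compile rather than fall back, so a note naming the minimum snapshot actually tested would help.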
@ -2333,12 +2343,18 @@ int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
int ext_type , const u8 * data ,
size_t data_len )
{
if ( conn = = NULL | | conn - > ssl = = NULL )
if ( conn = = NULL | | conn - > ssl = = NULL | | ext_type ! = 35 )
return - 1 ;
# ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
if ( SSL_set_session_ticket_ext ( conn - > ssl , ( void * ) data ,
data_len ) ! = 1 )
return - 1 ;
# else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
if ( SSL_set_hello_extension ( conn - > ssl , ext_type , ( void * ) data ,
data_len ) ! = 1 )
return - 1 ;
# endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
return 0 ;
}
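Review bot: The added `ext_type != 35` check sits outside the `#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE` block, so the `#else` path, whose `SSL_set_hello_extension()` call still takes `ext_type` and accepts arbitrary extension types, is now restricted to SessionTicket as well; if that restriction is meant only for the new API (which has no type parameter), move the check into the `#ifdef` branch. Either way the bare `35` should be named, e.g. `#define TLS_EXT_SESSION_TICKET 35 /* RFC 5077 */` near the top of the file and `ext_type != TLS_EXT_SESSION_TICKET` here. The `(void *) data` casts drop the caller's `const`; a one-line comment stating that OpenSSL copies the buffer rather than retaining the pointer would document why that is safe (confirm against the OpenSSL version in use). The function's signature begins in the hunk header, outside the hunk body.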
@ -2564,6 +2580,33 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
}
# ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
static int tls_session_ticket_ext_cb ( SSL * s , const unsigned char * data ,
int len , void * arg )
{
struct tls_connection * conn = arg ;
if ( conn = = NULL | | conn - > session_ticket_cb = = NULL )
return 0 ;
wpa_printf ( MSG_DEBUG , " OpenSSL: %s: length=%d " , __func__ , len ) ;
os_free ( conn - > session_ticket ) ;
conn - > session_ticket = NULL ;
wpa_hexdump ( MSG_DEBUG , " OpenSSL: ClientHello SessionTicket "
" extension " , data , len ) ;
conn - > session_ticket = os_malloc ( len ) ;
if ( conn - > session_ticket = = NULL )
return 0 ;
os_memcpy ( conn - > session_ticket , data , len ) ;
conn - > session_ticket_len = len ;
return 1 ;
}
# else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
# ifdef SSL_OP_NO_TICKET
static void tls_hello_ext_cb ( SSL * s , int client_server , int type ,
unsigned char * data , int len , void * arg )
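Review bot: In `tls_session_ticket_ext_cb` the `int len` handed over by OpenSSL goes straight into `os_malloc(len)` and `os_memcpy()` with no range check, and a zero-length SessionTicket extension (which RFC 5077 lets a client send to request a new ticket) turns into `os_malloc(0)`, which returns NULL on some platforms and makes the callback return 0. Suggest handling the boundary explicitly before the allocation, e.g. `if (len < 0) return 0;` and a deliberate decision for `len == 0` (either keep `session_ticket` NULL with `session_ticket_len = 0` and return 1, or reject it with a debug message), rather than letting the allocator decide. The 0/1 return contract is also undocumented; a comment such as `/* Return 1 to continue the handshake; 0 makes OpenSSL abort it (presumably as an internal error) — confirm */` above the function would help the next reader. The `tls_hello_ext_cb` definition at the end of the hunk continues outside it.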
@ -2618,6 +2661,7 @@ static int tls_hello_ext_cb(SSL *s, TLS_EXTENSION *ext, void *arg)
return 0 ;
}
# endif /* SSL_OP_NO_TICKET */
# endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
# endif /* EAP_FAST || EAP_FAST_DYNAMIC */
@ -2634,6 +2678,10 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
if ( SSL_set_session_secret_cb ( conn - > ssl , tls_sess_sec_cb ,
conn ) ! = 1 )
return - 1 ;
# ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
SSL_set_session_ticket_ext_cb ( conn - > ssl ,
tls_session_ticket_ext_cb , conn ) ;
# else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
# ifdef SSL_OP_NO_TICKET
SSL_set_tlsext_debug_callback ( conn - > ssl , tls_hello_ext_cb ) ;
SSL_set_tlsext_debug_arg ( conn - > ssl , conn ) ;
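Review bot: The return value of the new `SSL_set_session_ticket_ext_cb()` call is ignored, while the `SSL_set_session_secret_cb()` call a few lines above in the same function is checked with `!= 1` and fails with `-1`. The OpenSSL function returns an int, so treat it the same way: `if (SSL_set_session_ticket_ext_cb(conn->ssl, tls_session_ticket_ext_cb, conn) != 1) return -1;`. The `SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL)` line added in the next hunk has the same omission. The enclosing `tls_connection_set_session_ticket_cb` begins before this hunk and ends after it.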
@ -2642,9 +2690,13 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
conn ) ! = 1 )
return - 1 ;
# endif /* SSL_OP_NO_TICKET */
# endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
} else {
if ( SSL_set_session_secret_cb ( conn - > ssl , NULL , NULL ) ! = 1 )
return - 1 ;
# ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
SSL_set_session_ticket_ext_cb ( conn - > ssl , NULL , NULL ) ;
# else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
# ifdef SSL_OP_NO_TICKET
SSL_set_tlsext_debug_callback ( conn - > ssl , NULL ) ;
SSL_set_tlsext_debug_arg ( conn - > ssl , conn ) ;
@ -2652,6 +2704,7 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
if ( SSL_set_hello_extension_cb ( conn - > ssl , NULL , NULL ) ! = 1 )
return - 1 ;
# endif /* SSL_OP_NO_TICKET */
# endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
}
return 0 ;