From 0cf03892a4324b36cfce3a102833eca3302029e1 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 16 Nov 2008 21:29:12 +0200
Subject: [PATCH] OpenSSL 0.9.9 API change for EAP-FAST session ticket overriding API
Updated OpenSSL code for EAP-FAST to use an updated version of the session ticket overriding API that was included into the upstream OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is needed with that version anymore).
---
hostapd/ChangeLog | 4 +++
src/crypto/tls_openssl.c | 57 ++++++++++++++++++++++++++++++++++++++--
wpa_supplicant/ChangeLog | 4 +++
3 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
index b2cfb5bfe..a1ddf40ee 100644
--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -4,6 +4,10 @@ ChangeLog for hostapd
 * added a new configuration option, wpa_ptk_rekey, that can be used to enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP deficiencies
+ * updated OpenSSL code for EAP-FAST to use an updated version of the
+ session ticket overriding API that was included into the upstream
+ OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
+ needed with that version anymore)
 2008-11-01 - v0.6.5
 * added support for SHA-256 as X.509 certificate digest when using the
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index f5b1b9847..d4e559906 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1,6 +1,6 @@
 /*
 * WPA Supplicant / SSL/TLS interface functions for openssl
- * Copyright (c) 2004-2007, Jouni Malinen
+ * Copyright (c) 2004-2008, Jouni Malinen
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
@@ -37,6 +37,16 @@
 #define OPENSSL_d2i_TYPE unsigned char **
 #endif
+#if OPENSSL_VERSION_NUMBER >= 0x00909000L
+#ifdef SSL_OP_NO_TICKET
+/*
+ * Session ticket override patch was merged into OpenSSL 0.9.9 tree on
+ * 2008-11-15. This version uses a bit different API compared to the old patch.
+ */
+#define CONFIG_OPENSSL_TICKET_OVERRIDE
+#endif
+#endif
+
 static int tls_openssl_ref_count = 0;
 struct tls_connection {
@@ -2333,12 +2343,18 @@ int tls_connection_client_hello_ext(void *ssl_ctx,
 struct tls_connection *conn,
 int ext_type, const u8 *data,
 size_t data_len)
 {
- if (conn == NULL || conn->ssl == NULL)
+ if (conn == NULL || conn->ssl == NULL || ext_type != 35)
 return -1;
+#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
+ if (SSL_set_session_ticket_ext(conn->ssl, (void *) data,
+ data_len) != 1)
+ return -1;
+#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
 if (SSL_set_hello_extension(conn->ssl, ext_type, (void *) data,
 data_len) != 1)
 return -1;
+#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
 return 0;
 }
@@ -2564,6 +2580,33 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
 }
+#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
+static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data,
+ int len, void *arg)
+{
+ struct tls_connection *conn = arg;
+
+ if (conn == NULL || conn->session_ticket_cb == NULL)
+ return 0;
+
+ wpa_printf(MSG_DEBUG, "OpenSSL: %s: length=%d", __func__, len);
+
+ os_free(conn->session_ticket);
+ conn->session_ticket = NULL;
+
+ wpa_hexdump(MSG_DEBUG, "OpenSSL: ClientHello SessionTicket "
+ "extension", data, len);
+
+ conn->session_ticket = os_malloc(len);
+ if (conn->session_ticket == NULL)
+ return 0;
+
+ os_memcpy(conn->session_ticket, data, len);
+ conn->session_ticket_len = len;
+
+ return 1;
+}
+#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
 #ifdef SSL_OP_NO_TICKET
 static void tls_hello_ext_cb(SSL *s, int client_server, int type,
 unsigned char *data, int len, void *arg)
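Review bot: In tls_connection_client_hello_ext() the new `SSL_set_session_ticket_ext(conn->ssl, (void *) data, data_len)` call passes a `size_t` where OpenSSL's setter takes an `int` length, so an oversized value would be narrowed silently; guard it before the call, `if (data_len > INT_MAX) return -1;` (with `<limits.h>` in scope). The added `ext_type != 35` check also hard-codes the SessionTicket extension number; OpenSSL's tls1.h provides `TLSEXT_TYPE_session_ticket` for the same value, or at minimum a comment such as `/* only the SessionTicket extension (type 35) can be overridden */` should say what 35 means. Note that with CONFIG_OPENSSL_TICKET_OVERRIDE defined any other extension type now yields -1, which the commit message does not mention.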
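Review bot: tls_session_ticket_ext_cb() frees the previous ticket and sets `conn->session_ticket = NULL` but leaves `conn->session_ticket_len` untouched, so when the following `os_malloc(len)` fails the connection keeps a NULL ticket with a stale non-zero length; add `conn->session_ticket_len = 0;` directly after `conn->session_ticket = NULL;`. The `int len` handed over by OpenSSL is also used unchecked for the allocation and copy: a negative value should be rejected with `if (len < 0) return 0;`, and an empty SessionTicket extension (len 0, which a client may send when it holds no ticket) makes `os_malloc(0)` return an implementation-defined result, possibly NULL, so the callback would return 0 — which, as far as I know of this OpenSSL API, makes the handshake fail; treating len 0 as a successful no-ticket case seems safer, please confirm against the OpenSSL version in use. A short header comment giving the callback contract (return 1 to continue, 0 to fail the handshake; ownership of the copied ticket stays with conn) would help the next maintainer.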
@@ -2618,6 +2661,7 @@ static int tls_hello_ext_cb(SSL *s, TLS_EXTENSION *ext, void *arg)
 return 0;
 }
 #endif /* SSL_OP_NO_TICKET */
+#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
 #endif /* EAP_FAST || EAP_FAST_DYNAMIC */
@@ -2634,6 +2678,10 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
 if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
 conn) != 1)
 return -1;
+#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
+ SSL_set_session_ticket_ext_cb(conn->ssl,
+ tls_session_ticket_ext_cb, conn);
+#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
 #ifdef SSL_OP_NO_TICKET
 SSL_set_tlsext_debug_callback(conn->ssl, tls_hello_ext_cb);
 SSL_set_tlsext_debug_arg(conn->ssl, conn);
@@ -2642,9 +2690,13 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
 conn) != 1)
 return -1;
 #endif /* SSL_OP_NO_TICKET */
+#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
 } else {
 if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
 return -1;
+#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
+ SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL);
+#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
 #ifdef SSL_OP_NO_TICKET
 SSL_set_tlsext_debug_callback(conn->ssl, NULL);
 SSL_set_tlsext_debug_arg(conn->ssl, conn);
@@ -2652,6 +2704,7 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
 if (SSL_set_hello_extension_cb(conn->ssl, NULL, NULL) != 1)
 return -1;
 #endif /* SSL_OP_NO_TICKET */
+#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
 }
 return 0;
diff --git a/wpa_supplicant/ChangeLog b/wpa_supplicant/ChangeLog
index 1f7d8d65a..29b30a5bc 100644
--- a/wpa_supplicant/ChangeLog
+++ b/wpa_supplicant/ChangeLog
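Review bot: The return value of `SSL_set_session_ticket_ext_cb()` is discarded in the enable branch of the @@ -2634 hunk and again in the disable branch of the @@ -2642 hunk, while the adjacent `SSL_set_session_secret_cb()` calls are checked with `!= 1` and the old `SSL_set_hello_extension_cb()` path that this replaces was checked too. If the setter returns an int in the OpenSSL tree this targets (it does in the releases I know that ship this API — please confirm), check it the same way, `if (SSL_set_session_ticket_ext_cb(conn->ssl, tls_session_ticket_ext_cb, conn) != 1) return -1;`, and likewise for the NULL reset; otherwise a one-line comment stating that the call cannot fail would keep the two paths visibly consistent. tls_connection_set_session_ticket_cb() starts before these hunks and its body continues past them.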
@@ -14,6 +14,10 @@ ChangeLog for wpa_supplicant
 CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config
 * fixed EAP-AKA to use RES Length field in AT_RES as length in bits, not bytes
+ * updated OpenSSL code for EAP-FAST to use an updated version of the
+ session ticket overriding API that was included into the upstream
+ OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
+ needed with that version anymore)
 2008-11-01 - v0.6.5
 * added support for SHA-256 as X.509 certificate digest when using the