OpenSSL 0.9.9 API change for EAP-FAST session ticket overriding API

Updated OpenSSL code for EAP-FAST to use an updated version of the
session ticket overriding API that was included into the upstream
OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
needed with that version anymore).
Jouni Malinen 2008-11-16 21:29:12 +02:00
parent 1e8b9d2889
commit 0cf03892a4
3 changed files with 63 additions and 2 deletions


@ -4,6 +4,10 @@ ChangeLog for hostapd
* added a new configuration option, wpa_ptk_rekey, that can be used to * added a new configuration option, wpa_ptk_rekey, that can be used to
enforce frequent PTK rekeying, e.g., to mitigate some attacks against enforce frequent PTK rekeying, e.g., to mitigate some attacks against
TKIP deficiencies TKIP deficiencies
* updated OpenSSL code for EAP-FAST to use an updated version of the
session ticket overriding API that was included into the upstream
OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
needed with that version anymore)
2008-11-01 - v0.6.5 2008-11-01 - v0.6.5
* added support for SHA-256 as X.509 certificate digest when using the * added support for SHA-256 as X.509 certificate digest when using the


@ -1,6 +1,6 @@
/* /*
* WPA Supplicant / SSL/TLS interface functions for openssl * WPA Supplicant / SSL/TLS interface functions for openssl
* Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi> * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as * it under the terms of the GNU General Public License version 2 as
@ -37,6 +37,16 @@
#define OPENSSL_d2i_TYPE unsigned char ** #define OPENSSL_d2i_TYPE unsigned char **
#endif #endif
#if OPENSSL_VERSION_NUMBER >= 0x00909000L
#ifdef SSL_OP_NO_TICKET
/*
* Session ticket override patch was merged into OpenSSL 0.9.9 tree on
* 2008-11-15. This version uses a bit different API compared to the old patch.
*/
#define CONFIG_OPENSSL_TICKET_OVERRIDE
#endif
#endif
static int tls_openssl_ref_count = 0; static int tls_openssl_ref_count = 0;
struct tls_connection { struct tls_connection {
@ -2333,12 +2343,18 @@ int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
int ext_type, const u8 *data, int ext_type, const u8 *data,
size_t data_len) size_t data_len)
{ {
if (conn == NULL || conn->ssl == NULL) if (conn == NULL || conn->ssl == NULL || ext_type != 35)
return -1; return -1;
#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
if (SSL_set_session_ticket_ext(conn->ssl, (void *) data,
data_len) != 1)
return -1;
#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
if (SSL_set_hello_extension(conn->ssl, ext_type, (void *) data, if (SSL_set_hello_extension(conn->ssl, ext_type, (void *) data,
data_len) != 1) data_len) != 1)
return -1; return -1;
#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
return 0; return 0;
} }
@ -2564,6 +2580,33 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
} }
#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data,
int len, void *arg)
{
struct tls_connection *conn = arg;
if (conn == NULL || conn->session_ticket_cb == NULL)
return 0;
wpa_printf(MSG_DEBUG, "OpenSSL: %s: length=%d", __func__, len);
os_free(conn->session_ticket);
conn->session_ticket = NULL;
wpa_hexdump(MSG_DEBUG, "OpenSSL: ClientHello SessionTicket "
"extension", data, len);
conn->session_ticket = os_malloc(len);
if (conn->session_ticket == NULL)
return 0;
os_memcpy(conn->session_ticket, data, len);
conn->session_ticket_len = len;
return 1;
}
#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
#ifdef SSL_OP_NO_TICKET #ifdef SSL_OP_NO_TICKET
static void tls_hello_ext_cb(SSL *s, int client_server, int type, static void tls_hello_ext_cb(SSL *s, int client_server, int type,
unsigned char *data, int len, void *arg) unsigned char *data, int len, void *arg)
@ -2618,6 +2661,7 @@ static int tls_hello_ext_cb(SSL *s, TLS_EXTENSION *ext, void *arg)
return 0; return 0;
} }
#endif /* SSL_OP_NO_TICKET */ #endif /* SSL_OP_NO_TICKET */
#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
#endif /* EAP_FAST || EAP_FAST_DYNAMIC */ #endif /* EAP_FAST || EAP_FAST_DYNAMIC */
@ -2634,6 +2678,10 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb, if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
conn) != 1) conn) != 1)
return -1; return -1;
#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
SSL_set_session_ticket_ext_cb(conn->ssl,
tls_session_ticket_ext_cb, conn);
#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
#ifdef SSL_OP_NO_TICKET #ifdef SSL_OP_NO_TICKET
SSL_set_tlsext_debug_callback(conn->ssl, tls_hello_ext_cb); SSL_set_tlsext_debug_callback(conn->ssl, tls_hello_ext_cb);
SSL_set_tlsext_debug_arg(conn->ssl, conn); SSL_set_tlsext_debug_arg(conn->ssl, conn);
@ -2642,9 +2690,13 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
conn) != 1) conn) != 1)
return -1; return -1;
#endif /* SSL_OP_NO_TICKET */ #endif /* SSL_OP_NO_TICKET */
#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
} else { } else {
if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1) if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
return -1; return -1;
#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL);
#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
#ifdef SSL_OP_NO_TICKET #ifdef SSL_OP_NO_TICKET
SSL_set_tlsext_debug_callback(conn->ssl, NULL); SSL_set_tlsext_debug_callback(conn->ssl, NULL);
SSL_set_tlsext_debug_arg(conn->ssl, conn); SSL_set_tlsext_debug_arg(conn->ssl, conn);
@ -2652,6 +2704,7 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
if (SSL_set_hello_extension_cb(conn->ssl, NULL, NULL) != 1) if (SSL_set_hello_extension_cb(conn->ssl, NULL, NULL) != 1)
return -1; return -1;
#endif /* SSL_OP_NO_TICKET */ #endif /* SSL_OP_NO_TICKET */
#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
} }
return 0; return 0;
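Review bot: tls_session_ticket_ext_cb uses the `int len` it receives from OpenSSL without any range check before `os_malloc(len)` and `os_memcpy(...)`, and then stores it into `conn->session_ticket_len`; a zero-length SessionTicket extension, which an RFC 5077 client sends to request a fresh ticket, ends up at `os_malloc(0)`, and on a platform where that returns NULL the callback returns 0, which, as far as I can tell from the OpenSSL 0.9.9 code that merged this API, makes the server abort the ClientHello with an internal error rather than just ignoring the ticket. I would reject the degenerate value explicitly at the top of the callback, e.g. `if (len <= 0) return 0;`, or, if an empty ticket should be tolerated rather than fatal, free `conn->session_ticket`, set `conn->session_ticket_len = 0` and return 1 without allocating. Two smaller points in the same file: the new `SSL_set_session_ticket_ext_cb()` calls in tls_connection_set_session_ticket_cb ignore their return value while the sibling `SSL_set_session_secret_cb()` and the old `SSL_set_hello_extension_cb()` paths check for `!= 1`, so `if (SSL_set_session_ticket_ext_cb(conn->ssl, tls_session_ticket_ext_cb, conn) != 1) return -1;` would keep the error handling consistent; and the literal in `ext_type != 35` in tls_connection_client_hello_ext deserves a name or at least a comment, e.g. `/* 35 = TLSEXT_TYPE_session_ticket (RFC 5077 SessionTicket) */`. tls_connection_set_session_ticket_cb begins before the hunks shown here, so its remaining lines were not reviewed.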


@ -14,6 +14,10 @@ ChangeLog for wpa_supplicant
CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config
* fixed EAP-AKA to use RES Length field in AT_RES as length in bits, * fixed EAP-AKA to use RES Length field in AT_RES as length in bits,
not bytes not bytes
* updated OpenSSL code for EAP-FAST to use an updated version of the
session ticket overriding API that was included into the upstream
OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
needed with that version anymore)
2008-11-01 - v0.6.5 2008-11-01 - v0.6.5
* added support for SHA-256 as X.509 certificate digest when using the * added support for SHA-256 as X.509 certificate digest when using the