OpenSSL 0.9.9 API change for EAP-FAST session ticket overriding API
Updated OpenSSL code for EAP-FAST to use an updated version of the session ticket overriding API that was included into the upstream OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is needed with that version anymore).
This commit is contained in:
parent
1e8b9d2889
commit
0cf03892a4
3 changed files with 63 additions and 2 deletions
@ -4,6 +4,10 @@ ChangeLog for hostapd
|
||||||
* added a new configuration option, wpa_ptk_rekey, that can be used to
|
* added a new configuration option, wpa_ptk_rekey, that can be used to
|
||||||
enforce frequent PTK rekeying, e.g., to mitigate some attacks against
|
enforce frequent PTK rekeying, e.g., to mitigate some attacks against
|
||||||
TKIP deficiencies
|
TKIP deficiencies
|
||||||
|
* updated OpenSSL code for EAP-FAST to use an updated version of the
|
||||||
|
session ticket overriding API that was included into the upstream
|
||||||
|
OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
|
||||||
|
needed with that version anymore)
|
||||||
|
|
||||||
2008-11-01 - v0.6.5
|
2008-11-01 - v0.6.5
|
||||||
* added support for SHA-256 as X.509 certificate digest when using the
|
* added support for SHA-256 as X.509 certificate digest when using the
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
/*
|
/*
|
||||||
* WPA Supplicant / SSL/TLS interface functions for openssl
|
* WPA Supplicant / SSL/TLS interface functions for openssl
|
||||||
* Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
|
* Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
|
||||||
*
|
*
|
||||||
* This program is free software; you can redistribute it and/or modify
|
* This program is free software; you can redistribute it and/or modify
|
||||||
* it under the terms of the GNU General Public License version 2 as
|
* it under the terms of the GNU General Public License version 2 as
|
||||||
|
@ -37,6 +37,16 @@
|
||||||
#define OPENSSL_d2i_TYPE unsigned char **
|
#define OPENSSL_d2i_TYPE unsigned char **
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x00909000L
|
||||||
|
#ifdef SSL_OP_NO_TICKET
|
||||||
|
/*
|
||||||
|
* Session ticket override patch was merged into OpenSSL 0.9.9 tree on
|
||||||
|
* 2008-11-15. This version uses a bit different API compared to the old patch.
|
||||||
|
*/
|
||||||
|
#define CONFIG_OPENSSL_TICKET_OVERRIDE
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
|
||||||
static int tls_openssl_ref_count = 0;
|
static int tls_openssl_ref_count = 0;
|
||||||
|
|
||||||
struct tls_connection {
|
struct tls_connection {
|
||||||
|
@ -2333,12 +2343,18 @@ int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
|
||||||
int ext_type, const u8 *data,
|
int ext_type, const u8 *data,
|
||||||
size_t data_len)
|
size_t data_len)
|
||||||
{
|
{
|
||||||
if (conn == NULL || conn->ssl == NULL)
|
if (conn == NULL || conn->ssl == NULL || ext_type != 35)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
|
#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
|
||||||
|
if (SSL_set_session_ticket_ext(conn->ssl, (void *) data,
|
||||||
|
data_len) != 1)
|
||||||
|
return -1;
|
||||||
|
#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
|
||||||
if (SSL_set_hello_extension(conn->ssl, ext_type, (void *) data,
|
if (SSL_set_hello_extension(conn->ssl, ext_type, (void *) data,
|
||||||
data_len) != 1)
|
data_len) != 1)
|
||||||
return -1;
|
return -1;
|
||||||
|
#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -2564,6 +2580,33 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
|
||||||
|
static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data,
|
||||||
|
int len, void *arg)
|
||||||
|
{
|
||||||
|
struct tls_connection *conn = arg;
|
||||||
|
|
||||||
|
if (conn == NULL || conn->session_ticket_cb == NULL)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
wpa_printf(MSG_DEBUG, "OpenSSL: %s: length=%d", __func__, len);
|
||||||
|
|
||||||
|
os_free(conn->session_ticket);
|
||||||
|
conn->session_ticket = NULL;
|
||||||
|
|
||||||
|
wpa_hexdump(MSG_DEBUG, "OpenSSL: ClientHello SessionTicket "
|
||||||
|
"extension", data, len);
|
||||||
|
|
||||||
|
conn->session_ticket = os_malloc(len);
|
||||||
|
if (conn->session_ticket == NULL)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
os_memcpy(conn->session_ticket, data, len);
|
||||||
|
conn->session_ticket_len = len;
|
||||||
|
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
|
||||||
#ifdef SSL_OP_NO_TICKET
|
#ifdef SSL_OP_NO_TICKET
|
||||||
static void tls_hello_ext_cb(SSL *s, int client_server, int type,
|
static void tls_hello_ext_cb(SSL *s, int client_server, int type,
|
||||||
unsigned char *data, int len, void *arg)
|
unsigned char *data, int len, void *arg)
|
||||||
|
@ -2618,6 +2661,7 @@ static int tls_hello_ext_cb(SSL *s, TLS_EXTENSION *ext, void *arg)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#endif /* SSL_OP_NO_TICKET */
|
#endif /* SSL_OP_NO_TICKET */
|
||||||
|
#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
|
||||||
#endif /* EAP_FAST || EAP_FAST_DYNAMIC */
|
#endif /* EAP_FAST || EAP_FAST_DYNAMIC */
|
||||||
|
|
||||||
|
|
||||||
|
@ -2634,6 +2678,10 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
|
||||||
if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
|
if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
|
||||||
conn) != 1)
|
conn) != 1)
|
||||||
return -1;
|
return -1;
|
||||||
|
#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
|
||||||
|
SSL_set_session_ticket_ext_cb(conn->ssl,
|
||||||
|
tls_session_ticket_ext_cb, conn);
|
||||||
|
#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
|
||||||
#ifdef SSL_OP_NO_TICKET
|
#ifdef SSL_OP_NO_TICKET
|
||||||
SSL_set_tlsext_debug_callback(conn->ssl, tls_hello_ext_cb);
|
SSL_set_tlsext_debug_callback(conn->ssl, tls_hello_ext_cb);
|
||||||
SSL_set_tlsext_debug_arg(conn->ssl, conn);
|
SSL_set_tlsext_debug_arg(conn->ssl, conn);
|
||||||
|
@ -2642,9 +2690,13 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
|
||||||
conn) != 1)
|
conn) != 1)
|
||||||
return -1;
|
return -1;
|
||||||
#endif /* SSL_OP_NO_TICKET */
|
#endif /* SSL_OP_NO_TICKET */
|
||||||
|
#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
|
||||||
} else {
|
} else {
|
||||||
if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
|
if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
|
||||||
return -1;
|
return -1;
|
||||||
|
#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
|
||||||
|
SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL);
|
||||||
|
#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
|
||||||
#ifdef SSL_OP_NO_TICKET
|
#ifdef SSL_OP_NO_TICKET
|
||||||
SSL_set_tlsext_debug_callback(conn->ssl, NULL);
|
SSL_set_tlsext_debug_callback(conn->ssl, NULL);
|
||||||
SSL_set_tlsext_debug_arg(conn->ssl, conn);
|
SSL_set_tlsext_debug_arg(conn->ssl, conn);
|
||||||
|
@ -2652,6 +2704,7 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
|
||||||
if (SSL_set_hello_extension_cb(conn->ssl, NULL, NULL) != 1)
|
if (SSL_set_hello_extension_cb(conn->ssl, NULL, NULL) != 1)
|
||||||
return -1;
|
return -1;
|
||||||
#endif /* SSL_OP_NO_TICKET */
|
#endif /* SSL_OP_NO_TICKET */
|
||||||
|
#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
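Review bot: In tls_session_ticket_ext_cb, conn->session_ticket_len keeps its previous value when os_malloc() fails, because the callback resets only the pointer at `conn->session_ticket = NULL;` and assigns the length solely on the success path; reset both together, `conn->session_ticket_len = 0;`, so that a NULL ticket is never paired with a stale non-zero length when tls_sess_sec_cb later hands the pair to session_ticket_cb. The callback also feeds `len` (an int supplied by OpenSSL) straight into os_malloc() and os_memcpy(); for a zero-length SessionTicket extension, which RFC 5077 allows a client to send, os_malloc(0) is implementation-defined and a NULL result is then reported as a callback failure, so an explicit `if (len <= 0)` branch that treats the empty extension as "no ticket" and returns whatever value the API regards as success would make the outcome deterministic — what a 0 return does to the handshake in that OpenSSL version is not visible in this hunk. Further down, SSL_set_session_ticket_ext_cb() is called without checking its result, whereas the sibling SSL_set_hello_extension_cb() path returns -1 on `!= 1`; if the new API can report failure, the two paths should be consistent. The enclosing tls_connection_set_session_ticket_cb() starts outside this hunk.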
@ -14,6 +14,10 @@ ChangeLog for wpa_supplicant
|
||||||
CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config
|
CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config
|
||||||
* fixed EAP-AKA to use RES Length field in AT_RES as length in bits,
|
* fixed EAP-AKA to use RES Length field in AT_RES as length in bits,
|
||||||
not bytes
|
not bytes
|
||||||
|
* updated OpenSSL code for EAP-FAST to use an updated version of the
|
||||||
|
session ticket overriding API that was included into the upstream
|
||||||
|
OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
|
||||||
|
needed with that version anymore)
|
||||||
|
|
||||||
2008-11-01 - v0.6.5
|
2008-11-01 - v0.6.5
|
||||||
* added support for SHA-256 as X.509 certificate digest when using the
|
* added support for SHA-256 as X.509 certificate digest when using the
|
||||||
|
|