OpenSSL: Simplify EAP-FAST peer workaround

Commit d4913c585e ('OpenSSL: Fix EAP-FAST peer regression') introduced a workaround to use a new SSL_CTX instance set for TLSv1_method() when using EAP-FAST. While that works, it is unnecessarily complex since there is not really a need to use a separate SSL_CTX to be able to do that. Instead, simply use SSL_set_ssl_method() to update the ssl_method for the SSL instance. In practice, this commit reverts most of the tls_openssl.c changes from that earlier commit and adds that single call into tls_connection_set_params() based on EAP-FAST flag. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 23:55:41 +02:00 · 2014-12-09 23:55:41 +02:00 · 6a31a31da1
commit 6a31a31da1
parent 2fc4749c91
1 changed files with 39 additions and 93 deletions
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@ -118,8 +118,6 @@ struct tls_connection {
 	X509 *peer_cert;
 	X509 *peer_issuer;
 	X509 *peer_issuer_issuer;
-
-	SSL_CTX *ssl_ctx; /* separate context for EAP-FAST workaround */
 };


@ -1027,77 +1025,60 @@ static void tls_msg_cb(int write_p, int version, int content_type,
 }


-static int openssl_new_ssl(SSL_CTX *ssl_ctx, struct tls_connection *conn)
+struct tls_connection * tls_connection_init(void *ssl_ctx)
 {
+	SSL_CTX *ssl = ssl_ctx;
+	struct tls_connection *conn;
 	long options;
 #ifdef OPENSSL_SUPPORTS_CTX_APP_DATA
-	struct tls_context *context = SSL_CTX_get_app_data(ssl_ctx);
+	struct tls_context *context = SSL_CTX_get_app_data(ssl);
 #else /* OPENSSL_SUPPORTS_CTX_APP_DATA */
 	struct tls_context *context = tls_global;
 #endif /* OPENSSL_SUPPORTS_CTX_APP_DATA */
-	SSL *ssl;
-	BIO *ssl_in, *ssl_out;

-	ssl = SSL_new(ssl_ctx);
-	if (ssl == NULL) {
+	conn = os_zalloc(sizeof(*conn));
+	if (conn == NULL)
+		return NULL;
+	conn->ssl = SSL_new(ssl);
+	if (conn->ssl == NULL) {
 		tls_show_errors(MSG_INFO, __func__,
 				"Failed to initialize new SSL connection");
-		return -1;
+		os_free(conn);
+		return NULL;
 	}

-	SSL_set_app_data(ssl, conn);
-	SSL_set_msg_callback(ssl, tls_msg_cb);
-	SSL_set_msg_callback_arg(ssl, conn);
+	conn->context = context;
+	SSL_set_app_data(conn->ssl, conn);
+	SSL_set_msg_callback(conn->ssl, tls_msg_cb);
+	SSL_set_msg_callback_arg(conn->ssl, conn);
 	options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
 		SSL_OP_SINGLE_DH_USE;
 #ifdef SSL_OP_NO_COMPRESSION
 	options |= SSL_OP_NO_COMPRESSION;
 #endif /* SSL_OP_NO_COMPRESSION */
-	SSL_set_options(ssl, options);
+	SSL_set_options(conn->ssl, options);

-	ssl_in = BIO_new(BIO_s_mem());
-	if (!ssl_in) {
+	conn->ssl_in = BIO_new(BIO_s_mem());
+	if (!conn->ssl_in) {
 		tls_show_errors(MSG_INFO, __func__,
 				"Failed to create a new BIO for ssl_in");
-		SSL_free(ssl);
-		return -1;
-	}
-
-	ssl_out = BIO_new(BIO_s_mem());
-	if (!ssl_out) {
-		tls_show_errors(MSG_INFO, __func__,
-				"Failed to create a new BIO for ssl_out");
-		SSL_free(ssl);
-		BIO_free(ssl_in);
-		return -1;
-	}
-
-	SSL_set_bio(ssl, ssl_in, ssl_out);
-
-	if (conn->ssl)
 		SSL_free(conn->ssl);
-	conn->ssl = ssl;
-	conn->ssl_in = ssl_in;
-	conn->ssl_out = ssl_out;
-	conn->context = context;
-
-	return 0;
-}
-
-
-struct tls_connection * tls_connection_init(void *ssl_ctx)
-{
-	SSL_CTX *ssl = ssl_ctx;
-	struct tls_connection *conn;
-
-	conn = os_zalloc(sizeof(*conn));
-	if (conn == NULL)
-		return NULL;
-	if (openssl_new_ssl(ssl, conn) < 0) {
 		os_free(conn);
 		return NULL;
 	}

+	conn->ssl_out = BIO_new(BIO_s_mem());
+	if (!conn->ssl_out) {
+		tls_show_errors(MSG_INFO, __func__,
+				"Failed to create a new BIO for ssl_out");
+		SSL_free(conn->ssl);
+		BIO_free(conn->ssl_in);
+		os_free(conn);
+		return NULL;
+	}
+
+	SSL_set_bio(conn->ssl, conn->ssl_in, conn->ssl_out);
+
 	return conn;
 }

@ -1112,8 +1093,6 @@ void tls_connection_deinit(void *ssl_ctx, struct tls_connection *conn)
 	os_free(conn->altsubject_match);
 	os_free(conn->suffix_match);
 	os_free(conn->session_ticket);
-	if (conn->ssl_ctx)
-		SSL_CTX_free(conn->ssl_ctx);
 	os_free(conn);
 }

@ -3219,44 +3198,6 @@ static int ocsp_status_cb(SSL *s, void *arg)
 #endif /* HAVE_OCSP */


-static int openssl_eap_fast_workaround(
-	struct tls_connection *conn,
-	const struct tls_connection_params *params)
-{
-#if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC)
-	if (!(params->flags & TLS_CONN_EAP_FAST))
-		return 0;
-	if (conn->ssl_ctx)
-		return 0; /* already initialized */
-
-	/*
-	 * The default SSL_CTX with SSLv23_method() does not allow session
-	 * ticket from EAP-FAST to be added into ClientHello, so we have to
-	 * create a separate SSL_CTX instance for EAP-FAST uses.
-	 */
-	wpa_printf(MSG_DEBUG, "OpenSSL: Create new SSL_CTX for EAP-FAST");
-
-	conn->ssl_ctx = SSL_CTX_new(TLSv1_method());
-	if (conn->ssl_ctx == NULL)
-		return -1;
-
-	SSL_CTX_set_info_callback(conn->ssl_ctx, ssl_info_cb);
-#ifdef OPENSSL_SUPPORTS_CTX_APP_DATA
-	SSL_CTX_set_app_data(conn->ssl_ctx, tls_global);
-#endif /* OPENSSL_SUPPORTS_CTX_APP_DATA */
-
-	if (openssl_new_ssl(conn->ssl_ctx, conn) < 0) {
-		SSL_CTX_free(conn->ssl_ctx);
-		conn->ssl_ctx = NULL;
-		return -1;
-	}
-#endif /* EAP_FAST || EAP_FAST_DYNAMIC */
-
-	return 0;
-}
-
-
-
 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 			      const struct tls_connection_params *params)
 {
@ -3266,10 +3207,15 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 	if (conn == NULL)
 		return -1;

-	if (openssl_eap_fast_workaround(conn, params) < 0)
-		return -1;
-	if (conn->ssl_ctx)
-		tls_ctx = conn->ssl_ctx;
+	if (params->flags & TLS_CONN_EAP_FAST) {
+		wpa_printf(MSG_DEBUG,
+			   "OpenSSL: Use TLSv1_method() for EAP-FAST");
+		if (SSL_set_ssl_method(conn->ssl, TLSv1_method()) != 1) {
+			tls_show_errors(MSG_INFO, __func__,
+					"Failed to set TLSv1_method() for EAP-FAST");
+			return -1;
+		}
+	}

 	while ((err = ERR_get_error())) {
 		wpa_printf(MSG_INFO, "%s: Clearing pending SSL error: %s",