Commit graph

14 commits

Author SHA1 Message Date
Jouni Malinen
471debb0b3 Fix OpenSSL 0.9.8za patch for EAP-FAST support
OpenSSL 0.9.8za added a fix for CVE-2014-0224 and the original fix broke
EAP-FAST support due to forgotten SSL3_FLAGS_CCS_OK marking for
tls_session_secret_cb. Fix for this regression was added into OpenSSL
1.x and newer. The same fix is needed in this backport patch for
0.9.8za.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 16:57:05 +02:00
Jouni Malinen
f5fa824e9a Update OpenSSL 0.9.8 patch for EAP-FAST support
The 0.9.9 branch was for development purposes only, so no one should be
using that in production and there is not much point in maintaining the
obsolete patch here either. Similarly, the old 0.9.8 versions are
obsolete at this point in time and taken into account the recent OpenSSL
vulnerabilities, anything older than 0.9.8za should not really be used.

Prepare an updated version of the TLS session ticket patch based on the
current OpenSSL 0.9.8za release and remove all the older TLS extension
patches.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-05 20:43:00 +03:00
Jouni Malinen
df6901dd1a Add OpenSSL 0.9.8x patch for EAP-FAST
The older patch for 0.9.8i does not apply cleanly, so add an updated
version that can be used with the current OpenSSL 0.9.8 release.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-07-07 11:01:02 +03:00
Jouni Malinen
31a4c88580 Updated OpenSSL 0.9.8i patch to use new session ticket override API
The patch for 0.9.9 was merged into the upstream OpenSSL 0.9.9 tree and
is not needed for EAP-FAST support with that OpenSSL version. The patch
for 0.9.8i is now using the same API that was included in 0.9.9.
2008-11-23 21:18:26 +02:00
Jouni Malinen
1b554eb0d7 Modified the OpenSSL patch to use session ticket -specific function
This is the first step in replacing SSL_set_hello_extension() with a new
SSL_set_session_ticket_ext() function that can only be used to override the
session ticket extension, not any arbitrary TLS extension.

SSL_set_hello_extension() is still present as a simple wrapper in this
version to avoid changing the API and to make testing with wpa_supplicant
and hostapd easier. It can be eventually removed when the patch is going in
into OpenSSL distribution.
2008-11-12 06:15:27 +02:00
Jouni Malinen
d13c05cafb Updated indentation in the patch to match style used elsewhere in OpenSSL 2008-11-12 05:06:03 +02:00
Jouni Malinen
1a647aaa69 Update the OpenSSL EAP-FAST patch for current snapshot (20080928)
This reverts the addition of ssl3_digest_cached_records() call from the
previous update (3d1aa251a3) since OpenSSL
has apparently reverted some earlier changes that broke EAP-FAST.
2008-09-28 18:06:12 +03:00
Jouni Malinen
8fbcd59930 Added OpenSSL 0.9.8i patch for EAP-FAST 2008-09-28 17:09:22 +03:00
Jouni Malinen
3d1aa251a3 Updated the OpenSSL EAP-FAST patch for the current OpenSSL 0.9.9 snapshot
sssleay.num had changed (new function allocated) and server code was
modified to call ssl3_digest_cached_records() in the start of abbreviated
handshake to avoid possible segmentation faults later in some cases when
reverting to full handshake. In addition, there is some whitespace cleanup
and added comment explaining TLS ticket processing.
2008-08-24 13:12:54 +03:00
Jouni Malinen
8816045743 Updated the EAP-FAST patch for the latest OpenSSL 0.9.9 snapshot 2008-05-29 11:00:33 +03:00
Jouni Malinen
2298ca6410 Added the EAP-FAST patch for OpenSSL 0.9.8h 2008-05-29 10:47:03 +03:00
Jouni Malinen
fe2b7dda02 Fixed fallback to full handshake when server rejects PAC-Opaque
The TLS client changes in ssl3_get_server_hello() were based on the
pre-RFC 5077 version of OpenSSL and they hardcoded s->hit to 1 in case
PAC-Opaque was used. This prevented fallback to full TLS handshake in case
the server rejected PAC-Opaque in ClientHello. The fixed version simplifies
ssl3_get_server_hello() and uses the new RFC 5077 functionality in OpenSSL
(ssl3_check_finished) to allow the state machine handle start of
abbreviated handshake based on the used ticket.
2008-04-15 17:24:06 +03:00
Jouni Malinen
d4092763cf Fixed fallback to full handshake when server rejects PAC-Opaque
The TLS client changes in ssl3_get_server_hello() were based on the
pre-RFC 5077 version of OpenSSL and they hardcoded s->hit to 1 in case
PAC-Opaque was used. This prevented fallback to full TLS handshake in case
the server rejected PAC-Opaque in ClientHello. The fixed version simplifies
ssl3_get_server_hello() and uses the new RFC 5077 functionality in OpenSSL
(ssl3_check_finished) to allow the state machine handle start of
abbreviated handshake based on the used ticket.
2008-04-15 17:08:15 +03:00
Jouni Malinen
6fc6879bd5 Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-27 17:34:43 -08:00