OpenSSL 0.9.9 API change for EAP-FAST session ticket overriding API
Updated OpenSSL code for EAP-FAST to use an updated version of the session ticket overriding API that was included into the upstream OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is needed with that version anymore).
This commit is contained in:
parent
1e8b9d2889
commit
0cf03892a4
3 changed files with 63 additions and 2 deletions
|
@ -4,6 +4,10 @@ ChangeLog for hostapd
|
|||
* added a new configuration option, wpa_ptk_rekey, that can be used to
|
||||
enforce frequent PTK rekeying, e.g., to mitigate some attacks against
|
||||
TKIP deficiencies
|
||||
* updated OpenSSL code for EAP-FAST to use an updated version of the
|
||||
session ticket overriding API that was included into the upstream
|
||||
OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
|
||||
needed with that version anymore)
|
||||
|
||||
2008-11-01 - v0.6.5
|
||||
* added support for SHA-256 as X.509 certificate digest when using the
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* WPA Supplicant / SSL/TLS interface functions for openssl
|
||||
* Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
|
||||
* Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
|
@ -37,6 +37,16 @@
|
|||
#define OPENSSL_d2i_TYPE unsigned char **
|
||||
#endif
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x00909000L
|
||||
#ifdef SSL_OP_NO_TICKET
|
||||
/*
|
||||
* Session ticket override patch was merged into OpenSSL 0.9.9 tree on
|
||||
* 2008-11-15. This version uses a bit different API compared to the old patch.
|
||||
*/
|
||||
#define CONFIG_OPENSSL_TICKET_OVERRIDE
|
||||
#endif
|
||||
#endif
|
||||
|
||||
static int tls_openssl_ref_count = 0;
|
||||
|
||||
struct tls_connection {
|
||||
|
@ -2333,12 +2343,18 @@ int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
|
|||
int ext_type, const u8 *data,
|
||||
size_t data_len)
|
||||
{
|
||||
if (conn == NULL || conn->ssl == NULL)
|
||||
if (conn == NULL || conn->ssl == NULL || ext_type != 35)
|
||||
return -1;
|
||||
|
||||
#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
|
||||
if (SSL_set_session_ticket_ext(conn->ssl, (void *) data,
|
||||
data_len) != 1)
|
||||
return -1;
|
||||
#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
|
||||
if (SSL_set_hello_extension(conn->ssl, ext_type, (void *) data,
|
||||
data_len) != 1)
|
||||
return -1;
|
||||
#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -2564,6 +2580,33 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
|
|||
}
|
||||
|
||||
|
||||
#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
|
||||
static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data,
|
||||
int len, void *arg)
|
||||
{
|
||||
struct tls_connection *conn = arg;
|
||||
|
||||
if (conn == NULL || conn->session_ticket_cb == NULL)
|
||||
return 0;
|
||||
|
||||
wpa_printf(MSG_DEBUG, "OpenSSL: %s: length=%d", __func__, len);
|
||||
|
||||
os_free(conn->session_ticket);
|
||||
conn->session_ticket = NULL;
|
||||
|
||||
wpa_hexdump(MSG_DEBUG, "OpenSSL: ClientHello SessionTicket "
|
||||
"extension", data, len);
|
||||
|
||||
conn->session_ticket = os_malloc(len);
|
||||
if (conn->session_ticket == NULL)
|
||||
return 0;
|
||||
|
||||
os_memcpy(conn->session_ticket, data, len);
|
||||
conn->session_ticket_len = len;
|
||||
|
||||
return 1;
|
||||
}
|
||||
#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
|
||||
#ifdef SSL_OP_NO_TICKET
|
||||
static void tls_hello_ext_cb(SSL *s, int client_server, int type,
|
||||
unsigned char *data, int len, void *arg)
|
||||
|
@ -2618,6 +2661,7 @@ static int tls_hello_ext_cb(SSL *s, TLS_EXTENSION *ext, void *arg)
|
|||
return 0;
|
||||
}
|
||||
#endif /* SSL_OP_NO_TICKET */
|
||||
#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
|
||||
#endif /* EAP_FAST || EAP_FAST_DYNAMIC */
|
||||
|
||||
|
||||
|
@ -2634,6 +2678,10 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
|
|||
if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
|
||||
conn) != 1)
|
||||
return -1;
|
||||
#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
|
||||
SSL_set_session_ticket_ext_cb(conn->ssl,
|
||||
tls_session_ticket_ext_cb, conn);
|
||||
#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
|
||||
#ifdef SSL_OP_NO_TICKET
|
||||
SSL_set_tlsext_debug_callback(conn->ssl, tls_hello_ext_cb);
|
||||
SSL_set_tlsext_debug_arg(conn->ssl, conn);
|
||||
|
@ -2642,9 +2690,13 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
|
|||
conn) != 1)
|
||||
return -1;
|
||||
#endif /* SSL_OP_NO_TICKET */
|
||||
#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
|
||||
} else {
|
||||
if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
|
||||
return -1;
|
||||
#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
|
||||
SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL);
|
||||
#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
|
||||
#ifdef SSL_OP_NO_TICKET
|
||||
SSL_set_tlsext_debug_callback(conn->ssl, NULL);
|
||||
SSL_set_tlsext_debug_arg(conn->ssl, conn);
|
||||
|
@ -2652,6 +2704,7 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
|
|||
if (SSL_set_hello_extension_cb(conn->ssl, NULL, NULL) != 1)
|
||||
return -1;
|
||||
#endif /* SSL_OP_NO_TICKET */
|
||||
#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
|
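Review bot: The new guard in tls_connection_client_hello_ext compares `ext_type` against the bare literal 35; that value is the TLS SessionTicket extension type from RFC 5077 and should be named or at least commented so the next reader does not have to know it, e.g. `/* 35 = SessionTicket extension type (RFC 5077) */` on the `if` line. In the same hunk `data_len` is a size_t but SSL_set_session_ticket_ext takes its length as an int, so the call silently narrows; an explicit `if (data_len > INT_MAX) return -1;` before the #ifdef would turn that into a rejection. The function's signature starts outside the hunk. The callback added further down, tls_session_ticket_ext_cb, likewise takes `int len` from OpenSSL and passes it straight to os_malloc and into conn->session_ticket_len; a `if (len < 0) return 0;` guard there would be cheap, although whether OpenSSL can ever deliver a negative length cannot be told from this page.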
|
@ -14,6 +14,10 @@ ChangeLog for wpa_supplicant
|
|||
CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config
|
||||
* fixed EAP-AKA to use RES Length field in AT_RES as length in bits,
|
||||
not bytes
|
||||
* updated OpenSSL code for EAP-FAST to use an updated version of the
|
||||
session ticket overriding API that was included into the upstream
|
||||
OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
|
||||
needed with that version anymore)
|
||||
|
||||
2008-11-01 - v0.6.5
|
||||
* added support for SHA-256 as X.509 certificate digest when using the
|
||||
|
|