OpenSSL: Remove support for the old EAP-FAST interface

Commit f5fa824e9a ('Update OpenSSL 0.9.8
patch for EAP-FAST support') changed the OpenSSL 0.9.8 patch to support
the new API that was introduced in OpenSSL 1.0.0 for EAP-FAST. As such,
there should be no valid users of the old API anymore and tls_openssl.c
can be cleaned up to use only the new API.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-12-09 12:05:03 +02:00
parent f68e86a4d6
commit c25addb156

View file

@ -45,14 +45,6 @@
#define ERR_remove_thread_state(tid) ERR_remove_state(0) #define ERR_remove_thread_state(tid) ERR_remove_state(0)
#endif #endif
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
/*
* Session ticket override patch was merged into OpenSSL 0.9.9 tree on
* 2008-11-15. This version uses a bit different API compared to the old patch.
*/
#define CONFIG_OPENSSL_TICKET_OVERRIDE
#endif
#if defined(OPENSSL_IS_BORINGSSL) #if defined(OPENSSL_IS_BORINGSSL)
/* stack_index_t is the return type of OpenSSL's sk_XXX_num() functions. */ /* stack_index_t is the return type of OpenSSL's sk_XXX_num() functions. */
typedef size_t stack_index_t; typedef size_t stack_index_t;
@ -2923,15 +2915,9 @@ int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
if (conn == NULL || conn->ssl == NULL || ext_type != 35) if (conn == NULL || conn->ssl == NULL || ext_type != 35)
return -1; return -1;
#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
if (SSL_set_session_ticket_ext(conn->ssl, (void *) data, if (SSL_set_session_ticket_ext(conn->ssl, (void *) data,
data_len) != 1) data_len) != 1)
return -1; return -1;
#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
if (SSL_set_hello_extension(conn->ssl, ext_type, (void *) data,
data_len) != 1)
return -1;
#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
return 0; return 0;
} }
@ -3464,7 +3450,6 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
} }
#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data, static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data,
int len, void *arg) int len, void *arg)
{ {
@ -3490,62 +3475,6 @@ static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data,
return 1; return 1;
} }
#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
#ifdef SSL_OP_NO_TICKET
static void tls_hello_ext_cb(SSL *s, int client_server, int type,
unsigned char *data, int len, void *arg)
{
struct tls_connection *conn = arg;
if (conn == NULL || conn->session_ticket_cb == NULL)
return;
wpa_printf(MSG_DEBUG, "OpenSSL: %s: type=%d length=%d", __func__,
type, len);
if (type == TLSEXT_TYPE_session_ticket && !client_server) {
os_free(conn->session_ticket);
conn->session_ticket = NULL;
wpa_hexdump(MSG_DEBUG, "OpenSSL: ClientHello SessionTicket "
"extension", data, len);
conn->session_ticket = os_malloc(len);
if (conn->session_ticket == NULL)
return;
os_memcpy(conn->session_ticket, data, len);
conn->session_ticket_len = len;
}
}
#else /* SSL_OP_NO_TICKET */
static int tls_hello_ext_cb(SSL *s, TLS_EXTENSION *ext, void *arg)
{
struct tls_connection *conn = arg;
if (conn == NULL || conn->session_ticket_cb == NULL)
return 0;
wpa_printf(MSG_DEBUG, "OpenSSL: %s: type=%d length=%d", __func__,
ext->type, ext->length);
os_free(conn->session_ticket);
conn->session_ticket = NULL;
if (ext->type == 35) {
wpa_hexdump(MSG_DEBUG, "OpenSSL: ClientHello SessionTicket "
"extension", ext->data, ext->length);
conn->session_ticket = os_malloc(ext->length);
if (conn->session_ticket == NULL)
return SSL_AD_INTERNAL_ERROR;
os_memcpy(conn->session_ticket, ext->data, ext->length);
conn->session_ticket_len = ext->length;
}
return 0;
}
#endif /* SSL_OP_NO_TICKET */
#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
#endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */ #endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
@ -3562,33 +3491,12 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb, if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
conn) != 1) conn) != 1)
return -1; return -1;
#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
SSL_set_session_ticket_ext_cb(conn->ssl, SSL_set_session_ticket_ext_cb(conn->ssl,
tls_session_ticket_ext_cb, conn); tls_session_ticket_ext_cb, conn);
#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
#ifdef SSL_OP_NO_TICKET
SSL_set_tlsext_debug_callback(conn->ssl, tls_hello_ext_cb);
SSL_set_tlsext_debug_arg(conn->ssl, conn);
#else /* SSL_OP_NO_TICKET */
if (SSL_set_hello_extension_cb(conn->ssl, tls_hello_ext_cb,
conn) != 1)
return -1;
#endif /* SSL_OP_NO_TICKET */
#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
} else { } else {
if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1) if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
return -1; return -1;
#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL); SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL);
#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
#ifdef SSL_OP_NO_TICKET
SSL_set_tlsext_debug_callback(conn->ssl, NULL);
SSL_set_tlsext_debug_arg(conn->ssl, conn);
#else /* SSL_OP_NO_TICKET */
if (SSL_set_hello_extension_cb(conn->ssl, NULL, NULL) != 1)
return -1;
#endif /* SSL_OP_NO_TICKET */
#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
} }
return 0; return 0;