diff options
author | Jouni Malinen <j@w1.fi> | 2008-04-15 17:24:06 +0300 |
---|---|---|
committer | Jouni Malinen <j@w1.fi> | 2008-04-15 17:24:06 +0300 |
commit | fe2b7dda0265d81412292cda9d31edb2252482d9 (patch) | |
tree | 2adac8e8901bc2d1a5a6ebbc5c162aec7d311554 /patches | |
parent | d4092763cf386a3590d13240b4dad2162c7a0c2f (diff) | |
download | external_wpa_supplicant_8_ti-fe2b7dda0265d81412292cda9d31edb2252482d9.zip external_wpa_supplicant_8_ti-fe2b7dda0265d81412292cda9d31edb2252482d9.tar.gz external_wpa_supplicant_8_ti-fe2b7dda0265d81412292cda9d31edb2252482d9.tar.bz2 |
Fixed fallback to full handshake when server rejects PAC-Opaque
The TLS client changes in ssl3_get_server_hello() were based on the
pre-RFC 5077 version of OpenSSL and they hardcoded s->hit to 1 in case
PAC-Opaque was used. This prevented fallback to full TLS handshake in case
the server rejected PAC-Opaque in ClientHello. The fixed version simplifies
ssl3_get_server_hello() and uses the new RFC 5077 functionality in OpenSSL
(ssl3_check_finished) to allow the state machine handle start of
abbreviated handshake based on the used ticket.
Diffstat (limited to 'patches')
-rw-r--r-- | patches/openssl-0.9.8g-tls-extensions.patch | 56 |
1 files changed, 20 insertions, 36 deletions
diff --git a/patches/openssl-0.9.8g-tls-extensions.patch b/patches/openssl-0.9.8g-tls-extensions.patch index 507b7d9..8ccbfaa 100644 --- a/patches/openssl-0.9.8g-tls-extensions.patch +++ b/patches/openssl-0.9.8g-tls-extensions.patch @@ -1,4 +1,4 @@ -This patch adds support for TLS SessionTicket extension (RFC 4507) for +This patch adds support for TLS SessionTicket extension (RFC 5077) for the parts used by EAP-FAST (RFC 4851). This is based on the patch from Alexey Kobozev <akobozev@cisco.com> @@ -10,25 +10,14 @@ command line. diff -upr openssl-0.9.8g.orig/ssl/s3_clnt.c openssl-0.9.8g/ssl/s3_clnt.c ---- openssl-0.9.8g.orig/ssl/s3_clnt.c 2007-08-30 17:28:51.000000000 -0700 -+++ openssl-0.9.8g/ssl/s3_clnt.c 2007-11-01 20:08:08.000000000 -0700 -@@ -660,7 +660,7 @@ int ssl3_get_server_hello(SSL *s) - STACK_OF(SSL_CIPHER) *sk; - SSL_CIPHER *c; - unsigned char *p,*d; -- int i,al,ok; -+ int i,al,ok,pre_shared; - unsigned int j; - long n; - #ifndef OPENSSL_NO_COMP -@@ -727,7 +727,26 @@ int ssl3_get_server_hello(SSL *s) +--- openssl-0.9.8g.orig/ssl/s3_clnt.c 2007-08-31 03:28:51.000000000 +0300 ++++ openssl-0.9.8g/ssl/s3_clnt.c 2008-04-15 17:11:46.000000000 +0300 +@@ -727,6 +727,20 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } -- if (j != 0 && j == s->session->session_id_length -+ /* check if we want to resume the session based on external pre-shared secret */ -+ pre_shared = 0; +#ifndef OPENSSL_NO_TLSEXT ++ /* check if we want to resume the session based on external pre-shared secret */ + if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; @@ -36,22 +25,17 @@ diff -upr openssl-0.9.8g.orig/ssl/s3_clnt.c openssl-0.9.8g/ssl/s3_clnt.c + if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, + NULL, &pref_cipher, s->tls_session_secret_cb_arg)) + { -+ s->hit=1; + s->session->cipher=pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s,p+j); -+ s->session->session_id_length = j; -+ memcpy(s->session->session_id, p, j); -+ pre_shared = 1; + } + } +#endif /* OPENSSL_NO_TLSEXT */ + -+ if ((pre_shared || j != 0) && j == s->session->session_id_length + if (j != 0 && j == s->session->session_id_length && memcmp(p,s->session->session_id,j) == 0) { - if(s->sid_ctx_length != s->session->sid_ctx_length diff -upr openssl-0.9.8g.orig/ssl/s3_srvr.c openssl-0.9.8g/ssl/s3_srvr.c ---- openssl-0.9.8g.orig/ssl/s3_srvr.c 2007-09-30 11:55:59.000000000 -0700 -+++ openssl-0.9.8g/ssl/s3_srvr.c 2007-11-02 19:24:20.000000000 -0700 +--- openssl-0.9.8g.orig/ssl/s3_srvr.c 2007-09-30 21:55:59.000000000 +0300 ++++ openssl-0.9.8g/ssl/s3_srvr.c 2008-04-15 17:10:37.000000000 +0300 @@ -928,6 +928,59 @@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; @@ -137,8 +121,8 @@ diff -upr openssl-0.9.8g.orig/ssl/s3_srvr.c openssl-0.9.8g/ssl/s3_srvr.c d=p= &(buf[4]); diff -upr openssl-0.9.8g.orig/ssl/ssl.h openssl-0.9.8g/ssl/ssl.h ---- openssl-0.9.8g.orig/ssl/ssl.h 2007-10-19 00:42:38.000000000 -0700 -+++ openssl-0.9.8g/ssl/ssl.h 2007-11-01 20:08:08.000000000 -0700 +--- openssl-0.9.8g.orig/ssl/ssl.h 2007-10-19 10:42:38.000000000 +0300 ++++ openssl-0.9.8g/ssl/ssl.h 2008-04-15 17:10:37.000000000 +0300 @@ -342,6 +342,7 @@ extern "C" { * 'struct ssl_st *' function parameters used to prototype callbacks * in SSL_CTX. */ @@ -193,8 +177,8 @@ diff -upr openssl-0.9.8g.orig/ssl/ssl.h openssl-0.9.8g/ssl/ssl.h /* Reason codes. */ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 diff -upr openssl-0.9.8g.orig/ssl/ssl_err.c openssl-0.9.8g/ssl/ssl_err.c ---- openssl-0.9.8g.orig/ssl/ssl_err.c 2007-10-11 07:36:59.000000000 -0700 -+++ openssl-0.9.8g/ssl/ssl_err.c 2007-11-01 20:08:08.000000000 -0700 +--- openssl-0.9.8g.orig/ssl/ssl_err.c 2007-10-11 17:36:59.000000000 +0300 ++++ openssl-0.9.8g/ssl/ssl_err.c 2008-04-15 17:10:37.000000000 +0300 @@ -250,6 +250,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"}, {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"}, @@ -204,8 +188,8 @@ diff -upr openssl-0.9.8g.orig/ssl/ssl_err.c openssl-0.9.8g/ssl/ssl_err.c }; diff -upr openssl-0.9.8g.orig/ssl/ssl_sess.c openssl-0.9.8g/ssl/ssl_sess.c ---- openssl-0.9.8g.orig/ssl/ssl_sess.c 2007-10-19 00:36:34.000000000 -0700 -+++ openssl-0.9.8g/ssl/ssl_sess.c 2007-11-01 20:08:08.000000000 -0700 +--- openssl-0.9.8g.orig/ssl/ssl_sess.c 2007-10-19 10:36:34.000000000 +0300 ++++ openssl-0.9.8g/ssl/ssl_sess.c 2008-04-15 17:10:37.000000000 +0300 @@ -704,6 +704,52 @@ long SSL_CTX_get_timeout(const SSL_CTX * return(s->session_timeout); } @@ -260,8 +244,8 @@ diff -upr openssl-0.9.8g.orig/ssl/ssl_sess.c openssl-0.9.8g/ssl/ssl_sess.c { SSL_CTX *ctx; diff -upr openssl-0.9.8g.orig/ssl/t1_lib.c openssl-0.9.8g/ssl/t1_lib.c ---- openssl-0.9.8g.orig/ssl/t1_lib.c 2007-10-19 00:44:10.000000000 -0700 -+++ openssl-0.9.8g/ssl/t1_lib.c 2007-11-01 20:08:08.000000000 -0700 +--- openssl-0.9.8g.orig/ssl/t1_lib.c 2007-10-19 10:44:10.000000000 +0300 ++++ openssl-0.9.8g/ssl/t1_lib.c 2008-04-15 17:10:37.000000000 +0300 @@ -105,6 +105,12 @@ int tls1_new(SSL *s) void tls1_free(SSL *s) @@ -318,8 +302,8 @@ diff -upr openssl-0.9.8g.orig/ssl/t1_lib.c openssl-0.9.8g/ssl/t1_lib.c ret); } diff -upr openssl-0.9.8g.orig/ssl/tls1.h openssl-0.9.8g/ssl/tls1.h ---- openssl-0.9.8g.orig/ssl/tls1.h 2007-08-27 18:12:44.000000000 -0700 -+++ openssl-0.9.8g/ssl/tls1.h 2007-11-01 20:08:08.000000000 -0700 +--- openssl-0.9.8g.orig/ssl/tls1.h 2007-08-28 04:12:44.000000000 +0300 ++++ openssl-0.9.8g/ssl/tls1.h 2008-04-15 17:10:37.000000000 +0300 @@ -365,6 +365,14 @@ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SER #define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/ #endif @@ -336,8 +320,8 @@ diff -upr openssl-0.9.8g.orig/ssl/tls1.h openssl-0.9.8g/ssl/tls1.h } #endif diff -upr openssl-0.9.8g.orig/util/ssleay.num openssl-0.9.8g/util/ssleay.num ---- openssl-0.9.8g.orig/util/ssleay.num 2007-08-12 15:31:16.000000000 -0700 -+++ openssl-0.9.8g/util/ssleay.num 2007-11-01 20:08:08.000000000 -0700 +--- openssl-0.9.8g.orig/util/ssleay.num 2007-08-13 01:31:16.000000000 +0300 ++++ openssl-0.9.8g/util/ssleay.num 2008-04-15 17:10:37.000000000 +0300 @@ -241,3 +241,5 @@ SSL_CTX_sess_get_remove_cb SSL_set_SSL_CTX 290 EXIST::FUNCTION: SSL_get_servername 291 EXIST::FUNCTION:TLSEXT |