freebsd-skq/contrib/wpa_supplicant/openssl-tls-extensions.patch

167 lines
4.9 KiB
Diff

This is a quick hack for testing EAP-FAST with openssl.
Addition of TLS extensions to ClientHello/ServerHello is more or less
ok, though not very clean in the way that the caller needs to take
care of constructing set of all extensions. In addition there is not
mechanism for reading the TLS extensions, i.e., this would not be
enough for EAP-FAST authenticator.
Rest of the changes are obviously ugly and/or incorrect for most
parts, but it demonstrates the minimum set of changes to skip some of
the error cases that prevented completion of TLS handshake without
certificates. In other words, this is just a proof-of-concept type of
example to make it possible to experiment with EAP-FAST. Cleaner patch
for the needed functionality would be welcome..
diff -upr openssl-0.9.7e.orig/include/openssl/ssl.h openssl-0.9.7e/include/openssl/ssl.h
--- openssl-0.9.7e.orig/include/openssl/ssl.h 2004-07-27 11:28:49.000000000 -0700
+++ openssl-0.9.7e/include/openssl/ssl.h 2004-12-24 20:29:01.000000000 -0800
@@ -929,6 +929,11 @@ struct ssl_st
int first_packet;
int client_version; /* what was passed, used for
* SSLv3/TLS rollback check */
+
+ /* Optional ClientHello/ServerHello extension to be added to the end
+ * of the SSLv3/TLS hello message. */
+ char *hello_extension;
+ int hello_extension_len;
};
#ifdef __cplusplus
diff -upr openssl-0.9.7e.orig/ssl/s3_both.c openssl-0.9.7e/ssl/s3_both.c
--- openssl-0.9.7e.orig/ssl/s3_both.c 2003-02-12 09:05:17.000000000 -0800
+++ openssl-0.9.7e/ssl/s3_both.c 2004-12-31 21:18:15.556846272 -0800
@@ -199,6 +199,12 @@ int ssl3_get_finished(SSL *s, int a, int
64, /* should actually be 36+4 :-) */
&ok);
+ if (!ok && s->hello_extension)
+ {
+ /* Quick hack to test EAP-FAST. */
+ return(1);
+ }
+
if (!ok) return((int)n);
/* If this occurs, we have missed a message */
diff -upr openssl-0.9.7e.orig/ssl/s3_clnt.c openssl-0.9.7e/ssl/s3_clnt.c
--- openssl-0.9.7e.orig/ssl/s3_clnt.c 2004-05-15 09:39:22.000000000 -0700
+++ openssl-0.9.7e/ssl/s3_clnt.c 2004-12-31 21:16:38.617583280 -0800
@@ -588,6 +588,12 @@ static int ssl3_client_hello(SSL *s)
*(p++)=comp->id;
}
*(p++)=0; /* Add the NULL method */
+
+ if (s->hello_extension)
+ {
+ memcpy(p,s->hello_extension,s->hello_extension_len);
+ p+=s->hello_extension_len;
+ }
l=(p-d);
d=buf;
@@ -779,6 +785,11 @@ static int ssl3_get_server_certificate(S
if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
{
+ if (s->hello_extension)
+ {
+ /* Quick hack to test EAP-FAST. */
+ return(1);
+ }
al=SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
goto f_err;
@@ -951,6 +962,12 @@ static int ssl3_get_key_exchange(SSL *s)
DH *dh=NULL;
#endif
+ if (s->hello_extension)
+ {
+ /* Quick hack to test EAP-FAST. */
+ return(1);
+ }
+
/* use same message size as in ssl3_get_certificate_request()
* as ServerKeyExchange message may be skipped */
n=ssl3_get_message(s,
@@ -1264,6 +1281,12 @@ static int ssl3_get_certificate_request(
unsigned char *p,*d,*q;
STACK_OF(X509_NAME) *ca_sk=NULL;
+ if (s->hello_extension)
+ {
+ /* Quick hack to test EAP-FAST. */
+ return(1);
+ }
+
n=ssl3_get_message(s,
SSL3_ST_CR_CERT_REQ_A,
SSL3_ST_CR_CERT_REQ_B,
@@ -1407,6 +1430,12 @@ static int ssl3_get_server_done(SSL *s)
int ok,ret=0;
long n;
+ if (s->hello_extension)
+ {
+ /* Quick hack to test EAP-FAST. */
+ return(1);
+ }
+
n=ssl3_get_message(s,
SSL3_ST_CR_SRVR_DONE_A,
SSL3_ST_CR_SRVR_DONE_B,
@@ -1439,6 +1468,12 @@ static int ssl3_send_client_key_exchange
KSSL_ERR kssl_err;
#endif /* OPENSSL_NO_KRB5 */
+ if (s->hello_extension)
+ {
+ /* Quick hack to test EAP-FAST. */
+ return(1);
+ }
+
if (s->state == SSL3_ST_CW_KEY_EXCH_A)
{
d=(unsigned char *)s->init_buf->data;
@@ -1880,6 +1915,12 @@ static int ssl3_check_cert_and_algorithm
DH *dh;
#endif
+ if (s->hello_extension)
+ {
+ /* Quick hack to test EAP-FAST. */
+ return(1);
+ }
+
sc=s->session->sess_cert;
if (sc == NULL)
diff -upr openssl-0.9.7e.orig/ssl/ssl.h openssl-0.9.7e/ssl/ssl.h
--- openssl-0.9.7e.orig/ssl/ssl.h 2004-07-27 11:28:49.000000000 -0700
+++ openssl-0.9.7e/ssl/ssl.h 2004-12-24 20:29:01.000000000 -0800
@@ -929,6 +929,11 @@ struct ssl_st
int first_packet;
int client_version; /* what was passed, used for
* SSLv3/TLS rollback check */
+
+ /* Optional ClientHello/ServerHello extension to be added to the end
+ * of the SSLv3/TLS hello message. */
+ char *hello_extension;
+ int hello_extension_len;
};
#ifdef __cplusplus
diff -upr openssl-0.9.7e.orig/ssl/ssl_lib.c openssl-0.9.7e/ssl/ssl_lib.c
--- openssl-0.9.7e.orig/ssl/ssl_lib.c 2004-05-11 05:46:12.000000000 -0700
+++ openssl-0.9.7e/ssl/ssl_lib.c 2004-12-24 20:35:22.000000000 -0800
@@ -478,6 +478,7 @@ void SSL_free(SSL *s)
kssl_ctx_free(s->kssl_ctx);
#endif /* OPENSSL_NO_KRB5 */
+ OPENSSL_free(s->hello_extension);
OPENSSL_free(s);
}