This commit was generated by cvs2svn to compensate for changes in r147013,
1 This is a quick hack for testing EAP-FAST with openssl.
2
3 Addition of TLS extensions to ClientHello/ServerHello is more or less
4 ok, though not very clean in the way that the caller needs to take
5 care of constructing the set of all extensions. In addition there is no
6 mechanism for reading the TLS extensions, i.e., this would not be
7 enough for EAP-FAST authenticator.
8
9 Rest of the changes are obviously ugly and/or incorrect for most
10 parts, but it demonstrates the minimum set of changes to skip some of
11 the error cases that prevented completion of TLS handshake without
12 certificates. In other words, this is just a proof-of-concept type of
13 example to make it possible to experiment with EAP-FAST. Cleaner patch
14 for the needed functionality would be welcome..
15
16
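--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -929,6 +929,11 @@ struct ssl_st
        int first_packet;
        int client_version;     /* what was passed, used for
                                 * SSLv3/TLS rollback check */
+
+       /* Optional ClientHello/ServerHello extension to be added to the end
+        * of the SSLv3/TLS hello message. */
+       char *hello_extension;
+       int hello_extension_len;
        };
 
 #ifdef __cplusplus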
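Review bot: The new `hello_extension` field holds an opaque, pre-encoded byte block whose length is a signed `int`, and its comment says neither what the bytes must contain nor who owns them; the ssl_lib.c hunk releases the buffer with `OPENSSL_free()` in SSL_free, so whoever sets the field must allocate it with `OPENSSL_malloc()` and give up ownership. Suggest replacing the comment with `/* Raw bytes appended verbatim after the compression methods of the ClientHello/ServerHello; the caller supplies the complete extensions block including its length prefix, which this code does not add. Owned by the SSL and released by SSL_free(). */` and declaring the pair as `unsigned char *` / `size_t` rather than `char *` / `int`. The identical field definition in the ssl/ssl.h hunk below needs the same treatment.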
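--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -199,6 +199,12 @@ int ssl3_get_finished(SSL *s, int a, int
                64, /* should actually be 36+4 :-) */
                &ok);
 
+       if (!ok && s->hello_extension)
+               {
+               /* Quick hack to test EAP-FAST. */
+               return(1);
+       }
+
        if (!ok) return((int)n);
 
        /* If this occurs, we have missed a message */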
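Review bot: The added guard in ssl3_get_finished returns success precisely when `ok` is false, i.e. when no Finished message was obtained, so on this path the peer's Finished verify_data is never compared and the handshake completes without the integrity check that Finished exists to provide. The trigger is merely a non-NULL `hello_extension`, so every connection that set an extension takes this branch, including, presumably, a non-blocking retry from ssl3_get_message() that should have been returned to the caller rather than reported as completion. At minimum the early return needs a comment stating what is being skipped, e.g. `/* EAP-FAST test hack: no Finished was read, so the peer's verify_data is NOT checked on this path. */`, and the condition should test a dedicated flag rather than the extension pointer. The function continues outside the hunk.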
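--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -588,6 +588,12 @@ static int ssl3_client_hello(SSL *s)
                        *(p++)=comp->id;
                        }
                *(p++)=0; /* Add the NULL method */
+
+               if (s->hello_extension)
+                       {
+                       memcpy(p,s->hello_extension,s->hello_extension_len);
+                       p+=s->hello_extension_len;
+                       }
                
                l=(p-d);
                d=buf;
@@ -779,6 +785,11 @@ static int ssl3_get_server_certificate(S
 
        if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
                {
+               if (s->hello_extension)
+                       {
+                       /* Quick hack to test EAP-FAST. */
+                       return(1);
+                       }
                al=SSL_AD_UNEXPECTED_MESSAGE;
                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
                goto f_err;
@@ -951,6 +962,12 @@ static int ssl3_get_key_exchange(SSL *s)
        DH *dh=NULL;
 #endif
 
+       if (s->hello_extension)
+               {
+               /* Quick hack to test EAP-FAST. */
+               return(1);
+               }
+
        /* use same message size as in ssl3_get_certificate_request()
         * as ServerKeyExchange message may be skipped */
        n=ssl3_get_message(s,
@@ -1264,6 +1281,12 @@ static int ssl3_get_certificate_request(
        unsigned char *p,*d,*q;
        STACK_OF(X509_NAME) *ca_sk=NULL;
 
+       if (s->hello_extension)
+               {
+               /* Quick hack to test EAP-FAST. */
+               return(1);
+               }
+
        n=ssl3_get_message(s,
                SSL3_ST_CR_CERT_REQ_A,
                SSL3_ST_CR_CERT_REQ_B,
@@ -1407,6 +1430,12 @@ static int ssl3_get_server_done(SSL *s)
        int ok,ret=0;
        long n;
 
+       if (s->hello_extension)
+               {
+               /* Quick hack to test EAP-FAST. */
+               return(1);
+               }
+
        n=ssl3_get_message(s,
                SSL3_ST_CR_SRVR_DONE_A,
                SSL3_ST_CR_SRVR_DONE_B,
@@ -1439,6 +1468,12 @@ static int ssl3_send_client_key_exchange
         KSSL_ERR kssl_err;
 #endif /* OPENSSL_NO_KRB5 */
 
+       if (s->hello_extension)
+               {
+               /* Quick hack to test EAP-FAST. */
+               return(1);
+               }
+
        if (s->state == SSL3_ST_CW_KEY_EXCH_A)
                {
                d=(unsigned char *)s->init_buf->data;
@@ -1880,6 +1915,12 @@ static int ssl3_check_cert_and_algorithm
        DH *dh;
 #endif
 
+       if (s->hello_extension)
+               {
+               /* Quick hack to test EAP-FAST. */
+               return(1);
+               }
+
        sc=s->session->sess_cert;
 
        if (sc == NULL)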
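Review bot: In the ssl3_client_hello hunk the `memcpy` copies `hello_extension_len` bytes into `p` without checking that they fit in the buffer `p` is writing into, and `hello_extension_len` is a signed `int` that is not rejected when negative before it is converted to `size_t` for the copy; the capacity of that buffer is not visible in the hunk, but a bound against it should precede the copy, e.g. `if (s->hello_extension_len < 0 || <remaining-space placeholder> < (size_t)s->hello_extension_len) goto err;` with the real remaining-space expression and the function's error exit. The remaining six hunks in this file each turn a non-NULL `hello_extension` into an unconditional `return(1)` that skips Certificate, ServerKeyExchange, CertificateRequest, ServerHelloDone, ClientKeyExchange and cert/algorithm checking, so the extension pointer doubles as a "skip server authentication" switch; that should be a separately named flag, and each early return should state what it skips instead of the generic `/* Quick hack to test EAP-FAST. */`. All of the enclosing functions start and end outside their hunks.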
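--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -929,6 +929,11 @@ struct ssl_st
        int first_packet;
        int client_version;     /* what was passed, used for
                                 * SSLv3/TLS rollback check */
+
+       /* Optional ClientHello/ServerHello extension to be added to the end
+        * of the SSLv3/TLS hello message. */
+       char *hello_extension;
+       int hello_extension_len;
        };
 
 #ifdef __cplusplus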
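--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -478,6 +478,7 @@ void SSL_free(SSL *s)
                kssl_ctx_free(s->kssl_ctx);
 #endif /* OPENSSL_NO_KRB5 */
 
+       OPENSSL_free(s->hello_extension);
        OPENSSL_free(s);
        }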
166