1 This is a quick hack for testing EAP-FAST with openssl.
3 Addition of TLS extensions to ClientHello/ServerHello is more or less
4 ok, though not very clean in the way that the caller needs to take
5 care of constructing the set of all extensions. In addition, there is no
6 mechanism for reading the TLS extensions, i.e., this would not be
7 enough for an EAP-FAST authenticator.
9 Rest of the changes are obviously ugly and/or incorrect for most
10 parts, but it demonstrates the minimum set of changes to skip some of
11 the error cases that prevented completion of TLS handshake without
12 certificates. In other words, this is just a proof-of-concept type of
13 example to make it possible to experiment with EAP-FAST. Cleaner patch
14 for the needed functionality would be welcome..
17 diff -upr openssl-0.9.7e.orig/include/openssl/ssl.h openssl-0.9.7e/include/openssl/ssl.h
18 --- openssl-0.9.7e.orig/include/openssl/ssl.h 2004-07-27 11:28:49.000000000 -0700
19 +++ openssl-0.9.7e/include/openssl/ssl.h 2004-12-24 20:29:01.000000000 -0800
20 @@ -929,6 +929,11 @@ struct ssl_st
22 int client_version; /* what was passed, used for
23 * SSLv3/TLS rollback check */
25 + /* Optional ClientHello/ServerHello extension to be added to the end
26 + * of the SSLv3/TLS hello message. */
27 + char *hello_extension;
28 + int hello_extension_len;
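Review bot: `hello_extension` and `hello_extension_len` are added to `struct ssl_st` without saying what the buffer holds or who owns it, although the preamble says the caller has to build the whole extensions block itself and the ssl_lib.c hunk below releases it with `OPENSSL_free()`. I would extend the comment to `/* Pre-encoded TLS extensions block appended verbatim to the ClientHello/ServerHello. The caller supplies the complete block (including its 2-byte total length) and must allocate it with OPENSSL_malloc(), since SSL_free() releases it with OPENSSL_free(). */`. The length is a signed `int` that is later passed straight to `memcpy`; making it `size_t`, or checking it is non-negative where it is consumed, removes the negative-length case. Lines 21, 24 and 29–31 of this hunk are not visible here, and the identical hunk appears again below for ssl/ssl.h — if include/openssl/ssl.h is a symlink to ssl/ssl.h (which would explain why `diff -r` emitted it twice), `patch` will try to apply the same change twice.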
32 diff -upr openssl-0.9.7e.orig/ssl/s3_both.c openssl-0.9.7e/ssl/s3_both.c
33 --- openssl-0.9.7e.orig/ssl/s3_both.c 2003-02-12 09:05:17.000000000 -0800
34 +++ openssl-0.9.7e/ssl/s3_both.c 2004-12-31 21:18:15.556846272 -0800
35 @@ -199,6 +199,12 @@ int ssl3_get_finished(SSL *s, int a, int
36 64, /* should actually be 36+4 :-) */
39 + if (!ok && s->hello_extension)
41 + /* Quick hack to test EAP-FAST. */
45 if (!ok) return((int)n);
47 /* If this occurs, we have missed a message */
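Review bot: The guard `if (!ok && s->hello_extension)` at the top of ssl3_get_finished keys the relaxed handling on the mere presence of a client-side extension buffer, not on anything the peer actually negotiated, so every connection that set any extension gets it. Lines 40 and 42–44, which say what happens inside the guard, are not visible here; if they let the function continue past a failed `ssl3_get_message()` or return success, the Finished verification is bypassed and the handshake can complete without authenticating the peer. I would gate this on an explicit per-connection flag that is set only once the EAP-FAST path has really been selected, and replace the `/* Quick hack to test EAP-FAST. */` comment with one that names the specific `ssl3_get_message()` failure being tolerated and why it is safe here. ssl3_get_finished's body starts outside the hunk.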
48 diff -upr openssl-0.9.7e.orig/ssl/s3_clnt.c openssl-0.9.7e/ssl/s3_clnt.c
49 --- openssl-0.9.7e.orig/ssl/s3_clnt.c 2004-05-15 09:39:22.000000000 -0700
50 +++ openssl-0.9.7e/ssl/s3_clnt.c 2004-12-31 21:16:38.617583280 -0800
51 @@ -588,6 +588,12 @@ static int ssl3_client_hello(SSL *s)
54 *(p++)=0; /* Add the NULL method */
56 + if (s->hello_extension)
58 + memcpy(p,s->hello_extension,s->hello_extension_len);
59 + p+=s->hello_extension_len;
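Review bot: `memcpy(p,s->hello_extension,s->hello_extension_len)` in ssl3_client_hello copies a caller-supplied length into the ClientHello buffer with no bound; `p` already sits past the cipher suites and the compression method, so a large value — or a negative one, since the length is an `int` and converts to a huge `size_t` — writes past the end of `s->init_buf`. Add a check before the copy against the space that remains, e.g. `if (s->hello_extension_len < 0 || s->hello_extension_len > remaining) goto err;` where `remaining` is the capacity of `s->init_buf` minus the offset of `p` from `s->init_buf->data` (the exact names depend on the part of the function outside this hunk). The closing brace and whatever else is in lines 57 and 60–63 are not visible, and ssl3_client_hello's body extends outside the hunk on both sides. Note also that the bytes are copied verbatim, so the caller must already have prefixed the 2-byte extensions length that the ClientHello syntax requires, as the preamble says.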
64 @@ -779,6 +785,11 @@ static int ssl3_get_server_certificate(S
66 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
68 + if (s->hello_extension)
70 + /* Quick hack to test EAP-FAST. */
73 al=SSL_AD_UNEXPECTED_MESSAGE;
74 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
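Review bot: Skipping the `SSL3_MT_CERTIFICATE` message-type check in ssl3_get_server_certificate whenever `s->hello_extension` is set removes server authentication for every connection that carries an extension, not only for an EAP-FAST anonymous provisioning exchange. The body of the hack (lines 69 and 71–72) is not visible; if it returns success, nothing here records a peer certificate and later code that assumes one was received has to cope with that. I would tie the skip to the negotiated cipher suite (an anonymous suite in which no Certificate message is expected) rather than to the extension pointer, and say so in the comment: `/* EAP-FAST provisioning: with an anonymous suite the server sends no Certificate; do not treat its absence as a protocol error. */`. ssl3_get_server_certificate's body starts and ends outside the hunk.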
76 @@ -951,6 +962,12 @@ static int ssl3_get_key_exchange(SSL *s)
80 + if (s->hello_extension)
82 + /* Quick hack to test EAP-FAST. */
86 /* use same message size as in ssl3_get_certificate_request()
87 * as ServerKeyExchange message may be skipped */
89 @@ -1264,6 +1281,12 @@ static int ssl3_get_certificate_request(
90 unsigned char *p,*d,*q;
91 STACK_OF(X509_NAME) *ca_sk=NULL;
93 + if (s->hello_extension)
95 + /* Quick hack to test EAP-FAST. */
100 SSL3_ST_CR_CERT_REQ_A,
101 SSL3_ST_CR_CERT_REQ_B,
102 @@ -1407,6 +1430,12 @@ static int ssl3_get_server_done(SSL *s)
106 + if (s->hello_extension)
108 + /* Quick hack to test EAP-FAST. */
112 n=ssl3_get_message(s,
113 SSL3_ST_CR_SRVR_DONE_A,
114 SSL3_ST_CR_SRVR_DONE_B,
115 @@ -1439,6 +1468,12 @@ static int ssl3_send_client_key_exchange
117 #endif /* OPENSSL_NO_KRB5 */
119 + if (s->hello_extension)
121 + /* Quick hack to test EAP-FAST. */
125 if (s->state == SSL3_ST_CW_KEY_EXCH_A)
127 d=(unsigned char *)s->init_buf->data;
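Review bot: If the hack at the top of ssl3_send_client_key_exchange (lines 120 and 122–124, not visible here) returns without sending a ClientKeyExchange, whatever it does must still leave `s->session` with a master secret, because Finished and the key-block derivation that follow depend on it; nothing visible in this patch shows where that secret is installed in the EAP-FAST path (presumably from the PAC key — confirm). A comment making that dependency explicit would help, e.g. `/* EAP-FAST: no ClientKeyExchange is sent; the master secret must already have been installed by the caller before the handshake. */`. As in the other hunks, gating on `s->hello_extension` rather than on a negotiated-state flag applies the bypass to every connection that set an extension. The function continues outside the hunk.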
128 @@ -1880,6 +1915,12 @@ static int ssl3_check_cert_and_algorithm
132 + if (s->hello_extension)
134 + /* Quick hack to test EAP-FAST. */
138 sc=s->session->sess_cert;
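Review bot: Returning early from ssl3_check_cert_and_algorithm when `s->hello_extension` is set (lines 133 and 135–137 are not visible) drops the check that the server's key exchange material matches the negotiated cipher suite, for every connection that set an extension. For the EAP-FAST case in which no certificate arrived the skip may be what keeps `sc=s->session->sess_cert;` from being followed by a NULL dereference, but the same bypass applies when a certificate was received and should have been validated against the suite. I would skip only when `s->session->sess_cert == NULL` and the negotiated suite is one that legitimately carries no certificate, and run the existing check in every other case. The function's body extends outside the hunk.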
141 diff -upr openssl-0.9.7e.orig/ssl/ssl.h openssl-0.9.7e/ssl/ssl.h
142 --- openssl-0.9.7e.orig/ssl/ssl.h 2004-07-27 11:28:49.000000000 -0700
143 +++ openssl-0.9.7e/ssl/ssl.h 2004-12-24 20:29:01.000000000 -0800
144 @@ -929,6 +929,11 @@ struct ssl_st
146 int client_version; /* what was passed, used for
147 * SSLv3/TLS rollback check */
149 + /* Optional ClientHello/ServerHello extension to be added to the end
150 + * of the SSLv3/TLS hello message. */
151 + char *hello_extension;
152 + int hello_extension_len;
156 diff -upr openssl-0.9.7e.orig/ssl/ssl_lib.c openssl-0.9.7e/ssl/ssl_lib.c
157 --- openssl-0.9.7e.orig/ssl/ssl_lib.c 2004-05-11 05:46:12.000000000 -0700
158 +++ openssl-0.9.7e/ssl/ssl_lib.c 2004-12-24 20:35:22.000000000 -0800
159 @@ -478,6 +478,7 @@ void SSL_free(SSL *s)
160 kssl_ctx_free(s->kssl_ctx);
161 #endif /* OPENSSL_NO_KRB5 */
163 + OPENSSL_free(s->hello_extension);