path: root/contrib/wpa_supplicant/openssl-tls-extensions.patch
blob: 77e9a4132ef07a5a55e67ab2db650f902b70ab46 (plain)
This is a quick hack for testing EAP-FAST with openssl.

Addition of TLS extensions to ClientHello/ServerHello is more or less
ok, though not very clean in the way that the caller needs to take
care of constructing the set of all extensions. In addition there is no
mechanism for reading the TLS extensions, i.e., this would not be
enough for EAP-FAST authenticator.

Rest of the changes are obviously ugly and/or incorrect for most
parts, but it demonstrates the minimum set of changes to skip some of
the error cases that prevented completion of TLS handshake without
certificates. In other words, this is just a proof-of-concept type of
example to make it possible to experiment with EAP-FAST. Cleaner patch
for the needed functionality would be welcome..


diff -upr openssl-0.9.7e.orig/include/openssl/ssl.h openssl-0.9.7e/include/openssl/ssl.h
--- openssl-0.9.7e.orig/include/openssl/ssl.h	2004-07-27 11:28:49.000000000 -0700
+++ openssl-0.9.7e/include/openssl/ssl.h	2004-12-24 20:29:01.000000000 -0800
@@ -929,6 +929,11 @@ struct ssl_st
 	int first_packet;
 	int client_version;	/* what was passed, used for
 				 * SSLv3/TLS rollback check */
+
+	/* Optional ClientHello/ServerHello extension to be added to the end
+	 * of the SSLv3/TLS hello message. */
+	char *hello_extension;
+	int hello_extension_len;
 	};
 
 #ifdef __cplusplus
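Review bot: The new `hello_extension` field carries no ownership or encoding contract, yet a later hunk releases it with OPENSSL_free in SSL_free, so the comment should say who allocates it and how, e.g. `/* Optional raw extension bytes appended to ClientHello/ServerHello; allocated by the caller with OPENSSL_malloc, owned and freed by the SSL object (SSL_free). */`. `hello_extension_len` is a signed `int` that is later used directly as a memcpy length in ssl3_client_hello, so the comment should also state that it must be non-negative and equal to the buffer size. The same two fields are added identically to ssl/ssl.h in a later hunk and need the same wording there.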
diff -upr openssl-0.9.7e.orig/ssl/s3_both.c openssl-0.9.7e/ssl/s3_both.c
--- openssl-0.9.7e.orig/ssl/s3_both.c	2003-02-12 09:05:17.000000000 -0800
+++ openssl-0.9.7e/ssl/s3_both.c	2004-12-31 21:18:15.556846272 -0800
@@ -199,6 +199,12 @@ int ssl3_get_finished(SSL *s, int a, int
 		64, /* should actually be 36+4 :-) */
 		&ok);
 
+	if (!ok && s->hello_extension)
+		{
+		/* Quick hack to test EAP-FAST. */
+		return(1);
+	}
+
 	if (!ok) return((int)n);
 
 	/* If this occurs, we have missed a message */
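Review bot: The new early return treats every failed `ssl3_get_message` as a completed Finished exchange whenever `hello_extension` is set, but `!ok` also covers the non-blocking retry case that the original `return((int)n)` on the next line propagates to the caller, so a would-block read is reported as success with the peer's Finished never verified. The guard keys on the mere presence of extension bytes rather than on any negotiated state, so it disables Finished verification for any connection that sets one. If the shortcut has to stay for the experiment, it should at least not turn a retry into success, presumably along the lines of `if (!ok && s->rwstate == SSL_NOTHING && s->hello_extension)` — confirm against how ssl3_get_message reports retries in this version. The closing brace on the added block is also misaligned with the opening brace compared with the style used in the other hunks. ssl3_get_finished continues outside the hunk.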
diff -upr openssl-0.9.7e.orig/ssl/s3_clnt.c openssl-0.9.7e/ssl/s3_clnt.c
--- openssl-0.9.7e.orig/ssl/s3_clnt.c	2004-05-15 09:39:22.000000000 -0700
+++ openssl-0.9.7e/ssl/s3_clnt.c	2004-12-31 21:16:38.617583280 -0800
@@ -588,6 +588,12 @@ static int ssl3_client_hello(SSL *s)
 			*(p++)=comp->id;
 			}
 		*(p++)=0; /* Add the NULL method */
+
+		if (s->hello_extension)
+			{
+			memcpy(p,s->hello_extension,s->hello_extension_len);
+			p+=s->hello_extension_len;
+			}
 		
 		l=(p-d);
 		d=buf;
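Review bot: The `memcpy` of `s->hello_extension` into the hello buffer has no bounds check: `hello_extension_len` is caller-supplied, signed, and never compared against the room left in `s->init_buf`, so an oversized or negative length overruns the record buffer. A guard before the copy is needed, presumably `if (s->hello_extension_len < 0 || (size_t)s->hello_extension_len > (size_t)(s->init_buf->max - (p - buf))) goto err;`, using the function's existing error exit, which lies outside the hunk. The bytes are appended raw after the compression method list, so the caller must already include the two-byte extensions-length prefix; a comment saying so, `/* hello_extension must be a complete, length-prefixed TLS extensions block */`, would prevent silently malformed ClientHellos. ssl3_client_hello starts before and ends after this hunk.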
@@ -779,6 +785,11 @@ static int ssl3_get_server_certificate(S
 
 	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
 		{
+		if (s->hello_extension)
+			{
+			/* Quick hack to test EAP-FAST. */
+			return(1);
+			}
 		al=SSL_AD_UNEXPECTED_MESSAGE;
 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
 		goto f_err;
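Review bot: The bypass is gated only on `s->hello_extension` being non-NULL, not on a negotiated cipher suite or session state that legitimately omits the server Certificate, so any connection that sets an extension accepts a certificate-less server and skips authentication; the same gate is added in ssl3_get_key_exchange, ssl3_get_certificate_request, ssl3_get_server_done, ssl3_send_client_key_exchange and ssl3_check_cert_and_algorithm in the following hunks. Because ClientKeyExchange is then never sent, no fresh master secret can be derived along this path, which is presumably why the Finished check also has to be skipped in s3_both.c. A dedicated flag set by the EAP-FAST caller would be a clearer and safer gate than the presence of extension bytes, and each `return(1)` should say what it skips, e.g. `/* EAP-FAST PoC: no server Certificate expected; message left unhandled */`. ssl3_get_server_certificate continues outside the hunk.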
@@ -951,6 +962,12 @@ static int ssl3_get_key_exchange(SSL *s)
 	DH *dh=NULL;
 #endif
 
+	if (s->hello_extension)
+		{
+		/* Quick hack to test EAP-FAST. */
+		return(1);
+		}
+
 	/* use same message size as in ssl3_get_certificate_request()
 	 * as ServerKeyExchange message may be skipped */
 	n=ssl3_get_message(s,
@@ -1264,6 +1281,12 @@ static int ssl3_get_certificate_request(
 	unsigned char *p,*d,*q;
 	STACK_OF(X509_NAME) *ca_sk=NULL;
 
+	if (s->hello_extension)
+		{
+		/* Quick hack to test EAP-FAST. */
+		return(1);
+		}
+
 	n=ssl3_get_message(s,
 		SSL3_ST_CR_CERT_REQ_A,
 		SSL3_ST_CR_CERT_REQ_B,
@@ -1407,6 +1430,12 @@ static int ssl3_get_server_done(SSL *s)
 	int ok,ret=0;
 	long n;
 
+	if (s->hello_extension)
+		{
+		/* Quick hack to test EAP-FAST. */
+		return(1);
+		}
+
 	n=ssl3_get_message(s,
 		SSL3_ST_CR_SRVR_DONE_A,
 		SSL3_ST_CR_SRVR_DONE_B,
@@ -1439,6 +1468,12 @@ static int ssl3_send_client_key_exchange
         KSSL_ERR kssl_err;
 #endif /* OPENSSL_NO_KRB5 */
 
+	if (s->hello_extension)
+		{
+		/* Quick hack to test EAP-FAST. */
+		return(1);
+		}
+
 	if (s->state == SSL3_ST_CW_KEY_EXCH_A)
 		{
 		d=(unsigned char *)s->init_buf->data;
@@ -1880,6 +1915,12 @@ static int ssl3_check_cert_and_algorithm
 	DH *dh;
 #endif
 
+	if (s->hello_extension)
+		{
+		/* Quick hack to test EAP-FAST. */
+		return(1);
+		}
+
 	sc=s->session->sess_cert;
 
 	if (sc == NULL)
diff -upr openssl-0.9.7e.orig/ssl/ssl.h openssl-0.9.7e/ssl/ssl.h
--- openssl-0.9.7e.orig/ssl/ssl.h	2004-07-27 11:28:49.000000000 -0700
+++ openssl-0.9.7e/ssl/ssl.h	2004-12-24 20:29:01.000000000 -0800
@@ -929,6 +929,11 @@ struct ssl_st
 	int first_packet;
 	int client_version;	/* what was passed, used for
 				 * SSLv3/TLS rollback check */
+
+	/* Optional ClientHello/ServerHello extension to be added to the end
+	 * of the SSLv3/TLS hello message. */
+	char *hello_extension;
+	int hello_extension_len;
 	};
 
 #ifdef __cplusplus
diff -upr openssl-0.9.7e.orig/ssl/ssl_lib.c openssl-0.9.7e/ssl/ssl_lib.c
--- openssl-0.9.7e.orig/ssl/ssl_lib.c	2004-05-11 05:46:12.000000000 -0700
+++ openssl-0.9.7e/ssl/ssl_lib.c	2004-12-24 20:35:22.000000000 -0800
@@ -478,6 +478,7 @@ void SSL_free(SSL *s)
 		kssl_ctx_free(s->kssl_ctx);
 #endif	/* OPENSSL_NO_KRB5 */
 
+	OPENSSL_free(s->hello_extension);
 	OPENSSL_free(s);
 	}
 
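Review bot: `OPENSSL_free(s->hello_extension)` makes the SSL object the owner of a buffer the caller attached, so that buffer must come from OPENSSL_malloc (the configured free hook need not be libc `free`) and the field must start out NULL; the latter presumably relies on SSL_new zeroing the struct, which this patch does not show. Nothing in the patch clears the field in SSL_clear, so an extension set on a connection presumably persists when the object is reused — confirm that is intended. A comment on the added line, `/* hello_extension is caller-allocated via OPENSSL_malloc; ownership passes to the SSL object */`, would record the contract. SSL_free starts outside the hunk.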