head 1.2; access; symbols perseant-exfatfs-base-20250801:1.2 perseant-exfatfs-base-20240630:1.2 perseant-exfatfs:1.2.0.40 perseant-exfatfs-base:1.2 cjep_sun2x:1.2.0.38 cjep_sun2x-base:1.2 cjep_staticlib_x-base1:1.2 cjep_staticlib_x:1.2.0.36 cjep_staticlib_x-base:1.2 phil-wifi-20200421:1.2 phil-wifi-20200411:1.2 phil-wifi-20200406:1.2 pgoyette-compat-merge-20190127:1.2 pgoyette-compat-20190127:1.2 pgoyette-compat-20190118:1.2 pgoyette-compat-1226:1.2 pgoyette-compat-1126:1.2 pgoyette-compat-1020:1.2 pgoyette-compat-0930:1.2 pgoyette-compat-0906:1.2 pgoyette-compat-0728:1.2 pgoyette-compat-0625:1.2 pgoyette-compat-0521:1.2 pgoyette-compat-0502:1.2 pgoyette-compat-0422:1.2 pgoyette-compat-0415:1.2 pgoyette-compat-0407:1.2 pgoyette-compat-0330:1.2 pgoyette-compat-0322:1.2 pgoyette-compat-0315:1.2 pgoyette-compat:1.2.0.34 pgoyette-compat-base:1.2 prg-localcount2-base3:1.2 prg-localcount2-base2:1.2 prg-localcount2-base1:1.2 prg-localcount2:1.2.0.32 prg-localcount2-base:1.2 pgoyette-localcount-20170426:1.2 bouyer-socketcan-base1:1.2 pgoyette-localcount-20170320:1.2 bouyer-socketcan:1.2.0.30 bouyer-socketcan-base:1.2 pgoyette-localcount-20170107:1.2 pgoyette-localcount-20161104:1.2 localcount-20160914:1.2 pgoyette-localcount-20160806:1.2 pgoyette-localcount-20160726:1.2 pgoyette-localcount:1.2.0.28 pgoyette-localcount-base:1.2 netbsd-5-2-3-RELEASE:1.2 netbsd-5-1-5-RELEASE:1.2 yamt-pagecache-base9:1.2 yamt-pagecache-tag8:1.2 tls-earlyentropy:1.2.0.24 tls-earlyentropy-base:1.2 riastradh-xf86-video-intel-2-7-1-pre-2-21-15:1.2 riastradh-drm2-base3:1.2 netbsd-5-2-2-RELEASE:1.2 netbsd-5-1-4-RELEASE:1.2 netbsd-5-2-1-RELEASE:1.2 netbsd-5-1-3-RELEASE:1.2 agc-symver:1.2.0.26 agc-symver-base:1.2 tls-maxphys-base:1.2 yamt-pagecache-base8:1.2 netbsd-5-2:1.2.0.22 yamt-pagecache-base7:1.2 netbsd-5-2-RELEASE:1.2 netbsd-5-2-RC1:1.2 yamt-pagecache-base6:1.2 yamt-pagecache-base5:1.2 yamt-pagecache-base4:1.2 netbsd-5-1-2-RELEASE:1.2 netbsd-5-1-1-RELEASE:1.2 yamt-pagecache-base3:1.2 
yamt-pagecache-base2:1.2 yamt-pagecache:1.2.0.20 yamt-pagecache-base:1.2 bouyer-quota2-nbase:1.2 bouyer-quota2:1.2.0.18 bouyer-quota2-base:1.2 matt-nb5-pq3:1.2.0.16 matt-nb5-pq3-base:1.2 netbsd-5-1:1.2.0.14 netbsd-5-1-RELEASE:1.2 netbsd-5-1-RC4:1.2 netbsd-5-1-RC3:1.2 netbsd-5-1-RC2:1.2 netbsd-5-1-RC1:1.2 netbsd-5-0-2-RELEASE:1.2 netbsd-5-0-1-RELEASE:1.2 jym-xensuspend-nbase:1.2 netbsd-5-0:1.2.0.12 netbsd-5-0-RELEASE:1.2 netbsd-5-0-RC4:1.2 netbsd-5-0-RC3:1.2 netbsd-5-0-RC2:1.2 jym-xensuspend:1.2.0.10 jym-xensuspend-base:1.2 netbsd-5-0-RC1:1.2 netbsd-5:1.2.0.8 netbsd-5-base:1.2 matt-mips64:1.1.1.2.0.16 mjf-devfs2:1.2.0.6 mjf-devfs2-base:1.2 netbsd-4-0-1-RELEASE:1.1.1.2 wrstuden-fixsa-newbase:1.1.1.2 yamt-pf42-base4:1.2 yamt-pf42-base3:1.2 hpcarm-cleanup-nbase:1.2 yamt-pf42-base2:1.2 yamt-pf42:1.2.0.4 yamt-pf42-base:1.2 keiichi-mipv6:1.2.0.2 keiichi-mipv6-base:1.2 matt-armv6-nbase:1.2 matt-armv6-prevmlocking:1.1.1.2 wrstuden-fixsa-base-1:1.1.1.2 netbsd-4-0:1.1.1.2.0.14 netbsd-4-0-RELEASE:1.1.1.2 cube-autoconf:1.1.1.2.0.12 cube-autoconf-base:1.1.1.2 netbsd-4-0-RC5:1.1.1.2 netbsd-4-0-RC4:1.1.1.2 netbsd-4-0-RC3:1.1.1.2 netbsd-4-0-RC2:1.1.1.2 netbsd-4-0-RC1:1.1.1.2 matt-armv6:1.1.1.2.0.10 matt-armv6-base:1.1.1.2 matt-mips64-base:1.1.1.2 hpcarm-cleanup:1.1.1.2.0.8 hpcarm-cleanup-base:1.2 wrstuden-fixsa:1.1.1.2.0.6 wrstuden-fixsa-base:1.1.1.2 abandoned-netbsd-4-base:1.1.1.2 abandoned-netbsd-4:1.1.1.2.0.2 netbsd-4:1.1.1.2.0.4 netbsd-4-base:1.1.1.2 v0_4_9:1.1.1.2 v0_4_8:1.1.1.2 v0_3_9:1.1.1.1 MALINEN:1.1.1; locks; strict; comment @# @; 1.2 date 2008.01.26.21.55.16; author christos; state dead; branches; next 1.1; 1.1 date 2005.10.01.10.20.18; author scw; state Exp; branches 1.1.1.1; next ; 1.1.1.1 date 2005.10.01.10.20.18; author scw; state Exp; branches; next 1.1.1.2; 1.1.1.2 date 2006.04.12.15.09.02; author rpaulo; state Exp; branches 1.1.1.2.10.1; next ; 1.1.1.2.10.1 date 2008.03.23.00.17.33; author matt; state dead; branches; next ; desc @@ 1.2 log @Moved to dist/wpa 
since now hostapd and wpa_supplicant share a lot of code. @ text @This is a quick hack for testing EAP-FAST with openssl. Addition of TLS extensions to ClientHello/ServerHello is more or less ok, though not very clean in the way that the caller needs to take care of constructing set of all extensions. In addition there is not mechanism for reading the TLS extensions, i.e., this would not be enough for EAP-FAST authenticator. Rest of the changes are obviously ugly and/or incorrect for most parts, but it demonstrates the minimum set of changes to skip some of the error cases that prevented completion of TLS handshake without certificates. In other words, this is just a proof-of-concept type of example to make it possible to experiment with EAP-FAST. Cleaner patch for the needed functionality would be welcome.. diff -upr openssl-0.9.7e.orig/include/openssl/ssl.h openssl-0.9.7e/include/openssl/ssl.h --- openssl-0.9.7e.orig/include/openssl/ssl.h 2004-07-27 11:28:49.000000000 -0700 +++ openssl-0.9.7e/include/openssl/ssl.h 2004-12-24 20:29:01.000000000 -0800 @@@@ -929,6 +929,11 @@@@ struct ssl_st int first_packet; int client_version; /* what was passed, used for * SSLv3/TLS rollback check */ + + /* Optional ClientHello/ServerHello extension to be added to the end + * of the SSLv3/TLS hello message. */ + char *hello_extension; + int hello_extension_len; }; #ifdef __cplusplus diff -upr openssl-0.9.7e.orig/ssl/s3_both.c openssl-0.9.7e/ssl/s3_both.c --- openssl-0.9.7e.orig/ssl/s3_both.c 2003-02-12 09:05:17.000000000 -0800 +++ openssl-0.9.7e/ssl/s3_both.c 2004-12-31 21:18:15.556846272 -0800 @@@@ -199,6 +199,12 @@@@ int ssl3_get_finished(SSL *s, int a, int 64, /* should actually be 36+4 :-) */ &ok); + if (!ok && s->hello_extension) + { + /* Quick hack to test EAP-FAST. 
*/ + return(1); + } + if (!ok) return((int)n); /* If this occurs, we have missed a message */ diff -upr openssl-0.9.7e.orig/ssl/s3_clnt.c openssl-0.9.7e/ssl/s3_clnt.c --- openssl-0.9.7e.orig/ssl/s3_clnt.c 2004-05-15 09:39:22.000000000 -0700 +++ openssl-0.9.7e/ssl/s3_clnt.c 2004-12-31 21:16:38.617583280 -0800 @@@@ -588,6 +588,12 @@@@ static int ssl3_client_hello(SSL *s) *(p++)=comp->id; } *(p++)=0; /* Add the NULL method */ + + if (s->hello_extension) + { + memcpy(p,s->hello_extension,s->hello_extension_len); + p+=s->hello_extension_len; + } l=(p-d); d=buf; @@@@ -779,6 +785,11 @@@@ static int ssl3_get_server_certificate(S if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) { + if (s->hello_extension) + { + /* Quick hack to test EAP-FAST. */ + return(1); + } al=SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); goto f_err; @@@@ -951,6 +962,12 @@@@ static int ssl3_get_key_exchange(SSL *s) DH *dh=NULL; #endif + if (s->hello_extension) + { + /* Quick hack to test EAP-FAST. */ + return(1); + } + /* use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped */ n=ssl3_get_message(s, @@@@ -1264,6 +1281,12 @@@@ static int ssl3_get_certificate_request( unsigned char *p,*d,*q; STACK_OF(X509_NAME) *ca_sk=NULL; + if (s->hello_extension) + { + /* Quick hack to test EAP-FAST. */ + return(1); + } + n=ssl3_get_message(s, SSL3_ST_CR_CERT_REQ_A, SSL3_ST_CR_CERT_REQ_B, @@@@ -1407,6 +1430,12 @@@@ static int ssl3_get_server_done(SSL *s) int ok,ret=0; long n; + if (s->hello_extension) + { + /* Quick hack to test EAP-FAST. */ + return(1); + } + n=ssl3_get_message(s, SSL3_ST_CR_SRVR_DONE_A, SSL3_ST_CR_SRVR_DONE_B, @@@@ -1439,6 +1468,12 @@@@ static int ssl3_send_client_key_exchange KSSL_ERR kssl_err; #endif /* OPENSSL_NO_KRB5 */ + if (s->hello_extension) + { + /* Quick hack to test EAP-FAST. 
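Review bot: In ssl3_get_finished the added `if (!ok && s->hello_extension) return(1);` reports success when the peer's Finished message could not be read, so the rest of the function, which appears to process that message, is skipped whenever an extension buffer is set. The same `if (s->hello_extension) return(1);` early return in ssl3_get_server_certificate, ssl3_get_key_exchange, ssl3_get_certificate_request, ssl3_get_server_done, ssl3_send_client_key_exchange and ssl3_check_cert_and_algorithm switches off certificate and key-exchange processing on the same condition, which is a data pointer rather than an explicit test mode. The description calls this a proof of concept, and the code should say so at each site: wrap every early return in a test-only preprocessor guard that is off by default and replace the comment with something like `/* TEST ONLY: skips peer authentication; never enable in a production build */`. The bodies of all these functions continue outside their hunks.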
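Review bot: The `memcpy(p,s->hello_extension,s->hello_extension_len);` added to ssl3_client_hello copies a caller-supplied length into the hello buffer, and nothing in the hunk checks that the bytes fit or that the signed `hello_extension_len` is positive. A negative or oversized value would write past the end of the handshake buffer; the buffer's size is not visible in the hunk, so the limit has to come from the surrounding function. The guard should read `if (s->hello_extension && s->hello_extension_len > 0)` and compare the length with the space left after `p` before copying, failing the handshake when it does not fit.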
*/ + return(1); + } + if (s->state == SSL3_ST_CW_KEY_EXCH_A) { d=(unsigned char *)s->init_buf->data; @@@@ -1880,6 +1915,12 @@@@ static int ssl3_check_cert_and_algorithm DH *dh; #endif + if (s->hello_extension) + { + /* Quick hack to test EAP-FAST. */ + return(1); + } + sc=s->session->sess_cert; if (sc == NULL) diff -upr openssl-0.9.7e.orig/ssl/ssl.h openssl-0.9.7e/ssl/ssl.h --- openssl-0.9.7e.orig/ssl/ssl.h 2004-07-27 11:28:49.000000000 -0700 +++ openssl-0.9.7e/ssl/ssl.h 2004-12-24 20:29:01.000000000 -0800 @@@@ -929,6 +929,11 @@@@ struct ssl_st int first_packet; int client_version; /* what was passed, used for * SSLv3/TLS rollback check */ + + /* Optional ClientHello/ServerHello extension to be added to the end + * of the SSLv3/TLS hello message. */ + char *hello_extension; + int hello_extension_len; }; #ifdef __cplusplus diff -upr openssl-0.9.7e.orig/ssl/ssl_lib.c openssl-0.9.7e/ssl/ssl_lib.c --- openssl-0.9.7e.orig/ssl/ssl_lib.c 2004-05-11 05:46:12.000000000 -0700 +++ openssl-0.9.7e/ssl/ssl_lib.c 2004-12-24 20:35:22.000000000 -0800 @@@@ -478,6 +478,7 @@@@ void SSL_free(SSL *s) kssl_ctx_free(s->kssl_ctx); #endif /* OPENSSL_NO_KRB5 */ + OPENSSL_free(s->hello_extension); OPENSSL_free(s); } @ 1.1 log @Initial revision @ text @@ 1.1.1.1 log @Import of WPA supplicant 0.3.9 (strippped down as per FreeBSD's version). @ text @@ 1.1.1.2 log @Import of WPA supplicant 0.4.8 @ text @d1 1 a1 4 This patch is adding support for TLS hello extensions and externally generated pre-shared key material to OpenSSL 0.9.8. This is based on the patch from Alexey Kobozev (sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300). 
d3 5 d9 6 d16 5 a20 21 diff -uprN openssl-0.9.8.orig/include/openssl/ssl.h openssl-0.9.8/include/openssl/ssl.h --- openssl-0.9.8.orig/include/openssl/ssl.h 2005-06-10 12:51:16.000000000 -0700 +++ openssl-0.9.8/include/openssl/ssl.h 2005-07-19 20:02:15.000000000 -0700 @@@@ -340,6 +340,7 @@@@ extern "C" { * 'struct ssl_st *' function parameters used to prototype callbacks * in SSL_CTX. */ typedef struct ssl_st *ssl_crock_st; +typedef struct tls_extension_st TLS_EXTENSION; /* used to hold info on the particular ciphers used */ typedef struct ssl_cipher_st @@@@ -361,6 +362,8 @@@@ DECLARE_STACK_OF(SSL_CIPHER) typedef struct ssl_st SSL; typedef struct ssl_ctx_st SSL_CTX; +typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); + /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ typedef struct ssl_method_st { @@@@ -968,6 +971,15 @@@@ struct ssl_st d25 4 a28 8 + /* TLS externsions */ + TLS_EXTENSION *tls_extension; + int (*tls_extension_cb)(SSL *s, TLS_EXTENSION *tls_ext, void *arg); + void *tls_extension_cb_arg; + + /* TLS pre-shared secret session resumption */ + tls_session_secret_cb_fn tls_session_secret_cb; + void *tls_session_secret_cb_arg; d32 46 a77 2 @@@@ -1533,6 +1545,13 @@@@ void *SSL_COMP_get_compression_methods(v int SSL_COMP_add_compression_method(int id,void *cm); d80 5 a84 6 +/* TLS extensions functions */ +int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len); +int SSL_set_hello_extension_cb(SSL *s, int (*cb)(SSL *, TLS_EXTENSION *, void *), void *arg); + +/* Pre-shared secret session resumption functions */ +int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg); d86 6 a91 17 /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. 
@@@@ -1714,6 +1733,7 @@@@ void ERR_load_SSL_strings(void); #define SSL_F_TLS1_ENC 210 #define SSL_F_TLS1_SETUP_KEY_BLOCK 211 #define SSL_F_WRITE_PENDING 212 +#define SSL_F_SSL_SET_HELLO_EXTENSION 213 /* Reason codes. */ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 diff -uprN openssl-0.9.8.orig/include/openssl/tls1.h openssl-0.9.8/include/openssl/tls1.h --- openssl-0.9.8.orig/include/openssl/tls1.h 2003-07-22 05:34:21.000000000 -0700 +++ openssl-0.9.8/include/openssl/tls1.h 2005-07-19 20:02:15.000000000 -0700 @@@@ -282,6 +282,14 @@@@ extern "C" { #define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/ #endif d93 1 a93 46 +/* TLS extension struct */ +struct tls_extension_st +{ + unsigned short type; + unsigned short length; + void *data; +}; + #ifdef __cplusplus } #endif diff -uprN openssl-0.9.8.orig/ssl/Makefile openssl-0.9.8/ssl/Makefile --- openssl-0.9.8.orig/ssl/Makefile 2005-05-30 16:20:30.000000000 -0700 +++ openssl-0.9.8/ssl/Makefile 2005-07-19 20:02:15.000000000 -0700 @@@@ -24,7 +24,7 @@@@ LIBSRC= \ s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \ s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \ s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \ - t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \ + t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c t1_ext.c \ d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \ d1_both.c d1_enc.c \ ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \ @@@@ -35,7 +35,7 @@@@ LIBOBJ= \ s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \ s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \ s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o s23_pkt.o \ - t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o \ + t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o t1_ext.o \ d1_meth.o d1_srvr.o d1_clnt.o d1_lib.o d1_pkt.o \ d1_both.o d1_enc.o \ ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \ @@@@ -968,3 +968,4 @@@@ t1_srvr.o: ../include/openssl/ssl23.h .. 
t1_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h t1_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h t1_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_srvr.c +t1_ext.o: t1_ext.c ssl_locl.h diff -uprN openssl-0.9.8.orig/ssl/s3_clnt.c openssl-0.9.8/ssl/s3_clnt.c --- openssl-0.9.8.orig/ssl/s3_clnt.c 2005-05-16 03:11:03.000000000 -0700 +++ openssl-0.9.8/ssl/s3_clnt.c 2005-07-19 20:02:15.000000000 -0700 @@@@ -606,6 +606,20 @@@@ int ssl3_client_hello(SSL *s) } *(p++)=0; /* Add the NULL method */ + /* send client hello extensions if any */ + if (s->version >= TLS1_VERSION && s->tls_extension) d95 2 a96 9 + // set the total extensions length + s2n(s->tls_extension->length + 4, p); + + // put the extensions with type and length + s2n(s->tls_extension->type, p); + s2n(s->tls_extension->length, p); + + memcpy(p, s->tls_extension->data, s->tls_extension->length); + p+=s->tls_extension->length; d99 5 a103 10 l=(p-d); d=buf; *(d++)=SSL3_MT_CLIENT_HELLO; @@@@ -628,7 +642,7 @@@@ int ssl3_get_server_hello(SSL *s) STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *c; unsigned char *p,*d; - int i,al,ok; + int i,al,ok,pre_shared; unsigned int j; a104 4 SSL_COMP *comp; @@@@ -693,7 +707,24 @@@@ int ssl3_get_server_hello(SSL *s) goto f_err; } d106 1 a106 9 - if (j != 0 && j == s->session->session_id_length + /* check if we want to resume the session based on external pre-shared secret */ + pre_shared = 0; + if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + s->session->master_key_length=sizeof(s->session->master_key); + if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, + NULL, &pref_cipher, s->tls_session_secret_cb_arg)) d108 2 a109 5 + s->hit=1; + s->session->cipher=pref_cipher ? 
pref_cipher : ssl_get_cipher_by_char(s,p+j); + s->session->session_id_length = j; + memcpy(s->session->session_id, p, j); + pre_shared = 1; a110 1 + } d112 6 a117 10 + if ((pre_shared || j != 0) && j == s->session->session_id_length && memcmp(p,s->session->session_id,j) == 0) { if(s->sid_ctx_length != s->session->sid_ctx_length diff -uprN openssl-0.9.8.orig/ssl/s3_srvr.c openssl-0.9.8/ssl/s3_srvr.c --- openssl-0.9.8.orig/ssl/s3_srvr.c 2005-05-22 17:32:55.000000000 -0700 +++ openssl-0.9.8/ssl/s3_srvr.c 2005-07-19 20:02:15.000000000 -0700 @@@@ -955,6 +955,75 @@@@ int ssl3_get_client_hello(SSL *s) } #endif d119 1 a119 4 + /* Check for TLS client hello extension here */ + if (p < (d+n) && s->version >= TLS1_VERSION) + { + if (s->tls_extension_cb) d121 2 a122 23 + TLS_EXTENSION tls_ext; + unsigned short ext_total_len; + + n2s(p, ext_total_len); + n2s(p, tls_ext.type); + n2s(p, tls_ext.length); + + // sanity check in TLS extension len + if (tls_ext.length > (d+n) - p) + { + // just cut the lenth to packet border + tls_ext.length = (d+n) - p; + } + + tls_ext.data = p; + + // returns an alert code or 0 + al = s->tls_extension_cb(s, &tls_ext, s->tls_extension_cb_arg); + if (al != 0) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PEER_ERROR); + goto f_err; + } a123 1 + } d125 8 a132 9 + /* Check if we want to use external pre-shared secret for this handshake */ + /* for not reused session only */ + if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + + s->session->master_key_length=sizeof(s->session->master_key); + if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, + ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) d134 2 a135 25 + s->hit=1; + s->session->ciphers=ciphers; + s->session->verify_result=X509_V_OK; + + ciphers=NULL; + + /* check if some cipher was preferred by call back */ + pref_cipher=pref_cipher ? 
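Review bot: In ssl3_get_server_hello the new block sets `s->session->master_key_length` to `sizeof(s->session->master_key)` and hands `s->session->master_key` itself to `tls_session_secret_cb` before it is known whether the callback will accept. If the callback returns 0, the overwritten length and any bytes it may have written stay in the session; if it returns non-zero, the length it stored is used without a check that it is positive and no larger than the buffer. Passing a local buffer and length, and copying into the session only after `secret_len > 0 && secret_len <= (int)sizeof(s->session->master_key)`, keeps a failing or misbehaving callback from altering key material. The block added to ssl3_get_client_hello in s3_srvr.c follows the same pattern. Some lines of this hunk are elided by the RCS delta, so not every brace is visible.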
pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); + if (pref_cipher == NULL) + { + al=SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); + goto f_err; + } + + s->session->cipher=pref_cipher; + + if (s->cipher_list) + sk_SSL_CIPHER_free(s->cipher_list); + + if (s->cipher_list_by_id) + sk_SSL_CIPHER_free(s->cipher_list_by_id); + + s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); + s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); a136 1 + } d138 1 a138 13 /* Given s->session->ciphers and SSL_get_ciphers, we must * pick a cipher */ diff -uprN openssl-0.9.8.orig/ssl/ssl_err.c openssl-0.9.8/ssl/ssl_err.c --- openssl-0.9.8.orig/ssl/ssl_err.c 2005-06-10 12:51:16.000000000 -0700 +++ openssl-0.9.8/ssl/ssl_err.c 2005-07-19 20:02:15.000000000 -0700 @@@@ -242,6 +242,7 @@@@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"}, {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"}, {ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"}, +{ERR_FUNC(SSL_F_SSL_SET_HELLO_EXTENSION), "SSL_set_hello_extension"}, {0,NULL} }; d140 5 a144 21 diff -uprN openssl-0.9.8.orig/ssl/ssl.h openssl-0.9.8/ssl/ssl.h --- openssl-0.9.8.orig/ssl/ssl.h 2005-06-10 12:51:16.000000000 -0700 +++ openssl-0.9.8/ssl/ssl.h 2005-07-19 20:02:15.000000000 -0700 @@@@ -340,6 +340,7 @@@@ extern "C" { * 'struct ssl_st *' function parameters used to prototype callbacks * in SSL_CTX. 
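Review bot: The extension parser added to ssl3_get_client_hello runs three `n2s()` reads (six bytes) after checking only `p < (d+n)`, so a ClientHello with one to five trailing bytes is read past the end of the message. `ext_total_len` is read but never compared with anything, and a `tls_ext.length` that overruns the message is silently cut to the packet border instead of being rejected, so the callback sees data the peer did not describe correctly. Only the first extension is parsed, which deserves a comment. The fence shows the length checks I would add; the hunk is shown through an RCS delta, so some of its lines are elided and the function continues outside it.

```c
/* ... unchanged: if (p < (d+n) && s->version >= TLS1_VERSION), if (s->tls_extension_cb) ... */
TLS_EXTENSION tls_ext;
unsigned short ext_total_len;

/* total length (2) + type (2) + length (2) must all be present */
if ((d+n) - p < 6)
	{
	al=SSL_AD_DECODE_ERROR;
	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
	goto f_err;
	}

n2s(p, ext_total_len);
n2s(p, tls_ext.type);
n2s(p, tls_ext.length);

/* reject, rather than truncate, lengths that disagree with the message */
if (ext_total_len < 4 ||
    ext_total_len - 4 > (d+n) - p ||
    tls_ext.length > ext_total_len - 4)
	{
	al=SSL_AD_DECODE_ERROR;
	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
	goto f_err;
	}

tls_ext.data = p;
/* ... unchanged: callback invocation and alert handling ... */
```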
*/ typedef struct ssl_st *ssl_crock_st; +typedef struct tls_extension_st TLS_EXTENSION; /* used to hold info on the particular ciphers used */ typedef struct ssl_cipher_st @@@@ -361,6 +362,8 @@@@ DECLARE_STACK_OF(SSL_CIPHER) typedef struct ssl_st SSL; typedef struct ssl_ctx_st SSL_CTX; +typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); + /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ typedef struct ssl_method_st { @@@@ -968,6 +971,15 @@@@ struct ssl_st d149 4 a152 8 + /* TLS externsions */ + TLS_EXTENSION *tls_extension; + int (*tls_extension_cb)(SSL *s, TLS_EXTENSION *tls_ext, void *arg); + void *tls_extension_cb_arg; + + /* TLS pre-shared secret session resumption */ + tls_session_secret_cb_fn tls_session_secret_cb; + void *tls_session_secret_cb_arg; d156 6 a161 28 @@@@ -1533,6 +1545,13 @@@@ void *SSL_COMP_get_compression_methods(v int SSL_COMP_add_compression_method(int id,void *cm); #endif +/* TLS extensions functions */ +int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len); +int SSL_set_hello_extension_cb(SSL *s, int (*cb)(SSL *, TLS_EXTENSION *, void *), void *arg); + +/* Pre-shared secret session resumption functions */ +int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. @@@@ -1714,6 +1733,7 @@@@ void ERR_load_SSL_strings(void); #define SSL_F_TLS1_ENC 210 #define SSL_F_TLS1_SETUP_KEY_BLOCK 211 #define SSL_F_WRITE_PENDING 212 +#define SSL_F_SSL_SET_HELLO_EXTENSION 213 /* Reason codes. 
*/ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 diff -uprN openssl-0.9.8.orig/ssl/ssl_sess.c openssl-0.9.8/ssl/ssl_sess.c --- openssl-0.9.8.orig/ssl/ssl_sess.c 2005-04-29 13:10:06.000000000 -0700 +++ openssl-0.9.8/ssl/ssl_sess.c 2005-07-19 20:02:15.000000000 -0700 @@@@ -656,6 +656,15 @@@@ long SSL_CTX_get_timeout(const SSL_CTX * return(s->session_timeout); } d163 2 a164 76 +int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len, + STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg) +{ + if (s == NULL) return(0); + s->tls_session_secret_cb = tls_session_secret_cb; + s->tls_session_secret_cb_arg = arg; + return(1); +} + typedef struct timeout_param_st { SSL_CTX *ctx; diff -uprN openssl-0.9.8.orig/ssl/t1_ext.c openssl-0.9.8/ssl/t1_ext.c --- openssl-0.9.8.orig/ssl/t1_ext.c 1969-12-31 16:00:00.000000000 -0800 +++ openssl-0.9.8/ssl/t1_ext.c 2005-07-19 20:03:29.000000000 -0700 @@@@ -0,0 +1,48 @@@@ + +#include +#include "ssl_locl.h" + + +int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len) +{ + if(s->version >= TLS1_VERSION) + { + if(s->tls_extension) + { + OPENSSL_free(s->tls_extension); + s->tls_extension = NULL; + } + + if(ext_data) + { + s->tls_extension = OPENSSL_malloc(sizeof(TLS_EXTENSION) + ext_len); + if(!s->tls_extension) + { + SSLerr(SSL_F_SSL_SET_HELLO_EXTENSION, ERR_R_MALLOC_FAILURE); + return 0; + } + + s->tls_extension->type = ext_type; + s->tls_extension->length = ext_len; + s->tls_extension->data = s->tls_extension + 1; + memcpy(s->tls_extension->data, ext_data, ext_len); + } + + return 1; + } + + return 0; +} + +int SSL_set_hello_extension_cb(SSL *s, int (*cb)(SSL *, TLS_EXTENSION *, void *), void *arg) +{ + if(s->version >= TLS1_VERSION) + { + s->tls_extension_cb = cb; + s->tls_extension_cb_arg = arg; + + return 1; + } + + return 0; +} diff -uprN openssl-0.9.8.orig/ssl/t1_lib.c openssl-0.9.8/ssl/t1_lib.c --- openssl-0.9.8.orig/ssl/t1_lib.c 2005-04-26 
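Review bot: SSL_set_hello_extension in t1_ext.c passes `ext_len` unchecked to `OPENSSL_malloc(sizeof(TLS_EXTENSION) + ext_len)` and to `memcpy`, while storing it in the `unsigned short` `length` field. A negative value gives a wrong allocation size and a very large copy length, and a value above 65535 is truncated in `length` although the full `ext_len` bytes are copied. The ClientHello writer in s3_clnt.c also emits `length + 4` as a 16-bit field, which bounds the usable size further. Add `if (ext_len < 0 || ext_len > 0xffff - 4) return 0;` before the allocation. Unlike SSL_set_session_secret_cb, neither this function nor SSL_set_hello_extension_cb checks `s` for NULL before reading `s->version`.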
09:02:40.000000000 -0700 +++ openssl-0.9.8/ssl/t1_lib.c 2005-07-19 20:02:15.000000000 -0700 @@@@ -131,6 +131,10 @@@@ int tls1_new(SSL *s) void tls1_free(SSL *s) { + if(s->tls_extension) + { + OPENSSL_free(s->tls_extension); + } ssl3_free(s); a166 28 diff -uprN openssl-0.9.8.orig/ssl/tls1.h openssl-0.9.8/ssl/tls1.h --- openssl-0.9.8.orig/ssl/tls1.h 2003-07-22 05:34:21.000000000 -0700 +++ openssl-0.9.8/ssl/tls1.h 2005-07-19 20:02:15.000000000 -0700 @@@@ -282,6 +282,14 @@@@ extern "C" { #define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/ #endif +/* TLS extension struct */ +struct tls_extension_st +{ + unsigned short type; + unsigned short length; + void *data; +}; + #ifdef __cplusplus } #endif diff -uprN openssl-0.9.8.orig/util/ssleay.num openssl-0.9.8/util/ssleay.num --- openssl-0.9.8.orig/util/ssleay.num 2005-05-08 17:22:02.000000000 -0700 +++ openssl-0.9.8/util/ssleay.num 2005-07-19 20:02:15.000000000 -0700 @@@@ -226,3 +226,6 @@@@ DTLSv1_server_method SSL_COMP_get_compression_methods 276 EXIST:!VMS:FUNCTION:COMP SSL_COMP_get_compress_methods 276 EXIST:VMS:FUNCTION:COMP SSL_SESSION_get_id 277 EXIST::FUNCTION: +SSL_set_hello_extension 278 EXIST::FUNCTION: +SSL_set_hello_extension_cb 279 EXIST::FUNCTION: +SSL_set_session_secret_cb 280 EXIST::FUNCTION: @ 1.1.1.2.10.1 log @sync with HEAD @ text @@