Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

OpenSSL: Comment out tls_connection_get_eap_fast_key without EAP-FAST

This avoids internal access of structs and also removes the dependency
on the reimplemented TLS PRF functions when EAP-FAST support is not
enabled. Notably, BoringSSL doesn't support EAP-FAST, so there is no
need to access its internals with openssl_get_keyblock_size().

Signed-Off-By: David Benjamin <davidben@google.com>
David Benjamin 9 years ago
parent
90b4c73fdf
commit
1cece2fafb
1 changed files with 16 additions and 8 deletions
Unified View Show Diff Stats
  1. 16 8
      src/crypto/tls_openssl.c

+ 16 - 8
src/crypto/tls_openssl.c
View File 

@@ -38,6 +38,12 @@
 
 #include "tls.h"
 
 #include "tls.h"
 
 #include "tls_openssl.h"
 
 #include "tls_openssl.h"
 
 
 
+#if !defined(CONFIG_FIPS) &&                             \
 
+    (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) ||   \
 
+     defined(EAP_SERVER_FAST))
 
+#define OPENSSL_NEED_EAP_FAST_PRF
 
+#endif
 
+
 
 #if defined(OPENSSL_IS_BORINGSSL)
 
 #if defined(OPENSSL_IS_BORINGSSL)
 
 /* stack_index_t is the return type of OpenSSL's sk_XXX_num() functions. */
 
 /* stack_index_t is the return type of OpenSSL's sk_XXX_num() functions. */
 
 typedef size_t stack_index_t;
 
 typedef size_t stack_index_t;
 
@@ -81,6 +87,7 @@ static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
 
 }
 
 }
 
 
 
 
 
+#ifdef OPENSSL_NEED_EAP_FAST_PRF
 
 static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
 
 static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
 
 					 unsigned char *out, size_t outlen)
 
 					 unsigned char *out, size_t outlen)
 
 {
 
 {
 
@@ -92,6 +99,7 @@ static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
 
 	os_memcpy(out, session->master_key, outlen);
 
 	os_memcpy(out, session->master_key, outlen);
 
 	return outlen;
 
 	return outlen;
 
 }
 
 }
 
+#endif /* OPENSSL_NEED_EAP_FAST_PRF */
 
 
 
 #endif
 
 #endif
 
 
 
@@ -3088,7 +3096,7 @@ int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn,
 
 }
 
 }
 
 
 
 
 
-#ifndef CONFIG_FIPS
 
+#ifdef OPENSSL_NEED_EAP_FAST_PRF
 
 static int openssl_get_keyblock_size(SSL *ssl)
 
 static int openssl_get_keyblock_size(SSL *ssl)
 
 {
 
 {
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 
@@ -3143,7 +3151,7 @@ static int openssl_get_keyblock_size(SSL *ssl)
 
 		    EVP_CIPHER_iv_length(c));
 
 		    EVP_CIPHER_iv_length(c));
 
 #endif
 
 #endif
 
 }
 
 }
 
-#endif /* CONFIG_FIPS */
 
+#endif /* OPENSSL_NEED_EAP_FAST_PRF */
 
 
 
 
 
 int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
 
 int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
 
@@ -3160,11 +3168,7 @@ int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
 
 int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
 
 int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
 
 				    u8 *out, size_t out_len)
 
 				    u8 *out, size_t out_len)
 
 {
 
 {
 
-#ifdef CONFIG_FIPS
 
-	wpa_printf(MSG_ERROR, "OpenSSL: TLS keys cannot be exported in FIPS "
 
-		   "mode");
 
-	return -1;
 
-#else /* CONFIG_FIPS */
 
+#ifdef OPENSSL_NEED_EAP_FAST_PRF
 
 	SSL *ssl;
 
 	SSL *ssl;
 
 	SSL_SESSION *sess;
 
 	SSL_SESSION *sess;
 
 	u8 *rnd;
 
 	u8 *rnd;
 
@@ -3233,7 +3237,11 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
 
 	bin_clear_free(tmp_out, skip);
 
 	bin_clear_free(tmp_out, skip);
 
 
 
 	return ret;
 
 	return ret;
 
-#endif /* CONFIG_FIPS */
 
+#else /* OPENSSL_NEED_EAP_FAST_PRF */
 
+	wpa_printf(MSG_ERROR,
 
+		   "OpenSSL: EAP-FAST keys cannot be exported in FIPS mode");
 
+	return -1;
 
+#endif /* OPENSSL_NEED_EAP_FAST_PRF */
 
 }
 
 }