From 415c00bdbad6498137300230bfb9597c70ff288e Mon Sep 17 00:00:00 2001
From: David Benjamin <davidben@google.com>
Date: Tue, 17 May 2016 13:24:43 -0400
Subject: [PATCH 2/2] OpenSSL: Don't implement tls_connection_get_eap_fast_key
if EAP-FAST is disabled.
This avoids internal access of structs and also removes the dependency on the
reimplemented TLS PRF functions when EAP-FAST support is not enabled. Notably,
BoringSSL doesn't support EAP-FAST, so there is no need to access its internals
with openssl_get_keyblock_size.
Signed-Off-By: David Benjamin <davidben@google.com>
---
src/crypto/tls_openssl.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
@@ -3087,8 +3087,9 @@ int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn,
return 0;
}
-
-#ifndef CONFIG_FIPS
+#if !defined(CONFIG_FIPS) || \
+ (!defined(EAP_FAST) && !defined(EAP_FAST_DYNAMIC) && \
+ !defined(EAP_SERVER_FAST))
static int openssl_get_keyblock_size(SSL *ssl)
{
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
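Review bot: The new guard at the top of this hunk is inverted on its second operand: `!defined(CONFIG_FIPS) || (!defined(EAP_FAST) && !defined(EAP_FAST_DYNAMIC) && !defined(EAP_SERVER_FAST))` is true in every build without EAP-FAST, including CONFIG_FIPS builds, so openssl_get_keyblock_size and its access to library-internal structs stay compiled in exactly the configurations the commit sets out to drop them from. With the third hunk making tls_connection_get_eap_fast_key return early in those builds, the static function presumably has no remaining caller and will draw an unused-function warning. The `#endif /* CONFIG_FIPS || !EAP_FAST */` in the second hunk names the intended negated condition, so the guard should read `#if !defined(CONFIG_FIPS) && \` / `(defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \` / `defined(EAP_SERVER_FAST))`. The body of openssl_get_keyblock_size continues past this hunk.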
@@ -3143,7 +3144,7 @@ static int openssl_get_keyblock_size(SSL *ssl)
EVP_CIPHER_iv_length(c));
#endif
}
-#endif /* CONFIG_FIPS */
+#endif /* CONFIG_FIPS || !EAP_FAST */
int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
@@ -3162,11 +3163,13 @@ int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
u8 *out, size_t out_len)
{
-#ifdef CONFIG_FIPS
+#if !defined(EAP_FAST) && !defined(EAP_FAST_DYNAMIC) && !defined(EAP_SERVER_FAST)
+ return -1;
+#elif defined(CONFIG_FIPS)
wpa_printf(MSG_ERROR, "OpenSSL: TLS keys cannot be exported in FIPS "
"mode");
return -1;
-#else /* CONFIG_FIPS */
+#else
SSL *ssl;
SSL_SESSION *sess;
u8 *rnd;
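Review bot: The added `#if !defined(EAP_FAST) && !defined(EAP_FAST_DYNAMIC) && !defined(EAP_SERVER_FAST)` line runs past 80 columns, while the same three-macro test in the first hunk is split with backslash continuations; the two should be written the same way, e.g. `#if !defined(EAP_FAST) && !defined(EAP_FAST_DYNAMIC) && \` / `!defined(EAP_SERVER_FAST)`. The `#elif`/`#else`/`#endif` of this function also lose their trailing condition comments, which the old `#else /* CONFIG_FIPS */` provided; keeping `/* CONFIG_FIPS */` on the `#else` and `/* !EAP_FAST && CONFIG_FIPS */` style notes on the `#endif` helps readers of a three-way block that spans more than a screen. The body of tls_connection_get_eap_fast_key continues past this hunk.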
@@ -3235,7 +3238,7 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
bin_clear_free(tmp_out, skip);
return ret;
-#endif /* CONFIG_FIPS */
+#endif
}
--
2.8.0.rc3.226.g39d4020