mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2025-01-17 18:34:03 -05:00
Support building with BoringSSL
BoringSSL is Google's cleanup of OpenSSL and an attempt to unify Chromium, Android and internal codebases around a single OpenSSL. As part of moving Android to BoringSSL, the wpa_supplicant maintainers in Android requested that I upstream the change. I've worked to reduce the size of the patch a lot but I'm afraid that it still contains a number of #ifdefs. [1] https://www.imperialviolet.org/2014/06/20/boringssl.html Signed-off-by: Adam Langley <agl@chromium.org>
This commit is contained in:
parent
1236eda131
commit
a8572960a9
@ -40,7 +40,7 @@
|
|||||||
|
|
||||||
static BIGNUM * get_group5_prime(void)
|
static BIGNUM * get_group5_prime(void)
|
||||||
{
|
{
|
||||||
#if OPENSSL_VERSION_NUMBER < 0x00908000
|
#if OPENSSL_VERSION_NUMBER < 0x00908000 || defined(OPENSSL_IS_BORINGSSL)
|
||||||
static const unsigned char RFC3526_PRIME_1536[] = {
|
static const unsigned char RFC3526_PRIME_1536[] = {
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
|
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
|
||||||
0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
|
0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
|
||||||
@ -130,7 +130,7 @@ void des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
|
|||||||
}
|
}
|
||||||
pkey[i] = next | 1;
|
pkey[i] = next | 1;
|
||||||
|
|
||||||
DES_set_key(&pkey, &ks);
|
DES_set_key((DES_cblock *) &pkey, &ks);
|
||||||
DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks,
|
DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks,
|
||||||
DES_ENCRYPT);
|
DES_ENCRYPT);
|
||||||
}
|
}
|
||||||
@ -199,8 +199,10 @@ static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen)
|
|||||||
switch (keylen) {
|
switch (keylen) {
|
||||||
case 16:
|
case 16:
|
||||||
return EVP_aes_128_ecb();
|
return EVP_aes_128_ecb();
|
||||||
|
#ifndef OPENSSL_IS_BORINGSSL
|
||||||
case 24:
|
case 24:
|
||||||
return EVP_aes_192_ecb();
|
return EVP_aes_192_ecb();
|
||||||
|
#endif /* OPENSSL_IS_BORINGSSL */
|
||||||
case 32:
|
case 32:
|
||||||
return EVP_aes_256_ecb();
|
return EVP_aes_256_ecb();
|
||||||
}
|
}
|
||||||
@ -378,9 +380,11 @@ struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
|
|||||||
case 16:
|
case 16:
|
||||||
cipher = EVP_aes_128_cbc();
|
cipher = EVP_aes_128_cbc();
|
||||||
break;
|
break;
|
||||||
|
#ifndef OPENSSL_IS_BORINGSSL
|
||||||
case 24:
|
case 24:
|
||||||
cipher = EVP_aes_192_cbc();
|
cipher = EVP_aes_192_cbc();
|
||||||
break;
|
break;
|
||||||
|
#endif /* OPENSSL_IS_BORINGSSL */
|
||||||
case 32:
|
case 32:
|
||||||
cipher = EVP_aes_256_cbc();
|
cipher = EVP_aes_256_cbc();
|
||||||
break;
|
break;
|
||||||
|
@ -38,14 +38,26 @@
|
|||||||
#define OPENSSL_SUPPORTS_CTX_APP_DATA
|
#define OPENSSL_SUPPORTS_CTX_APP_DATA
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef SSL_F_SSL_SET_SESSION_TICKET_EXT
|
#if OPENSSL_VERSION_NUMBER < 0x10000000L
|
||||||
#ifdef SSL_OP_NO_TICKET
|
/* ERR_remove_thread_state replaces ERR_remove_state and the latter is
|
||||||
|
* deprecated. However, OpenSSL 0.9.8 doesn't include
|
||||||
|
* ERR_remove_thread_state. */
|
||||||
|
#define ERR_remove_thread_state(tid) ERR_remove_state(0)
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
|
||||||
/*
|
/*
|
||||||
* Session ticket override patch was merged into OpenSSL 0.9.9 tree on
|
* Session ticket override patch was merged into OpenSSL 0.9.9 tree on
|
||||||
* 2008-11-15. This version uses a bit different API compared to the old patch.
|
* 2008-11-15. This version uses a bit different API compared to the old patch.
|
||||||
*/
|
*/
|
||||||
#define CONFIG_OPENSSL_TICKET_OVERRIDE
|
#define CONFIG_OPENSSL_TICKET_OVERRIDE
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(OPENSSL_IS_BORINGSSL)
|
||||||
|
/* stack_index_t is the return type of OpenSSL's sk_XXX_num() functions. */
|
||||||
|
typedef size_t stack_index_t;
|
||||||
|
#else
|
||||||
|
typedef int stack_index_t;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef SSL_set_tlsext_status_type
|
#ifdef SSL_set_tlsext_status_type
|
||||||
@ -853,7 +865,7 @@ void tls_deinit(void *ssl_ctx)
|
|||||||
ENGINE_cleanup();
|
ENGINE_cleanup();
|
||||||
#endif /* OPENSSL_NO_ENGINE */
|
#endif /* OPENSSL_NO_ENGINE */
|
||||||
CRYPTO_cleanup_all_ex_data();
|
CRYPTO_cleanup_all_ex_data();
|
||||||
ERR_remove_state(0);
|
ERR_remove_thread_state(NULL);
|
||||||
ERR_free_strings();
|
ERR_free_strings();
|
||||||
EVP_cleanup();
|
EVP_cleanup();
|
||||||
os_free(tls_global->ocsp_stapling_response);
|
os_free(tls_global->ocsp_stapling_response);
|
||||||
@ -1102,7 +1114,8 @@ static int tls_match_altsubject_component(X509 *cert, int type,
|
|||||||
{
|
{
|
||||||
GENERAL_NAME *gen;
|
GENERAL_NAME *gen;
|
||||||
void *ext;
|
void *ext;
|
||||||
int i, found = 0;
|
int found = 0;
|
||||||
|
stack_index_t i;
|
||||||
|
|
||||||
ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
|
ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
|
||||||
|
|
||||||
@ -1211,7 +1224,7 @@ static int tls_match_suffix(X509 *cert, const char *match)
|
|||||||
|
|
||||||
ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
|
ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
|
||||||
|
|
||||||
for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
|
for (i = 0; ext && i < (int) sk_GENERAL_NAME_num(ext); i++) {
|
||||||
gen = sk_GENERAL_NAME_value(ext, i);
|
gen = sk_GENERAL_NAME_value(ext, i);
|
||||||
if (gen->type != GEN_DNS)
|
if (gen->type != GEN_DNS)
|
||||||
continue;
|
continue;
|
||||||
@ -1639,7 +1652,7 @@ static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn,
|
|||||||
if (ca_cert && os_strncmp("keystore://", ca_cert, 11) == 0) {
|
if (ca_cert && os_strncmp("keystore://", ca_cert, 11) == 0) {
|
||||||
BIO *bio = BIO_from_keystore(&ca_cert[11]);
|
BIO *bio = BIO_from_keystore(&ca_cert[11]);
|
||||||
STACK_OF(X509_INFO) *stack = NULL;
|
STACK_OF(X509_INFO) *stack = NULL;
|
||||||
int i;
|
stack_index_t i;
|
||||||
|
|
||||||
if (bio) {
|
if (bio) {
|
||||||
stack = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
|
stack = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
|
||||||
@ -3386,9 +3399,15 @@ unsigned int tls_capabilities(void *tls_ctx)
|
|||||||
* commented out unless explicitly needed for EAP-FAST in order to be able to
|
* commented out unless explicitly needed for EAP-FAST in order to be able to
|
||||||
* build this file with unmodified openssl. */
|
* build this file with unmodified openssl. */
|
||||||
|
|
||||||
|
#ifdef OPENSSL_IS_BORINGSSL
|
||||||
|
static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
|
||||||
|
STACK_OF(SSL_CIPHER) *peer_ciphers,
|
||||||
|
const SSL_CIPHER **cipher, void *arg)
|
||||||
|
#else /* OPENSSL_IS_BORINGSSL */
|
||||||
static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
|
static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
|
||||||
STACK_OF(SSL_CIPHER) *peer_ciphers,
|
STACK_OF(SSL_CIPHER) *peer_ciphers,
|
||||||
SSL_CIPHER **cipher, void *arg)
|
SSL_CIPHER **cipher, void *arg)
|
||||||
|
#endif /* OPENSSL_IS_BORINGSSL */
|
||||||
{
|
{
|
||||||
struct tls_connection *conn = arg;
|
struct tls_connection *conn = arg;
|
||||||
int ret;
|
int ret;
|
||||||
|
@ -106,9 +106,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||||||
case 21:
|
case 21:
|
||||||
nid = NID_secp521r1;
|
nid = NID_secp521r1;
|
||||||
break;
|
break;
|
||||||
|
#ifndef OPENSSL_IS_BORINGSSL
|
||||||
case 25:
|
case 25:
|
||||||
nid = NID_X9_62_prime192v1;
|
nid = NID_X9_62_prime192v1;
|
||||||
break;
|
break;
|
||||||
|
#endif /* OPENSSL_IS_BORINGSSL */
|
||||||
case 26:
|
case 26:
|
||||||
nid = NID_secp224r1;
|
nid = NID_secp224r1;
|
||||||
break;
|
break;
|
||||||
|
Loading…
Reference in New Issue
Block a user