head 1.2; access; symbols perseant-exfatfs-base-20250801:1.2 perseant-exfatfs-base-20240630:1.2 perseant-exfatfs:1.2.0.16 perseant-exfatfs-base:1.2 cjep_sun2x:1.2.0.14 cjep_sun2x-base:1.2 cjep_staticlib_x-base1:1.2 cjep_staticlib_x:1.2.0.12 cjep_staticlib_x-base:1.2 phil-wifi-20200421:1.2 phil-wifi-20200411:1.2 phil-wifi-20200406:1.2 pgoyette-compat-merge-20190127:1.2 pgoyette-compat-20190127:1.2 pgoyette-compat-20190118:1.2 pgoyette-compat-1226:1.2 pgoyette-compat-1126:1.2 pgoyette-compat-1020:1.2 pgoyette-compat-0930:1.2 pgoyette-compat-0906:1.2 netbsd-7-2-RELEASE:1.1.1.1.6.1 pgoyette-compat-0728:1.2 pgoyette-compat-0625:1.2 pgoyette-compat-0521:1.2 pgoyette-compat-0502:1.2 pgoyette-compat-0422:1.2 pgoyette-compat-0415:1.2 pgoyette-compat-0407:1.2 pgoyette-compat-0330:1.2 pgoyette-compat-0322:1.2 pgoyette-compat-0315:1.2 netbsd-7-1-2-RELEASE:1.1.1.1.6.1 pgoyette-compat:1.2.0.10 pgoyette-compat-base:1.2 netbsd-7-1-1-RELEASE:1.1.1.1.6.1 perseant-stdc-iso10646:1.2.0.8 perseant-stdc-iso10646-base:1.2 prg-localcount2-base3:1.2 prg-localcount2-base2:1.2 prg-localcount2-base1:1.2 prg-localcount2:1.2.0.6 prg-localcount2-base:1.2 pgoyette-localcount-20170426:1.2 bouyer-socketcan-base1:1.2 pgoyette-localcount-20170320:1.2 netbsd-7-1:1.1.1.1.6.1.0.4 netbsd-7-1-RELEASE:1.1.1.1.6.1 netbsd-7-1-RC2:1.1.1.1.6.1 bouyer-socketcan:1.2.0.4 bouyer-socketcan-base:1.2 pgoyette-localcount-20170107:1.2 netbsd-7-1-RC1:1.1.1.1.6.1 pgoyette-localcount-20161104:1.2 netbsd-7-0-2-RELEASE:1.1.1.1.6.1 localcount-20160914:1.2 pgoyette-localcount-20160806:1.2 pgoyette-localcount-20160726:1.2 pgoyette-localcount:1.2.0.2 pgoyette-localcount-base:1.2 netbsd-7-0-1-RELEASE:1.1.1.1.6.1 netbsd-7-0:1.1.1.1.6.1.0.2 netbsd-7-0-RELEASE:1.1.1.1.6.1 netbsd-7-0-RC3:1.1.1.1.6.1 netbsd-7-0-RC2:1.1.1.1.6.1 netbsd-7-0-RC1:1.1.1.1.6.1 tls-maxphys-base:1.1.1.1 tls-maxphys:1.1.1.1.0.8 netbsd-7:1.1.1.1.0.6 netbsd-7-base:1.1.1.1 yamt-pagecache:1.1.1.1.0.4 yamt-pagecache-base9:1.1.1.1 tls-earlyentropy:1.1.1.1.0.2 
tls-earlyentropy-base:1.1.1.1 riastradh-xf86-video-intel-2-7-1-pre-2-21-15:1.1.1.1 riastradh-drm2-base3:1.1.1.1 v2_0:1.1.1.1 MALINEN:1.1.1; locks; strict; comment @# @; 1.2 date 2014.10.16.19.29.29; author christos; state dead; branches; next 1.1; commitid 0eF3hIMAvI9hDsUx; 1.1 date 2014.01.03.02.05.37; author christos; state Exp; branches 1.1.1.1; next ; commitid UzsktaU3uSYx2Cjx; 1.1.1.1 date 2014.01.03.02.05.37; author christos; state Exp; branches 1.1.1.1.4.1 1.1.1.1.6.1 1.1.1.1.8.1; next ; commitid UzsktaU3uSYx2Cjx; 1.1.1.1.4.1 date 2014.01.03.02.05.37; author yamt; state dead; branches; next 1.1.1.1.4.2; commitid B5sATmssHsox9yBx; 1.1.1.1.4.2 date 2014.05.22.15.51.38; author yamt; state Exp; branches; next ; commitid B5sATmssHsox9yBx; 1.1.1.1.6.1 date 2015.04.29.20.28.35; author snj; state dead; branches; next ; commitid aqsfGoFQny3sFwjy; 1.1.1.1.8.1 date 2014.01.03.02.05.37; author tls; state dead; branches; next 1.1.1.1.8.2; commitid jTnpym9Qu0o4R1Nx; 1.1.1.1.8.2 date 2014.08.19.23.52.16; author tls; state Exp; branches; next ; commitid jTnpym9Qu0o4R1Nx; desc @@ 1.2 log @merge conflicts. @ text @This patch adds support for TLS SessionTicket extension (RFC 5077) for the parts used by EAP-FAST (RFC 4851). This is based on the patch from Alexey Kobozev (sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300). OpenSSL 0.9.8x does not enable TLS extension support by default, so it will need to be enabled by adding enable-tlsext to config script command line. 
diff -upr openssl-0.9.8x.orig/ssl/s3_clnt.c openssl-0.9.8x/ssl/s3_clnt.c --- openssl-0.9.8x.orig/ssl/s3_clnt.c 2011-12-26 21:38:28.000000000 +0200 +++ openssl-0.9.8x/ssl/s3_clnt.c 2012-07-07 10:46:31.501140621 +0300 @@@@ -757,6 +757,21 @@@@ int ssl3_get_server_hello(SSL *s) goto f_err; } +#ifndef OPENSSL_NO_TLSEXT + /* check if we want to resume the session based on external pre-shared secret */ + if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + s->session->master_key_length=sizeof(s->session->master_key); + if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, + NULL, &pref_cipher, s->tls_session_secret_cb_arg)) + { + s->session->cipher=pref_cipher ? + pref_cipher : ssl_get_cipher_by_char(s,p+j); + } + } +#endif /* OPENSSL_NO_TLSEXT */ + if (j != 0 && j == s->session->session_id_length && memcmp(p,s->session->session_id,j) == 0) { @@@@ -2725,11 +2740,8 @@@@ int ssl3_check_finished(SSL *s) { int ok; long n; - /* If we have no ticket or session ID is non-zero length (a match of - * a non-zero session length would never reach here) it cannot be a - * resumed session. - */ - if (!s->session->tlsext_tick || s->session->session_id_length) + /* If we have no ticket it cannot be a resumed session. */ + if (!s->session->tlsext_tick) return 1; /* this function is called when we really expect a Certificate * message, so permit appropriate message length */ diff -upr openssl-0.9.8x.orig/ssl/s3_srvr.c openssl-0.9.8x/ssl/s3_srvr.c --- openssl-0.9.8x.orig/ssl/s3_srvr.c 2012-02-16 17:21:17.000000000 +0200 +++ openssl-0.9.8x/ssl/s3_srvr.c 2012-07-07 10:46:31.501140621 +0300 @@@@ -1009,6 +1009,59 @@@@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } + + /* Check if we want to use external pre-shared secret for this + * handshake for not reused session only. 
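Review bot: In the ssl3_get_server_hello hunk of ssl/s3_clnt.c, the length that tls_session_secret_cb writes back through `&s->session->master_key_length` is accepted without validation, so a callback that reports a non-positive or oversized value leaves the session with a master-key length that later code trusts. After a successful callback I would add `if (s->session->master_key_length <= 0 || s->session->master_key_length > (int)sizeof(s->session->master_key)) goto f_err;`, with the alert set as the function's other f_err paths do. The same check is missing after the callback call in the ssl3_get_client_hello hunk of ssl/s3_srvr.c. The function body continues outside the hunk, so where a NULL result from `ssl_get_cipher_by_char(s,p+j)` is rejected is not visible here and deserves a one-line comment.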
We need to generate + * server_random before calling tls_session_secret_cb in order to allow + * SessionTicket processing to use it in key derivation. */ + { + unsigned long Time; + unsigned char *pos; + Time=(unsigned long)time(NULL); /* Time */ + pos=s->s3->server_random; + l2n(Time,pos); + if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0) + { + al=SSL_AD_INTERNAL_ERROR; + goto f_err; + } + } + + if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + + s->session->master_key_length=sizeof(s->session->master_key); + if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, + ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) + { + s->hit=1; + s->session->ciphers=ciphers; + s->session->verify_result=X509_V_OK; + + ciphers=NULL; + + /* check if some cipher was preferred by call back */ + pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); + if (pref_cipher == NULL) + { + al=SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); + goto f_err; + } + + s->session->cipher=pref_cipher; + + if (s->cipher_list) + sk_SSL_CIPHER_free(s->cipher_list); + + if (s->cipher_list_by_id) + sk_SSL_CIPHER_free(s->cipher_list_by_id); + + s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); + s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); + } + } #endif /* Worst case, we will use the NULL compression, but if we have other * options, we will now look for them. 
We have i-1 compression @@@@ -1147,16 +1200,22 @@@@ int ssl3_send_server_hello(SSL *s) unsigned char *buf; unsigned char *p,*d; int i,sl; - unsigned long l,Time; + unsigned long l; +#ifdef OPENSSL_NO_TLSEXT + unsigned long Time; +#endif if (s->state == SSL3_ST_SW_SRVR_HELLO_A) { buf=(unsigned char *)s->init_buf->data; +#ifdef OPENSSL_NO_TLSEXT p=s->s3->server_random; + /* Generate server_random if it was not needed previously */ Time=(unsigned long)time(NULL); /* Time */ l2n(Time,p); if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) return -1; +#endif /* Do the message type and length last */ d=p= &(buf[4]); diff -upr openssl-0.9.8x.orig/ssl/ssl_err.c openssl-0.9.8x/ssl/ssl_err.c --- openssl-0.9.8x.orig/ssl/ssl_err.c 2012-03-12 16:50:55.000000000 +0200 +++ openssl-0.9.8x/ssl/ssl_err.c 2012-07-07 10:46:31.501140621 +0300 @@@@ -264,6 +264,7 @@@@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"}, {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"}, {ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"}, +{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"}, {0,NULL} }; diff -upr openssl-0.9.8x.orig/ssl/ssl.h openssl-0.9.8x/ssl/ssl.h --- openssl-0.9.8x.orig/ssl/ssl.h 2012-03-12 16:50:55.000000000 +0200 +++ openssl-0.9.8x/ssl/ssl.h 2012-07-07 10:46:31.501140621 +0300 @@@@ -344,6 +344,7 @@@@ extern "C" { * 'struct ssl_st *' function parameters used to prototype callbacks * in SSL_CTX. 
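Review bot: In the ssl3_get_client_hello hunk of ssl/s3_srvr.c, both `sk_SSL_CIPHER_dup(s->session->ciphers)` results are stored without a NULL check, after the previous `s->cipher_list` and `s->cipher_list_by_id` have already been freed. On allocation failure the handshake would continue with NULL per-connection lists; what later code does with them is outside the hunk. I would test each result and fail with `al=SSL_AD_INTERNAL_ERROR; goto f_err;`. A comment above `s->session->verify_result=X509_V_OK;` should state that on this path peer authentication rests entirely on the secret supplied by the callback.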
*/ typedef struct ssl_st *ssl_crock_st; +typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT; /* used to hold info on the particular ciphers used */ typedef struct ssl_cipher_st @@@@ -362,6 +363,9 @@@@ typedef struct ssl_cipher_st DECLARE_STACK_OF(SSL_CIPHER) +typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg); +typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); + /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ typedef struct ssl_method_st { @@@@ -1050,6 +1054,18 @@@@ struct ssl_st /* RFC4507 session ticket expected to be received or sent */ int tlsext_ticket_expected; + + /* TLS Session Ticket extension override */ + TLS_SESSION_TICKET_EXT *tlsext_session_ticket; + + /* TLS Session Ticket extension callback */ + tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb; + void *tls_session_ticket_ext_cb_arg; + + /* TLS pre-shared secret session resumption */ + tls_session_secret_cb_fn tls_session_secret_cb; + void *tls_session_secret_cb_arg; + SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ #define session_ctx initial_ctx #else @@@@ -1663,6 +1679,15 @@@@ void *SSL_COMP_get_compression_methods(v int SSL_COMP_add_compression_method(int id,void *cm); #endif +/* TLS extensions functions */ +int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len); + +int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, + void *arg); + +/* Pre-shared secret session resumption functions */ +int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. 
@@@@ -1866,6 +1891,7 @@@@ void ERR_load_SSL_strings(void); #define SSL_F_TLS1_ENC 210 #define SSL_F_TLS1_SETUP_KEY_BLOCK 211 #define SSL_F_WRITE_PENDING 212 +#define SSL_F_SSL_SET_SESSION_TICKET_EXT 213 /* Reason codes. */ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 diff -upr openssl-0.9.8x.orig/ssl/ssl_sess.c openssl-0.9.8x/ssl/ssl_sess.c --- openssl-0.9.8x.orig/ssl/ssl_sess.c 2010-02-01 18:48:40.000000000 +0200 +++ openssl-0.9.8x/ssl/ssl_sess.c 2012-07-07 10:46:31.501140621 +0300 @@@@ -712,6 +712,61 @@@@ long SSL_CTX_get_timeout(const SSL_CTX * return(s->session_timeout); } +#ifndef OPENSSL_NO_TLSEXT +int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len, + STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg) + { + if (s == NULL) return(0); + s->tls_session_secret_cb = tls_session_secret_cb; + s->tls_session_secret_cb_arg = arg; + return(1); + } + +int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, + void *arg) + { + if (s == NULL) return(0); + s->tls_session_ticket_ext_cb = cb; + s->tls_session_ticket_ext_cb_arg = arg; + return(1); + } + +int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) + { + if (s->version >= TLS1_VERSION) + { + if (s->tlsext_session_ticket) + { + OPENSSL_free(s->tlsext_session_ticket); + s->tlsext_session_ticket = NULL; + } + + s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len); + if (!s->tlsext_session_ticket) + { + SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE); + return 0; + } + + if (ext_data) + { + s->tlsext_session_ticket->length = ext_len; + s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1; + memcpy(s->tlsext_session_ticket->data, ext_data, ext_len); + } + else + { + s->tlsext_session_ticket->length = 0; + s->tlsext_session_ticket->data = NULL; + } + + return 1; + } + + return 0; + } +#endif /* OPENSSL_NO_TLSEXT */ + typedef struct timeout_param_st { SSL_CTX 
*ctx; diff -upr openssl-0.9.8x.orig/ssl/t1_lib.c openssl-0.9.8x/ssl/t1_lib.c --- openssl-0.9.8x.orig/ssl/t1_lib.c 2012-01-04 16:25:10.000000000 +0200 +++ openssl-0.9.8x/ssl/t1_lib.c 2012-07-07 10:47:31.153140501 +0300 @@@@ -106,6 +106,12 @@@@ int tls1_new(SSL *s) void tls1_free(SSL *s) { +#ifndef OPENSSL_NO_TLSEXT + if (s->tlsext_session_ticket) + { + OPENSSL_free(s->tlsext_session_ticket); + } +#endif ssl3_free(s); } @@@@ -206,8 +212,23 @@@@ unsigned char *ssl_add_clienthello_tlsex int ticklen; if (!s->new_session && s->session && s->session->tlsext_tick) ticklen = s->session->tlsext_ticklen; + else if (s->session && s->tlsext_session_ticket && + s->tlsext_session_ticket->data) + { + ticklen = s->tlsext_session_ticket->length; + s->session->tlsext_tick = OPENSSL_malloc(ticklen); + if (!s->session->tlsext_tick) + return NULL; + memcpy(s->session->tlsext_tick, + s->tlsext_session_ticket->data, + ticklen); + s->session->tlsext_ticklen = ticklen; + } else ticklen = 0; + if (ticklen == 0 && s->tlsext_session_ticket && + s->tlsext_session_ticket->data == NULL) + goto skip_ext; /* Check for enough room 2 for extension type, 2 for len * rest for ticket */ @@@@ -221,6 +242,7 @@@@ unsigned char *ssl_add_clienthello_tlsex ret += ticklen; } } + skip_ext: if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && s->version != DTLS1_VERSION) @@@@ -486,6 +508,15 @@@@ int ssl_parse_clienthello_tlsext(SSL *s, return 0; renegotiate_seen = 1; } + else if (type == TLSEXT_TYPE_session_ticket) + { + if (s->tls_session_ticket_ext_cb && + !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } + } else if (type == TLSEXT_TYPE_status_request && s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) { @@@@ -663,6 +694,12 @@@@ int ssl_parse_serverhello_tlsext(SSL *s, } else if (type == TLSEXT_TYPE_session_ticket) { + if (s->tls_session_ticket_ext_cb && + !s->tls_session_ticket_ext_cb(s, data, size, 
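Review bot: SSL_set_session_ticket_ext in ssl/ssl_sess.c uses `ext_len` unchecked. A negative value can make `sizeof(TLS_SESSION_TICKET_EXT) + ext_len` wrap to an undersized allocation while `memcpy` receives a very large size, and a value above 65535 is silently truncated when stored in the `unsigned short length` field declared in the ssl/tls1.h hunk. I would reject both at the top with `if (s == NULL || ext_len < 0 || ext_len > 0xffff) return 0;`, which also adds the `s == NULL` guard that the two sibling setters in this hunk already have. A short comment that the ticket bytes live in the same allocation as the header, so one `OPENSSL_free` releases both, would explain the `s->tlsext_session_ticket + 1` pointer.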
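Review bot: In the ssl_add_clienthello_tlsext hunk of ssl/t1_lib.c, the new branch assigns `s->session->tlsext_tick = OPENSSL_malloc(ticklen)` without releasing a ticket the session may already hold. The branch can be reached with `s->new_session` set, and whether `tlsext_tick` is always NULL in that case is not visible in the hunk. Freeing first with `if (s->session->tlsext_tick) OPENSSL_free(s->session->tlsext_tick);` would rule out a leak. The enclosing function starts and ends outside the hunk.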
s->tls_session_ticket_ext_cb_arg)) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { @@@@ -920,6 +957,15 @@@@ int tls1_process_ticket(SSL *s, unsigned s->tlsext_ticket_expected = 1; return 0; /* Cache miss */ } + if (s->tls_session_secret_cb) + { + /* Indicate cache miss here and instead of + * generating the session from ticket now, + * trigger abbreviated handshake based on + * external mechanism to calculate the master + * secret later. */ + return 0; + } return tls_decrypt_ticket(s, p, size, session_id, len, ret); } diff -upr openssl-0.9.8x.orig/ssl/tls1.h openssl-0.9.8x/ssl/tls1.h --- openssl-0.9.8x.orig/ssl/tls1.h 2009-11-08 16:51:54.000000000 +0200 +++ openssl-0.9.8x/ssl/tls1.h 2012-07-07 10:46:31.501140621 +0300 @@@@ -401,6 +401,13 @@@@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T #define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/ #endif +/* TLS extension struct */ +struct tls_session_ticket_ext_st + { + unsigned short length; + void *data; + }; + #ifdef __cplusplus } #endif diff -upr openssl-0.9.8x.orig/util/ssleay.num openssl-0.9.8x/util/ssleay.num --- openssl-0.9.8x.orig/util/ssleay.num 2008-06-05 13:57:21.000000000 +0300 +++ openssl-0.9.8x/util/ssleay.num 2012-07-07 10:46:31.505140623 +0300 @@@@ -242,3 +242,5 @@@@ SSL_set_SSL_CTX SSL_get_servername 291 EXIST::FUNCTION:TLSEXT SSL_get_servername_type 292 EXIST::FUNCTION:TLSEXT SSL_CTX_set_client_cert_engine 293 EXIST::FUNCTION:ENGINE +SSL_set_session_ticket_ext 306 EXIST::FUNCTION:TLSEXT +SSL_set_session_secret_cb 307 EXIST::FUNCTION:TLSEXT @ 1.1 log @Initial revision @ text @@ 1.1.1.1 log @import v2_0: 2013-01-12 - v2.0 * removed Qt3-based wpa_gui (obsoleted by wpa_qui-qt4) * removed unmaintained driver wrappers broadcom, iphone, osx, ralink, hostap, madwifi (hostap and madwifi remain available for hostapd; their wpa_supplicant functionality is obsoleted by wext) * improved debug logging 
(human readable event names, interface name included in more entries) * changed AP mode behavior to enable WPS only for open and WPA/WPA2-Personal configuration * improved P2P concurrency operations - better coordination of concurrent scan and P2P search operations - avoid concurrent remain-on-channel operation requests by canceling previous operations prior to starting a new one - reject operations that would require multi-channel concurrency if the driver does not support it - add parameter to select whether STA or P2P connection is preferred if the driver cannot support both at the same time - allow driver to indicate channel changes - added optional delay= parameter for p2p_find to avoid taking all radio resources - use 500 ms p2p_find search delay by default during concurrent operations - allow all channels in GO Negotiation if the driver supports multi-channel concurrency * added number of small changes to make it easier for static analyzers to understand the implementation * fixed number of small bugs (see git logs for more details) * nl80211: number of updates to use new cfg80211/nl80211 functionality - replace monitor interface with nl80211 commands for AP mode - additional information for driver-based AP SME - STA entry authorization in RSN IBSS * EAP-pwd: - fixed KDF for group 21 and zero-padding - added support for fragmentation - increased maximum number of hunting-and-pecking iterations * avoid excessive Probe Response retries for broadcast Probe Request frames (only with drivers using wpa_supplicant AP mode SME/MLME) * added "GET country" ctrl_iface command * do not save an invalid network block in wpa_supplicant.conf to avoid problems reading the file on next start * send STA connected/disconnected ctrl_iface events to both the P2P group and parent interfaces * added preliminary support for using TLS v1.2 (CONFIG_TLSV12=y) * added "SET pno <1/0>" ctrl_iface command to start/stop preferred network offload with sched_scan driver command * merged in 
number of changes from Android repository for P2P, nl80211, and build parameters * changed P2P GO mode configuration to use driver capabilities to automatically enable HT operations when supported * added "wpa_cli status wps" command to fetch WPA2-Personal passhrase for WPS use cases in AP mode * EAP-AKA: keep pseudonym identity across EAP exchanges to match EAP-SIM behavior * improved reassociation behavior in cases where association is rejected or when an AP disconnects us to handle common load balancing mechanisms - try to avoid extra scans when the needed information is available * added optional "join" argument for p2p_prov_disc ctrl_iface command * added group ifname to P2P-PROV-DISC-* events * added P2P Device Address to AP-STA-DISCONNECTED event and use p2p_dev_addr parameter name with AP-STA-CONNECTED * added workarounds for WPS PBC overlap detection for some P2P use cases where deployed stations work incorrectly * optimize WPS connection speed by disconnecting prior to WPS scan and by using single channel scans when AP channel is known * PCSC and SIM/USIM improvements: - accept 0x67 (Wrong length) as a response to READ RECORD to fix issues with some USIM cards - try to read MNC length from SIM/USIM - build realm according to 3GPP TS 23.003 with identity from the SIM - allow T1 protocol to be enabled * added more WPS and P2P information available through D-Bus * improve P2P negotiation robustness - extra waits to get ACK frames through - longer timeouts for cases where deployed devices have been identified have issues meeting the specification requirements - more retries for some P2P frames - handle race conditions in GO Negotiation start by both devices - ignore unexpected GO Negotiation Response frame * added support for libnl 3.2 and newer * added P2P persistent group info to P2P_PEER data * maintain a list of P2P Clients for persistent group on GO * AP: increased initial group key handshake retransmit timeout to 500 ms * added optional dev_id parameter 
for p2p_find * added P2P-FIND-STOPPED ctrl_iface event * fixed issues in WPA/RSN element validation when roaming with ap_scan=1 and driver-based BSS selection * do not expire P2P peer entries while connected with the peer in a group * fixed WSC element inclusion in cases where P2P is disabled * AP: added a WPS workaround for mixed mode AP Settings with Windows 7 * EAP-SIM: fixed AT_COUNTER_TOO_SMALL use * EAP-SIM/AKA: append realm to pseudonym identity * EAP-SIM/AKA: store pseudonym identity in network configuration to allow it to persist over multiple EAP sessions and wpa_supplicant restarts * EAP-AKA': updated to RFC 5448 (username prefixes changed); note: this breaks interoperability with older versions * added support for WFA Hotspot 2.0 - GAS/ANQP to fetch network information - credential configuration and automatic network selections based on credential match with ANQP information * limited PMKSA cache entries to be used only with the network context that was used to create them * improved PMKSA cache expiration to avoid unnecessary disconnections * adjusted bgscan_simple fast-scan backoff to avoid too frequent background scans * removed ctrl_iface event on P2P PD Response in join-group case * added option to fetch BSS table entry based on P2P Device Address ("BSS p2p_dev_addr=") * added BSS entry age to ctrl_iface BSS command output * added optional MASK=0xH option for ctrl_iface BSS command to select which fields are included in the response * added optional RANGE=ALL|N1-N2 option for ctrl_iface BSS command to fetch information about several BSSes in one call * simplified licensing terms by selecting the BSD license as the only alternative * added "P2P_SET disallow_freq " ctrl_iface command to disable channels from P2P use * added p2p_pref_chan configuration parameter to allow preferred P2P channels to be specified * added support for advertising immediate availability of a WPS credential for P2P use cases * optimized scan operations for P2P use cases (use 
single channel scan for a specific SSID when possible) * EAP-TTLS: fixed peer challenge generation for MSCHAPv2 * SME: do not use reassociation after explicit disconnection request (local or a notification from an AP) * added support for sending debug info to Linux tracing (-T on command line) * added support for using Deauthentication reason code 3 as an indication of P2P group termination * added wps_vendor_ext_m1 configuration parameter to allow vendor specific attributes to be added to WPS M1 * started using separate TLS library context for tunneled TLS (EAP-PEAP/TLS, EAP-TTLS/TLS, EAP-FAST/TLS) to support different CA certificate configuration between Phase 1 and Phase 2 * added optional "auto" parameter for p2p_connect to request automatic GO Negotiation vs. join-a-group selection * added disabled_scan_offload parameter to disable automatic scan offloading (sched_scan) * added optional persistent= parameter for p2p_connect to allow forcing of a specific SSID/passphrase for GO Negotiation * added support for OBSS scan requests and 20/40 BSS coexistence reports * reject PD Request for unknown group * removed scripts and notes related to Windows binary releases (which have not been used starting from 1.x) * added initial support for WNM operations - Keep-alive based on BSS max idle period - WNM-Sleep Mode - minimal BSS Transition Management processing * added autoscan module to control scanning behavior while not connected - autoscan_periodic and autoscan_exponential modules * added new WPS NFC ctrl_iface mechanism - added initial support NFC connection handover - removed obsoleted WPS_OOB command (including support for deprecated UFD config_method) * added optional framework for external password storage ("ext:") * wpa_cli: added optional support for controlling wpa_supplicant remotely over UDP (CONFIG_CTRL_IFACE=udp-remote) for testing purposes * wpa_cli: extended tab completion to more commands * changed SSID output to use printf-escaped strings instead of 
masking of non-ASCII characters - SSID can now be configured in the same format: ssid=P"abc\x00test" * removed default ACM=1 from AC_VO and AC_VI * added optional "ht40" argument for P2P ctrl_iface commands to allow 40 MHz channels to be requested on the 5 GHz band * added optional parameters for p2p_invite command to specify channel when reinvoking a persistent group as the GO * improved FIPS mode builds with OpenSSL - "make fips" with CONFIG_FIPS=y to build wpa_supplicant with the OpenSSL FIPS object module - replace low level OpenSSL AES API calls to use EVP - use OpenSSL keying material exporter when possible - do not export TLS keys in FIPS mode - remove MD5 from CONFIG_FIPS=y builds - use OpenSSL function for PKBDF2 passphrase-to-PSK - use OpenSSL HMAC implementation - mix RAND_bytes() output into random_get_bytes() to force OpenSSL DRBG to be used in FIPS mode - use OpenSSL CMAC implementation * added mechanism to disable TLS Session Ticket extension - a workaround for servers that do not support TLS extensions that was enabled by default in recent OpenSSL versions - tls_disable_session_ticket=1 - automatically disable TLS Session Ticket extension by default when using EAP-TLS/PEAP/TTLS (i.e., only use it with EAP-FAST) * changed VENDOR-TEST EAP method to use proper private enterprise number (this will not interoperate with older versions) * disable network block temporarily on authentication failures * improved WPS AP selection during WPS PIN iteration * added support for configuring GCMP cipher for IEEE 802.11ad * added support for Wi-Fi Display extensions - WFD_SUBELEMENT_SET ctrl_iface command to configure WFD subelements - SET wifi_display <0/1> to disable/enable WFD support - WFD service discovery - an external program is needed to manage the audio/video streaming and codecs * optimized scan result use for network selection - use the internal BSS table instead of raw scan results - allow unnecessary scans to be skipped if fresh information is available 
(e.g., after GAS/ANQP round for Interworking) * added support for 256-bit AES with internal TLS implementation * allow peer to propose channel in P2P invitation process for a persistent group * added disallow_aps parameter to allow BSSIDs/SSIDs to be disallowed from network selection * re-enable the networks disabled during WPS operations * allow P2P functionality to be disabled per interface (p2p_disabled=1) * added secondary device types into P2P_PEER output * added an option to disable use of a separate P2P group interface (p2p_no_group_iface=1) * fixed P2P Bonjour SD to match entries with both compressed and not compressed domain name format and support multiple Bonjour PTR matches for the same key * use deauthentication instead of disassociation for all disconnection operations; this removes the now unused disassociate() wpa_driver_ops callback * optimized PSK generation on P2P GO by caching results to avoid multiple PBKDF2 operations * added okc=1 global configuration parameter to allow OKC to be enabled by default for all network blocks * added a workaround for WPS PBC session overlap detection to avoid interop issues with deployed station implementations that do not remove active PBC indication from Probe Request frames properly * added basic support for 60 GHz band * extend EAPOL frames processing workaround for roaming cases (postpone processing of unexpected EAPOL frame until association event to handle reordered events) @ text @@ 1.1.1.1.6.1 log @Pull up following revision(s) (requested by christos in ticket #720): doc/3RDPARTY: patch external/bsd/wpa/bin/hostapd/Makefile: up to 1.8 external/bsd/wpa/bin/wpa_passphrase/Makefile: up to 1.3 external/bsd/wpa/bin/wpa_supplicant/Makefile: up to 1.5 external/bsd/wpa/dist/CONTRIBUTIONS: up to 1.1.1.2 external/bsd/wpa/dist/COPYING: up to 1.1.1.3 external/bsd/wpa/dist/README: up to 1.1.1.5 external/bsd/wpa/dist/hostapd/Android.mk: up to 1.1.1.4 external/bsd/wpa/dist/hostapd/ChangeLog: up to 1.1.1.7 
external/bsd/wpa/dist/hostapd/Makefile: up to 1.1.1.6 external/bsd/wpa/dist/hostapd/README: up to 1.1.1.5 external/bsd/wpa/dist/hostapd/README-WPS: up to 1.1.1.6 external/bsd/wpa/dist/hostapd/android.config: up to 1.1.1.3 external/bsd/wpa/dist/hostapd/config_file.c: up to 1.1.1.5 external/bsd/wpa/dist/hostapd/ctrl_iface.c: up to 1.1.1.6 external/bsd/wpa/dist/hostapd/defconfig: up to 1.1.1.5 external/bsd/wpa/dist/hostapd/dump_state.c: delete external/bsd/wpa/dist/hostapd/dump_state.h: delete external/bsd/wpa/dist/hostapd/eap_register.c: up to 1.1.1.4 external/bsd/wpa/dist/hostapd/hapd_module_tests.c: up to 1.1.1.1 external/bsd/wpa/dist/hostapd/hlr_auc_gw.c: up to 1.1.1.6 external/bsd/wpa/dist/hostapd/hostapd.8: up to 1.1.1.2 external/bsd/wpa/dist/hostapd/hostapd.conf: up to 1.1.1.6 external/bsd/wpa/dist/hostapd/hostapd.eap_user: up to 1.1.1.3 external/bsd/wpa/dist/hostapd/hostapd.eap_user_sqlite: up to 1.1.1.2 external/bsd/wpa/dist/hostapd/hostapd_cli.c: up to 1.7 external/bsd/wpa/dist/hostapd/main.c: up to 1.1.1.5 external/bsd/wpa/dist/hostapd/wps-ap-nfc.py: up to 1.1.1.1 external/bsd/wpa/dist/hs20/client/Android.mk: up to 1.1.1.2 external/bsd/wpa/dist/hs20/client/Makefile: up to 1.1.1.1 external/bsd/wpa/dist/hs20/client/devdetail.xml: up to 1.1.1.1 external/bsd/wpa/dist/hs20/client/devinfo.xml: up to 1.1.1.1 external/bsd/wpa/dist/hs20/client/est.c: up to 1.1.1.1 external/bsd/wpa/dist/hs20/client/oma_dm_client.c: up to 1.1.1.2 external/bsd/wpa/dist/hs20/client/osu_client.c: up to 1.1.1.2 external/bsd/wpa/dist/hs20/client/osu_client.h: up to 1.1.1.1 external/bsd/wpa/dist/hs20/client/spp_client.c: up to 1.1.1.1 external/bsd/wpa/dist/patches/openssl-0.9.8-tls-extensions.patch: delete external/bsd/wpa/dist/patches/openssl-0.9.8d-tls-extensions.patch: delete external/bsd/wpa/dist/patches/openssl-0.9.8e-tls-extensions.patch: delete external/bsd/wpa/dist/patches/openssl-0.9.8g-tls-extensions.patch: delete external/bsd/wpa/dist/patches/openssl-0.9.8h-tls-extensions.patch: 
delete external/bsd/wpa/dist/patches/openssl-0.9.8i-tls-extensions.patch: delete external/bsd/wpa/dist/patches/openssl-0.9.8x-tls-extensions.patch: delete external/bsd/wpa/dist/patches/openssl-0.9.8za-tls-extensions.patch: up to 1.1.1.2 external/bsd/wpa/dist/patches/openssl-0.9.9-session-ticket.patch: delete external/bsd/wpa/dist/src/Makefile: up to 1.1.1.3 external/bsd/wpa/dist/src/ap/Makefile: up to 1.1.1.2 external/bsd/wpa/dist/src/ap/accounting.c: up to 1.1.1.5 external/bsd/wpa/dist/src/ap/acs.c: up to 1.1.1.2 external/bsd/wpa/dist/src/ap/acs.h: up to 1.1.1.1 external/bsd/wpa/dist/src/ap/ap_config.c: up to 1.1.1.6 external/bsd/wpa/dist/src/ap/ap_config.h: up to 1.1.1.5 external/bsd/wpa/dist/src/ap/ap_drv_ops.c: up to 1.3 external/bsd/wpa/dist/src/ap/ap_drv_ops.h: up to 1.1.1.5 external/bsd/wpa/dist/src/ap/ap_list.c: up to 1.1.1.5 external/bsd/wpa/dist/src/ap/ap_list.h: up to 1.1.1.4 external/bsd/wpa/dist/src/ap/ap_mlme.c: up to 1.1.1.3 external/bsd/wpa/dist/src/ap/authsrv.c: up to 1.1.1.5 external/bsd/wpa/dist/src/ap/beacon.c: up to 1.1.1.6 external/bsd/wpa/dist/src/ap/beacon.h: up to 1.1.1.4 external/bsd/wpa/dist/src/ap/bss_load.c: up to 1.1.1.1 external/bsd/wpa/dist/src/ap/bss_load.h: up to 1.1.1.1 external/bsd/wpa/dist/src/ap/ctrl_iface_ap.c: up to 1.1.1.5 external/bsd/wpa/dist/src/ap/ctrl_iface_ap.h: up to 1.1.1.4 external/bsd/wpa/dist/src/ap/dfs.c: up to 1.1.1.2 external/bsd/wpa/dist/src/ap/dfs.h: up to 1.1.1.2 external/bsd/wpa/dist/src/ap/dhcp_snoop.c: up to 1.1.1.1 external/bsd/wpa/dist/src/ap/dhcp_snoop.h: up to 1.1.1.1 external/bsd/wpa/dist/src/ap/drv_callbacks.c: up to 1.1.1.6 external/bsd/wpa/dist/src/ap/eap_user_db.c: up to 1.1.1.2 external/bsd/wpa/dist/src/ap/gas_serv.c: up to 1.1.1.3 external/bsd/wpa/dist/src/ap/gas_serv.h: up to 1.1.1.2 external/bsd/wpa/dist/src/ap/hostapd.c: up to 1.1.1.6 external/bsd/wpa/dist/src/ap/hostapd.h: up to 1.1.1.6 external/bsd/wpa/dist/src/ap/hs20.c: up to 1.1.1.2 external/bsd/wpa/dist/src/ap/hs20.h: up to 1.1.1.2 
external/bsd/wpa/dist/src/ap/hw_features.c: up to 1.1.1.5 external/bsd/wpa/dist/src/ap/hw_features.h: up to 1.1.1.4 external/bsd/wpa/dist/src/ap/iapp.c: up to 1.1.1.4 external/bsd/wpa/dist/src/ap/ieee802_11.c: up to 1.1.1.6 external/bsd/wpa/dist/src/ap/ieee802_11.h: up to 1.1.1.6 external/bsd/wpa/dist/src/ap/ieee802_11_auth.c: up to 1.1.1.4 external/bsd/wpa/dist/src/ap/ieee802_11_ht.c: up to 1.1.1.5 external/bsd/wpa/dist/src/ap/ieee802_11_shared.c: up to 1.1.1.4 external/bsd/wpa/dist/src/ap/ieee802_11_vht.c: up to 1.1.1.3 external/bsd/wpa/dist/src/ap/ieee802_1x.c: up to 1.1.1.6 external/bsd/wpa/dist/src/ap/ieee802_1x.h: up to 1.1.1.3 external/bsd/wpa/dist/src/ap/ndisc_snoop.c: up to 1.1.1.1 external/bsd/wpa/dist/src/ap/ndisc_snoop.h: up to 1.1.1.1 external/bsd/wpa/dist/src/ap/p2p_hostapd.c: up to 1.1.1.3 external/bsd/wpa/dist/src/ap/peerkey_auth.c: up to 1.1.1.5 external/bsd/wpa/dist/src/ap/pmksa_cache_auth.c: up to 1.1.1.4 external/bsd/wpa/dist/src/ap/pmksa_cache_auth.h: up to 1.1.1.4 external/bsd/wpa/dist/src/ap/sta_info.c: up to 1.1.1.5 external/bsd/wpa/dist/src/ap/sta_info.h: up to 1.1.1.5 external/bsd/wpa/dist/src/ap/tkip_countermeasures.c: up to 1.1.1.4 external/bsd/wpa/dist/src/ap/vlan_init.c: up to 1.1.1.5 external/bsd/wpa/dist/src/ap/vlan_init.h: up to 1.1.1.2 external/bsd/wpa/dist/src/ap/wmm.c: up to 1.1.1.4 external/bsd/wpa/dist/src/ap/wmm.h: up to 1.1.1.2 external/bsd/wpa/dist/src/ap/wnm_ap.c: up to 1.1.1.3 external/bsd/wpa/dist/src/ap/wnm_ap.h: up to 1.1.1.3 external/bsd/wpa/dist/src/ap/wpa_auth.c: up to 1.8 external/bsd/wpa/dist/src/ap/wpa_auth.h: up to 1.1.1.5 external/bsd/wpa/dist/src/ap/wpa_auth_ft.c: up to 1.1.1.6 external/bsd/wpa/dist/src/ap/wpa_auth_glue.c: up to 1.1.1.6 external/bsd/wpa/dist/src/ap/wpa_auth_i.h: up to 1.1.1.5 external/bsd/wpa/dist/src/ap/wpa_auth_ie.c: up to 1.1.1.5 external/bsd/wpa/dist/src/ap/wpa_auth_ie.h: up to 1.1.1.3 external/bsd/wpa/dist/src/ap/wps_hostapd.c: up to 1.1.1.6 external/bsd/wpa/dist/src/ap/wps_hostapd.h: up 
to 1.1.1.5 external/bsd/wpa/dist/src/ap/x_snoop.c: up to 1.1.1.1 external/bsd/wpa/dist/src/ap/x_snoop.h: up to 1.1.1.1 external/bsd/wpa/dist/src/common/Makefile: up to 1.1.1.2 external/bsd/wpa/dist/src/common/common_module_tests.c: up to 1.1.1.1 external/bsd/wpa/dist/src/common/defs.h: up to 1.1.1.5 external/bsd/wpa/dist/src/common/eapol_common.h: up to 1.1.1.3 external/bsd/wpa/dist/src/common/hw_features_common.c: up to 1.1.1.1 external/bsd/wpa/dist/src/common/hw_features_common.h: up to 1.1.1.1 external/bsd/wpa/dist/src/common/ieee802_11_common.c: up to 1.1.1.5 external/bsd/wpa/dist/src/common/ieee802_11_common.h: up to 1.1.1.5 external/bsd/wpa/dist/src/common/ieee802_11_defs.h: up to 1.1.1.5 external/bsd/wpa/dist/src/common/ieee802_1x_defs.h: up to 1.1.1.1 external/bsd/wpa/dist/src/common/privsep_commands.h: up to 1.1.1.3 external/bsd/wpa/dist/src/common/qca-vendor-attr.h: up to 1.1.1.1 external/bsd/wpa/dist/src/common/qca-vendor.h: up to 1.1.1.2 external/bsd/wpa/dist/src/common/sae.c: up to 1.1.1.2 external/bsd/wpa/dist/src/common/sae.h: up to 1.1.1.2 external/bsd/wpa/dist/src/common/tnc.h: up to 1.1.1.1 external/bsd/wpa/dist/src/common/version.h: up to 1.1.1.7 external/bsd/wpa/dist/src/common/wpa_common.c: up to 1.1.1.5 external/bsd/wpa/dist/src/common/wpa_common.h: up to 1.1.1.5 external/bsd/wpa/dist/src/common/wpa_ctrl.c: up to 1.1.1.5 external/bsd/wpa/dist/src/common/wpa_ctrl.h: up to 1.1.1.6 external/bsd/wpa/dist/src/common/wpa_helpers.c: up to 1.1.1.1 external/bsd/wpa/dist/src/common/wpa_helpers.h: up to 1.1.1.1 external/bsd/wpa/dist/src/crypto/Makefile: up to 1.1.1.5 external/bsd/wpa/dist/src/crypto/aes-ccm.c: up to 1.1.1.2 external/bsd/wpa/dist/src/crypto/aes-eax.c: up to 1.1.1.3 external/bsd/wpa/dist/src/crypto/aes-gcm.c: up to 1.1.1.2 external/bsd/wpa/dist/src/crypto/aes-omac1.c: up to 1.1.1.3 external/bsd/wpa/dist/src/crypto/aes-siv.c: up to 1.1.1.1 external/bsd/wpa/dist/src/crypto/aes-unwrap.c: up to 1.1.1.3 
external/bsd/wpa/dist/src/crypto/aes-wrap.c: up to 1.1.1.3 external/bsd/wpa/dist/src/crypto/aes_siv.h: up to 1.1.1.1 external/bsd/wpa/dist/src/crypto/aes_wrap.h: up to 1.1.1.4 external/bsd/wpa/dist/src/crypto/crypto.h: up to 1.1.1.3 external/bsd/wpa/dist/src/crypto/crypto_internal-rsa.c: up to 1.1.1.3 external/bsd/wpa/dist/src/crypto/crypto_module_tests.c: up to 1.1.1.1 external/bsd/wpa/dist/src/crypto/crypto_nss.c: delete external/bsd/wpa/dist/src/crypto/crypto_openssl.c: up to 1.1.1.5 external/bsd/wpa/dist/src/crypto/dh_groups.c: up to 1.1.1.5 external/bsd/wpa/dist/src/crypto/dh_groups.h: up to 1.1.1.3 external/bsd/wpa/dist/src/crypto/fips_prf_cryptoapi.c: delete external/bsd/wpa/dist/src/crypto/fips_prf_gnutls.c: delete external/bsd/wpa/dist/src/crypto/fips_prf_nss.c: delete external/bsd/wpa/dist/src/crypto/md5.c: up to 1.1.1.3 external/bsd/wpa/dist/src/crypto/milenage.c: up to 1.1.1.3 external/bsd/wpa/dist/src/crypto/ms_funcs.c: up to 1.1.1.4 external/bsd/wpa/dist/src/crypto/random.c: up to 1.1.1.3 external/bsd/wpa/dist/src/crypto/sha1-internal.c: up to 1.1.1.3 external/bsd/wpa/dist/src/crypto/sha1-prf.c: up to 1.1.1.2 external/bsd/wpa/dist/src/crypto/sha1.c: up to 1.1.1.3 external/bsd/wpa/dist/src/crypto/sha256-kdf.c: up to 1.1.1.1 external/bsd/wpa/dist/src/crypto/sha256-prf.c: up to 1.1.1.3 external/bsd/wpa/dist/src/crypto/sha256.h: up to 1.1.1.4 external/bsd/wpa/dist/src/crypto/sha384.h: up to 1.1.1.1 external/bsd/wpa/dist/src/crypto/tls.h: up to 1.1.1.5 external/bsd/wpa/dist/src/crypto/tls_gnutls.c: up to 1.1.1.5 external/bsd/wpa/dist/src/crypto/tls_internal.c: up to 1.1.1.5 external/bsd/wpa/dist/src/crypto/tls_none.c: up to 1.1.1.4 external/bsd/wpa/dist/src/crypto/tls_nss.c: delete external/bsd/wpa/dist/src/crypto/tls_openssl.c: up to 1.1.1.6 external/bsd/wpa/dist/src/crypto/tls_schannel.c: up to 1.1.1.4 external/bsd/wpa/dist/src/drivers/Makefile: up to 1.1.1.2 external/bsd/wpa/dist/src/drivers/android_drv.h: up to 1.1.1.2 
external/bsd/wpa/dist/src/drivers/driver.h: up to 1.1.1.5 external/bsd/wpa/dist/src/drivers/driver_atheros.c: up to 1.1.1.6 external/bsd/wpa/dist/src/drivers/driver_bsd.c: up to 1.11 external/bsd/wpa/dist/src/drivers/driver_common.c: up to 1.1.1.4 external/bsd/wpa/dist/src/drivers/driver_hostap.c: up to 1.1.1.4 external/bsd/wpa/dist/src/drivers/driver_macsec_qca.c: up to 1.1.1.2 external/bsd/wpa/dist/src/drivers/driver_madwifi.c: delete external/bsd/wpa/dist/src/drivers/driver_ndis.c: up to 1.1.1.4 external/bsd/wpa/dist/src/drivers/driver_nl80211.c: up to 1.1.1.6 external/bsd/wpa/dist/src/drivers/driver_nl80211.h: up to 1.1.1.1 external/bsd/wpa/dist/src/drivers/driver_nl80211_android.c: up to 1.1.1.1 external/bsd/wpa/dist/src/drivers/driver_nl80211_capa.c: up to 1.1.1.1 external/bsd/wpa/dist/src/drivers/driver_nl80211_event.c: up to 1.1.1.1 external/bsd/wpa/dist/src/drivers/driver_nl80211_monitor.c: up to 1.1.1.1 external/bsd/wpa/dist/src/drivers/driver_nl80211_scan.c: up to 1.1.1.1 external/bsd/wpa/dist/src/drivers/driver_none.c: up to 1.1.1.3 external/bsd/wpa/dist/src/drivers/driver_openbsd.c: up to 1.1.1.1 external/bsd/wpa/dist/src/drivers/driver_privsep.c: up to 1.1.1.3 external/bsd/wpa/dist/src/drivers/driver_roboswitch.c: up to 1.1.1.5 external/bsd/wpa/dist/src/drivers/driver_test.c: delete external/bsd/wpa/dist/src/drivers/driver_wext.c: up to 1.1.1.5 external/bsd/wpa/dist/src/drivers/driver_wext.h: up to 1.1.1.4 external/bsd/wpa/dist/src/drivers/driver_wired.c: up to 1.1.1.5 external/bsd/wpa/dist/src/drivers/drivers.c: up to 1.1.1.5 external/bsd/wpa/dist/src/drivers/drivers.mak: up to 1.1.1.5 external/bsd/wpa/dist/src/drivers/drivers.mk: up to 1.1.1.4 external/bsd/wpa/dist/src/drivers/linux_defines.h: up to 1.1.1.1 external/bsd/wpa/dist/src/drivers/linux_ioctl.c: up to 1.1.1.4 external/bsd/wpa/dist/src/drivers/linux_wext.h: up to 1.1.1.2 external/bsd/wpa/dist/src/drivers/netlink.c: up to 1.1.1.5 external/bsd/wpa/dist/src/drivers/nl80211_copy.h: up to 
1.1.1.5 external/bsd/wpa/dist/src/drivers/priv_netlink.h: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_common/Makefile: up to 1.1.1.2 external/bsd/wpa/dist/src/eap_common/eap_common.c: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_common/eap_common.h: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_common/eap_defs.h: up to 1.1.1.6 external/bsd/wpa/dist/src/eap_common/eap_eke_common.c: up to 1.1.1.1 external/bsd/wpa/dist/src/eap_common/eap_eke_common.h: up to 1.1.1.1 external/bsd/wpa/dist/src/eap_common/eap_fast_common.c: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_common/eap_fast_common.h: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_common/eap_gpsk_common.c: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_common/eap_gpsk_common.h: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_common/eap_ikev2_common.c: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_common/eap_ikev2_common.h: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_common/eap_pax_common.c: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_common/eap_pax_common.h: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_common/eap_pwd_common.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_common/eap_pwd_common.h: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_common/eap_sim_common.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_common/eap_sim_common.h: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_common/ikev2_common.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_common/ikev2_common.h: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_peer/Makefile: up to 1.1.1.2 external/bsd/wpa/dist/src/eap_peer/eap.c: up to 1.1.1.6 external/bsd/wpa/dist/src/eap_peer/eap.h: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_peer/eap_aka.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_peer/eap_config.h: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_peer/eap_eke.c: up to 1.1.1.1 external/bsd/wpa/dist/src/eap_peer/eap_fast.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_peer/eap_fast_pac.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_peer/eap_gpsk.c: up to 1.1.1.4 
external/bsd/wpa/dist/src/eap_peer/eap_i.h: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_peer/eap_ikev2.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_peer/eap_leap.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_peer/eap_methods.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_peer/eap_methods.h: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_peer/eap_mschapv2.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_peer/eap_pax.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_peer/eap_peap.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_peer/eap_proxy.h: up to 1.1.1.1 external/bsd/wpa/dist/src/eap_peer/eap_proxy_dummy.c: up to 1.1.1.1 external/bsd/wpa/dist/src/eap_peer/eap_psk.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_peer/eap_pwd.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_peer/eap_sake.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_peer/eap_sim.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_peer/eap_tls.c: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_peer/eap_tls_common.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_peer/eap_tls_common.h: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_peer/eap_tnc.c: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_peer/eap_ttls.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_peer/eap_vendor_test.c: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_peer/eap_wsc.c: up to 1.1.1.6 external/bsd/wpa/dist/src/eap_peer/ikev2.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_peer/mschapv2.c: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_peer/tncc.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_server/Makefile: up to 1.1.1.2 external/bsd/wpa/dist/src/eap_server/eap.h: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_server/eap_i.h: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_server/eap_methods.h: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_server/eap_server.c: up to 1.2 external/bsd/wpa/dist/src/eap_server/eap_server_aka.c: up to 1.1.1.6 external/bsd/wpa/dist/src/eap_server/eap_server_eke.c: up to 1.1.1.1 external/bsd/wpa/dist/src/eap_server/eap_server_fast.c: up to 1.1.1.6 
external/bsd/wpa/dist/src/eap_server/eap_server_gpsk.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_server/eap_server_gtc.c: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_server/eap_server_identity.c: up to 1.1.1.3 external/bsd/wpa/dist/src/eap_server/eap_server_ikev2.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_server/eap_server_md5.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_server/eap_server_methods.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_server/eap_server_mschapv2.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_server/eap_server_pax.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_server/eap_server_peap.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_server/eap_server_psk.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_server/eap_server_pwd.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_server/eap_server_sake.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_server/eap_server_sim.c: up to 1.1.1.6 external/bsd/wpa/dist/src/eap_server/eap_server_tls.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_server/eap_server_tls_common.c: up to 1.6 external/bsd/wpa/dist/src/eap_server/eap_server_tnc.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_server/eap_server_ttls.c: up to 1.1.1.6 external/bsd/wpa/dist/src/eap_server/eap_server_wsc.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eap_server/eap_sim_db.c: up to 1.1.1.6 external/bsd/wpa/dist/src/eap_server/eap_tls_common.h: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_server/ikev2.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eap_server/tncs.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eapol_auth/Makefile: up to 1.1.1.2 external/bsd/wpa/dist/src/eapol_auth/eapol_auth_dump.c: up to 1.1.1.4 external/bsd/wpa/dist/src/eapol_auth/eapol_auth_sm.c: up to 1.1.1.5 external/bsd/wpa/dist/src/eapol_auth/eapol_auth_sm.h: up to 1.1.1.5 external/bsd/wpa/dist/src/eapol_auth/eapol_auth_sm_i.h: up to 1.1.1.4 external/bsd/wpa/dist/src/eapol_supp/Makefile: up to 1.1.1.2 external/bsd/wpa/dist/src/eapol_supp/eapol_supp_sm.c: up to 1.1.1.6 
external/bsd/wpa/dist/src/eapol_supp/eapol_supp_sm.h: up to 1.1.1.5 external/bsd/wpa/dist/src/l2_packet/Makefile: up to 1.1.1.2 external/bsd/wpa/dist/src/l2_packet/l2_packet.h: up to 1.1.1.3 external/bsd/wpa/dist/src/l2_packet/l2_packet_freebsd.c: up to 1.5 external/bsd/wpa/dist/src/l2_packet/l2_packet_linux.c: up to 1.1.1.4 external/bsd/wpa/dist/src/l2_packet/l2_packet_ndis.c: up to 1.1.1.4 external/bsd/wpa/dist/src/l2_packet/l2_packet_none.c: up to 1.1.1.4 external/bsd/wpa/dist/src/l2_packet/l2_packet_pcap.c: up to 1.1.1.3 external/bsd/wpa/dist/src/l2_packet/l2_packet_privsep.c: up to 1.1.1.3 external/bsd/wpa/dist/src/l2_packet/l2_packet_winpcap.c: up to 1.1.1.3 external/bsd/wpa/dist/src/lib.rules: up to 1.1.1.2 external/bsd/wpa/dist/src/p2p/Makefile: up to 1.1.1.2 external/bsd/wpa/dist/src/p2p/p2p.c: up to 1.2 external/bsd/wpa/dist/src/p2p/p2p.h: up to 1.1.1.4 external/bsd/wpa/dist/src/p2p/p2p_build.c: up to 1.1.1.4 external/bsd/wpa/dist/src/p2p/p2p_dev_disc.c: up to 1.1.1.3 external/bsd/wpa/dist/src/p2p/p2p_go_neg.c: up to 1.1.1.5 external/bsd/wpa/dist/src/p2p/p2p_group.c: up to 1.1.1.4 external/bsd/wpa/dist/src/p2p/p2p_i.h: up to 1.1.1.5 external/bsd/wpa/dist/src/p2p/p2p_invitation.c: up to 1.1.1.5 external/bsd/wpa/dist/src/p2p/p2p_parse.c: up to 1.1.1.4 external/bsd/wpa/dist/src/p2p/p2p_pd.c: up to 1.1.1.5 external/bsd/wpa/dist/src/p2p/p2p_sd.c: up to 1.1.1.4 external/bsd/wpa/dist/src/p2p/p2p_utils.c: up to 1.1.1.4 external/bsd/wpa/dist/src/pae/Makefile: up to 1.1.1.1 external/bsd/wpa/dist/src/pae/ieee802_1x_cp.c: up to 1.1.1.1 external/bsd/wpa/dist/src/pae/ieee802_1x_cp.h: up to 1.1.1.1 external/bsd/wpa/dist/src/pae/ieee802_1x_kay.c: up to 1.1.1.2 external/bsd/wpa/dist/src/pae/ieee802_1x_kay.h: up to 1.1.1.1 external/bsd/wpa/dist/src/pae/ieee802_1x_kay_i.h: up to 1.1.1.1 external/bsd/wpa/dist/src/pae/ieee802_1x_key.c: up to 1.1.1.1 external/bsd/wpa/dist/src/pae/ieee802_1x_key.h: up to 1.1.1.1 external/bsd/wpa/dist/src/pae/ieee802_1x_secy_ops.c: up to 1.1.1.1 
external/bsd/wpa/dist/src/pae/ieee802_1x_secy_ops.h: up to 1.1.1.1 external/bsd/wpa/dist/src/radius/Makefile: up to 1.1.1.2 external/bsd/wpa/dist/src/radius/radius.c: up to 1.1.1.5 external/bsd/wpa/dist/src/radius/radius.h: up to 1.1.1.4 external/bsd/wpa/dist/src/radius/radius_client.c: up to 1.1.1.5 external/bsd/wpa/dist/src/radius/radius_das.c: up to 1.4 external/bsd/wpa/dist/src/radius/radius_das.h: up to 1.1.1.3 external/bsd/wpa/dist/src/radius/radius_server.c: up to 1.1.1.5 external/bsd/wpa/dist/src/radius/radius_server.h: up to 1.1.1.5 external/bsd/wpa/dist/src/rsn_supp/Makefile: up to 1.1.1.2 external/bsd/wpa/dist/src/rsn_supp/peerkey.c: up to 1.1.1.5 external/bsd/wpa/dist/src/rsn_supp/peerkey.h: up to 1.1.1.4 external/bsd/wpa/dist/src/rsn_supp/pmksa_cache.c: up to 1.1.1.6 external/bsd/wpa/dist/src/rsn_supp/pmksa_cache.h: up to 1.1.1.5 external/bsd/wpa/dist/src/rsn_supp/preauth.c: up to 1.1.1.5 external/bsd/wpa/dist/src/rsn_supp/preauth.h: up to 1.1.1.3 external/bsd/wpa/dist/src/rsn_supp/tdls.c: up to 1.1.1.4 external/bsd/wpa/dist/src/rsn_supp/wpa.c: up to 1.1.1.7 external/bsd/wpa/dist/src/rsn_supp/wpa.h: up to 1.1.1.5 external/bsd/wpa/dist/src/rsn_supp/wpa_ft.c: up to 1.1.1.5 external/bsd/wpa/dist/src/rsn_supp/wpa_i.h: up to 1.1.1.5 external/bsd/wpa/dist/src/rsn_supp/wpa_ie.c: up to 1.1.1.5 external/bsd/wpa/dist/src/rsn_supp/wpa_ie.h: up to 1.1.1.4 external/bsd/wpa/dist/src/tls/asn1.c: up to 1.1.1.4 external/bsd/wpa/dist/src/tls/asn1.h: up to 1.1.1.3 external/bsd/wpa/dist/src/tls/libtommath.c: up to 1.1.1.4 external/bsd/wpa/dist/src/tls/pkcs1.c: up to 1.1.1.3 external/bsd/wpa/dist/src/tls/pkcs1.h: up to 1.1.1.3 external/bsd/wpa/dist/src/tls/rsa.c: up to 1.1.1.3 external/bsd/wpa/dist/src/tls/rsa.h: up to 1.1.1.3 external/bsd/wpa/dist/src/tls/tlsv1_client.c: up to 1.1.1.5 external/bsd/wpa/dist/src/tls/tlsv1_client_read.c: up to 1.1.1.5 external/bsd/wpa/dist/src/tls/tlsv1_client_write.c: up to 1.1.1.5 external/bsd/wpa/dist/src/tls/tlsv1_common.c: up to 1.1.1.4 
external/bsd/wpa/dist/src/tls/tlsv1_common.h: up to 1.1.1.4 external/bsd/wpa/dist/src/tls/tlsv1_record.c: up to 1.1.1.4 external/bsd/wpa/dist/src/tls/tlsv1_server.c: up to 1.1.1.5 external/bsd/wpa/dist/src/tls/tlsv1_server.h: up to 1.1.1.3 external/bsd/wpa/dist/src/tls/tlsv1_server_i.h: up to 1.1.1.3 external/bsd/wpa/dist/src/tls/tlsv1_server_read.c: up to 1.1.1.5 external/bsd/wpa/dist/src/tls/tlsv1_server_write.c: up to 1.1.1.4 external/bsd/wpa/dist/src/tls/x509v3.c: up to 1.1.1.6 external/bsd/wpa/dist/src/utils/Makefile: up to 1.1.1.3 external/bsd/wpa/dist/src/utils/base64.c: up to 1.1.1.4 external/bsd/wpa/dist/src/utils/bitfield.c: up to 1.1.1.2 external/bsd/wpa/dist/src/utils/bitfield.h: up to 1.1.1.1 external/bsd/wpa/dist/src/utils/browser-android.c: up to 1.1.1.2 external/bsd/wpa/dist/src/utils/browser-system.c: up to 1.1.1.2 external/bsd/wpa/dist/src/utils/browser-wpadebug.c: up to 1.1.1.2 external/bsd/wpa/dist/src/utils/browser.c: up to 1.1.1.1 external/bsd/wpa/dist/src/utils/browser.h: up to 1.1.1.1 external/bsd/wpa/dist/src/utils/build_config.h: up to 1.1.1.3 external/bsd/wpa/dist/src/utils/common.c: up to 1.1.1.5 external/bsd/wpa/dist/src/utils/common.h: up to 1.1.1.5 external/bsd/wpa/dist/src/utils/edit.c: up to 1.1.1.3 external/bsd/wpa/dist/src/utils/edit_readline.c: up to 1.1.1.3 external/bsd/wpa/dist/src/utils/edit_simple.c: up to 1.1.1.3 external/bsd/wpa/dist/src/utils/eloop.c: up to 1.6 external/bsd/wpa/dist/src/utils/eloop.h: up to 1.1.1.4 external/bsd/wpa/dist/src/utils/eloop_none.c: delete external/bsd/wpa/dist/src/utils/eloop_win.c: up to 1.1.1.4 external/bsd/wpa/dist/src/utils/ext_password_test.c: up to 1.1.1.2 external/bsd/wpa/dist/src/utils/http-utils.h: up to 1.1.1.1 external/bsd/wpa/dist/src/utils/http_curl.c: up to 1.1.1.2 external/bsd/wpa/dist/src/utils/ip_addr.c: up to 1.1.1.3 external/bsd/wpa/dist/src/utils/ip_addr.h: up to 1.1.1.3 external/bsd/wpa/dist/src/utils/list.h: up to 1.1.1.4 external/bsd/wpa/dist/src/utils/os.h: up to 1.6 
external/bsd/wpa/dist/src/utils/os_internal.c: up to 1.1.1.5 external/bsd/wpa/dist/src/utils/os_none.c: up to 1.1.1.5 external/bsd/wpa/dist/src/utils/os_unix.c: up to 1.3 external/bsd/wpa/dist/src/utils/os_win32.c: up to 1.1.1.5 external/bsd/wpa/dist/src/utils/pcsc_funcs.c: up to 1.1.1.5 external/bsd/wpa/dist/src/utils/pcsc_funcs.h: up to 1.1.1.3 external/bsd/wpa/dist/src/utils/platform.h: up to 1.1.1.1 external/bsd/wpa/dist/src/utils/radiotap.c: up to 1.1.1.3 external/bsd/wpa/dist/src/utils/radiotap.h: up to 1.4 external/bsd/wpa/dist/src/utils/radiotap_iter.h: up to 1.1.1.3 external/bsd/wpa/dist/src/utils/trace.c: up to 1.1.1.4 external/bsd/wpa/dist/src/utils/trace.h: up to 1.4 external/bsd/wpa/dist/src/utils/utils_module_tests.c: up to 1.1.1.2 external/bsd/wpa/dist/src/utils/uuid.c: up to 1.1.1.3 external/bsd/wpa/dist/src/utils/wpa_debug.c: up to 1.1.1.5 external/bsd/wpa/dist/src/utils/wpa_debug.h: up to 1.1.1.5 external/bsd/wpa/dist/src/utils/wpabuf.c: up to 1.1.1.3 external/bsd/wpa/dist/src/utils/wpabuf.h: up to 1.1.1.4 external/bsd/wpa/dist/src/utils/xml-utils.c: up to 1.1.1.1 external/bsd/wpa/dist/src/utils/xml-utils.h: up to 1.1.1.1 external/bsd/wpa/dist/src/utils/xml_libxml2.c: up to 1.1.1.1 external/bsd/wpa/dist/src/wps/Makefile: up to 1.1.1.2 external/bsd/wpa/dist/src/wps/http_client.c: up to 1.1.1.4 external/bsd/wpa/dist/src/wps/http_server.c: up to 1.1.1.3 external/bsd/wpa/dist/src/wps/httpread.c: up to 1.1.1.3 external/bsd/wpa/dist/src/wps/ndef.c: up to 1.1.1.3 external/bsd/wpa/dist/src/wps/wps.c: up to 1.1.1.6 external/bsd/wpa/dist/src/wps/wps.h: up to 1.1.1.6 external/bsd/wpa/dist/src/wps/wps_attr_build.c: up to 1.1.1.5 external/bsd/wpa/dist/src/wps/wps_attr_parse.c: up to 1.1.1.5 external/bsd/wpa/dist/src/wps/wps_attr_parse.h: up to 1.1.1.2 external/bsd/wpa/dist/src/wps/wps_attr_process.c: up to 1.1.1.5 external/bsd/wpa/dist/src/wps/wps_common.c: up to 1.1.1.6 external/bsd/wpa/dist/src/wps/wps_defs.h: up to 1.1.1.6 
external/bsd/wpa/dist/src/wps/wps_dev_attr.c: up to 1.1.1.4 external/bsd/wpa/dist/src/wps/wps_dev_attr.h: up to 1.1.1.4 external/bsd/wpa/dist/src/wps/wps_enrollee.c: up to 1.1.1.7 external/bsd/wpa/dist/src/wps/wps_er.c: up to 1.1.1.5 external/bsd/wpa/dist/src/wps/wps_er.h: up to 1.1.1.5 external/bsd/wpa/dist/src/wps/wps_er_ssdp.c: up to 1.1.1.4 external/bsd/wpa/dist/src/wps/wps_i.h: up to 1.1.1.5 external/bsd/wpa/dist/src/wps/wps_module_tests.c: up to 1.1.1.1 external/bsd/wpa/dist/src/wps/wps_registrar.c: up to 1.1.1.7 external/bsd/wpa/dist/src/wps/wps_upnp.c: up to 1.1.1.6 external/bsd/wpa/dist/src/wps/wps_upnp_ap.c: up to 1.1.1.4 external/bsd/wpa/dist/src/wps/wps_upnp_i.h: up to 1.1.1.4 external/bsd/wpa/dist/src/wps/wps_upnp_ssdp.c: up to 1.1.1.5 external/bsd/wpa/dist/src/wps/wps_upnp_web.c: up to 1.1.1.4 external/bsd/wpa/dist/src/wps/wps_validate.c: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/Android.mk: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/ChangeLog: up to 1.1.1.7 external/bsd/wpa/dist/wpa_supplicant/Makefile: up to 1.1.1.6 external/bsd/wpa/dist/wpa_supplicant/README: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/README-HS20: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/README-P2P: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/README-WPS: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/android.config: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/ap.c: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/ap.h: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/bgscan.c: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/bgscan.h: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/bgscan_learn.c: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/bgscan_simple.c: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/bss.c: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/bss.h: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/config.c: up to 1.1.1.6 external/bsd/wpa/dist/wpa_supplicant/config.h: up to 1.1.1.5 
external/bsd/wpa/dist/wpa_supplicant/config_file.c: up to 1.1.1.6 external/bsd/wpa/dist/wpa_supplicant/config_none.c: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/config_ssid.h: up to 1.1.1.6 external/bsd/wpa/dist/wpa_supplicant/config_winreg.c: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/ctrl_iface.c: up to 1.3 external/bsd/wpa/dist/wpa_supplicant/ctrl_iface.h: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/ctrl_iface_named_pipe.c: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/ctrl_iface_udp.c: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/ctrl_iface_unix.c: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/dbus/Makefile: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_common.c: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_dict_helpers.c: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_dict_helpers.h: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new.c: up to 1.1.1.7 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new.h: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new_handlers.c: up to 1.1.1.7 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new_handlers.h: up to 1.1.1.6 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new_handlers_p2p.c: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new_handlers_p2p.h: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new_handlers_wps.c: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new_helpers.c: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new_helpers.h: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new_introspect.c: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_old.c: up to 1.1.1.6 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_old.h: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_old_handlers.c: up to 1.1.1.6 external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_old_handlers.h: up to 1.1.1.4 
external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_old_handlers_wps.c: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/defconfig: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/doc/docbook/Makefile: up to 1.1.1.2 external/bsd/wpa/dist/wpa_supplicant/doc/docbook/eapol_test.8: up to 1.1.1.2 external/bsd/wpa/dist/wpa_supplicant/doc/docbook/eapol_test.sgml: up to 1.1.1.2 external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_background.8: up to 1.1.1.7 external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_background.sgml: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_cli.8: up to 1.1.1.7 external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_cli.sgml: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_gui.8: up to 1.1.1.7 external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_gui.sgml: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_passphrase.8: up to 1.1.1.7 external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_passphrase.sgml: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_priv.8: up to 1.1.1.7 external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_priv.sgml: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_supplicant.8: up to 1.1.1.7 external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_supplicant.conf.5: up to 1.1.1.7 external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_supplicant.sgml: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/driver_i.h: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/eap_proxy_dummy.mak: up to 1.1.1.1 external/bsd/wpa/dist/wpa_supplicant/eap_proxy_dummy.mk: up to 1.1.1.1 external/bsd/wpa/dist/wpa_supplicant/eap_register.c: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/eapol_test.c: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/events.c: up to 1.3 external/bsd/wpa/dist/wpa_supplicant/examples/p2p-action.sh: up to 1.1.1.2 external/bsd/wpa/dist/wpa_supplicant/examples/p2p-nfc.py: up to 1.1.1.1 
external/bsd/wpa/dist/wpa_supplicant/examples/wps-ap-cli: up to 1.1.1.2 external/bsd/wpa/dist/wpa_supplicant/examples/wps-nfc.py: up to 1.1.1.2 external/bsd/wpa/dist/wpa_supplicant/gas_query.c: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/gas_query.h: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/hs20_supplicant.c: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/hs20_supplicant.h: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/ibss_rsn.c: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/ibss_rsn.h: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/interworking.c: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/interworking.h: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/main.c: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/main_none.c: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/main_winmain.c: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/main_winsvc.c: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/mesh.c: up to 1.1.1.1 external/bsd/wpa/dist/wpa_supplicant/mesh.h: up to 1.1.1.1 external/bsd/wpa/dist/wpa_supplicant/mesh_mpm.c: up to 1.1.1.1 external/bsd/wpa/dist/wpa_supplicant/mesh_mpm.h: up to 1.1.1.1 external/bsd/wpa/dist/wpa_supplicant/mesh_rsn.c: up to 1.1.1.1 external/bsd/wpa/dist/wpa_supplicant/mesh_rsn.h: up to 1.1.1.1 external/bsd/wpa/dist/wpa_supplicant/notify.c: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/notify.h: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/offchannel.c: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/p2p_supplicant.c: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/p2p_supplicant.h: up to 1.1.1.4 external/bsd/wpa/dist/wpa_supplicant/preauth_test.c: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/scan.c: up to 1.1.1.7 external/bsd/wpa/dist/wpa_supplicant/scan.h: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/sme.c: up to 1.1.1.7 external/bsd/wpa/dist/wpa_supplicant/sme.h: up to 1.1.1.5 
external/bsd/wpa/dist/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in: up to 1.1.1.2 external/bsd/wpa/dist/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in: up to 1.1.1.2 external/bsd/wpa/dist/wpa_supplicant/systemd/wpa_supplicant.service.arg.in: up to 1.1.1.2 external/bsd/wpa/dist/wpa_supplicant/tests/test_wpa.c: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/todo.txt: up to 1.1.1.2 external/bsd/wpa/dist/wpa_supplicant/wifi_display.c: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/wifi_display.h: up to 1.1.1.2 external/bsd/wpa/dist/wpa_supplicant/wmm_ac.c: up to 1.1.1.1 external/bsd/wpa/dist/wpa_supplicant/wmm_ac.h: up to 1.1.1.1 external/bsd/wpa/dist/wpa_supplicant/wnm_sta.c: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/wnm_sta.h: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/wpa_cli.c: up to 1.6 external/bsd/wpa/dist/wpa_supplicant/wpa_gui-qt4/scanresults.cpp: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/wpa_gui-qt4/scanresultsitem.cpp: up to 1.1.1.1 external/bsd/wpa/dist/wpa_supplicant/wpa_gui-qt4/scanresultsitem.h: up to 1.1.1.1 external/bsd/wpa/dist/wpa_supplicant/wpa_gui-qt4/wpa_gui.pro: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/wpa_gui-qt4/wpagui.cpp: up to 1.1.1.7 external/bsd/wpa/dist/wpa_supplicant/wpa_gui-qt4/wpagui.h: up to 1.1.1.3 external/bsd/wpa/dist/wpa_supplicant/wpa_priv.c: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/wpa_supplicant.c: up to 1.3 external/bsd/wpa/dist/wpa_supplicant/wpa_supplicant.conf: up to 1.1.1.5 external/bsd/wpa/dist/wpa_supplicant/wpa_supplicant_i.h: up to 1.1.1.7 external/bsd/wpa/dist/wpa_supplicant/wpa_supplicant_template.conf: up to 1.1.1.2 external/bsd/wpa/dist/wpa_supplicant/wpas_glue.c: up to 1.1.1.6 external/bsd/wpa/dist/wpa_supplicant/wpas_kay.c: up to 1.1.1.1 external/bsd/wpa/dist/wpa_supplicant/wpas_kay.h: up to 1.1.1.1 external/bsd/wpa/dist/wpa_supplicant/wpas_module_tests.c: up to 1.1.1.2 external/bsd/wpa/dist/wpa_supplicant/wps_supplicant.c: up to 
1.1.1.6 external/bsd/wpa/dist/wpa_supplicant/wps_supplicant.h: up to 1.1.1.5 Update wpa_supplicant/hostapd to 2.4. @ text @@ 1.1.1.1.8.1 log @file openssl-0.9.8x-tls-extensions.patch was added on branch tls-maxphys on 2014-08-19 23:52:16 +0000 @ text @d1 396 @ 1.1.1.1.8.2 log @Rebase to HEAD as of a few days ago. @ text @a0 396 This patch adds support for TLS SessionTicket extension (RFC 5077) for the parts used by EAP-FAST (RFC 4851). This is based on the patch from Alexey Kobozev (sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300). OpenSSL 0.9.8x does not enable TLS extension support by default, so it will need to be enabled by adding enable-tlsext to config script command line. diff -upr openssl-0.9.8x.orig/ssl/s3_clnt.c openssl-0.9.8x/ssl/s3_clnt.c --- openssl-0.9.8x.orig/ssl/s3_clnt.c 2011-12-26 21:38:28.000000000 +0200 +++ openssl-0.9.8x/ssl/s3_clnt.c 2012-07-07 10:46:31.501140621 +0300 @@@@ -757,6 +757,21 @@@@ int ssl3_get_server_hello(SSL *s) goto f_err; } +#ifndef OPENSSL_NO_TLSEXT + /* check if we want to resume the session based on external pre-shared secret */ + if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + s->session->master_key_length=sizeof(s->session->master_key); + if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, + NULL, &pref_cipher, s->tls_session_secret_cb_arg)) + { + s->session->cipher=pref_cipher ? + pref_cipher : ssl_get_cipher_by_char(s,p+j); + } + } +#endif /* OPENSSL_NO_TLSEXT */ + if (j != 0 && j == s->session->session_id_length && memcmp(p,s->session->session_id,j) == 0) { @@@@ -2725,11 +2740,8 @@@@ int ssl3_check_finished(SSL *s) { int ok; long n; - /* If we have no ticket or session ID is non-zero length (a match of - * a non-zero session length would never reach here) it cannot be a - * resumed session. 
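Review bot: In the block added to ssl3_get_server_hello (s3_clnt.c), the length that tls_session_secret_cb writes back into `s->session->master_key_length` is used without being compared to `sizeof(s->session->master_key)`. The same unchecked length appears in the block added to ssl3_get_client_hello in s3_srvr.c. After a successful callback I would add `if (s->session->master_key_length <= 0 || s->session->master_key_length > (int)sizeof(s->session->master_key)) goto f_err;`, setting an internal-error alert first. The fallback `ssl_get_cipher_by_char(s,p+j)` is also stored in `s->session->cipher` without a NULL check, and it presumably returns NULL for a suite the library does not know. The function starts and ends outside the hunk, so a later check may cover this.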
- */ - if (!s->session->tlsext_tick || s->session->session_id_length) + /* If we have no ticket it cannot be a resumed session. */ + if (!s->session->tlsext_tick) return 1; /* this function is called when we really expect a Certificate * message, so permit appropriate message length */ diff -upr openssl-0.9.8x.orig/ssl/s3_srvr.c openssl-0.9.8x/ssl/s3_srvr.c --- openssl-0.9.8x.orig/ssl/s3_srvr.c 2012-02-16 17:21:17.000000000 +0200 +++ openssl-0.9.8x/ssl/s3_srvr.c 2012-07-07 10:46:31.501140621 +0300 @@@@ -1009,6 +1009,59 @@@@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } + + /* Check if we want to use external pre-shared secret for this + * handshake for not reused session only. We need to generate + * server_random before calling tls_session_secret_cb in order to allow + * SessionTicket processing to use it in key derivation. */ + { + unsigned long Time; + unsigned char *pos; + Time=(unsigned long)time(NULL); /* Time */ + pos=s->s3->server_random; + l2n(Time,pos); + if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0) + { + al=SSL_AD_INTERNAL_ERROR; + goto f_err; + } + } + + if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + + s->session->master_key_length=sizeof(s->session->master_key); + if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, + ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) + { + s->hit=1; + s->session->ciphers=ciphers; + s->session->verify_result=X509_V_OK; + + ciphers=NULL; + + /* check if some cipher was preferred by call back */ + pref_cipher=pref_cipher ? 
pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); + if (pref_cipher == NULL) + { + al=SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); + goto f_err; + } + + s->session->cipher=pref_cipher; + + if (s->cipher_list) + sk_SSL_CIPHER_free(s->cipher_list); + + if (s->cipher_list_by_id) + sk_SSL_CIPHER_free(s->cipher_list_by_id); + + s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); + s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); + } + } #endif /* Worst case, we will use the NULL compression, but if we have other * options, we will now look for them. We have i-1 compression @@@@ -1147,16 +1200,22 @@@@ int ssl3_send_server_hello(SSL *s) unsigned char *buf; unsigned char *p,*d; int i,sl; - unsigned long l,Time; + unsigned long l; +#ifdef OPENSSL_NO_TLSEXT + unsigned long Time; +#endif if (s->state == SSL3_ST_SW_SRVR_HELLO_A) { buf=(unsigned char *)s->init_buf->data; +#ifdef OPENSSL_NO_TLSEXT p=s->s3->server_random; + /* Generate server_random if it was not needed previously */ Time=(unsigned long)time(NULL); /* Time */ l2n(Time,p); if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) return -1; +#endif /* Do the message type and length last */ d=p= &(buf[4]); diff -upr openssl-0.9.8x.orig/ssl/ssl_err.c openssl-0.9.8x/ssl/ssl_err.c --- openssl-0.9.8x.orig/ssl/ssl_err.c 2012-03-12 16:50:55.000000000 +0200 +++ openssl-0.9.8x/ssl/ssl_err.c 2012-07-07 10:46:31.501140621 +0300 @@@@ -264,6 +264,7 @@@@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"}, {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"}, {ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"}, +{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"}, {0,NULL} }; diff -upr openssl-0.9.8x.orig/ssl/ssl.h openssl-0.9.8x/ssl/ssl.h --- openssl-0.9.8x.orig/ssl/ssl.h 2012-03-12 16:50:55.000000000 +0200 +++ openssl-0.9.8x/ssl/ssl.h 2012-07-07 10:46:31.501140621 +0300 @@@@ -344,6 +344,7 
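Review bot: At the end of the block added to ssl3_get_client_hello (ssl/s3_srvr.c) the two `sk_SSL_CIPHER_dup(s->session->ciphers)` results are assigned to `s->cipher_list` and `s->cipher_list_by_id` without a NULL check, after the previous lists have already been freed, so an allocation failure leaves the connection without a cipher list. A check such as `if (s->cipher_list == NULL || s->cipher_list_by_id == NULL) { al=SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE); goto f_err; }` would fail the handshake cleanly. The line `s->session->verify_result=X509_V_OK;` also deserves a comment stating why it is safe, for example `/* peer is authenticated by the externally supplied secret, not by a certificate chain */`, since it marks the peer as verified purely on the callback's return value. The function body continues outside the hunk.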
@@@@ extern "C" { * 'struct ssl_st *' function parameters used to prototype callbacks * in SSL_CTX. */ typedef struct ssl_st *ssl_crock_st; +typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT; /* used to hold info on the particular ciphers used */ typedef struct ssl_cipher_st @@@@ -362,6 +363,9 @@@@ typedef struct ssl_cipher_st DECLARE_STACK_OF(SSL_CIPHER) +typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg); +typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); + /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ typedef struct ssl_method_st { @@@@ -1050,6 +1054,18 @@@@ struct ssl_st /* RFC4507 session ticket expected to be received or sent */ int tlsext_ticket_expected; + + /* TLS Session Ticket extension override */ + TLS_SESSION_TICKET_EXT *tlsext_session_ticket; + + /* TLS Session Ticket extension callback */ + tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb; + void *tls_session_ticket_ext_cb_arg; + + /* TLS pre-shared secret session resumption */ + tls_session_secret_cb_fn tls_session_secret_cb; + void *tls_session_secret_cb_arg; + SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ #define session_ctx initial_ctx #else @@@@ -1663,6 +1679,15 @@@@ void *SSL_COMP_get_compression_methods(v int SSL_COMP_add_compression_method(int id,void *cm); #endif +/* TLS extensions functions */ +int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len); + +int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, + void *arg); + +/* Pre-shared secret session resumption functions */ +int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. 
@@@@ -1866,6 +1891,7 @@@@ void ERR_load_SSL_strings(void); #define SSL_F_TLS1_ENC 210 #define SSL_F_TLS1_SETUP_KEY_BLOCK 211 #define SSL_F_WRITE_PENDING 212 +#define SSL_F_SSL_SET_SESSION_TICKET_EXT 213 /* Reason codes. */ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 diff -upr openssl-0.9.8x.orig/ssl/ssl_sess.c openssl-0.9.8x/ssl/ssl_sess.c --- openssl-0.9.8x.orig/ssl/ssl_sess.c 2010-02-01 18:48:40.000000000 +0200 +++ openssl-0.9.8x/ssl/ssl_sess.c 2012-07-07 10:46:31.501140621 +0300 @@@@ -712,6 +712,61 @@@@ long SSL_CTX_get_timeout(const SSL_CTX * return(s->session_timeout); } +#ifndef OPENSSL_NO_TLSEXT +int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len, + STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg) + { + if (s == NULL) return(0); + s->tls_session_secret_cb = tls_session_secret_cb; + s->tls_session_secret_cb_arg = arg; + return(1); + } + +int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, + void *arg) + { + if (s == NULL) return(0); + s->tls_session_ticket_ext_cb = cb; + s->tls_session_ticket_ext_cb_arg = arg; + return(1); + } + +int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) + { + if (s->version >= TLS1_VERSION) + { + if (s->tlsext_session_ticket) + { + OPENSSL_free(s->tlsext_session_ticket); + s->tlsext_session_ticket = NULL; + } + + s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len); + if (!s->tlsext_session_ticket) + { + SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE); + return 0; + } + + if (ext_data) + { + s->tlsext_session_ticket->length = ext_len; + s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1; + memcpy(s->tlsext_session_ticket->data, ext_data, ext_len); + } + else + { + s->tlsext_session_ticket->length = 0; + s->tlsext_session_ticket->data = NULL; + } + + return 1; + } + + return 0; + } +#endif /* OPENSSL_NO_TLSEXT */ + typedef struct timeout_param_st { SSL_CTX 
*ctx; diff -upr openssl-0.9.8x.orig/ssl/t1_lib.c openssl-0.9.8x/ssl/t1_lib.c --- openssl-0.9.8x.orig/ssl/t1_lib.c 2012-01-04 16:25:10.000000000 +0200 +++ openssl-0.9.8x/ssl/t1_lib.c 2012-07-07 10:47:31.153140501 +0300 @@@@ -106,6 +106,12 @@@@ int tls1_new(SSL *s) void tls1_free(SSL *s) { +#ifndef OPENSSL_NO_TLSEXT + if (s->tlsext_session_ticket) + { + OPENSSL_free(s->tlsext_session_ticket); + } +#endif ssl3_free(s); } @@@@ -206,8 +212,23 @@@@ unsigned char *ssl_add_clienthello_tlsex int ticklen; if (!s->new_session && s->session && s->session->tlsext_tick) ticklen = s->session->tlsext_ticklen; + else if (s->session && s->tlsext_session_ticket && + s->tlsext_session_ticket->data) + { + ticklen = s->tlsext_session_ticket->length; + s->session->tlsext_tick = OPENSSL_malloc(ticklen); + if (!s->session->tlsext_tick) + return NULL; + memcpy(s->session->tlsext_tick, + s->tlsext_session_ticket->data, + ticklen); + s->session->tlsext_ticklen = ticklen; + } else ticklen = 0; + if (ticklen == 0 && s->tlsext_session_ticket && + s->tlsext_session_ticket->data == NULL) + goto skip_ext; /* Check for enough room 2 for extension type, 2 for len * rest for ticket */ @@@@ -221,6 +242,7 @@@@ unsigned char *ssl_add_clienthello_tlsex ret += ticklen; } } + skip_ext: if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && s->version != DTLS1_VERSION) @@@@ -486,6 +508,15 @@@@ int ssl_parse_clienthello_tlsext(SSL *s, return 0; renegotiate_seen = 1; } + else if (type == TLSEXT_TYPE_session_ticket) + { + if (s->tls_session_ticket_ext_cb && + !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } + } else if (type == TLSEXT_TYPE_status_request && s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) { @@@@ -663,6 +694,12 @@@@ int ssl_parse_serverhello_tlsext(SSL *s, } else if (type == TLSEXT_TYPE_session_ticket) { + if (s->tls_session_ticket_ext_cb && + !s->tls_session_ticket_ext_cb(s, data, size, 
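Review bot: SSL_set_session_ticket_ext in the ssl/ssl_sess.c hunk uses the caller's `int ext_len` unchecked: it is added to the allocation size, passed to `memcpy`, and stored in the `unsigned short length` field that the ssl/tls1.h hunk declares. A negative value under-allocates and is then converted to a very large copy size, and a value above 0xffff is silently truncated when stored, so the ticket later sent from `length` no longer matches what was copied. The function should start with `if (s == NULL || ext_len < 0 || ext_len > 0xffff) return 0;`, which also gives it the `s == NULL` guard that the two sibling setters in the same hunk already have.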
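Review bot: In the ssl_add_clienthello_tlsext hunk (ssl/t1_lib.c, `-206,8 +212,23`) the new `else if` branch stores a fresh `OPENSSL_malloc(ticklen)` buffer in `s->session->tlsext_tick` without releasing a ticket the session may already hold; the branch is reachable with a non-NULL `tlsext_tick` when `s->new_session` is set, in which case the old buffer is leaked. Freeing first avoids that: `if (s->session->tlsext_tick) OPENSSL_free(s->session->tlsext_tick);`. An override with non-NULL `data` and a zero `length` (which SSL_set_session_ticket_ext produces for `ext_len == 0`) also reaches `OPENSSL_malloc(0)`; if that returns NULL in this OpenSSL version the function returns NULL and the ClientHello fails, so the allocation and copy should be guarded with `ticklen > 0`. The function body starts and ends outside the hunk.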
s->tls_session_ticket_ext_cb_arg)) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { @@@@ -920,6 +957,15 @@@@ int tls1_process_ticket(SSL *s, unsigned s->tlsext_ticket_expected = 1; return 0; /* Cache miss */ } + if (s->tls_session_secret_cb) + { + /* Indicate cache miss here and instead of + * generating the session from ticket now, + * trigger abbreviated handshake based on + * external mechanism to calculate the master + * secret later. */ + return 0; + } return tls_decrypt_ticket(s, p, size, session_id, len, ret); } diff -upr openssl-0.9.8x.orig/ssl/tls1.h openssl-0.9.8x/ssl/tls1.h --- openssl-0.9.8x.orig/ssl/tls1.h 2009-11-08 16:51:54.000000000 +0200 +++ openssl-0.9.8x/ssl/tls1.h 2012-07-07 10:46:31.501140621 +0300 @@@@ -401,6 +401,13 @@@@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T #define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/ #endif +/* TLS extension struct */ +struct tls_session_ticket_ext_st + { + unsigned short length; + void *data; + }; + #ifdef __cplusplus } #endif diff -upr openssl-0.9.8x.orig/util/ssleay.num openssl-0.9.8x/util/ssleay.num --- openssl-0.9.8x.orig/util/ssleay.num 2008-06-05 13:57:21.000000000 +0300 +++ openssl-0.9.8x/util/ssleay.num 2012-07-07 10:46:31.505140623 +0300 @@@@ -242,3 +242,5 @@@@ SSL_set_SSL_CTX SSL_get_servername 291 EXIST::FUNCTION:TLSEXT SSL_get_servername_type 292 EXIST::FUNCTION:TLSEXT SSL_CTX_set_client_cert_engine 293 EXIST::FUNCTION:ENGINE +SSL_set_session_ticket_ext 306 EXIST::FUNCTION:TLSEXT +SSL_set_session_secret_cb 307 EXIST::FUNCTION:TLSEXT @ 1.1.1.1.4.1 log @file openssl-0.9.8x-tls-extensions.patch was added on branch yamt-pagecache on 2014-05-22 15:51:38 +0000 @ text @d1 396 @ 1.1.1.1.4.2 log @sync with head. for a reference, the tree before this commit was tagged as yamt-pagecache-tag8. this commit was splitted into small chunks to avoid a limitation of cvs. 
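Review bot: The util/ssleay.num hunk lists `SSL_set_session_ticket_ext` and `SSL_set_session_secret_cb` but not `SSL_set_session_ticket_ext_cb`, which the ssl/ssl.h hunk declares and the ssl/ssl_sess.c hunk defines as a public function. On builds that derive the shared-library export list from this file the callback setter would presumably not be exported, so applications could not install the ticket callback. A third line of the same form, `SSL_set_session_ticket_ext_cb <next free ordinal> EXIST::FUNCTION:TLSEXT`, would cover it.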
("Protocol error: too many arguments") @ text @a0 396 This patch adds support for TLS SessionTicket extension (RFC 5077) for the parts used by EAP-FAST (RFC 4851). This is based on the patch from Alexey Kobozev (sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300). OpenSSL 0.9.8x does not enable TLS extension support by default, so it will need to be enabled by adding enable-tlsext to config script command line. diff -upr openssl-0.9.8x.orig/ssl/s3_clnt.c openssl-0.9.8x/ssl/s3_clnt.c --- openssl-0.9.8x.orig/ssl/s3_clnt.c 2011-12-26 21:38:28.000000000 +0200 +++ openssl-0.9.8x/ssl/s3_clnt.c 2012-07-07 10:46:31.501140621 +0300 @@@@ -757,6 +757,21 @@@@ int ssl3_get_server_hello(SSL *s) goto f_err; } +#ifndef OPENSSL_NO_TLSEXT + /* check if we want to resume the session based on external pre-shared secret */ + if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + s->session->master_key_length=sizeof(s->session->master_key); + if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, + NULL, &pref_cipher, s->tls_session_secret_cb_arg)) + { + s->session->cipher=pref_cipher ? + pref_cipher : ssl_get_cipher_by_char(s,p+j); + } + } +#endif /* OPENSSL_NO_TLSEXT */ + if (j != 0 && j == s->session->session_id_length && memcmp(p,s->session->session_id,j) == 0) { @@@@ -2725,11 +2740,8 @@@@ int ssl3_check_finished(SSL *s) { int ok; long n; - /* If we have no ticket or session ID is non-zero length (a match of - * a non-zero session length would never reach here) it cannot be a - * resumed session. - */ - if (!s->session->tlsext_tick || s->session->session_id_length) + /* If we have no ticket it cannot be a resumed session. 
*/ + if (!s->session->tlsext_tick) return 1; /* this function is called when we really expect a Certificate * message, so permit appropriate message length */ diff -upr openssl-0.9.8x.orig/ssl/s3_srvr.c openssl-0.9.8x/ssl/s3_srvr.c --- openssl-0.9.8x.orig/ssl/s3_srvr.c 2012-02-16 17:21:17.000000000 +0200 +++ openssl-0.9.8x/ssl/s3_srvr.c 2012-07-07 10:46:31.501140621 +0300 @@@@ -1009,6 +1009,59 @@@@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } + + /* Check if we want to use external pre-shared secret for this + * handshake for not reused session only. We need to generate + * server_random before calling tls_session_secret_cb in order to allow + * SessionTicket processing to use it in key derivation. */ + { + unsigned long Time; + unsigned char *pos; + Time=(unsigned long)time(NULL); /* Time */ + pos=s->s3->server_random; + l2n(Time,pos); + if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0) + { + al=SSL_AD_INTERNAL_ERROR; + goto f_err; + } + } + + if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + + s->session->master_key_length=sizeof(s->session->master_key); + if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, + ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) + { + s->hit=1; + s->session->ciphers=ciphers; + s->session->verify_result=X509_V_OK; + + ciphers=NULL; + + /* check if some cipher was preferred by call back */ + pref_cipher=pref_cipher ? 
pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); + if (pref_cipher == NULL) + { + al=SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); + goto f_err; + } + + s->session->cipher=pref_cipher; + + if (s->cipher_list) + sk_SSL_CIPHER_free(s->cipher_list); + + if (s->cipher_list_by_id) + sk_SSL_CIPHER_free(s->cipher_list_by_id); + + s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); + s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); + } + } #endif /* Worst case, we will use the NULL compression, but if we have other * options, we will now look for them. We have i-1 compression @@@@ -1147,16 +1200,22 @@@@ int ssl3_send_server_hello(SSL *s) unsigned char *buf; unsigned char *p,*d; int i,sl; - unsigned long l,Time; + unsigned long l; +#ifdef OPENSSL_NO_TLSEXT + unsigned long Time; +#endif if (s->state == SSL3_ST_SW_SRVR_HELLO_A) { buf=(unsigned char *)s->init_buf->data; +#ifdef OPENSSL_NO_TLSEXT p=s->s3->server_random; + /* Generate server_random if it was not needed previously */ Time=(unsigned long)time(NULL); /* Time */ l2n(Time,p); if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) return -1; +#endif /* Do the message type and length last */ d=p= &(buf[4]); diff -upr openssl-0.9.8x.orig/ssl/ssl_err.c openssl-0.9.8x/ssl/ssl_err.c --- openssl-0.9.8x.orig/ssl/ssl_err.c 2012-03-12 16:50:55.000000000 +0200 +++ openssl-0.9.8x/ssl/ssl_err.c 2012-07-07 10:46:31.501140621 +0300 @@@@ -264,6 +264,7 @@@@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"}, {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"}, {ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"}, +{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"}, {0,NULL} }; diff -upr openssl-0.9.8x.orig/ssl/ssl.h openssl-0.9.8x/ssl/ssl.h --- openssl-0.9.8x.orig/ssl/ssl.h 2012-03-12 16:50:55.000000000 +0200 +++ openssl-0.9.8x/ssl/ssl.h 2012-07-07 10:46:31.501140621 +0300 @@@@ -344,6 +344,7 
@@@@ extern "C" { * 'struct ssl_st *' function parameters used to prototype callbacks * in SSL_CTX. */ typedef struct ssl_st *ssl_crock_st; +typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT; /* used to hold info on the particular ciphers used */ typedef struct ssl_cipher_st @@@@ -362,6 +363,9 @@@@ typedef struct ssl_cipher_st DECLARE_STACK_OF(SSL_CIPHER) +typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg); +typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); + /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ typedef struct ssl_method_st { @@@@ -1050,6 +1054,18 @@@@ struct ssl_st /* RFC4507 session ticket expected to be received or sent */ int tlsext_ticket_expected; + + /* TLS Session Ticket extension override */ + TLS_SESSION_TICKET_EXT *tlsext_session_ticket; + + /* TLS Session Ticket extension callback */ + tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb; + void *tls_session_ticket_ext_cb_arg; + + /* TLS pre-shared secret session resumption */ + tls_session_secret_cb_fn tls_session_secret_cb; + void *tls_session_secret_cb_arg; + SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ #define session_ctx initial_ctx #else @@@@ -1663,6 +1679,15 @@@@ void *SSL_COMP_get_compression_methods(v int SSL_COMP_add_compression_method(int id,void *cm); #endif +/* TLS extensions functions */ +int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len); + +int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, + void *arg); + +/* Pre-shared secret session resumption functions */ +int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. 
@@@@ -1866,6 +1891,7 @@@@ void ERR_load_SSL_strings(void); #define SSL_F_TLS1_ENC 210 #define SSL_F_TLS1_SETUP_KEY_BLOCK 211 #define SSL_F_WRITE_PENDING 212 +#define SSL_F_SSL_SET_SESSION_TICKET_EXT 213 /* Reason codes. */ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 diff -upr openssl-0.9.8x.orig/ssl/ssl_sess.c openssl-0.9.8x/ssl/ssl_sess.c --- openssl-0.9.8x.orig/ssl/ssl_sess.c 2010-02-01 18:48:40.000000000 +0200 +++ openssl-0.9.8x/ssl/ssl_sess.c 2012-07-07 10:46:31.501140621 +0300 @@@@ -712,6 +712,61 @@@@ long SSL_CTX_get_timeout(const SSL_CTX * return(s->session_timeout); } +#ifndef OPENSSL_NO_TLSEXT +int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len, + STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg) + { + if (s == NULL) return(0); + s->tls_session_secret_cb = tls_session_secret_cb; + s->tls_session_secret_cb_arg = arg; + return(1); + } + +int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, + void *arg) + { + if (s == NULL) return(0); + s->tls_session_ticket_ext_cb = cb; + s->tls_session_ticket_ext_cb_arg = arg; + return(1); + } + +int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) + { + if (s->version >= TLS1_VERSION) + { + if (s->tlsext_session_ticket) + { + OPENSSL_free(s->tlsext_session_ticket); + s->tlsext_session_ticket = NULL; + } + + s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len); + if (!s->tlsext_session_ticket) + { + SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE); + return 0; + } + + if (ext_data) + { + s->tlsext_session_ticket->length = ext_len; + s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1; + memcpy(s->tlsext_session_ticket->data, ext_data, ext_len); + } + else + { + s->tlsext_session_ticket->length = 0; + s->tlsext_session_ticket->data = NULL; + } + + return 1; + } + + return 0; + } +#endif /* OPENSSL_NO_TLSEXT */ + typedef struct timeout_param_st { SSL_CTX 
*ctx; diff -upr openssl-0.9.8x.orig/ssl/t1_lib.c openssl-0.9.8x/ssl/t1_lib.c --- openssl-0.9.8x.orig/ssl/t1_lib.c 2012-01-04 16:25:10.000000000 +0200 +++ openssl-0.9.8x/ssl/t1_lib.c 2012-07-07 10:47:31.153140501 +0300 @@@@ -106,6 +106,12 @@@@ int tls1_new(SSL *s) void tls1_free(SSL *s) { +#ifndef OPENSSL_NO_TLSEXT + if (s->tlsext_session_ticket) + { + OPENSSL_free(s->tlsext_session_ticket); + } +#endif ssl3_free(s); } @@@@ -206,8 +212,23 @@@@ unsigned char *ssl_add_clienthello_tlsex int ticklen; if (!s->new_session && s->session && s->session->tlsext_tick) ticklen = s->session->tlsext_ticklen; + else if (s->session && s->tlsext_session_ticket && + s->tlsext_session_ticket->data) + { + ticklen = s->tlsext_session_ticket->length; + s->session->tlsext_tick = OPENSSL_malloc(ticklen); + if (!s->session->tlsext_tick) + return NULL; + memcpy(s->session->tlsext_tick, + s->tlsext_session_ticket->data, + ticklen); + s->session->tlsext_ticklen = ticklen; + } else ticklen = 0; + if (ticklen == 0 && s->tlsext_session_ticket && + s->tlsext_session_ticket->data == NULL) + goto skip_ext; /* Check for enough room 2 for extension type, 2 for len * rest for ticket */ @@@@ -221,6 +242,7 @@@@ unsigned char *ssl_add_clienthello_tlsex ret += ticklen; } } + skip_ext: if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && s->version != DTLS1_VERSION) @@@@ -486,6 +508,15 @@@@ int ssl_parse_clienthello_tlsext(SSL *s, return 0; renegotiate_seen = 1; } + else if (type == TLSEXT_TYPE_session_ticket) + { + if (s->tls_session_ticket_ext_cb && + !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } + } else if (type == TLSEXT_TYPE_status_request && s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) { @@@@ -663,6 +694,12 @@@@ int ssl_parse_serverhello_tlsext(SSL *s, } else if (type == TLSEXT_TYPE_session_ticket) { + if (s->tls_session_ticket_ext_cb && + !s->tls_session_ticket_ext_cb(s, data, size, 
s->tls_session_ticket_ext_cb_arg)) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) { @@@@ -920,6 +957,15 @@@@ int tls1_process_ticket(SSL *s, unsigned s->tlsext_ticket_expected = 1; return 0; /* Cache miss */ } + if (s->tls_session_secret_cb) + { + /* Indicate cache miss here and instead of + * generating the session from ticket now, + * trigger abbreviated handshake based on + * external mechanism to calculate the master + * secret later. */ + return 0; + } return tls_decrypt_ticket(s, p, size, session_id, len, ret); } diff -upr openssl-0.9.8x.orig/ssl/tls1.h openssl-0.9.8x/ssl/tls1.h --- openssl-0.9.8x.orig/ssl/tls1.h 2009-11-08 16:51:54.000000000 +0200 +++ openssl-0.9.8x/ssl/tls1.h 2012-07-07 10:46:31.501140621 +0300 @@@@ -401,6 +401,13 @@@@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T #define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/ #endif +/* TLS extension struct */ +struct tls_session_ticket_ext_st + { + unsigned short length; + void *data; + }; + #ifdef __cplusplus } #endif diff -upr openssl-0.9.8x.orig/util/ssleay.num openssl-0.9.8x/util/ssleay.num --- openssl-0.9.8x.orig/util/ssleay.num 2008-06-05 13:57:21.000000000 +0300 +++ openssl-0.9.8x/util/ssleay.num 2012-07-07 10:46:31.505140623 +0300 @@@@ -242,3 +242,5 @@@@ SSL_set_SSL_CTX SSL_get_servername 291 EXIST::FUNCTION:TLSEXT SSL_get_servername_type 292 EXIST::FUNCTION:TLSEXT SSL_CTX_set_client_cert_engine 293 EXIST::FUNCTION:ENGINE +SSL_set_session_ticket_ext 306 EXIST::FUNCTION:TLSEXT +SSL_set_session_secret_cb 307 EXIST::FUNCTION:TLSEXT @