On 2016/10/05 14:20, David Coppa wrote:
>
> On Mon, Oct 3, 2016 at 1:22 PM, Edd Barrett <e...@theunixzoo.co.uk> wrote:
>
> > Testing against eduroam:
> >
> > ---8<---
> > $ doas wpa_supplicant -i iwn0 -c /etc/wpa_supplicant.conf
> > Successfully initialized wpa_supplicant
> > SSL: Failed to initialize TLS context.
> > Failed to initialize EAPOL state machines.
> > --->8---
> >
>
> On Tue, 04 Oct 2016, Laurence Tratt wrote:
>
> > On Tue, Oct 04, 2016 at 02:09:30PM +0200, David Coppa wrote:
> >
> > Hello David,
> >
> > I'll give this a try on Thursday (which is the next time I'm around such a
> > network) and let you know.
> >
> >
> > Laurie
>
> Hi again,
>
> I finally got access to a proper 802.1x LAN and I was able to
> reproduce and fix this issue.
>
> New diff below.
>
> But now I have a question for the LibreSSL hackers...
>
> I suspect all the
>
> #if OPENSSL_VERSION_NUMBER < 0x10100000L
>
> conditionals should be:
>
> #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
>
> Is this true?
It is true for some but not necessarily others... Some of these are to do
with APIs which we may or may not have added (and then it may change later).
Others are for bug workarounds.

> Changing two of these #if statements fixed the problem reported by
> Edd and Laurie, but I could find them quite easily by diffing between
> wpa_supplicant-2.5 and wpa_supplicant-2.6.
>
> Can you have a look at the attached tls_openssl.c file and tell me
> if my analysis is correct and which
> "#if OPENSSL_VERSION_NUMBER < 0x10100000L"
> conditional should be changed?
>
> I'm particularly interested in this one (line 3979 of 4333):
>
> ---8<---
> #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
> #if OPENSSL_VERSION_NUMBER < 0x10100000L
> 	if (params->flags & TLS_CONN_EAP_FAST) {
> 		wpa_printf(MSG_DEBUG,
> 			   "OpenSSL: Use TLSv1_method() for EAP-FAST");
> 		if (SSL_set_ssl_method(conn->ssl, TLSv1_method()) != 1) {
> 			tls_show_errors(MSG_INFO, __func__,
> 					"Failed to set TLSv1_method() for EAP-FAST");
> 			return -1;
> 		}
> 	}
> #endif
> #endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
> --->8---
>
> Because it was the same even in wpa_supplicant-2.5, and I cannot
> fully understand this chunk of code.

This is a workaround for an OpenSSL bug affecting EAP-FAST.
https://mta.openssl.org/pipermail/openssl-dev/2015-July/002191.html
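The version conditional David asks about, as an added example (constructed for this thread; it is not wpa_supplicant's, OpenSSL's or LibreSSL's code): it decodes the packed OPENSSL_VERSION_NUMBER format and evaluates both forms of the `#if` test for OpenSSL 1.0.2g, OpenSSL 1.1.0 and LibreSSL, whose headers define OPENSSL_VERSION_NUMBER as the fixed value 0x20000000L alongside LIBRESSL_VERSION_NUMBER. The library table and the boolean standing in for `defined(LIBRESSL_VERSION_NUMBER)` are assumptions of the example, so the preprocessor decision can be checked at run time without the real headers.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed example; not wpa_supplicant, OpenSSL or LibreSSL code.
 *
 * OpenSSL encodes OPENSSL_VERSION_NUMBER as 0xMNNFFPPS:
 *   M  = major, NN = minor, FF = fix, PP = patch letter (1 = a, 2 = b, ...),
 *   S  = status (0 = dev, 1..e = beta, f = release).
 * LibreSSL's headers define OPENSSL_VERSION_NUMBER as the fixed value
 * 0x20000000L and additionally define LIBRESSL_VERSION_NUMBER, so a plain
 * "< 0x10100000L" test is false there even though the 1.1 API is absent. */

#define OPENSSL_1_1_0 0x10100000L

struct ssl_version {
    unsigned major, minor, fix, patch, status;
};

/* Split the packed MNNFFPPS number into its fields. */
static struct ssl_version decode_version(unsigned long v)
{
    struct ssl_version out;
    out.major  = (v >> 28) & 0xf;
    out.minor  = (v >> 20) & 0xff;
    out.fix    = (v >> 12) & 0xff;
    out.patch  = (v >> 4)  & 0xff;
    out.status = v & 0xf;
    return out;
}

/* The test as it appears in wpa_supplicant-2.6: numeric comparison only. */
static bool legacy_path_numeric_only(unsigned long version)
{
    return version < OPENSSL_1_1_0;
}

/* The test as proposed in the thread: also take the legacy path whenever
 * LIBRESSL_VERSION_NUMBER is defined (modelled here as a boolean argument). */
static bool legacy_path_libressl_aware(unsigned long version, bool libressl_defined)
{
    return version < OPENSSL_1_1_0 || libressl_defined;
}

/* Sample libraries, constructed for the demo (hypothetical table). */
struct lib { const char *name; unsigned long version; bool libressl; };
static const struct lib libs[] = {
    { "OpenSSL 1.0.2g", 0x1000207fL, false },
    { "OpenSSL 1.1.0",  0x10100000L, false },
    { "LibreSSL",       0x20000000L, true  },
};

/* Count the sample libraries on which the two conditionals disagree;
 * each one is a library whose pre-1.1 code path silently disappears. */
static int count_disagreements(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof libs / sizeof libs[0]; i++) {
        bool plain = legacy_path_numeric_only(libs[i].version);
        bool aware = legacy_path_libressl_aware(libs[i].version, libs[i].libressl);
        if (plain != aware)
            n++;
    }
    return n;
}

int main(void)
{
    for (size_t i = 0; i < sizeof libs / sizeof libs[0]; i++) {
        struct ssl_version sv = decode_version(libs[i].version);
        char letter = sv.patch ? (char)('a' + sv.patch - 1) : ' ';
        printf("%-14s 0x%08lx -> %u.%u.%u%c  numeric-only: %s  libressl-aware: %s\n",
               libs[i].name, libs[i].version, sv.major, sv.minor, sv.fix, letter,
               legacy_path_numeric_only(libs[i].version) ? "legacy" : "new",
               legacy_path_libressl_aware(libs[i].version, libs[i].libressl)
                   ? "legacy" : "new");
    }
    printf("libraries on which the two tests disagree: %d\n", count_disagreements());
    return 0;
}
```

Build with `cc -o vercheck vercheck.c && ./vercheck`. The only disagreement is LibreSSL: its 0x20000000L placeholder compares as "newer than 1.1.0", so every block guarded by the bare numeric test, the EAP-FAST TLSv1_method() workaround included, is compiled out there unless `defined(LIBRESSL_VERSION_NUMBER)` is added to the condition. As the reply above notes, that is the right fix only for guards covering APIs LibreSSL lacks or bugs it shares; each guard still has to be judged on its own.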