[PATCH] NSS: Fix build with NSS
Masashi Honma
masashi.honma
Wed Nov 21 05:22:49 PST 2012
I will use NSS 3.14 for SSL. But compilation failed because the
SSL_ExportKeyingMaterial() prototype was changed. So I made this patch.
But I got the error messages below on the TTLS/MSCHAPv2 connection.
------------
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
NSS: TODO - tls_connection_set_params
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
NSS: Bad Server Certificate (sec err 20)
NSS: Peer certificate subject='(deleted)'
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
------------
I will do more fixes. Is there any advice for this?
Signed-hostap: Masashi Honma <masashi.honma at gmail.com>
diff --git a/src/crypto/tls_nss.c b/src/crypto/tls_nss.c
index c53c192..d7fba20 100644
--- a/src/crypto/tls_nss.c
+++ b/src/crypto/tls_nss.c
@@ -293,15 +293,15 @@ static SECStatus nss_bad_cert_cb(void *arg,
PRFileDesc *fd)
err = PR_GetError();
if (IS_SEC_ERROR(err))
- wpa_printf(MSG_DEBUG, "NSS: Bad Server Certificate (sec err "
+ wpa_printf(MSG_ERROR, "NSS: Bad Server Certificate (sec err "
"%d)", err - SEC_ERROR_BASE);
else
- wpa_printf(MSG_DEBUG, "NSS: Bad Server Certificate (err %d)",
+ wpa_printf(MSG_ERROR, "NSS: Bad Server Certificate (err %d)",
err);
cert = SSL_PeerCertificate(fd);
subject = CERT_NameToAscii(&cert->subject);
issuer = CERT_NameToAscii(&cert->issuer);
- wpa_printf(MSG_DEBUG, "NSS: Peer certificate subject='%s' issuer='%s'",
+ wpa_printf(MSG_ERROR, "NSS: Peer certificate subject='%s' issuer='%s'",
subject, issuer);
CERT_DestroyCertificate(cert);
PR_Free(subject);
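Review bot: the MSG_DEBUG to MSG_ERROR changes in nss_bad_cert_cb() are unrelated to the SSL_ExportKeyingMaterial() build fix named in the subject and belong in a separate patch with their own justification. While these lines are being touched, note that the context dereferences the result of SSL_PeerCertificate(fd) (&cert->subject, &cert->issuer) with no NULL check visible; a check before the CERT_NameToAscii() calls would be worth adding.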
@@ -426,15 +426,16 @@ int tls_connection_prf(void *tls_ctx, struct
tls_connection *conn,
u8 *out, size_t out_len)
{
if (conn == NULL || server_random_first) {
- wpa_printf(MSG_INFO, "NSS: Unsupported PRF request "
+ wpa_printf(MSG_ERROR, "NSS: Unsupported PRF request "
"(server_random_first=%d)",
server_random_first);
return -1;
}
- if (SSL_ExportKeyingMaterial(conn->fd, label, NULL, 0, out, out_len) !=
- SECSuccess) {
- wpa_printf(MSG_INFO, "NSS: Failed to use TLS extractor "
+ if (SSL_ExportKeyingMaterial(conn->fd, label, os_strlen(label),
+ PR_FALSE, NULL, 0, out, out_len) !=
+ SECSuccess) {
+ wpa_printf(MSG_ERROR, "NSS: Failed to use TLS extractor "
"(label='%s' out_len=%d", label, (int) out_len);
return -1;
}
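Review bot: the SSL_ExportKeyingMaterial() call in tls_connection_prf() is switched to the new argument list unconditionally, so a build against an NSS release that still has the previous prototype will now fail; wrap the two call forms in an NSS version check, or state the minimum supported NSS version in the commit message. Passing os_strlen(label) with PR_FALSE, NULL, 0 keeps the no-context behaviour of the old call. The MSG_INFO to MSG_ERROR changes are separate from the build fix, and the format string on the failure path, "(label='%s' out_len=%d", is missing its closing parenthesis.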
Regards,
Masashi Honma.