From 415c00bdbad6498137300230bfb9597c70ff288e Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Tue, 17 May 2016 13:24:43 -0400
Subject: [PATCH 2/2] OpenSSL: Don't implement tls_connection_get_eap_fast_key if EAP-FAST is disabled.
This avoids internal access of structs and also removes the dependency on the reimplemented TLS PRF functions when EAP-FAST support is not enabled. Notably, BoringSSL doesn't support EAP-FAST, so there is no need access its internals with openssl_get_keyblock_size.
Signed-Off-By: David Benjamin
---
src/crypto/tls_openssl.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index e53cf9d..f880ea7 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3087,8 +3087,9 @@ int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn,
 return 0;
 }
-
-#ifndef CONFIG_FIPS
+#if !defined(CONFIG_FIPS) || \
+ (!defined(EAP_FAST) && !defined(EAP_FAST_DYNAMIC) && \
+ !defined(EAP_SERVER_FAST))
 static int openssl_get_keyblock_size(SSL *ssl)
 {
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
@@ -3143,7 +3144,7 @@ static int openssl_get_keyblock_size(SSL *ssl)
 EVP_CIPHER_iv_length(c));
 #endif
 }
-#endif /* CONFIG_FIPS */
+#endif /* CONFIG_FIPS || !EAP_FAST */
 int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
@@ -3162,11 +3163,13 @@ int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
 int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
 u8 *out, size_t out_len)
 {
-#ifdef CONFIG_FIPS
+#if !defined(EAP_FAST) && !defined(EAP_FAST_DYNAMIC) && !defined(EAP_SERVER_FAST)
+ return -1;
+#elif defined(CONFIG_FIPS)
 wpa_printf(MSG_ERROR, "OpenSSL: TLS keys cannot be exported in FIPS "
 "mode");
 return -1;
-#else /* CONFIG_FIPS */
+#else
 SSL *ssl;
 SSL_SESSION *sess;
 u8 *rnd;
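Review bot: The new guard in the first hunk compiles openssl_get_keyblock_size in exactly the configurations where it is not wanted: `!defined(CONFIG_FIPS) || (no EAP-FAST variant defined)` is true for a non-FIPS build without EAP-FAST, so the static helper, with its access to OpenSSL internals, stays compiled (and triggers an unused-function warning) even though the `#else` branch of tls_connection_get_eap_fast_key in the third hunk, presumably its only caller, is compiled out, which defeats the BoringSSL motivation given in the description. The helper is only needed when some EAP-FAST variant is enabled and FIPS is off, so the condition should read `#if !defined(CONFIG_FIPS) && (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST))`, wrapped with the same backslash continuations, and the matching `#endif /* CONFIG_FIPS || !EAP_FAST */` in the second hunk should then describe that predicate, e.g. `#endif /* !CONFIG_FIPS && EAP_FAST */`. The body of openssl_get_keyblock_size lies between the first and second hunks and is not shown.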
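Review bot: The added `#if !defined(EAP_FAST) && !defined(EAP_FAST_DYNAMIC) && !defined(EAP_SERVER_FAST)` in the third hunk runs to 81 columns and spells out the same three-macro predicate that the first hunk wraps over three backslash-continued lines; writing it in that wrapped form here too (or evaluating it once in a file-level macro next to the first guard and testing that macro in both places) keeps the two occurrences visibly in step, which matters because the first guard must be the exact complement of this one for the helper to exist whenever the `#else` branch needs it. The `+#else` here and the `+#endif` in the last hunk also drop the trailing comments that the removed lines carried, and with a three-way `#if`/`#elif`/`#else` spanning roughly 70 lines by the hunk offsets, a trailer such as `#else /* EAP-FAST enabled, !CONFIG_FIPS */` and `#endif /* EAP-FAST / CONFIG_FIPS */` is worth keeping. tls_connection_get_eap_fast_key continues past the end of this hunk.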
@@ -3235,7 +3238,7 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
 bin_clear_free(tmp_out, skip);
 return ret;
-#endif /* CONFIG_FIPS */
+#endif
 }
-- 2.8.0.rc3.226.g39d4020