[openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method

Jouni Malinen j at w1.fi
Mon Jul 27 21:51:26 UTC 2015


On Mon, Jul 27, 2015 at 05:03:45PM +0100, Matt Caswell wrote:
> I have just committed a fix for this issue:
> https://github.com/openssl/openssl/commit/f0348c842e75a77f643e7d34cb88609145b2d320

> The above links are for the 1.0.2 commits. Equivalent commits have also
> been pushed for 1.0.1. For master I have only added the test as the bug
> did not exist in master (the version negotiation rewrite fixed it).

Thanks! I can confirm that the 1.0.2 changes allow me to remove the
EAP-FAST workaround (force TLSv1_method() to be used).

I had not yet been able to test EAP-FAST with the master branch snapshot
since there were a number of API changes that broke the mechanism I used
for key derivation. Now that I took a new look at this, most of the
needed accessors have apparently been added. I think I still may need
something to be able to figure out the keyblock size to be able to skip
over it in EAP-FAST key derivation. Anyway, this was sufficiently close
to be able to run some more tests. With a couple more fixes and a
hardcoded keyblock size for testing purposes, it looks like EAP-FAST with
authenticated provisioning worked. The unauthenticated provisioning case
was failing due to "ssl3_client_hello:no ciphers available", but I'd
assume that to be caused by some change in the enabled ciphers (this mode
is trying to use ADH-AES128-SHA).


While this is somewhat beyond the scope of this thread, I'd appreciate
any guidance on how to figure out keyblock size from the current
negotiation with the master branch OpenSSL snapshot. I used to use
ssl->s3->tmp.new_mac_secret_size and EVP_CIPHER_{key,iv}_length(). The
latter are still present, the former is not. Though,
ssl->enc_read_ctx->cipher is not available for EVP_CIPHER_*().
Alternative version used EVP_MD_CTX_md(ssl->read_hash) followed by
EVP_MD_size(). That is not available either.

A more flexible version of SSL_export_keying_material() would be another
(and likely cleaner) alternative for this. The additional need for a
couple of EAP methods is in being able to request the server random to be
used before the client random (i.e., the reverse order of the standard
implementation) and to be able to skip key block length number of bytes
from the beginning of the PRF output.

For that key block skipping part, though, it would also hit an issue
with memcmp against TLS_MD_KEY_EXPANSION_CONST, i.e., something
completely different may be needed to be able to derive the EAP-FAST
session_key_seed (see RFC 4851 Section 5.1 for details and RFC 5422
Section 3.3 shows yet another EAP-FAST case where session_key_seed and
ServerChallenge + ClientChallenge need to be derived similarly after
the key_block). It would be nice to be able to get those out from
OpenSSL without having to implement the PRF for this externally (and
without exporting the master key for that matter).

-- 
Jouni Malinen                                            PGP id EFC895FA
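The derivation the mail describes, as an added example that is not code from this thread, from OpenSSL or from wpa_supplicant: it implements the TLS 1.0/1.1 PRF (RFC 2246 Section 5) and the TLS 1.2 SHA-256 PRF externally, runs "key expansion" with server_random before client_random, and skips the key_block to obtain the EAP-FAST session_key_seed (RFC 4851 Section 5.1) and the session_key_seed + ServerChallenge + ClientChallenge triple (RFC 5422 Section 3.3). The key_block size formula assumes the per-direction MAC secret + cipher key + IV sum the mail mentions (the ssl->s3->tmp.new_mac_secret_size and EVP_CIPHER_{key,iv}_length() combination); the AES-128-CBC/HMAC-SHA1 sizes, the master secret and both randoms are constructed sample values. A plain RFC 5705 exporter with client_random first is included only to show why SSL_export_keying_material() as it stands cannot produce these bytes.

```python
"""EAP-FAST key derivation after the TLS key_block (added example; not code
from this thread, OpenSSL or wpa_supplicant).  Assumptions are marked below."""
import hmac

SKS_LEN = 40          # session_key_seed length, RFC 4851 Section 5.1
CHALLENGE_LEN = 16    # ServerChallenge / ClientChallenge, RFC 5422 Section 3.3


def p_hash(hash_name, secret, seed, length):
    """P_<hash> from RFC 2246 Section 5: HMAC chain A(i), expanded to `length` bytes."""
    out = bytearray()
    a = seed                                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return bytes(out[:length])


def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the
    second half (halves overlap by one byte when the secret length is odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF for SHA-256 based cipher suites (RFC 5246 Section 5)."""
    return p_hash("sha256", secret, label + seed, length)


def key_block_len(mac_secret_size, key_len, iv_len):
    """Size of the key_block the TLS record layer consumes: client and server copies
    of MAC secret, write key and IV.  Assumption: this is the mac_secret_size +
    EVP_CIPHER_key_length() + EVP_CIPHER_iv_length() sum the mail describes."""
    return 2 * (mac_secret_size + key_len + iv_len)


def eap_fast_key_expansion(prf, master_secret, client_random, server_random, kb_len, extra_len):
    """Run "key expansion" with server_random BEFORE client_random (RFC 4851 5.1, the
    reverse of the RFC 5705 exporter order) and return the extra_len bytes that
    follow the kb_len-byte key_block."""
    total = prf(master_secret, b"key expansion", server_random + client_random,
                kb_len + extra_len)
    return total[kb_len:]


def eap_fast_session_key_seed(prf, master_secret, client_random, server_random, kb_len):
    """RFC 4851 Section 5.1: the 40 bytes immediately following the key_block."""
    return eap_fast_key_expansion(prf, master_secret, client_random, server_random,
                                  kb_len, SKS_LEN)


def eap_fast_provisioning_keys(prf, master_secret, client_random, server_random, kb_len):
    """RFC 5422 Section 3.3: session_key_seed, then ServerChallenge, then ClientChallenge."""
    blob = eap_fast_key_expansion(prf, master_secret, client_random, server_random,
                                  kb_len, SKS_LEN + 2 * CHALLENGE_LEN)
    return {
        "session_key_seed": blob[:SKS_LEN],
        "server_challenge": blob[SKS_LEN:SKS_LEN + CHALLENGE_LEN],
        "client_challenge": blob[SKS_LEN + CHALLENGE_LEN:],
    }


def rfc5705_export(prf, master_secret, label, client_random, server_random, length):
    """Plain RFC 5705 exporter without context: client_random first and no key_block
    skip, i.e. the shape of today's SSL_export_keying_material() output."""
    return prf(master_secret, label, client_random + server_random, length)


# Constructed sample inputs (not real session values).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
# The hardcoded case from the mail: AES-128-CBC with HMAC-SHA1 -> 2 * (20 + 16 + 16) = 104.
AES128_SHA_KB_LEN = key_block_len(mac_secret_size=20, key_len=16, iv_len=16)


if __name__ == "__main__":
    sks = eap_fast_session_key_seed(tls10_prf, MASTER_SECRET, CLIENT_RANDOM,
                                    SERVER_RANDOM, AES128_SHA_KB_LEN)
    print("key_block_len:", AES128_SHA_KB_LEN)
    print("session_key_seed:", sks.hex())
    keys = eap_fast_provisioning_keys(tls10_prf, MASTER_SECRET, CLIENT_RANDOM,
                                      SERVER_RANDOM, AES128_SHA_KB_LEN)
    for name, value in keys.items():
        print(f"{name}: {value.hex()}")
```

Because P_hash output is prefix-stable, the 40-byte seed is the same whether the PRF is asked for key_block_len + 40 bytes in one call or the key_block and the seed are requested separately, which is what makes the "skip N bytes" exporter extension the mail asks for well-defined. Swapping to tls12_prf is all that changes for a SHA-256 TLS 1.2 suite; the key_block_len input is the part that has to come from the negotiated cipher.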

