[openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method
Matt Caswell
matt at openssl.org
Thu Jul 30 10:00:45 UTC 2015
On 28/07/15 15:09, Jouni Malinen wrote:
> The remaining issue for EAP-FAST server is in the
> SSL_set_session_secret_cb() callback not having access to the correct
> server_random through SSL_get_server_random(). In earlier OpenSSL
> versions, I could fetch this from ssl->s3->server_random. However,
> SSL_get_server_random() seems to return some bogus data at this point in
> the sequence (_before_ the ServerHello has actually been written). The
> correct server_random becomes available later, but that's too late to be
> able to derive the correct master_secret in the session secret
> callback..
Is this still a problem? From looking at the code it seems to me that
the server random is set prior to calling the callback:

    /*
     * Check if we want to use external pre-shared secret for this handshake
     * for not reused session only. We need to generate server_random before
     * calling tls_session_secret_cb in order to allow SessionTicket
     * processing to use it in key derivation.
     */
    {
        unsigned char *pos;
        pos = s->s3->server_random;
        if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
            goto f_err;
        }
    }
    if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
        SSL_CIPHER *pref_cipher = NULL;
        s->session->master_key_length = sizeof(s->session->master_key);
        if (s->tls_session_secret_cb(s, s->session->master_key,
                                     &s->session->master_key_length,
                                     ciphers,
                                     &pref_cipher,
                                     s->tls_session_secret_cb_arg)) {

Checking the commit logs this seems to have been put in by this commit
responding to one of your tickets!

commit 12bf56c017a34bd0d5fc6d817564ae49d0a9e861
Author: Dr. Stephen Henson <steve at openssl.org>
AuthorDate: Sat Nov 15 17:18:12 2008 +0000
Commit: Dr. Stephen Henson <steve at openssl.org>
CommitDate: Sat Nov 15 17:18:12 2008 +0000

    PR: 1574
    Submitted by: Jouni Malinen <j at w1.fi>
    Approved by: steve at openssl.org

    Ticket override support for EAP-FAST.

You seem to imply that you can get the server_random through
ssl->s3->server_random but not through SSL_get_server_random(). Looking
at the code I can't see an obvious reason why that would be the case.
Here is SSL_get_server_random():

    size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
                                 size_t outlen)
    {
        if (outlen == 0)
            return sizeof(ssl->s3->server_random);
        if (outlen > sizeof(ssl->s3->server_random))
            outlen = sizeof(ssl->s3->server_random);
        memcpy(out, ssl->s3->server_random, outlen);
        return outlen;
    }

Matt
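
An added example, not part of the original message and not OpenSSL or hostapd code: the EAP-FAST master_secret derivation as specified in RFC 4851 (sections 5.1 and 5.5), showing why the session secret callback must see the same server_random that later goes out in ServerHello. The PAC-Key and random values are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

SSL3_RANDOM_SIZE = 32
LABEL = b"PAC to master secret label hash"


def t_prf(key: bytes, label: bytes, seed: bytes, out_len: int) -> bytes:
    """T-PRF from RFC 4851 section 5.5, built on HMAC-SHA1."""
    s = label + b"\x00" + seed
    length = struct.pack(">H", out_len)  # 2-octet network-order OutputLength
    out, block, counter = b"", b"", 1
    while len(out) < out_len:
        # T1 = HMAC(Key, S + len + 0x01); Tn = HMAC(Key, Tn-1 + S + len + n)
        block = hmac.new(key, block + s + length + bytes([counter]),
                         hashlib.sha1).digest()
        out += block
        counter += 1
    return out[:out_len]


def eap_fast_master_secret(pac_key, server_random, client_random):
    """RFC 4851 section 5.1: seed is server_random + client_random, 48 octets."""
    for r in (server_random, client_random):
        if len(r) != SSL3_RANDOM_SIZE:
            raise ValueError("hello random must be 32 bytes")
    return t_prf(pac_key, LABEL, server_random + client_random, 48)


# Constructed sample values, not taken from any real handshake.
PAC_KEY = bytes(range(32))
CLIENT_RANDOM = bytes([0xC1]) * 32
SERVER_RANDOM = bytes([0x5E]) * 32  # value the peer will see in ServerHello
STALE_RANDOM = bytes(32)            # buffer contents read before it was filled


def demo():
    """Return (secret from the real server_random, secret from a stale one)."""
    good = eap_fast_master_secret(PAC_KEY, SERVER_RANDOM, CLIENT_RANDOM)
    bad = eap_fast_master_secret(PAC_KEY, STALE_RANDOM, CLIENT_RANDOM)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("matches the peer     :", good.hex())
    print("stale server_random  :", bad.hex())
    print("secrets differ       :", good != bad)
```

The peer derives its master_secret from the server_random it receives, so a server that computes the secret from any other buffer contents ends up with keys that do not match.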