[openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method

Matt Caswell matt at openssl.org
Thu Jul 30 10:00:45 UTC 2015



On 28/07/15 15:09, Jouni Malinen wrote:
> The remaining issue for EAP-FAST server is in the
> SSL_set_session_secret_cb() callback not having access to the correct
> server_random through SSL_get_server_random(). In earlier OpenSSL
> versions, I could fetch this from ssl->s3->server_random. However,
> SSL_get_server_random() seems to return some bogus data at this point in
> the sequence (_before_ the ServerHello has actually been written). The
> correct server_random becomes available later, but that's too late to be
> able to derive the correct master_secret in the session secret
> callback..

Is this still a problem? From looking at the code it seems to me that
the server random is set prior to calling the callback:

    /*
     * Check if we want to use external pre-shared secret for this handshake
     * for not reused session only. We need to generate server_random before
     * calling tls_session_secret_cb in order to allow SessionTicket
     * processing to use it in key derivation.
     */
    {
        unsigned char *pos;
        pos = s->s3->server_random;
        if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
            goto f_err;
        }
    }

    if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
        SSL_CIPHER *pref_cipher = NULL;

        s->session->master_key_length = sizeof(s->session->master_key);
        if (s->tls_session_secret_cb(s, s->session->master_key,
                                     &s->session->master_key_length,
                                     ciphers,
                                     &pref_cipher,
                                     s->tls_session_secret_cb_arg)) {


Checking the commit logs this seems to have been put in by this commit
responding to one of your tickets!

commit 12bf56c017a34bd0d5fc6d817564ae49d0a9e861
Author:     Dr. Stephen Henson <steve at openssl.org>
AuthorDate: Sat Nov 15 17:18:12 2008 +0000
Commit:     Dr. Stephen Henson <steve at openssl.org>
CommitDate: Sat Nov 15 17:18:12 2008 +0000

    PR: 1574
    Submitted by: Jouni Malinen <j at w1.fi>
    Approved by: steve at openssl.org

    Ticket override support for EAP-FAST.


You seem to imply that you can get the server_random through
ssl->s3->server_random but not through SSL_get_server_random(). Looking
at the code I can't see an obvious reason why that would be the case.
Here is SSL_get_server_random():

size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen)
{
    if (outlen == 0)
        return sizeof(ssl->s3->server_random);
    if (outlen > sizeof(ssl->s3->server_random))
        outlen = sizeof(ssl->s3->server_random);
    memcpy(out, ssl->s3->server_random, outlen);
    return outlen;
}


Matt
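
An added example, not part of the message above and not OpenSSL code: a caller-side check that a session secret callback could run before deriving keys from the server random, using the getter contract quoted above (size query with outlen 0, silent truncation otherwise). struct conn, get_server_random() and fetch_server_random() are hypothetical stand-ins so it builds without OpenSSL headers, and treating an all-zero random as "not generated yet" is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RANDOM_LEN 32 /* value of SSL3_RANDOM_SIZE */

/* Stand-in for the SSL object: only the field the getter reads (constructed). */
struct conn { unsigned char server_random[RANDOM_LEN]; };

/* Stand-in getter with the same contract as SSL_get_server_random() above. */
static size_t get_server_random(const struct conn *c, unsigned char *out, size_t outlen)
{
    if (outlen == 0)
        return sizeof(c->server_random);
    if (outlen > sizeof(c->server_random))
        outlen = sizeof(c->server_random);
    memcpy(out, c->server_random, outlen);
    return outlen;
}

enum random_status { RANDOM_OK, RANDOM_BAD_SIZE, RANDOM_SHORT, RANDOM_UNSET };

/* Hypothetical helper for a session secret callback: fetch the random and
 * refuse values that would silently derive the wrong master_secret. */
static enum random_status fetch_server_random(const struct conn *c, unsigned char *out, size_t outlen)
{
    unsigned char acc = 0;
    size_t i, need = get_server_random(c, NULL, 0); /* size query, no copy */

    if (need != RANDOM_LEN)
        return RANDOM_BAD_SIZE;
    if (outlen < need)          /* getter would truncate without an error */
        return RANDOM_SHORT;
    if (get_server_random(c, out, need) != need)
        return RANDOM_SHORT;
    for (i = 0; i < need; i++)
        acc |= out[i];
    /* Assumption: a random that was never generated reads as all zero bytes. */
    return acc ? RANDOM_OK : RANDOM_UNSET;
}

int main(void)
{
    struct conn c = { {0} };            /* constructed state: before the fill */
    unsigned char buf[RANDOM_LEN];

    printf("before fill: %d\n", fetch_server_random(&c, buf, sizeof(buf)));
    memset(c.server_random, 0xA5, RANDOM_LEN); /* constructed "filled" value */
    printf("after fill:  %d\n", fetch_server_random(&c, buf, sizeof(buf)));
    return 0;
}
```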





