[openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method
Jouni Malinen
j at w1.fi
Fri Jul 31 17:51:43 UTC 2015
On Thu, Jul 30, 2015 at 11:00:45AM +0100, Matt Caswell wrote:
> On 28/07/15 15:09, Jouni Malinen wrote:
> > The remaining issue for EAP-FAST server is in the
> > SSL_set_session_secret_cb() callback not having access to the correct
> > server_random through SSL_get_server_random().
> Is this still a problem? From looking at the code it seems to me that
> the server random is set prior to calling the callback:
It is a problem with the current master branch snapshot, but not with
older versions, i.e., a regression of some sort..
> /*
> * Check if we want to use external pre-shared secret for this handshake
> * for not reused session only. We need to generate server_random before
> * calling tls_session_secret_cb in order to allow SessionTicket
> * processing to use it in key derivation.
> */
> {
> unsigned char *pos;
> pos = s->s3->server_random;
> if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
This is indeed the server_random I see in the tls_session_secret_cb, but
that is not the server_random that gets used in the negotiation..
> Checking the commit logs this seems to have been put in by this commit
> responding to one of your tickets!
>
> commit 12bf56c017a34bd0d5fc6d817564ae49d0a9e861
It was indeed and that commit worked.. Please note that it uses #ifdef
OPENSSL_NO_TLSEXT to avoid having ssl3_send_server_hello() override the
previously selected server_random.
> You seem to imply that you can get the server_random through
> ssl->s3->server_random but not through SSL_get_server_random(). Looking
> at the code I can't see an obvious reason why that would be the case.
> Here is SSL_get_server_random():
>
> size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t
> outlen)
> {
> if (outlen == 0)
> return sizeof(ssl->s3->server_random);
> if (outlen > sizeof(ssl->s3->server_random))
> outlen = sizeof(ssl->s3->server_random);
> memcpy(out, ssl->s3->server_random, outlen);
> return outlen;
> }
I had not checked what this does, but yes, that's indeed identical to
the mechanism I use with older OpenSSL version. In other words, the
issue is in ssl3_send_server_hello().
It looks like commit e481f9b90b164fd1053015d1c4e0a0d92076d7a8
("Remove support for OPENSSL_NO_TLSEXT") broke this. It is deleting
number of "#ifndef OPENSSL_NO_TLSEXT" lines correctly, but it is also
deleting one "#ifdef OPENSSL_NO_TLSEXT" without removing the block of
code that should have also been removed from ssl3_send_server_hello().
Because of that, server_random gets replaced after the call to
tls_session_secret_cb which breaks the EAP-FAST use case.
This is the relevant part of that commit:
@@ -1602,13 +1585,13 @@ int ssl3_send_server_hello(SSL *s)
if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
buf = (unsigned char *)s->init_buf->data;
-#ifdef OPENSSL_NO_TLSEXT
+
p = s->s3->server_random;
if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) {
s->state = SSL_ST_ERR;
return -1;
}
-#endif
+
/* Do the message type and length last */
d = p = ssl_handshake_start(s);
That ssl_fill_hello_random() call needs to be deleted to fix this issue.
Based on a quick test, that does indeed fix the EAP-FAST server issue I
saw.
--
Jouni Malinen PGP id EFC895FA
More information about the openssl-dev
mailing list