[openssl-dev] Extended master secret goober in s3_srvr.c

Dr. Stephen Henson steve at openssl.org
Fri Jun 12 20:23:30 UTC 2015


On Fri, Jun 12, 2015, Bill Cox wrote:

> Here's some code in master starting at line 594 in s3_srvr.c:
> 
>                 if (!s->s3->handshake_buffer) {
>                     SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
>                     return -1;
>                 }
>                 /*
>                  * For sigalgs freeze the handshake buffer. If we support
>                  * extms we've done this already.
>                  */
>                 if (!(s->s3->flags & SSL_SESS_FLAG_EXTMS)) {
>                     s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
>                     if (!ssl3_digest_cached_records(s))
>                         return -1;
>                 }
> 
> The goober is that s->s3->flags does not have a flag for
> SSL_SESS_FLAG_EXTMS.  This flag is defined for s->session->flags, not
> s->s3->flags.  What happens is that s->s3->flags generally has bit 0 clear,
> because this is the flag for SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
> Therefore, this generally runs, and we set TLS1_FLAGS_KEEP_HANDSHAKE even
> if we have extended master secret support enabled.
> 
> I haven't figured out yet what this does in the code.  If it were really
> bad, we would have heard about it already.  What was this code supposed to
> do, and how should it get fixed?
> 

Nice catch. That code only gets called when TLS 1.2 client authentication is
used: I think it just means we digest cached records twice instead of once.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
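As an added illustration (not code from the thread or from OpenSSL), the mismatch Bill describes modelled in a few lines of C: the quoted check written against s->s3->flags beside the same check against s->session->flags, with a stand-in digest routine that counts how often it runs on the TLS 1.2 client-auth path. The structs, the flag values and the `digest_count` driver are simplified assumptions; only the bit positions matter.

```c
/* Added illustration, not OpenSSL code: a session flag tested against the
 * wrong flags word. Structs and constant values are simplified assumptions;
 * only the bit positions matter (both constants sit in bit 0). */
#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001u /* s->s3->flags, bit 0 */
#define TLS1_FLAGS_KEEP_HANDSHAKE         0x0020u /* s->s3->flags */
#define SSL_SESS_FLAG_EXTMS               0x0001u /* s->session->flags, bit 0 */

struct ssl3_state  { unsigned long flags; int digest_calls; };
struct ssl_session { unsigned long flags; };
struct ssl         { struct ssl3_state *s3; struct ssl_session *session; };

/* Stand-in for ssl3_digest_cached_records(): only counts invocations. */
int digest_cached_records(struct ssl *s) { s->s3->digest_calls++; return 1; }

/* The check as quoted in the thread. Bit 0 of s3->flags is
 * NO_RENEGOTIATE_CIPHERS and is normally clear, so the body runs even
 * when extended master secret was negotiated for the session. */
int freeze_handshake_buggy(struct ssl *s)
{
    if (!(s->s3->flags & SSL_SESS_FLAG_EXTMS)) {
        s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
        return digest_cached_records(s);
    }
    return 1;
}

/* The same check against the word the flag is actually defined for. */
int freeze_handshake_fixed(struct ssl *s)
{
    if (!(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
        s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
        return digest_cached_records(s);
    }
    return 1;
}

/* TLS 1.2 client-auth path: with extms the handshake buffer was already
 * frozen and digested once. Returns how many digests ran in total. */
int digest_count(int extms, int (*freeze)(struct ssl *))
{
    struct ssl3_state s3 = { 0, 0 };
    struct ssl_session sess = { extms ? SSL_SESS_FLAG_EXTMS : 0 };
    struct ssl s = { &s3, &sess };
    if (extms)
        digest_cached_records(&s);
    freeze(&s);
    return s3.digest_calls;
}
```

With extms negotiated the buggy check digests twice and the fixed one once; without extms both digest exactly once, which is why the slip is silent at runtime.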