[openssl-dev] s3_clnt.c changes regarding external pre-shared secret seem to break EAP-FAST

Erik Tkal etksubs at gmail.com
Tue Mar 17 17:53:36 UTC 2015 

In upgrading from 1.0.1i to 1.0.1l I found an issue in the behaviour of a non-resumed EAP-FAST session.

RFC 4851 indicates that the server can go straight from the serverHello to changeCipherSpec to resume a session but can also fall back to a full handshake.  With 1.0.1l the client ends up issuing an unexpected message alert if the server continues with its certificate message.

I traced this to the following change:

    Set s->hit when resuming from external pre-shared secret.

    https://github.com/openssl/openssl/commit/7b3ba508af5c86afe43e28174aa3c53a0a24f4d9 <https://github.com/openssl/openssl/commit/7b3ba508af5c86afe43e28174aa3c53a0a24f4d9>

When processing the serverHello s->tls_session_secret_cb() is called to see if the client has a session secret, and if so the old code would set the flag that a CCS was acceptable at that point.  However, the above change now also sets s->hit, which then “requires* that a finished message is expected next, triggering the alert otherwise.

Also, another change is suspect in that the latest code no longer sets the flag that a CCS is acceptable at that point:

    Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset

    https://github.com/openssl/openssl/commit/e94a6c0ede623960728415b68650a595e48f5a43 <https://github.com/openssl/openssl/commit/e94a6c0ede623960728415b68650a595e48f5a43>

In order for EAP-FAST to work it seems that if the client does have a tls_session_secret that s->hit must NOT be set since there is no indication in the serverHello as to whether the session_ticket sent by the client is accepted by the server (the sessionTicket extension is not sent by the server in EAP-FAST), and that SSL3_FLAGS_CCS_OK has to be set since the server MAY continue immediately with a changeCipherSpec.

  Thanks,
  Erik

....................................
Erik Tkal
etkal at cisco.com <mailto:etkal at cisco.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150317/79df9d96/attachment.html>

More information about the openssl-dev mailing list