[openssl-dev] s3_clnt.c changes regarding external pre-shared secret seem to break EAP-FAST

John Foley (foleyj) foleyj at cisco.com
Tue Mar 24 00:20:55 UTC 2015 

We've found a way to recreate the scenario using s_client/s_server.  We're using the -no_ticket option on the server.  Therefore, the ServerHello doesn't contain the session ticket extension.  It also doesn't send the NewSessionTicket message.  

To summarize the problem, when the client side is using SSL_set_session_secret_cb() and including a valid ticket in the ClintHello, then the logic in ssl3_get_server_hello() assumes the server is doing session resumption.  This puts the client-side state machine into the SSL3_ST_CR_FINISHED_A.  However, since the server side is configured to not do resumption via the -no_ticket option, the server continues with a normal handshake by sending the Certificate message.  The client aborts the handshake when it receives the Certificate message while in the SSL3_ST_CR_FINISHED_A state.


As Erik identified earlier in the thread, the cause of this appears to be the addition of setting s->hit in the following code:

    if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
        SSL_CIPHER *pref_cipher = NULL;
        s->session->master_key_length = sizeof(s->session->master_key);
        if (s->tls_session_secret_cb(s, s->session->master_key,
                                     &s->session->master_key_length,
                                     NULL, &pref_cipher,
                                     s->tls_session_secret_cb_arg)) {
            s->session->cipher = pref_cipher ?
                pref_cipher : ssl_get_cipher_by_char(s, p + j);
            s->hit = 1;
        }
    }

Why does the client-side now assume the server is doing session resumption simply because the session secret callback facility is being used?
________________________________________
From: openssl-dev [openssl-dev-bounces at openssl.org] on behalf of Dr. Stephen Henson [steve at openssl.org]
Sent: Thursday, March 19, 2015 11:49 AM
To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] s3_clnt.c changes regarding external pre-shared secret seem to break EAP-FAST

On Thu, Mar 19, 2015, Erik Tkal wrote:

>
> If I do not send a sessionID in the clientHello but do send a valid
> sessionTicket extension, the server goes straight to changeCipherSpec and
> the client generates an UnexpectedMessage alert.
>

Does the server send back an empty session ticket extension?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

More information about the openssl-dev mailing list