[openssl-dev] s3_clnt.c changes regarding external pre-shared secret seem to break EAP-FAST
Emilia Käsper
emilia at openssl.org
Tue Mar 24 01:17:59 UTC 2015
On Tue, Mar 24, 2015 at 1:20 AM, John Foley (foleyj) <foleyj at cisco.com>
wrote:
> We've found a way to recreate the scenario using s_client/s_server. We're
> using the -no_ticket option on the server. Therefore, the ServerHello
> doesn't contain the session ticket extension. It also doesn't send the
> NewSessionTicket message.
>
> To summarize the problem, when the client side is using
> SSL_set_session_secret_cb() and including a valid ticket in the ClintHello,
> then the logic in ssl3_get_server_hello() assumes the server is doing
> session resumption. This puts the client-side state machine into the
> SSL3_ST_CR_FINISHED_A. However, since the server side is configured to not
> do resumption via the -no_ticket option, the server continues with a normal
> handshake by sending the Certificate message. The client aborts the
> handshake when it receives the Certificate message while in the
> SSL3_ST_CR_FINISHED_A state.
>
>
> As Erik identified earlier in the thread, the cause of this appears to be
> the addition of setting s->hit in the following code:
>
> if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
> SSL_CIPHER *pref_cipher = NULL;
> s->session->master_key_length = sizeof(s->session->master_key);
> if (s->tls_session_secret_cb(s, s->session->master_key,
> &s->session->master_key_length,
> NULL, &pref_cipher,
> s->tls_session_secret_cb_arg)) {
> s->session->cipher = pref_cipher ?
> pref_cipher : ssl_get_cipher_by_char(s, p + j);
> s->hit = 1;
> }
> }
>
> Why does the client-side now assume the server is doing session resumption
> simply because the session secret callback facility is being used?
>
Because a developer (me) introduced a bug. With OpenSSL client behaviour,
peeking ahead is only required for EAP-FAST. I got rid of the peeking while
tightening up the ChangeCipherSpec handling and in the process, got it
wrong for EAP-FAST. Anyway, apologies, I see the problem and am working on
a patch.
While we're at it, you may be able to help me with the following question:
how should the client handle callback failure? The old code (pre my
refactoring which introduced the bug) did this
#ifndef OPENSSL_NO_TLSEXT
/* check if we want to resume the session based on external
pre-shared secret */
if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
{
SSL_CIPHER *pref_cipher=NULL;
s->session->master_key_length=sizeof(s->session->master_key);
if (s->tls_session_secret_cb(s, s->session->master_key,
&s->session->master_key_length,
NULL, &pref_cipher,
s->tls_session_secret_cb_arg))
{
s->session->cipher = pref_cipher ?
pref_cipher : ssl_get_cipher_by_char(s, p+j);
}
}
#endif /* OPENSSL_NO_TLSEXT */
This is surely wrong as it's just ignoring the failure?
Thanks,
Emilia
________________________________________
> From: openssl-dev [openssl-dev-bounces at openssl.org] on behalf of Dr.
> Stephen Henson [steve at openssl.org]
> Sent: Thursday, March 19, 2015 11:49 AM
> To: openssl-dev at openssl.org
> Subject: Re: [openssl-dev] s3_clnt.c changes regarding external pre-shared
> secret seem to break EAP-FAST
>
> On Thu, Mar 19, 2015, Erik Tkal wrote:
>
> >
> > If I do not send a sessionID in the clientHello but do send a valid
> > sessionTicket extension, the server goes straight to changeCipherSpec and
> > the client generates an UnexpectedMessage alert.
> >
>
> Does the server send back an empty session ticket extension?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150324/5a75056a/attachment-0001.html>
More information about the openssl-dev
mailing list