[openssl-dev] State machine rewrite

Matt Caswell matt at openssl.org
Mon Sep 14 12:27:02 UTC 2015
On 14/09/15 11:27, Karthikeyan Bhargavan wrote:
> [Could you forward to openssl-dev? I don’t seem to have permissions to post over there :(]

You need to be subscribed with the same email address that you are
posting from otherwise your posts will be rejected.

openssl-dev: email from Karthik below along with my response.

> 
> From a superficial look at the new state machine code, it seems to be missing a few boolean conditions.
> 
> E.g. in statem_clnt.c after receiving a server CERTIFICATE, the client uses the function key_exchange_skip_allowed 
> to check whether the next message must be a SERVER_KEY_EXCHANGE or not.
> In particular, if the kex is DHE or ECDHE, skipping SKE is allowed, otherwise not.
> 
> However, this means that 
> (a) If the kex is RSA or PSK, the peer is still allowed to send SKE
> (b) if the kex is RSA_EXPORT, the peer is allowed to skip SKE 
> 
> Do I have this right?
> 
> I will continue my code inspection before trying to set automated tests for this state machine
> 
> Best,
> Karthik
> 

Hmmm. There does seem to be a couple of problems here.

1) The logic around skipping SKE has changed very recently in master due
to the introduction of new PSK ciphersuites. I think there is a merge
error in reflecting these changes in the state-machine-rewrite branch.
In particular I think the condition in key_exchange_skip_allowed should
read:

    if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK)) {
        return 0;
    }

In other words there are more ephemeral ciphersuites that must not skip SKE.

2) In tls_process_key_exchange there is a check to ensure that if an SKE
has been sent for an RSA ciphersuite then it must be an export
ciphersuite. This is inherited from the existing master code. However
that check (whilst technically correct) is inconsistent with how the new
state machine code works. It should be moved into
key_exchange_skip_allowed. Similarly for checking non export RSA
ciphersuites.

I think it is correct that if PSK is selected that an SKE is allowed
since this can contain the identity hint.

I will add a new commit to address the above issues.

Matt
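The skip/require rules laid out in the reply above, as an added C example (not OpenSSL's code). The KEX_* bit values are constructed placeholders rather than OpenSSL's SSL_k* values, and treating export RSA as "SKE permitted" is an assumption drawn from the export check the reply says should move into key_exchange_skip_allowed.

```c
/* Constructed key-exchange bit flags for this example; OpenSSL's own
 * SSL_kRSA, SSL_kDHE, SSL_kPSK ... macros use different values. */
enum {
    KEX_RSA        = 1u << 0,   /* static RSA, non-export */
    KEX_RSA_EXPORT = 1u << 1,
    KEX_DHE        = 1u << 2,
    KEX_ECDHE      = 1u << 3,
    KEX_PSK        = 1u << 4,   /* plain PSK */
    KEX_DHEPSK     = 1u << 5,
    KEX_ECDHEPSK   = 1u << 6
};

/* The condition as it stood in the branch under review: only the two
 * classic ephemeral suites force a ServerKeyExchange (SKE). */
int skip_allowed_old(unsigned int alg_k)
{
    return !(alg_k & (KEX_DHE | KEX_ECDHE));
}

typedef enum { SKE_FORBIDDEN, SKE_OPTIONAL, SKE_REQUIRED } ske_policy;

/* Corrected policy: every ephemeral suite, including the new DHE/ECDHE
 * PSK ones, requires SKE; plain PSK may send one (identity hint);
 * non-export RSA must never see one; export RSA may (assumption: the
 * export check is folded in here as "permitted", per the reply). */
ske_policy ske_policy_for(unsigned int alg_k)
{
    if (alg_k & (KEX_DHE | KEX_ECDHE | KEX_DHEPSK | KEX_ECDHEPSK))
        return SKE_REQUIRED;
    if (alg_k & (KEX_PSK | KEX_RSA_EXPORT))
        return SKE_OPTIONAL;
    return SKE_FORBIDDEN;           /* static RSA and anything unknown */
}

/* State-machine transition after CERTIFICATE: is the observed next
 * message (SKE present or not) acceptable for this key exchange? 1/0. */
int next_message_ok(unsigned int alg_k, int got_ske)
{
    switch (ske_policy_for(alg_k)) {
    case SKE_REQUIRED:  return got_ske != 0;
    case SKE_FORBIDDEN: return got_ske == 0;
    default:            return 1;   /* SKE_OPTIONAL */
    }
}
```

With the old condition, a DHE-PSK peer that omits SKE is accepted; with the corrected policy the omission is rejected, and an SKE on a non-export RSA suite is rejected too.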
