[openssl-dev] State machine rewrite

Matt Caswell matt at openssl.org
Mon Sep 14 14:28:08 UTC 2015
On 14/09/15 13:27, Matt Caswell wrote:
> Hmmm. There do seem to be a couple of problems here.
> 
> 1) The logic around skipping SKE has changed very recently in master due
> to the introduction of new PSK ciphersuites. I think there is a merge
> error in reflecting these changes in the state-machine-rewrite branch.
> In particular I think the condition in key_exchange_skip_allowed should
> read:
> 
>     if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK)) {
>         return 0;
>     }
> 
> In other words there are more ephemeral ciphersuites that must not skip SKE.
> 
> 2) In tls_process_key_exchange there is a check to ensure that if an SKE
> has been sent for an RSA ciphersuite then it must be an export
> ciphersuite. This is inherited from the existing master code. However
> that check (whilst technically correct) is inconsistent with how the new
> state machine code works. It should be moved into
> key_exchange_skip_allowed. Similarly for checking non-export RSA
> ciphersuites.
> 
> I think it is correct that if PSK is selected an SKE is allowed,
> since this can contain the identity hint.
> 
> I will add a new commit to address the above issues.

Right - new commit added. So hopefully this covers the following logic:

An SKE is required if:
- The ciphersuite is DHE, ECDHE, DHEPSK, ECDHEPSK or SRP based
- We have an export ciphersuite (must be RSA) and the key length in the
server certificate is greater than the maximum allowed.

An SKE is optional if:
- The ciphersuite is any PSK ciphersuite where the SKE is not mandatory

An SKE must not be sent:
- In any other circumstance

Matt
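The three-way SKE rule from the message above, written out as an added C example (this is not OpenSSL's code): the K_* flag names mirror OpenSSL's SSL_k* macros but their bit values are constructed here, and max_export_bits is an assumed parameter rather than an OpenSSL constant.

```c
/* Stand-ins for OpenSSL's SSL_k* key-exchange flags; the bit values
 * are constructed for this example and are not OpenSSL's. */
#define K_RSA       0x0001
#define K_DHE       0x0002
#define K_ECDHE     0x0004
#define K_PSK       0x0008
#define K_DHEPSK    0x0010
#define K_ECDHEPSK  0x0020
#define K_RSAPSK    0x0040
#define K_SRP       0x0080

enum ske_req { SKE_FORBIDDEN = 0, SKE_OPTIONAL = 1, SKE_REQUIRED = 2 };

/* Classify whether a ServerKeyExchange (SKE) is required, optional or
 * forbidden for the negotiated ciphersuite. cert_bits is the server
 * certificate's key length; max_export_bits is the largest key an export
 * suite may use directly (assumed parameter, supplied by the caller). */
enum ske_req ske_requirement(unsigned long alg_k, int is_export,
                             int cert_bits, int max_export_bits)
{
    /* Ephemeral (incl. ephemeral-PSK) and SRP suites always need an SKE. */
    if (alg_k & (K_DHE | K_ECDHE | K_DHEPSK | K_ECDHEPSK | K_SRP))
        return SKE_REQUIRED;

    /* Export RSA needs an SKE (temporary RSA key) only when the
     * certificate key is longer than the export limit allows. */
    if (is_export && (alg_k & K_RSA) && cert_bits > max_export_bits)
        return SKE_REQUIRED;

    /* Non-ephemeral PSK suites may send an SKE just for the identity hint. */
    if (alg_k & (K_PSK | K_RSAPSK))
        return SKE_OPTIONAL;

    /* Any other case (e.g. plain RSA, or export RSA with a short enough
     * certificate key): an SKE must not be sent. */
    return SKE_FORBIDDEN;
}

/* Client-side check in the spirit of key_exchange_skip_allowed():
 * returns 0 when the peer must not skip the SKE, 1 when it may. */
int ske_skip_allowed(unsigned long alg_k, int is_export, int cert_bits,
                     int max_export_bits)
{
    return ske_requirement(alg_k, is_export, cert_bits, max_export_bits)
           != SKE_REQUIRED;
}

/* Validate what actually arrived: 1 if the presence/absence of an SKE is
 * consistent with the rule, 0 if the handshake should be rejected. */
int ske_message_ok(int ske_received, unsigned long alg_k, int is_export,
                   int cert_bits, int max_export_bits)
{
    enum ske_req r = ske_requirement(alg_k, is_export, cert_bits,
                                     max_export_bits);
    if (ske_received)
        return r != SKE_FORBIDDEN;
    return r != SKE_REQUIRED;
}
```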