Something does seem suspect here. Maybe I'm misusing the API, but when
using the attached patch for s_server, the client side does reject the
NewSessionTicket message from the server. This only happens when using
SSL_set_session_secret_cb() on the server side. When using this
callback facility, the server changes the order of the handshake messages.
The order without using SSL_set_session_secret_cb() is:
<-ServerHello
<-Certificate
<-ServerKeyExchange
<-ServerHelloDone
->ClientKeyExchange
->ChangeCipherSpec
<-NewSessionTicket
<-ChangeCipherSpec
The order when using SSL_set_session_secret_cb() is:
<-ServerHello
<-NewSessionTicket
<-ChangeCipherSpec
->Alert
The session ticket extension in the ClientHello is empty in both cases.
It appears the server thinks it's using a valid session ticket and
proceeds directly to the ChangeCipherSpec.
On 03/17/2015 04:16 PM, Erik Tkal wrote:
> I don’t disagree, but I’m looking for independent confirmation that
> the changes are not correct. They do not appear to specifically have
> been made for any vulnerabilities.
>
> In looking at RFC 5077 (the generic non-EAP-FAST scenario) section 3.1
> shows that the server may send a certificate message to continue the
> handshake after receiving a sessionTicket from the client. With the
> first change I noted below the possession of a tls_session_secret now
> implies by the setting of s->hit on the client that the session *will*
> be resumed, which is not the case. The resumption requires
> determination of the next message. In the case of a pure sessionID
> resumption that is the case since the server confirms it in the
> serverHello, but not when using the sessionTicket extension.
>
> Erik
>
>
>> On 17 Mar 2015, at 2:59 PM, Karthikeyan Bhargavan
>> <[email protected]
>> <mailto:[email protected]>> wrote:
>>
>> I would be very careful about this code. When we ran our tests on
>> OpenSSL (www.smacktls.com <http://www.smacktls.com/>), we found a
>> bunch of issues that were narrowly prevented by a combination of
>> flags (s->hit, SSL3_FLAGS_OK, s->s3->change_cipher_spec).
>>
>> Let’s carefully test any change here, so we do not
>> re-enable CVE-2014-0224 (Early CCS Attack)
>>
>>
>> On 17 Mar 2015, at 18:53, Erik Tkal <[email protected]
>> <mailto:[email protected]>> wrote:
>>
>>> In upgrading from 1.0.1i to 1.0.1l I found an issue in the behaviour
>>> of a non-resumed EAP-FAST session.
>>>
>>> RFC 4851 indicates that the server can go straight from the
>>> serverHello to changeCipherSpec to resume a session but can also
>>> fall back to a full handshake. With 1.0.1l the client ends up
>>> issuing an unexpected message alert if the server continues with its
>>> certificate message.
>>>
>>> I traced this to the following change:
>>>
>>> Set s->hit when resuming from external pre-shared secret.
>>>
>>>
>>>
>>> https://github.com/openssl/openssl/commit/7b3ba508af5c86afe43e28174aa3c53a0a24f4d9
>>>
>>> When processing the serverHello s->tls_session_secret_cb() is called
>>> to see if the client has a session secret, and if so the old code
>>> would set the flag that a CCS was acceptable at that point.
>>> However, the above change now also sets s->hit, which then
>>> “requires* that a finished message is expected next, triggering the
>>> alert otherwise.
>>>
>>> Also, another change is suspect in that the latest code no longer
>>> sets the flag that a CCS is acceptable at that point:
>>>
>>> Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS)
>>> is reset
>>>
>>>
>>>
>>> https://github.com/openssl/openssl/commit/e94a6c0ede623960728415b68650a595e48f5a43
>>>
>>> In order for EAP-FAST to work it seems that if the client does have
>>> a tls_session_secret that s->hit must NOT be set since there is no
>>> indication in the serverHello as to whether the session_ticket sent
>>> by the client is accepted by the server (the sessionTicket extension
>>> is not sent by the server in EAP-FAST), and that SSL3_FLAGS_CCS_OK
>>> has to be set since the server MAY continue immediately with a
>>> changeCipherSpec.
>>>
>>> Thanks,
>>> Erik
>>>
>>> ....................................
>>> Erik Tkal
>>> [email protected] <mailto:[email protected]>
>>>
>>> _______________________________________________
>>> openssl-dev mailing list
>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>>
>> _______________________________________________
>> openssl-dev mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
>
>
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
diff --git a/apps/s_server.c b/apps/s_server.c
index bcf5c33..c221e9f 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -206,6 +206,23 @@ typedef unsigned int u_int;
# include <fcntl.h>
#endif
+static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
+STACK_OF(SSL_CIPHER) *peer_ciphers,
+SSL_CIPHER **cipher, void *arg)
+{
+ unsigned char dum_secret[48] = {
+ 0xa0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0xf7,
+ 0xb0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0xe7,
+ 0xc0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0xd7,
+ 0xd0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0xc7,
+ 0xe0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0xb7,
+ 0xf0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0xa7
+ };
+ *secret_len = 48;
+ memcpy(secret, dum_secret,*secret_len);
+}
+
+
#ifndef OPENSSL_NO_RSA
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
#endif
@@ -1546,6 +1563,20 @@ int MAIN(int argc, char *argv[])
BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
}
SSL_CTX_set_quiet_shutdown(ctx, 1);
+
+ unsigned char md[EVP_MAX_MD_SIZE] = {
+ 0x0, 0xa1, 0x2, 0x3, 0x4, 0x5, 0xf6, 0x7,
+ 0x0, 0xb1, 0x2, 0x3, 0x4, 0x5, 0xe6, 0x7,
+ 0x0, 0xc1, 0x2, 0x3, 0x4, 0x5, 0xd6, 0x7,
+ 0x0, 0xd1, 0x2, 0x3, 0x4, 0x5, 0xc6, 0x7,
+ 0x0, 0xe1, 0x2, 0x3, 0x4, 0x5, 0xb6, 0x7,
+ 0x0, 0xf1, 0x2, 0x3, 0x4, 0x5, 0xa6, 0x7
+ };
+ if (!SSL_CTX_set_tlsext_ticket_keys(ctx, md, 48)) {
+ BIO_printf(bio_err, "unable to set session ticket key\n");
+ exit(-1);
+ }
+
if (bugs)
SSL_CTX_set_options(ctx, SSL_OP_ALL);
if (hack)
@@ -1958,6 +1989,12 @@ static int sv_body(char *hostname, int s, unsigned char *context)
if (con == NULL) {
con = SSL_new(ctx);
+#if 1
+ if (SSL_set_session_secret_cb(con, tls_sess_sec_cb, NULL) != 1) {
+ BIO_printf(bio_err, "unable to set session secret cb\n");
+ exit(-1);
+ }
+#endif
#ifndef OPENSSL_NO_TLSEXT
if (s_tlsextdebug) {
SSL_set_tlsext_debug_callback(con, tlsext_cb);
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
