Re: [openssl.org #1574] Session Ticket in OpenSSL 0.9.9 and EAP-FAST

2008-11-12 Thread Jouni Malinen
On Tue, Nov 11, 2008 at 12:09:55PM +0100, Stephen Henson via RT wrote:

 OK, we'd need the generic extension part of the patch modified to only
 override the session ticket extension. 

I replaced SSL_set_hello_extension() function with
SSL_set_session_ticket_ext() and renamed the related structures to use
less generic names. Please note that I left SSL_set_hello_extension()
in this version as a simple wrapper to make it easier to test this
with the current wpa_supplicant/hostapd implementation, but that can
obviously be removed when the patch goes in and I'll change
wpa_supplicant/hostapd to use OpenSSL version to select which calls to
use.

 A companion callback to supply the details of the ticket extension would
 be appropriate instead of using the debugging interface.

Are you referring to the use of SSL_set_tlsext_debug_callback() in the
EAP-FAST server implementation? This was originally done with a new
SSL_set_hello_extension_cb(), but I removed the extra code when session
ticket code was added to OpenSSL. Would you like to get the
SSL_set_hello_extension_cb() and related call from
ssl3_get_client_hello() to be included in the patch?

 The indentation in that patch is also inconsistent with the rest of OpenSSL.

The attached version should clean up the indentation to match the rest of
the code.

-- 
Jouni Malinen — PGP id EFC895FA
This patch adds support for TLS SessionTicket extension (RFC 5077) for
the parts used by EAP-FAST (RFC 4851).

This is based on the patch from Alexey Kobozev [EMAIL PROTECTED]
(sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300).



Index: openssl-SNAP-2008/ssl/s3_clnt.c
===
--- openssl-SNAP-2008.orig/ssl/s3_clnt.c
+++ openssl-SNAP-2008/ssl/s3_clnt.c
@@ -788,6 +788,23 @@ int ssl3_get_server_hello(SSL *s)
goto f_err;
}
 
+#ifndef OPENSSL_NO_TLSEXT
+   /* check if we want to resume the session based on external pre-shared 
secret */
+   if (s-version = TLS1_VERSION  s-tls_session_secret_cb)
+   {
+   SSL_CIPHER *pref_cipher=NULL;
+   s-session-master_key_length=sizeof(s-session-master_key);
+   if (s-tls_session_secret_cb(s, s-session-master_key,
+s-session-master_key_length,
+NULL, pref_cipher,
+s-tls_session_secret_cb_arg))
+   {
+   s-session-cipher = pref_cipher ?
+   pref_cipher : ssl_get_cipher_by_char(s, p+j);
+   }
+   }
+#endif /* OPENSSL_NO_TLSEXT */
+
if (j != 0  j == s-session-session_id_length
 memcmp(p,s-session-session_id,j) == 0)
{
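Review bot: On the `s->session->cipher = pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s, p+j);` line the cipher looked up from the server-supplied suite id is stored without a NULL check, and the length the callback may write back through `&s->session->master_key_length` is never bounded against `sizeof(s->session->master_key)` before it is used as the resumed master secret. Since both values come from outside the library (the peer's ServerHello and an application callback), I would add after a non-zero return: `if (s->session->master_key_length > sizeof(s->session->master_key)) { al=SSL_AD_INTERNAL_ERROR; goto f_err; }`, and either reject a NULL cipher here or confirm that the existing unknown-cipher path below is reached on every branch (not visible in this hunk). Also, `master_key_length` is overwritten with the buffer size before the callback runs, so a callback that returns 0 leaves a length that describes no key; set it only on success or restore it on decline. ssl3_get_server_hello begins and ends outside this hunk, and the same hunk is repeated verbatim in the two later copies of this patch further down the page.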
@@ -2927,11 +2944,8 @@ static int ssl3_check_finished(SSL *s)
{
int ok;
long n;
-   /* If we have no ticket or session ID is non-zero length (a match of
-* a non-zero session length would never reach here) it cannot be a
-* resumed session.
-*/
-   if (!s-session-tlsext_tick || s-session-session_id_length)
+   /* If we have no ticket it cannot be a resumed session. */
+   if (!s-session-tlsext_tick)
return 1;
/* this function is called when we really expect a Certificate
 * message, so permit appropriate message length */
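Review bot: The replacement comment `/* If we have no ticket it cannot be a resumed session. */` drops the reason the `session_id_length` test was removed, so a reader no longer learns why a ticket-holding session with a non-empty session ID must now fall through to the peek for a Finished message instead of returning 1 early. Presumably this is because the tls_session_secret_cb path in ssl3_get_server_hello can resume a session that carries both a ticket and a session ID; if so, state it, e.g. `/* If we have no ticket it cannot be a resumed session. A non-zero session ID is no longer a shortcut: a resumption driven by tls_session_secret_cb may carry both a ticket and a session ID. */`, and confirm that is the intended reason. ssl3_check_finished continues past the end of the hunk; the identical hunk appears in the two later copies of this patch on this page.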
Index: openssl-SNAP-2008/ssl/s3_srvr.c
===
--- openssl-SNAP-2008.orig/ssl/s3_srvr.c
+++ openssl-SNAP-2008/ssl/s3_srvr.c
@@ -1010,6 +1010,59 @@ int ssl3_get_client_hello(SSL *s)

SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
goto err;
}
+
+   /* Check if we want to use external pre-shared secret for this
+* handshake for not reused session only. We need to generate
+* server_random before calling tls_session_secret_cb in order to allow
+* SessionTicket processing to use it in key derivation. */
+   {
+   unsigned long Time;
+   unsigned char *pos;
+   Time=(unsigned long)time(NULL); /* Time */
+   pos=s-s3-server_random;
+   l2n(Time,pos);
+   if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) = 0)
+   {
+   al=SSL_AD_INTERNAL_ERROR;
+   goto f_err;
+   }
+   }
+
+   if (!s-hit  s-version = TLS1_VERSION  s-tls_session_secret_cb)
+   {
+   SSL_CIPHER *pref_cipher=NULL;
+
+   s-session-master_key_length=sizeof(s-session-master_key);
+   if(s-tls_session_secret_cb(s, s-session-master_key, 
s-session-master_key_length,
+   

Re: [openssl.org #1574] Session Ticket in OpenSSL 0.9.9 and EAP-FAST

2008-11-12 Thread Jouni Malinen via RT
On Tue, Nov 11, 2008 at 12:09:55PM +0100, Stephen Henson via RT wrote:

 OK, we'd need the generic extension part of the patch modified to only
 override the session ticket extension. 

I replaced SSL_set_hello_extension() function with
SSL_set_session_ticket_ext() and renamed the related structures to use
less generic names. Please note that I left SSL_set_hello_extension()
in this version as a simple wrapper to make it easier to test this
with the current wpa_supplicant/hostapd implementation, but that can
obviously be removed when the patch goes in and I'll change
wpa_supplicant/hostapd to use OpenSSL version to select which calls to
use.

 A companion callback to supply the details of the ticket extension would
 be appropriate instead of using the debugging interface.

Are you referring to the use of SSL_set_tlsext_debug_callback() in the
EAP-FAST server implementation? This was originally done with a new
SSL_set_hello_extension_cb(), but I removed the extra code when session
ticket code was added to OpenSSL. Would you like to get the
SSL_set_hello_extension_cb() and related call from
ssl3_get_client_hello() to be included in the patch?

 The indentation in that patch is also inconsistent with the rest of OpenSSL.

The attached version should clean up the indentation to match the rest of
the code.

-- 
Jouni Malinen — PGP id EFC895FA

This patch adds support for TLS SessionTicket extension (RFC 5077) for
the parts used by EAP-FAST (RFC 4851).

This is based on the patch from Alexey Kobozev [EMAIL PROTECTED]
(sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300).



Index: openssl-SNAP-2008/ssl/s3_clnt.c
===
--- openssl-SNAP-2008.orig/ssl/s3_clnt.c
+++ openssl-SNAP-2008/ssl/s3_clnt.c
@@ -788,6 +788,23 @@ int ssl3_get_server_hello(SSL *s)
goto f_err;
}
 
+#ifndef OPENSSL_NO_TLSEXT
+   /* check if we want to resume the session based on external pre-shared 
secret */
+   if (s-version = TLS1_VERSION  s-tls_session_secret_cb)
+   {
+   SSL_CIPHER *pref_cipher=NULL;
+   s-session-master_key_length=sizeof(s-session-master_key);
+   if (s-tls_session_secret_cb(s, s-session-master_key,
+s-session-master_key_length,
+NULL, pref_cipher,
+s-tls_session_secret_cb_arg))
+   {
+   s-session-cipher = pref_cipher ?
+   pref_cipher : ssl_get_cipher_by_char(s, p+j);
+   }
+   }
+#endif /* OPENSSL_NO_TLSEXT */
+
if (j != 0  j == s-session-session_id_length
 memcmp(p,s-session-session_id,j) == 0)
{
@@ -2927,11 +2944,8 @@ static int ssl3_check_finished(SSL *s)
{
int ok;
long n;
-   /* If we have no ticket or session ID is non-zero length (a match of
-* a non-zero session length would never reach here) it cannot be a
-* resumed session.
-*/
-   if (!s-session-tlsext_tick || s-session-session_id_length)
+   /* If we have no ticket it cannot be a resumed session. */
+   if (!s-session-tlsext_tick)
return 1;
/* this function is called when we really expect a Certificate
 * message, so permit appropriate message length */
Index: openssl-SNAP-2008/ssl/s3_srvr.c
===
--- openssl-SNAP-2008.orig/ssl/s3_srvr.c
+++ openssl-SNAP-2008/ssl/s3_srvr.c
@@ -1010,6 +1010,59 @@ int ssl3_get_client_hello(SSL *s)

SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
goto err;
}
+
+   /* Check if we want to use external pre-shared secret for this
+* handshake for not reused session only. We need to generate
+* server_random before calling tls_session_secret_cb in order to allow
+* SessionTicket processing to use it in key derivation. */
+   {
+   unsigned long Time;
+   unsigned char *pos;
+   Time=(unsigned long)time(NULL); /* Time */
+   pos=s-s3-server_random;
+   l2n(Time,pos);
+   if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) = 0)
+   {
+   al=SSL_AD_INTERNAL_ERROR;
+   goto f_err;
+   }
+   }
+
+   if (!s-hit  s-version = TLS1_VERSION  s-tls_session_secret_cb)
+   {
+   SSL_CIPHER *pref_cipher=NULL;
+
+   s-session-master_key_length=sizeof(s-session-master_key);
+   if(s-tls_session_secret_cb(s, s-session-master_key, 
s-session-master_key_length,
+   

[openssl.org #1784] PATCH: trivial error in RFC 3779 i2r code

2008-11-12 Thread Rob Austein via RT
i2r_address() doesn't handle the all-zeros IPv6 address correctly
(prints ":" when it should print "::").

Trivial fix, to be applied to both 0.9.8 branch and HEAD, please.

--- crypto/x509v3/v3_addr.c.~1~ 2008-10-14 16:00:15.0 -0400
+++ crypto/x509v3/v3_addr.c 2008-11-11 18:26:02.0 -0500
@@ -183,20 +183,22 @@
 BIO_printf(out, %d.%d.%d.%d, addr[0], addr[1], addr[2], addr[3]);
 break;
   case IANA_AFI_IPV6:
 addr_expand(addr, bs, 16, fill);
 for (n = 16; n  1  addr[n-1] == 0x00  addr[n-2] == 0x00; n -= 2)
   ;
 for (i = 0; i  n; i += 2)
   BIO_printf(out, %x%s, (addr[i]  8) | addr[i+1], (i  14 ? : : ));
 if (i  16)
   BIO_puts(out, :);
+if (i == 0)
+  BIO_puts(out, :);
 break;
   default:
 for (i = 0; i  bs-length; i++)
   BIO_printf(out, %s%02x, (i  0 ? : : ), bs-data[i]);
 BIO_printf(out, [%d], (int) (bs-flags  7));
 break;
   }
   return 1;
 }
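Review bot: The added `if (i == 0) BIO_puts(out, ":");` directly after `if (i < 16) BIO_puts(out, ":");` encodes a single rule — a trailing zero run ends the text with `::`, and for the all-zeros address nothing was printed before it, so both colons are still needed — and reads more clearly as one statement: `if (i < 16) BIO_puts(out, i == 0 ? "::" : ":");` with a comment such as `/* all-zeros address: nothing printed yet, emit the full "::" */`. Note that this loop only collapses a trailing zero run; leading and interior zero groups are still printed in full, which is valid but not the RFC 5952 canonical form, so a one-line comment saying this is a printer and not a normaliser would stop someone reusing it as one. i2r_address starts before this hunk.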



[openssl.org #1574] Session Ticket in OpenSSL 0.9.9 and EAP-FAST

2008-11-12 Thread Stephen Henson via RT
 [EMAIL PROTECTED] - Wed Nov 12 14:46:47 2008]:
 
 On Tue, Nov 11, 2008 at 12:09:55PM +0100, Stephen Henson via RT wrote:
 
  OK, we'd need the generic extension part of the patch modified to
 only
  override the session ticket extension.
 
 I replaced SSL_set_hello_extension() function with
 SSL_set_session_ticket_ext() and renamed the related structures to use
 less generic names. Please note that I left SSL_set_hello_extension()
 in this version as a simple wrapper to make it easier to test this
 with the current wpa_supplicant/hostapd implementation, but that can
 obviously be removed when the patch goes in and I'll change
 wpa_supplicant/hostapd to use OpenSSL version to select which calls to
 use.
 

OK, thanks. 

  A companion callback to supply the details of the ticket extension
 would
  be appropriate instead of using the debugging interface.
 
 Are you referring to the use of SSL_set_tlsext_debug_callback() in the
 EAP-FAST server implementation? This was originally done with a new
 SSL_set_hello_extension_cb(), but I removed the extra code when
 session
 ticket code was added to OpenSSL. Would you like to get the
 SSL_set_hello_extension_cb() and related call from
 ssl3_get_client_hello() to be included in the patch?
 

Well I'm assuming that there needs to be a way to obtain the ticket
value the peer has sent. Although it is possible to use the debugging
interface for that it then prevents it being used for anything else. 

Something like an SSL_set_session_ticket_cb() function which would call
the supplied callback with the received ticket extension value. 

Functionally doing the same as the debug callback but for the ticket
extension only.

  The indentation in that patch is also inconsistent with the rest of
 OpenSSL.
 
 The attached version should clean up the indentation to match the rest of
 the code.
 
 

Thank you.



Re: [openssl.org #1780] OSCP_REQUEST name collision between ossl_typ.h and Wincrypt.h using Windows Platform SDK 6.0a in openssl-0.9.8h and openssl-0.9.8i

2008-11-12 Thread Roumen Petrov

Duplicate, see lists for solutions.

Roumen


[openssl.org #1785] 0.9.9 HEAD: possible coredump in DSA; fix included

2008-11-12 Thread Ger Hobbelt via RT
When the malloc() fails, the original code would still try to access
the (invalid) pointer.

--- \\Debbie\ger\prj\1original\openssl\openssl\crypto\dsa\dsa_asn1.c
2008-11-12
20:36:01.0 +-0100
+++ \\Debbie\ger\prj\3actual\openssl\crypto\dsa\dsa_asn1.c  2008-11-12
21:29:50.0 +-0100
@@ -66,16 +66,19 @@
 static int sig_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
void *exarg)
 {
if(operation == ASN1_OP_NEW_PRE) {
DSA_SIG *sig;
sig = OPENSSL_malloc(sizeof(DSA_SIG));
+   if (!sig) /* [i_a] */
+   {
+   DSAerr(DSA_F_SIG_CB, ERR_R_MALLOC_FAILURE);
+   return 0;
+   }
sig-r = NULL;
sig-s = NULL;
*pval = (ASN1_VALUE *)sig;
-   if(sig) return 2;
-   DSAerr(DSA_F_SIG_CB, ERR_R_MALLOC_FAILURE);
-   return 0;
+   return 2;
}
return 1;
 }
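Review bot: The new failure check puts its opening brace on its own line (`if (!sig) /* [i_a] */` then `{`) while the enclosing `if(operation == ASN1_OP_NEW_PRE) {` uses K&R braces, and `[i_a]` is a personal author tag that does not belong in the source; write `if (!sig) {` with the `DSAerr` and `return 0;` inside and drop the tag. The fix itself is correct: the old code wrote `sig->r`, `sig->s` and `*pval` through the pointer before testing it, so a failed OPENSSL_malloc dereferenced NULL. With the new order `*pval` is left untouched on failure, which the ASN1 caller presumably depends on — a one-line comment stating that would make the ordering deliberate rather than accidental.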



-- 
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--
web:http://www.hobbelt.com/
http://www.hebbut.net/
mail:   [EMAIL PROTECTED]
mobile: +31-6-11 120 978
--



Re: Expected cert-path validation behavior

2008-11-12 Thread Vineet Kumar
Hi Patrick and Steve,
  Just to confirm one last thing about the NIST/RFC3280 discussion
below again: if there is no CRL present at all for a given CA and we
are doing strict revocation information checking, then we fail the
associated request?
Or in other words, is absence of a CRL for a given CA not good enough
to allow the request using that CA to pass through?

If the answer to this is yes then I do not see any test-case in NIST
test-suite that covers this simple test-case: use a CA with no CRL and
expect path validation for that CA to fail.
And if that is indeed the case (absence of this test-case), then
doesn't this mean then that all NIST tests pass regardless of whether
we successfully validate CA paths with no associated CRLs?

Vineet

On Wed, Oct 15, 2008 at 1:51 PM, Patrick Patterson
[EMAIL PROTECTED] wrote:
 Vineet Kumar wrote:
 Yes, but it looks like if openssl has to conform to JITC tests then in
 order to accept an EE, a CRL **signed by EE's CA** better be present.
 It doesn't matter if a CRL is present but signed by some other CA in
 the cert-chain, no? This strictness of who the CRL's signer should be
 can make sense in real world but it doesn't look like openssl has any
 flag to conform to such rules. Pl. correct me if I am wrong.

 The case where the CRL is signed by someone other than the certificate's
 signer is the reason that the CRL Issuer field of the CRL Distribution
 point is available.

 From RFC3280:

 If the certificate issuer is not the CRL issuer, then the cRLIssuer
 field MUST be present and contain the Name of the CRL issuer.


 This makes it VERY unambiguous - the CRL for a given certificate must be
 signed by its immediate issuer.

 Consequently, that is why the NIST test that you mentioned before fails.
 It is not good enough to have some CRL signed by some other CA in the
 Cert Chain. Absent the CRLIssuer field, the CRL *MUST* be signed by the
 same CA as that which signed the End Certificate.

 Have fun.

 Patrick.


 Vineet

 On Wed, Oct 15, 2008 at 1:26 PM, Dr. Stephen Henson [EMAIL PROTECTED] 
 wrote:
 On Wed, Oct 15, 2008, Vineet Kumar wrote:

 It doesn't look like cert_crl() in openssl code follows what you refer
 to as strict revocation check. Neither does the RFC. Is there a
 doc/RFC that outlines strict revocation criteria? Am I right in saying
 that openssl does not do that?

 OpenSSL has several options relating to CRL checking. It can perform no
 checking, checking of just the EE cert and the whole chain.

 The RFC3280 behaviour in the absence of a CRL is determined by the last
 paragraph of 6.3.3 where the status is UNDETERMINED.

 It has to be this way or an attacker could block the downloading of a CRL 
 and
 allow a revoked certificate to be used.

 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Homepage: http://www.drh-consultancy.demon.co.uk



Re: [openssl.org #1574] Session Ticket in OpenSSL 0.9.9 and EAP-FAST

2008-11-12 Thread Jouni Malinen
On Wed, Nov 12, 2008 at 07:07:56PM +0100, Stephen Henson via RT wrote:

 Well I'm assuming that there needs to be a way to obtain the ticket
 value the peer has sent. Although it is possible to use the debugging
 interface for that it then prevents it being used for anything else. 
 
 Something like an SSL_set_session_ticket_cb() function which would call
 the supplied callback with the received ticket extension value. 

The attached version adds SSL_set_session_ticket_ext_cb() to register a
callback that will be called whenever a Session Ticket extension is
received in ServerHello or ClientHello. EAP-FAST will only use this from
the ClientHello, but I added the same code for ServerHello should anyone
else have need for that in a client.

I also removed the extra SSL_set_hello_extension() wrapper to clean up
the patch. I have run a quick test with this version and
hostapd/wpa_supplicant, but I haven't committed the matching changes yet
into my repository since I did not want to change the API use there
before the modified version gets into the OpenSSL repository.

-- 
Jouni Malinen — PGP id EFC895FA
This patch adds support for TLS SessionTicket extension (RFC 5077) for
the parts used by EAP-FAST (RFC 4851).

This is based on the patch from Alexey Kobozev [EMAIL PROTECTED]
(sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300).



Index: openssl-SNAP-2008/ssl/s3_clnt.c
===
--- openssl-SNAP-2008.orig/ssl/s3_clnt.c
+++ openssl-SNAP-2008/ssl/s3_clnt.c
@@ -788,6 +788,23 @@ int ssl3_get_server_hello(SSL *s)
goto f_err;
}
 
+#ifndef OPENSSL_NO_TLSEXT
+   /* check if we want to resume the session based on external pre-shared 
secret */
+   if (s-version = TLS1_VERSION  s-tls_session_secret_cb)
+   {
+   SSL_CIPHER *pref_cipher=NULL;
+   s-session-master_key_length=sizeof(s-session-master_key);
+   if (s-tls_session_secret_cb(s, s-session-master_key,
+s-session-master_key_length,
+NULL, pref_cipher,
+s-tls_session_secret_cb_arg))
+   {
+   s-session-cipher = pref_cipher ?
+   pref_cipher : ssl_get_cipher_by_char(s, p+j);
+   }
+   }
+#endif /* OPENSSL_NO_TLSEXT */
+
if (j != 0  j == s-session-session_id_length
 memcmp(p,s-session-session_id,j) == 0)
{
@@ -2927,11 +2944,8 @@ static int ssl3_check_finished(SSL *s)
{
int ok;
long n;
-   /* If we have no ticket or session ID is non-zero length (a match of
-* a non-zero session length would never reach here) it cannot be a
-* resumed session.
-*/
-   if (!s-session-tlsext_tick || s-session-session_id_length)
+   /* If we have no ticket it cannot be a resumed session. */
+   if (!s-session-tlsext_tick)
return 1;
/* this function is called when we really expect a Certificate
 * message, so permit appropriate message length */
Index: openssl-SNAP-2008/ssl/s3_srvr.c
===
--- openssl-SNAP-2008.orig/ssl/s3_srvr.c
+++ openssl-SNAP-2008/ssl/s3_srvr.c
@@ -1010,6 +1010,59 @@ int ssl3_get_client_hello(SSL *s)

SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
goto err;
}
+
+   /* Check if we want to use external pre-shared secret for this
+* handshake for not reused session only. We need to generate
+* server_random before calling tls_session_secret_cb in order to allow
+* SessionTicket processing to use it in key derivation. */
+   {
+   unsigned long Time;
+   unsigned char *pos;
+   Time=(unsigned long)time(NULL); /* Time */
+   pos=s-s3-server_random;
+   l2n(Time,pos);
+   if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) = 0)
+   {
+   al=SSL_AD_INTERNAL_ERROR;
+   goto f_err;
+   }
+   }
+
+   if (!s-hit  s-version = TLS1_VERSION  s-tls_session_secret_cb)
+   {
+   SSL_CIPHER *pref_cipher=NULL;
+
+   s-session-master_key_length=sizeof(s-session-master_key);
+   if(s-tls_session_secret_cb(s, s-session-master_key, 
s-session-master_key_length,
+   ciphers, pref_cipher, s-tls_session_secret_cb_arg))
+   {
+   s-hit=1;
+   s-session-ciphers=ciphers;
+   s-session-verify_result=X509_V_OK;
+
+   

Re: [openssl.org #1574] Session Ticket in OpenSSL 0.9.9 and EAP-FAST

2008-11-12 Thread Jouni Malinen via RT
On Wed, Nov 12, 2008 at 07:07:56PM +0100, Stephen Henson via RT wrote:

 Well I'm assuming that there needs to be a way to obtain the ticket
 value the peer has sent. Although it is possible to use the debugging
 interface for that it then prevents it being used for anything else. 
 
 Something like an SSL_set_session_ticket_cb() function which would call
 the supplied callback with the received ticket extension value. 

The attached version adds SSL_set_session_ticket_ext_cb() to register a
callback that will be called whenever a Session Ticket extension is
received in ServerHello or ClientHello. EAP-FAST will only use this from
the ClientHello, but I added the same code for ServerHello should anyone
else have need for that in a client.

I also removed the extra SSL_set_hello_extension() wrapper to clean up
the patch. I have run a quick test with this version and
hostapd/wpa_supplicant, but I haven't committed the matching changes yet
into my repository since I did not want to change the API use there
before the modified version gets into the OpenSSL repository.

-- 
Jouni Malinen — PGP id EFC895FA

This patch adds support for TLS SessionTicket extension (RFC 5077) for
the parts used by EAP-FAST (RFC 4851).

This is based on the patch from Alexey Kobozev [EMAIL PROTECTED]
(sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300).



Index: openssl-SNAP-2008/ssl/s3_clnt.c
===
--- openssl-SNAP-2008.orig/ssl/s3_clnt.c
+++ openssl-SNAP-2008/ssl/s3_clnt.c
@@ -788,6 +788,23 @@ int ssl3_get_server_hello(SSL *s)
goto f_err;
}
 
+#ifndef OPENSSL_NO_TLSEXT
+   /* check if we want to resume the session based on external pre-shared 
secret */
+   if (s-version = TLS1_VERSION  s-tls_session_secret_cb)
+   {
+   SSL_CIPHER *pref_cipher=NULL;
+   s-session-master_key_length=sizeof(s-session-master_key);
+   if (s-tls_session_secret_cb(s, s-session-master_key,
+s-session-master_key_length,
+NULL, pref_cipher,
+s-tls_session_secret_cb_arg))
+   {
+   s-session-cipher = pref_cipher ?
+   pref_cipher : ssl_get_cipher_by_char(s, p+j);
+   }
+   }
+#endif /* OPENSSL_NO_TLSEXT */
+
if (j != 0  j == s-session-session_id_length
 memcmp(p,s-session-session_id,j) == 0)
{
@@ -2927,11 +2944,8 @@ static int ssl3_check_finished(SSL *s)
{
int ok;
long n;
-   /* If we have no ticket or session ID is non-zero length (a match of
-* a non-zero session length would never reach here) it cannot be a
-* resumed session.
-*/
-   if (!s-session-tlsext_tick || s-session-session_id_length)
+   /* If we have no ticket it cannot be a resumed session. */
+   if (!s-session-tlsext_tick)
return 1;
/* this function is called when we really expect a Certificate
 * message, so permit appropriate message length */
Index: openssl-SNAP-2008/ssl/s3_srvr.c
===
--- openssl-SNAP-2008.orig/ssl/s3_srvr.c
+++ openssl-SNAP-2008/ssl/s3_srvr.c
@@ -1010,6 +1010,59 @@ int ssl3_get_client_hello(SSL *s)

SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
goto err;
}
+
+   /* Check if we want to use external pre-shared secret for this
+* handshake for not reused session only. We need to generate
+* server_random before calling tls_session_secret_cb in order to allow
+* SessionTicket processing to use it in key derivation. */
+   {
+   unsigned long Time;
+   unsigned char *pos;
+   Time=(unsigned long)time(NULL); /* Time */
+   pos=s-s3-server_random;
+   l2n(Time,pos);
+   if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) = 0)
+   {
+   al=SSL_AD_INTERNAL_ERROR;
+   goto f_err;
+   }
+   }
+
+   if (!s-hit  s-version = TLS1_VERSION  s-tls_session_secret_cb)
+   {
+   SSL_CIPHER *pref_cipher=NULL;
+
+   s-session-master_key_length=sizeof(s-session-master_key);
+   if(s-tls_session_secret_cb(s, s-session-master_key, 
s-session-master_key_length,
+   ciphers, pref_cipher, s-tls_session_secret_cb_arg))
+   {
+   s-hit=1;
+   s-session-ciphers=ciphers;
+   s-session-verify_result=X509_V_OK;
+
+