Re: [openssl-dev] 1.1 release being delayed
On Mon, May 23, 2016 at 01:15:45PM +, Salz, Rich wrote:
> ... in case you haven't noticed :) Our announced release date for 1.1 has
> come and gone.
>
> We want to close many more bugs before we release it. In the meantime,
> please test against master or a daily snapshot or the last beta release.

It has now been a month since this announcement and there do not seem to be any updates to the release strategy (*), which is still claiming the "current plan" to be to release 1.1.0 on 12th May 2016.. While it is obviously fine to push out the release to get more fixes in, it would be nice to get some more details on the updated release plan and especially on whether there is going to be another beta release ("beta 3?") before the public release.

I'd like to make sure I run my tests against a snapshot that is close to the release to check for any late regressions. However, I don't want to be doing this on a daily basis until some unknown point in time. Would it be possible to either make the beta 3 release before the actual 1.1.0 public release or, alternatively, provide some kind of early warning a couple of weeks before the public release so that it would be easier to check for last minute regressions?

And as far as regressions after the beta 2 release are concerned, it looks like there was a change in the API that is not backwards compatible. I was hoping this would not happen after the "Beta 2 - Opaque work complete". Did I misunderstand what that note means? The non-compatible change (this actually broke the wpa_supplicant build..) is this one:

commit fd809cfdbd6e32b6b67b68c59f6d55fbed7a9327
Constify the parameter getters for RSA, DSA and DH

-void DH_get0_key(const DH *dh, BIGNUM **pub_key, BIGNUM **priv_key)
+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)

Is there a clear point in time after which the OpenSSL 1.1.0 API is expected to be fully frozen for the release (well, other than the final public release showing up)?
(*) https://www.openssl.org/policies/releasestrat.html

-- 
Jouni Malinen        PGP id EFC895FA
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] OpenSSL 1.1.0-pre4 change in SSL_get_version() return value
Was the SSL_get_version() behavior changed on purpose in the Beta 1 release? This function used to return "TLSv1" when TLS v1.0 was used, while it is now in Beta 1 returning "TLSv1.0" for that case. This type of unexpected change in the API can break existing users of the function. As an example, wpa_supplicant exposes this string to external components to allow them to do things based on which TLS version is used. It is unknown to me whether there are any such components that could fail due to this change, but at least this broke one of the regression test cases due to the unexpected value.

The commit 7d65007238e86e59fcf31d23fcefa01e3b30cc37 ('Make function to convert version to string') seems to claim to be more or less cleanup to use a shared function for doing the conversion. However, it changes the return value for TLS1_VERSION for both SSL_get_version() and SSL_SESSION_print(). In addition to that, it seems to be changing the DTLS1_BAD_VER value for SSL_SESSION_print().

It should also be noted that the new implementation does not match the man page for SSL_get_version():
https://www.openssl.org/docs/manmaster/ssl/SSL_get_version.html

-- 
Jouni Malinen        PGP id EFC895FA
[openssl-dev] OpenSSL 1.1.0 and OCSP stapling with status_request_v2 (RFC 6961)
It looks like there are some upcoming use cases that would need to be able to use OCSP stapling to verify both the server certificate and the intermediate CA certificate that issued that server certificate. This would require support for RFC 6961 extensions to OCSP stapling. Since the actual OCSP stapling processing is currently done outside the OpenSSL library, the changes to allow this to be used on the TLS client side would be pretty minimal for the library.

The current API does not allow this to be done since the SSL_set_tlsext_status_type() function allows only one value (TLSEXT_STATUSTYPE_ocsp = 1) to be used. It would be nice if OpenSSL 1.1.0 would make it possible to use the ocsp_multi(2) value in the status_request_v2(17) ClientHello extension. Other than the different extension type and status type values (and listing both ocsp and ocsp_multi types), the contents of that extension are identical to the existing status_request case. Since the OCSP stapling response is processed outside the library handshake processing, minimal support for this within OpenSSL would not need any changes there other than accepting ocsp_multi(2) in addition to the current TLSEXT_STATUSTYPE_ocsp(1). More could obviously be added later to help parsing in applications, but that is not critical for OpenSSL 1.1.0 to enable this functionality.

Would there be interest in getting at least the minimal changes in place before the beta release so that OpenSSL 1.1.0 could be used to implement ocsp_multi support for a TLS client?
As far as the TLS messages are concerned, these are the changes needed for the use cases I'm thinking of:

Building ClientHello:
  Add status_request_v2 extension with minimal contents:
    00 11 00 07 00 05 02 00 00 00 00
  This is very similar to the status_request extension that can currently be added:
    00 05 00 05 01 00 00 00 00

Parsing ServerHello:
  Accept status_request_v2 extension

Parsing CertificateStatus:
  Accept certificate status type ocsp_multi(2)

-- 
Jouni Malinen        PGP id EFC895FA
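The two ClientHello extensions discussed in this thread are small enough to encode and parse by hand, which is also where a client needs care: every length field has to be checked before the server's answer is trusted. The following Python is an added example written for this page, not code from the post, from wpa_supplicant or from OpenSSL. It builds the RFC 6066 status_request extension and the RFC 6961 status_request_v2 extension from their structure definitions and parses them back with full length validation. Note that RFC 6961 puts a two-byte request_length in front of each item's OCSPStatusRequest, so the minimal v2 payload produced here is two bytes longer than the sketch above (13 bytes in total); the status_request bytes come out exactly as listed above.

```python
import struct

# Extension type numbers and status types as defined in RFC 6066 and RFC 6961.
STATUS_REQUEST = 5       # status_request (RFC 6066)
STATUS_REQUEST_V2 = 17   # status_request_v2 (RFC 6961)
OCSP = 1                 # CertificateStatusType ocsp
OCSP_MULTI = 2           # CertificateStatusType ocsp_multi


def _vec16(payload: bytes) -> bytes:
    """Encode an opaque<0..2^16-1> vector: 2-byte big-endian length, then payload."""
    return struct.pack("!H", len(payload)) + payload


def _read_vec16(buf: bytes, pos: int):
    """Decode a 2-byte-length-prefixed vector at buf[pos:]; return (payload, new_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated vector length")
    (n,) = struct.unpack("!H", buf[pos:pos + 2])
    end = pos + 2 + n
    if end > len(buf):
        raise ValueError("vector runs past end of buffer")
    return buf[pos + 2:end], end


def ocsp_status_request(responder_ids=(), request_extensions=b"") -> bytes:
    """OCSPStatusRequest (RFC 6066 Section 8): responder_id_list, then request_extensions."""
    id_list = b"".join(_vec16(rid) for rid in responder_ids)
    return _vec16(id_list) + _vec16(request_extensions)


def build_status_request(status_type=OCSP) -> bytes:
    """ClientHello status_request extension: type, length, status_type, OCSPStatusRequest."""
    body = bytes([status_type]) + ocsp_status_request()
    return struct.pack("!HH", STATUS_REQUEST, len(body)) + body


def build_status_request_v2(status_types=(OCSP, OCSP_MULTI)) -> bytes:
    """ClientHello status_request_v2 extension with one CertificateStatusRequestItemV2 per type.

    Each item is status_type (1 byte), request_length (2 bytes), then an OCSPStatusRequest;
    the items form a certificate_status_req_list<1..2^16-1>.
    """
    items = b"".join(bytes([st]) + _vec16(ocsp_status_request()) for st in status_types)
    body = _vec16(items)
    return struct.pack("!HH", STATUS_REQUEST_V2, len(body)) + body


def _parse_ocsp_status_request(buf: bytes):
    """Return (responder_ids, request_extensions); reject trailing or missing bytes."""
    id_list, pos = _read_vec16(buf, 0)
    exts, pos = _read_vec16(buf, pos)
    if pos != len(buf):
        raise ValueError("trailing bytes after OCSPStatusRequest")
    ids, p = [], 0
    while p < len(id_list):
        rid, p = _read_vec16(id_list, p)
        ids.append(rid)
    return ids, exts


def parse_status_request_extension(data: bytes):
    """Parse one status_request / status_request_v2 extension.

    Returns (extension_type, [status_type, ...]) after checking every length field,
    so a malformed extension raises instead of being silently accepted.
    """
    if len(data) < 4:
        raise ValueError("truncated extension header")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    body = data[4:]
    if len(body) != ext_len:
        raise ValueError("extension length does not match payload")
    if ext_type == STATUS_REQUEST:
        if not body:
            raise ValueError("missing status_type")
        _parse_ocsp_status_request(body[1:])
        return ext_type, [body[0]]
    if ext_type == STATUS_REQUEST_V2:
        items, pos = _read_vec16(body, 0)
        if pos != len(body) or not items:
            raise ValueError("bad certificate_status_req_list")
        types, p = [], 0
        while p < len(items):
            st = items[p]
            req, p = _read_vec16(items, p + 1)
            _parse_ocsp_status_request(req)
            types.append(st)
        return ext_type, types
    raise ValueError("not a status_request extension: type %d" % ext_type)


if __name__ == "__main__":
    print("status_request    :", build_status_request().hex(" "))
    print("status_request_v2 :", build_status_request_v2().hex(" "))
    print(parse_status_request_extension(build_status_request_v2()))
```

The parser rejects an extension whose declared length disagrees with its payload, and rejects a list item whose request_length runs past the list, which is the kind of check a client-side implementation of the "Accept status_request_v2 extension" step needs before acting on the server's reply.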
Re: [openssl-dev] OpenSSL version 1.1.0 pre release 3 published
On Mon, Feb 15, 2016 at 10:17:15PM +, Matt Caswell wrote:
> Maybe EVP_cleanup() and other similar explicit deinit functions should
> be deprecated, and do nothing in 1.1.0? The auto-deinit capability
> should handle it. That way you would not need to do anything "special"
> for 1.1.0 with "#ifdef" etc. What do you think?

That may be a reasonable approach to avoid unexpected failures with existing users. As far as wpa_supplicant is concerned, I ran quite a bit of valgrind testing with the OpenSSL init/deinit calls commented out. While I did find some memory leaks, those were not caused by the OpenSSL library itself. As such, I've already added the #ifdef based on OpenSSL version. This has the additional benefit of marking up code for cleanup once OpenSSL 1.0.2 support terminates in the future.

-- 
Jouni Malinen        PGP id EFC895FA
Re: [openssl-dev] OpenSSL version 1.1.0 pre release 3 published
On Mon, Feb 15, 2016 at 09:34:33PM +, Matt Caswell wrote:
> On 15/02/16 21:25, Jouni Malinen wrote:
> > Is this change in OpenSSL behavior expected? Is it not allowed to call
> > EVP_cleanup() and then re-initialize OpenSSL digests with
> > SSL_library_init()?
>
> Correct, you cannot reinit once you have deinit.

OK.. That used to work, though, so it would be good to mention this clearly in the release notes since this can cause difficult-to-find issues for existing programs. Luckily I happened to have automated test cases that found this now with wpa_supplicant.

> You should not need to explicitly init or deinit at all. Try removing
> all such calls. If you are getting memory leaks not caused by your
> application then that is a bug in OpenSSL.

I agree with the "should not need" part, but there is a reason why I added those calls in the first place, i.e., these were needed with older OpenSSL releases (well, all releases so far since 1.1.0 has not been released). I guess I can remove these calls with #ifdef OPENSSL_VERSION_NUMBER < 0x1010L to maintain support for older versions.

I'd also recommend updating the EVP_cleanup man page to be clearer about EVP_cleanup() being something that must not be called if there are going to be any future calls to OpenSSL before the process exits.

-- 
Jouni Malinen        PGP id EFC895FA
Re: [openssl-dev] OpenSSL version 1.1.0 pre release 3 published
On Mon, Feb 15, 2016 at 10:52:27PM +0200, Jouni Malinen wrote:
> On Mon, Feb 15, 2016 at 07:04:20PM +, OpenSSL wrote:
> > OpenSSL version 1.1.0 pre release 3 (alpha)
>
> It looks like something in pre release 3 has changed behavior in a way
> that results in SSL_CTX_new(SSLv23_method()) failing in some cases. I've
> never seen this with earlier releases. It looks like the error within
> SSL_CTX_new() is in EVP_get_digestbyname("ssl3-md5") returning NULL
> suddenly after a process has called SSL_CTX_new() and SSL_CTX_free()
> multiple times.

Found the trigger.. When adding and removing a network interface, wpa_supplicant ends up going through OpenSSL library init and deinit. One part of that deinit is a call to EVP_cleanup(). Init on the other hand is calling SSL_library_init(). The difference between pre release 2 and 3 is in the SSL_library_init() call after the EVP_cleanup() call not adding back the needed digest registration.

Is this change in OpenSSL behavior expected? Is it not allowed to call EVP_cleanup() and then re-initialize OpenSSL digests with SSL_library_init()?

I can "fix" this by removing the EVP_cleanup() call in wpa_supplicant, but that does not sound like the best thing to do here since it was needed to avoid leaving allocated memory behind during process deinit (i.e., getting memory leak reports from valgrind). The way the ossl_init_ssl_base() function is "hidden" within ssl_init.c, the application cannot even call it again, so other than duplicating the contents of that function after that EVP_cleanup() call, I don't see how this could be fixed cleanly without an OpenSSL change.

-- 
Jouni Malinen        PGP id EFC895FA
Re: [openssl-dev] OpenSSL version 1.1.0 pre release 3 published
On Mon, Feb 15, 2016 at 07:04:20PM +, OpenSSL wrote:
> OpenSSL version 1.1.0 pre release 3 (alpha)
>
> OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 3 has now
> been made available. For details of changes and known issues see the
> release notes at:
>
> http://www.openssl.org/news/openssl-1.1.0-notes.html

It looks like something in pre release 3 has changed behavior in a way that results in SSL_CTX_new(SSLv23_method()) failing in some cases. I've never seen this with earlier releases. It looks like the error within SSL_CTX_new() is in EVP_get_digestbyname("ssl3-md5") returning NULL suddenly after a process has called SSL_CTX_new() and SSL_CTX_free() multiple times.

Based on a git bisect between the OpenSSL_1_1_0-pre2 and OpenSSL_1_1_0-pre3 tags, it looks like the different behavior was triggered by commit 7fa792d14d06cdaca18f225b1d2d8daf8ed24fd7 ('Auto init/de-init libssl'). That does add a call to OPENSSL_INIT_ssl_library_start(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL) within SSL_CTX_new(), so I guess this is somehow messing up the registered digests.

The program in question (wpa_supplicant) calls SSL_load_error_strings(), SSL_library_init(), EVP_add_digest(EVP_sha256()), EVP_add_cipher(EVP_rc2_40_cbc()), and PKCS12_PBE_add(), but commenting these out did not change anything for the issue. I could not find anything related to this in the release notes either. Is this a bug somewhere in pre release 3 or are there supposed to be some changes needed in applications using OpenSSL to work with this auto init/de-init libssl change?

-- 
Jouni Malinen        PGP id EFC895FA
Re: [openssl-dev] OpenSSL version 1.1.0 pre release 2 published
On Thu, Jan 14, 2016 at 03:35:48PM -0500, Viktor Dukhovni wrote:
> Thanks for the prompt error report. If you're willing to share your
> test chains, and if it is likely to be not too difficult to include
> them with the OpenSSL bundled tests, that might be worth looking into.

All the test cases I use with hostapd/wpa_supplicant hwsim testing are available in the public git://w1.fi/hostap.git repository under the tests/hwsim directory. Most cases that are of interest to OpenSSL are in these files:
http://w1.fi/cgit/hostap/plain/tests/hwsim/test_ap_eap.py
http://w1.fi/cgit/hostap/plain/tests/hwsim/test_suite_b.py

The certificates used in the tests are in this directory:
http://w1.fi/cgit/hostap/tree/tests/hwsim/auth_serv

For the time being, all the certificates are from the repository, but some of the OCSP responses used in the test cases are created dynamically when executing the test cases.

> We definitely need more chain verification test cases, and yours failed
> with the unpatched "openssl verify" when used just right:
>
> $ openssl verify -trusted ca-incorrect.pem -untrusted ca.pem \
> -purpose sslserver server.pem
>
> The untrusted ca.pem came up trusted incorrectly. The new DANE-specific
> chain tests are much more comprehensive at this time than the non-DANE
> ones, we'll need to address that before the final release.

Ah, I didn't even think of the possibility of the CA certificate sent by the server getting trusted, so I just ran openssl verify with -CAfile.. I have been mainly focusing on different areas for EAP-TLS/TTLS/PEAP/FAST testing, so the number of chain verification tests that depend on internal OpenSSL functionality is still quite small. I'm hoping to increase this, but it will take quite a bit of time and effort to get that done..
I have higher priority on covering the additional constraints for validation based on the steps that wpa_supplicant can do on top of the OpenSSL chain validation (e.g., checking specific domain suffix and other subject/altsubject information and OCSP) and handling different formats of certificate and private key encoding.

Based on a quick search through the test cases, these are the trivial combinations that can be executed with openssl verify. This assumes the commands are run within that tests/hwsim/auth_serv directory.

OPENSSL=openssl
echo "Should succeed"
$OPENSSL verify -trusted ca.pem -purpose sslserver server.pem
$OPENSSL verify -trusted ca.pem -untrusted ca.pem -purpose sslserver server.pem
$OPENSSL verify -trusted ca.pem -purpose sslclient user.pem
$OPENSSL verify -trusted iCA-user/ca-and-root.pem -untrusted iCA-server/cacert.pem -purpose sslserver iCA-server/server.pem
$OPENSSL verify -trusted iCA-server/ca-and-root.pem -untrusted iCA-user/cacert.pem -purpose sslclient iCA-user/user.pem
$OPENSSL verify -trusted ca.pem -purpose sslserver server-eku-client-server.pem
$OPENSSL verify -trusted ca.pem -purpose sslserver server-long-duration.pem
$OPENSSL verify -trusted sha512-ca.pem -purpose sslserver sha512-server.pem
$OPENSSL verify -trusted sha512-ca.pem -purpose sslserver sha384-server.pem
$OPENSSL verify -trusted sha512-ca.pem -purpose sslclient sha512-user.pem
$OPENSSL verify -trusted sha512-ca.pem -purpose sslclient sha384-user.pem
$OPENSSL verify -trusted ec-ca.pem -purpose sslserver ec-server.pem
$OPENSSL verify -trusted ec-ca.pem -purpose sslclient ec-user.pem
$OPENSSL verify -trusted ec2-ca.pem -purpose sslserver ec2-server.pem
$OPENSSL verify -trusted ec2-ca.pem -purpose sslclient ec2-user.pem
echo "Should fail"
$OPENSSL verify -trusted ca-incorrect.pem -untrusted ca.pem -purpose sslserver server.pem
$OPENSSL verify -trusted ca-incorrect.pem -purpose sslserver server.pem
$OPENSSL verify -trusted ca-incorrect.pem -untrusted ca.pem -purpose sslclient user.pem
$OPENSSL verify -trusted ca-incorrect.pem -purpose sslclient user.pem
$OPENSSL verify -trusted ca.pem -purpose sslserver server-eku-client.pem
$OPENSSL verify -trusted ca.pem -purpose sslserver server-expired.pem

-- 
Jouni Malinen        PGP id EFC895FA
Re: [openssl-dev] OpenSSL version 1.1.0 pre release 2 published
On Thu, Jan 14, 2016 at 03:44:18PM +0100, Richard Levitte wrote:
> OpenSSL version 1.1.0 pre release 2 (alpha)
>
> OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 2 has now
> been made available. For details of changes and known issues see the
> release notes at:
>
> http://www.openssl.org/news/openssl-1.1.0-notes.html

I needed to do the following updates to hostapd/wpa_supplicant to build against this (to a snapshot that worked with 1.1.0 pre release 1):

- use EVP_CIPHER_CTX_new() and dynamic allocation instead of having EVP_CIPHER_CTX ctx on the stack and using EVP_CIPHER_CTX_init() (I guess this was an expected change, but for some reason, pre release 1 did not force this)

- replace "SSL_CIPHER **cipher" with "const SSL_CIPHER **cipher" in the SSL_set_session_secret_cb() callback function (I did not notice any comment about this in the changelog; was there supposed to be something? This broke API compatibility.. The change itself is fine and I already had to do the same with BoringSSL, but it would be nice to get this type of incompatible API change noted clearly)

As far as functionality is concerned, I did see a number of new issues when running through my automated test setup and especially the EAP test cases. I haven't yet looked at what exactly caused these, but these did not look exactly good, so that's why a quick note here first to see if anything sounds familiar and someone would already know why the behavior changed between pre release 1 and 2.

Many of the negative test cases that verify that server certificate chain validation works by using mismatching trust roots (i.e., the server certificate is not issued by any of the trusted CA certificates) are failing. OpenSSL allows the TLS handshake to be completed with the verify callback (set with SSL_set_verify(ssl, SSL_VERIFY_PEER, func)) reporting preverify_ok=1 and err=0 for the root CA and the server certificate even though the client side has not configured that root CA as trusted. This worked fine with pre release 1, so I'm quite concerned about the change in behavior when nothing on the application side changed and an untrusted server certificate suddenly became trusted by an OpenSSL update.. Is there really an intentional change in OpenSSL requiring something additional to be done to configure peer certificate validation to result in failure with the latest pre release?

The EAP server side is crashing (segmentation fault) in a pretty strange way when using CRL validation as part of the TLS handshake. This is my test case ap_wpa2_eap_tls_check_crl, which shows the following in valgrind for the hostapd process that went through the TLS server side exchange. It looks like a crash in OpenSSL check_revocation(), but I guess I'll need to enable more debug symbols somewhere to get a bit more helpful output. This same test case worked fine with pre release 1. The test case ends up using a code path that executes cs = SSL_CTX_get_cert_store() and X509_STORE_set_flags(cs, X509_V_FLAG_CRL_CHECK).

==627== Conditional jump or move depends on uninitialised value(s)
==627==    at 0x6174D5: check_revocation (in /home/jm/Git/hostap/hostapd/hostapd)
==627==    by 0x618280: verify_chain (in /home/jm/Git/hostap/hostapd/hostapd)
==627==    by 0x55782F: ssl_add_cert_chain (in /home/jm/Git/hostap/hostapd/hostapd)
==627==    by 0x575157: ssl3_output_cert_chain (in /home/jm/Git/hostap/hostapd/hostapd)
==627==    by 0x569D3C: ossl_statem_server_construct_message (in /home/jm/Git/hostap/hostapd/hostapd)
==627==    by 0x56461D: state_machine (in /home/jm/Git/hostap/hostapd/hostapd)
==627==    by 0x5513BB: SSL_accept (in /home/jm/Git/hostap/hostapd/hostapd)
==627==    by 0x50AF9C: openssl_handshake (tls_openssl.c:3180)
==627==    by 0x50AF9C: openssl_connection_handshake (tls_openssl.c:3273)
==627==    by 0x508A21: eap_server_tls_phase1 (eap_server_tls_common.c:316)
==627==    by 0x4C41B1: eap_tls_process_msg (eap_server_tls.c:247)
==627==    by 0x508C6B: eap_server_tls_process (eap_server_tls_common.c:468)
==627==    by 0x4C40C3: eap_tls_process (eap_server_tls.c:259)
==627==
==627== Use of uninitialised value of size 8
==627==    at 0x61742D: check_revocation (in /home/jm/Git/hostap/hostapd/hostapd)
==627==    by 0x662C55F: ???
==627==    by 0xE: ???
==627==    by 0x654653F: ???
==627==
vex amd64->IR: unhandled instruction bytes: 0x6E 0x6F 0x6E 0x65 0x0 0x52 0x53 0x41
vex amd64->IR:   REX=0 REX.W=0 REX.R=0 REX.X=0 REX.B=0
vex amd64->IR:   VEX=0 VEX.L=0 VEX.n=0x0 ESC=NONE
vex amd64->IR:   PFX.66=0 PFX.F2=0 PFX.F3=0
==627== Invalid read of size 4
==627==    at 0x75FFEA: ??? (in /home/jm/Git/hostap/hostapd/hostapd)
==627==    by 0xFFF00038F: ???
==627==    by 0x20441A6D1E48C1FF: ???
==627==    by 0xFFF00038F: ???
==627==    by 0xFFF00038F: ???
==627==    by 0x1: ???
==627==    by 0x654653F: ???
==627==  Address 0x1003029407 is not stack'd
Re: [openssl-dev] OpenSSL version 1.1.0 pre release 2 published
On Thu, Jan 14, 2016 at 03:15:12PM -0500, Viktor Dukhovni wrote:
>
> > On Jan 14, 2016, at 2:38 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
> >
> > Thanks. That's enough info. Patch below.
>
> Or pull the master branch from github.

Thanks! I confirmed that both the patch on top of pre-rel 2 (+ CRL fix) and the current master branch snapshot fixed all the test cases that I saw failing previously.

-- 
Jouni Malinen        PGP id EFC895FA
Re: [openssl-dev] OpenSSL version 1.1.0 pre release 2 published
On Thu, Jan 14, 2016 at 05:39:39PM +, Viktor Dukhovni wrote:
> See patch just posted, and also pushed to github. This will likely fix
> the CRL issue.
>
> commit 311f27852a18fb9c10f0c1283b639f12eea06de2
> Author: Viktor Dukhovni <openssl-us...@dukhovni.org>
> Date:   Thu Jan 14 12:23:35 2016 -0500
>
>     Always initialize X509_STORE_CTX get_crl pointer

Thanks! This applied on top of pre-rel 2 does indeed resolve the CRL issue I saw.

-- 
Jouni Malinen        PGP id EFC895FA
Re: [openssl-dev] OpenSSL version 1.1.0 pre release 2 published
On Thu, Jan 14, 2016 at 12:08:06PM -0500, Viktor Dukhovni wrote:
> Well I rewrote the certificate chain verification code, perhaps some more
> polish is needed. Please, if possible, send the chain being verified
> (the leaf and "untrusted" certs), plus the trusted roots (clearly
> marked as such), and I'll look into it.

I'm not sure this is going to be helpful since this is a very basic case and I cannot reproduce this with openssl verify. Anyway, the incorrect CA and the only certificate that was configured as trusted on the client was this one:
http://w1.fi/cgit/hostap/plain/tests/hwsim/auth_serv/ca-incorrect.pem

while the server used this certificate:
http://w1.fi/cgit/hostap/plain/tests/hwsim/auth_serv/server.pem

and this issuer:
http://w1.fi/cgit/hostap/plain/tests/hwsim/auth_serv/ca.pem

Not even the issuer subject name matches here.. Still, I'm getting this with pre-rel 2 on the client:

SSL: SSL_connect:SSLv3/TLS read server hello
OpenSSL: RX ver=0x303 content_type=22 (handshake/certificate)
TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=1 buf='/C=FI/O=w1.fi/CN=Root CA'
TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=0 buf='/C=FI/O=w1.fi/CN=server.w1.fi'

And the TLS handshake completes successfully. With OpenSSL 1.0.2d, this fails (as expected):

SSL: SSL_connect:SSLv3 read server hello A
OpenSSL: RX ver=0x303 content_type=22 (handshake/certificate)
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 1 for '/C=FI/O=w1.fi/CN=Root CA'

So this has to be something with how the chain verification code gets configured.. I'll see if I can find the commit that changed the behavior to make it a bit easier to figure out what exactly may have happened.

-- 
Jouni Malinen        PGP id EFC895FA
Re: [openssl-dev] EAP-FAST and OpenSSL 1.1.x with new client TLS state machine
On Fri, Dec 04, 2015 at 10:27:48AM +, Matt Caswell wrote:
> EAP-FAST is very strange. Normally you know whether you are resuming a
> session or not based on the session id returned from the server. However
> that's not the case with EAP-FAST - you have to wait to see what message
> the server sends you next to determine what's happening (which is really
> horrible).

Indeed. EAP-FAST is a good example of what can happen if a company designs a new EAP method and pushes that to the market without going through proper IETF review.. This part here is not the only difficult item in supporting EAP-FAST. :(

> The new state machine code waits until a message is received from the
> peer and then checks it against its allowed list of transitions based on
> its current state. If its not allowed then you get an unexpected message
> alert. It looks like the check for the EAP-FAST session resumption case
> is missing from the new code.
>
> Please can you try the attached patch and see if that resolves the
> issue? Let me know how you get on.

Thanks! That fixes the issue. With this applied on top of the current master branch snapshot, I was able to pass all my EAP regression tests.

-- 
Jouni Malinen        PGP id EFC895FA
Re: [openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method
On Fri, Jul 31, 2015 at 08:36:46PM +0100, Matt Caswell wrote:
> https://github.com/openssl/openssl/commit/e1e088ec7f2f33c4c4ad31312d62c536441d4358

Thanks! With this, all my EAP test cases are now passing with the OpenSSL master branch snapshot.

-- 
Jouni Malinen        PGP id EFC895FA
Re: [openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method
On Thu, Jul 30, 2015 at 11:00:45AM +0100, Matt Caswell wrote:
> On 28/07/15 15:09, Jouni Malinen wrote:
> > The remaining issue for EAP-FAST server is in the SSL_set_session_secret_cb()
> > callback not having access to the correct server_random through
> > SSL_get_server_random().
>
> Is this still a problem? From looking at the code it seems to me that the
> server random is set prior to calling the callback:

It is a problem with the current master branch snapshot, but not with older versions, i.e., a regression of some sort..

>     /*
>      * Check if we want to use external pre-shared secret for this handshake
>      * for not reused session only. We need to generate server_random before
>      * calling tls_session_secret_cb in order to allow SessionTicket
>      * processing to use it in key derivation.
>      */
>     {
>         unsigned char *pos;
>         pos = s->s3->server_random;
>         if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {

This is indeed the server_random I see in the tls_session_secret_cb, but that is not the server_random that gets used in the negotiation..

> Checking the commit logs this seems to have been put in by this commit
> responding to one of your tickets!
>
> commit 12bf56c017a34bd0d5fc6d817564ae49d0a9e861

It was indeed and that commit worked.. Please note that it uses #ifdef OPENSSL_NO_TLSEXT to avoid having ssl3_send_server_hello() override the previously selected server_random.

> You seem to imply that you can get the server_random through
> ssl->s3->server_random but not through SSL_get_server_random(). Looking at
> the code I can't see an obvious reason why that would be the case. Here is
> SSL_get_server_random():
>
> size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen)
> {
>     if (outlen == 0)
>         return sizeof(ssl->s3->server_random);
>     if (outlen > sizeof(ssl->s3->server_random))
>         outlen = sizeof(ssl->s3->server_random);
>     memcpy(out, ssl->s3->server_random, outlen);
>     return outlen;
> }

I had not checked what this does, but yes, that's indeed identical to the mechanism I use with older OpenSSL versions.
In other words, the issue is in ssl3_send_server_hello(). It looks like commit e481f9b90b164fd1053015d1c4e0a0d92076d7a8 (Remove support for OPENSSL_NO_TLSEXT) broke this. It is deleting a number of #ifndef OPENSSL_NO_TLSEXT lines correctly, but it is also deleting one #ifdef OPENSSL_NO_TLSEXT without removing the block of code that should have also been removed from ssl3_send_server_hello(). Because of that, server_random gets replaced after the call to tls_session_secret_cb, which breaks the EAP-FAST use case. This is the relevant part of that commit:

@@ -1602,13 +1585,13 @@ int ssl3_send_server_hello(SSL *s) if (s-state == SSL3_ST_SW_SRVR_HELLO_A) { buf = (unsigned char *)s-init_buf-data; -#ifdef OPENSSL_NO_TLSEXT + p = s-s3-server_random; if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) = 0) { s-state = SSL_ST_ERR; return -1; } -#endif + /* Do the message type and length last */ d = p = ssl_handshake_start(s);

That ssl_fill_hello_random() call needs to be deleted to fix this issue. Based on a quick test, that does indeed fix the EAP-FAST server issue I saw.

-- 
Jouni Malinen        PGP id EFC895FA
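Review bot: the hunk deletes the `#ifdef OPENSSL_NO_TLSEXT` and `#endif` lines but keeps the statements they guarded, so the assignment of p to the server_random buffer and the `ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE)` call that used to be compiled only in OPENSSL_NO_TLSEXT builds now run unconditionally in ssl3_send_server_hello() and regenerate server_random after tls_session_secret_cb has already derived keys from it. When removing a conditional-compilation guard, remove the guarded block with it: the whole block from the assignment through the closing brace should be dropped, not just the two preprocessor lines, which is the fix the reply above arrives at.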
Re: [openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method
On Mon, Jul 27, 2015 at 11:28:09PM +0100, Matt Caswell wrote:
> The master branch implements security levels. The default security level
> does not allow anon ciphersuites. I suspect this may be your problem.

Indeed. SSL_set_security_level(ssl, 0) for this special EAP-FAST case resolved this.

> Can you use:
>     __owur const SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
> and
>     int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c);
> to then call:
>     EVP_MD_size(EVP_get_digestbynid(nid));

Thanks! This does indeed work fine and is a significantly cleaner design than the one I had to use with earlier OpenSSL versions.

It looks like things are getting very close to complete now. I was able to get all EAP-FAST test cases passing with the current snapshot of 1.0.2 and using TLSv1.2. With the current snapshot of the master branch, there is an issue on the TLS server side, though. All the EAP-FAST peer functionality worked with the master branch version.

The remaining issue for the EAP-FAST server is in the SSL_set_session_secret_cb() callback not having access to the correct server_random through SSL_get_server_random(). In earlier OpenSSL versions, I could fetch this from ssl->s3->server_random. However, SSL_get_server_random() seems to return some bogus data at this point in the sequence (_before_ the ServerHello has actually been written). The correct server_random becomes available later, but that's too late to be able to derive the correct master_secret in the session secret callback.. Any idea what could be causing this? Would it be possible to modify the sequence of operations here in a way that the real server_random would be available through SSL_get_server_random() from the SSL_set_session_secret_cb() handler on the TLS server side as well as on the client side (where it seems to work now)?

-- 
Jouni Malinen        PGP id EFC895FA
Re: [openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method
On Mon, Jul 27, 2015 at 05:03:45PM +0100, Matt Caswell wrote:
> I have just committed a fix for this issue:
> https://github.com/openssl/openssl/commit/f0348c842e75a77f643e7d34cb88609145b2d320
>
> The above links are for the 1.0.2 commits. Equivalent commits have also
> been pushed for 1.0.1. For master I have only added the test as the bug
> did not exist in master (the version negotiation rewrite fixed it).

Thanks! I can confirm that the 1.0.2 changes allow me to remove the EAP-FAST workaround (force TLSv1_method() to be used).

I had not yet been able to test EAP-FAST with the master branch snapshot since there were a number of API changes that broke the mechanism I used for key derivation. Now that I took a new look at this, most of the needed accessors have apparently been added. I think I still may need something to be able to figure out the keyblock size to be able to skip over it in EAP-FAST key derivation. Anyway, this was sufficiently close to be able to run some more tests. With a couple more fixes and a hardcoded keyblock size for testing purposes, it looks like EAP-FAST with authenticated provisioning worked. The unauthenticated provisioning case was failing due to ssl3_client_hello:no ciphers available, but I'd assume that to be caused by some change in the enabled ciphers (this mode is trying to use ADH-AES128-SHA).

While this is somewhat beyond the scope of this thread, I'd appreciate any guidance on how to figure out the keyblock size from the current negotiation with the master branch OpenSSL snapshot. I used to use ssl->s3->tmp.new_mac_secret_size and EVP_CIPHER_{key,iv}_length(). The latter are still present, the former is not. Though, ssl->enc_read_ctx->cipher is not available for EVP_CIPHER_*(). An alternative version used EVP_MD_CTX_md(ssl->read_hash) followed by EVP_MD_size(). That is not available either. A more flexible version of SSL_export_keying_material() would be another (and likely cleaner) alternative for this.
The additional need for a couple of EAP methods is in being able to request server random to be used before client random (i.e., the reverse order of the standard implementation) and to be able to skip key block length number of bytes from the beginning of the PRF output. For that key block skipping part, though, it would also hit an issue with the memcmp against TLS_MD_KEY_EXPANSION_CONST, i.e., something completely different may be needed to be able to derive the EAP-FAST session_key_seed (see RFC 4851 Section 5.1 for details; RFC 5422 Section 3.3 shows yet another EAP-FAST case where session_key_seed and ServerChallenge + ClientChallenge need to be derived similarly after the key_block). It would be nice to be able to get those out from OpenSSL without having to implement the PRF for this externally (and without exporting the master key for that matter).

-- 
Jouni Malinen
PGP id EFC895FA

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method
On Thu, Jul 23, 2015 at 11:09:40PM +, Viktor Dukhovni wrote:
> Any chance you have a standalone test program that works with
> TLSv1_client_method(), but not with SSLv23_client_method() (and SSLv2
> disabled). Such code if added to make test might ensure the problem does
> not come back after it is fixed.
>
> What would be excellent is a program that is both the client and the
> server (talking to itself over a socketpair perhaps, though that might
> not be portable to Windows, but perhaps it suffices for the test to run
> on Unix-like systems...).

While I do have a fully automated test setup (http://buildbot.w1.fi/hwsim/) that runs on a single server and can be used with OpenSSL 0.9.8 through 1.0.2, it would be quite a stretch to claim that to be standalone in this context.. :-)

I do have an example program that comes much closer, though. eap_example in hostap.git is a single process that runs the EAP server and peer and runs through one authentication round. By default, it is not built with OpenSSL or for EAP-FAST, but it is straightforward to modify that to do so. Here's a step-by-step example of running this test:

git clone git://w1.fi/hostap.git
cd hostap/
wget http://w1.fi/p/eap-example-openssl-eap-fast.patch
patch -p1 < eap-example-openssl-eap-fast.patch
cd eap_example/
make
./eap_example > run1
ls -l eap-fast.pac
./eap_example > run2
grep SessionTicket run2

The eap-example-openssl-eap-fast.patch comments out the EAP-FAST workaround where I force TLSv1_method() to be used. In other words, with this patch, SSLv23_method() is used instead. The workaround can be re-enabled by reverting the change in src/crypto/tls_openssl.c (#if 0 -> #if 1).

The first execution of eap_example goes through the EAP-FAST provisioning step. This works with SSLv23_method() since no SessionTicket is used here. As a result of that provisioning round, the eap-fast.pac file is created with the information that the peer can use to establish connections afterwards.
On the second run (and all following runs with the PAC file present for that matter), we'll hit the issue with SSLv23_method(). That grep for SessionTicket in run2 shows this type of output in the failed case:

OpenSSL: ClientHello SessionTicket extension - hexdump(len=0):
EAP-FAST: SessionTicket callback
EAP-FAST: SessionTicket (PAC-Opaque) - hexdump(len=0):
EAP-FAST: Ignore invalid SessionTicket
EAP-FAST: SessionTicket callback
EAP-FAST: SessionTicket - hexdump(len=0): [NULL]
OpenSSL: ClientHello SessionTicket extension - hexdump(len=0):

While the workaround with TLSv1_method() shows this:

OpenSSL: ClientHello SessionTicket extension - hexdump(len=60): 00 02 00 38 93 ac a7 0f 32 75 a3 88 dc b1 e4 b0 83 84 04 bd 63 ed 55 a5 37 0d 69 c9 05 a2 b4 1c f0 43 b4 d5 9b e2 2c 67 74 cf c9 3d bc 82 56 97 79 1d 03 59 5e 86 d3 e3 bd d7 a4 ca
EAP-FAST: SessionTicket callback
EAP-FAST: SessionTicket (PAC-Opaque) - hexdump(len=60): 00 02 00 38 93 ac a7 0f 32 75 a3 88 dc b1 e4 b0 83 84 04 bd 63 ed 55 a5 37 0d 69 c9 05 a2 b4 1c f0 43 b4 d5 9b e2 2c 67 74 cf c9 3d bc 82 56 97 79 1d 03 59 5e 86 d3 e3 bd d7 a4 ca
EAP-FAST: SessionTicket callback
EAP-FAST: SessionTicket - hexdump(len=0): [NULL]

This may still be quite a bit too much for OpenSSL make test purposes, i.e., something without the full EAP-FAST implementation is likely to be sufficient there. I don't have such an example available, though. Anyway, I hope this eap_example code is useful for anyone who might be able to make the SSLv23_method() case in OpenSSL support this use case.

I'm trying to run the full hostapd/wpa_supplicant test suite with all OpenSSL releases, so I should at least notice regressions in the relevant areas pretty quickly. In theory, I could also do this on snapshot builds (or repository snapshots in general).

-- 
Jouni Malinen
PGP id EFC895FA
Re: [openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method
On Thu, Jul 23, 2015 at 08:21:11PM +, Viktor Dukhovni wrote:
> Postfix happily sends session tickets and resuming sessions even though
> it is using SSLv23_client_method(), and there is no server-side session
> cache (I made sure the client connects to a different server process
> between the initial handshake and the resumption, and that there is no
> external cache configured.) Output summary:

I'd assume this is with the more standard TLS SessionTicket which is not what EAP-FAST is..

> The order of events is:
>
> /* Once only */
> ctx = SSL_CTX_new(SSLv23_client_method());
>
> /* Per connection */
> ssl = SSL_new(ctx);
> /* Protocol support varies per server, so not set via global context */
> SSL_set_options(...);

This is all the same..

> /* restore appropriate session from the client cache */
> session = ... ;
> if (session)
>     SSL_set_session(ssl, session);
> SSL_connect(ssl);

While this is not.

> What are you doing to associate a previous session with a new SSL
> connection?

With EAP-FAST, I don't really have a cached session in this sense for deriving the keys and information for ClientHello. Instead of SSL_set_session(), I'm only calling SSL_set_session_ticket_ext() before SSL_connect() to provide the externally (to OpenSSL) stored SessionTicket data. With TLSv1_method(), this data goes out in ClientHello; with SSLv23_method() it does not (only an empty request for a standard session ticket is included, not the SessionTicket from the EAP-FAST PAC data). If I were to store the TLS session during which the EAP-FAST PAC was provisioned and then issue SSL_set_session() with it here, I would indeed get an abbreviated handshake with that session (non-empty Session ID in ClientHello), but that's not how EAP-FAST works.
The Session ID is supposed to be empty here and, instead of the standard session ticket mechanism, the keys come from the SSL_set_session_secret_cb() registered callback function which derives the secret in an EAP-FAST specific way (master_secret = T-PRF(PAC-Key, "PAC to master secret label hash", server_random + client_random, 48)).

-- 
Jouni Malinen
PGP id EFC895FA
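As an added example (not code from the thread, from hostap or from OpenSSL), here is the derivation the two EAP-FAST messages above describe, in Python: the T-PRF that the SSL_set_session_secret_cb() callback uses to turn the PAC-Key into the master secret with server_random first, followed by the ordinary TLS 1.0 "key expansion" PRF with the key_block skipped to reach session_key_seed (RFC 4851 Section 5.1), which is the computation the keyblock-size question in the first message is about. The PAC-Key, the two randoms and the AES128-SHA MAC/key/IV sizes are constructed sample values.

```python
import hashlib
import hmac
import struct

MASTER_SECRET_LABEL = "PAC to master secret label hash"  # RFC 4851 Section 5.1
KEY_EXPANSION_LABEL = b"key expansion"                   # TLS_MD_KEY_EXPANSION_CONST
SESSION_KEY_SEED_LEN = 40


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()


def t_prf(key: bytes, label: str, seed: bytes, out_len: int) -> bytes:
    """EAP-FAST T-PRF (RFC 4851 Section 5.5).

    S = label + 0x00 + seed;
    T(1) = HMAC-SHA1(key, S + out_len + 0x01),
    T(i) = HMAC-SHA1(key, T(i-1) + S + out_len + i),
    with out_len as a 2-octet big-endian value and i a 1-octet counter.
    """
    s = label.encode("ascii") + b"\x00" + seed
    out = b""
    prev = b""
    counter = 1
    while len(out) < out_len:
        prev = hmac_sha1(key, prev + s + struct.pack(">HB", out_len, counter))
        out += prev
        counter += 1
    return out[:out_len]


def p_hash(digest, secret: bytes, seed: bytes, out_len: int) -> bytes:
    """TLS 1.0 P_hash (RFC 2246 Section 5): A(0) = seed, A(i) = HMAC(secret, A(i-1))."""
    out = b""
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:out_len]


def tls1_prf(secret: bytes, label: bytes, seed: bytes, out_len: int) -> bytes:
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second half."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash(hashlib.md5, s1, label + seed, out_len)
    sha1_part = p_hash(hashlib.sha1, s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def eap_fast_master_secret(pac_key: bytes, server_random: bytes,
                           client_random: bytes) -> bytes:
    # What the SSL_set_session_secret_cb() callback hands back to OpenSSL:
    # the master secret is derived from the PAC-Key, with server_random
    # before client_random (the order the thread asks for).
    return t_prf(pac_key, MASTER_SECRET_LABEL, server_random + client_random, 48)


def key_block_len(mac_len: int, key_len: int, iv_len: int) -> int:
    # Size of the TLS key_block the negotiated cipher suite consumes
    # (client and server MAC secret, write key and IV).  This is the
    # value the thread needed an accessor for (and hardcoded for testing).
    return 2 * (mac_len + key_len + iv_len)


def eap_fast_session_key_seed(master_secret: bytes, server_random: bytes,
                              client_random: bytes, kb_len: int) -> bytes:
    # RFC 4851 Section 5.1: run the ordinary "key expansion" PRF, skip the
    # key_block the record layer uses, and take the next 40 bytes.
    # SSL_export_keying_material() cannot be used for this: it rejects the
    # "key expansion" label (the TLS_MD_KEY_EXPANSION_CONST memcmp mentioned
    # in the thread) and orders the randoms as client_random + server_random.
    expansion = tls1_prf(master_secret, KEY_EXPANSION_LABEL,
                         server_random + client_random,
                         kb_len + SESSION_KEY_SEED_LEN)
    return expansion[kb_len:]


# Constructed sample inputs (not values from the thread): a 32-byte PAC-Key,
# two 32-byte handshake randoms, and the MAC/key/IV sizes of AES128-SHA.
SAMPLE_PAC_KEY = bytes(range(0x10, 0x30))
SAMPLE_SERVER_RANDOM = bytes([0xAA]) * 32
SAMPLE_CLIENT_RANDOM = bytes([0x55]) * 32
AES128_SHA_SIZES = (20, 16, 16)


def derive_sample():
    ms = eap_fast_master_secret(SAMPLE_PAC_KEY, SAMPLE_SERVER_RANDOM, SAMPLE_CLIENT_RANDOM)
    kb = key_block_len(*AES128_SHA_SIZES)
    sks = eap_fast_session_key_seed(ms, SAMPLE_SERVER_RANDOM, SAMPLE_CLIENT_RANDOM, kb)
    return ms, kb, sks


if __name__ == "__main__":
    master_secret, kb, session_key_seed = derive_sample()
    print("master_secret    =", master_secret.hex())
    print("key_block_len    =", kb)
    print("session_key_seed =", session_key_seed.hex())
```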
Re: [openssl.org #2128] PKCS12_PBE_add is a noop but maybe it should add the algorithms?
On Tue, Dec 15, 2009 at 10:18 AM, Tomas Mraz via RT r...@openssl.org wrote:
> If you call just SSL_library_init() and PKCS12_PBE_add some pkcs12 files
> will not be loadable and moreover the openssl will crash due to missing
> checks for ciphers not found. I've reported the crash in a separate
> report. Perhaps the PKCS12_PBE_add should add the algorithms which are
> not added in the SSL_library_init() call but which are used in the static
> PBE algorithms table?

It looks like this behavior with PKCS12_PBE_add() changed in this commit:

(date: 2006-05-15 20:34:35 +0300; author: steve; state: Exp; lines: +0 -2; commitid: AaVb4NIRWO7LR8xr;)
| crypto/evp/c_allc.c:1.12, CHANGES:1.1316, crypto/pkcs12/p12_crpt.c:1.20,
| crypto/evp/evp_pbe.c:1.21, crypto/evp/p5_crpt.c:1.21
` Change builting PBE to use static table. Add entries for HMAC and MD5, GOST.

Neither the commit log nor the CHANGES file entry states clearly that this removed some ciphers from being registered with the PKCS12_PBE_add() call. As far as PKCS#12 files are concerned, the disappearance of EVP_rc2_40_cbc() is especially unfortunate. Was this removed on purpose, i.e., was it understood that this would require changes in applications that do not register all ciphers by default?

I used to call SSL_library_init() (i.e., add SSL ciphers/digests) and PKCS12_PBE_add() (to get whatever else would be needed for PKCS#12 files), but that does not work anymore with OpenSSL 1.0.0-beta4. For now, I'm adding an EVP_add_cipher(EVP_rc2_40_cbc()) call to get the behavior closer to what it used to be. While there is a note saying that typical applications will call OpenSSL_add_all_algorithms() (which would avoid this issue), it could be worth documenting the difference in behavior between 0.9.8 and 1.0.0 more explicitly as far as PKCS12_PBE_add() is concerned.

- Jouni

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Re: openssl-0.9.8d-tls-extensions.patch is not in the latest openssl-0.9.8k.tar.gz
On Tue, Apr 28, 2009 at 05:40:04PM -0700, Debbie (Yue) Xu wrote:
> I need the openssl-0.9.8d-tls-extensions.patch in order to get the
> support for all the functionality needed for EAP-FAST in wpa-supplicant.
> But I found that even the latest openssl-0.9.8k.tar.gz doesn't include
> the patch. Can anybody tell me where to download the patch? it's not in
> the http://www.openssl.org/source/, nor in the http://www.openssl.org/contrib/.

The changes for EAP-FAST were only merged into the OpenSSL 0.9.9 (now 1.0.0 beta) tree. As far as 0.9.8k is concerned, you can get an updated patch for OpenSSL in the latest wpa_supplicant release (openssl-0.9.8i-tls-extensions.patch applies to OpenSSL 0.9.8k).

-- 
Jouni Malinen
PGP id EFC895FA
Re: [openssl.org #1574] Session Ticket in OpenSSL 0.9.9 and EAP-FAST
Here's a backport version of the session ticket override patch against OpenSSL 0.9.8i. This provides the same API that was committed into the 0.9.9 tree and it can be used with the current development snapshot of wpa_supplicant/hostapd 0.6.x for EAP-FAST.

-- 
Jouni Malinen
PGP id EFC895FA

This patch adds support for TLS SessionTicket extension (RFC 5077) for the parts used by EAP-FAST (RFC 4851). This is based on the patch from Alexey Kobozev [EMAIL PROTECTED] (sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300).

OpenSSL 0.9.8i does not enable TLS extension support by default, so it will need to be enabled by adding enable-tlsext to the config script command line.

Index: openssl-0.9.8i/ssl/s3_clnt.c === --- openssl-0.9.8i.orig/ssl/s3_clnt.c 2008-06-16 19:56:41.0 +0300 +++ openssl-0.9.8i/ssl/s3_clnt.c2008-11-23 20:39:40.0 +0200 @@ -759,6 +759,21 @@ goto f_err; } +#ifndef OPENSSL_NO_TLSEXT + /* check if we want to resume the session based on external pre-shared secret */ + if (s-version = TLS1_VERSION s-tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + s-session-master_key_length=sizeof(s-session-master_key); + if (s-tls_session_secret_cb(s, s-session-master_key, s-session-master_key_length, + NULL, pref_cipher, s-tls_session_secret_cb_arg)) + { + s-session-cipher=pref_cipher ? + pref_cipher : ssl_get_cipher_by_char(s,p+j); + } + } +#endif /* OPENSSL_NO_TLSEXT */ + if (j != 0 j == s-session-session_id_length memcmp(p,s-session-session_id,j) == 0) { 
@@ -2701,11 +2716,8 @@ { int ok; long n; - /* If we have no ticket or session ID is non-zero length (a match of -* a non-zero session length would never reach here) it cannot be a -* resumed session. -*/ - if (!s-session-tlsext_tick || s-session-session_id_length) + /* If we have no ticket it cannot be a resumed session. */ + if (!s-session-tlsext_tick) return 1; /* this function is called when we really expect a Certificate * message, so permit appropriate message length */ Index: openssl-0.9.8i/ssl/s3_srvr.c === --- openssl-0.9.8i.orig/ssl/s3_srvr.c 2008-09-14 21:16:09.0 +0300 +++ openssl-0.9.8i/ssl/s3_srvr.c2008-11-23 20:37:40.0 +0200 
@@ -959,6 +959,59 @@ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } + + /* Check if we want to use external pre-shared secret for this +* handshake for not reused session only. We need to generate +* server_random before calling tls_session_secret_cb in order to allow +* SessionTicket processing to use it in key derivation. */ + { + unsigned long Time; + unsigned char *pos; + Time=(unsigned long)time(NULL); /* Time */ + pos=s-s3-server_random; + l2n(Time,pos); + if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) = 0) + { + al=SSL_AD_INTERNAL_ERROR; + goto f_err; + } + } + + if (!s-hit s-version = TLS1_VERSION s-tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + + s-session-master_key_length=sizeof(s-session-master_key); + if(s-tls_session_secret_cb(s, s-session-master_key, s-session-master_key_length, + ciphers, pref_cipher, s-tls_session_secret_cb_arg)) + { + s-hit=1; + s-session-ciphers=ciphers; + s-session-verify_result=X509_V_OK; + + ciphers=NULL; + + /* check if some cipher was preferred by call back */ + pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s-session-ciphers, SSL_get_ciphers(s)); + if (pref_cipher == NULL) + { + al=SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); + goto f_err; + } + + s-session-cipher=pref_cipher; + + if (s-cipher_list) + sk_SSL_CIPHER_free(s-cipher_list
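Review bot: in the s3_clnt.c ssl3_get_server_hello hunk (@@ -759,6 +759,21 @@), the fallback `ssl_get_cipher_by_char(s,p+j)` can return NULL for a cipher this build does not know, and the result is stored into s->session->cipher without a check; either reject that case here with an alert or state in the comment that the later cipher lookup is relied on to catch it. The in/out convention for master_key_length (set to sizeof(master_key) as the buffer size, expected to be overwritten with the actual length by the callback) should also be documented where the callback type is declared.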
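Review bot: in the s3_clnt.c ssl3_check_finished hunk (@@ -2701,11 +2716,8 @@), dropping the `|| s->session->session_id_length` condition changes behaviour for every client holding a ticket, not only for EAP-FAST: a client whose non-empty session ID was not matched by the server will now also wait for a possible Finished message. The CHANGES entry or the commit message should say why that is acceptable, i.e. that with the external secret callback a resumption never carries a session ID, so the ID length no longer says anything about whether the session is resumed.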
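Review bot: in the s3_srvr.c ssl3_get_client_hello hunk (@@ -959,6 +959,59 @@), server_random is now filled in before tls_session_secret_cb runs, and this appears to sit in the TLSEXT-guarded region (the hunk starts right after the SSL_R_CLIENTHELLO_TLSEXT error path). The hunk as shown does not touch ssl3_send_server_hello, which must then stop regenerating server_random in TLSEXT builds (otherwise the random the callback derived the master secret from is overwritten and the two sides end up with different keys) while still generating it for OPENSSL_NO_TLSEXT builds; please confirm that part of the change. Also, on callback success the hunk sets `s->session->verify_result=X509_V_OK` although no certificate has been checked; document that SSL_get_verify_result() reports success for such callback-resumed sessions, since applications may read that as evidence of peer authentication.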
Re: [openssl.org #1574] Session Ticket in OpenSSL 0.9.9 and EAP-FAST
On Sat, Nov 15, 2008 at 06:20:08PM +0100, Stephen Henson via RT wrote:
> Your patch has now been applied to HEAD. Thank you for the contribution.
> Let me know of any problems.

Thank you! I updated wpa_supplicant and hostapd to use the new API when building against OpenSSL 0.9.9. This seems to be working fine and will make it much easier for distributions to include EAP-FAST support in the future.

-- 
Jouni Malinen
PGP id EFC895FA
Re: [openssl.org #1574] Session Ticket in OpenSSL 0.9.9 and EAP-FAST
On Tue, Nov 11, 2008 at 12:09:55PM +0100, Stephen Henson via RT wrote:
> OK, we'd need the generic extension part of the patch modified to only
> override the session ticket extension.

I replaced the SSL_set_hello_extension() function with SSL_set_session_ticket_ext() and renamed the related structures to use less generic names. Please note that I left SSL_set_hello_extension() in this version as a simple wrapper to make it easier to test this with the current wpa_supplicant/hostapd implementation, but that can obviously be removed when the patch goes in and I'll change wpa_supplicant/hostapd to use the OpenSSL version to select which calls to use.

> A companion callback to supply the details of the ticket extension would
> be appropriate instead of using the debugging interface.

Are you referring to the use of SSL_set_tlsext_debug_callback() in the EAP-FAST server implementation? This was originally done with a new SSL_set_hello_extension_cb(), but I removed the extra code when session ticket code was added to OpenSSL. Would you like to get the SSL_set_hello_extension_cb() and the related call from ssl3_get_client_hello() included in the patch?

> The indentation in that patch is also inconsistent with the rest of
> OpenSSL.

The attached version should clean up the indentation to match the rest of the code.

-- 
Jouni Malinen
PGP id EFC895FA

This patch adds support for TLS SessionTicket extension (RFC 5077) for the parts used by EAP-FAST (RFC 4851). This is based on the patch from Alexey Kobozev [EMAIL PROTECTED] (sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300).

Index: openssl-SNAP-2008/ssl/s3_clnt.c === --- openssl-SNAP-2008.orig/ssl/s3_clnt.c +++ openssl-SNAP-2008/ssl/s3_clnt.c 
@@ -788,6 +788,23 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } +#ifndef OPENSSL_NO_TLSEXT + /* check if we want to resume the session based on external pre-shared secret */ + if (s-version = TLS1_VERSION s-tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + s-session-master_key_length=sizeof(s-session-master_key); + if (s-tls_session_secret_cb(s, s-session-master_key, +s-session-master_key_length, +NULL, pref_cipher, +s-tls_session_secret_cb_arg)) + { + s-session-cipher = pref_cipher ? + pref_cipher : ssl_get_cipher_by_char(s, p+j); + } + } +#endif /* OPENSSL_NO_TLSEXT */ + if (j != 0 j == s-session-session_id_length memcmp(p,s-session-session_id,j) == 0) { @@ -2927,11 +2944,8 @@ static int ssl3_check_finished(SSL *s) { int ok; long n; - /* If we have no ticket or session ID is non-zero length (a match of -* a non-zero session length would never reach here) it cannot be a -* resumed session. -*/ - if (!s-session-tlsext_tick || s-session-session_id_length) + /* If we have no ticket it cannot be a resumed session. */ + if (!s-session-tlsext_tick) return 1; /* this function is called when we really expect a Certificate * message, so permit appropriate message length */ Index: openssl-SNAP-2008/ssl/s3_srvr.c === --- openssl-SNAP-2008.orig/ssl/s3_srvr.c +++ openssl-SNAP-2008/ssl/s3_srvr.c 
@@ -1010,6 +1010,59 @@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } + + /* Check if we want to use external pre-shared secret for this +* handshake for not reused session only. We need to generate +* server_random before calling tls_session_secret_cb in order to allow +* SessionTicket processing to use it in key derivation. */ + { + unsigned long Time; + unsigned char *pos; + Time=(unsigned long)time(NULL); /* Time */ + pos=s-s3-server_random; + l2n(Time,pos); + if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) = 0) + { + al=SSL_AD_INTERNAL_ERROR; + goto f_err; + } + } + + if (!s-hit s-version = TLS1_VERSION s-tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + + s-session-master_key_length=sizeof(s-session-master_key); + if(s-tls_session_secret_cb(s, s-session-master_key, s-session-master_key_length
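Review bot: in the s3_clnt.c ssl3_get_server_hello hunk (@@ -788,6 +788,23 @@), the callback is invoked on every ServerHello once registered, whether or not this client actually offered a SessionTicket extension for the server to act on; the callback contract (return 0 to fall back to a normal handshake and leave master_key to be set by the key exchange, return non-zero only when an external secret applies) should be spelled out in the header comment for SSL_set_session_secret_cb(), so callers such as the EAP-FAST peer know they must check their own state before filling in a secret.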
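Review bot: in the s3_srvr.c ssl3_get_client_hello hunk (@@ -1010,6 +1010,59 @@), the callback receives the client's `ciphers` stack and may set `pref_cipher`, while the client-side hunk passes NULL for the stack; `s->session->ciphers=ciphers; ciphers=NULL;` then hands ownership of that stack to the session. Both the per-side meaning of those arguments and the ownership transfer deserve a comment next to the callback type, since a callback that keeps a pointer into `ciphers` would otherwise be referencing memory the session now owns and frees.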
Re: [openssl.org #1574] Session Ticket in OpenSSL 0.9.9 and EAP-FAST
On Wed, Nov 12, 2008 at 07:07:56PM +0100, Stephen Henson via RT wrote:
> Well I'm assuming that there needs to be a way to obtain the ticket value
> the peer has sent. Although it is possible to use the debugging interface
> for that it then prevents it being used for anything else. Something like
> an SSL_set_session_ticket_cb() function which would call the supplied
> callback with the received ticket extension value.

The attached version adds SSL_set_session_ticket_ext_cb() to register a callback that will be called whenever a Session Ticket extension is received in ServerHello or ClientHello. EAP-FAST will only use this from the ClientHello, but I added the same code for ServerHello should anyone else have a need for that in a client. I also removed the extra SSL_set_hello_extension() wrapper to clean up the patch.

I have run a quick test with this version and hostapd/wpa_supplicant, but I haven't committed the matching changes into my repository yet since I did not want to change the API use there before the modified version gets into the OpenSSL repository.

-- 
Jouni Malinen
PGP id EFC895FA

This patch adds support for TLS SessionTicket extension (RFC 5077) for the parts used by EAP-FAST (RFC 4851). This is based on the patch from Alexey Kobozev [EMAIL PROTECTED] (sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300).

Index: openssl-SNAP-2008/ssl/s3_clnt.c === --- openssl-SNAP-2008.orig/ssl/s3_clnt.c +++ openssl-SNAP-2008/ssl/s3_clnt.c 
@@ -788,6 +788,23 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } +#ifndef OPENSSL_NO_TLSEXT + /* check if we want to resume the session based on external pre-shared secret */ + if (s-version = TLS1_VERSION s-tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + s-session-master_key_length=sizeof(s-session-master_key); + if (s-tls_session_secret_cb(s, s-session-master_key, +s-session-master_key_length, +NULL, pref_cipher, +s-tls_session_secret_cb_arg)) + { + s-session-cipher = pref_cipher ? + pref_cipher : ssl_get_cipher_by_char(s, p+j); + } + } +#endif /* OPENSSL_NO_TLSEXT */ + if (j != 0 j == s-session-session_id_length memcmp(p,s-session-session_id,j) == 0) { @@ -2927,11 +2944,8 @@ static int ssl3_check_finished(SSL *s) { int ok; long n; - /* If we have no ticket or session ID is non-zero length (a match of -* a non-zero session length would never reach here) it cannot be a -* resumed session. -*/ - if (!s-session-tlsext_tick || s-session-session_id_length) + /* If we have no ticket it cannot be a resumed session. */ + if (!s-session-tlsext_tick) return 1; /* this function is called when we really expect a Certificate * message, so permit appropriate message length */ Index: openssl-SNAP-2008/ssl/s3_srvr.c === --- openssl-SNAP-2008.orig/ssl/s3_srvr.c +++ openssl-SNAP-2008/ssl/s3_srvr.c 
@@ -1010,6 +1010,59 @@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } + + /* Check if we want to use external pre-shared secret for this +* handshake for not reused session only. We need to generate +* server_random before calling tls_session_secret_cb in order to allow +* SessionTicket processing to use it in key derivation. */ + { + unsigned long Time; + unsigned char *pos; + Time=(unsigned long)time(NULL); /* Time */ + pos=s-s3-server_random; + l2n(Time,pos); + if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) = 0) + { + al=SSL_AD_INTERNAL_ERROR; + goto f_err; + } + } + + if (!s-hit s-version = TLS1_VERSION s-tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + + s-session-master_key_length=sizeof(s-session-master_key); + if(s-tls_session_secret_cb(s, s-session-master_key, s-session-master_key_length, + ciphers, pref_cipher, s-tls_session_secret_cb_arg)) + { + s-hit=1; + s-session-ciphers=ciphers; + s-session-verify_result=X509_V_OK
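Review bot: in the s3_clnt.c ssl3_get_server_hello hunk (@@ -788,6 +788,23 @@), nothing of the SSL_set_session_ticket_ext_cb() described in the mail is visible: the hunk is identical to the previous revision, and the ServerHello-side invocation of the new ticket callback would have to live in the extension-parsing code, which is not among the hunks preserved in this archived copy. The callback addition therefore cannot be reviewed from what is shown here; the archived patch should be checked for completeness.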
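Review bot: in the s3_srvr.c ssl3_get_client_hello hunk (@@ -1010,6 +1010,59 @@), `s->hit=1` and `s->session->verify_result=X509_V_OK` are set as soon as the callback returns success, before any cipher has been settled for the session (the earlier revision of this hunk shows the cipher selection after this point can fail and jump to f_err). On that failure path the session object is left marked as a hit with a verified status; either set these two fields only once the cipher is chosen, or reset them on the error path, so a half-initialised session is never observable.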
Re: [openssl.org #1574] Session Ticket in OpenSSL 0.9.9 and EAP-FAST
On Wed, Oct 22, 2008 at 01:19:53PM +0200, Stephen Henson via RT wrote:
> I've had an initial look at this patch. Is there some reason you need to
> be able to generate generic extensions rather than just being able to
> override the session ticket extension?

Not really. This just remains from the initial patch that was done before the session ticket support was added to OpenSSL. In practice, SSL_set_hello_extension() is only used to replace the SessionTicket extension (ext_type=35) and any mechanism that allows this to be done would be fine.

-- 
Jouni Malinen
PGP id EFC895FA
[openssl.org #1574] Session Ticket in OpenSSL 0.9.9 and EAP-FAST
Update the OpenSSL patch for EAP-FAST support to work with the current OpenSSL snapshot. The ssl/s3_srvr.c change from 03-Sep-2008 (rev 1.163) seemed to have reverted some earlier changes and because of this, the extra call to ssl3_digest_cached_records() that was added in the previous EAP-FAST patch update must be removed from the patch. This version was tested with openssl-SNAP-20080928.tar.gz. -- Jouni MalinenPGP id EFC895FA This patch adds support for TLS SessionTicket extension (RFC 5077) for the parts used by EAP-FAST (RFC 4851). This is based on the patch from Alexey Kobozev [EMAIL PROTECTED] (sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300). Index: openssl-SNAP-20080928/ssl/s3_clnt.c === --- openssl-SNAP-20080928.orig/ssl/s3_clnt.c +++ openssl-SNAP-20080928/ssl/s3_clnt.c @@ -788,6 +788,20 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } +#ifndef OPENSSL_NO_TLSEXT + /* check if we want to resume the session based on external pre-shared secret */ + if (s-version = TLS1_VERSION s-tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + s-session-master_key_length=sizeof(s-session-master_key); + if (s-tls_session_secret_cb(s, s-session-master_key, s-session-master_key_length, + NULL, pref_cipher, s-tls_session_secret_cb_arg)) + { + s-session-cipher=pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s,p+j); + } + } +#endif /* OPENSSL_NO_TLSEXT */ + if (j != 0 j == s-session-session_id_length memcmp(p,s-session-session_id,j) == 0) { 
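Review bot: the length the callback writes back is never checked. `s->session->master_key_length` is pre-loaded with `sizeof(s->session->master_key)` and passed by address, but once `tls_session_secret_cb` returns nonzero the hunk trusts whatever value it left there; clamp it (reject anything above `sizeof(s->session->master_key)`, and below the 48 bytes the TLS PRF expects for a master secret) before it feeds key derivation. When the callback returns 0 the code falls through to the normal path with whatever bytes the callback may have already written into `master_key` still in place; clearing the buffer on that branch is cheaper than reasoning about it later.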
@@ -2927,11 +2941,8 @@ static int ssl3_check_finished(SSL *s) { int ok; long n; - /* If we have no ticket or session ID is non-zero length (a match of -* a non-zero session length would never reach here) it cannot be a -* resumed session. -*/ - if (!s-session-tlsext_tick || s-session-session_id_length) + /* If we have no ticket it cannot be a resumed session. */ + if (!s-session-tlsext_tick) return 1; /* this function is called when we really expect a Certificate * message, so permit appropriate message length */ Index: openssl-SNAP-20080928/ssl/s3_srvr.c === --- openssl-SNAP-20080928.orig/ssl/s3_srvr.c +++ openssl-SNAP-20080928/ssl/s3_srvr.c 
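Review bot: the replacement comment loses the rationale the removed check carried, and the new condition is wider than the RFC 5077 section 3.4 case that motivates it. The quoted text of 3.4 only says that a client which sent an empty Session ID ignores the Session ID in the ServerHello; with `|| s->session->session_id_length` gone, a client that holds a ticket will wait for the next message regardless of what it offered or what the server answered in that field. Cite RFC 5077 section 3.4 in the comment so the next reader does not simply re-add the 0.9.8h test, and consider keeping a narrower form of the check for the case where the client itself offered a non-empty ID that the server did not echo.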
@@ -1010,6 +1010,59 @@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } + + /* Check if we want to use external pre-shared secret for this +* handshake for not reused session only. We need to generate +* server_random before calling tls_session_secret_cb in order to allow +* SessionTicket processing to use it in key derivation. */ + { + unsigned long Time; + unsigned char *pos; + Time=(unsigned long)time(NULL); /* Time */ + pos=s-s3-server_random; + l2n(Time,pos); + if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) = 0) + { + al=SSL_AD_INTERNAL_ERROR; + goto f_err; + } + } + + if (!s-hit s-version = TLS1_VERSION s-tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + + s-session-master_key_length=sizeof(s-session-master_key); + if(s-tls_session_secret_cb(s, s-session-master_key, s-session-master_key_length, + ciphers, pref_cipher, s-tls_session_secret_cb_arg)) + { + s-hit=1; + s-session-ciphers=ciphers; + s-session-verify_result=X509_V_OK; + + ciphers=NULL; + + /* check if some cipher was preferred by call back */ + pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s-session-ciphers, SSL_get_ciphers(s)); + if (pref_cipher == NULL) + { + al=SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); + goto f_err; + } + + s-session-cipher=pref_cipher; + + if (s-cipher_list) + sk_SSL_CIPHER_free(s-cipher_list); + + if (s-cipher_list_by_id) + sk_SSL_CIPHER_free(s-cipher_list_by_id); + + s-cipher_list = sk_SSL_CIPHER_dup
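Review bot: `s->session->verify_result=X509_V_OK` marks the session as verified although no certificate has been checked on this path; the peer is authenticated by the external secret, not by X.509. Either say so in the comment, so that it is understood that SSL_get_verify_result() reports OK for a PAC-based session, or leave verify_result at its default so applications that consult it are not misled. Also, server_random is filled in here (timestamp plus `RAND_pseudo_bytes`) before the callback runs; if ssl3_send_server_hello still regenerates it afterwards, the value the callback used for key derivation is not the one sent on the wire, so that later generation has to be skipped on this path, and the hunk does not show that.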
[openssl.org #1574] Session Ticket in OpenSSL 0.9.9 and EAP-FAST
The attached patch is an updated version of the EAP-FAST (RFC 4851) specific changes to TLS SessionTicket (RFC 5077) processing. This updates the patch to work with the current 0.9.9 snapshots. The original patch for making it possible to use OpenSSL for EAP-FAST implementation was posted more than three years ago. So far, there has been next to no comments from the OpenSSL team on the changes. I would really appreciate getting some feedback on the proposed changes and feasibility of finally getting them included into the OpenSSL releases. Maintaining an external patch for a standard system component makes it much harder for users and distributions to handle the current situation if they need EAP-FAST support. Getting the changes, or something else providing similar functionality, included in the OpenSSL would be very helpful in avoiding these issues. Any advice on how to contribute to OpenSSL development as someone outside the core development team would also be appreciated if no one in the core team is interested in looking into this or providing comments. -- Jouni MalinenPGP id EFC895FA This patch adds support for TLS SessionTicket extension (RFC 5077) for the parts used by EAP-FAST (RFC 4851). This is based on the patch from Alexey Kobozev [EMAIL PROTECTED] (sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300). Index: openssl-SNAP-20080822/ssl/s3_clnt.c === --- openssl-SNAP-20080822.orig/ssl/s3_clnt.c +++ openssl-SNAP-20080822/ssl/s3_clnt.c 
@@ -788,6 +788,20 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } +#ifndef OPENSSL_NO_TLSEXT + /* check if we want to resume the session based on external pre-shared secret */ + if (s-version = TLS1_VERSION s-tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + s-session-master_key_length=sizeof(s-session-master_key); + if (s-tls_session_secret_cb(s, s-session-master_key, s-session-master_key_length, + NULL, pref_cipher, s-tls_session_secret_cb_arg)) + { + s-session-cipher=pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s,p+j); + } + } +#endif /* OPENSSL_NO_TLSEXT */ + if (j != 0 j == s-session-session_id_length memcmp(p,s-session-session_id,j) == 0) { @@ -2927,11 +2941,8 @@ static int ssl3_check_finished(SSL *s) { int ok; long n; - /* If we have no ticket or session ID is non-zero length (a match of -* a non-zero session length would never reach here) it cannot be a -* resumed session. -*/ - if (!s-session-tlsext_tick || s-session-session_id_length) + /* If we have no ticket it cannot be a resumed session. */ + if (!s-session-tlsext_tick) return 1; /* this function is called when we really expect a Certificate * message, so permit appropriate message length */ Index: openssl-SNAP-20080822/ssl/s3_srvr.c === --- openssl-SNAP-20080822.orig/ssl/s3_srvr.c +++ openssl-SNAP-20080822/ssl/s3_srvr.c 
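Review bot: in the ssl3_get_server_hello hunk, `pref_cipher` is accepted without validation. A cipher returned by the callback is assigned straight to `s->session->cipher`, and when the callback returns none, `ssl_get_cipher_by_char(s,p+j)` can return NULL for a value the library does not know; neither outcome is checked here, so a later dereference of `s->session->cipher` is possible. Test the result for NULL, and check that it is in the client's own list (`SSL_get_ciphers(s)`) before accepting it, raising the same error the existing code below uses for an unknown cipher.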
@@ -1004,6 +1004,61 @@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } + + /* Check if we want to use external pre-shared secret for this +* handshake for not reused session only. We need to generate +* server_random before calling tls_session_secret_cb in order to allow +* SessionTicket processing to use it in key derivation. */ + { + unsigned long Time; + unsigned char *pos; + Time=(unsigned long)time(NULL); /* Time */ + pos=s-s3-server_random; + l2n(Time,pos); + if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) = 0) + { + al=SSL_AD_INTERNAL_ERROR; + goto f_err; + } + } + + if (!s-hit s-version = TLS1_VERSION s-tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + + s-session-master_key_length=sizeof(s-session-master_key); + if(s-tls_session_secret_cb(s, s-session-master_key, s-session-master_key_length, + ciphers, pref_cipher, s-tls_session_secret_cb_arg)) + { + s-hit=1; + s-session-ciphers=ciphers; + s-session-verify_result=X509_V_OK; + + ciphers=NULL; + + /* check if some cipher was preferred by call back */ + pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s-session-ciphers
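Review bot: the server_random block duplicates the code that already fills server_random in ssl3_send_server_hello (timestamp, then `RAND_pseudo_bytes` for the remaining `SSL3_RANDOM_SIZE-4` bytes); factor the two into one helper called from both places so the callback and the wire always see the same bytes and the copies cannot drift apart, for instance if one of them is later switched to RAND_bytes. The test on the `RAND_pseudo_bytes` return value (shown garbled as `= 0` here, `<= 0` in the original) is the right one for this use: 0 means the bytes are not cryptographically strong, which must not be accepted for server_random.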
Session ticket and Session ID validation change in 0.9.8h
Session ID validation for the case where a session ticket is used was changed in 0.9.8h. To be more exact, ssl3_check_finished() function in ssl/s3_clnt.c was modified (CVS rev 1.88.2.13) to return 1 if session ID has non-zero length. It looks like this change broke the EAP-FAST functionality for client side (using an external patch I maintain for allowing EAP-FAST to be used with OpenSSL). I'm trying to understand the reason for this change, but cannot fully see why it would be needed. RFC 5077 chapter 3.4 allows the server to reply with a non-empty Session ID even when session ticket is used. Why would the client reject this case of session ticket use based on just the ServerHello? The last couple of sentences in RFC 5077, 3.4 describe this with: Alternatively, the client MAY include an empty Session ID in the ClientHello. In this case, the client ignores the Session ID sent in the ServerHello and determines if the server is resuming a session by the subsequent handshake messages. and this is the part that I think the CVS rev 1.88.2.13 change prevents from happening properly. If the client uses a zero-length session ID in ClientHello and server replies with non-empty Session ID in ServerHello (which is what seems to happen here when using OpenSSL for EAP-FAST), ssl3_check_finished() in 0.9.8h returns 1 whereas 0.9.8g returns 2. As the end result, 0.9.8h expects Certificate to follow ServerHello, but it does not in this case since session ticket is used and abbreviated handshake continues with ChangeCipherSpec. 0.9.8g allows this case to be handled since ssl3_connect() has special processing for the case where ssl3_check_finished() returns 2. 0.9.8h ends up rejecting the handshake with bad message type error (unexpected_message fatal alert). Am I missing something here or should the CVS rev 1.88.2.13 for ssl/s3_clnt.c be reverted? 
I'm going to be doing that at least for the EAP-FAST patch, so that the latest OpenSSL version can still be used for EAP-FAST authentication. However, I would like to understand better the reason for this particular change and would welcome any recommendations on how to handle this issue for EAP-FAST (RFC 4851).

-- 
Jouni Malinen, PGP id EFC895FA
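As an added illustration, not code from OpenSSL or from the EAP-FAST patch, the C program below parses a ServerHello body and applies, side by side, the 0.9.8h ssl3_check_finished() rule described in the message and the RFC 5077 section 3.4 behaviour. The branch for a client that offered a non-empty session ID (an echoed ID means resumption, anything else means a full handshake) comes from the part of section 3.4 that the message does not quote. The constructed ServerHello bytes, the cipher suite value and all function names are this example's own.

```c
/* Added example (not OpenSSL code): client-side handling of the ServerHello
 * when a session ticket was offered, contrasting the 0.9.8h rule with the
 * RFC 5077 section 3.4 behaviour. */
#include <stddef.h>
#include <string.h>

enum next_step {
    EXPECT_CERTIFICATE,        /* full handshake: Certificate follows ServerHello */
    EXPECT_CHANGE_CIPHER_SPEC, /* abbreviated handshake: server echoed our session ID */
    DEFER_TO_NEXT_MESSAGE      /* RFC 5077 3.4: let the next message decide */
};

struct server_hello {
    unsigned version;
    unsigned char random[32];
    size_t sid_len;
    unsigned char sid[32];
    unsigned cipher;
    unsigned comp;
};

/* Parse a ServerHello body without extensions:
 * version(2) random(32) sid_len(1) sid(sid_len) cipher(2) compression(1).
 * Every field length is checked against the bytes present. */
int parse_server_hello(const unsigned char *p, size_t n, struct server_hello *sh)
{
    size_t off;

    if (n < 2 + 32 + 1) return -1;
    sh->version = ((unsigned)p[0] << 8) | p[1];
    off = 2;
    memcpy(sh->random, p + off, 32);
    off += 32;
    sh->sid_len = p[off++];
    if (sh->sid_len > sizeof sh->sid || n - off < sh->sid_len + 3) return -1;
    memcpy(sh->sid, p + off, sh->sid_len);
    off += sh->sid_len;
    sh->cipher = ((unsigned)p[off] << 8) | p[off + 1];
    off += 2;
    sh->comp = p[off++];
    return off == n ? 0 : -1;
}

/* Constructed test input: a TLS 1.0 ServerHello with a session ID of
 * `sid_len` bytes of 0x5a.  Returns the encoded length. */
size_t build_server_hello(unsigned char *out, size_t sid_len)
{
    size_t off = 0;
    out[off++] = 0x03; out[off++] = 0x01;          /* TLS 1.0 */
    memset(out + off, 0x11, 32); off += 32;        /* server random (constructed) */
    out[off++] = (unsigned char)sid_len;
    memset(out + off, 0x5a, sid_len); off += sid_len;
    out[off++] = 0x00; out[off++] = 0x2f;          /* TLS_RSA_WITH_AES_128_CBC_SHA */
    out[off++] = 0x00;                             /* null compression */
    return off;
}

/* 0.9.8h rule (CVS rev 1.88.2.13 of ssl3_check_finished): with no ticket, or
 * a non-empty session ID in the ServerHello, expect a Certificate next. */
enum next_step rule_0_9_8h(int have_ticket, const struct server_hello *sh)
{
    if (!have_ticket || sh->sid_len != 0) return EXPECT_CERTIFICATE;
    return DEFER_TO_NEXT_MESSAGE;
}

/* RFC 5077 3.4 rule: a ticket-holding client that sent an empty session ID
 * ignores the ServerHello session ID; one that sent a session ID treats an
 * echo as resumption and anything else as a full handshake. */
enum next_step rule_rfc5077(int have_ticket, const unsigned char *sent_sid,
                            size_t sent_sid_len, const struct server_hello *sh)
{
    if (!have_ticket) return EXPECT_CERTIFICATE;
    if (sent_sid_len == 0) return DEFER_TO_NEXT_MESSAGE;
    if (sh->sid_len == sent_sid_len && memcmp(sh->sid, sent_sid, sent_sid_len) == 0)
        return EXPECT_CHANGE_CIPHER_SPEC;
    return EXPECT_CERTIFICATE;
}

/* Build and parse a ServerHello whose session ID is srv_sid_len bytes of 0x5a,
 * then apply one rule for a ticket-holding client that offered sent_sid_len
 * bytes of sent_fill.  Returns the enum value, or -1 on a parse error. */
int decide(size_t srv_sid_len, size_t sent_sid_len, int sent_fill, int use_rfc5077)
{
    unsigned char buf[128], sent_sid[32];
    struct server_hello sh;
    size_t n;

    if (srv_sid_len > 32 || sent_sid_len > sizeof sent_sid) return -1;
    memset(sent_sid, sent_fill, sizeof sent_sid);
    n = build_server_hello(buf, srv_sid_len);
    if (parse_server_hello(buf, n, &sh) != 0) return -1;
    return use_rfc5077 ? (int)rule_rfc5077(1, sent_sid, sent_sid_len, &sh)
                       : (int)rule_0_9_8h(1, &sh);
}
```

decide(32, 0, 0, 0) is the failing case from the message: a ticket-holding client that offered an empty session ID receives a 32-byte session ID, the 0.9.8h rule insists on a Certificate, and the abbreviated handshake that follows is then reported as an unexpected message; decide(32, 0, 0, 1) defers the decision to the next message instead.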
[openssl.org #1574] Session Ticket in OpenSSL 0.9.9 and EAP-FAST
The attached patch is an updated version of the EAP-FAST specific submission for OpenSSL 0.9.9. This fixes fallback to full TLS handshake in case the server rejects PAC-Opaque from the client. This change cleans up the modifications to ssl3_get_server_hello() that were leftover from the old patch (that was made before TLS SessionTicket support was added to OpenSSL). The new version uses the ssl3_check_finished() function to allow the state machine to handle PAC-Opaque -based abbreviated handshake. I haven't received much comments on the EAP-FAST support from OpenSSL developers, but I would really appreciate getting this type of functionality included with OpenSSL in order to get rid of the need to maintain an external patch for OpenSSL (the original patch was submitted almost three years ago). Consequently, any comments on how to get this (or something similar) merged into OpenSSL would be very helpful. -- Jouni MalinenPGP id EFC895FA This patch adds support for TLS SessionTicket extension (RFC 5077) for the parts used by EAP-FAST (RFC 4851). This is based on the patch from Alexey Kobozev [EMAIL PROTECTED] (sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300). diff -upr openssl-SNAP-20080415.orig/ssl/s3_clnt.c openssl-SNAP-20080415/ssl/s3_clnt.c --- openssl-SNAP-20080415.orig/ssl/s3_clnt.c2008-01-06 00:00:33.0 +0200 +++ openssl-SNAP-20080415/ssl/s3_clnt.c 2008-04-15 16:58:39.0 +0300 
@@ -785,6 +785,20 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } +#ifndef OPENSSL_NO_TLSEXT + /* check if we want to resume the session based on external pre-shared secret */ + if (s-version = TLS1_VERSION s-tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + s-session-master_key_length=sizeof(s-session-master_key); + if (s-tls_session_secret_cb(s, s-session-master_key, s-session-master_key_length, + NULL, pref_cipher, s-tls_session_secret_cb_arg)) + { + s-session-cipher=pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s,p+j); + } + } +#endif /* OPENSSL_NO_TLSEXT */ + if (j != 0 j == s-session-session_id_length memcmp(p,s-session-session_id,j) == 0) { diff -upr openssl-SNAP-20080415.orig/ssl/s3_srvr.c openssl-SNAP-20080415/ssl/s3_srvr.c --- openssl-SNAP-20080415.orig/ssl/s3_srvr.c2007-10-26 16:00:29.0 +0300 +++ openssl-SNAP-20080415/ssl/s3_srvr.c 2008-04-15 16:32:08.0 +0300 
@@ -992,6 +992,59 @@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } + + /* Check if we want to use external pre-shared secret for this +* handshake for not reused session only. We need to generate +* server_random before calling tls_session_secret_cb in order to allow +* SessionTicket processing to use it in key derivation. */ + { + unsigned long Time; + unsigned char *pos; + Time=(unsigned long)time(NULL); /* Time */ + pos=s-s3-server_random; + l2n(Time,pos); + if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) = 0) + { + al=SSL_AD_INTERNAL_ERROR; + goto f_err; + } + } + + if (!s-hit s-version = TLS1_VERSION s-tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + + s-session-master_key_length=sizeof(s-session-master_key); + if(s-tls_session_secret_cb(s, s-session-master_key, s-session-master_key_length, + ciphers, pref_cipher, s-tls_session_secret_cb_arg)) + { + s-hit=1; + s-session-ciphers=ciphers; + s-session-verify_result=X509_V_OK; + + ciphers=NULL; + + /* check if some cipher was preferred by call back */ + pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s-session-ciphers, SSL_get_ciphers(s)); + if (pref_cipher == NULL) + { + al=SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); + goto f_err; + } + + s-session-cipher=pref_cipher; + + if (s-cipher_list) + sk_SSL_CIPHER_free(s-cipher_list); + + if (s-cipher_list_by_id) + sk_SSL_CIPHER_free(s-cipher_list_by_id
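Review bot: the s3_clnt.c hunk above is wrapped in `#ifndef OPENSSL_NO_TLSEXT`, but this s3_srvr.c block is not, although it also references `s->tls_session_secret_cb`; if that field is declared under the same guard, a no-tlsext build breaks here, so wrap it the same way. Separately, the hunk is cut off right after `sk_SSL_CIPHER_free(s->cipher_list_by_id);`; whatever follows has to reassign that pointer, otherwise it is left dangling while `s->cipher_list` is replaced.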
[openssl.org #1574] Session Ticket in OpenSSL 0.9.9 and EAP-FAST
I was pleased to note that support for SessionTicket (RFC 4507) was added into the OpenSSL 0.9.9 tree a couple of weeks ago. This implementation seems to include session ticket use as specified in RFC 4507, which alone is not enough for supporting EAP-FAST (RFC 4851) since EAP-FAST takes care of SessionTicket generation and processing in the EAP method (i.e., the NewSessionTicket handshake message is not used and decoding of the session ticket is done outside the TLS implementation).

Based on the changes in OpenSSL, I tried to update the patch I maintain to allow EAP-FAST to be implemented with OpenSSL. This allowed parts of the changes to be removed since the code in the main OpenSSL repository can now be used instead. I was now able to remove the new callback that was used to notify about the reception of a TLS hello extension. This was replaced with the new SSL_set_tlsext_debug_{callback,arg}, and it is used to allow the EAP-FAST server implementation to receive and process the SessionTicket extension from ClientHello. Similarly, I was able to do small changes to allow the addition of the SessionTicket extension to ClientHello to share the code used in OpenSSL at the peer side of EAP-FAST. Though, this is still using a new function (SSL_set_hello_extension) since the current OpenSSL code did not seem to have a mechanism for overriding the session ticket. Lastly, the callback for updating the session secret (SSL_set_session_secret_cb) is still needed to allow the EAP-FAST implementation to set the session secret during the TLS handshake since this is also done differently from RFC 4507. This callback also requires a bit more changes in server side processing to allow the server random to be made available early enough.

I've attached my current patch to allow EAP-FAST to be implemented with OpenSSL (0.9.9 snapshots).
The EAP-FAST server and peer implementations are available as part of the hostapd/wpa_supplicant Git tree from http://w1.fi/ if anyone is interested in more details how the added functions in OpenSSL are used. I'm sure the changes could be cleaned up a bit, but at least the patch should show what kind of additional functionality is needed. I would welcome any comments on the patch and on how it (or similar functionality) could be integrated into OpenSSL. Is someone else looking into changing the current OpenSSL SessionTicket implementation to be used with EAP-FAST? -- Jouni MalinenPGP id EFC895FA This patch adds support for TLS SessionTicket extension (RFC 4507) for the parts used by EAP-FAST (RFC 4851). This is based on the patch from Alexey Kobozev [EMAIL PROTECTED] (sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300). diff -upr openssl-SNAP-20070821.orig/ssl/s3_clnt.c openssl-SNAP-20070821/ssl/s3_clnt.c --- openssl-SNAP-20070821.orig/ssl/s3_clnt.c2007-08-11 17:02:20.0 -0700 +++ openssl-SNAP-20070821/ssl/s3_clnt.c 2007-08-22 20:15:55.0 -0700 @@ -690,7 +690,7 @@ int ssl3_get_server_hello(SSL *s) STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *c; unsigned char *p,*d; - int i,al,ok; + int i,al,ok,pre_shared; unsigned int j; long n; #ifndef OPENSSL_NO_COMP 
@@ -757,7 +757,26 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } - if (j != 0 j == s-session-session_id_length + /* check if we want to resume the session based on external pre-shared secret */ + pre_shared = 0; +#ifndef OPENSSL_NO_TLSEXT + if (s-version = TLS1_VERSION s-tls_session_secret_cb) + { + SSL_CIPHER *pref_cipher=NULL; + s-session-master_key_length=sizeof(s-session-master_key); + if (s-tls_session_secret_cb(s, s-session-master_key, s-session-master_key_length, + NULL, pref_cipher, s-tls_session_secret_cb_arg)) + { + s-hit=1; + s-session-cipher=pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s,p+j); + s-session-session_id_length = j; + memcpy(s-session-session_id, p, j); + pre_shared = 1; + } + } +#endif /* OPENSSL_NO_TLSEXT */ + + if ((pre_shared || j != 0) j == s-session-session_id_length memcmp(p,s-session-session_id,j) == 0) { if(s-sid_ctx_length != s-session-sid_ctx_length diff -upr openssl-SNAP-20070821.orig/ssl/s3_srvr.c openssl-SNAP-20070821/ssl/s3_srvr.c --- openssl-SNAP-20070821.orig/ssl/s3_srvr.c2007-08-20 06:01:59.0 -0700 +++ openssl-SNAP-20070821/ssl/s3_srvr.c 2007-08-21 18:45:07.0 -0700 @@ -963,6 +963,59 @@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } + + /* Check if we want to use external pre-shared secret
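Review bot: in the ssl3_get_server_hello hunk, the session ID comparison is vacuous once `pre_shared` is set. The block copies the ServerHello's session ID into `s->session->session_id` and sets `session_id_length = j`, after which `(pre_shared || j != 0) && j == s->session->session_id_length && memcmp(p,s->session->session_id,j) == 0` compares the buffer with itself and always takes the resumption branch; either skip the comparison explicitly for the pre-shared case or do not overwrite the stored session ID before comparing. This is the construction the later revisions of the patch on this page replace with the ssl3_check_finished() approach, which avoids the problem.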
TLS SessionTicket (RFC 4507) and EAP-FAST (RFC 4851)
@@ int tls1_new(SSL *s) void tls1_free(SSL *s) { + if(s-tls_extension) + { + OPENSSL_free(s-tls_extension); + } ssl3_free(s); } @@ -196,6 +200,24 @@ unsigned char *ssl_add_clienthello_tlsex ret+=size_str; } + + if (s-version = TLS1_VERSION s-tls_extension) + { + /* Add TLS SessionTicket to the ClientHello message */ + long lenmax; + + if ((lenmax = limit - p - 4) 0 + || s-tls_extension-length (unsigned long)lenmax) + return NULL; + + /* extension type and length */ + s2n(s-tls_extension-type, ret); + s2n(s-tls_extension-length, ret); + + memcpy(ret, s-tls_extension-data, s-tls_extension-length); + ret+=s-tls_extension-length; + } + #ifndef OPENSSL_NO_EC if (s-tlsext_ecpointformatlist != NULL) { @@ -415,6 +437,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, } + else if (type == TLSEXT_TYPE_session_ticket +s-tls_extension_cb) + { + TLS_EXTENSION tls_ext; + tls_ext.type = type; + tls_ext.length = size; + tls_ext.data = data; + + /* returns an alert code or 0 */ + *al = s-tls_extension_cb(s, tls_ext, s-tls_extension_cb_arg); + if (*al != 0) + { + SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,SSL_R_PEER_ERROR); + return 0; + } + } + #ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats) { diff -uprN openssl-SNAP-20070610.orig/ssl/tls1.h openssl-SNAP-20070610/ssl/tls1.h --- openssl-SNAP-20070610.orig/ssl/tls1.h 2007-06-04 11:01:49.0 -0700 +++ openssl-SNAP-20070610/ssl/tls1.h2007-06-11 12:35:33.0 -0700 @@ -192,6 +192,8 @@ extern C { #define TLSEXT_TYPE_status_request 5 #define TLSEXT_TYPE_elliptic_curves10 #define TLSEXT_TYPE_ec_point_formats 11 +/* ExtensionType value from RFC 4507 */ +#define TLSEXT_TYPE_session_ticket 35 /* NameType value from RFC 3546 */ #define TLSEXT_NAMETYPE_host_name 0 
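Review bot: in the ssl_add_clienthello_tlsext hunk the space check is taken from the wrong pointer. The extension is written through `ret`, but `lenmax = limit - p - 4` measures from `p`; if `p` is the start of the extensions block, as for the surrounding code, the check overstates the free space by everything already written and the `memcpy` can run past `limit`. Use `limit - ret - 4`. In the ssl_parse_clienthello_tlsext hunk the error is raised with `SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT` from inside the parse function; use the parse function's own function code. The `tls_ext.data` handed to `tls_extension_cb` points into the ClientHello buffer, so the callback contract should state that the payload must be copied, not retained.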
@@ -456,6 +458,14 @@ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SER #define TLS_MD_MASTER_SECRET_CONST \x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74 /*master secret*/ #endif +/* TLS extension struct */ +struct tls_extension_st +{ + unsigned short type; + unsigned short length; + void *data; +}; + #ifdef __cplusplus } #endif diff -uprN openssl-SNAP-20070610.orig/util/ssleay.num openssl-SNAP-20070610/util/ssleay.num --- openssl-SNAP-20070610.orig/util/ssleay.num 2006-11-30 06:01:18.0 -0800 +++ openssl-SNAP-20070610/util/ssleay.num 2007-06-11 12:35:33.0 -0700 @@ -249,3 +249,6 @@ SSL_get_servername SSL_get_servername_type 298EXIST::FUNCTION:TLSEXT SSL_CTX_set_psk_server_callback 299EXIST::FUNCTION:PSK SSL_get_psk_identity300EXIST::FUNCTION:PSK +SSL_set_hello_extension301 EXIST::FUNCTION:TLSEXT +SSL_set_hello_extension_cb 302 EXIST::FUNCTION:TLSEXT +SSL_set_session_secret_cb 303 EXIST::FUNCTION:TLSEXT -- Jouni MalinenPGP id EFC895FA __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
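Review bot: ownership of `tls_extension_st.data` is not stated anywhere. The tls1_free hunk above frees `s->tls_extension` and not `data`, so either SSL_set_hello_extension() copies the payload into an allocation it owns, or the caller has to keep `data` alive for the lifetime of the SSL; document which in the header next to the struct. The three new ssleay.num entries are tagged `EXIST::FUNCTION:TLSEXT`, which matches the guard the new code lives under, but the ordinals 301 to 303 should be checked against the current file before merging so they do not collide with entries added since this snapshot.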
Re: [openssl.org #1276] [PATCH] TLS Extensions - RFC 3546 (Try 2)
On Tue, Jan 31, 2006 at 09:00:04PM +0100, Dr. Stephen Henson wrote:
> As has happened previously the functionality in the HEAD is not set in stone and may be subject to change. I'm aware of the 0.9.9 TLS extension efforts but I'm not currently actively involved with them. I have a shed load of other things to do.

It looks like the current implementation is going more towards adding each TLS extension as a separate implementation whereas the patch that wpa_supplicant is using for EAP-FAST support has a more generic mechanism that allows arbitrary TLS extensions to be added to ClientHello without having to modify OpenSSL for each new type. Current CVS HEAD includes support for servername and host_name extensions. EAP-FAST is using PAC-Opaque extension, so it would need additional code to add that into the ClientHello. This would likely be something similar to the way setting host_name extension is done.

Before starting to port the patch I've used with OpenSSL 0.9.8 to 0.9.9, I would like to get a better understanding on the desired design for TLS extensions and to find out whether someone else is working on implementing additional extensions at the moment. Is the current design of separate implementation without generic support for arbitrary extensions the preferred way of doing this (i.e., is it likely to remain in 0.9.9)? CHANGES file is marking most of the TLS extension code with "subject to change". If separate implementation is desired, it would probably be a combination of adding the PAC-Opaque extension (a.k.a. SessionTicket TLS extension) and taking care of a callback for fetching pre-shared secret for session resumption.

-- 
Jouni Malinen, PGP id EFC895FA
Re: [openssl.org #1276] [PATCH] TLS Extensions - RFC 3546 (Try 2)
On Fri, Jan 27, 2006 at 03:23:32PM +0100, Stephen Henson via RT wrote:
> > This patch is adding support for TLS hello extensions and externally generated pre-shared key material to OpenSSL 0.9.8.
>
> Note that some TLS extension code has recently been committed to the HEAD (0.9.9-dev). So if this is to be included into OpenSSL it would have to work with that.

That's nice to hear. I'll need to take a look at that and see how much of the functionality needed for EAP-FAST is already included. The other part would be to have support for session resumption using draft-salowey-tls-ticket-07.txt. Has anyone taken a look at that and are there plans on adding support for it in 0.9.9-dev? The patch mentioned above includes at least the parts of this that are needed for peer side implementation of EAP-FAST. tls-ticket draft may include somewhat more generic mechanism, though.

-- 
Jouni Malinen, PGP id EFC895FA
Re: OpenSSL and EAP-FAST (ClientHello ext and no certificates)
On Mon, Jul 04, 2005 at 11:39:26AM +0300, Alexey Kobozev wrote: That's great. So now we have fixed, working and verified patch that can be proposed as contribution to OpenSSL. One additional change makes the features easier to use: allow extension to be removed. The attached patch does this for the case where ext_data for SSL_set_hello_extension() is NULL. In addition, this is diffed against 0.9.8, not a beta version. Do you know what needs to be done to put this patch for consideration of making it to be a part of OpenSSL? README file has information on how to contribute to OpenSSL. If you are outside US, it looks like the only missing part would be in adding string [PATCH] to the subject line when sending the patch to this mailing list. -- Jouni MalinenPGP id EFC895FA diff -uprN openssl-0.9.8.orig/include/openssl/ssl.h openssl-0.9.8/include/openssl/ssl.h --- openssl-0.9.8.orig/include/openssl/ssl.h2005-06-10 12:51:16.0 -0700 +++ openssl-0.9.8/include/openssl/ssl.h 2005-07-19 20:02:15.0 -0700 @@ -340,6 +340,7 @@ extern C { * 'struct ssl_st *' function parameters used to prototype callbacks * in SSL_CTX. */ typedef struct ssl_st *ssl_crock_st; +typedef struct tls_extension_st TLS_EXTENSION; /* used to hold info on the particular ciphers used */ typedef struct ssl_cipher_st @@ -361,6 +362,8 @@ DECLARE_STACK_OF(SSL_CIPHER) typedef struct ssl_st SSL; typedef struct ssl_ctx_st SSL_CTX; +typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); + /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ typedef struct ssl_method_st { 
@@ -968,6 +971,15 @@ struct ssl_st int first_packet; int client_version; /* what was passed, used for * SSLv3/TLS rollback check */ + + /* TLS externsions */ + TLS_EXTENSION *tls_extension; + int (*tls_extension_cb)(SSL *s, TLS_EXTENSION *tls_ext, void *arg); + void *tls_extension_cb_arg; + + /* TLS pre-shared secret session resumption */ + tls_session_secret_cb_fn tls_session_secret_cb; + void *tls_session_secret_cb_arg; }; #ifdef __cplusplus @@ -1533,6 +1545,13 @@ void *SSL_COMP_get_compression_methods(v int SSL_COMP_add_compression_method(int id,void *cm); #endif +/* TLS extensions functions */ +int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len); +int SSL_set_hello_extension_cb(SSL *s, int (*cb)(SSL *, TLS_EXTENSION *, void *), void *arg); + +/* Pre-shared secret session resumption functions */ +int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. @@ -1714,6 +1733,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_TLS1_ENC 210 #define SSL_F_TLS1_SETUP_KEY_BLOCK 211 #define SSL_F_WRITE_PENDING 212 +#define SSL_F_SSL_SET_HELLO_EXTENSION 213 /* Reason codes. */ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 diff -uprN openssl-0.9.8.orig/include/openssl/tls1.h openssl-0.9.8/include/openssl/tls1.h --- openssl-0.9.8.orig/include/openssl/tls1.h 2003-07-22 05:34:21.0 -0700 +++ openssl-0.9.8/include/openssl/tls1.h2005-07-19 20:02:15.0 -0700 
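Review bot: the new fields are appended to `struct ssl_st` in the public include/openssl/ssl.h, which changes the size of `SSL` for every application built against the 0.9.8 headers; that is an ABI change for a 0.9.8 patch, so either accept that it cannot go into 0.9.8 as-is or hold the state behind a pointer or ex_data. The comment reads `TLS externsions` (typo). The `tls_session_secret_cb_fn` typedef takes `void *secret, int *secret_len` with no way to convey the buffer size other than the caller pre-loading `*secret_len`; document that contract in ssl.h next to the typedef, together with the meaning of a nonzero return value.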
@@ -282,6 +282,14 @@ extern C { #define TLS_MD_MASTER_SECRET_CONST \x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74 /*master secret*/ #endif +/* TLS extension struct */ +struct tls_extension_st +{ + unsigned short type; + unsigned short length; + void *data; +}; + #ifdef __cplusplus } #endif diff -uprN openssl-0.9.8.orig/ssl/Makefile openssl-0.9.8/ssl/Makefile --- openssl-0.9.8.orig/ssl/Makefile 2005-05-30 16:20:30.0 -0700 +++ openssl-0.9.8/ssl/Makefile 2005-07-19 20:02:15.0 -0700 @@ -24,7 +24,7 @@ LIBSRC= \ s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \ s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \ s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \ - t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \ + t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c t1_ext.c \ d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \ d1_both.c d1_enc.c \ ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \ @@ -35,7 +35,7 @@ LIBOBJ= \ s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \ s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \ s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o s23_pkt.o \ - t1_meth.o t1_srvr.o t1_clnt.o
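Review bot: the tls_session_secret_cb_fn typedef in the ssl.h @@ -361 hunk passes `void *secret, int *secret_len` without saying how large the destination is. Since the callback writes into the fixed-size master-key buffer of the session, document secret_len as in/out (capacity on entry, bytes written on return) and have the caller reject a returned length larger than the buffer; otherwise a callback that supplies more bytes than fit overflows the session structure.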
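Review bot: typo in the ssl.h @@ -968 hunk, the comment `/* TLS externsions */` should read `/* TLS extensions */`. The single `TLS_EXTENSION *tls_extension` pointer also means only one ClientHello extension can be attached per SSL object; if that is intended, the header comment should say so. And because struct ssl_st is defined in the public header, appending five fields changes its size for any application that embeds or allocates it directly, which deserves a line in CHANGES.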
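Review bot: in the ssl.h @@ -1533 hunk, `SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len)` takes int type and length while struct tls_extension_st in the tls1.h hunk stores both as unsigned short, so the setter must reject values outside 0..65535, a negative ext_len, and a non-zero ext_len with a NULL ext_data before filling in the struct. If the library copies the data, ext_data can be `const void *`; the NULL-removes-the-extension behaviour described in the mail should be stated in the header comment rather than left implicit.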
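Review bot: `#define SSL_F_SSL_SET_HELLO_EXTENSION 213` in the ssl.h @@ -1714 hunk is hand-inserted into the region the comment above marks as generated by mkerr.pl. The new function code also needs its string entry in ssl_err.c, so regenerate the error codes (the `errors` make target) instead of editing the header alone, or the next regeneration will renumber or drop the entry.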
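Review bot: the tls1.h @@ -282 hunk exposes `struct tls_extension_st` (`unsigned short type; unsigned short length; void *data;`) in a public header, which freezes the layout for the life of the ABI and hands callbacks registered via SSL_set_hello_extension_cb a mutable `void *data` with no stated ownership. Since ssl.h already forward-declares TLS_EXTENSION, consider keeping the definition in ssl_locl.h and adding accessors, or at minimum document who frees `data` and that `length` counts bytes of `data` only.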
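Review bot: the ssl/Makefile @@ -24 hunk adds t1_ext.c to LIBSRC; make sure the dependency block at the end of the Makefile (below the `# DO NOT DELETE THIS LINE` marker) is regenerated with `make depend` as part of the patch, otherwise a change to tls1.h will not rebuild the new file.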
Re: OpenSSL and EAP-FAST (ClientHello ext and no certificates)
On Tue, Jun 07, 2005 at 03:40:58PM +0300, Alexey Kobozev wrote:

> I've checked your patch and it seems like you're not fully aware of what is
> actually needed to support EAP-FAST in OpenSSL. There are actually two things:
> 1. TLS client hello extension support
> 2. Ability to perform the TLS session resume based on externally negotiated
>    pre-shared key material.

Unfortunately, I missed your email to the mailing list and it took this long to
finally notice it. I was doing the same part of copying s->session->master_key,
but not as a callback. This made me miss the part of setting s->hit and having
to work around the other parts of the message processing. Your patch was quite
helpful in understanding how this can be done properly.

> Attached is the patch made for OpenSSL 0.9.8 beta 2, which includes the
> following modifications and updates for both server and client:
> - Client can attach additional data (PAC) to client hello using the newly
>   added SSL_set_hello_extension() function.

This worked nicely and is certainly a more generic way of doing this than the
quick test version I was using.

> - Client and server can register the callback, which will be called while
>   creating the TLS session. This callback provides the pre-shared secret for
>   the TLS session. This callback has cipher suites input and output
>   parameters, which can be used to affect the cipher suite choice.

I needed to modify this part a bit to get EAP-FAST working. First, I was
triggering a segfault since my callback function did not set pref_cipher to
NULL and the variable happened to get a non-NULL value. I changed your code for
the client case to set pref_cipher=NULL before calling the callback. Actually,
this was already done in the server case. After this, I was hitting a problem
where the server was setting the Session ID length to zero and s->hit was
cleared immediately after having been set after a successful
tls_session_secret_cb call.
ssl3_get_server_hello() seems to be requiring that the Session ID length is
non-zero (j != 0 after the tls_session_secret_cb). I don't know whether the EAP
server was supposed to set this to non-zero, but at least it did not seem to do
this in my tests, so I added some more code to allow s->hit to be set even if
the Session ID length is zero, but tls_session_secret_cb completed successfully.
This allowed me to complete EAP-FAST authentication. I changed wpa_supplicant to
use this patch.

> P.S. I'd like this patch (with some modifications maybe) to be considered for
> committing it to current or future versions of OpenSSL.

I'd second this. The attached patch is a combination of your separate t1_ext.c
file and the other changes with the small modifications mentioned above. This
is against OpenSSL 0.9.8 beta 6.

--
Jouni Malinen                                            PGP id EFC895FA

diff -uprN openssl-0.9.8-beta6.orig/include/openssl/ssl.h openssl-0.9.8-beta6/include/openssl/ssl.h --- openssl-0.9.8-beta6.orig/include/openssl/ssl.h 2005-06-10 12:51:16.0 -0700 +++ openssl-0.9.8-beta6/include/openssl/ssl.h 2005-06-29 22:17:29.0 -0700 @@ -340,6 +340,7 @@ extern C { * 'struct ssl_st *' function parameters used to prototype callbacks * in SSL_CTX. */ typedef struct ssl_st *ssl_crock_st; +typedef struct tls_extension_st TLS_EXTENSION; /* used to hold info on the particular ciphers used */ typedef struct ssl_cipher_st @@ -361,6 +362,8 @@ DECLARE_STACK_OF(SSL_CIPHER) typedef struct ssl_st SSL; typedef struct ssl_ctx_st SSL_CTX; +typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); + /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ typedef struct ssl_method_st { 
@@ -968,6 +971,15 @@ struct ssl_st int first_packet; int client_version; /* what was passed, used for * SSLv3/TLS rollback check */ + + /* TLS externsions */ + TLS_EXTENSION *tls_extension; + int (*tls_extension_cb)(SSL *s, TLS_EXTENSION *tls_ext, void *arg); + void *tls_extension_cb_arg; + + /* TLS pre-shared secret session resumption */ + tls_session_secret_cb_fn tls_session_secret_cb; + void *tls_session_secret_cb_arg; }; #ifdef __cplusplus @@ -1533,6 +1545,13 @@ void *SSL_COMP_get_compression_methods(v int SSL_COMP_add_compression_method(int id,void *cm); #endif +/* TLS extensions functions */ +int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len); +int SSL_set_hello_extension_cb(SSL *s, int (*cb)(SSL *, TLS_EXTENSION *, void *), void *arg); + +/* Pre-shared secret session resumption functions */ +int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run
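Review bot: the `SSL_CIPHER **cipher` output of tls_session_secret_cb_fn in the ssl.h @@ -361 hunk has no documented initial value, and the mail above reports a client-side segfault from exactly that (pref_cipher not NULL before the call, only the server path initialised it). State in the header that the library sets `*cipher` to NULL before invoking the callback and that leaving it NULL means no preference, and make the client and server code paths do so identically.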
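Review bot: `SSL_set_hello_extension_cb(SSL *s, int (*cb)(SSL *, TLS_EXTENSION *, void *), void *arg)` in the ssl.h @@ -1533 hunk does not say when the callback runs or what its int return means. The header comment should state at which handshake step it is invoked and whether a zero return aborts the handshake, because a server that registers it will use the return value to reject an unexpected or malformed extension.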
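The callback contract discussed in the message above, as an added example that is not part of the patch or of OpenSSL: MODEL_SSL, pac_secret_cb and model_resume_with_secret are stand-ins written here, and SSL_MAX_MASTER_KEY_LENGTH is assumed to be OpenSSL's 48-byte master-key size. It shows the two fixes the mail describes (pref_cipher initialised to NULL before the call, s->hit set without requiring a non-zero Session ID) together with a capacity check on the secret buffer.

```c
/* Added example (not from the patch or OpenSSL): a model of the proposed
 * tls_session_secret_cb_fn contract with stand-in types; 48-byte master key as in OpenSSL. */
#include <string.h>
#define SSL_MAX_MASTER_KEY_LENGTH 48
typedef struct ssl_cipher_st SSL_CIPHER;   /* opaque stand-in */
typedef struct {
    unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
    int master_key_length, hit;            /* hit: session was resumed */
    SSL_CIPHER *cipher;                    /* NULL: library chooses as usual */
} MODEL_SSL;
typedef int (*tls_session_secret_cb_fn)(MODEL_SSL *s, void *secret, int *secret_len,
        void *peer_ciphers /* stands in for STACK_OF(SSL_CIPHER) * */, SSL_CIPHER **cipher, void *arg);
/* Application callback: *secret_len is buffer capacity on entry and bytes
 * written on return; *cipher stays NULL, i.e. no cipher preference. */
static int pac_secret_cb(MODEL_SSL *s, void *secret, int *secret_len,
                         void *peer_ciphers, SSL_CIPHER **cipher, void *arg)
{
    const unsigned char *key = arg;        /* constructed 48-byte sample key */
    (void)s; (void)peer_ciphers;
    if (key == NULL || *secret_len < SSL_MAX_MASTER_KEY_LENGTH)
        return 0;                          /* refuse rather than overflow */
    memcpy(secret, key, SSL_MAX_MASTER_KEY_LENGTH);
    *secret_len = SSL_MAX_MASTER_KEY_LENGTH;
    *cipher = NULL;
    return 1;
}
/* Library side as the thread describes it after the fixes: pref_cipher is NULL
 * before the call, and s->hit is set on success regardless of Session ID length. */
static int model_resume_with_secret(MODEL_SSL *s, tls_session_secret_cb_fn cb, void *arg)
{
    SSL_CIPHER *pref_cipher = NULL;
    int len = SSL_MAX_MASTER_KEY_LENGTH;   /* capacity of s->master_key */
    if (cb == NULL || !cb(s, s->master_key, &len, NULL, &pref_cipher, arg)
        || len <= 0 || len > SSL_MAX_MASTER_KEY_LENGTH)
        return 0;
    s->master_key_length = len; s->cipher = pref_cipher; s->hit = 1;
    return 1;
}
/* Scenario: a 16-byte buffer is rejected untouched, then a full-size one resumes. */
static int demo(void)
{
    MODEL_SSL s; unsigned char buf[16], key[SSL_MAX_MASTER_KEY_LENGTH];
    int len = 16; SSL_CIPHER *c = NULL;
    memset(&s, 0, sizeof s); memset(key, 0xAB, sizeof key);
    if (pac_secret_cb(&s, buf, &len, NULL, &c, key) != 0 || len != 16) return 0;
    if (model_resume_with_secret(&s, pac_secret_cb, key) != 1) return 0;
    return s.hit == 1 && s.master_key_length == 48 && s.master_key[47] == 0xAB
        && s.cipher == NULL;
}
```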