We've found a way to recreate the scenario using s_client/s_server.  We're 
using the -no_ticket option on the server.  Therefore, the ServerHello doesn't 
contain the session ticket extension.  It also doesn't send the 
NewSessionTicket message.  

To summarize the problem, when the client side is using 
SSL_set_session_secret_cb() and including a valid ticket in the ClintHello, 
then the logic in ssl3_get_server_hello() assumes the server is doing session 
resumption.  This puts the client-side state machine into the 
SSL3_ST_CR_FINISHED_A.  However, since the server side is configured to not do 
resumption via the -no_ticket option, the server continues with a normal 
handshake by sending the Certificate message.  The client aborts the handshake 
when it receives the Certificate message while in the SSL3_ST_CR_FINISHED_A 
state.


As Erik identified earlier in the thread, the cause of this appears to be the 
addition of setting s->hit in the following code:

    if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
        SSL_CIPHER *pref_cipher = NULL;
        s->session->master_key_length = sizeof(s->session->master_key);
        if (s->tls_session_secret_cb(s, s->session->master_key,
                                     &s->session->master_key_length,
                                     NULL, &pref_cipher,
                                     s->tls_session_secret_cb_arg)) {
            s->session->cipher = pref_cipher ?
                pref_cipher : ssl_get_cipher_by_char(s, p + j);
            s->hit = 1;
        }
    }

Why does the client-side now assume the server is doing session resumption 
simply because the session secret callback facility is being used?
________________________________________
From: openssl-dev [openssl-dev-boun...@openssl.org] on behalf of Dr. Stephen 
Henson [st...@openssl.org]
Sent: Thursday, March 19, 2015 11:49 AM
To: openssl-dev@openssl.org
Subject: Re: [openssl-dev] s3_clnt.c changes regarding external pre-shared 
secret seem to break EAP-FAST

On Thu, Mar 19, 2015, Erik Tkal wrote:

>
> If I do not send a sessionID in the clientHello but do send a valid
> sessionTicket extension, the server goes straight to changeCipherSpec and
> the client generates an UnexpectedMessage alert.
>

Does the server send back an empty session ticket extension?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Reply via email to