On 03/12/15 23:09, Jouni Malinen wrote:
> Any idea what happened with these OpenSSL client state machine changes
> and how to get this fixed to restore EAP-FAST functionality?

EAP-FAST is very strange. Normally you know whether you are resuming a
session or not based on the session id returned from the server. However
that's not the case with EAP-FAST - you have to wait to see what message
the server sends you next to determine what's happening (which is really
horrible).

The new state machine code waits until a message is received from the
peer and then checks it against its allowed list of transitions based on
its current state. If it's not allowed then you get an unexpected message
alert. It looks like the check for the EAP-FAST session resumption case
is missing from the new code.

Please can you try the attached patch and see if that resolves the
issue? Let me know how you get on.

Thanks

Matt

From 07315256ab0a97e1172304a098c262a845833206 Mon Sep 17 00:00:00 2001
From: Matt Caswell <[email protected]>
Date: Fri, 4 Dec 2015 10:18:01 +0000
Subject: [PATCH] Fix EAP FAST in the new state machine

The new state machine code missed an allowed transition when resuming a
session via EAP FAST. This commit adds the missing check for the
transition.
---
 ssl/statem/statem_clnt.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 527101b..b49f498 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -283,6 +283,19 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
             if (SSL_IS_DTLS(s) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
                 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
                 return 1;
+            } else if (s->version >= TLS1_VERSION
+                    && s->tls_session_secret_cb != NULL
+                    && s->session->tlsext_tick != NULL
+                    && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
+                /*
+                 * Normally, we can tell if the server is resuming the session
+                 * from the session ID. EAP-FAST (RFC 4851), however, relies on
+                 * the next server message after the ServerHello to determine if
+                 * the server is resuming.
+                 */
+                s->hit = 1;
+                st->hand_state = TLS_ST_CR_CHANGE;
+                return 1;
             } else if (!(s->s3->tmp.new_cipher->algorithm_auth
                         & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
                 if (mt == SSL3_MT_CERTIFICATE) {
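
Review bot: In the new else-if branch, a ChangeCipherSpec arriving right after the ServerHello is accepted on client-side state alone (tls_session_secret_cb set and session->tlsext_tick non-NULL), and s->hit = 1 is assigned inside what is otherwise a pure transition check. The comment explains why EAP-FAST needs the transition but not that the function now modifies s->hit; saying so in the comment would stop a later reader from treating ossl_statem_client_read_transition() as side-effect free. It is also worth confirming whether s->version >= TLS1_VERSION is meant to include DTLS: the preceding branch shows DTLS connections reach this chain, and DTLS version values compare numerically greater than TLS1_VERSION, so if only TLS is intended the condition should add !SSL_IS_DTLS(s).
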
-- 
2.5.0

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev