Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Fixed fallback to full handshake when server rejects PAC-Opaque

The TLS client changes in ssl3_get_server_hello() were based on the
pre-RFC 5077 version of OpenSSL and they hardcoded s->hit to 1 in case
PAC-Opaque was used. This prevented fallback to full TLS handshake in case
the server rejected PAC-Opaque in ClientHello. The fixed version simplifies
ssl3_get_server_hello() and uses the new RFC 5077 functionality in OpenSSL
(ssl3_check_finished) to allow the state machine handle start of
abbreviated handshake based on the used ticket.
Jouni Malinen 17 years ago
parent
d4092763cf
commit
fe2b7dda02
2 changed files with 22 additions and 36 deletions
Split View Show Diff Stats
  1. 20 36
      patches/openssl-0.9.8g-tls-extensions.patch
  2. 2 0
      wpa_supplicant/ChangeLog

+ 20 - 36
patches/openssl-0.9.8g-tls-extensions.patch
View File 

@@ -1,4 +1,4 @@
 
-This patch adds support for TLS SessionTicket extension (RFC 4507) for
 
+This patch adds support for TLS SessionTicket extension (RFC 5077) for
 
 the parts used by EAP-FAST (RFC 4851).
 
 
 This is based on the patch from Alexey Kobozev <akobozev@cisco.com>
 
@@ -10,25 +10,14 @@ command line.
 
 
 
 diff -upr openssl-0.9.8g.orig/ssl/s3_clnt.c openssl-0.9.8g/ssl/s3_clnt.c
 
---- openssl-0.9.8g.orig/ssl/s3_clnt.c	2007-08-30 17:28:51.000000000 -0700
 
-+++ openssl-0.9.8g/ssl/s3_clnt.c	2007-11-01 20:08:08.000000000 -0700
 
-@@ -660,7 +660,7 @@ int ssl3_get_server_hello(SSL *s)
 
- 	STACK_OF(SSL_CIPHER) *sk;
 
- 	SSL_CIPHER *c;
 
- 	unsigned char *p,*d;
 
--	int i,al,ok;
 
-+	int i,al,ok,pre_shared;
 
- 	unsigned int j;
 
- 	long n;
 
- #ifndef OPENSSL_NO_COMP
 
-@@ -727,7 +727,26 @@ int ssl3_get_server_hello(SSL *s)
 
+--- openssl-0.9.8g.orig/ssl/s3_clnt.c	2007-08-31 03:28:51.000000000 +0300
 
++++ openssl-0.9.8g/ssl/s3_clnt.c	2008-04-15 17:11:46.000000000 +0300
 
+@@ -727,6 +727,20 @@ int ssl3_get_server_hello(SSL *s)
 
  		goto f_err;
 
  		}
 
  
--	if (j != 0 && j == s->session->session_id_length
 
-+	/* check if we want to resume the session based on external pre-shared secret */
 
-+	pre_shared = 0;
 
 +#ifndef OPENSSL_NO_TLSEXT
 
++	/* check if we want to resume the session based on external pre-shared secret */
 
 +	if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
 
 +	{
 
 +		SSL_CIPHER *pref_cipher=NULL;
 
@@ -36,22 +25,17 @@ diff -upr openssl-0.9.8g.orig/ssl/s3_clnt.c openssl-0.9.8g/ssl/s3_clnt.c
 
 +		if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
 
 +			NULL, &pref_cipher, s->tls_session_secret_cb_arg))
 
 +		{
 
-+			s->hit=1;
 
 +			s->session->cipher=pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s,p+j);
 
-+			s->session->session_id_length = j;
 
-+			memcpy(s->session->session_id, p, j);
 
-+			pre_shared = 1;
 
 +		}
 
 +	}
 
 +#endif /* OPENSSL_NO_TLSEXT */
 
 +
 
-+	if ((pre_shared || j != 0) && j == s->session->session_id_length
 
+ 	if (j != 0 && j == s->session->session_id_length
 
  	    && memcmp(p,s->session->session_id,j) == 0)
 
  	    {
 
- 	    if(s->sid_ctx_length != s->session->sid_ctx_length
 
 diff -upr openssl-0.9.8g.orig/ssl/s3_srvr.c openssl-0.9.8g/ssl/s3_srvr.c
 
---- openssl-0.9.8g.orig/ssl/s3_srvr.c	2007-09-30 11:55:59.000000000 -0700
 
-+++ openssl-0.9.8g/ssl/s3_srvr.c	2007-11-02 19:24:20.000000000 -0700
 
+--- openssl-0.9.8g.orig/ssl/s3_srvr.c	2007-09-30 21:55:59.000000000 +0300
 
++++ openssl-0.9.8g/ssl/s3_srvr.c	2008-04-15 17:10:37.000000000 +0300
 
 @@ -928,6 +928,59 @@ int ssl3_get_client_hello(SSL *s)
 
  			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
 
  			goto err;
 
@@ -137,8 +121,8 @@ diff -upr openssl-0.9.8g.orig/ssl/s3_srvr.c openssl-0.9.8g/ssl/s3_srvr.c
 
  		d=p= &(buf[4]);
 
  
 diff -upr openssl-0.9.8g.orig/ssl/ssl.h openssl-0.9.8g/ssl/ssl.h
 
---- openssl-0.9.8g.orig/ssl/ssl.h	2007-10-19 00:42:38.000000000 -0700
 
-+++ openssl-0.9.8g/ssl/ssl.h	2007-11-01 20:08:08.000000000 -0700
 
+--- openssl-0.9.8g.orig/ssl/ssl.h	2007-10-19 10:42:38.000000000 +0300
 
++++ openssl-0.9.8g/ssl/ssl.h	2008-04-15 17:10:37.000000000 +0300
 
 @@ -342,6 +342,7 @@ extern "C" {
 
   * 'struct ssl_st *' function parameters used to prototype callbacks
 
   * in SSL_CTX. */
 
@@ -193,8 +177,8 @@ diff -upr openssl-0.9.8g.orig/ssl/ssl.h openssl-0.9.8g/ssl/ssl.h
 
  /* Reason codes. */
 
  #define SSL_R_APP_DATA_IN_HANDSHAKE			 100
 
 diff -upr openssl-0.9.8g.orig/ssl/ssl_err.c openssl-0.9.8g/ssl/ssl_err.c
 
---- openssl-0.9.8g.orig/ssl/ssl_err.c	2007-10-11 07:36:59.000000000 -0700
 
-+++ openssl-0.9.8g/ssl/ssl_err.c	2007-11-01 20:08:08.000000000 -0700
 
+--- openssl-0.9.8g.orig/ssl/ssl_err.c	2007-10-11 17:36:59.000000000 +0300
 
++++ openssl-0.9.8g/ssl/ssl_err.c	2008-04-15 17:10:37.000000000 +0300
 
 @@ -250,6 +250,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 
  {ERR_FUNC(SSL_F_TLS1_ENC),	"TLS1_ENC"},
 
  {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK),	"TLS1_SETUP_KEY_BLOCK"},
 
@@ -204,8 +188,8 @@ diff -upr openssl-0.9.8g.orig/ssl/ssl_err.c openssl-0.9.8g/ssl/ssl_err.c
 
  	};
 
  
 diff -upr openssl-0.9.8g.orig/ssl/ssl_sess.c openssl-0.9.8g/ssl/ssl_sess.c
 
---- openssl-0.9.8g.orig/ssl/ssl_sess.c	2007-10-19 00:36:34.000000000 -0700
 
-+++ openssl-0.9.8g/ssl/ssl_sess.c	2007-11-01 20:08:08.000000000 -0700
 
+--- openssl-0.9.8g.orig/ssl/ssl_sess.c	2007-10-19 10:36:34.000000000 +0300
 
++++ openssl-0.9.8g/ssl/ssl_sess.c	2008-04-15 17:10:37.000000000 +0300
 
 @@ -704,6 +704,52 @@ long SSL_CTX_get_timeout(const SSL_CTX *
 
  	return(s->session_timeout);
 
  	}
 
@@ -260,8 +244,8 @@ diff -upr openssl-0.9.8g.orig/ssl/ssl_sess.c openssl-0.9.8g/ssl/ssl_sess.c
 
  	{
 
  	SSL_CTX *ctx;
 
 diff -upr openssl-0.9.8g.orig/ssl/t1_lib.c openssl-0.9.8g/ssl/t1_lib.c
 
---- openssl-0.9.8g.orig/ssl/t1_lib.c	2007-10-19 00:44:10.000000000 -0700
 
-+++ openssl-0.9.8g/ssl/t1_lib.c	2007-11-01 20:08:08.000000000 -0700
 
+--- openssl-0.9.8g.orig/ssl/t1_lib.c	2007-10-19 10:44:10.000000000 +0300
 
++++ openssl-0.9.8g/ssl/t1_lib.c	2008-04-15 17:10:37.000000000 +0300
 
 @@ -105,6 +105,12 @@ int tls1_new(SSL *s)
 
  
  void tls1_free(SSL *s)
 
@@ -318,8 +302,8 @@ diff -upr openssl-0.9.8g.orig/ssl/t1_lib.c openssl-0.9.8g/ssl/t1_lib.c
 
  									ret);
 
  			}
 
 diff -upr openssl-0.9.8g.orig/ssl/tls1.h openssl-0.9.8g/ssl/tls1.h
 
---- openssl-0.9.8g.orig/ssl/tls1.h	2007-08-27 18:12:44.000000000 -0700
 
-+++ openssl-0.9.8g/ssl/tls1.h	2007-11-01 20:08:08.000000000 -0700
 
+--- openssl-0.9.8g.orig/ssl/tls1.h	2007-08-28 04:12:44.000000000 +0300
 
++++ openssl-0.9.8g/ssl/tls1.h	2008-04-15 17:10:37.000000000 +0300
 
 @@ -365,6 +365,14 @@ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SER
 
  #define TLS_MD_MASTER_SECRET_CONST    "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74"  /*master secret*/
 
  #endif
 
@@ -336,8 +320,8 @@ diff -upr openssl-0.9.8g.orig/ssl/tls1.h openssl-0.9.8g/ssl/tls1.h
 
  }
 
  #endif
 
 diff -upr openssl-0.9.8g.orig/util/ssleay.num openssl-0.9.8g/util/ssleay.num
 
---- openssl-0.9.8g.orig/util/ssleay.num	2007-08-12 15:31:16.000000000 -0700
 
-+++ openssl-0.9.8g/util/ssleay.num	2007-11-01 20:08:08.000000000 -0700
 
+--- openssl-0.9.8g.orig/util/ssleay.num	2007-08-13 01:31:16.000000000 +0300
 
++++ openssl-0.9.8g/util/ssleay.num	2008-04-15 17:10:37.000000000 +0300
 
 @@ -241,3 +241,5 @@ SSL_CTX_sess_get_remove_cb              
  SSL_set_SSL_CTX                         290	EXIST::FUNCTION:
 
  SSL_get_servername                      291	EXIST::FUNCTION:TLSEXT

+ 2 - 0
wpa_supplicant/ChangeLog
View File 

@@ -5,6 +5,8 @@ ChangeLog for wpa_supplicant
 
 	* added support for using TNC with EAP-FAST
 
 	* added driver_ps3 for the PS3 Linux wireless driver
 
 	* added support for optional cryptobinding with PEAPv0
 
+	* fixed the OpenSSL patches (0.9.8g and 0.9.9) for EAP-FAST to
 
+	  allow fallback to full handshake if server rejects PAC-Opaque
 
 
 2008-02-22 - v0.6.3
 
 	* removed 'nai' and 'eappsk' network configuration variables that were