OpenSSL and EAP-FAST (ClientHello ext and no certificates)


OpenSSL and EAP-FAST (ClientHello ext and no certificates)

Jouni Malinen
EAP-FAST has some additional requirements for TLS that do not seem to be
currently supported in OpenSSL. EAP-FAST uses a ClientHello extension (RFC
3546, Section 3.1) and it does not use certificates in the TLS handshake;
instead, the TLS pre-master secret is set based on the PAC-Key (shared secret
from EAP-FAST provisioning).

I have made a proof-of-concept type of patch for OpenSSL to allow
testing EAP-FAST implementation in wpa_supplicant. This seems to be
enough to make EAP-FAST interoperate with Cisco ACS. However, the
changes to OpenSSL are not very clean and may very well be completely
incorrect. Consequently, I would be interested in finding out whether
someone with a better understanding of OpenSSL than I have would be
interested in commenting on the changes, or even better, in actually making
such changes to the OpenSSL distribution.

I've attached the patch file showing the changes I needed to get
EAP-FAST authentication completed. This adds a simple way of adding
ClientHello extensions (RFC 3546, Section 3.1). More generic support for
TLS extensions would of course be ok for this, too. The rest of the patch is
a very quick hack to allow the TLS handshake to be completed without
certificates; I just changed a number of functions to skip certificate
request and validation during the handshake. This is clearly not
suitable to be applied as-is, but I hope it would be enough to generate
some comments on how this should be done correctly.

--
Jouni Malinen                                            PGP id EFC895FA

Attachment: openssl-tls-extensions.patch (5K)

RE: OpenSSL and EAP-FAST (ClientHello ext and no certificates)

Alexey Kobozev

Hi Jouni!

I've checked your patch and it seems like you're not fully aware of what is
actually needed to support EAP-FAST in OpenSSL. There are actually
two things:
1. TLS client hello extension support
2. Ability to perform the TLS session resume based on externally
negotiated pre-shared key material.

There are two phases in EAP-FAST: PAC provisioning and authentication.
PAC provisioning requires anonymous Diffie-Hellman TLS handshake, which doesn't
involve certificates. This feature doesn't require any code change in OpenSSL.
The authentication phase involves use of TLS client hello extension and
TLS session resume based on pre-shared secret extracted from PAC received
in client hello extension.

Attached is the patch made for OpenSSL 0.9.8 beta 2, which includes the
following modifications and updates for both server and client:

- Client can attach additional data (PAC) to client hello using the newly added
SSL_set_hello_extension() function.

- Server can process the client hello extension by registering the extension handler
callback using the SSL_set_hello_extension_cb() function (this callback can decrypt
the PAC and extract the pre-shared secret from it).

- Client and server can register the callback, which will be called while creating
TLS session. This callback provides the pre-shared secret for TLS session.
This callback has cipher suites input and output parameters, which can be used
to affect the cipher suite choice.

Basically my patch isn't done to explicitly support EAP-FAST protocol, but all the
things needed to support it are in there.

I can provide some examples of using this newly added functionality on request.

P.S. I'd like this patch (with some modifications maybe) to be considered for committing
it to current or future versions of OpenSSL.

Comments/questions/etc. are welcome.

Thanks!
Best regards,
Alexey


> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Jouni Malinen
> Sent: Monday, May 23, 2005 7:51 PM
> To: [hidden email]
> Subject: OpenSSL and EAP-FAST (ClientHello ext and no certificates)

[skip]

Attachment: openssl-0.9.8-beta2.patch.zip (5K)

Re: OpenSSL and EAP-FAST (ClientHello ext and no certificates)

Jouni Malinen
On Tue, Jun 07, 2005 at 03:40:58PM +0300, Alexey Kobozev wrote:

> I've checked your patch and it seems like you're not fully aware of what is
> actually needed to support EAP-FAST in OpenSSL. There are actually
> two things:
> 1. TLS client hello extension support
> 2. Ability to perform the TLS session resume based on externally
> negotiated pre-shared key material.

Unfortunately, I missed your email to the mailing list and it took this
long to finally notice it.

I was doing the same part of copying s->session->master_key, but not as
a callback. This made me miss the part of setting s->hit and having to
workaround the other parts of the message processing. Your patch was
quite helpful in understanding how this can be done properly.

> Attached is the patch made for OpenSSL 0.9.8 beta 2, which includes the
> following modifications and updates for both server and client:
>
> - Client can attach additional data (PAC) to client hello using the newly added
> SSL_set_hello_extension() function.

This worked nicely and is certainly a more generic way of doing this than
the quick test version I was using.

> - Client and server can register the callback, which will be called while creating
> TLS session. This callback provides the pre-shared secret for TLS session.
> This callback has cipher suites input and output parameters, which can be used
> to affect the cipher suite choice.

I needed to modify this part a bit to get EAP-FAST working. First, I was
triggering a segfault since my callback function did not set pref_cipher
to NULL and the variable happened to get a non-NULL value. I changed your
code for the client case to set pref_cipher=NULL before calling the
callback. Actually, this was already done in the server case.

After this, I was hitting a problem where the server was setting the Session
ID length to zero and s->hit was cleared immediately after having been
set after a successful tls_session_secret_cb call. ssl3_get_server_hello()
seems to require that the Session ID length is non-zero (j != 0 after
the tls_session_secret_cb). I don't know whether the EAP server was
supposed to set this to non-zero, but at least it did not seem to do
this in my tests, so I added some more code to allow s->hit to be set
even if the Session ID length is zero, as long as tls_session_secret_cb
completed successfully. This allowed me to complete EAP-FAST
authentication. I changed wpa_supplicant to use this patch.

> P.S. I'd like this patch (with some modifications maybe) to be considered for committing
> it to current or future versions of OpenSSL.

I'd second this. The attached patch is a combination of your separate
t1_ext.c file and the other changes with the small modifications
mentioned above. This is against OpenSSL 0.9.8 beta 6.

--
Jouni Malinen                                            PGP id EFC895FA

Attachment: openssl-098b6-ext.patch (15K)

RE: OpenSSL and EAP-FAST (ClientHello ext and no certificates)

Alexey Kobozev
 
Hi Jouni,

That's great. So now we have a fixed, working and verified patch that can
be proposed as a contribution to OpenSSL.

Do you know what needs to be done to put this patch forward for
consideration as a part of OpenSSL?

Thanks!

[skip]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

Re: OpenSSL and EAP-FAST (ClientHello ext and no certificates)

Jouni Malinen
On Mon, Jul 04, 2005 at 11:39:26AM +0300, Alexey Kobozev wrote:

> That's great. So now we have a fixed, working and verified patch that can
> be proposed as a contribution to OpenSSL.

One additional change makes the features easier to use: allow the extension
to be removed. The attached patch does this for the case where ext_data
for SSL_set_hello_extension() is NULL. In addition, this is diffed
against 0.9.8, not a beta version.

> Do you know what needs to be done to put this patch forward for
> consideration as a part of OpenSSL?

The README file has information on how to contribute to OpenSSL. If you are
outside the US, it looks like the only missing part would be adding the
string "[PATCH]" to the subject line when sending the patch to this
mailing list.

--
Jouni Malinen                                            PGP id EFC895FA

Attachment: openssl-098-ext.patch (14K)
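The thread describes three mechanisms without showing code for any of them: the RFC 3546 ClientHello extension block that SSL_set_hello_extension() appends (and that a NULL ext_data removes), the server-side callback that turns PAC data from that extension into the session secret and marks the handshake as a resume (s->hit), and the zero-length Session ID corner case that cleared s->hit again before Jouni's fix. The following Python is an added example written for this page, not code from either patch or from OpenSSL; it is written in Python rather than C so that it runs without an OpenSSL build. The extension type number 35, the PAC store, the randoms and the HMAC-based secret derivation are constructed placeholders (the real EAP-FAST key derivation is not described in the thread and is not reproduced here). The generic parser also enforces the length checks a hello parser must make before handing extension bytes to any callback, which the thread does not discuss.

```python
"""Model of the EAP-FAST pieces discussed on the list: RFC 3546 ClientHello
extension encoding/decoding and a resume decision driven by an external
session-secret callback. Added example; not code from the patches."""
import hashlib
import hmac
import struct

# Placeholder extension type: the thread never names the number the patch
# used. 35 is used here only so the bytes are concrete.
HELLO_EXT_TYPE = 35

# Constructed PAC store: opaque PAC bytes carried in the hello -> PAC-Key.
PAC_STORE = {b"pac-opaque-1": b"K" * 32}


def encode_extensions(exts):
    """RFC 3546 extensions block: 2-byte total length, then per extension a
    2-byte type, 2-byte length and the data bytes."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    if len(body) > 0xFFFF:
        raise ValueError("extensions block too large")
    return struct.pack("!H", len(body)) + body


def decode_extensions(blob):
    """Parse an extensions block, rejecting truncation and overruns. These
    checks must run before any extension data reaches a handler callback."""
    if len(blob) < 2:
        raise ValueError("missing extensions length")
    (total,) = struct.unpack("!H", blob[:2])
    if len(blob) != 2 + total:
        raise ValueError("extensions length does not match data")
    exts, pos, end = [], 2, 2 + total
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        if pos + ext_len > end:
            raise ValueError("extension data overruns block")
        exts.append((ext_type, blob[pos:pos + ext_len]))
        pos += ext_len
    return exts


def client_hello_extensions(ext_data):
    """Client side of SSL_set_hello_extension(): ext_data=None means the
    extension is removed and an empty extensions block is sent."""
    exts = [] if ext_data is None else [(HELLO_EXT_TYPE, ext_data)]
    return encode_extensions(exts)


def derive_master_secret(pac_key, client_random, server_random):
    """Constructed stand-in for deriving the TLS secret from the PAC-Key."""
    return hmac.new(pac_key, client_random + server_random,
                    hashlib.sha256).digest()


def session_secret_cb(pac_opaque, client_random, server_random):
    """Plays the registered tls_session_secret_cb role: returns the secret
    for a known PAC, or None, which must mean 'no resume, full handshake'."""
    pac_key = PAC_STORE.get(pac_opaque)
    if pac_key is None:
        return None
    return derive_master_secret(pac_key, client_random, server_random)


class Session:
    """The fields of s / s->session that the thread talks about."""
    def __init__(self, session_id):
        self.session_id = session_id
        self.master_key = None
        self.hit = False          # True when the handshake is a resume
        self.pref_cipher = None   # initialised to NULL before the callback


def server_hello_decision(hello_ext_blob, session_id, client_random,
                          server_random, require_session_id=False):
    """Resume decision. With require_session_id=True this reproduces the
    pre-patch behaviour Jouni hit: a successful callback is ignored when
    the Session ID length is zero. The patched behaviour (default) sets
    hit whenever the callback succeeds."""
    s = Session(session_id)
    pac = dict(decode_extensions(hello_ext_blob)).get(HELLO_EXT_TYPE)
    if pac is None:
        return s  # no extension: ordinary full handshake
    s.pref_cipher = None
    secret = session_secret_cb(pac, client_random, server_random)
    if secret is None:
        return s  # unknown PAC: fall back to a full handshake
    if require_session_id and len(session_id) == 0:
        return s  # hit cleared again, as observed before the fix
    s.master_key = secret
    s.hit = True
    return s


if __name__ == "__main__":
    cr, sr = b"c" * 32, b"s" * 32
    hello = client_hello_extensions(b"pac-opaque-1")
    print(hello.hex())
    print("resume:", server_hello_decision(hello, b"", cr, sr).hit)
```

Running the module prints the encoded extension block and shows the resume succeeding with an empty Session ID; passing require_session_id=True to server_hello_decision reproduces the failure described above.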

RE: OpenSSL and EAP-FAST (ClientHello ext and no certificates)

Alexey Kobozev

Hi Jouni!

I'll send the patch with explanations a bit later.
Thanks for your time and information.

> -----Original Message-----
> From: Jouni Malinen [mailto:[hidden email]] On Behalf Of Jouni Malinen
> Sent: Wednesday, July 20, 2005 6:38 AM
> To: Alexey Kobozev
> Cc: [hidden email]
> Subject: Re: OpenSSL and EAP-FAST (ClientHello ext and no
> certificates)
>
> On Mon, Jul 04, 2005 at 11:39:26AM +0300, Alexey Kobozev wrote:
>
> > That's great. So now we have fixed, working and verified patch that
> > can be proposed as contribution to OpenSSL.
>
> One additional change makes the features easier to use: allow
> extension to be removed. The attached patch does this for the
> case where ext_data for SSL_set_hello_extension() is NULL. In
> addition, this is diffed against 0.9.8, not a beta version.
>
> > Do you know what needs to be done to put this patch for
> consideration
> > of making it to be a part of OpenSSL?
>
> README file has information on how to contribute to OpenSSL.
> If you are outside US, it looks like the only missing part
> would be in adding string "[PATCH]" to the subject line when
> sending the patch to this mailing list.
>
> --
> Jouni Malinen                                            PGP
> id EFC895FA
>