
Merge pull request #196 from chrisburr/fix-tls-1.3-session-tickets
Don't assume that TLS 1.3 returns exactly two session tickets
ellert authored May 20, 2022
2 parents 538dbfd + 175fb4c commit 7ba3e29
Showing 4 changed files with 8 additions and 69 deletions.
1 change: 1 addition & 0 deletions gsi/gss_assist/source/test/gss-assist-auth-test.pl
Expand Up @@ -87,6 +87,7 @@ sub basic_func
close(CLIENT);
close(SERVER);

print $errors;
ok(($errors eq "" && !$expect_failure) || $expect_failure, $test_name)
}

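Review bot: The added `print $errors;` writes to STDOUT, which in a TAP-style test (the `ok(..., $test_name)` call suggests Test::More or similar, though the `use` line is outside the hunk) is the channel the harness parses, so client/server error text can interleave with the `ok`/`not ok` lines. If the intent is to show why a case failed, `diag($errors) if $errors ne "";` keeps it on STDERR and prints nothing on the happy path. basic_func begins before this hunk.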
2 changes: 0 additions & 2 deletions gsi/gssapi/source/library/globus_gsi_gss_constants.h
Expand Up @@ -97,8 +97,6 @@ typedef enum {
*/
typedef enum {
GSS_CON_ST_HANDSHAKE = 0,
GSS_CON_ST_TOKEN1,
GSS_CON_ST_TOKEN2,
GSS_CON_ST_FLAGS,
GSS_CON_ST_REQ,
GSS_CON_ST_CERT,
7 changes: 7 additions & 0 deletions gsi/gssapi/source/library/globus_i_gsi_gss_utils.c
Expand Up @@ -2365,6 +2365,13 @@ globus_i_gsi_gssapi_init_ssl_context(
}
#endif

#if OPENSSL_VERSION_NUMBER >= 0x10101000L
/* When using TLS 1.3 OpenSSL sends two tickets after the handshake is
* complete. As this isn't useful here and can break the gsi authentication
* flow disable them entirely. */
SSL_CTX_set_num_tickets(cred_handle->ssl_context, 0);
#endif

SSL_CTX_set_cert_verify_callback(cred_handle->ssl_context,
globus_gsi_callback_X509_verify_cert,
NULL);
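Review bot: The new comment above the `SSL_CTX_set_num_tickets` call still says OpenSSL "sends two tickets", which is the exact-count assumption the commit title says it drops; OpenSSL's default is two but the count is configurable, so the comment should read `one or more NewSessionTicket messages (two by default in OpenSSL 1.1.1+)`. The comment should also state the scope of the fix: a count of 0 only stops tickets issued by this process's server side (and disables TLS 1.3 session resumption for it, which looks acceptable since the removed client-side state machine never consumed the tickets), whereas a peer that still emits post-handshake tickets is no longer handled anywhere after the deletions in init_sec_context.c — presumably fine only if both ends carry this change, worth confirming. One portability caveat: `OPENSSL_VERSION_NUMBER >= 0x10101000L` is also satisfied by LibreSSL, which reports 0x20000000L, and I believe not every LibreSSL release provides `SSL_CTX_set_num_tickets`; if LibreSSL is a supported build target, guard with `&& !defined(LIBRESSL_VERSION_NUMBER)` or a configure-time check. globus_i_gsi_gssapi_init_ssl_context begins before this hunk.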
67 changes: 0 additions & 67 deletions gsi/gssapi/source/library/init_sec_context.c
Expand Up @@ -54,10 +54,6 @@ GSS_CALLCONV gss_init_sec_context(
OM_uint32 local_major_status;
globus_result_t local_result;
int rc;
#if defined(TLS1_3_VERSION)
unsigned char * tbuf = NULL;
size_t tlen = 0;
#endif
char cbuf[1];
gss_OID actual_mech = GSS_C_NO_OID;
globus_gsi_cert_utils_cert_type_t cert_type;
Expand Down Expand Up @@ -368,69 +364,6 @@ GSS_CALLCONV gss_init_sec_context(
}
# if LINK_WITH_INTERNAL_OPENSSL_API
context->ret_flags |= GSS_C_TRANS_FLAG;
# endif

/*
* TLS v1.3 sends 2 session tokens after the handshake is completed.
* If we are using a token source that sends one SSL token at a time
* (e.g. the file based token source in globus-gss-assist)
* these session tokens will not be seen by BIO_do_handshake before
* the handshake is completed.
* We need to recieve them before continuing with the GSI proxy.
*/

# if defined(TLS1_3_VERSION)
if (SSL_version(context->gss_ssl) >= TLS1_3_VERSION)
{
// Compute the length of the first token in the last input
// If it matches the total length we are using a token source
// that only provide single tokens.
tbuf = input_token->value;
tlen = ((unsigned int)tbuf[3] << 8) + (unsigned int)tbuf[4];
if (input_token->length == tlen + 5) {
context->gss_state = GSS_CON_ST_TOKEN1;
break;
}
}

goto flags;

case(GSS_CON_ST_TOKEN1):

tbuf = input_token->value;
tlen = ((unsigned int)tbuf[3] << 8) + (unsigned int)tbuf[4];

if (input_token->length != tlen + 5)
{
major_status = GSS_S_UNAUTHORIZED;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_TOKEN_FAIL,
(_GGSL("Failed identifying TLS session token 1")));
context->gss_state = GSS_CON_ST_DONE;
break;
}
context->gss_state = GSS_CON_ST_TOKEN2;
break;

case(GSS_CON_ST_TOKEN2):

tbuf = input_token->value;
tlen = ((unsigned int)tbuf[3] << 8) + (unsigned int)tbuf[4];

if (input_token->length != tlen + 5)
{
major_status = GSS_S_UNAUTHORIZED;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_TOKEN_FAIL,
(_GGSL("Failed identifying TLS session token 2")));
context->gss_state = GSS_CON_ST_DONE;
break;
}

flags:

# endif

/*
