RFC 5077 ticket key derivation
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Mar 31 19:09:55 CEST 2015
#include <stdint.h>
#include <stddef.h>
#include <talloc.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/sha.h>
/* ERROR() and MEM() are the FreeRADIUS logging and allocation-check macros */

/** Generate a new session ticket key
 *
 * Signs the administrator configured key, using the private key associated with the
 * SSL context, then hashes the signature to get a key of an appropriate length,
 * which is fed to the hmac and encryption contexts for the session ticket.
 *
 * @param out Where to write the derived session ticket key.
 * @param pkey used to create the signature.
 * @param key to be signed using the private key, then hashed.
 * @param keylen length of key to be signed.
 * @return 0 on success, -1 on failure.
 */
static int tls_session_ticket_key(uint8_t out[SHA256_DIGEST_LENGTH], EVP_PKEY *pkey, uint8_t const *key, size_t keylen)
{
	int		ret;
	const EVP_MD	*md = EVP_sha256();
	EVP_MD_CTX	mdctx;
	unsigned int	outlen = 0;
	uint8_t		*sig = NULL;	/* NULL so the error path can free it unconditionally */

	EVP_MD_CTX_init(&mdctx);

	/*
	 *	EVP_SignInit() initialises the digest itself.  Calling
	 *	EVP_DigestInit() first would re-initialise the context
	 *	and leak the digest state allocated by the first call.
	 */
	ret = EVP_SignInit(&mdctx, md);
	if (ret != 1) {
		ERROR("Failed initialising signing context: %s", ERR_error_string(ERR_get_error(), NULL));
		goto error;
	}

	ret = EVP_SignUpdate(&mdctx, key, keylen);
	if (ret != 1) {
		ERROR("Failed signing key: %s", ERR_error_string(ERR_get_error(), NULL));
		goto error;
	}

	/* With a NULL output buffer EVP_SignFinal() only reports the signature length for pkey */
	ret = EVP_SignFinal(&mdctx, NULL, &outlen, pkey);
	if (ret != 1) {
		ERROR("Failed finalising digest signature: %s", ERR_error_string(ERR_get_error(), NULL));
		goto error;
	}

	MEM(sig = talloc_array(NULL, uint8_t, outlen));

	/* EVP_SignFinal() operates on a copy of the context, so it can be called a second time */
	ret = EVP_SignFinal(&mdctx, sig, &outlen, pkey);
	if (ret != 1) {
		ERROR("Failed finalising digest signature: %s", ERR_error_string(ERR_get_error(), NULL));
		goto error;
	}

	/* Reuse the context to hash the signature down to SHA256_DIGEST_LENGTH bytes */
	EVP_MD_CTX_cleanup(&mdctx);
	EVP_MD_CTX_init(&mdctx);

	ret = EVP_DigestInit(&mdctx, md);
	if (ret != 1) {
		ERROR("Failed initialising digest: %s", ERR_error_string(ERR_get_error(), NULL));
		goto error;
	}

	ret = EVP_DigestUpdate(&mdctx, sig, outlen);
	if (ret != 1) {
		ERROR("Failed updating digest: %s", ERR_error_string(ERR_get_error(), NULL));
		goto error;
	}

	/* EVP_DigestFinal() also cleans up the context, whether or not it succeeds */
	ret = EVP_DigestFinal(&mdctx, out, NULL);
	if (ret != 1) {
		ERROR("Failed finalising digest: %s", ERR_error_string(ERR_get_error(), NULL));
		goto error;
	}

	talloc_free(sig);

	return 0;

error:
	talloc_free(sig);	/* talloc_free(NULL) is a no-op */
	EVP_MD_CTX_cleanup(&mdctx);

	return -1;
}
Anyone have opinions on this? The idea is to allow multiple RADIUS servers to calculate the same key
independently without a common store, and to ensure that the derived keys are sufficiently complex,
regardless of what the administrator configures.
There's no standard for this that I've seen, nor is there a situation that I can see where deploying
heterogeneous RADIUS servers in an HA cluster is useful.
RFC5077 recommends periodic key rotations, which is possible, as 'key' is the result of a template
expansion, which could be an xlat, attr ref or exec.
I've confirmed that if an incorrect key is provided via the SSL_CTX_set_tlsext_ticket_key_cb that auth
continues normally as if no ticket had been presented, and a new ticket is generated.
-Arran
Tue Mar 31 05:57:15 2015 : Debug: (5) eap_peap: New session ticket: 0x6e8b68c6803654c78bf7e6db15d7ea00
Tue Mar 31 05:57:15 2015 : Debug: (5) eap_peap: Session ticket key: 0x35
Tue Mar 31 05:57:15 2015 : Debug: (5) eap_peap: Session ticket key (derived): 0x11ab45219b8ebafac633475ac0a9be597055b26a27c4d196ff542fa6834a860b
Tue Mar 31 05:57:15 2015 : Debug: (5) eap_peap: TLS_accept: SSLv3 write session ticket A
Tue Mar 31 05:57:15 2015 : Debug: (13) eap_peap: Got session ticket: 0x6e8b68c6803654c78bf7e6db15d7ea00
Tue Mar 31 05:57:15 2015 : Debug: (13) eap_peap: Session ticket key: 0x3133
Tue Mar 31 05:57:15 2015 : Debug: (13) eap_peap: Session ticket key (derived): 0x9a12beeaf8d3a9ed30d50e065c21e2260a62f9bbabd16616873f3923cb8e90a1
Tue Mar 31 05:57:15 2015 : Debug: (16) eap_peap: New session ticket: 0x6928501f7ea2e7cfddc26da251f6d7f2
Tue Mar 31 05:57:15 2015 : Debug: (16) eap_peap: Session ticket key: 0x3136
Tue Mar 31 05:57:15 2015 : Debug: (16) eap_peap: Session ticket key (derived): 0x5979e02312c1b500bd32f3a5ad785c19e4a9f1d0ba4b4c8083b39252ea216ce9
Tue Mar 31 05:57:15 2015 : Debug: (16) eap_peap: TLS_accept: SSLv3 write session ticket A
Tue Mar 31 05:57:15 2015 : Debug: (24) eap_peap: Got session ticket: 0x6928501f7ea2e7cfddc26da251f6d7f2
Tue Mar 31 05:57:15 2015 : Debug: (24) eap_peap: Session ticket key: 0x3234
Tue Mar 31 05:57:15 2015 : Debug: (24) eap_peap: Session ticket key (derived): 0x31e2bb458f5d9ef76d0a7d63696e3b33d1f57d1e4ef5a3f2f6d880d6135b8b4a
Tue Mar 31 05:57:15 2015 : Debug: (27) eap_peap: New session ticket: 0x62a418806a4c58025628864c5b3a8af0
Tue Mar 31 05:57:15 2015 : Debug: (27) eap_peap: Session ticket key: 0x3237
Tue Mar 31 05:57:15 2015 : Debug: (27) eap_peap: Session ticket key (derived): 0x6c09a944a07cece8fef510427b41041d831f2dd8d8430e9be49e9bb1233ad32f
Tue Mar 31 05:57:15 2015 : Debug: (27) eap_peap: TLS_accept: SSLv3 write session ticket A
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
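As an added example (not FreeRADIUS code and not from the post), the sign-then-hash derivation above modelled in Python using only the standard library. A textbook, unpadded RSA toy key built from two fixed Mersenne primes stands in for EVP_SignFinal with the server's private key; like the PKCS#1 v1.5 signature OpenSSL produces for an RSA key it is deterministic, which is what lets independently running servers arrive at the same ticket key. A second, randomised signer stands in for ECDSA or RSA-PSS, where OpenSSL draws a fresh random value per signature, to show that the scheme breaks for such keys: each server would derive a different ticket key and every resumption would fall back to a full handshake. All key material and the configured keys are constructed; the "5" and "13" mirror the short per-request values seen in the debug log.

```python
"""Model of the sign-then-hash RFC 5077 ticket key derivation (added example).

Not FreeRADIUS code. The RSA toy below is unpadded and uses fixed primes so the
script runs offline; it is a stand-in for EVP_SignFinal with a real private key.
"""
import hashlib
import os

# Constructed toy RSA key: Mersenne primes M127 and M521, no padding, NOT secure.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # modular inverse, Python 3.8+
SIG_LEN = (N.bit_length() + 7) // 8        # signature size in bytes, like outlen


def rsa_sign(data: bytes) -> bytes:
    """Deterministic signature: SHA-256 the data, then the RSA private-key operation.

    Same input and same private key always give the same signature, which is the
    property the derivation relies on (true of OpenSSL's RSA PKCS#1 v1.5 as well).
    """
    m = int.from_bytes(hashlib.sha256(data).digest(), "big")   # 256 bits < N
    return pow(m, D, N).to_bytes(SIG_LEN, "big")


def randomized_sign(data: bytes) -> bytes:
    """Stand-in for a randomised scheme (ECDSA with a random nonce, RSA-PSS).

    A fresh salt enters the signed value, so two signatures over the same data
    differ even with the same private key.
    """
    salt = os.urandom(16)
    m = int.from_bytes(hashlib.sha256(salt + data).digest(), "big")
    return salt + pow(m, D, N).to_bytes(SIG_LEN, "big")


def derive_ticket_key(sign, admin_key: bytes) -> bytes:
    """tls_session_ticket_key() in miniature: sign the administrator's configured
    key, then hash the signature to a fixed 32-byte key for the ticket's HMAC and
    cipher contexts. Output length does not depend on how short admin_key is."""
    return hashlib.sha256(sign(admin_key)).digest()


def servers_agree(sign, admin_key: bytes, n_servers: int = 3) -> bool:
    """Simulate n_servers RADIUS servers sharing the private key and configured
    key but no common store; they agree iff every derivation yields one value."""
    keys = {derive_ticket_key(sign, admin_key) for _ in range(n_servers)}
    return len(keys) == 1


if __name__ == "__main__":
    # "5" and "13" mirror the short per-request keys in the post's debug output
    print("RSA, key '5' :", derive_ticket_key(rsa_sign, b"5").hex())
    print("RSA, key '13':", derive_ticket_key(rsa_sign, b"13").hex())
    print("servers agree (deterministic RSA):", servers_agree(rsa_sign, b"5"))
    print("servers agree (randomised signer):", servers_agree(randomized_sign, b"5"))
```

Rotation falls out of the same function: feeding a period-dependent template value (a date string, for instance) as admin_key gives a new derived key per period on every server at once, with no coordination beyond the shared private key.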