IETF Logo Mail Archive

Re: [Emu] WGLC completed for for draft-ietf-emu-eap-tls13-05

Jouni Malinen <j@w1.fi> Fri, 12 July 2019 21:08 UTC

Return-Path: <j@w1.fi>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 069C512030D for <emu@ietfa.amsl.com>; Fri, 12 Jul 2019 14:08:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KlFG1Jd64sDG for <emu@ietfa.amsl.com>; Fri, 12 Jul 2019 14:08:27 -0700 (PDT)
Received: from li674-96.members.linode.com (mail.w1.fi [212.71.239.96]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB2BB1202E0 for <emu@ietf.org>; Fri, 12 Jul 2019 14:08:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by li674-96.members.linode.com (Postfix) with ESMTP id 6702911B4E; Fri, 12 Jul 2019 21:08:23 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at w1.fi
Received: from li674-96.members.linode.com ([127.0.0.1]) by localhost (mail.w1.fi [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H5KecovlH1Rv; Fri, 12 Jul 2019 21:08:21 +0000 (UTC)
Received: by jm (sSMTP sendmail emulation); Sat, 13 Jul 2019 00:08:19 +0300
Date: Sat, 13 Jul 2019 00:08:19 +0300
From: Jouni Malinen <j@w1.fi>
To: Joseph Salowey <joe@salowey.net>
Cc: emu@ietf.org
Message-ID: <20190712210819.GA26853@w1.fi>
References: <CAOgPGoCB7VOzjo+ckDhNiApa6ozCDr3zfj6pMVG3ZRfV4RP6mQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAOgPGoCB7VOzjo+ckDhNiApa6ozCDr3zfj6pMVG3ZRfV4RP6mQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/WA8OREhTsF8JEPvaixGoCwmd1qY>
Subject: Re: [Emu] WGLC completed for for draft-ietf-emu-eap-tls13-05
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2019 21:08:31 -0000

On Wed, Jun 26, 2019 at 09:16:19PM -0700, Joseph Salowey wrote:
> The Working Group last call has completed with no comments for
> draft-ietf-emu-eap-tls13-05.  I would like to confirm that some working
> group members have reviewed the draft.  If you have reviewed the draft
> please respond to this thread.

While the current design may work in theory, the use of an "empty TLS
record" looks problematic from implementation and deployment view point.
That terms itself is quite a bit confusing term since this is not really
talking about an empty TLS record in the EAP-TLS message, but about a
zero length TLSPlaintext structure that gets encrypted into a _non_-zero
length TLSCiphertext structure that gets encoded in the TLS record that
goes over EAP-TLS (and that is not empty since all ciphers add something
to the payload length in practice).

The main problem here is that at least OpenSSL is not willing to send
such an empty TLSPlaintext structure. SSL_write() has following to say
about this:
https://www.openssl.org/docs/man1.1.1/man3/SSL_write.html
"You should not call SSL_write() with num=0, it will return an error.
SSL_write_ex() can be called with num=0, but will not send application
data to the peer."

In other words, there does not seem to be any convenient way of
implementing this with the current version of one of the most commonly
used TLS libraries. I can make this work by sending out a one-octet
(0x00) TLSPlaintext as a workaround, but it does not look like I could
make the implementation comply with the draft without changing the TLS
library which is close to a complete showstopper for quick deployment.

It would seem to make sense to me to allow the EAP-TLS 1.3 server to
send out either an empty plaintext or a one octet plaintext to avoid
this issue in a straightforward manner.

This is referring to the following areas in the draft (-05):

2.1.1.

   In the case where EAP-TLS with mutual authentication is successful,
   the conversation will appear as shown in Figure 1.  The EAP server
   commits to not send any more handshake messages by sending an empty
   TLS record, see Section 2.5.

(that confusing use of "empty TLS record" and "TLS empty record" in the
message exchange figures)


2.5.
   When an EAP server has sent its last handshake message (Finished or a
   Post-Handshake), it commits to not sending any more handshake
   messages by appending an empty application data record (i.e. a TLS
   record with TLSPlaintext.type = application_data and
   TLSPlaintext.length = 0) to the last handshake record.  After sending
   an empty application data record, the EAP server may only send an
   EAP-Success, an EAP-Failure, or an EAP-Request with a TLS Alert
   Message.

(this is where that TLSPlaintext.length = 0 should also allow 1 to make
this easier to implement and deploy)

-- 
Jouni Malinen                                            PGP id EFC895FA

v2.23.0 | Report a Bug | By Email