[quicwg/base-drafts] Handshake failure after Retry (#1784)

Tatsuhiro Tsujikawa <notifications@github.com> Fri, 21 September 2018 14:29 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/3dTdTIVCh3ugvDlFxyC6IGz6nyc>

I found that there is a corner case in which the handshake fails after Retry.
The current specification allows the server not to change its SCID in the Retry packet. In other words, the server is allowed to set the client-chosen CID in the SCID field of the Retry packet.
The spec also allows the client to create a fresh TLS context each time it receives a Retry packet.
If both are used, there is a case in which the handshake fails after the Retry packet.
Here is a possible scenario.

1. client sends Initial to server with TLS context T0: Initial SCID=A DCID=B
2. client resends Initial to server with TLS context T0: Initial SCID=A DCID=B
3. client receives Retry from server: Retry SCID=B DCID=A ODCID=B
4. in response to Retry(3), client sends Initial to server with TLS context T1: Initial SCID=A DCID=B
5. client receives Retry from server (in response to client Initial(2)): Retry SCID=B DCID=A ODCID=B
6. in response to Retry(5), client sends Initial to server with TLS context T2: Initial SCID=A DCID=B
7. client receives Initial from server (in response to client Initial(4), thus using TLS context T1): Initial SCID=C DCID=A
8. client receives Handshake from server (which uses TLS context T1): Handshake SCID=C DCID=A

The client cannot decrypt the Handshake packet from the server because the client uses TLS context T2 while the server uses TLS context T1.

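The eight-step race reported above, replayed as a toy state model. This is an added example, not code from the post or from the QUIC drafts; no real QUIC or TLS is involved. The names `Client`, `server_retry` and `run` and the CIDs `R1`/`R2` are constructed, and the second case (the server picks a new SCID for each Retry) goes beyond the post as a contrast, to show why reusing the client-chosen CID is what lets the stale Retry through.

```python
# Toy model of the Retry race; packets are dicts, TLS contexts are integers.
from dataclasses import dataclass

@dataclass
class Client:
    scid: str = "A"
    dcid: str = "B"      # DCID of the most recent Initial
    tls: int = 0         # index n of the current TLS context Tn

    def initial(self):
        # An Initial carries the ClientHello of the current TLS context.
        return {"scid": self.scid, "dcid": self.dcid, "tls": self.tls}

    def on_retry(self, retry):
        # Accept only if ODCID matches the DCID we last sent, else drop.
        if retry["odcid"] != self.dcid:
            return None
        self.dcid = retry["scid"]
        self.tls += 1    # fresh TLS context per Retry, as the spec allows
        return self.initial()

def server_retry(initial, new_scid=None):
    # new_scid=None: server reuses the client-chosen CID as Retry SCID.
    return {"scid": new_scid or initial["dcid"], "dcid": initial["scid"],
            "odcid": initial["dcid"]}

def run(fresh_retry_scid):
    c = Client()
    i1 = c.initial()                       # step 1 (T0)
    i2 = c.initial()                       # step 2, retransmission (T0)
    r3 = server_retry(i1, "R1" if fresh_retry_scid else None)
    i4 = c.on_retry(r3)                    # steps 3-4 (T1)
    r5 = server_retry(i2, "R2" if fresh_retry_scid else None)
    i6 = c.on_retry(r5)                    # steps 5-6 (T2), or dropped
    server_tls = i4["tls"]                 # steps 7-8: server answers Initial(4)
    return {"stale_retry_accepted": i6 is not None,
            "client_tls": c.tls, "server_tls": server_tls,
            "handshake_decryptable": c.tls == server_tls}

if __name__ == "__main__":
    print("same SCID :", run(False))
    print("fresh SCID:", run(True))
```

With the same SCID the client ends on T2 while the server's Handshake is bound to T1; with a fresh SCID per Retry the second Retry fails the ODCID check and both sides stay on T1.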