Re: [TLS] Fwd: Clarification on interleaving app data and handshake records

Hubert Kario <hkario@redhat.com> Sun, 06 December 2015 15:50 UTC

From: Hubert Kario <hkario@redhat.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Sun, 06 Dec 2015 16:50:28 +0100
Message-ID: <2024935.xrVgKcrptC@pintsize.usersys.redhat.com>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4B9B3DA@uxcn10-5.UoA.auckland.ac.nz>
References: <20151015130040.9F1BB1A2EF@ld9781.wdf.sap.corp> <2348468.lpGyMim7ub@pintsize.usersys.redhat.com> <9A043F3CF02CD34C8E74AC1594475C73F4B9B3DA@uxcn10-5.UoA.auckland.ac.nz>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/3LSC-NhES3HEl99K3CJkGMyBsnI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Fwd: Clarification on interleaving app data and handshake records

On Saturday 05 December 2015 23:54:25 Peter Gutmann wrote:
> Hubert Kario <hkario@redhat.com> writes:
> >miTLS does accept Application Data when it is sent between Client
> >Hello and Client Key Exchange and rejects it when it is sent between
> >Change Cipher Spec and Finished.
> 
> Given that miTLS is a formally verified implementation, would this
> imply that there's a problem with the verification?  "Beware of bugs
> in the above code; I have only proved it correct, not tried it"?

This behaviour is dictated by the TLS 1.2 RFC, although partially 
indirectly:
 - the acceptance of application data during subsequent handshakes is 
   explicit
 - the prohibition of application data between CCS and Finished is
   implicit, as it is only stated that the Finished MUST be the next
   message directly following CCS. And since CCS and Finished have
   different content types, that means that the limitation is
   cross-content type, unlike for other handshake messages

So on the face of it, the behaviour of miTLS is correct.

Now, as we've discussed on the OpenSSL bug tracker, this does cause 
problems if we have certificate based client authentication and the TLS 
library returns client authentication data from the *new* handshake while 
it still has not received and processed the Finished message. If that is 
the case, then the attacker may force the server to process messages under 
an authority it still hasn't verified.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
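As an added illustration (not code from this thread, nor from miTLS or OpenSSL), a minimal receiver state machine in Python that enforces the two rules discussed above and only switches the identity it attributes application data to once the Finished of the new handshake has been processed. The content-type and handshake-type numbers are the RFC 5246 values; the record tuples and the certificate name "alice" are constructed sample input.

```python
# Record ordering rules from RFC 5246: Finished MUST directly follow
# ChangeCipherSpec (a cross-content-type rule), while application data is
# permitted during a renegotiation handshake once the first handshake is done.
CHANGE_CIPHER_SPEC, HANDSHAKE, APPLICATION_DATA = 20, 22, 23
CLIENT_HELLO, CERTIFICATE, CLIENT_KEY_EXCHANGE, FINISHED = 1, 11, 16, 20


class UnexpectedMessage(Exception):
    """Fatal alert condition: record arrived in an illegal position."""


class TlsReceiver:
    def __init__(self):
        self.handshake_done = False     # initial handshake completed?
        self.awaiting_finished = False  # CCS seen, only Finished may follow
        self.pending_cert = None        # peer cert of the handshake in progress
        self.verified_cert = None       # identity the application may rely on

    def receive(self, content_type, hs_type=None, body=None):
        # Once CCS arrived, nothing but Finished is legal, regardless of type.
        if self.awaiting_finished and not (content_type == HANDSHAKE and hs_type == FINISHED):
            raise UnexpectedMessage("only Finished may follow ChangeCipherSpec")
        if content_type == APPLICATION_DATA:
            # Allowed during renegotiation, but attributed to the *verified*
            # identity of the previous handshake, never to the pending one.
            if not self.handshake_done:
                raise UnexpectedMessage("application data before first handshake completed")
            return ("app_data", self.verified_cert)
        if content_type == CHANGE_CIPHER_SPEC:
            self.awaiting_finished = True
            return ("ccs", None)
        if content_type == HANDSHAKE:
            if hs_type == CERTIFICATE:
                self.pending_cert = body  # not yet authoritative: Finished still outstanding
                return ("cert_pending", body)
            if hs_type == FINISHED:
                self.awaiting_finished = False
                self.handshake_done = True
                self.verified_cert = self.pending_cert  # new identity becomes authoritative here
                self.pending_cert = None
                return ("finished", self.verified_cert)
            return ("handshake", hs_type)
        raise UnexpectedMessage("unknown content type %d" % content_type)


def run(records):
    """Feed constructed records in order; return what the receiver accepted."""
    rx = TlsReceiver()
    return [rx.receive(*rec) for rec in records]


def rejects(records):
    """True if the sequence is refused with an UnexpectedMessage."""
    try:
        run(records)
    except UnexpectedMessage:
        return True
    return False
```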