Re: [TLS] DTLS Handshake race condition

Michael Tuexen <Michael.Tuexen@lurchi.franken.de> Sun, 11 August 2013 17:15 UTC

Return-Path: <Michael.Tuexen@lurchi.franken.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6940121F9A18 for <tls@ietfa.amsl.com>; Sun, 11 Aug 2013 10:15:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4DzafZF1-2mt for <tls@ietfa.amsl.com>; Sun, 11 Aug 2013 10:15:31 -0700 (PDT)
Received: from mail-n.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) by ietfa.amsl.com (Postfix) with ESMTP id 37FFE11E80E0 for <tls@ietf.org>; Sun, 11 Aug 2013 10:08:54 -0700 (PDT)
Received: from [192.168.1.200] (p508F2769.dip0.t-ipconnect.de [80.143.39.105]) (Authenticated sender: macmic) by mail-n.franken.de (Postfix) with ESMTP id E37F01C0C0692; Sun, 11 Aug 2013 19:08:50 +0200 (CEST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
In-Reply-To: <CAL2p+8QvmiH-L0WYWDdtAirgQ8i_VoaJQUDfNw4dXDZ1xOzq=w@mail.gmail.com>
Date: Sun, 11 Aug 2013 19:08:56 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <1F5455F5-439B-4215-9D92-1FDC2FDFBDE7@lurchi.franken.de>
References: <1CBCCCAF-163A-474B-8DD0-6634460644C1@lurchi.franken.de> <CAL2p+8QvmiH-L0WYWDdtAirgQ8i_VoaJQUDfNw4dXDZ1xOzq=w@mail.gmail.com>
To: Andy Wilson <andrewgwilson@gmail.com>
X-Mailer: Apple Mail (2.1508)
Cc: tls@ietf.org
Subject: Re: [TLS] DTLS Handshake race condition
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Aug 2013 17:15:32 -0000

On Aug 11, 2013, at 4:19 PM, Andy Wilson <andrewgwilson@gmail.com> wrote:

> After looking over the RFC a bit, wouldn't the client be expecting a HelloVerifyRequest after its ClientHello?
I don't think this is necessary, since the client and the server have already
a relation. So there is no need to use the cookie mechanism.

However, the question is the same. In your case
* The server sends a HelloRequest(MsgSeqNo = 0) and starts the retransmission
  timer, since this is a flight.
* The HelloRequest is dropped by the network.
* The client sends a ClientHello(MsgSeqNo = 0) and start a retransmission timer,
  since it is its first flight.
* The server sends a HelloVerifyRequest(MsgSeqNo = 1)
* The client doesn't process the ServerHello, since it expects the
  MsgSeqNo == 0.

Therefore, the server retransmits the flight consisting of the HelloVerifyRequest
and the client retransmits the flight containing the ClientHello.
So the solution would be that the client accepts
* ServerHellos with MsgSeqNo=0 and MsgSeqNo=1.
* HelloVerifyRequest with MsgSeqNo=0 and MsgSeqNo=1.

Am I missing something?

Best regards
Michael
> 
> On 12 August 2013 01:17, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote:
> Dear all,
> 
> while fixing a bug in OpenSSL regarding the DTLS handshake, I thought about
> the following scenario (both sides decide to renegotiate at about the same
> time):
> 
> * A DTLS connection is established.
> * The server sends a HelloRequest(MsgSeqNo = 0) and starts the retransmission
>   timer, since this is a flight.
> * The HelloRequest is dropped by the network.
> * The client sends a ClientHello(MsgSeqNo = 0) and start a retransmission timer,
>   since it is its first flight.
> * The server receives the ClientHello, stops the retransmission timer
>   and sends the next flight starting with ServerHello(MsgSeqNo = 1)
>   since it considers the received ClientHello as an ack for the flight.
> * The client doesn't process the ServerHello, since it expects the
>   MsgSeqNo == 0.
> 
> Therefore the client retransmits its ClientHello and the server retransmits
> its flight containing the ServerHello. Am I missing something?
> 
> The problem is that the server has no way to figure out if the received
> ClientHello is a reaction to a HelloRequest or not.
> The only way out I see is that the client accepts ServerHellos with
> MsgSeqNo=0 and MsgSeqNo=1.
> I don't think this is covered in http://tools.ietf.org/html/rfc6347
> 
> Any opinions?
> 
> Best regards
> Michael
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> 
> 
> 
> -- 
> Regards
> 
> Andy