IETF Logo Mail Archive

Re: [TLS] TLS grammar checker?

mrex@sap.com (Martin Rex) Fri, 21 June 2013 23:33 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF82621F9E5C for <tls@ietfa.amsl.com>; Fri, 21 Jun 2013 16:33:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.469
X-Spam-Level:
X-Spam-Status: No, score=-9.469 tagged_above=-999 required=5 tests=[AWL=0.029, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8, SARE_OBFU_ALL=0.751]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NNifupzYs8wg for <tls@ietfa.amsl.com>; Fri, 21 Jun 2013 16:33:34 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 03FB721F9D1E for <tls@ietf.org>; Fri, 21 Jun 2013 16:33:32 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r5LNXQDJ019794 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 22 Jun 2013 01:33:26 +0200 (MEST)
In-Reply-To: <CAK3OfOj82obkjVipLxsn_yfwA_YnT-J1n0orJj9p00X5s3v26g@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Date: Sat, 22 Jun 2013 01:33:25 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130621233326.03E831A842@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS grammar checker?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jun 2013 23:33:38 -0000

Nico Williams wrote:
> On Tue, Jun 18, 2013 at 7:05 PM, Bill Frantz <frantz@pwpconsult.com> wrote:
> > uri@ll.mit.edu (Blumenthal, Uri - 0558 - MITLL) wrote:
> >>
> >> Having written my share of ASN.1 stuff (including parser/encoder with no
> >> known vulnerabilities :), I agree with Nico's assessment of ASN.1.
> >
> > No known vulnerabilities is a good start. Unfortunately a lot of software is
> > released with no know vulnerabilities but doesn't hold up under attack. It
> > is nice to hear of software that has survived attack with no known
> > vulnerabilities.
> 
> Automatic tooling is a better start.  I.e., ASN.1, XDR, IDL, ... compilers.
> 
> Ad-hoc syntaxes don't lend themselves to automatic tooling, so they
> tend to result in lots of error-prone hand-coding.

Syntax that is so complicated that it needs tooling is a problem by itself.
ASN.1 is squarely part of the problem space, not part of the solution space.

If you believe you can parse or encode X.509/PKIX just by using an
ASN.1 compiler tooling, then you probably have never even looked
at X.509/PKIX.  The devil is in the comments sprinkeled all over the
place where you have to tweak the compiler output in so many ways and
so many places that writing everything by yourself becomes quite a
viable alternative, and one that is free of hidden eastereggs.

While there exist a canonical ASN.1 DER encoding, decoding and re-encoding
Certificates and CRLs may often result in digital signature verification
failures.

Dealing e.g. with the Version field of CRLs in particularly entertaining:

   TBSCertList  ::=  SEQUENCE  {
        version                 Version OPTIONAL,
                                     -- if present, MUST be v2


Look at what rfc5280 says about the CRL version field:

 http://tools.ietf.org/html/rfc5280#section-5.1.2.1

   5.1.2.1. Version

   This optional field describes the version of the encoded CRL.  When
   extensions are used, as required by this profile, this field MUST be
   present and MUST specify version 2 (the integer value is 1).

and then check the real world what today's CRLs look like:

 o The CRL from the CRL-DP of the Google Internet Authority
   (the CA that signs Google's Server certs, including https://www.google.com)
   http://crl.geotrust.com/crls/secureca.crl

   no Version field (and no CRL extensions)

 o The CRL from the CRL-DP of the VeriSign Class3 EV SSL SGC CA
   (the CA that signed https://www.verisign.com/)

   http://EVSecure-crl.verisign.com/pca3-g5.crl

   no Version field (and no CRL extensions)

 o The CRL from the CRL-DP of the Godaddy Secure CA
   (the CA that signed https://www.godaddy.com/)

   http://certificates.godaddy.com/repository/gdroot.crl

   no Version field (and no CRL extensions)


Now the question for the implementor what to accept:

  1) reject (=soft fail and ignore) all three CRLs above ?
  2) reject all CRLs that have an explicit Version v1 (0) ?
  3) reject all CRLs that have no Version field,
     but non-critical CRL extensions (this is explicitly allowed by X.509!!)

ASN.1 is more than enough rope to hang yourself, and a number of existing
specs that use ASN.1, hang themselves in more than one place.


-Martin

v2.23.0 | Report a Bug | By Email