[TLS] Allow KeyShare in HelloRetry if not advertised in ClientHello?

Roelof Du Toit <Roelof_Dutoit@symantec.com> Tue, 07 March 2017 17:44 UTC

Return-Path: <Roelof_Dutoit@symantec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D0C71295BF for <tls@ietfa.amsl.com>; Tue, 7 Mar 2017 09:44:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=symc.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sqjIFba0IxYx for <tls@ietfa.amsl.com>; Tue, 7 Mar 2017 09:44:43 -0800 (PST)
Received: from asbsmtoutape01.symantec.com (asbsmtoutape01.symantec.com [155.64.138.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B74B91295D0 for <tls@ietf.org>; Tue, 7 Mar 2017 09:44:43 -0800 (PST)
Received: from asbsmtmtaapi02.symc.symantec.com (asb1-f5-symc-ext-prd-snat4.net.symantec.com [10.90.75.4]) by asbsmtoutape01.symantec.com (Symantec Messaging Gateway) with SMTP id 2B.FA.36325.A81FEB85; Tue, 7 Mar 2017 17:44:42 +0000 (GMT)
X-AuditID: 0a5af819-428639a000008de5-36-58bef18a45a5
Received: from TUSXCHMBXWPI02.SYMC.SYMANTEC.COM (asb1-f5-symc-ext-prd-snat5.net.symantec.com [10.90.75.5]) by asbsmtmtaapi02.symc.symantec.com (Symantec Messaging Gateway) with SMTP id 3B.CF.09705.981FEB85; Tue, 7 Mar 2017 17:44:42 +0000 (GMT)
Received: from TUSXCHMBXWPI02.SYMC.SYMANTEC.COM (10.44.91.34) by TUSXCHMBXWPI02.SYMC.SYMANTEC.COM (10.44.91.34) with Microsoft SMTP Server (TLS) id 15.0.1236.3; Tue, 7 Mar 2017 09:44:40 -0800
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (10.44.128.10) by TUSXCHMBXWPI02.SYMC.SYMANTEC.COM (10.44.91.34) with Microsoft SMTP Server (TLS) id 15.0.1236.3 via Frontend Transport; Tue, 7 Mar 2017 09:44:40 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=symc.onmicrosoft.com; s=selector1-symantec-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=XF1VuAu2tQUfFP5niE8EMkS2jCq5S1d4blq4oVIFoIE=; b=3i2q8mkkyryuWA4i3eTjODe7yfFs95zVE454E6x/fsHEVyiRQNVEZOwnoTJe3nD3e+xMI4nKjSBdlI89Uatwny5OYrWxH2ZM8PhHLQXzLyZrDMFiDPTjc96eEOrafQd7lKd00/Q00lYBjcHnkWAXfsse7KXmHCODT1z0v4/BdKU=
Received: from DM5PR16MB1834.namprd16.prod.outlook.com (10.172.45.9) by DM5PR16MB1835.namprd16.prod.outlook.com (10.172.45.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.12; Tue, 7 Mar 2017 17:44:39 +0000
Received: from DM5PR16MB1834.namprd16.prod.outlook.com ([10.172.45.9]) by DM5PR16MB1834.namprd16.prod.outlook.com ([10.172.45.9]) with mapi id 15.01.0947.020; Tue, 7 Mar 2017 17:44:39 +0000
From: Roelof Du Toit <Roelof_Dutoit@symantec.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: Allow KeyShare in HelloRetry if not advertised in ClientHello?
Thread-Index: AQHSl2p+vyKS4/mfNkq7sGwa67WGLQ==
Date: Tue, 7 Mar 2017 17:44:39 +0000
Message-ID: <B6B302EF-6836-4E50-B916-D9260C16D25B@symantec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=symantec.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [72.23.5.194]
x-ms-office365-filtering-correlation-id: a7f9d290-fa56-490a-f2b9-08d46581a123
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:DM5PR16MB1835;
x-microsoft-exchange-diagnostics: 1; DM5PR16MB1835; 7:9bs5uCwGQvUbFctV/4yk9T/4G+lnVw+u0c+C6EuYG6SQ2Fh7Vd6mSk0UoUOLBKdpvNMKxcMhwGmL4ty6gN+nTN8pWIG1k5zAflVRPLH4zeeHijnyoLn4/ds4H8SJ4QNpaDPZtBNVgeZi453oStYYpDq4fxa4YcgvO0tp4VovyumeuPOS6bG42vHQ/o6gObxhWaWlWKhkR/dsc6SEtMXgESrwfOPkDx1W7HJ4RDDaOtEYikeyoZ0lU4kwPDzuX9lm+D5yE0VNwMNiur7ffS+jb8GNyS36bLgRT9Fy5yJq38OItzrvGR/Udg2g2Jrq2Zpbb3ru+rFw5ZieWj6a5r+W1Q==
x-microsoft-antispam-prvs: <DM5PR16MB1835962C52EED57A49FD4AF8FA2F0@DM5PR16MB1835.namprd16.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6041248)(20161123562025)(20161123558025)(20161123564025)(20161123555025)(20161123560025)(6072148); SRVR:DM5PR16MB1835; BCL:0; PCL:0; RULEID:; SRVR:DM5PR16MB1835;
x-forefront-prvs: 0239D46DB6
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(7916002)(39450400003)(3846002)(2900100001)(80792005)(189998001)(5660300001)(102836003)(36756003)(6116002)(25786008)(2351001)(7906003)(5640700003)(7736002)(83716003)(1730700003)(66066001)(122556002)(86362001)(81166006)(6916009)(8936002)(3280700002)(82746002)(2906002)(33656002)(2501003)(50986999)(236005)(8676002)(54356999)(10290500002)(54896002)(6512007)(6306002)(3660700001)(6506006)(6436002)(606005)(38730400002)(110136004)(6486002)(77096006)(106116001)(99286003)(53936002)(104396002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR16MB1835; H:DM5PR16MB1834.namprd16.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_B6B302EF68364E50B916D9260C16D25Bsymanteccom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Mar 2017 17:44:39.3350 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 3b217a9b-6c58-428b-b022-5ad741ce2016
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR16MB1835
X-OriginatorOrg: symantec.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02SbUhTURjHO/fezetocZorH02YzpLMd+qDRGhv0Ewloz7YIOo2bynOF7Zp GhKzWbRZS0Sk1FLXMpRM6EVNhrpZkYqspDLFqNRGJfiSpO5D2bx3gl8Ov+f5/87heeDQpKRT EEhn5epYTS6jlgtFlEiZTEWZ5rvTY2+6/OJ/O01oP1JYrW4iDSlF+zJYdVYhq4lJOCvKvD7Z ROZXHi6yNhsoPao9aEK+NOA9UGe4LzQhES3B8wiutI8L1oKJ0UbEB4sIjE6Xt+hDMPO2keCL Hwj6+xq4hMJGEqZ73Nx9Ca4kYKosiLfsCGbLrnGBEMeBu7eSYykOgc4P5T6r7IePQGnrsLef AtUPbATP0TAwa+YcCm+H+qUqtMpinAgPlwY5RngrLA084nwS+8PYVD3BL4HBanOSPG+Bn5P/ BKsDIVyO4LmtB/FBJAyNTHlZBl++D3o5FcYdr4g1Xhia53YGfIOEjr/NXikbzPp+LydDx8AI xUs1BNjH33nGpj1FELxw7+b7ZgEsTI4R/MqB8Pm9EVWgiJp1k/Osgp7aUUENt+lm6L8zRdV4 niJxOLR1xfBKCFSVf/PheSdcrbvrZQX8utcuXO80ILoFBTPac9ocXV6BjslnY+OitcU5qtWD 8fwmVbQqL+cJ4v7TckAnevkmxYEwjeQbxVkT3ekSAVPoMR0IaFIuFYcOe1riDKb4EqvJO6Mp ULNaB9pGU3J/8YyrNV2CLzA6Nptl81nNWkrQvoF6lKjIVofrHg/K6Tl7hcveYj8WWVqCcm2G oltdCfoyfGiDTUx+XPEPm1tsLZYc7TWFyioDL7c9zVHInITrpNBwu+H88TTLnxMQ4bIkvn52 Sr9DxibttUVJM0v0qQHxkk/SsAOnzZv8VIYJi9JiXEmunk5aDnZfHC1sGlN+DZFT2kwmbhep 0TL/AcQGG79LAwAA
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprDKsWRmVeSWpSXmKPExsXCFeXNqtv1cV+EwY153BafzncxOjB6LFny kymAMYrLJiU1J7MstUjfLoEro+PxMuaCSS4VS1Y2szQwznbqYuTkkBAwkXh0cyFjFyMXh5DA N0aJzvPPoJzDjBLvLixkgnBeMEqcPLwALMMi0Mks8Xr/T1aQfiGBSUwST1pkIKoOMkq8b2kD S7AJGEr8PDAJzBYRUJTYcbWbHcQWFnCXaFx7CSruIzFt6R4mCFtP4tT7PrAaFgEVifnfpzCC 2LwC9hLLv58GsxkFxCS+n1oDVs8sIC5x68l8JognBCSW7DnPDGGLSrx8/I8V5CBGgW5Gia17 9jNCJHQkzl5/AmXLS9x/ehrK9pW4c+goE4z9+exHsJ8lBHqYJbb/XQlVlC3R13ASyvaW2H7q OgtE0SwmiYN3LgKdzQHkyEjs/GkMEe9jlfj8+BYTxMtSEnevdDJC2DISL+7sZYV4IVli/+yb rBMY1Wch+WgWktQscAgISpyc+YRlFtAKZgFNifW79CFKFCWmdD9kh7A1JFrnzIWyPSRezdvG hqxmASPHKkaFxOKk4tyS3JLExIJMAyO94srcZBCRCExMyXrJ+bmbGMHJ6bf4DsZzf3wOMQpw MCrx8G64uy9CiDWxDKjyEKM0B4uSOO8Nw00RQgLpiSWp2ampBalF8UWlOanFhxiZODilGhh1 rrWt67yXIbaWm9upQOla7o1yfXbR0G0uqcbNClWM3doBfd1ewvonp07++zBkW3rzBRfZ1k1r XD6J/X0uKHtpt42s9c+8lP+z/aKvH+h6UJ6wr2f9fc6st4H9yTlv6zzZbhqqcQX4l86MOVD0 dY5fjmHB06fSp5LTN/iwsCoJpFUfj29Zp8RSnJFoqMVcVJwIACD8skAvAwAA
X-CFilter-Loop: ASB03
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8MaVuArweTg2XHd7O0LhLotkPPE>
Subject: [TLS] Allow KeyShare in HelloRetry if not advertised in ClientHello?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 17:44:50 -0000

All,

The current language in https://tlswg.github.io/tls13-spec/#rfc.section.4.1.4 states:
As with ServerHello, a HelloRetryRequest MUST NOT contain any extensions that were not first offered by the client in its ClientHello, with the exception of optionally the “cookie” (see Section 4.2.2<https://tlswg.github.io/tls13-spec/#cookie>) extension.

I am analyzing the following message flow:
ClientHello
+ early_data
+ psk_key_exchange_modes = psk_ke
+ pre_shared_key --------->
(Early Data) ---------> *reject*
<--------- HelloRetryRequest (not allowed to add key_share)
ClientHello
+ supported_groups
+ key_share ---------> *not supported*

At that point in the flow the server is not allowed to send another HelloRetryRequest.  To avoid that the client would need some hints in the HelloRetryRequest.
Would it be possible to allow an exception to send key_share and/or supported_groups in a HelloRetryRequest if not offered in ClientHello?

Roelof du Toit