Re: [TLS] Malformed Finished handling

Martin Thomson <martin.thomson@gmail.com> Thu, 05 July 2018 00:06 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/B8m2fEYSmOXaj2cDiJ1lU9LvDnA>

On Wed, Jul 4, 2018 at 7:55 PM Hubert Kario <hkario@redhat.com> wrote:
> Despite this, is it correct to terminate a connection with "illegal_parameter"
> upon receiving a Finished handshake message with a 100 byte payload? or a 20
> byte payload? My opinion is that it is not, "decode_error" is more specific so
> it should be used instead.

When there are multiple problems with a message, why do we need to
accept just one of the possible alerts?  That assumes either a very
particular order of processing, or a strict precedence order for
errors.  Like Rich says, there is a degree of imprecision in our error
reporting, but - for me - that's OK.
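
Added example, not part of the original message or of any TLS implementation: a model of a Finished handler in which a wrong-sized payload fails several checks at once, so the alert a peer sees depends only on the order the checks run in. The check functions, their check-to-alert mapping, the SHA-256 choice and the sample key and transcript are assumptions made for illustration.

```python
import hashlib
import hmac
from itertools import permutations

def expected_verify_data(finished_key: bytes, transcript: bytes) -> bytes:
    """TLS 1.3-style verify_data: HMAC over the transcript hash (SHA-256 assumed)."""
    digest = hashlib.sha256(transcript).digest()
    return hmac.new(finished_key, digest, hashlib.sha256).digest()

# Hypothetical checks. Which alert each one raises is this example's assumption.
def length_as_decoding(payload, expected):
    return None if len(payload) == len(expected) else "decode_error"

def length_as_field_value(payload, expected):
    return None if len(payload) == len(expected) else "illegal_parameter"

def mac_matches(payload, expected):
    # compare_digest returns False for inputs of different length.
    return None if hmac.compare_digest(payload, expected) else "decrypt_error"

CHECKS = (length_as_decoding, length_as_field_value, mac_matches)

def first_alert(payload, expected, order=CHECKS):
    """Alert raised by the first failing check in this order, or None."""
    for check in order:
        alert = check(payload, expected)
        if alert is not None:
            return alert
    return None

def possible_alerts(payload, expected):
    """Every alert that some processing order could produce for this payload."""
    found = {first_alert(payload, expected, o) for o in permutations(CHECKS)}
    found.discard(None)
    return found

def verdict(observed, payload, expected, strict_alert=None):
    """Test-harness decision: demand one exact alert, or accept any possible one."""
    if strict_alert is not None:
        return observed == strict_alert
    return observed in (possible_alerts(payload, expected) or {None})

# Constructed sample values, not taken from a real handshake.
SAMPLE_EXPECTED = expected_verify_data(b"k" * 32, b"constructed transcript")
OVERSIZED = b"\x00" * 100   # the 100-byte Finished payload from the question
UNDERSIZED = b"\x00" * 20   # the 20-byte Finished payload from the question
```

Calling `verdict` with `strict_alert="decode_error"` models the position in the quoted question; leaving it unset models the tolerant position in the reply.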