Re: [TLS] Possible TLS 1.3 erratum
David Benjamin <davidben@chromium.org> Thu, 15 July 2021 14:53 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD5CC3A14C5 for <tls@ietfa.amsl.com>; Thu, 15 Jul 2021 07:53:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.949
X-Spam-Level:
X-Spam-Status: No, score=-9.949 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6yXaAeWJKas2 for <tls@ietfa.amsl.com>; Thu, 15 Jul 2021 07:53:20 -0700 (PDT)
Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [IPv6:2607:f8b0:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60BFC3A14C2 for <tls@ietf.org>; Thu, 15 Jul 2021 07:53:20 -0700 (PDT)
Received: by mail-pf1-x42e.google.com with SMTP id y4so5469407pfi.9 for <tls@ietf.org>; Thu, 15 Jul 2021 07:53:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qiEZ5zqu9fXa1cYWwBHDshQDJsMT1US5FaM7FbiSrMo=; b=Ku2+rRbbedviOKU93K+03Xhq9+2H8JIIPoZ1Gs5HuWwHSJLtvoAPkkhcKFBntm/eeB iYl3ss2PDMXqSrwixCexSvqSpX0MdKbHLM8Qn0LzCJp1dXsJ5nLQzliFwGFaooxYDhq7 ArBjaV7kLvWf0CFGTuoC0PwNod7J430YUmXps=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qiEZ5zqu9fXa1cYWwBHDshQDJsMT1US5FaM7FbiSrMo=; b=dqHFkJlMS9bDeo5P2zUKINkoAGmMc/XRUKS9JDIUWpuWONwbpMPHb6pvSoQAU1Tgp+ rw6KZOVwbC5ZllStCJ/sJ0Ufqb6sSEluz5867C65DyTJeTWtH1N1F2Wwkr88NZxQNeI7 ZIf6xb7I4c91oVAkjEX3+hIemWpOmZAEtsTiSujprNXTieCYYoc/WeG3SEmeFD4ntm1B N+R0sO1ARcH5Trwt+BV/BPUSmmDmfxKeTT8lsemxlMvtyihLS4niONkvgB+AbMZoYDG1 13r7TZSDPrqvo8V6nyFxBM0CmGf7xa5VPcp3540Nvg3M4ybtEsdbSKL6eqoTQ9L6Nm9m GyeQ==
X-Gm-Message-State: AOAM532qU5RUCL/R27DBcH6MUTrFx23AgHdeFYkzEPVOB5dAsPQp4HEJ RiEhff40xiuFDRgWiRjV5Fay1TixJ4HUbLtZHd1s
X-Google-Smtp-Source: ABdhPJw9pyxwcqep6wEzCB87aRYjZdcauigNvZo38VaMBlb40I2TfxCs+prwJ/5xIl4Wtp59EiAL1w26CI7zd0ecn08=
X-Received: by 2002:a63:f916:: with SMTP id h22mr5001245pgi.6.1626360798708; Thu, 15 Jul 2021 07:53:18 -0700 (PDT)
MIME-Version: 1.0
References: <ME3PR01MB624282F25AA6983F9CEFDCD2EE129@ME3PR01MB6242.ausprd01.prod.outlook.com> <CABcZeBNajvtG8pebcrD2dgmP+Pb4+gTQMfB6NDOMH7hpqNSS-w@mail.gmail.com>
In-Reply-To: <CABcZeBNajvtG8pebcrD2dgmP+Pb4+gTQMfB6NDOMH7hpqNSS-w@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 15 Jul 2021 10:53:02 -0400
Message-ID: <CAF8qwaD=0tHLrtbqYv2gZ35V24yy_mbdov1Rj-TJR7xrBPJhBA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000afb98505c72aa15b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KFDazc3PhdCJsvm70jtXRum-KwM>
Subject: Re: [TLS] Possible TLS 1.3 erratum
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2021 14:53:27 -0000
The SignatureScheme change was perhaps overly clever, but the intent is
that you can process them the same at both versions and backport
the single-enum interpretation. (That's what we do.) The key observation is
that TLS 1.3's allocations will never overlap with a defined TLS 1.2 hash
or signature value. So an old implementation will never send a value that
overlaps with TLS 1.3. More importantly, it will interpret any new TLS 1.3
value as {unknown hash, unknown algorithm} and ignore it, which is what we
want it to do anyway.
That means an old implementation will interop just fine with new values,
and we can freely recast the whole extension as SignatureSchemes in new
implementations.
On Thu, Jul 15, 2021 at 9:02 AM Eric Rescorla <ekr@rtfm.com> wrote:
> As we are currently working on a 8446-bis, the best thing to do would be
> to file a PR at:
> https://github.com/tlswg/tls13-spec
>
> Thanks,
> -Ekr
>
>
> On Thu, Jul 15, 2021 at 3:56 AM Peter Gutmann <pgut001@cs.auckland.ac.nz>
> wrote:
>
>> I've got some code that dumps TLS diagnostic info and realised it was
>> displaying garbage values for some signature_algorithms entries. Section
>> 4.2.3 of the RFC says:
>>
>> In TLS 1.2, the extension contained hash/signature pairs. The
>> pairs are encoded in two octets, so SignatureScheme values have
>> been allocated to align with TLS 1.2's encoding.
>>
>> However, they don't align with TLS 1.2's encoding (apart from being 16-bit
>> values), the values are encoded backwards compared to TLS 1.2, so where
>> 1.2
>> uses { hash, sig } 1.3 uses values equivalent to { sig, hash }. In
>> particular
>> to decode them you need to know whether you're looking at a 1.2 value or
>> a 1.3
>> value, and a 1.2-compliant decoder that's looking at what it thinks are
>> { hash, sig } pairs will get very confused.
>>
>> Should I submit an erratum changing the above text to point out that the
>> encoding is incompatible and signature_algorithms needs to be decoded
>> differently depending on whether it's coming from a 1.2 or 1.3 client?
>> At the
>> moment the text is misleading since it implies that it's possible to
>> process
>> the extension with a 1.2-compliant decoder when in fact all the 1.3 ones
>> can't
>> be decoded like that.
>>
>> Peter.
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
- [TLS] Possible TLS 1.3 erratum Peter Gutmann
- Re: [TLS] Possible TLS 1.3 erratum Eric Rescorla
- Re: [TLS] Possible TLS 1.3 erratum David Benjamin
- Re: [TLS] Possible TLS 1.3 erratum Nick Harper
- Re: [TLS] Possible TLS 1.3 erratum Peter Gutmann
- Re: [TLS] Possible TLS 1.3 erratum Ilari Liusvaara
- Re: [TLS] Possible TLS 1.3 erratum Peter Gutmann
- Re: [TLS] Possible TLS 1.3 erratum Hubert Kario
- Re: [TLS] Possible TLS 1.3 erratum Martin Thomson
- Re: [TLS] Possible TLS 1.3 erratum Peter Gutmann
- Re: [TLS] Possible TLS 1.3 erratum Hubert Kario
- Re: [TLS] Possible TLS 1.3 erratum Peter Gutmann
- Re: [TLS] Possible TLS 1.3 erratum Ryan Sleevi
- Re: [TLS] Possible TLS 1.3 erratum Peter Gutmann
- Re: [TLS] Possible TLS 1.3 erratum Ryan Sleevi
- Re: [TLS] Possible TLS 1.3 erratum Hubert Kario