Re: [TLS] padding bug

mrex@sap.com (Martin Rex) Wed, 25 September 2013 22:18 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A30821F9D0D for <tls@ietfa.amsl.com>; Wed, 25 Sep 2013 15:18:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.17
X-Spam-Level:
X-Spam-Status: No, score=-10.17 tagged_above=-999 required=5 tests=[AWL=0.079, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4iY4h-yIAcmE for <tls@ietfa.amsl.com>; Wed, 25 Sep 2013 15:17:56 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 43D9C21F9E02 for <tls@ietf.org>; Wed, 25 Sep 2013 15:17:52 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r8PMHmpl009838 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 26 Sep 2013 00:17:48 +0200 (MEST)
In-Reply-To: <424e01ceba03$f7d7b420$e7871c60$@briansmith.org>
To: Brian Smith <brian@briansmith.org>
Date: Thu, 26 Sep 2013 00:17:48 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130925221748.54BC01A9A7@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] padding bug
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Sep 2013 22:18:01 -0000

Brian Smith wrote:
>
> Regarding the particulars of the ID:
> 
> Section 3.1. (Rehandshake Issues) seems overly complex. I think this
> extension should be connection-level, not session-level.

The reason why this draft needs to be complex, is that the TLS
protocol is signficantly underspecified for rehandshakes (aka renegotiation).
rfc5746 fixes only the renegotiation security vulnerability,
it does not remove all of the underspecifed areas.

When a paricular PDU content change is part of a TLS cipher suite
and negotiated through the cipher suite ID, then the PDU change
from current to new will happen with "ChangeCipherSpec" (seperate
for each direction of the communication).

PDU changes based on TLS protocol version and based on TLS extensions,
however, usually apply to ServerHello already.  There currently
is also no distinction between changes to Handshake message PDUs
(or addition, insertion or reording of Handshake message PDUs),
and changes to the Record Layer PDU -- the latter being subject of
Peter's proposal to fix the mac-pad-encrypt for Blockciphers with CBC.

Personally, I since believe it would be sensible to specify/define at
the TLS protocol level that any changes to the record layer PDU,
_independent_ of how they're negotiated (cipher suite, compression algs,
TLS extension) ought to universally apply to the first message following
ChangeCipherSpec.

Currently, this is undefined/unspecified in TLS.

Question to implementors:  The GenericBlockCipher PDU for TLSv1.0
and TLSv1.1 differs.  Do you know what your implementation currently
does should the TLS protocol version changes on a rehandshake/renegotiation
between TLSv1.0 and TLSv1.1 (up or down), why it behaves like it does,
and where this is specified?  ;-)


-Martin