Re: [TLS] Malformed Finished handling

Hubert Kario <hkario@redhat.com> Mon, 09 July 2018 11:55 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 982F2130DEE for <tls@ietfa.amsl.com>; Mon, 9 Jul 2018 04:55:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.301
X-Spam-Level:
X-Spam-Status: No, score=-2.301 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LfvPjLKwcS5A for <tls@ietfa.amsl.com>; Mon, 9 Jul 2018 04:55:47 -0700 (PDT)
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 528F412D7F8 for <tls@ietf.org>; Mon, 9 Jul 2018 04:55:47 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 9001083207; Mon, 9 Jul 2018 11:38:45 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (ovpn-200-16.brq.redhat.com [10.40.200.16]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9836A2156889; Mon, 9 Jul 2018 11:38:44 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Date: Mon, 09 Jul 2018 13:38:43 +0200
Message-ID: <15164129.iB2ZhdnDRk@pintsize.usersys.redhat.com>
In-Reply-To: <CABkgnnW0L+T8X7T4_SbLggJFVODC-VQ53i_DK_TrHbTPk_3JqQ@mail.gmail.com>
References: <2069745.MLjj786GGa@pintsize.usersys.redhat.com> <CABkgnnW0L+T8X7T4_SbLggJFVODC-VQ53i_DK_TrHbTPk_3JqQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1597638.mVuHIr1vSW"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Mon, 09 Jul 2018 11:38:45 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Mon, 09 Jul 2018 11:38:45 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'hkario@redhat.com' RCPT:''
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/L4YH897UMjWzhsaQbr0lEKhIdsU>
Subject: Re: [TLS] Malformed Finished handling
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 11:55:49 -0000

On Thursday, 5 July 2018 02:06:45 CEST Martin Thomson wrote:
> On Wed, Jul 4, 2018 at 7:55 PM Hubert Kario <hkario@redhat.com> wrote:
> > Despite this, is it correct to terminate a connection with
> > "illegal_parameter" upon receiving a Finished handshake message with a
> > 100 byte payload? or a 20 byte payload? My opinion is that it is not,
> > "decode_error" is more specific so it should be used instead.
> 
> When there are multiple problems with a message, why do we need to
> accept just one of the possible alerts?  That assumes either a very
> particular order of processing, or a strict precedence order for
> errors.  Like Rich says, there is a degree of imprecision in our error
> reporting, but - for me - that's OK.

but there are no multiple problems with the message in question

no part of the TLS standards states that the implementation should check if 
the length of the handshake message lies within expected bounds

but there *is* a section that explicitly calls out that the implementation 
needs to verify if the handshake message matches the header, *after* parsing

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purky┼łova 115, 612 00  Brno, Czech Republic