Re: [TLS] DTLS Handshake race condition
Michael Tuexen <Michael.Tuexen@lurchi.franken.de> Mon, 12 August 2013 11:39 UTC
Return-Path: <Michael.Tuexen@lurchi.franken.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FDA321F8C66 for <tls@ietfa.amsl.com>; Mon, 12 Aug 2013 04:39:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ooaDPqO6zgfr for <tls@ietfa.amsl.com>; Mon, 12 Aug 2013 04:39:18 -0700 (PDT)
Received: from mail-n.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) by ietfa.amsl.com (Postfix) with ESMTP id ACCFB21F9B53 for <tls@ietf.org>; Mon, 12 Aug 2013 03:58:21 -0700 (PDT)
Received: from [192.168.1.200] (p508F2769.dip0.t-ipconnect.de [80.143.39.105]) (Authenticated sender: macmic) by mail-n.franken.de (Postfix) with ESMTP id 317FF1C0C069F; Mon, 12 Aug 2013 12:58:05 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
In-Reply-To: <A34A16A6-6D79-4A8B-A4A9-CF05B5C4C5F7@lurchi.franken.de>
Date: Mon, 12 Aug 2013 12:57:42 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <DE729DF9-0F66-4758-8A89-891297222C0A@lurchi.franken.de>
References: <1CBCCCAF-163A-474B-8DD0-6634460644C1@lurchi.franken.de> <CAL2p+8QvmiH-L0WYWDdtAirgQ8i_VoaJQUDfNw4dXDZ1xOzq=w@mail.gmail.com> <1F5455F5-439B-4215-9D92-1FDC2FDFBDE7@lurchi.franken.de> <CAL2p+8QiEdGD9inixnPH4U1MjNa-errq6Um5VMHtB1UkjSgBcA@mail.gmail.com> <A34A16A6-6D79-4A8B-A4A9-CF05B5C4C5F7@lurchi.franken.de>
To: Andy Wilson <andrewgwilson@gmail.com>
X-Mailer: Apple Mail (2.1508)
Cc: tls@ietf.org
Subject: Re: [TLS] DTLS Handshake race condition
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Aug 2013 11:39:19 -0000
On Aug 12, 2013, at 12:46 PM, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote: > > On Aug 12, 2013, at 12:28 PM, Andy Wilson <andrewgwilson@gmail.com> wrote: > >> Section 4.2.2 states: >> >> The first message each side transmits in each handshake always has >> message_seq = 0. Whenever each new message is generated, the >> message_seq value is incremented by one. Note that in the case of a >> rehandshake, this implies that the HelloRequest will have message_seq >> = 0 and the ServerHello will have message_seq = 1 >> >> This would imply that the client WOULD process the ServerHello with seq==1 as this is a re-handshake. >> >> That's the way i'm reading the spec.. > Me too. > > I think the RFC does cover the race condition I'm referring to... ... I meant "does NOT cover" > What if the HelloRequest(message_seq=0) is lost and the client sends > a ClientHello(message_seq=0) on its own (since the local user initates > a re-handshake). The server accepts the ClientHello and responds with > a ServerHello(message_seq=1). The client however expects a > ServerHello(message_seq=0), since it never saw the HelloRequest. > The HelloRequest is also not retransmitted, since the server considers > it acked by the ClientHello. > > It is only the collision case I'm considering and I think which is > not covered by the RFC. > > Best regards > Michael >> >> >> >> >> On 12 August 2013 05:08, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote: >> On Aug 11, 2013, at 4:19 PM, Andy Wilson <andrewgwilson@gmail.com> wrote: >> >>> After looking over the RFC a bit, wouldn't the client be expecting a HelloVerifyRequest after its ClientHello? >> I don't think this is necessary, since the client and the server have already >> a relation. So there is no need to use the cookie mechanism. >> >> However, the question is the same. In your case >> * The server sends a HelloRequest(MsgSeqNo = 0) and starts the retransmission >> timer, since this is a flight. >> * The HelloRequest is dropped by the network. >> * The client sends a ClientHello(MsgSeqNo = 0) and start a retransmission timer, >> since it is its first flight. >> * The server sends a HelloVerifyRequest(MsgSeqNo = 1) >> * The client doesn't process the ServerHello, since it expects the >> MsgSeqNo == 0. >> >> Therefore, the server retransmits the flight consisting of the HelloVerifyRequest >> and the client retransmits the flight containing the ClientHello. >> So the solution would be that the client accepts >> * ServerHellos with MsgSeqNo=0 and MsgSeqNo=1. >> * HelloVerifyRequest with MsgSeqNo=0 and MsgSeqNo=1. >> >> Am I missing something? >> >> Best regards >> Michael >>> >>> On 12 August 2013 01:17, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote: >>> Dear all, >>> >>> while fixing a bug in OpenSSL regarding the DTLS handshake, I thought about >>> the following scenario (both sides decide to renegotiate at about the same >>> time): >>> >>> * A DTLS connection is established. >>> * The server sends a HelloRequest(MsgSeqNo = 0) and starts the retransmission >>> timer, since this is a flight. >>> * The HelloRequest is dropped by the network. >>> * The client sends a ClientHello(MsgSeqNo = 0) and start a retransmission timer, >>> since it is its first flight. >>> * The server receives the ClientHello, stops the retransmission timer >>> and sends the next flight starting with ServerHello(MsgSeqNo = 1) >>> since it considers the received ClientHello as an ack for the flight. >>> * The client doesn't process the ServerHello, since it expects the >>> MsgSeqNo == 0. >>> >>> Therefore the client retransmits its ClientHello and the server retransmits >>> its flight containing the ServerHello. Am I missing something? >>> >>> The problem is that the server has no way to figure out if the received >>> ClientHello is a reaction to a HelloRequest or not. >>> The only way out I see is that the client accepts ServerHellos with >>> MsgSeqNo=0 and MsgSeqNo=1. >>> I don't think this is covered in http://tools.ietf.org/html/rfc6347 >>> >>> Any opinions? >>> >>> Best regards >>> Michael >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >>> >>> >>> >>> -- >>> Regards >>> >>> Andy >> >> >> >> >> -- >> Regards >> >> Andy >
- [TLS] DTLS Handshake race condition Michael Tuexen
- Re: [TLS] DTLS Handshake race condition Andy Wilson
- Re: [TLS] DTLS Handshake race condition Michael Tuexen
- Re: [TLS] DTLS Handshake race condition Andy Wilson
- Re: [TLS] DTLS Handshake race condition Michael Tuexen
- Re: [TLS] DTLS Handshake race condition Michael Tuexen
- Re: [TLS] DTLS Handshake race condition Martin Rex
- Re: [TLS] DTLS Handshake race condition Michael Tuexen
- Re: [TLS] DTLS Handshake race condition Martin Rex