[TLS] Exporter compatibility pitfall between (D)TLS 1.2 and 1.3
David Benjamin <davidben@chromium.org> Mon, 10 March 2025 20:18 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QrIpfXNRiIoKoO8gTXvnM2MhjMA>
Hi all,

I recently spent some time debugging an interop issue between WebRTC + DTLS 1.3 in Chrome and WebRTC + DTLS 1.3 in Firefox. The cause of the issue was a minor but interesting incompatibility between (D)TLS 1.2 and (D)TLS 1.3 that doesn't seem to have been flagged in RFC 8446 anywhere. Nothing actionable for this group, apart from maybe a last minute sentence to add to 8446bis (way too late to change how exporters work), but I thought I would pass it along for general awareness.

WebRTC uses DTLS-SRTP, which uses export keying material to generate some specified number of bytes of data:
https://www.rfc-editor.org/rfc/rfc5764.html#section-4.2

It turns out Firefox exported the maximum key+salt length and then only used a prefix of the output, rather than exporting the length as specified in RFC 5764. Back in 1.2, this was just fine and gave the right output. The requested length didn't figure into the derivation. But 1.3 incorporates the requested length into the derivation, so now this computes the wrong value.

This means, starting with 1.3, applications must be sure to pass in exactly the length specified by the protocol they're implementing. Applications that relied on this 1.2 property will silently do the wrong thing when upgrading to 1.3.

David
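The length dependence described in the message above, as an added Python example that is not part of the original message or of any browser's code: it implements the RFC 5705 exporter over the TLS 1.2 SHA-256 PRF and the RFC 8446 section 7.5 exporter, then checks whether an over-long export truncated to the specified length equals an export of exactly that length. The secrets, randoms and the 60/88-byte lengths are constructed for illustration, and the TLS 1.3 `tls13 ` label prefix is used (DTLS 1.3 uses `dtls13`, with the same length field).

```python
import hashlib
import hmac

def _hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def tls12_export(master_secret, client_random, server_random, label, length):
    """RFC 5705 exporter without context, using the TLS 1.2 P_SHA256 PRF."""
    seed = label + client_random + server_random
    a, out = seed, b""
    while len(out) < length:
        a = _hmac(master_secret, a)
        out += _hmac(master_secret, a + seed)
    return out[:length]  # length only truncates the output stream

def hkdf_expand_label(secret, label, context, length):
    """RFC 8446 section 7.1: the HkdfLabel begins with the uint16 length."""
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    t, out, i = b"", b"", 1
    while len(out) < length:
        t = _hmac(secret, t + info + bytes([i]))  # HKDF-Expand block i
        out += t
        i += 1
    return out[:length]

def tls13_export(exporter_secret, label, context, length):
    """RFC 8446 section 7.5 TLS-Exporter."""
    empty_hash = hashlib.sha256(b"").digest()
    derived = hkdf_expand_label(exporter_secret, label, empty_hash, 32)
    return hkdf_expand_label(derived, b"exporter",
                             hashlib.sha256(context).digest(), length)

# Constructed secrets and randoms, not taken from a real handshake.
SECRET = bytes(range(32))
MASTER = bytes(range(48))
CR, SR = b"\x01" * 32, b"\x02" * 32
LABEL = b"EXTRACTOR-dtls_srtp"
SPEC_LEN, MAX_LEN = 60, 88  # assumed: 2*(16+14) negotiated, 2*(32+12) maximum

def prefix_matches_12():
    return tls12_export(MASTER, CR, SR, LABEL, MAX_LEN)[:SPEC_LEN] == \
        tls12_export(MASTER, CR, SR, LABEL, SPEC_LEN)

def prefix_matches_13():
    return tls13_export(SECRET, LABEL, b"", MAX_LEN)[:SPEC_LEN] == \
        tls13_export(SECRET, LABEL, b"", SPEC_LEN)
```

A regression test of this shape, run against a known-good peer or test vector at each protocol version, catches an exporter call that passes a length other than the one the application protocol specifies.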