IETF Logo Mail Archive

Re: [TLS] rfc7366: is encrypt-then-mac implemented?

Manuel Pégourié-Gonnard <mpg@polarssl.org> Wed, 29 October 2014 15:20 UTC

Return-Path: <mpg@polarssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B440E1A19E9 for <tls@ietfa.amsl.com>; Wed, 29 Oct 2014 08:20:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.397
X-Spam-Level:
X-Spam-Status: No, score=0.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_EQ_NL=1.545, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6pw2Eo_50iVC for <tls@ietfa.amsl.com>; Wed, 29 Oct 2014 08:20:31 -0700 (PDT)
Received: from vps2.offspark.com (vps2.brainspark.nl [141.138.204.106]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B630E1A0636 for <tls@ietf.org>; Wed, 29 Oct 2014 08:20:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=polarssl.org; s=exim; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To:References:To:MIME-Version:From:Date:Message-ID; bh=Q5iv0yzTi0w3HSeDge3ZO8TZ4j6KuKLdLtQVozk/gDE=; b=WrU3REIuCxq0nTAxwTr+A2LjXyQ64ubQ8SWlWsoMVMUnDkuy9hN4VJ3uUpKe1qIn7Hhvz9Ms9CRazeCmLH3ljU9HJOmGFOMVhS076U5t9D0gmY/CF0kFgIla58Ltmeoo1j/yrzPqS1VA7Y1E3Zd44qnt/AAakNvy8PGh1zwrHgE=;
Received: from thue.elzevir.fr ([88.165.216.11] helo=[192.168.0.124]) by vps2.offspark.com with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mpg@polarssl.org>) id 1XjV2X-0001Xc-87; Wed, 29 Oct 2014 16:20:01 +0100
Message-ID: <545105A5.9060704@polarssl.org>
Date: Wed, 29 Oct 2014 16:20:05 +0100
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "<tls@ietf.org>" <tls@ietf.org>
References: <9A043F3CF02CD34C8E74AC1594475C739B9DB35D@uxcn10-5.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C739B9DB35D@uxcn10-5.UoA.auckland.ac.nz>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 88.165.216.11
X-SA-Exim-Mail-From: mpg@polarssl.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.offspark.com)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ewE7hWBhi3s1Xc3LqB1QsJQ7NK8
Subject: Re: [TLS] rfc7366: is encrypt-then-mac implemented?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Oct 2014 15:20:36 -0000

On 29/10/2014 15:38, Peter Gutmann wrote:
> Manuel Pégourié-Gonnard <mpg@polarssl.org> writes:
> 
>> What I'm doing to get this is interpret TLSCipherText.length exactly as it is
>> defined in RFC 5246 (6.2.3.2, page 22):
>>
>>   The encrypted data length (TLSCiphertext.length) is one more than the
>>   sum of SecurityParameters.block_length, TLSCompressed.length,
>>   SecurityParameters.mac_length, and padding_length.
>>
>> Apparently to interoperate with the implementation at eid.vx4.net (and with
>> OpenSSL 1.1.0-dev) one needs to rather interpret it as excluding
>> SecurityParameters.mac_length. I couldn't find this explicitly stated
>> anywhere.
> 
> Section 3 of RFC 7366 says:
> 
>   In [2] notation the overall packet is then:
> 
>    struct {
>           ContentType type;
>           ProtocolVersion version;
>           uint16 length;
>           GenericStream/BlockCipher fragment;
>           opaque MAC;
>           } TLSCiphertext;
> 
>    This is identical to the existing TLS layout with the only difference
>    being that the MAC value is moved outside the encrypted data.
> 
Precisely. The *only* difference is (something that doesn't involve the
definition of length), so the definition of the length is unchanged, therefore
it's the one from RFC 5246.

Anyway, let's take it from another angle: TLSCipherText.length is what goes on
the wire, right? So:
1. It has to include the (length of the) MAC.
2. The eid server is contradiction with RFC 7366, since using the length that
goes on the wire to compute/check the MAC makes interop with it fail.

It doesn't get any simpler: is the length used in the MAC the same as the one
going on the wire?

Manuel.

v2.23.0 | Report a Bug | By Email