Re: [TLS] TLS Handshake message length too long

Hubert Kario <hkario@redhat.com> Mon, 17 August 2015 14:20 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B13CC1A03E1 for <tls@ietfa.amsl.com>; Mon, 17 Aug 2015 07:20:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K01T2zeR6N6o for <tls@ietfa.amsl.com>; Mon, 17 Aug 2015 07:20:20 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB08F1A1A57 for <tls@ietf.org>; Mon, 17 Aug 2015 07:20:19 -0700 (PDT)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (Postfix) with ESMTPS id 90CBE19C300; Mon, 17 Aug 2015 14:20:19 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (ovpn-112-27.ams2.redhat.com [10.36.112.27]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t7HEKEf2014641 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 17 Aug 2015 10:20:18 -0400
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Mon, 17 Aug 2015 16:20:06 +0200
Message-ID: <1535886.1YJU6XDILK@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.9 (Linux/4.1.4-200.fc22.x86_64; KDE/4.14.9; x86_64; ; )
In-Reply-To: <55C7668F.1040105@gmail.com>
References: <55C7668F.1040105@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart6131060.RchrRLDOKc"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/gQ7H2VO5CFs5U-WQy6mcj46-b9Q>
Cc: "dottomi@gmail.com" <dottomi@gmail.com>
Subject: Re: [TLS] TLS Handshake message length too long
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2015 14:20:21 -0000

On Sunday 09 August 2015 16:41:19 dottomi@gmail.com wrote:
> I have a question regarding the handshake message length.
> 
> The 'decode_error' alert in TLS 1.2 is defined as:
> 
>    decode_error
>       A message could not be decoded because some field was out of the
>       specified range or the length of the message was incorrect. (...)
> 
> It says that the message "could not be decoded". What should happen
> if the specified message length is longer than needed? I.e. the message
> was successfully decoded, but the length of the message was incorrect:
> there is still some unknown data after the defined structure.

that is definitely error for the case of a "length of a field is longer than 
expected" or "there's more data in message than the length specifies"
 
> For example, a Finished message has a length of 40 bytes,
> but the 'verify_data' array has 32 bytes and there are 8 unknown bytes
> remaining in the received message. The 40 bytes I talk about here
> is the length specified in the Handshake message header.
> 
> Is this also a fatal error?

yes, always

> Should the implementation just drop those bytes and proceed?

definitely not, it should send a fatal alert, close connection and mark 
session as non resumable

> On the other hand, there is the 'illegal_parameter' alert:
> 
>    illegal_parameter
>       A field in the handshake was out of range or inconsistent with
>       other fields.  This message is always fatal.
> 
> Is this alert suitable for the described scenario?

no, it's for values that are explicitly bound to some specific range (e.g. 
client_random length tag always needs to be 32)

verify_data has no range specified (it's opaque data), the negotiatied 
ciphersuite defines what length it has
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purky┼łova 99/71, 612 45, Brno, Czech Republic