Re: [TLS] DTLS Handshake race condition

Andy Wilson <andrewgwilson@gmail.com> Mon, 12 August 2013 11:23 UTC

Return-Path: <andrewgwilson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87B1A11E81BF for <tls@ietfa.amsl.com>; Mon, 12 Aug 2013 04:23:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rPKkEdF1sdWB for <tls@ietfa.amsl.com>; Mon, 12 Aug 2013 04:23:44 -0700 (PDT)
Received: from mail-bk0-x230.google.com (mail-bk0-x230.google.com [IPv6:2a00:1450:4008:c01::230]) by ietfa.amsl.com (Postfix) with ESMTP id A285121F999B for <tls@ietf.org>; Mon, 12 Aug 2013 03:29:19 -0700 (PDT)
Received: by mail-bk0-f48.google.com with SMTP id my13so1769626bkb.7 for <tls@ietf.org>; Mon, 12 Aug 2013 03:28:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=/PK8rvd2hKpR1D37kuY/IwHfxvmuWYH0KHHJ/xK8fn4=; b=sM/ozqv8SEMq63XmumzegZ8Vj1yn9UngqMYUS2Y7Tq4ifdMq7hiA55aJBzBTdmGdO1 yj9KXSYLPfEcDpU4/BtoPywvmdUcAaju6lXfRM4hqFXSMRy4e9c9Y7JRw7qI0E7k1bHa tTpgjBw8gkA/L5Xy6UEfAYn/GKzKh3q5SoYhDFg4yzpfRvlCwhM10T97F0g0nTk1xyME oKDaNIlqY7hmId0KNfJxX4zyM7BgzWTCRXUkN6TOIEQiJKxPiFdt9aXExW0pO7fuB9vh SNUIbyX4VRkDDZi4opucPkSqd6cK4syfMDTVu2pQdWgJoJICxQRppSAnWlWuxrZmpBDq OtMg==
MIME-Version: 1.0
X-Received: by 10.204.187.196 with SMTP id cx4mr3361180bkb.118.1376303336947; Mon, 12 Aug 2013 03:28:56 -0700 (PDT)
Received: by 10.205.115.141 with HTTP; Mon, 12 Aug 2013 03:28:56 -0700 (PDT)
In-Reply-To: <1F5455F5-439B-4215-9D92-1FDC2FDFBDE7@lurchi.franken.de>
References: <1CBCCCAF-163A-474B-8DD0-6634460644C1@lurchi.franken.de> <CAL2p+8QvmiH-L0WYWDdtAirgQ8i_VoaJQUDfNw4dXDZ1xOzq=w@mail.gmail.com> <1F5455F5-439B-4215-9D92-1FDC2FDFBDE7@lurchi.franken.de>
Date: Mon, 12 Aug 2013 22:28:56 +1200
Message-ID: <CAL2p+8QiEdGD9inixnPH4U1MjNa-errq6Um5VMHtB1UkjSgBcA@mail.gmail.com>
From: Andy Wilson <andrewgwilson@gmail.com>
To: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
Content-Type: multipart/alternative; boundary=20cf302acee280c18704e3bd9705
Cc: tls@ietf.org
Subject: Re: [TLS] DTLS Handshake race condition
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Aug 2013 11:23:49 -0000

Section 4.2.2 states:

The first message each side transmits in each handshake always has
   message_seq = 0.  Whenever each new message is generated, the
   message_seq value is incremented by one.  Note that in the case of a
   rehandshake, this implies that the HelloRequest will have message_seq
   = 0 and the ServerHello will have message_seq = 1

This would imply that the client WOULD process the ServerHello with seq==1
as this is a re-handshake.

That's the way i'm reading the spec..




On 12 August 2013 05:08, Michael Tuexen <Michael.Tuexen@lurchi.franken.de>wrote;wrote:

> On Aug 11, 2013, at 4:19 PM, Andy Wilson <andrewgwilson@gmail.com> wrote:
>
> > After looking over the RFC a bit, wouldn't the client be expecting a
> HelloVerifyRequest after its ClientHello?
> I don't think this is necessary, since the client and the server have
> already
> a relation. So there is no need to use the cookie mechanism.
>
> However, the question is the same. In your case
> * The server sends a HelloRequest(MsgSeqNo = 0) and starts the
> retransmission
>   timer, since this is a flight.
> * The HelloRequest is dropped by the network.
> * The client sends a ClientHello(MsgSeqNo = 0) and start a retransmission
> timer,
>   since it is its first flight.
> * The server sends a HelloVerifyRequest(MsgSeqNo = 1)
> * The client doesn't process the ServerHello, since it expects the
>   MsgSeqNo == 0.
>
> Therefore, the server retransmits the flight consisting of the
> HelloVerifyRequest
> and the client retransmits the flight containing the ClientHello.
> So the solution would be that the client accepts
> * ServerHellos with MsgSeqNo=0 and MsgSeqNo=1.
> * HelloVerifyRequest with MsgSeqNo=0 and MsgSeqNo=1.
>
> Am I missing something?
>
> Best regards
> Michael
> >
> > On 12 August 2013 01:17, Michael Tuexen <
> Michael.Tuexen@lurchi.franken.de> wrote:
> > Dear all,
> >
> > while fixing a bug in OpenSSL regarding the DTLS handshake, I thought
> about
> > the following scenario (both sides decide to renegotiate at about the
> same
> > time):
> >
> > * A DTLS connection is established.
> > * The server sends a HelloRequest(MsgSeqNo = 0) and starts the
> retransmission
> >   timer, since this is a flight.
> > * The HelloRequest is dropped by the network.
> > * The client sends a ClientHello(MsgSeqNo = 0) and start a
> retransmission timer,
> >   since it is its first flight.
> > * The server receives the ClientHello, stops the retransmission timer
> >   and sends the next flight starting with ServerHello(MsgSeqNo = 1)
> >   since it considers the received ClientHello as an ack for the flight.
> > * The client doesn't process the ServerHello, since it expects the
> >   MsgSeqNo == 0.
> >
> > Therefore the client retransmits its ClientHello and the server
> retransmits
> > its flight containing the ServerHello. Am I missing something?
> >
> > The problem is that the server has no way to figure out if the received
> > ClientHello is a reaction to a HelloRequest or not.
> > The only way out I see is that the client accepts ServerHellos with
> > MsgSeqNo=0 and MsgSeqNo=1.
> > I don't think this is covered in http://tools.ietf.org/html/rfc6347
> >
> > Any opinions?
> >
> > Best regards
> > Michael
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> >
> >
> >
> > --
> > Regards
> >
> > Andy
>
>


-- 
Regards

Andy