Re: [TLS] Draft 18 review : Extensions and message reuse
Eric Rescorla <ekr@rtfm.com> Tue, 22 November 2016 21:19 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF827129576 for <tls@ietfa.amsl.com>; Tue, 22 Nov 2016 13:19:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lFhNj47CoXJj for <tls@ietfa.amsl.com>; Tue, 22 Nov 2016 13:19:52 -0800 (PST)
Received: from mail-yw0-x229.google.com (mail-yw0-x229.google.com [IPv6:2607:f8b0:4002:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82BE912941C for <tls@ietf.org>; Tue, 22 Nov 2016 13:19:52 -0800 (PST)
Received: by mail-yw0-x229.google.com with SMTP id t125so25640342ywc.1 for <tls@ietf.org>; Tue, 22 Nov 2016 13:19:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=d9p5XA1gjPKwwsaCLXWwu+JliU2W48EdSGzhSUhSjNI=; b=THsN7j3FQ0E/JITYY69giUiH9cFNiGj6pYmvGWn+4t5ZEucgiqaG85H6z0K/+FCrUv gkbc5GnPBZZGMY9g5PeDLQarH+Sk1vZIyMu14tGHbZIgOPHo5EGtQmETyQ8w9b4Xha4j VwK7hwgPOF5MAwoBIs9+XvCVVgdTc8HXv6VHoksaFRraTB7QKww8kuA9Ae2SEX+g+gz+ rzRbY0jNsq9dqfV5HNHZugiamvYltgwf8jp0Gshl+vqa7Pin9SGfDze9TgBkcmU5/hsb 5uFhFNml5ZMdGDrbop78tI/r+UF85uIM+M9pxpUozs3yjAyILVsTA/BUlsxKaWq29t3j ZX0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=d9p5XA1gjPKwwsaCLXWwu+JliU2W48EdSGzhSUhSjNI=; b=QU+nSjctCeJdsQYP9kEL+8nLtoM25opo8bqA2kPShXmrZ3H0lWRQqe24+oL3IApMAG mwEk1GmsGOazhJh4eLvclwZA/4DyuBdFlXT7r0McPdridHVZXp+o8RO5Y6AixQ3g3yRE vraCx9gUzGBTOgnY7VWkflNDzXrG6ya6vluY0dOVwJJUb0XPl4qMWJBVZ9kDeyZ5ha9N iHqfhvODHHJWU0k82QbxOrlUpgwUv9ZuPhzaRHzHqPep17rjbAzw0p4GvA/gbRvbrKt9 igeWQtEdI+tK+dToOYrg14bjYkrTQX+OnOGZqrsFdzej7rDT1BAUMJTk0GxdptrxhgBg J58Q==
X-Gm-Message-State: AKaTC01/pPLRm+2UCpOL+NOXjwvSUS3dmNDpdzUB9skcym/2lnWzCuc40cjrAiORu5AnfqYKpyIXw85rONlCcw==
X-Received: by 10.129.108.216 with SMTP id h207mr23183791ywc.52.1479849591759; Tue, 22 Nov 2016 13:19:51 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.159.141 with HTTP; Tue, 22 Nov 2016 13:19:11 -0800 (PST)
In-Reply-To: <20161122190158.GB19978@neoplankton.picty.org>
References: <20161122190158.GB19978@neoplankton.picty.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 22 Nov 2016 13:19:11 -0800
Message-ID: <CABcZeBNdAyvcjYcUUqZV+ewTHwV-Oyb+QK1mNk3DcPx6xtjAgw@mail.gmail.com>
To: Olivier Levillain <olivier.levillain@ssi.gouv.fr>
Content-Type: multipart/alternative; boundary="001a114dd36e3d5bf50541ea55fb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/x8sRmcf6jboMt5D6I9D2-m2VRuE>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Draft 18 review : Extensions and message reuse
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2016 21:19:55 -0000
On Tue, Nov 22, 2016 at 11:02 AM, Olivier Levillain < olivier.levillain@ssi.gouv.fr> wrote: > > = Extensions and message reuse = > > We were sorry to find that some TLS 1.2 extensions were reused with a > different meaning, or that some TLS 1.3 extensions were context > dependent, which does not allow for a clear separation between the > parsing step (which might lead to a decode_error alert) and the > message validation step (which might lead to an invalid_parameter > alert). It is especially disappointing since the choice made for the > ciphersuites is a very clean one. > > The first example of such a problem is the signature_scheme and > signature_algorithms enums. In practice, the signature_algorithm must > contain information valid for TLS 1.2 and TLS 1.3, but the exact > meaning is not the same in both cases. It would be cleaner to have a > new, separate extension called signature_scheme, defining the new > enum. This way, a TLS 1.2/1.3 client implementations would send both > extensions. We would spend 10 bytes on the wire, but it is not that > important for the first message which can be kept reasonably long > (and which is sometimes padded via the corresponding extension...) > We certainly could do this, but I don't think it's the right answer, for two reasons: 1. From a protocol perspective, some of the things you could say with signature_algorithms weren't coherent. For instance: I support ECDSA_SHA512 but only with P256 (via supported_curves). So it's actually a retroactive improvement to TLS 1.2 to use the code points this way. NSS, at least interprets these the same way in TLS 1.2 and TLS 1.3. I believe BoringSSL does as well. 2. From an implementation perspective, it's easier to just have a single external facing surface, which should be the more sensible one, namely signature schemes. > Another example is the key_share extension: it is in fact made of > three different extensions, depending on the message where it is > included. It would be simpler for a (almost-)stateless parser* to > either use three different extensions or to use the same content each > time. In the second case, the extension would each time consist of a > list of (group + optional keyshare). The advantages of such a unified > keyshare extension would be: > - stateless parsing* > - no reuse of supported_groups which can be merged with key_share > - no more validation complexity since higher-level checks were > already required (the groups sent by HRR did not came with a key > share for example). > The major con one might see is that the server can not advertise its > supported groups in an encrypted manner anymore (since > supported_groups is not used anymore). However, we do believe > simplifying the implementation is worth it. > > * Of course the parser still has to use the extension id to know how > to parse the value, but it would not need to have broader context > (the message where the extension is included). In other words, we > would like select syntax in structs to only use local information. > > I can try and propose a PR for each extension if there is an interest > in the WG. > It seems to me you are making two points here: 1. That it would be good to unify supported_groups and key_share 2. That we should use separate code points wherever extensions differ between the messages they appear (this is far from the only one). We've had some conversation about the first approach, which seems like kind of a stylistic/taste issue whether to have the "I can do" and "here is" in one place or two, and on balance I think it's better to not change this at this point without a really compelling reason. I can see the appeal of having one parser per extension ID, but it isn't actually that much easier from an implementation perspective. You already need a mapping table from extension ID to handler and that table also needs to be able to detect common problems (e.g., extension reuse or extensions appearing in the wrong place) and it's not hard at that point to also have it point to message-specific parsers (this is how NSS mostly works). ISTM that the alternative you propose would either result in a proliferation of extensions (which confuses the matching rules) or having extensions which are syntactically valid but not legal in their context (e.g., >1 key share from the server). This pushes these checks further away from the decoder, and makes things which would otherwise be syntax errors (e.g., a "pre_shared_key" extension from the server which contains keys) into semantic errors which require explicit checks. -Ekr > > Olivier Levillain > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Draft 18 review : Extensions and message re… Olivier Levillain
- Re: [TLS] Draft 18 review : Extensions and messag… Eric Rescorla
- Re: [TLS] Draft 18 review : Extensions and messag… Olivier Levillain