IETF Logo Mail Archive

Re: [TLS] Draft 18 review : Message splitting and interleaving

David Benjamin <davidben@chromium.org> Tue, 22 November 2016 22:18 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA3D81295F4 for <tls@ietfa.amsl.com>; Tue, 22 Nov 2016 14:18:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.196
X-Spam-Level:
X-Spam-Status: No, score=-4.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id do7iBEung104 for <tls@ietfa.amsl.com>; Tue, 22 Nov 2016 14:18:39 -0800 (PST)
Received: from mail-qk0-x22e.google.com (mail-qk0-x22e.google.com [IPv6:2607:f8b0:400d:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADEF512949D for <tls@ietf.org>; Tue, 22 Nov 2016 14:18:39 -0800 (PST)
Received: by mail-qk0-x22e.google.com with SMTP id q130so45380647qke.1 for <tls@ietf.org>; Tue, 22 Nov 2016 14:18:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=KWBG+ETLCsELBkOukSLqmbWfLD+FBVq9gzNFWUW9Piw=; b=PZHG9Fjf4hRjVivmfxKxkfCJm5f5IGP8QRh7AmmlxkwhR60n5fxdScwXhrnudVK4GN UNKwhudvO+s+vzXC0l/IZR0FXUKwN6yUE1GRTz9RIjlKdHAPCv3G6xeEfOaDEh5m8FoU ZC1XrRTNS4c4eyK10oMb0SngVrVYbEjJk6cGA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=KWBG+ETLCsELBkOukSLqmbWfLD+FBVq9gzNFWUW9Piw=; b=GxWy8/IS7vmPjwXHvD4luMf4CP69duIymF1/zLgrPRAbrgWx/uR0tD3MX5Fb+AvgvM U4tSZVUwdavpe/lHxGWvSq0fWlYRgWFyWEKqlfYn52r626y6/DDvaMGpfaOApXsf7a1I h+fXWx7NDsrHSbudTjQ8AJfaqb71NcWaM0Z0CqPKv/TCW+VkPFcCPvckdAJq+U+Dg8gm FxtSv58hHI3EruQFFgOeSm5st07bVX0hzmEbrAk+H79fLRg9kiZckaXKB5YgBuxvSFc+ HP60aP0r/kH3fV2+8i0wfSw/SEbAoMoqatwL0I2sHgA943ponOI4OWNf2o3defiW5lF/ cWLw==
X-Gm-Message-State: AKaTC02xYiKzBh9//8HUz31Ou184ihfoHf4VbJ9V4P7VeO8QHWZG2s2FBdHG06VW2V6XmwbuItfz4BWEO6ecBQ49
X-Received: by 10.55.122.134 with SMTP id v128mr23087094qkc.111.1479853117819; Tue, 22 Nov 2016 14:18:37 -0800 (PST)
MIME-Version: 1.0
References: <20161122190822.GH19978@neoplankton.picty.org>
In-Reply-To: <20161122190822.GH19978@neoplankton.picty.org>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 22 Nov 2016 22:18:27 +0000
Message-ID: <CAF8qwaDxGH0xEPE7600yCnkJgLG51yJAyjVx2irNfhvptdT9Dw@mail.gmail.com>
To: Olivier Levillain <olivier.levillain@ssi.gouv.fr>, tls@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c062a5868ae8c0541eb27fa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xTOw5VDerWtYpoqo5ZPtfGdaKLQ>
Subject: Re: [TLS] Draft 18 review : Message splitting and interleaving
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2016 22:18:42 -0000

On Tue, Nov 22, 2016 at 2:05 PM Olivier Levillain <
olivier.levillain@ssi.gouv.fr> wrote:

> Hi list,
>
> I am sorry for the very late answer concerning draft 18, but we
> (ANSSI) have several remarks after proof-reading the current
> specification.
>
> We are sorry for the multiple long messages.
>
> If the WG is interested by some of our concerns/proposals, we would be
> glad to propose some PRs.
>
>
> = Message splitting and interleaving =
>
> How to split and interleave subprotocols in TLS has not been clearly
> specified in the past, and it would be useful to be crystal clear on
> this point.
>
> In the specification, the subject is first presented in 4.5 (P.61):
>    Handshake messages sent after the handshake MUST NOT be interleaved
>    with other record types.  That is, if a message is split over two or
>    more handshake records, there MUST NOT be any other records between
>    them.
> But I am wondering why this text only concern "messages after the
> handshake".  It should always be the case!
>
> It is next present in section 4.5.3 (P.64):
>    Handshake messages MUST NOT span key changes.  Because the
>    ServerHello, Finished, and KeyUpdate messages signal a key change,
>    upon receiving these messages a receiver MUST verify that the end of
>    these messages aligns with a record boundary; if not, then it MUST
>    terminate the connection with an "unexpected_message" alert.
>
> And then in section 5 (mostly P.64 and P.65) plus a repetition P.69.
>
>
> It is worth noting that this specific point was (at least partially)
> the origin of several security issues:
>  - the alert attack (https://www.mitls.org/pages/attacks/Alert);
>  - Heartbleed (where OpenSSL answered with a fragmented record whereas
>    it was not the spirit of the spec);
>  - the OpenSSL Downgrade attack in 2014.
>
> Some of this is covered in the current specification, but it might be
> worth being even stricter:
>  - regarding splitting/merging, they should be forbidden by default;
>  - the default would apply to alerts (currently, the spec states that
>    alerts MUST not be split, but they should not be merged either
>    for simplicity's sake and since it is useless);
>

+1. We (BoringSSL) and I believe NSS already forbid this for alerts at all
versions.

This rule is actually implied by TLS 1.3 already, because we've gotten rid
of warning alerts. All alerts terminate the connection, except for
end_of_early_data, and end_of_early_data immediately signals a key change.
So it is not legal to send two alerts in the same epoch, much less in the
same record. (Being explicit about this is good, of course.)


>  - incidentally, the default behaviour would apply to Heartbeat, as
>    was the intent of the specification;
>  - ApplicationData should be considered as a stream with possibly
>    0-length records
>  - Handshake messages should either come as a sequence of multiple
>    *entire* messages, or as a fraction of *one* message.  That is,
>    the number of HS messages inside one record should either be a
>    round number or strictly less than 1.
>

What simplifications were you expecting out of this? It seems to me this
would be a nuisance to both enforce as a receiver and honor as a sender.

Our implementation doesn't try to pack handshake messages into records, but
I believe NSS does. NSS folks should confirm, but I expect such
implementations just buffer the messages up and flush when the buffer
exceeds the records size. That means all kinds of splits are plausible:

  [EncryptedExtensions Certifi]
  [cateRequest Certificate Cer]
  [tificateVerify Finished]

I share your dislike of the way handshake messages and record boundaries
interact (or, rather, don't), but I'm not sure how this rule helps.


> These constraints can be expressed in 5.1 and cover most of the
> problematic cases.  They are easy to check and to enforce.
>
>
> However, the problem of the OpenSSL Downgrade flaw (where the first
> record containing the beginning of the ClientHello was cut before the
> ClientHello.version field) will still stand, but there is no simple
> way to fix this, since version negotiation can now happen anywhere in
> the ClientHello extensions, so it might be impossible to enforce that
> the client versions are sent in the first record.
>
> I might volunteer some text if there is an interest of the WG.
>
>
> Olivier Levillain
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email