Re: [TLS] Possible TLS 1.3 erratum

Eric Rescorla <ekr@rtfm.com> Thu, 15 July 2021 13:02 UTC

References: <ME3PR01MB624282F25AA6983F9CEFDCD2EE129@ME3PR01MB6242.ausprd01.prod.outlook.com>
In-Reply-To: <ME3PR01MB624282F25AA6983F9CEFDCD2EE129@ME3PR01MB6242.ausprd01.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 15 Jul 2021 06:01:20 -0700
Message-ID: <CABcZeBNajvtG8pebcrD2dgmP+Pb4+gTQMfB6NDOMH7hpqNSS-w@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xiJcmQCUxueAgrCka104-cWzIA0>

As we are currently working on an 8446-bis, the best thing to do would be to
file a PR at:
https://github.com/tlswg/tls13-spec

Thanks,
-Ekr


On Thu, Jul 15, 2021 at 3:56 AM Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> I've got some code that dumps TLS diagnostic info and realised it was
> displaying garbage values for some signature_algorithms entries.  Section
> 4.2.3 of the RFC says:
>
>       In TLS 1.2, the extension contained hash/signature pairs.  The
>       pairs are encoded in two octets, so SignatureScheme values have
>       been allocated to align with TLS 1.2's encoding.
>
> However, they don't align with TLS 1.2's encoding (apart from being 16-bit
> values): the values are encoded backwards compared to TLS 1.2, so where 1.2
> uses { hash, sig } 1.3 uses values equivalent to { sig, hash }.  In
> particular, to decode them you need to know whether you're looking at a 1.2
> value or a 1.3 value, and a 1.2-compliant decoder that's looking at what it
> thinks are { hash, sig } pairs will get very confused.
>
> Should I submit an erratum changing the above text to point out that the
> encoding is incompatible and signature_algorithms needs to be decoded
> differently depending on whether it's coming from a 1.2 or 1.3 client?  At
> the moment the text is misleading since it implies that it's possible to
> process the extension with a 1.2-compliant decoder when in fact all the 1.3
> ones can't be decoded like that.
>
> Peter.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
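The decoding question in the quoted message can be made concrete with a small decoder that reads each 16-bit signature_algorithms entry both ways: as an RFC 5246 SignatureAndHashAlgorithm { hash, signature } pair and as an RFC 8446 SignatureScheme code point. This is an added example, not code from the message, from the TLS WG, or from the RFC; the function names and the sample extension body are this example's own, and the code-point tables cover only the values listed in RFC 5246 section 7.4.1.4.1 and RFC 8446 section 4.2.3 (later registry additions are omitted).

```python
"""Decode a TLS signature_algorithms extension body two ways:
as RFC 5246 SignatureAndHashAlgorithm pairs and as RFC 8446 SignatureScheme
code points.  Added example; not code from the quoted message."""
import struct

# RFC 5246 section 7.4.1.4.1: HashAlgorithm and SignatureAlgorithm enums.
# A SignatureAndHashAlgorithm is { hash, signature }, hash octet first.
TLS12_HASH = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
TLS12_SIG = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# RFC 8446 section 4.2.3: SignatureScheme values (a single 16-bit code point).
TLS13_SCHEME = {
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384", 0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256", 0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384", 0x0806: "rsa_pss_rsae_sha512",
    0x0807: "ed25519", 0x0808: "ed448",
    0x0809: "rsa_pss_pss_sha256", 0x080A: "rsa_pss_pss_sha384", 0x080B: "rsa_pss_pss_sha512",
    0x0201: "rsa_pkcs1_sha1", 0x0203: "ecdsa_sha1",
}


def decode_tls12(code: int):
    """Read the entry as RFC 5246 { hash, signature }; None if either octet is
    outside the RFC 5246 enumerations (the case a 1.2-only decoder cannot name)."""
    hash_name = TLS12_HASH.get(code >> 8)
    sig_name = TLS12_SIG.get(code & 0xFF)
    if hash_name is None or sig_name is None:
        return None
    return (hash_name, sig_name)


def decode_tls13(code: int):
    """Read the entry as an RFC 8446 SignatureScheme; None if not defined there."""
    return TLS13_SCHEME.get(code)


def parse_signature_algorithms(body: bytes):
    """Parse extension_data: a 2-byte length followed by 16-bit entries
    (supported_signature_algorithms<2..2^16-2>, same wire shape in 1.2 and 1.3)."""
    if len(body) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", body[:2])
    if length < 2 or length % 2 or 2 + length != len(body):
        raise ValueError("bad supported_signature_algorithms length")
    return [struct.unpack("!H", body[2 + i:4 + i])[0] for i in range(0, length, 2)]


def describe(body: bytes):
    """Return one row per entry with both readings side by side."""
    return [{"code": code, "tls12": decode_tls12(code), "tls13": decode_tls13(code)}
            for code in parse_signature_algorithms(body)]


# Constructed sample (not captured traffic): a list a TLS 1.3 client might send,
# plus one RFC 5246 pair (sha256/dsa, 0x0402) that TLS 1.3 never defines.
SAMPLE_BODY = struct.pack("!H", 12) + struct.pack(
    "!6H", 0x0403, 0x0804, 0x0401, 0x0807, 0x0201, 0x0402)

if __name__ == "__main__":
    for row in describe(SAMPLE_BODY):
        print(f"0x{row['code']:04x}  RFC5246={row['tls12']}  RFC8446={row['tls13']}")
```

Running it over the constructed list shows the two readings of the same octets side by side: the legacy code points (0x0401, 0x0403, 0x0201) name an algorithm under both RFCs, the 0x08xx scheme values have no RFC 5246 name because 8 is not an RFC 5246 HashAlgorithm, and the RFC 5246 pair 0x0402 has no RFC 8446 scheme at all. A diagnostic dumper therefore has to pick the reading from the negotiated or offered version rather than from the bytes alone, and should tolerate None from either decoder instead of printing a garbage name.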