Skip to content

Comments

No EtM for GOST ciphers in TLS 1.2#17150

Closed
beldmit wants to merge 1 commit intoopenssl:masterfrom
beldmit:noetm_gost
Closed

No EtM for GOST ciphers in TLS 1.2#17150
beldmit wants to merge 1 commit intoopenssl:masterfrom
beldmit:noetm_gost

Conversation

@beldmit
Copy link
Member

@beldmit beldmit commented Nov 28, 2021

GOST ciphers don't use EtM. We don't send this extension in server and shouldn't set use_etm in client.

Checklist
  • documentation is added or updated
  • tests are added or updated

@beldmit beldmit added branch: 3.0 Applies to openssl-3.0 branch branch: master Applies to master branch labels Nov 28, 2021
@beldmit
Copy link
Member Author

beldmit commented Nov 28, 2021

A similar fix should be also implemented for 1.1.1

@beldmit beldmit added the triaged: bug The issue/pr is/fixes a bug label Nov 28, 2021
@t8m t8m added the approval: done This pull request has the required number of approvals label Nov 28, 2021
@mattcaswell
Copy link
Member

mattcaswell commented Nov 29, 2021

I'm surprised that this problem hasn't been identified before. Surely ETM will be negotiated by default for all modern OpenSSL versions? How is that we've never noticed this?

@openssl-machine
Copy link
Collaborator

openssl-machine commented Nov 29, 2021

24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.

@beldmit
Copy link
Member Author

beldmit commented Nov 29, 2021

I'm surprised that this problem hasn't been identified before. Surely ETM will be negotiated by default for all modern OpenSSL versions? How is that we've never noticed this?

It's on a client side. Server side has this code for a long time, and, if no EtM extension is sent by server, client should have use_etm=0. This case as far as I understand it really covers the case of incorrect server implementation.

@beldmit beldmit added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels Nov 29, 2021
@mattcaswell
Copy link
Member

mattcaswell commented Nov 29, 2021

It's on a client side. Server side has this code for a long time, and, if no EtM extension is sent by server, client should have use_etm=0. This case as far as I understand it really covers the case of incorrect server implementation.

Ah! Right - interesting. I missed that. Hmm...I wondering whether in this case we should actually abort the connection? If the server indicates it wants to use ETM for a ciphersuite that it isn't appropriate for we probably shouldn't just continue regardless?

@beldmit
Copy link
Member Author

beldmit commented Nov 29, 2021

Current behavior is silently ignore this extension and I think it's reasonable

@mattcaswell
Copy link
Member

mattcaswell commented Nov 29, 2021

Current behavior is silently ignore this extension and I think it's reasonable

Yeah, I get that. I'm just questioning whether the current behaviour really is reasonable. I won't block this PR - it doesn't make the situation worse. But I wonder whether we should be stricter.

openssl-machine pushed a commit that referenced this pull request Nov 29, 2021
@beldmit
No EtM for GOST ciphers in TLS 1.2
d724da6 
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #17150)
@beldmit
Copy link
Member Author

beldmit commented Nov 29, 2021

Merged. Thanks for the approval!

@beldmit beldmit closed this Nov 29, 2021
@beldmit beldmit deleted the noetm_gost branch November 29, 2021 15:31
openssl-machine pushed a commit that referenced this pull request Nov 29, 2021
@beldmit
No EtM for GOST ciphers in TLS 1.2
09e1818 
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #17150)

(cherry picked from commit d724da6)
@beldmit beldmit mentioned this pull request Nov 29, 2021
Closed
@kaduk
Copy link
Contributor

kaduk commented Nov 29, 2021

I wondering whether in this case we should actually abort the connection? If the server indicates it wants to use ETM for a ciphersuite that it isn't appropriate for we probably shouldn't just continue regardless?

I think most of the relevant RFCs have language like "server MUST NOT negotiatie the EtM extension when using this cipher", so having the client abort would be appropriate.

@se-prok
Copy link

se-prok commented Dec 15, 2021
edited
Loading

I'm surprised that this problem hasn't been identified before. Surely ETM will be negotiated by default for all modern OpenSSL versions? How is that we've never noticed this?

This problem was detected as a result of adversarial testing. I think the client should definitely abort the connection. Otherwise every fuzzer will be bumping into this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@t8m t8m t8m approved these changes

@paulidale paulidale paulidale approved these changes

Assignees

No one assigned

Labels

approval: ready to merge The 24 hour grace period has passed, ready to merge branch: master Applies to master branch branch: 3.0 Applies to openssl-3.0 branch triaged: bug The issue/pr is/fixes a bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@beldmit @mattcaswell @openssl-machine @kaduk @se-prok @t8m @paulidale