Software
 » 
Encryption and Cryptography
 » 
OpenSSL
 » 
OpenSSL - Dev

[openssl.org #1709] DTLS BUG: retransmition of handshake messages does not work

View: New views
3 Messages — Rating Filter:   Alert me  

Parent Message unknown [openssl.org #1709] DTLS BUG: retransmition of handshake messages does not work

by David Woodhouse via RT :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

Hello,

This problem was described by Martin Vladic, but i cant find it in RT.

Here is description:

"Let's suppose that handshake between client and server comes to the
point where client sends this message flight to the server:

Certificate
ClientKeyExchange
CertificateVerify
ChangeCipherSpec
Finished [this message is protected]

So, client comes to the stage when all subsequent messages shall be
protected. In above message flight only last message (Finished) is
protected. First four messages are unprotected. That's all OK.

To continue, client needs following response from the server:

ChangeCipherSpec
Finished [this message is encrypted]

What happens if such message doesn't arrive? Retransmission timer
expires and client must send last flight again.

But, OpenSSL DTLS implementation doesn't handle this situation very
well. It sends the last flight of messages, but all messages are
protected because implementation thinks that CipherSpec and keys are
negotiated. I think that only last message must be protected, and
first four must not (like it was in first transmission of the same
flight)."

Also, when client retransmits his last flight (5 messages), message
"retransmit:  message 4 non-existant" is printed to stderr.

Even if client resends correct last flight (encrypting only Finished
message),
server will not retransmit his last flight (2 messages).

Pavel

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@...
Automated List Manager                           majordomo@...

Parent Message unknown Re: [openssl.org #1709] DTLS BUG: retransmition of handshake messages does not work

by David Woodhouse via RT :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message


The DTLS code makes some assumptions that it is using a UDP socket BIO
to detect the timeout condition for resend.

When using another BIO type (e.g. BIO pair) on read, this does not work
properly.

  - Ariel

Pavel via RT wrote:

> Hello,
>
> This problem was described by Martin Vladic, but i cant find it in RT.
>
> Here is description:
>
> "Let's suppose that handshake between client and server comes to the
> point where client sends this message flight to the server:
>
> Certificate
> ClientKeyExchange
> CertificateVerify
> ChangeCipherSpec
> Finished [this message is protected]
>
> So, client comes to the stage when all subsequent messages shall be
> protected. In above message flight only last message (Finished) is
> protected. First four messages are unprotected. That's all OK.
>
> To continue, client needs following response from the server:
>
> ChangeCipherSpec
> Finished [this message is encrypted]
>
> What happens if such message doesn't arrive? Retransmission timer
> expires and client must send last flight again.
>
> But, OpenSSL DTLS implementation doesn't handle this situation very
> well. It sends the last flight of messages, but all messages are
> protected because implementation thinks that CipherSpec and keys are
> negotiated. I think that only last message must be protected, and
> first four must not (like it was in first transmission of the same
> flight)."
>
> Also, when client retransmits his last flight (5 messages), message
> "retransmit:  message 4 non-existant" is printed to stderr.
>
> Even if client resends correct last flight (encrypting only Finished
> message),
> server will not retransmit his last flight (2 messages).
>
> Pavel
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@...
> Automated List Manager                           majordomo@...
>
>  


--
 - Ariel Salomon / Senior Software Engineer
Real-Time Innovations (RTI) / www.rti.com
408 990-7439 / ariel@...

RTI - The Real-Time Middleware Experts



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@...
Automated List Manager                           majordomo@...

Parent Message unknown Re: [openssl.org #1709] DTLS BUG: retransmition of handshake messages does not work

by David Woodhouse via RT :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

The timeout condition is detected properly. Described situation happens
after
timeout. The problem is that DTLS client resends described flight with
errors.

Pavel

>
> The DTLS code makes some assumptions that it is using a UDP socket BIO
> to detect the timeout condition for resend.
>
> When using another BIO type (e.g. BIO pair) on read, this does not work
> properly.
>
>  - Ariel


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@...
Automated List Manager                           majordomo@...
LightInTheBox - Buy quality products at wholesale price
Free Forum Powered by Nabble Forum Help