partial SSL_read()


Felipe Gasper-2
Hello,

        I’ve got an OpenSSL client that’s showing the behavior in strace:

read 5 bytes - OK
read 11228 bytes - gets partial response
read remainder - ECONNRESET

        That ECONNRESET causes OpenSSL to fail the entire SSL_read().

        My question is, does TLS allow a client to be _able_ to parse an incomplete message? Or is it that only the entire message can be decoded?

        Thank you!

-Felipe Gasper
Mississauga, Ontario

Re: partial SSL_read()

Michael Wojcik
> From: openssl-users <[hidden email]> on behalf of Felipe Gasper <[hidden email]>
> Sent: Tuesday, April 30, 2019 11:06

> My question is, does TLS allow a client to be _able_ to parse an incomplete message?
> Or is it that only the entire  message can be decoded?

TLS doesn't have the concept of a "message". It has records. Application data from the peer may occupy one or more records.

If a record can't be received completely, while it might be possible to decrypt the partial content (or, depending on cipher type and chaining mode, all but the last cipher block received), it wouldn't be possible to authenticate the data. Thus you'd fall prey to Moxie Marlinspike's Cryptography Doom Principle. Except in unusual circumstances (e.g. attacking the peer, or forensics) you Don't Want To Do That.

Consider that if you're using a stream cipher, or a block cipher in a streaming mode such as GCM, that an attacker can 1) tamper with the application data in a record by bit-flipping, then 2) abort the conversation by forging an RST or similar, cutting the tampered block short. If the receiver attempts to act on the data in the partial block, the attack succeeds.

Even just attempting to decrypt and log the partial data could be dangerous, for example if the log is later displayed using a web-based tool that has an XSS vulnerability, or some sort of binary parser with an exploitable overflow (e.g. a buggy Wireshark dissector).

--
Michael Wojcik
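
The receiver-side rule described in the reply above, as an added example that is not part of the original thread and is not OpenSSL code: plaintext is released only once a whole record has arrived and its tag verifies. The 5-byte header layout (content type, version, length) is the TLS record header; the HMAC-based keystream, the HMAC tag standing in for the cipher suite's MAC or AEAD tag, the keys, the sample plaintext and all function names are constructed for illustration.

```python
import hashlib, hmac, struct

HEADER_LEN = 5   # TLS record header: content type (1), version (2), length (2)
TAG_LEN = 32     # HMAC-SHA256 tag, standing in for the real MAC/AEAD tag
class IncompleteRecord(Exception): pass
class BadRecord(Exception): pass

def _xor(data, key):
    # Constructed stream cipher (HMAC-SHA256 in counter mode); not a TLS cipher suite.
    ks = b"".join(hmac.new(key, struct.pack(">Q", i), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(enc_key, mac_key, plaintext):
    """Build one constructed record: header || ciphertext || tag."""
    ct = _xor(plaintext, enc_key)
    header = struct.pack(">BHH", 23, 0x0303, len(ct) + TAG_LEN)
    return header + ct + hmac.new(mac_key, header + ct, hashlib.sha256).digest()

def open_record(enc_key, mac_key, buf):
    """Release plaintext only for a complete record whose tag verifies."""
    if len(buf) < HEADER_LEN:
        raise IncompleteRecord("header not fully received")
    _type, _version, length = struct.unpack(">BHH", buf[:HEADER_LEN])
    if length < TAG_LEN:
        raise BadRecord("record too short to carry a tag")
    if len(buf) < HEADER_LEN + length:
        raise IncompleteRecord("connection ended before the record was complete")
    header, body = buf[:HEADER_LEN], buf[HEADER_LEN:HEADER_LEN + length]
    ct, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise BadRecord("authentication failed")
    return _xor(ct, enc_key)

def decrypt_without_auth(enc_key, partial):
    """What the reply warns against: decrypting whatever bytes arrived."""
    return _xor(partial[HEADER_LEN:], enc_key)

if __name__ == "__main__":
    ek, mk = b"E" * 32, b"M" * 32                      # constructed keys
    rec = bytearray(seal(ek, mk, b"pay 100 to alice; memo: April rent"))
    rec[HEADER_LEN + 4] ^= 0x08                        # one bit altered in transit
    cut = bytes(rec[:HEADER_LEN + 16])                 # stream reset mid-record
    print(decrypt_without_auth(ek, cut))               # altered text, never authenticated
    try:
        open_record(ek, mk, cut)
    except IncompleteRecord as exc:
        print("refused:", exc)
```

The tag covers the header and the whole ciphertext, so there is no prefix of a record that can be checked on its own; a truncated record and a tampered complete record are both refused before any plaintext is produced.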

Re: partial SSL_read()

Felipe Gasper-2


> On Apr 30, 2019, at 12:21 PM, Michael Wojcik <[hidden email]> wrote:
>
>> From: openssl-users <[hidden email]> on behalf of Felipe Gasper <[hidden email]>
>> Sent: Tuesday, April 30, 2019 11:06
>
>> My question is, does TLS allow a client to be _able_ to parse an incomplete message?
>> Or is it that only the entire  message can be decoded?
>
> TLS doesn't have the concept of a "message". It has records. Application data from the peer may occupy one or more records.
>
> If a record can't be received completely, while it might be possible to decrypt the partial content (or, depending on cipher type and chaining mode, all but the last cipher block received), it wouldn't be possible to authenticate the data. Thus you'd fall prey to Moxie Marlinspike's Cryptography Doom Principle. Except in unusual circumstances (e.g. attacking the peer, or forensics) you Don't Want To Do That.
>
> Consider that if you're using a stream cipher, or a block cipher in a streaming mode such as GCM, that an attacker can 1) tamper with the application data in a record by bit-flipping, then 2) abort the conversation by forging an RST or similar, cutting the tampered block short. If the receiver attempts to act on the data in the partial block, the attack succeeds.
>
> Even just attempting to decrypt and log the partial data could be dangerous, for example if the log is later displayed using a web-based tool that has an XSS vulnerability, or some sort of binary parser with an exploitable overflow (e.g. a buggy Wireshark dissector).

Ah, ok, that makes sense. Thank you for your response!

-FG