Dear Xiao Nian Jun,
Thanks for your kind words and for reporting this issue you found.
I checked RFC 7427 and indeed while parameters must be present and NULL for all RSA algorithms, appendix A.3 is clear that they must be absent for ECDSA. Since RFC 7427 is about IKEv2 rather than about X.509 certificates, I also checked RFC 5480 (updating RFC 3279 which defines the X.509 profile used by the IETF), and it concurs: for ECDSA, parameters are absent (appendix A).
Our behaviour is not conformant, and this should be fixed. Just to help us evaluate the severity of the issue, I'd like to know if this is something you found by inspecting the generated certificate yourself, or if it caused the generate certificate to be rejected by some other X.509 implementation or verification tool. Said otherwise, is this only a compliance issue, or also an interoperability issue?
Regarding your fix, I think it works as long as you are only generating ECC-signed X.509 certificates, but as you suggest, I'm afraid it only fixes the problem by creating another one: it would suppress the NULL parameters for RSA as well, but unfortunately, they're mandatory there (I wish the standards were more consistent). So, we'll probably have to do something similar, but only for ECDSA.
I was going to create a ticket for that in our bug tracker when I noticed we already have a ticket tracking that: https://github.com/ARMmbed/mbedtls/issues/2924 - Ill add a link to your message in the ticket.
Thanks again for your report.
Best regards,
Manuel
________________________________
From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> on behalf of Xiao, Nian Jun via mbed-tls <mbed-tls(a)lists.trustedfirmware.org>
Sent: 28 December 2020 03:24
To: mbed-tls(a)lists.trustedfirmware.org <mbed-tls(a)lists.trustedfirmware.org>
Cc: He, Shu Shan <shushan.he(a)siemens.com>
Subject: [mbed-tls] MBEDTLS issue I found
Dear MBEDTLS team,
I’m a developer at SIEMENS, my name is Xiao Nian Jun. Please accept my sincere gratitude for your excellent work and to spend extra time to read my email.
We are using MBEDTLS to generate ECC key and certificates, we found an issue regarding algorithm identifier in the final ASN.1 certificate. For certificate signed by ECC key, the algorithm identifier is “NULL” which doesn’t conforms to RFC7427 specification.
[cid:image001.png@01D6DD01.C51C7290]
You can see the “NULL” string in the certificate, Chrome will treat this kind of certificate as invalid.
This issue has blocked us for a while, and after some investigation, we found an easy fix –- probably immature fix --- to make it works right--- we just commented out this line of code “MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_null( p, start ) )" in function mbedtls_asn1_write_algorithm_identifier.
To be honesty, we’ve been using MBEDTLS for very short time, probably this is not an issue, probably our fix will end up break up something…currently, it’s just looks correct.
Please check if my fix works or not, if not, please do not hesitate to correct me.
B.R.
Xiao Nian Jun.
Dear MBEDTLS team,
I’m a developer at SIEMENS, my name is Xiao Nian Jun. Please accept my sincere gratitude for your excellent work and to spend extra time to read my email.
We are using MBEDTLS to generate ECC key and certificates, we found an issue regarding algorithm identifier in the final ASN.1 certificate. For certificate signed by ECC key, the algorithm identifier is “NULL” which doesn’t conforms to RFC7427 specification.
[cid:image001.png@01D6DD01.C51C7290]
You can see the “NULL” string in the certificate, Chrome will treat this kind of certificate as invalid.
This issue has blocked us for a while, and after some investigation, we found an easy fix –- probably immature fix --- to make it works right--- we just commented out this line of code “MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_null( p, start ) )" in function mbedtls_asn1_write_algorithm_identifier.
To be honesty, we’ve been using MBEDTLS for very short time, probably this is not an issue, probably our fix will end up break up something…currently, it’s just looks correct.
Please check if my fix works or not, if not, please do not hesitate to correct me.
B.R.
Xiao Nian Jun.
Hello,
We are planning to release Mbed TLS 3.0 around June 2021, alongside an LTS release of Mbed TLS 2.x. Our major version numbers indicate API breaking changes, and this is no exception: Mbed TLS 3.0 will have changes that make it incompatible with 2.x (as an obvious example, functions that are deprecated in 2.x will be removed).
In setting a near-term release date, we have chosen some key areas that we want to focus on for 3.0. Some other API-breaking items (i.e., those requiring significant design time) won't make the cut and we will hold those back for a future major version, in order to have time to get them right. The main focus for 3.0 will be reduction in API surface, and changes that are low-impact for almost everyone.
Work towards 3.0 will start in late January, on the development branch which will contain a public work-in-progress view of Mbed TLS 3.0. Any work for 2.x in this timeframe will take place on a separate branch (provisionally named like "mbedtls-2.x").
During the 3.0 development period, bug fixes and security fixes will continue to be a priority, but we will have slightly less capacity for other features. While 3.0 is in development, any new features will by default be landed in 3.0 only, unless there is a strong case for back-porting to 2.x. The 2.x LTS branches will still be supported with bug fixes and security fixes for the normal three year lifetime (i.e., the final LTS release of 2.x in mid-2021 will be supported until mid-2024).
In terms of content, we are taking a cautious approach to what we plan for 3.0. In the past we've been ambitious here and as a result, have slipped on the release date; by being cautious on feature set we can be confident about hitting the mid-year release date. We won't try to make all of the changes that would be nice-to-have; instead, we will focus on tasks that reduce maintenance, unlock other improvements in a 3.x timeframe, are still valuable if only partially completed, and can fit within this time frame. Currently we're looking at the following areas for 3.0:
* Reduce the public surface of the API
* Clean-up existing APIs
* Changes to default options
Regards
Dave Rodgman
Hi Farhad,
I think for this question as well as the "packets lost" question, it's important to distinguish two phases of a DTLS connection: initially there's a handshake (to negotiate and establish security parameters and session keys), and then application data can be exchanged. Application data is what's passed to `mbedtls_ssl_write()` or written by `mbedtls_ssl_read()` (depending on whether you're the sender or receiver) - this can only happen once the handshake is completed.
During the handshake, there are indeed mechanisms to re-order packets that were received out of order and also retransmit packets that were lost. But that's only during the handshake (because it's a lockstep process where everything needs to happen in order), and only for data that's purely internal to the DTLS protocol and never seen by the application.
Once the handshake is completed and application data starts to be exchanged, there is no longer any kind of re-ordering or retransmission mechanism. The reason is, as you guessed, DTLS aims to provide similar properties to UDP - with cryptographic security in addition. So, if you send something with `mbedtls_ssl_write()` and the record gets lost, the DTLS protocol won't even know about it, and no retransmission will happen. If record N+1 arrives before record N, the DTLS protocol will know but do nothing, and just deliver the records in the order they arrived. Again, as you said, doing otherwise would introduce latency and be contrary to the goals of DTLS - people who want reliability at the expense of latency should use TLS.
The main exception to that principle that you can expect DTLS to behave like UDP is duplicated records: the DTLS protocol provide optional replay protection (that is, if record N arrives twice, the second occurrence is dropped). In Mbed TLS, this mechanism is enabled by default but can be disabled at compile-time by not defining MBEDTLS_SSL_DTLS_ANTI_REPLAY in config.h, or at runtime by calling mbedtls_ssl_conf_dtls_anti_replay().
I hope this answers your questions.
Regards,
Manuel.
________________________________
From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> on behalf of saghili via mbed-tls <mbed-tls(a)lists.trustedfirmware.org>
Sent: 10 December 2020 18:31
To: mbed-tls(a)lists.trustedfirmware.org <mbed-tls(a)lists.trustedfirmware.org>
Subject: [mbed-tls] "Reordering" in DTLS
Hello,
I have a question about DTLS.
One thing that is not entirely clear to me from the RFC is this: suppose
2 records are received within a "short" period, e.g. seq# N+1 followed
by seq# N. In this case, what does DTLS do? My understanding is that it
will pass on packets in the order it was received (i.e. out of order).
But it can (should?) re-order at the DTLS layer and pass them on to the
upper layer in the right order. HOWEVER, this implies that the DTLS
"wait" for a certain window to see if the seq#=N packet arrives or not.
But doing so introduces additional delay at DTLS layer and also
contradicts with the UDP principle (i.e. no concept of order). Could you
please give me a hint regarding this issue?
Best regards,
Farhad
--
mbed-tls mailing list
mbed-tls(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
Hello,
I have a question about DTLS.
One thing that is not entirely clear to me from the RFC is this: suppose
2 records are received within a "short" period, e.g. seq# N+1 followed
by seq# N. In this case, what does DTLS do? My understanding is that it
will pass on packets in the order it was received (i.e. out of order).
But it can (should?) re-order at the DTLS layer and pass them on to the
upper layer in the right order. HOWEVER, this implies that the DTLS
"wait" for a certain window to see if the seq#=N packet arrives or not.
But doing so introduces additional delay at DTLS layer and also
contradicts with the UDP principle (i.e. no concept of order). Could you
please give me a hint regarding this issue?
Best regards,
Farhad
Hello,
I have a question about DTLS.
Because of the latency, I need to disable the "packets lost" feature.
Does MbedTLS provide the flag that we can disable resending the packet
in case of the packet lost? For instance, if I have 3 packets 42, 43,
and 44, is it possible to decrypt packet 44 without receiving packets 42
and 43? It will be in the "Record" layer.
Thank you.
Best regards,
Farhad
Thank you for quick response.
> Are you using blocking or non-blocking I/O?
Non-blocking IO
I've preset bio_send/recv callbacks
I have pair of buffers, transport buffer and application buffer, for
reading and writing (4 buffers total). Application buffers are protected
by mutexes.
Transport buffers are written/read in bio_send/recv (if no async op
pending, otherwise WANT_READ/WRITE).
mbedtls_ssl_xxx work with application buffers.
> Are you using TLS or DTLS? What protocol version, what cipher suite
and what extensions are negotiated?
TLS (over tcp, no lossy channel involved)
version 1.2
> Does your application call mbedtls_ssl_write() and mbedtls_ssl_read()
again with the same buffer if they return MBEDTLS_ERR_SSL_WANT_READ or
MBEDTLS_ERR_SSL_WANT_WRITE?
Well, actually, no. AND it's quite possible, that application outgoing
buffer (std::vector) has been relocated between mbedtls_ssl_write calls,
because app could push data several times while async op was pending and
bio_send returned WANT_WRITE, causing these buffers to resize. So
buf.data() will not be equal to that from previous mbedtls_ssl_write
call. Is this what causes trouble? It's somehow connected to partial
sends? I do call ssl_write inside while-loop, counting sent and unsent
bytes - thought this was enough. But if mbedtls somehow remembers
addresses from previos calls - that might cause problems.
> Do you close the TLS connection if mbedtls_ssl_xxx() returns an error
other than WANT_XXX (or XXX_IN_PROGRESS if you use these features)?
Yes, but that never happens (from handshake to until problem appears)
> What is the value of MBEDTLS_SSL_MAX_CONTENT_LEN (or
MBEDTLS_SSL_OUT_CONTENT_LEN if it's defined)?
Not defined in config, looks like both 16834
>What operating system are you using?
Ubuntu 20, Kali 20
> Is this a client or a server? What TLS stack does the other side run?
Both are written same way, both using same library.
I'll try to prepare test-case code, that reproduces the problem, and
logs, but that will require some time.
10.12.2020 1:07, Gilles Peskine via mbed-tls пишет:
> Hi Андрей,
>
> The behavior you describe is a bug. But there isn't enough information
> to tell whether the bug is in Mbed TLS, in asio-standalone, in some
> other third-party code, or in your application.
>
> Some things to consider:
>
> * Are you using blocking or non-blocking I/O?
> * Are you using TLS or DTLS? What protocol version, what cipher suite
> and what extensions are negotiated?
> * Does your application call mbedtls_ssl_write() and mbedtls_ssl_read()
> again with the same buffer if they return MBEDTLS_ERR_SSL_WANT_READ or
> MBEDTLS_ERR_SSL_WANT_WRITE?
> * Do you close the TLS connection if mbedtls_ssl_xxx() returns an error
> other than WANT_XXX (or XXX_IN_PROGRESS if you use these features)?
> * What is the value of MBEDTLS_SSL_MAX_CONTENT_LEN (or
> MBEDTLS_SSL_OUT_CONTENT_LEN if it's defined)?
> * What operating system are you using?
> * Is this a client or a server? What TLS stack does the other side run?
>
> You'll give others the most chance to help you if you post small,
> complete code to reproduce the problem. I realize this may be difficult.
> A good intermediate way to see what is going on would be to post debug
> logs. To get debug logs, make sure that MBEDTLS_DEBUG_C is enabled and
> call these functions before opening the TLS connection:
>
> mbedtls_ssl_conf_dbg(&ssl_conf, my_debug, stdout);
> mbedtls_debug_set_threshold(2);
>
> See https://tls.mbed.org/kb/how-to/mbedtls-tutorial for a sample version
> of my_debug().
>
> Calls to bio_send() are shown in the logs as
>
> => flush output
> message length: %d, out_left: %d
> ssl->f_send() returned %d
> <= flush output
>
> If they don't show expected numbers, the rest of the logs should give a
> clue as to why.
>
> Hope this helps,
>
By the way, I notice you're using Mbed TLS 2.16.3. This version has
known bugs, including security issues. Please upgrade to the latest Mbed
TLS 2.16.x (currently 2.16.8, very soon 2.16.9) which is a security and
bugfix update, or to the latest release (2.24.0, soon 2.25.0) which has
all the latest bugfixes and features. Looking at the changelog, I don't
see any mention of a bug that could explain your problem, but I might
have missed something.
--
Gilles Peskine
Mbed TLS developer
On 09/12/2020 22:17, Сысоев Андрей via mbed-tls wrote:
> Hello.
>
> I need a little help with mbedtls 2.16.3.
> I'm using it under x86-64 with asio-standalone.
>
> Here's a standard situation:
> - I call mbedtls_ssl_write() to write let's say 8192 bytes of payload
> - it calls my own bio_send() with (8192+21) bytes as len parameter
> - bio_send() returns len=(8192+21), indicating transport data
> correctly written
> - mbedtls_ssl_write() returns 8192, indicating payload send
> GOOD: next I use this value to shift application buffer (erase first
> 8192 bytes), then send next chunk
>
> BUT after some time of running this situation happens:
> - once again, a call to mbedtls_ssl_write() to write let's say 8192
> bytes of payload
> - it calls bio_send() with smaller number, about 5500 bytes as len
> parameter (?? but OK)
> - bio_send() returns len=5500, indicating transport data correctly
> written
> - mbedtls_ssl_write() returns 8192 (??? why not 5500 ???), indicating
> payload send
> BAD: next I use this value to shift application buffer (erase first
> 8192 bytes), this leads to data loss of (8192-5500)=2692 bytes and
> ruins protocol
>
> As you can see, mbedtls_ssl_write() incorrectly reports about sent
> application data (8192 instead of 5500) - is this a bug? How can such
> situation happen under normal operation?
>
> Thanks in advance.
>
Hi Андрей,
The behavior you describe is a bug. But there isn't enough information
to tell whether the bug is in Mbed TLS, in asio-standalone, in some
other third-party code, or in your application.
Some things to consider:
* Are you using blocking or non-blocking I/O?
* Are you using TLS or DTLS? What protocol version, what cipher suite
and what extensions are negotiated?
* Does your application call mbedtls_ssl_write() and mbedtls_ssl_read()
again with the same buffer if they return MBEDTLS_ERR_SSL_WANT_READ or
MBEDTLS_ERR_SSL_WANT_WRITE?
* Do you close the TLS connection if mbedtls_ssl_xxx() returns an error
other than WANT_XXX (or XXX_IN_PROGRESS if you use these features)?
* What is the value of MBEDTLS_SSL_MAX_CONTENT_LEN (or
MBEDTLS_SSL_OUT_CONTENT_LEN if it's defined)?
* What operating system are you using?
* Is this a client or a server? What TLS stack does the other side run?
You'll give others the most chance to help you if you post small,
complete code to reproduce the problem. I realize this may be difficult.
A good intermediate way to see what is going on would be to post debug
logs. To get debug logs, make sure that MBEDTLS_DEBUG_C is enabled and
call these functions before opening the TLS connection:
mbedtls_ssl_conf_dbg(&ssl_conf, my_debug, stdout);
mbedtls_debug_set_threshold(2);
See https://tls.mbed.org/kb/how-to/mbedtls-tutorial for a sample version
of my_debug().
Calls to bio_send() are shown in the logs as
=> flush output
message length: %d, out_left: %d
ssl->f_send() returned %d
<= flush output
If they don't show expected numbers, the rest of the logs should give a
clue as to why.
Hope this helps,
--
Gilles Peskine
Mbed TLS developer
On 09/12/2020 22:17, Сысоев Андрей via mbed-tls wrote:
> Hello.
>
> I need a little help with mbedtls 2.16.3.
> I'm using it under x86-64 with asio-standalone.
>
> Here's a standard situation:
> - I call mbedtls_ssl_write() to write let's say 8192 bytes of payload
> - it calls my own bio_send() with (8192+21) bytes as len parameter
> - bio_send() returns len=(8192+21), indicating transport data
> correctly written
> - mbedtls_ssl_write() returns 8192, indicating payload send
> GOOD: next I use this value to shift application buffer (erase first
> 8192 bytes), then send next chunk
>
> BUT after some time of running this situation happens:
> - once again, a call to mbedtls_ssl_write() to write let's say 8192
> bytes of payload
> - it calls bio_send() with smaller number, about 5500 bytes as len
> parameter (?? but OK)
> - bio_send() returns len=5500, indicating transport data correctly
> written
> - mbedtls_ssl_write() returns 8192 (??? why not 5500 ???), indicating
> payload send
> BAD: next I use this value to shift application buffer (erase first
> 8192 bytes), this leads to data loss of (8192-5500)=2692 bytes and
> ruins protocol
>
> As you can see, mbedtls_ssl_write() incorrectly reports about sent
> application data (8192 instead of 5500) - is this a bug? How can such
> situation happen under normal operation?
>
> Thanks in advance.
>