[ech] TLSProxy and ECH
Matt Caswell
matt at openssl.org
Wed Mar 22 11:31:52 UTC 2023
On 21/03/2023 21:45, Stephen Farrell wrote:
>
> Hiya,
>
> On 21/03/2023 20:51, Dmitry Belyavsky wrote:
>> I have added some basic test scenarios using TLSfuzzer in openssl
>> project,
>> but I don't have capacity to improve this work yet.
>
> Ah right, I see that now. Must give it a try. (I guess I
> just need to clone tlsfuzzer in the right place and it'll
> try run as part of ``make test``?)
>
>>
>> I don't think it would be sufficient for including ECH upstream
>> because it
>> is an external test, and usually the internal one is requred, but it
>> could
>> be used as a starting point.
>
> Fair point.
Right - I wouldn't recommend tlsfuzzer for this since we really need
internal tests for this.
All our current TLS tests for this stuff are built using TLSProxy.
There *is* a potential alternative in the form of the QUIC fault
injector which does much the same thing but for QUIC. It includes the
ability to inject TLS faults into a QUIC TLS handshake. It does this
from pure C code. I believe it would be possible to extend the concept
to be able to do the same thing for standalone TLS. The hook to enable
this is already present:
https://github.com/openssl/openssl/blob/83ff6cbd9a02ed713bf66f960ab9aea5fced49a3/ssl/statem/statem_lib.c#L39-L54
and
https://github.com/openssl/openssl/blob/83ff6cbd9a02ed713bf66f960ab9aea5fced49a3/ssl/statem/statem_lib.c#L66-L90
The framework around that hook would need to be implemented and that
would be a significant investment of effort.
Some of the test framework for QUIC that uses the above hook is here:
https://github.com/openssl/openssl/blob/83ff6cbd9a02ed713bf66f960ab9aea5fced49a3/test/helpers/quictestlib.c#L489-L688
An example test using this approach for QUIC can be seen here. This test
modifies the TLS EncryptedExtensions message to drop the transport
parameters extension from the message:
https://github.com/openssl/openssl/blob/83ff6cbd9a02ed713bf66f960ab9aea5fced49a3/test/quicfaultstest.c#L165-L218
>>>>> My possibly incorrect understanding is that the TLSProxy
>>>>> is a bunch of perl code used for tests, that re-implements
>>>>> variants of the TLS handshake so they can contain e.g. badly
>>>>> encoded messages.
Not quite. TLSProxy (and the QUIC fault injector described above) sit in
the middle between a normal server and a normal client. They modify the
messages created by each in order to create bad encodings. It doesn't
reimplement its own implementation of the handshake. Effectively it is
performing a man-in-the-middle attack!
Obviously TLS is designed to prevent a man-in-the-middle attack from
working. The TLSProxy framework works by replacing the normal MAC
calculations with dummy ones so that TLSProxy can make arbitrary changes
without the Finished message checks failing. It also uses NULL
encryption. The QUIC fault injector works by using a callback to modify
messages *before* they are encrypted/passed through the finished mac and
sent to the peer (so the standard MAC and encryption algorithms can
still be used).
> I wanted to
check if that perl TLSProxy code is the long term plan or
if it's something felt to be approaching end of life?
For now TLSProxy is it. I would like to perhaps replace it with
something more like the QUIC fault injector - but I don't expect that to
happen in the short to medium term.
Matt
More information about the ech
mailing list