partial SSL_read()
Michael Wojcik
Michael.Wojcik at microfocus.com
Tue Apr 30 16:21:51 UTC 2019
> From: openssl-users <openssl-users-bounces at openssl.org> on behalf of Felipe Gasper <felipe at felipegasper.com>
> Sent: Tuesday, April 30, 2019 11:06
> My question is, does TLS allow a client to be _able_ to parse an incomplete message?
> Or is it that only the entire message can be decoded?
TLS doesn't have the concept of a "message". It has records. Application data from the peer may occupy one or more records.
If a record can't be received completely, while it might be possible to decrypt the partial content (or, depending on cipher type and chaining mode, all but the last cipher block received), it wouldn't be possible to authenticate the data. Thus you'd fall prey to Moxie Marlinspike's Cryptography Doom Principle. Except in unusual circumstances (e.g. attacking the peer, or forensics) you Don't Want To Do That.
Consider that if you're using a stream cipher, or a block cipher in a streaming mode such as GCM, that an attacker can 1) tamper with the application data in a record by bit-flipping, then 2) abort the conversation by forging an RST or similar, cutting the tampered block short. If the receiver attempts to act on the data in the partial block, the attack succeeds.
Even just attempting to decrypt and log the partial data could be dangerous, for example if the log is later displayed using a web-based tool that has an XSS vulnerability, or some sort of binary parser with an exploitable overflow (e.g. a buggy Wireshark dissector).
--
Michael Wojcik
More information about the openssl-users
mailing list