Re: [TLS] ESNI padding the Certificate message

Matt Caswell <matt@openssl.org> Thu, 13 December 2018 13:36 UTC

Return-Path: <matt@openssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BBB51286E3 for <tls@ietfa.amsl.com>; Thu, 13 Dec 2018 05:36:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bYQAXvan6bzr for <tls@ietfa.amsl.com>; Thu, 13 Dec 2018 05:36:15 -0800 (PST)
Received: from mta.openssl.org (mta.openssl.org [IPv6:2001:608:c00:180::1:e6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B182127332 for <tls@ietf.org>; Thu, 13 Dec 2018 05:36:15 -0800 (PST)
Received: from [10.89.10.6] (ip-22-84-52-196.southampton.uk.amsterdamresidential.com [196.52.84.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta.openssl.org (Postfix) with ESMTPSA id 7AD55E1125 for <tls@ietf.org>; Thu, 13 Dec 2018 13:36:13 +0000 (UTC)
To: tls@ietf.org
References: <876187a2-df66-2eb0-5a55-b6e67cf668f6@cs.tcd.ie>
From: Matt Caswell <matt@openssl.org>
Openpgp: preference=signencrypt
Autocrypt: addr=matt@openssl.org; prefer-encrypt=mutual; keydata= mQENBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ayhJbwAtsQ 69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3iN7I8aU66yMt710n GEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi2hLApPpaATXnD3ZkhgtHV3ln 3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0YpaN19BDBrxM3WPOAKbJk0Ab1bjgEadavrF BCOl9CrbThewRGmkOdxJWaVkERXMShlzUzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEB AAG0H01hdHQgQ2Fzd2VsbCA8bWF0dEBvcGVuc3NsLm9yZz6JATgEEwECACIFAlPevrwCGwMG CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJENnE0m0OYESRoD0H/1lEJXfr66rdvskyOi0z U0ARvUXHjbmmYkZ7ETkdXh7Va/Tjn81T3pwmr3F4IcLGNLDz4Eg67xbq/T8rrsEPOx5nV/mR nUT97UmsQuLnR2wLGbRBu24FKM7oX3KQvgIdJWdxHHJsjpGCViE1mIFARAzlN+6p3tPbnQzA NjRy7i/PYU/niGdqVcMhcnZCX5F7YH6w6t0ZmYH3m1QeREnWqfxu7eyHsIvebMgKTI/bMG8Z 7KlLZha9HwrFXQAPIST6sfc1blKJ9INUDM9iK6DR/ulkw7e0hmHLqjWqYs5PzyXeoNnsPXJt 69wiADYqj4KNDIdNp1RoF9qfb1nE+DM6rga5AQ0EUYAuwgEIAM9nUJAEpsVBYwK92PP9Mlo1 /etXp6JgBI68sOCJxTwzBrbTzIlevVQXqW9zdODD6ObKcgGNuG+G6Nwn54P6McRpd2dxor9Y A+yaI0yT6CVnhxsXjwc/vuQ4tBAL6tfuMAXRVIeEVk22cKk4HJB68ImXCCRdyRi9HIE5iTrZ HsHC4sjAsirhlc0o8hU3gqkKh2Ehwa6+U8lzNx06hoFEZxIVRteoz1jzCHImF7EXztEcDIam O8uckVKAuKbJgFGkU3bkvNgWlc8Pgx4tRUNJGC1LE4nYqaSEwee1SpA/VewiDObj97PozCTF zRCUBCnSvaAlTnpA90TnODH7ar+L5aEAEQEAAYkBHwQYAQIACQUCUYAuwgIbDAAKCRDZxNJt DmBEkQs2B/96XB9hyFpX/bhu41YNr7nSA65dDi9d+PkMqvLppickG3VR4xXWywzEJTw6W2DN MyFO6mOtdXWgNdgDF7HKZYvHBr6pyttLAMP7BfWBvU7YY59uKmUSc5vl0NzsaSbx5PDSQEkS ICLI+/hIwuEXOb6Z7gOrX7F1uy83TmHFOOjD2mLl5isUzFhaLVk0fZSY+mCgg3/inbwb8g31 91Ybk2LfXmndaEsdEzMLrT0g6wIgmybz6UdVuVPfSPGly0VWVAG1sNPOCpAuJpNV6+VxrdVi Ax3vQPbx3XzqDFS1ISlnd0qS/7RXwMuFDpVH/BDvzQcoikWnpRY/loPGkSg4TB7a
Message-ID: <ed463806-067d-bd83-f186-2ef6f5bd3518@openssl.org>
Date: Thu, 13 Dec 2018 13:36:12 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <876187a2-df66-2eb0-5a55-b6e67cf668f6@cs.tcd.ie>
Content-Type: text/plain; charset=utf-8
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/J5oPhMKeUtoBeN4F_gOv1OGZ75I>
Subject: Re: [TLS] ESNI padding the Certificate message
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Dec 2018 13:36:19 -0000


On 13/12/2018 13:10, Stephen Farrell wrote:
> 
> Hiya,
> 
> Was just adding code for this and I noticed that the draft says
> a server: "SHOULD pad the Certificate message, via padding at
> the record layer, such that its length equals the size of the
> largest possible Certificate (message) covered by the same ESNI
> key."
> 
> I think that ought also mention the CertificateVerify as that
> could also tell you something about the ESNI being used if the
> key lengths in the various certificates differ.
> 
> More specific to openssl though, there isn't really a terribly
> easy way to do such fine-grained padding (that I've found so
> far),

You can set a padding callback using SSL_CTX_set_record_padding_callback() (or
SSL_set_record_padding_callback()). The callback can determine whether it is
padding a handshake message by examining its "type" parameter, and which message
it is by calling SSL_get_state(). From there you should be able to get the
callback to add padding only to the Certificate and/or CertificateVerify
messages as required.

Matt



> so to cover the above, and as there are likely many
> other ways that the ESNI could be exposed, it might be good to
> add that clients and servers could reasonably decide to pad all
> handshake messages or even all records. (That last being what
> is currently easiest with openssl, and hence what I've done
> for now with my proof-of-concept code:-)
> 
> Cheers,
> S.
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>