Re: [TLS] TLS 1.3 and max_fragment_length
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 14 March 2017 08:06 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6ECCA1288B8 for <tls@ietfa.amsl.com>; Tue, 14 Mar 2017 01:06:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ztM9c8nCQdLX for <tls@ietfa.amsl.com>; Tue, 14 Mar 2017 01:06:17 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) by ietfa.amsl.com (Postfix) with ESMTP id 37938120725 for <tls@ietf.org>; Tue, 14 Mar 2017 01:06:17 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 602001EF1D; Tue, 14 Mar 2017 10:06:15 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id 7T9Sxd4AHuc1; Tue, 14 Mar 2017 10:06:15 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 28C87C4; Tue, 14 Mar 2017 10:06:15 +0200 (EET)
Date: Tue, 14 Mar 2017 10:06:07 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Martin Thomson <martin.thomson@gmail.com>
Message-ID: <20170314080607.GA18882@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABkgnnWZgo5xs=+26j6C=o+AMgWHmyQwuMWw7vL=+xvRnpZgog@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABkgnnWZgo5xs=+26j6C=o+AMgWHmyQwuMWw7vL=+xvRnpZgog@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sqa5AZT3YBwKdE4AZHsx4hDbSYk>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 and max_fragment_length
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2017 08:06:19 -0000
On Tue, Mar 14, 2017 at 02:38:14PM +1100, Martin Thomson wrote: > When we added padding to TLS 1.3, we created an ambiguity with the > max_fragment_length extension. > > Does the limit apply to len(TLSInnerPlaintext) or does it apply to > len(TLSInnerPlaintext.content) (i.e., TLSPlaintext.length)? That is, > does is include the padding and content type, or not? > > Including the padding would recognize the limitations apply to > handling large blobs of encrypted data (see earlier email from Thomas > Pornin). That would be my preference. I think that we need to say > that though. I guess the second-order question is whether to roll > RFC6066-bis or patch these things in TLS 1.3 directly. I would think it would include the padding, because otherwise you can not limit the size of buffers to store a record. And if you have an encrypted record, you can decrypt it in-place anyway, so limits on plaintext size post-depadding are not useful. Furthermore, there is edge case in how max_fragement_length is currently defined in TLS 1.3 (it isn't available when parsing ServerHello, but ServerHello is also limited by it). Fortunately, that edge case is very unlikely to be hit, as ServerHello is highly likely to be under the limit[1], and ServerHello can't be coalesced with anything (since it has flight or key boundaries on both sides). [1] Base ServerHello is 42 bytes, pre_shared_key gives you 6. And key_share gives you 8+size_of_share. So at maximum you have 56+ size_of_share. The minimum limit is 512, and to reach that you need 456 byte share. The only things that have shares of that size are groups 258, 259 and 260. And none of those would seem to be likely implemented by any device that uses max_fragment_length. For 1024-byte limit, you have 968 bytes, which is only exceeded by group 260. And for higher 2048 and 4096 byte limits, no current group is big enough to blow the size limits. -Ilari
- [TLS] TLS 1.3 and max_fragment_length Martin Thomson
- Re: [TLS] TLS 1.3 and max_fragment_length Ilari Liusvaara
- Re: [TLS] TLS 1.3 and max_fragment_length Yoav Nir
- Re: [TLS] TLS 1.3 and max_fragment_length Ilari Liusvaara
- Re: [TLS] TLS 1.3 and max_fragment_length Yoav Nir
- Re: [TLS] TLS 1.3 and max_fragment_length Benjamin Kaduk
- Re: [TLS] TLS 1.3 and max_fragment_length Martin Thomson