[I split this off from #698 so that #698 can be just about large messages.]
Zero-length fragments are not accepted in TLS 1.3, and zero-length plaintext handshake fragments are not accepted for TLS 1.2. Only TLS 1.2 encrypted application data records should be accepted if they have length 0. This should be enforced in the deframer, I think.
There are two issues with zero-length fragments: (1) We might be busy doing a lot of work, but not making any progress; this can be hard to detect by DoS countermeasures above and below Rustls in the network stack. (2) Some of our limits on memory usage are probably measuring memory usage without considering all the overheads; with many zero-length/tiny fragments, the overhead being ignored could end up being larger than what we measure to enforce the limits. For (2) one solution would be to always measure the full cost when computing a limit.
[I split this off from #698 so that #698 can be just about large messages.]
Zero-length fragments are not accepted in TLS 1.3, and zero-length plaintext handshake fragments are not accepted for TLS 1.2. Only TLS 1.2 encrypted application data records should be accepted if they have length 0. This should be enforced in the deframer, I think.
There are two issues with zero-length fragments: (1) We might be busy doing a lot of work, but not making any progress; this can be hard to detect by DoS countermeasures above and below Rustls in the network stack. (2) Some of our limits on memory usage are probably measuring memory usage without considering all the overheads; with many zero-length/tiny fragments, the overhead being ignored could end up being larger than what we measure to enforce the limits. For (2) one solution would be to always measure the full cost when computing a limit.