Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MessageFragmenter doesn't take account of encryption overhead #991

Open
ctz opened this issue Jan 29, 2022 · 3 comments
Open

MessageFragmenter doesn't take account of encryption overhead #991

ctz opened this issue Jan 29, 2022 · 3 comments

Comments

@ctz
Copy link
Member

ctz commented Jan 29, 2022
edited

If we set ServerConfig::max_fragment_size or ClientConfig::max_fragment_size it is expected that all the TLS messages are no larger than this. However, this is only true if the messages are unencrypted: after that the sizes are larger by the encryption overhead.

This means, setting max_fragment_size to Some(64), the message sizes are:

64, 64, 9, 6, 32, 81, 81, 81, 81, 81, 81, 81, 81, 81, 81, 81, 81, 81, 81, 81, 81
@jbr
Copy link
Contributor

jbr commented Jan 10, 2023

I'm reading RFC 6066 and it seems like 81 would be a reasonable length at the record layer since that the max_fragment_size limits plaintext length, not the protected length at the record layer.

The negotiated length limits the input that the record layer may
process without fragmentation (that is, the maximum value of
TLSPlaintext.length; see [RFC5246], Section 6.2.1). Note that the
output of the record layer may be larger. For example, if the
negotiated length is 2^9=512, then, when using currently defined
cipher suites (those defined in [RFC5246] and [RFC2712]) and null
compression, the record-layer output can be at most 805 bytes: 5
bytes of headers, 512 bytes of application data, 256 bytes of
padding, and 32 bytes of MAC. This means that in this event a TLS
record-layer peer receiving a TLS record-layer message larger than
805 bytes MUST discard the message and send a "record_overflow"
alert, without decrypting the message. When this extension is used
with Datagram Transport Layer Security (DTLS), implementations SHOULD
NOT generate record_overflow alerts unless the packet passes message
authentication.

If I'm misreading that, would we need to determine the record payload protection overhead before fragmenting in order to fragment shorter?

@ctz
Copy link
Member Author

ctz commented Jan 11, 2023

We don't implement RFC6066 max_fragment_size negotiation (reasons here: #585 (comment)); instead we just have a control for the size of fragments we produce. The goal for that feature is that applications can provide their TCP MSS and always get TLS fragments that fit in one TCP packet.

would we need to determine the record payload protection overhead before fragmenting in order to fragment shorter?

Yes I think so.

@ctz
Copy link
Member Author

ctz commented Dec 1, 2023

#1579 is relevant to this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jbr @ctz