Fix dlts_get_max_record_overhead()#19516
Closed
mattcaswell wants to merge 3 commits intoopenssl:masterfrom
Stitched ciphersuites can grow by more during encryption than the code allowed for. We fix the calculation and add an assert to check we got it right.
We fix dtls_get_max_record_overhead() to give a better value for the max record overhead. We can't realistically handle the compression case so we just ignore that.
hlandau
approved these changes
Oct 27, 2022
Member
Author
Ping for second review?
paulidale
approved these changes
Nov 3, 2022
Contributor
paulidale
left a comment
I'm sure I'd already reviewed this 😕
Collaborator
This pull request is ready to merge
openssl-machine
pushed a commit
that referenced
this pull request
Nov 7, 2022
Stitched ciphersuites can grow by more during encryption than the code allowed for. We fix the calculation and add an assert to check we got it right.
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Hugo Landau <[email protected]>
(Merged from #19516)
openssl-machine
pushed a commit
that referenced
this pull request
Nov 7, 2022
We fix dtls_get_max_record_overhead() to give a better value for the max record overhead. We can't realistically handle the compression case so we just ignore that.
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Hugo Landau <[email protected]>
(Merged from #19516)
openssl-machine
pushed a commit
that referenced
this pull request
Nov 7, 2022
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Hugo Landau <[email protected]>
(Merged from #19516)
Member
Author
Oops. I might have prematurely merged this. CI failure looks potentially relevant. Investigating...
Member
Author
Why did openssl-machine add "ready to merge" when there was a CI failure??
Member
That's interesting. I've never seen such an occurrence before.
Member
Author
Fix in #19622
The calculation of the maximum DTLS record overhead was incorrect which means that we could exceed the MTU in some situations. We fix the calculation to take account of more sources of record overhead. We ignore potential overheads due to expansion after compression. At the time we make the calculation we don't know how long the record will be yet. However we can't accurately calculate the expansion without knowing that length. Just using a fallback expansion value for the worst case scenario doesn't help because that value is too high and is bigger than our fallback MTU size.
Testing this was tricky. The best solution I've come up with is to add an assert into statem_dtls.c to verify that we never exceed the MTU. Without the fix in dtls_get_max_record_overhead() this causes the existing test suite to fail. With the fix the test suite still passes.
While investigating this problem I spotted and fixed a different but related problem in tls_common.c. We calculate the maximum amount of growth we might expect to see during an encryption operation and reserve that many bytes in the WPACKET. Unfortunately the calculation was wrong, which means that the encryption can overflow the number of bytes reserved for it. In practice this isn't really an issue because the underlying buffer is still sufficiently large.
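As an added illustration (not the PR's own code or OpenSSL's), here is the shape of the worst-case record overhead bound the description talks about, the exact record length it has to cover, and the MTU property the new assert expresses, for DTLS 1.2 CBC and AEAD suites. The `dtls_cipher` type, the function names and the two sample suites are hypothetical and constructed for the example; compression is ignored, as the PR does.

```c
#include <stddef.h>
/* Hypothetical cipher description for this illustration (not OpenSSL's SSL_CIPHER). */
enum cipher_kind { CIPHER_CBC, CIPHER_AEAD };
struct dtls_cipher {
    enum cipher_kind kind;
    size_t block_size;  /* CBC block size, 0 for AEAD */
    size_t mac_len;     /* HMAC length (CBC) or tag length (AEAD) */
    size_t explicit_iv; /* explicit IV (CBC) or explicit nonce (AEAD) sent on the wire */
};

/* DTLS record header: type(1) version(2) epoch(2) sequence(6) length(2) */
#define DTLS_RECORD_HEADER_LEN 13

/* Worst-case bytes a record adds to a plaintext fragment of any length.
 * Compression expansion is ignored, as the PR does. */
size_t dtls_max_record_overhead(const struct dtls_cipher *c)
{
    size_t overhead = DTLS_RECORD_HEADER_LEN + c->explicit_iv + c->mac_len;
    if (c->kind == CIPHER_CBC)
        overhead += c->block_size; /* padding is 1..block_size bytes */
    return overhead;
}

/* Exact on-the-wire record length for one plaintext fragment. */
size_t dtls_record_len(const struct dtls_cipher *c, size_t plain_len)
{
    size_t body = plain_len + c->mac_len;
    if (c->kind == CIPHER_CBC) {
        body += 1; /* pad-length byte, then round up to a whole block */
        body = (body + c->block_size - 1) / c->block_size * c->block_size;
    }
    return DTLS_RECORD_HEADER_LEN + c->explicit_iv + body;
}

/* The property the PR's assert checks: a fragment sized from the overhead bound
 * never yields a record larger than the MTU (1 if it holds for every length). */
int dtls_fragments_fit_mtu(const struct dtls_cipher *c, size_t mtu)
{
    size_t overhead = dtls_max_record_overhead(c), n;
    if (mtu <= overhead)
        return 0;
    for (n = 0; n <= mtu - overhead; n++)
        if (dtls_record_len(c, n) > mtu)
            return 0;
    return 1;
}

/* Constructed sample suites: AES-128-CBC with HMAC-SHA1, and AES-128-GCM. */
const struct dtls_cipher aes128_cbc_sha1 = { CIPHER_CBC, 16, 20, 16 };
const struct dtls_cipher aes128_gcm = { CIPHER_AEAD, 0, 16, 8 };
```

An undersized bound (for example, forgetting the explicit IV or the full block of padding) makes dtls_fragments_fit_mtu() return 0 for some fragment lengths, which is exactly the condition the new assert in statem_dtls.c catches.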