Add support for datagram packing #1918
Conversation
`mbedtls_ssl_get_record_expansion()` is supposed to return the maximum
difference between the size of a protected record and the size of the
encapsulated plaintext.
It had the following two bugs:
(1) It did not consider the new ChaChaPoly ciphersuites, returning
the error code #MBEDTLS_ERR_SSL_INTERNAL_ERROR in this case.
(2) It did not correctly estimate the maximum record expansion in case
of CBC ciphersuites in (D)TLS versions 1.1 and higher, in which
case the ciphertext is prefixed by an explicit IV.
This commit fixes both bugs.
hanno-becker
changed the title
hanno-becker
force-pushed
the
datagram_packing
branch
from
58b29ac to
3f24fda
Compare
hanno-becker
changed the title
|
This is on hold until the test failures in #1879 have been resolved. |
|
All CI interoperability failures on the underlying #1879 have been understood and seen as not caused by an issue in Mbed TLS; see IOTSSL-2401. Testing this again. |
|
retest |
hanno-becker
added
needs-review
|
@mpg @AndrzejKurek Do you think you will have time to review this? |
|
Yes, I'll review this next week! |
|
The introduction of datagram packing significantly changes the nature of the proxy tests in I believe we should consider ways around this, for example
Leaving tests aside, the only practical reason I see for allowing to disable datagram packing are potential interoperability issues with peers that happen to have problems receiving packed datagrams, but this seems quite unlikely. Going through the options, the following are the consequences to the test system for each of them:
@mpg What do you think? |
|
@hanno-arm I'll reply to those question later because I have to go now, but I wanted to let you know I've put up a new PR with the fragmentation work here: #1918 It has a cleaner history, fixes for a few bugs, more tests for MTU settings, and should pass CI (as it doesn't have the problematic interop tests yet). I'd like to suggest you rebase your work on the new branch of mine, in order to have a cleaner history (currently there are a number of WIP/temporary/revert commits in the history) and the bug fixes. |
|
Thanks @mpg, I will do the rebase in the meantime. |
hanno-becker
force-pushed
the
datagram_packing
branch
from
3fa6a52 to
390d64f
Compare
I'm not sure. IIRC, OpenSSL starts by sending packed datagrams, then if it has to retransmit tries unpacked, then it if has to retransmit again, it starts lowering the "estimated handshake MTU" and fragmenting if necessary. I don't think I've seen it stated anywhere, but I always assumed this was in order to enhance compatibility with peers that might not support datagram packing. However perhaps I'm misinterpreting, and even if I'm not, perhaps this is no longer a concern these days. Anyway, I'm inclined to go for option 2 (dynamic setting of this behaviour) unless you think that will make the code too complex. If we don't got for option 2, I quite dislike option 1 (static setting) as we have too many build options to test already, but before we go for option 3 I'd like to suggest option 4: find a peer that doesn't pack (I think you mentioned recently that |
hanno-becker
force-pushed
the
datagram_packing
branch
from
390d64f to
85f4225
Compare
|
@mpg Thank you for your feedback. I don't expect it to be difficult to enable/disable datagram packing dynamically, and I'll do the corresponding change. In the meantime, I implemented datagram splitting on the UDP proxy, which I think is a feature worth having in any case, complementing the datagram packing ability of the UDP proxy that we already have; in conjunction, both would e.g. allow to reorder records within a single datagram, which is not something you would practically expect to happen, but still worth testing, as it tests that we don't make make any ordering assumptions from the fact that records come within the same datagram. |
|
Aw, github is now showing commit in the wrong order. Apparently it does this on purpose because it's "a space for discussion" - well I find it much easier to discuss a series of commits when it's presented in its logical order. Anyway, reviewers beware of the github interface. Thankfully |
|
@hanno-arm Thanks for reworking the history! However I'm afraid you didn't quite rebase on top of #1939, but rather cherry-picked it or something. As a result, all the commits from #1939 are present with a different commit ID, which means when both PRs are merged, the history will contains "duplicate" commits with the same title and date but different hashes, which I tend to find pretty annoying when searching the history later on. I fixed the issue by In the future, tempted to base a branch on two other branches (that are also going to be merged independently), we should base on one and merge the other in, in order to avoid near-duplicate commits in the overall history. |
hanno-becker
force-pushed
the
datagram_packing
branch
2 times, most recently
from
138648f to
c5438d8
Compare
|
@mpg I have pushed some commits to address your comments, and left a comment on your point in regards to the length check in |
This commit introduces some tests to ssl-opt.sh checking that
setting the MFL limits the MTU to MFL + { Maximum Record Expansion }.
|
@mpg Tests checking the MFL effectively restricting the MTU are currently failing, I am investigating. |
The negotiated MFL is always the one suggested by the client, even if the server has a smaller MFL configured locally. Hence, in the test where the client asks for an MFL of 4096 bytes while the server locally has an MFL of 512 bytes configured, the client will still send datagrams of up to ~4K size.
|
One of the tests I just added to |
tests/ssl-opt.sh
Outdated
| @@ -5020,6 +5020,10 @@ run_test "DTLS fragmenting: server only (max_frag_len)" \ | |||
| -c "found fragmented DTLS handshake message" \ | |||
| -C "error" | |||
|
|
|||
| # With the MFL extension, the server has no way of forcing | |||
There was a problem hiding this comment.
I think you just re-discovered our biggest issue with the MFL extension :) Fortunately the IETF has a replacement underway: https://tools.ietf.org/html/draft-ietf-tls-record-limit-03#section-3
|
Note: |
There was a problem hiding this comment.
I'm okay with the PR -as-is- but I'd like to document our use of --insecure in gnutls-cli. I don't want to delay merging this PR, so @hanno-arm, can you please raise a secondary PR to fix this? (Assuming you don't disagree!). If you don't agree, please reply to this PR.
tests/ssl-opt.sh
Outdated
| @@ -5459,35 +5515,31 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \ | |||
| -c "fragmenting handshake message" \ | |||
| -C "error" | |||
|
|
|||
| # gnutls-cli always tries IPv6 first, and doesn't fall back to IPv4 with DTLS | |||
| requires_ipv6 | |||
| requires_config_enabled MBEDTLS_SSL_PROTO_DTLS | |||
There was a problem hiding this comment.
I think we need to have a comment here that explains and justifies the use of --insecure here and below.
simonbutcher
added
approved
Force using IPv4 in the GNU_CLI SRTP tests, as introduced for other tests in Mbed-TLS#1918.
Force using IPv4 in the GNU_CLI SRTP tests, as introduced for other tests in Mbed-TLS#1918.
Force using IPv4 in the GNU_CLI SRTP tests, as introduced for other tests in Mbed-TLS#1918.
Force using IPv4 in the GNU_CLI SRTP tests, as introduced for other tests in Mbed-TLS#1918. Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
Force using IPv4 in the GNU_CLI SRTP tests, as introduced for other tests in Mbed-TLS#1918. Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
Force using IPv4 in the GNU_CLI SRTP tests, as introduced for other tests in Mbed-TLS#1918. Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
Force using IPv4 in the GNU_CLI SRTP tests, as introduced for other tests in Mbed-TLS#1918.
Force using IPv4 in the GNU_CLI SRTP tests, as introduced for other tests in Mbed-TLS#1918. Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
Force using IPv4 in the GNU_CLI SRTP tests, as introduced for other tests in Mbed-TLS#1918. Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
Force using IPv4 in the GNU_CLI SRTP tests, as introduced for other tests in Mbed-TLS#1918. Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
Force using IPv4 in the GNU_CLI SRTP tests, as introduced for other tests in Mbed-TLS#1918. Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
Summary: This PR adds support for stacking multiple records in a single datagram, based on the ongoing work to support outgoing handshake fragmentation in #1939. The first new commit is 5aa4e2c.