[gnutls-devel] GnuTLS | Do not forbid excess random padding in TLS1.x CBC ciphersuites (!1054)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sun Sep 8 12:18:29 CEST 2019




Nikos Mavrogiannopoulos commented:


@tomato42 what you raised in private email regarding the text of RFC 5246:
```
   record_overflow
      A TLSCiphertext record was received that had a length more than
      2^14+2048 bytes, or a record decrypted to a TLSCompressed record
      with more than 2^14+1024 bytes.  This message is always fatal and
      should never be observed in communication between proper
      implementations (except when messages were corrupted in the
      network).
```

This is a description of the alert, with some informal(?) way to apply it. The actual behavior the RFC mandates is:
```
   length
      The length (in bytes) of the following TLSPlaintext.fragment.  The
      length MUST NOT exceed 2^14.
```

That's what gnutls enforces, and it does it by calculating in `_gnutls_epoch_set_keys` the maximum overhead required by this particular ciphersuite. It does not use the number 1024, as this looks like an arbitrary max limit. This change relaxes the strict calculation of the ciphersuite overhead for the CBC ciphersuites, by allowing 256 bytes of additional data as in TLS 1.3. That's in accordance with the guidance but smaller than 1024.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1054#note_213867791
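
The length limits discussed in the message above, as an added example that is not part of the original email and is not GnuTLS code. It models a TLS 1.1/1.2 CBC record (explicit IV, content, MAC, padding, padding-length byte) and compares a strict per-ciphersuite limit with the same limit plus the 256-byte allowance; the struct, the function names and the "minimal padding" model of the strict calculation are assumptions made for illustration.

```c
#include <stdio.h>

#define MAX_PLAINTEXT  16384u                  /* 2^14: RFC 5246 limit on TLSPlaintext.length */
#define RFC_CIPHER_MAX (MAX_PLAINTEXT + 2048u) /* RFC 5246 limit on TLSCiphertext.length */
#define EXTRA_PADDING  256u                    /* allowance described in the message */

/* Sizes in bytes for one CBC suite; hypothetical struct, not a GnuTLS type. */
struct cbc_suite { unsigned block, iv, mac; };

/* On-wire length of a CBC record carrying `content` bytes with `pad` padding
 * bytes plus the padding_length byte. Returns 0 when `pad` exceeds 255 or
 * does not align the encrypted part to the cipher block size. */
unsigned cbc_record_len(const struct cbc_suite *s, unsigned content, unsigned pad)
{
    unsigned enc = content + s->mac + pad + 1;
    if (pad > 255 || enc % s->block != 0)
        return 0;
    return s->iv + enc;
}

/* Smallest padding (0..block-1 bytes) that block-aligns this content length. */
unsigned min_pad(const struct cbc_suite *s, unsigned content)
{
    unsigned rem = (content + s->mac + 1) % s->block;
    return rem ? s->block - rem : 0;
}

/* Strict limit (assumed model): largest record a minimal-padding sender emits. */
unsigned strict_max(const struct cbc_suite *s)
{
    return cbc_record_len(s, MAX_PLAINTEXT, min_pad(s, MAX_PLAINTEXT));
}

/* Relaxed limit: the strict overhead plus 256 bytes of additional data. */
unsigned relaxed_max(const struct cbc_suite *s) { return strict_max(s) + EXTRA_PADDING; }

/* 1 if a record of `len` bytes fits the limit; 0 would map to record_overflow. */
int accept_len(unsigned len, unsigned limit) { return len != 0 && len <= limit; }

int main(void)
{
    struct cbc_suite s = { 16, 16, 20 };  /* constructed sample: AES-CBC with HMAC-SHA1 */
    /* Full-size plaintext with the longest valid padding (251 bytes here). */
    unsigned len = cbc_record_len(&s, MAX_PLAINTEXT, min_pad(&s, MAX_PLAINTEXT) + 240);
    printf("record=%u strict=%u relaxed=%u rfc=%u\n",
           len, strict_max(&s), relaxed_max(&s), RFC_CIPHER_MAX);
    printf("strict accepts: %d, relaxed accepts: %d\n",
           accept_len(len, strict_max(&s)), accept_len(len, relaxed_max(&s)));
    return 0;
}
```

Because valid padding never exceeds 255 bytes, the excess over minimal padding is always below 256, so under this model the relaxed limit admits every correctly padded full-size record while staying under the 2^14+2048 ceiling.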