Change SERVER_HELLO_MAX_LENGTH constant

[baentsch]

With the OpenSSL3 capability to add new types of TLS (1.3) groups via providers, new cryptographic mechanisms can be added changing the contents and lengths of different TLS (1.3) fields. A concrete example is the addition of PQC algorithms with large KEM (ciphertext) structures, already going beyond the limits imposed by this constant:

openssl/ssl/statem/statem_local.h

Line 22 in 5eb24fb

#define SERVER_HELLO_MAX_LENGTH 20000

As discussed here, not changing this constant means that some PQC algorithms simply cannot run within OpenSSL3 just because of this constant. The TLS specification does permit higher values.

Before merely proposing a pragmatically simple change-of-constant (to 30000 as that value served the OQS integration well so far) the computer scientist in me would prefer a discussion on a possible (probably provider-driven) general mechanism for this. I'd surely at least invite @mattcaswell @dstebila @christianpaquin @romen @t8m to chime in. The more general question may be whether more than just SERVER_HELLO_MAX_LENGTH should be updated/become updateable.

[mattcaswell]

The definition of ServerHello from RFC 8446 is:

      struct {
          ProtocolVersion legacy_version = 0x0303;    /* TLS v1.2 */
          Random random;
          opaque legacy_session_id_echo<0..32>;
          CipherSuite cipher_suite;
          uint8 legacy_compression_method = 0;
          Extension extensions<6..2^16-1>;
      } ServerHello;

This means, if I'm doing my sums right, the theoretical maximum size is:

  2 (legacy_version)
+ 32 (random)
+ 1 + 32 (legacy_session_id_echo)
+ 2 (cipher_suite)
+ 1 (legacy compression_method)
+ 2 + 2^16 - 1 (extensions)
= 65607

I'd be tempted to just go with that.

The alternative is a more complex mechanism to calculate a maximum based on the maximum size of all available groups and all other known extensions. I'm not sure this is justified. The length check was only ever intended as a quick sanity check to make sure message sizes look about right.

[t8m]

I am with @mattcaswell on this. The maximum length given by the RFC is not as big as it would impose any serious concerns about possible DoS so why not go with it right away.

[baentsch]

The alternative is a more complex mechanism to calculate a maximum based on the maximum size of all available groups and all other known extensions. I'm not sure this is justified.

Agree, it isn't: A single PQC algorithm/group breaks the 20000 limit. If we'd calculate everything theoretically possible we'd blow way past what the spec permits.

My only concern with such a drastic increase is that it might tax (read: break) embedded OpenSSL implementations. But then again, that would a) mean they violate the spec and b) this is just a theoretical maximum that most likely will never happen.

So, I guess your proposal makes most sense -- albeit, my calculation does not include the 2 bytes for ExtensionType: I'd give the more conservative <6..2^16-1> notation in the ServerHello struct preference over the subsequent

struct {
        ExtensionType extension_type;
        opaque extension_data<0..2^16-1>;
    } Extension;

arriving at 65605 instead.

[richsalz]

Please do not increase the size used by 40K without an option to turn it off. For a server with a thousand connections, you're talking 40Meg of space. I suppose something like this would be okay:

#ifndef SERVER_HELL_MAX_LENGTH
# define SERVER_HELLO_MAX_LENGTH         20000 
#endif

But you must document this 40K/connection increase in size!

My preference is that this doesn't change. Put the burden of folks playing with PQC to make the change themselves. (Use the ifndef so it can be a simple matter of ./config -DSERVER_HELLO_MAX_LENGTH 65535 for example.)

[mattcaswell]

My calcaulation was using the <6..2^16-1> notation. That actually always means 2 + 2^16 - 1 of "on the wire" bytes due to this:

   Variable-length vectors are defined by specifying a subrange of legal
   lengths, inclusively, using the notation <floor..ceiling>.  When
   these are encoded, the actual length precedes the vector's contents
   in the byte stream.  The length will be in the form of a number
   consuming as many bytes as required to hold the vector's specified
   maximum (ceiling) length.  A variable-length vector with an actual
   length field of zero is referred to as an empty vector.

      T T'<floor..ceiling>;

   In the following example, "mandatory" is a vector that must contain
   between 300 and 400 bytes of type opaque.  It can never be empty.
   The actual length field consumes two bytes, a uint16, which is
   sufficient to represent the value 400 (see Section 3.3).  Similarly,
   "longer" can represent up to 800 bytes of data, or 400 uint16
   elements, and it may be empty.  Its encoding will include a two-byte
   actual length field prepended to the vector.  The length of an
   encoded vector must be an exact multiple of the length of a single
   element (e.g., a 17-byte vector of uint16 would be illegal).

      opaque mandatory<300..400>;
            /* length field is two bytes, cannot be empty */
      uint16 longer<0..800>;
            /* zero to 400 16-bit unsigned integers */

[mattcaswell]

Please do not increase the size used by 40K without an option to turn it off. For a server with a thousand connections, you're talking 40Meg of space.

This doesn't make any difference to allocated space on the server. This value is just used as a sanity check to verify that the incoming message size looks sane. It actually happens after we've already decrypted it so its already been allocated on the server anyway. It's just an early bale out without having to try and parse it in the event that it looks too long.

[richsalz]

This doesn't make any difference to allocated space on the server.

Thanks for the explanation/correction.

Would still like to see the ifndef.

[baentsch]

My preference is that this doesn't change. Put the burden of folks playing with PQC to make the change themselves. (Use the ifndef so it can be a simple matter of ./config -DSERVER_HELLO_MAX_LENGTH 65535 for example.)

This is for enabling OpenSSL to utilize correctly providers equally correctly "playing by the book" (TLS specs), PQC or otherwise. The oqsprovider just demonstrated the issue. I would agree it's unlikely that such enormously large (PQC) algorithms will eventually be used in production -- but again, this is permitted by the specs.

[t8m]

Would still like to see the ifndef.

This change actually should not affect servers at all, just clients. I do not think the ifndef is
needed.