Closed Bug 1712879 Opened 3 years ago Closed 3 years ago

Include bogus PSK when attempting ECH

Categories

(NSS :: Libraries, enhancement, P1)

Product:
NSS
Component:
Libraries
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mt, Assigned: mt)

References

(Blocks 1 open bug)

Details

(Whiteboard: [nss-fx])

Attachments

(4 files)

Bug 1712879 - Scramble the PSK extension in CHOuter. r=bbeurdouche,mt
(deleted), text/x-phabricator-request
Details
Bug 1712879 - Allow for compressed, non-contiguous, extensions r=mt
(deleted), text/x-phabricator-request
Details
Bug 1712879 - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello r=mt
(deleted), text/x-phabricator-request
Details
Bug 1712879 - Add test cases for ECH compression and unexpected extensions in SH. r=mt
(deleted), text/x-phabricator-request
Details

Recent changes to ECH include a change that allows the PSK extension to appear in CHOuter. This minimizes the extent to which CHOuter can be distinguished as such. This will make the message larger, but should make it less obvious when PSKs are used.

We can do this by keeping the PSK extension (we currently trim it off). To avoid leaking information (other than the PSK ID length), the values can be replaced with random garbage.

I don't think that it is great that we leak the PSK ID length in this way, but we don't have any good information about that, and the length isn't protected by padding in CHInner. Overall, it's probably safest to keep the length for the bogus extension.

Depends on D115852

Attachment #9223501 - Attachment description: WIP: Bug 1712879 - Scramble the PSK extension in CHOuter → Bug 1712879 - Scramble the PSK extension in CHOuter
Attachment #9223501 - Attachment description: Bug 1712879 - Scramble the PSK extension in CHOuter → WIP: Bug 1712879 - Scramble the PSK extension in CHOuter
Priority: -- → P1
Whiteboard: [nss-fx]

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:mt, could you have a look please?
For more information, please visit auto_nag documentation.

Flags: needinfo?(mt)
Flags: needinfo?(bbeurdouche)
Blocks: ech
Severity: -- → N/A
Flags: needinfo?(bbeurdouche)

In Draft 13, clients can now compress extensions which are non-contiguous but in-order.
This changeset removes the logic handling this.

Previously, we only tracked whether we'd advertised an extension at all. This change allows us to track the advertisements for both the Outer and Inner Client Hello seperately. If the server accepts ECH but includes an extension we only offered in the Outer Client Hello, we will send an alert.

As a side-effect, if the client offers an extension in the ClientHelloInner which is not offered in the ClientHelloOuter and the server accepts, we will send the same alert. It is unclear whether this is desirable behavior or not - since if we did not alert this would allow a network observer to distinguish whether ECH was used.

Attachment #9240477 - Attachment description: WIP: Bug 1712879 - Allow for compressed, non-contiguous, extensions → Bug 1712879 - Allow for compressed, non-contiguous, extensions
Attachment #9240532 - Attachment description: WIP: Bug 1712879 - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello → Bug 1712879 - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello
Attachment #9223501 - Attachment description: WIP: Bug 1712879 - Scramble the PSK extension in CHOuter → Bug 1712879 - Scramble the PSK extension in CHOuter. r=bbeurdouche,mt
Attachment #9240477 - Attachment description: Bug 1712879 - Allow for compressed, non-contiguous, extensions → Bug 1712879 - Allow for compressed, non-contiguous, extensions r=mt
Attachment #9240532 - Attachment description: Bug 1712879 - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello → Bug 1712879 - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello r=mt
  • Update the test custom extension injectors to create large (1024 byte) extensions
  • Update the compression tests to verify that compression ocurrs correctly.
  • Add tests to ensure that when accepting ECH, the client rejects Xtns which are only
    valid for the CHO and vice versa

Depends on D130698

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: