| Hanno Becker | 0c3bebf | 2020-06-02 06:32:43 +0100 | [diff] [blame] | 1 | TLS 1.3 Experimental Developments |
| Hanno Becker | 9338f9f | 2020-05-31 07:39:50 +0100 | [diff] [blame] | 2 | ================================= |
| 3 | |
| 4 | Overview |
| 5 | -------- |
| 6 | |
| 7 | Mbed TLS doesn't support the TLS 1.3 protocol yet, but a prototype is in development. |
| 8 | Stable parts of this prototype that can be independently tested are being successively |
| 9 | upstreamed under the guard of the following macro: |
| 10 | |
| 11 | ``` |
| 12 | MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL |
| 13 | ``` |
| 14 | |
| 15 | This macro will likely be renamed to `MBEDTLS_SSL_PROTO_TLS1_3` once a minimal viable |
| 16 | implementation of the TLS 1.3 protocol is available. |
| 17 | |
| Bence Szépkúti | bb0cfeb | 2021-05-28 09:42:25 +0200 | [diff] [blame] | 18 | See the [documentation of `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`](../../include/mbedtls/mbedtls_config.h) |
| Hanno Becker | 9338f9f | 2020-05-31 07:39:50 +0100 | [diff] [blame] | 19 | for more information. |
| 20 | |
| 21 | Status |
| 22 | ------ |
| 23 | |
| 24 | The following lists which parts of the TLS 1.3 prototype have already been upstreamed |
| 25 | together with their level of testing: |
| 26 | |
| 27 | * TLS 1.3 record protection mechanisms |
| 28 | |
| 29 | The record protection routines `mbedtls_ssl_{encrypt|decrypt}_buf()` have been extended |
| 30 | to support the modified TLS 1.3 record protection mechanism, including modified computation |
| 31 | of AAD, IV, and the introduction of a flexible padding. |
| 32 | |
| 33 | Those record protection routines have unit tests in `test_suite_ssl` alongside the |
| 34 | tests for the other record protection routines. |
| 35 | |
| 36 | TODO: Add some test vectors from RFC 8448. |
| Hanno Becker | 5a83d29 | 2020-06-02 06:33:00 +0100 | [diff] [blame] | 37 | |
| 38 | - The HKDF key derivation function on which the TLS 1.3 key schedule is based, |
| 39 | is already present as an independent module controlled by `MBEDTLS_HKDF_C` |
| 40 | independently of the development of the TLS 1.3 prototype. |
| Hanno Becker | b11c309 | 2020-08-10 17:00:19 +0100 | [diff] [blame] | 41 | |
| 42 | - The TLS 1.3-specific HKDF-based key derivation functions (see RFC 8446): |
| 43 | * HKDF-Expand-Label |
| 44 | * Derive-Secret |
| 45 | - Secret evolution |
| 46 | * The traffic {Key,IV} generation from secret |
| 47 | Those functions are implemented in `library/ssl_tls13_keys.c` and |
| 48 | tested in `test_suite_ssl` using test vectors from RFC 8448 and |
| 49 | https://tls13.ulfheim.net/. |
| Hanno Becker | 7594c68 | 2021-03-05 05:17:11 +0000 | [diff] [blame] | 50 | |
| 51 | - New TLS Message Processing Stack (MPS) |
| 52 | |
| 53 | The TLS 1.3 prototype is developed alongside a rewrite of the TLS messaging layer, |
| 54 | encompassing low-level details such as record parsing, handshake reassembly, and |
| 55 | DTLS retransmission state machine. |
| 56 | |
| 57 | MPS has the following components: |
| 58 | - Layer 1 (Datagram handling) |
| 59 | - Layer 2 (Record handling) |
| 60 | - Layer 3 (Message handling) |
| 61 | - Layer 4 (Retransmission State Machine) |
| 62 | - Reader (Abstracted pointer arithmetic and reassembly logic for incoming data) |
| 63 | - Writer (Abstracted pointer arithmetic and fragmentation logic for outgoing data) |
| 64 | |
| 65 | Of those components, the following have been upstreamed |
| 66 | as part of `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`: |
| 67 | |
| 68 | - Reader ([`library/mps_reader.h`](../../library/mps_reader.h)) |
| Ronald Cron | 3785c90 | 2021-09-20 09:05:36 +0200 | [diff] [blame] | 69 | |
| 70 | |
| 71 | MVP definition |
| 72 | -------------- |
| 73 | |
| 74 | The TLS 1.3 MVP implements only the client side of the protocol. |
| 75 | The TLS 1.3 MVP does not support the handling of server HelloRetryRequest and |
| 76 | CertificateRequest messages. If it receives one of those messages, it aborts |
| Ronald Cron | 004df8a | 2021-09-27 12:12:00 +0200 | [diff] [blame] | 77 | the handshake with an handshake_failure closure alert and the |
| 78 | `mbedtls_ssl_handshake()` returns in error with the |
| 79 | `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE` error code. |
| Ronald Cron | 3785c90 | 2021-09-20 09:05:36 +0200 | [diff] [blame] | 80 | |
| 81 | - Supported cipher suites: depends on the library configuration. Potentially |
| 82 | all of them: |
| 83 | TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, |
| 84 | TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256. |
| 85 | |
| 86 | - Supported ClientHello extensions: |
| 87 | |
| Ronald Cron | 023987f | 2021-09-27 11:59:25 +0200 | [diff] [blame] | 88 | | Extension | MVP | Prototype (1) | |
| 89 | | ---------------------------- | ------- | ------------- | |
| Ronald Cron | 85e5108 | 2021-09-27 12:13:16 +0200 | [diff] [blame] | 90 | | server_name | YES | YES | |
| Ronald Cron | 023987f | 2021-09-27 11:59:25 +0200 | [diff] [blame] | 91 | | max_fragment_length | no | YES | |
| 92 | | status_request | no | no | |
| 93 | | supported_groups | YES | YES | |
| 94 | | signature_algorithms | YES | YES | |
| 95 | | use_srtp | no | no | |
| 96 | | heartbeat | no | no | |
| 97 | | apln | no | YES | |
| 98 | | signed_certificate_timestamp | no | no | |
| 99 | | client_certificate_type | no | no | |
| 100 | | server_certificate_type | no | no | |
| 101 | | padding | no | no | |
| Ronald Cron | 3160d70 | 2021-09-27 13:27:21 +0200 | [diff] [blame^] | 102 | | key_share | YES (2) | YES | |
| Ronald Cron | 023987f | 2021-09-27 11:59:25 +0200 | [diff] [blame] | 103 | | pre_shared_key | no | YES | |
| 104 | | psk_key_exchange_modes | no | YES | |
| 105 | | early_data | no | YES | |
| 106 | | cookie | no | YES | |
| Ronald Cron | 3160d70 | 2021-09-27 13:27:21 +0200 | [diff] [blame^] | 107 | | supported_versions | YES (3) | YES | |
| Ronald Cron | 023987f | 2021-09-27 11:59:25 +0200 | [diff] [blame] | 108 | | certificate_authorities | no | no | |
| 109 | | post_handshake_auth | no | no | |
| 110 | | signature_algorithms_cert | no | no | |
| Ronald Cron | 3785c90 | 2021-09-20 09:05:36 +0200 | [diff] [blame] | 111 | |
| Ronald Cron | 023987f | 2021-09-27 11:59:25 +0200 | [diff] [blame] | 112 | (1) This is just for comparison. |
| 113 | |
| Ronald Cron | 3160d70 | 2021-09-27 13:27:21 +0200 | [diff] [blame^] | 114 | (2) The MVP sends one shared secret corresponding to the configured preferred |
| 115 | group. The preferred group is the group of the first curve in the list of |
| 116 | allowed curves as defined by the configuration. By default, it is the |
| 117 | mandatory group as defined by section 9.1 of the specification, |
| 118 | `secp256r1`. The list of allowed curves can be set through the |
| 119 | `mbedtls_ssl_conf_curves()` API. |
| 120 | |
| 121 | (3) The MVP proposes only TLS 1.3 and does not support version negociation. |
| 122 | Out-of-protocol fallback is supported though if the Mbed TLS library |
| 123 | has been built to support both TLS 1.3 and TLS 1.2: just set the |
| 124 | maximum of the minor version of the SSL configuration to |
| 125 | MBEDTLS_SSL_MINOR_VERSION_3 (`mbedtls_ssl_conf_min_version()` API) and |
| 126 | re-initiate a server handshake. |
| Ronald Cron | 3785c90 | 2021-09-20 09:05:36 +0200 | [diff] [blame] | 127 | |
| 128 | - Supported groups: depends on the library configuration. |
| 129 | Potentially all ECDHE groups: |
| 130 | secp256r1, secp384r1, secp521r1(0x0019), x25519, x448. |
| 131 | |
| 132 | - Supported signature algorithms: depends on the library configuration. |
| 133 | Potentially: |
| 134 | ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, |
| 135 | rsa_pss_rsae_sha256. |
| 136 | |
| Ronald Cron | 3785c90 | 2021-09-20 09:05:36 +0200 | [diff] [blame] | 137 | - Support of Mbed TLS SSL/TLS related (not DTLS) features: |
| 138 | |
| 139 | The TLS 1.3 MVP is compatible with all TLS 1.2 configuration options in the |
| 140 | sense that when enabling the TLS 1.3 MVP in the library there is no need to |
| 141 | modify the configuration for TLS 1.2. Mbed TLS SSL/TLS related features are |
| 142 | not supported or not applicable to the TLS 1.3 MVP: |
| 143 | |
| Ronald Cron | 023987f | 2021-09-27 11:59:25 +0200 | [diff] [blame] | 144 | | Mbed TLS configuration option | Support | |
| 145 | | ---------------------------------------- | ------- | |
| 146 | | MBEDTLS_SSL_ALL_ALERT_MESSAGES | no | |
| 147 | | MBEDTLS_SSL_ASYNC_PRIVATE | no | |
| 148 | | MBEDTLS_SSL_CONTEXT_SERIALIZATION | no | |
| 149 | | MBEDTLS_SSL_DEBUG_ALL | no | |
| 150 | | MBEDTLS_SSL_ENCRYPT_THEN_MAC | n/a | |
| 151 | | MBEDTLS_SSL_EXTENDED_MASTER_SECRET | n/a | |
| 152 | | MBEDTLS_SSL_KEEP_PEER_CERTIFICATE | no | |
| 153 | | MBEDTLS_SSL_RENEGOTIATION | n/a | |
| 154 | | MBEDTLS_SSL_MAX_FRAGMENT_LENGTH | no | |
| 155 | | | | |
| 156 | | MBEDTLS_SSL_SESSION_TICKETS | no | |
| 157 | | MBEDTLS_SSL_EXPORT_KEYS | no (1) | |
| 158 | | MBEDTLS_SSL_SERVER_NAME_INDICATION | no | |
| 159 | | MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH | no | |
| 160 | | | | |
| 161 | | MBEDTLS_ECP_RESTARTABLE | no | |
| 162 | | MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED | no | |
| 163 | | | | |
| 164 | | MBEDTLS_KEY_EXCHANGE_PSK_ENABLED | n/a (2) | |
| 165 | | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED | n/a | |
| 166 | | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED | n/a | |
| 167 | | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED | n/a | |
| 168 | | MBEDTLS_KEY_EXCHANGE_RSA_ENABLED | n/a | |
| 169 | | MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED | n/a | |
| 170 | | MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED | n/a | |
| 171 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED | n/a | |
| 172 | | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED | n/a | |
| 173 | | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED | n/a | |
| 174 | | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED | n/a | |
| 175 | | | | |
| 176 | | MBEDTLS_USE_PSA_CRYPTO | no | |
| Ronald Cron | 3785c90 | 2021-09-20 09:05:36 +0200 | [diff] [blame] | 177 | |
| Ronald Cron | 023987f | 2021-09-27 11:59:25 +0200 | [diff] [blame] | 178 | (1) Some support has already been upstreamed but it is incomplete. |
| Ronald Cron | 1fa5088 | 2021-09-27 12:06:52 +0200 | [diff] [blame] | 179 | (2) Key exchange configuration options for TLS 1.3 will likely to be |
| 180 | organized around the notion of key exchange mode along the line |
| 181 | of the MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_NONE/PSK/PSK_EPHEMERAL/EPHEMERAL |
| 182 | runtime configuration macros. |
| Ronald Cron | 3785c90 | 2021-09-20 09:05:36 +0200 | [diff] [blame] | 183 | |
| 184 | Not in the plan yet but probably necessary for a viable client: |
| 185 | - server_name extension |
| 186 | - support for HelloRetryRequest |
| 187 | - fallback to TLS 1.2 |
| 188 | |
| 189 | Coding rules checklist for TLS 1.3 |
| 190 | ---------------------------------- |
| 191 | |
| 192 | The following coding rules are aimed to be a checklist for TLS 1.3 upstreaming |
| 193 | work to reduce review rounds and the number of comments in each round. They |
| 194 | come along (do NOT replace) the project coding rules |
| 195 | (https://tls.mbed.org/kb/development/mbedtls-coding-standards). They have been |
| 196 | established and discussed following the review of #4882 that was the |
| 197 | PR upstreaming the first part of TLS 1.3 ClientHello writing code. |
| 198 | |
| 199 | TLS 1.3 specific coding rules: |
| 200 | |
| 201 | - TLS 1.3 specific C modules, headers, static functions names are prefixed |
| 202 | with `ssl_tls1_3_`. The same applies to structures and types that are |
| 203 | internal to C modules. |
| 204 | |
| 205 | - TLS 1.3 specific exported functions, macros, structures and types are |
| 206 | prefixed with `mbedtls_ssl_tls1_3_`. |
| 207 | |
| 208 | - The names of macros and variables related to a field or structure in the |
| 209 | TLS 1.3 specification should contain as far as possible the field name as |
| 210 | it is in the specification. If the field name is `too long` and we prefer |
| 211 | to introduce some kind of abbreviation of it, use the same abbreviation |
| 212 | everywhere in the code. |
| 213 | |
| 214 | Example 1: #define CLIENT_HELLO_RANDOM_LEN 32, macro for the length of the |
| 215 | `random` field of the ClientHello message. |
| 216 | |
| 217 | Example 2 (consistent abbreviation): mbedtls_ssl_tls1_3_write_sig_alg_ext() |
| 218 | and MBEDTLS_TLS_EXT_SIG_ALG, `sig_alg` standing for |
| 219 | `signature_algorithms`. |
| 220 | |
| 221 | - Regarding vectors that are represented by a length followed by their value |
| 222 | in the data exchanged between servers and clients: |
| 223 | |
| 224 | - Use `<vector name>_len` for the name of a variable used to compute the |
| 225 | length in bytes of the vector, where <vector name> is the name of the |
| 226 | vector as defined in the TLS 1.3 specification. |
| 227 | |
| 228 | - Use `<vector_name>_len_ptr` for the name of a variable intended to hold |
| 229 | the address of the first byte of the vector length. |
| 230 | |
| 231 | - Use `<vector_name>_ptr` for the name of a variable intended to hold the |
| 232 | address of the first byte of the vector value. |
| 233 | |
| 234 | - Use `<vector_name>_end_ptr` for the name of a variable intended to hold |
| 235 | the address of the first byte past the vector value. |
| 236 | |
| 237 | Those two last idioms should lower the risk of mis-using one of the address |
| 238 | in place of the other one which could potentially lead to some nasty |
| 239 | issues. |
| 240 | |
| 241 | Example: `cipher_suites` vector of ClientHello in |
| 242 | ssl_tls1_3_write_client_hello_cipher_suites() |
| 243 | |
| 244 | size_t cipher_suites_len; |
| 245 | unsigned char *cipher_suites_len_ptr; |
| 246 | unsigned char *cipher_suites_ptr; |
| 247 | |
| 248 | - Use of MBEDTLS_BYTE_xyz, MBEDTLS_PUT/GET_xyz, MBEDTLS_SSL_CHK_BUF_PTR |
| 249 | MBEDTLS_SSL_CHK_BUF_READ_PTR macros where applicable. |
| 250 | |
| 251 | These macros were introduced after the prototype was written thus are |
| 252 | likely not to be used in prototype where we now would use them in |
| 253 | development. |
| 254 | |
| 255 | The two first types, MBEDTLS_BYTE_xyz and MBEDTLS_PUT/GET_xyz, improve |
| 256 | the readability of the code and reduce the risk of writing or reading |
| 257 | bytes in the wrong order: we should probably have only MBEDTLS_GET/PUT_*_BE |
| 258 | (BE stands for Big-Endian) macros in the TLS 1.3 code. |
| 259 | |
| 260 | The two last types, MBEDTLS_SSL_CHK_BUF_PTR and |
| 261 | MBEDTLS_SSL_CHK_BUF_READ_PTR, improve the readability of the code and |
| 262 | reduce the risk of error in the non-completely-trivial arithmetic to |
| 263 | check that we do not write or read past the end of a data buffer. The |
| 264 | usage of those macros combined with the following rule mitigate the risk |
| 265 | to read/write past the end of a data buffer. |
| 266 | |
| 267 | Examples: hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len ); |
| 268 | MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 ); |
| 269 | MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 ); |
| 270 | |
| 271 | - To mitigate what happened here |
| 272 | (https://github.com/ARMmbed/mbedtls/pull/4882#discussion_r701704527) from |
| 273 | happening again, use always a local variable named `p` for the reading |
| 274 | pointer in functions parsing TLS 1.3 data, and for the writing pointer in |
| 275 | functions writing data into an output buffer. The name `p` has been |
| 276 | chosen as it was already widely used in TLS code. |
| 277 | |
| 278 | - When an TLS 1.3 structure is written or read by a function or as part of |
| 279 | a function, provide as documentation the definition of the structure as |
| 280 | it is in the TLS 1.3 specification. |
| 281 | |
| 282 | General coding rules: |
| 283 | |
| 284 | - We prefer grouping `related statement lines` by not adding blank lines |
| 285 | between them. |
| 286 | |
| 287 | Example 1: |
| 288 | |
| 289 | ret = ssl_tls13_write_client_hello_cipher_suites( ssl, buf, end, &output_len ); |
| 290 | if( ret != 0 ) |
| 291 | return( ret ); |
| 292 | buf += output_len; |
| 293 | |
| 294 | Example 2: |
| 295 | |
| 296 | MBEDTLS_SSL_CHK_BUF_PTR( cipher_suites_iter, end, 2 ); |
| 297 | MBEDTLS_PUT_UINT16_BE( cipher_suite, cipher_suites_iter, 0 ); |
| 298 | cipher_suites_iter += 2; |
| 299 | |
| 300 | - Use macros for constants that are used in different functions, different |
| 301 | places in the code. When a constant is used only locally in a function |
| 302 | (like the length in bytes of the vector lengths in functions reading and |
| 303 | writing TLS handshake message) there is no need to define a macro for it. |
| 304 | |
| 305 | Example: #define CLIENT_HELLO_RANDOM_LEN 32 |
| 306 | |
| 307 | - When declaring a pointer the dereferencing operator should be prepended to |
| 308 | the pointer name not appended to the pointer type: |
| 309 | |
| 310 | Example: mbedtls_ssl_context *ssl; |
| 311 | |
| 312 | - Maximum line length is 80 characters. |
| 313 | |
| 314 | Exceptions: |
| 315 | |
| 316 | - string literals can extend beyond 80 characters as we do not want to |
| 317 | split them to ease their search in the code base. |
| 318 | |
| 319 | - A line can be more than 80 characters by a few characters if just looking |
| 320 | at the 80 first characters is enough to fully understand the line. For |
| 321 | example it is generally fine if some closure characters like ";" or ")" |
| 322 | are beyond the 80 characters limit. |
| 323 | |
| 324 | - When in successive lines, functions and macros parameters should be aligned |
| 325 | vertically. |
| 326 | |
| 327 | Example: |
| 328 | int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl, |
| 329 | unsigned hs_type, |
| 330 | unsigned char **buf, |
| 331 | size_t *buf_len ); |