1TLS 1.3 support
2===============
3
4Overview
5--------
6
7Mbed TLS provides an implementation of the TLS 1.3 protocol. The TLS 1.3 support
8may be enabled using the MBEDTLS_SSL_PROTO_TLS1_3 configuration option.
9
10Support description
11-------------------
12
13- Overview
14
15  - Mbed TLS implements both the client and the server side of the TLS 1.3
16    protocol.
17
18  - Mbed TLS supports ECDHE key establishment.
19
20  - Mbed TLS supports DHE key establishment.
21
22  - Mbed TLS supports pre-shared keys for key establishment, pre-shared keys
23    provisioned externally as well as provisioned via the ticket mechanism.
24
25  - Mbed TLS supports session resumption via the ticket mechanism.
26
27  - Mbed TLS supports sending and receiving early data (0-RTT data).
28
29- Supported cipher suites: depends on the library configuration. Potentially
30  all of them:
31  TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256,
32  TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256.
33
34- Supported ClientHello extensions:
35
36  | Extension                    | Support |
37  | ---------------------------- | ------- |
38  | server_name                  | YES     |
39  | max_fragment_length          | no      |
40  | status_request               | no      |
41  | supported_groups             | YES     |
42  | signature_algorithms         | YES     |
43  | use_srtp                     | no      |
44  | heartbeat                    | no      |
45  | alpn                         | YES     |
46  | signed_certificate_timestamp | no      |
47  | client_certificate_type      | no      |
48  | server_certificate_type      | no      |
49  | padding                      | no      |
50  | key_share                    | YES     |
51  | pre_shared_key               | YES     |
52  | psk_key_exchange_modes       | YES     |
53  | early_data                   | YES     |
54  | cookie                       | no      |
55  | supported_versions           | YES     |
56  | certificate_authorities      | no      |
57  | post_handshake_auth          | no      |
58  | signature_algorithms_cert    | no      |
59
60
61- Supported groups: depends on the library configuration.
62  Potentially all ECDHE groups:
63  secp256r1, x25519, secp384r1, x448 and secp521r1.
64
65  Potentially all DHE groups:
66  ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144 and ffdhe8192.
67
68- Supported signature algorithms (both for certificates and CertificateVerify):
69  depends on the library configuration.
70  Potentially:
71  ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512,
72  rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, rsa_pss_rsae_sha256,
73  rsa_pss_rsae_sha384 and rsa_pss_rsae_sha512.
74
75  Note that in absence of an application profile standard specifying otherwise
76  rsa_pkcs1_sha256, rsa_pss_rsae_sha256 and ecdsa_secp256r1_sha256 are
77  mandatory (see section 9.1 of the specification).
78
79- Supported versions:
80
81  - TLS 1.2 and TLS 1.3 with version negotiation on client and server side.
82
83  - TLS 1.2 and TLS 1.3 can be enabled in the build independently of each
84    other.
85
86- Compatibility with existing SSL/TLS build options:
87
88  The TLS 1.3 implementation is compatible with nearly all TLS 1.2
89  configuration options in the sense that when enabling TLS 1.3 in the library
90  there is rarely any need to modify the configuration from that used for
91  TLS 1.2. There are two exceptions though: the TLS 1.3 implementation requires
92  MBEDTLS_PSA_CRYPTO_C and MBEDTLS_SSL_KEEP_PEER_CERTIFICATE, so these options
93  must be enabled.
94
95  Most of the Mbed TLS SSL/TLS related options are not supported or not
96  applicable to the TLS 1.3 implementation:
97
98  | Mbed TLS configuration option            | Support |
99  | ---------------------------------------- | ------- |
100  | MBEDTLS_SSL_ALL_ALERT_MESSAGES           | yes     |
101  | MBEDTLS_SSL_ASYNC_PRIVATE                | no      |
102  | MBEDTLS_SSL_CONTEXT_SERIALIZATION        | no      |
103  | MBEDTLS_SSL_DEBUG_ALL                    | no      |
104  | MBEDTLS_SSL_ENCRYPT_THEN_MAC             | n/a     |
105  | MBEDTLS_SSL_EXTENDED_MASTER_SECRET       | n/a     |
106  | MBEDTLS_SSL_KEEP_PEER_CERTIFICATE        | no (1)  |
107  | MBEDTLS_SSL_RENEGOTIATION                | n/a     |
108  | MBEDTLS_SSL_MAX_FRAGMENT_LENGTH          | no      |
109  |                                          |         |
110  | MBEDTLS_SSL_SESSION_TICKETS              | yes     |
111  | MBEDTLS_SSL_SERVER_NAME_INDICATION       | yes     |
112  | MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH       | no      |
113  |                                          |         |
114  | MBEDTLS_ECP_RESTARTABLE                  | no      |
115  | MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED     | no      |
116  |                                          |         |
117  | MBEDTLS_KEY_EXCHANGE_PSK_ENABLED         | n/a (2) |
118  | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED   | n/a     |
119  | MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED   | n/a     |
120  | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED | n/a     |
121  | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED  | n/a     |
122  | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED    | n/a     |
123  | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED     | n/a     |
124  |                                          |         |
125  | MBEDTLS_PSA_CRYPTO_C                     | no (1)  |
126
127  (1) These options must remain in their default state of enabled.
128  (2) See the TLS 1.3 specific build options section below.
129
130- TLS 1.3 specific build options:
131
132  - MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE enables the support for middlebox
133    compatibility mode as defined in section D.4 of RFC 8446.
134
135  - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED enables the support for
136    the PSK key exchange mode as defined by RFC 8446. If it is the only key
137    exchange mode enabled, the TLS 1.3 implementation does not contain any code
138    related to key exchange protocols, certificates and signatures.
139
140  - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED enables the
141    support for the ephemeral key exchange mode. If it is the only key exchange
142    mode enabled, the TLS 1.3 implementation does not contain any code related
143    to PSK based key exchange. The ephemeral key exchange mode requires at least
144    one of the key exchange protocol allowed by the TLS 1.3 specification, the
145    parsing and validation of x509 certificates and at least one signature
146    algorithm allowed by the TLS 1.3 specification for signature computing and
147    verification.
148
149  - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED enables the
150    support for the PSK ephemeral key exchange mode. If it is the only key
151    exchange mode enabled, the TLS 1.3 implementation does not contain any code
152    related to certificates and signatures. The PSK ephemeral key exchange
153    mode requires at least one of the key exchange protocol allowed by the
154    TLS 1.3 specification.
155
156
157Coding rules checklist for TLS 1.3
158----------------------------------
159
160The following coding rules are aimed to be a checklist for TLS 1.3 upstreaming
161work to reduce review rounds and the number of comments in each round. They
162come along (do NOT replace) the project coding rules
163(https://mbed-tls.readthedocs.io/en/latest/kb/development/mbedtls-coding-standards). They have been
164established and discussed following the review of #4882 that was the
165PR upstreaming the first part of TLS 1.3 ClientHello writing code.
166
167TLS 1.3 specific coding rules:
168
169  - TLS 1.3 specific C modules, headers, static functions names are prefixed
170    with `ssl_tls13_`. The same applies to structures and types that are
171    internal to C modules.
172
173  - TLS 1.3 specific exported functions, structures and types are
174    prefixed with `mbedtls_ssl_tls13_`.
175
176  - Use TLS1_3 in TLS 1.3 specific macros.
177
178  - The names of macros and variables related to a field or structure in the
179    TLS 1.3 specification should contain as far as possible the field name as
180    it is in the specification. If the field name is "too long" and we prefer
181    to introduce some kind of abbreviation of it, use the same abbreviation
182    everywhere in the code.
183
184    Example 1: #define CLIENT_HELLO_RANDOM_LEN 32, macro for the length of the
185        `random` field of the ClientHello message.
186
187    Example 2 (consistent abbreviation): `mbedtls_ssl_tls13_write_sig_alg_ext()`
188        and `MBEDTLS_TLS_EXT_SIG_ALG`, `sig_alg` standing for
189        `signature_algorithms`.
190
191  - Regarding vectors that are represented by a length followed by their value
192    in the data exchanged between servers and clients:
193
194    - Use `<vector name>_len` for the name of a variable used to compute the
195      length in bytes of the vector, where <vector name> is the name of the
196      vector as defined in the TLS 1.3 specification.
197
198    - Use `p_<vector_name>_len` for the name of a variable intended to hold
199      the address of the first byte of the vector length.
200
201    - Use `<vector_name>` for the name of a variable intended to hold the
202      address of the first byte of the vector value.
203
204    - Use `<vector_name>_end` for the name of a variable intended to hold
205      the address of the first byte past the vector value.
206
207    Those idioms should lower the risk of mis-using one of the address in place
208    of another one which could potentially lead to some nasty issues.
209
210    Example: `cipher_suites` vector of ClientHello in
211             `ssl_tls13_write_client_hello_cipher_suites()`
212    ```
213    size_t cipher_suites_len;
214    unsigned char *p_cipher_suites_len;
215    unsigned char *cipher_suites;
216    ```
217
218  - Where applicable, use:
219    - the macros to extract a byte from a multi-byte integer MBEDTLS_BYTE_{0-8}.
220    - the macros to write in memory in big-endian order a multi-byte integer
221      MBEDTLS_PUT_UINT{8|16|32|64}_BE.
222    - the macros to read from memory a multi-byte integer in big-endian order
223      MBEDTLS_GET_UINT{8|16|32|64}_BE.
224    - the macro to check for space when writing into an output buffer
225      `MBEDTLS_SSL_CHK_BUF_PTR`.
226    - the macro to check for data when reading from an input buffer
227      `MBEDTLS_SSL_CHK_BUF_READ_PTR`.
228
229    The three first types, MBEDTLS_BYTE_{0-8}, MBEDTLS_PUT_UINT{8|16|32|64}_BE
230    and MBEDTLS_GET_UINT{8|16|32|64}_BE improve the readability of the code and
231    reduce the risk of writing or reading bytes in the wrong order.
232
233    The two last types, `MBEDTLS_SSL_CHK_BUF_PTR` and
234    `MBEDTLS_SSL_CHK_BUF_READ_PTR`, improve the readability of the code and
235    reduce the risk of error in the non-completely-trivial arithmetic to
236    check that we do not write or read past the end of a data buffer. The
237    usage of those macros combined with the following rule mitigate the risk
238    to read/write past the end of a data buffer.
239
240    Examples:
241    ```
242    hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len );
243    MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 );
244    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 );
245    ```
246
247  - To mitigate what happened here
248    (https://github.com/Mbed-TLS/mbedtls/pull/4882#discussion_r701704527) from
249    happening again, use always a local variable named `p` for the reading
250    pointer in functions parsing TLS 1.3 data, and for the writing pointer in
251    functions writing data into an output buffer and only that variable. The
252    name `p` has been chosen as it was already widely used in TLS code.
253
254  - When an TLS 1.3 structure is written or read by a function or as part of
255    a function, provide as documentation the definition of the structure as
256    it is in the TLS 1.3 specification.
257
258General coding rules:
259
260  - We prefer grouping "related statement lines" by not adding blank lines
261    between them.
262
263    Example 1:
264    ```
265    ret = ssl_tls13_write_client_hello_cipher_suites( ssl, buf, end, &output_len );
266    if( ret != 0 )
267        return( ret );
268    buf += output_len;
269    ```
270
271    Example 2:
272    ```
273    MBEDTLS_SSL_CHK_BUF_PTR( cipher_suites_iter, end, 2 );
274    MBEDTLS_PUT_UINT16_BE( cipher_suite, cipher_suites_iter, 0 );
275    cipher_suites_iter += 2;
276    ```
277
278  - Use macros for constants that are used in different functions, different
279    places in the code. When a constant is used only locally in a function
280    (like the length in bytes of the vector lengths in functions reading and
281    writing TLS handshake message) there is no need to define a macro for it.
282
283    Example: `#define CLIENT_HELLO_RANDOM_LEN 32`
284
285  - When declaring a pointer the dereferencing operator should be prepended to
286    the pointer name not appended to the pointer type:
287
288    Example: `mbedtls_ssl_context *ssl;`
289
290  - Maximum line length is 80 characters.
291
292    Exceptions:
293
294    - string literals can extend beyond 80 characters as we do not want to
295      split them to ease their search in the code base.
296
297    - A line can be more than 80 characters by a few characters if just looking
298      at the 80 first characters is enough to fully understand the line. For
299      example it is generally fine if some closure characters like ";" or ")"
300      are beyond the 80 characters limit.
301
302    If a line becomes too long due to a refactoring (for example renaming a
303    function to a longer name, or indenting a block more), avoid rewrapping
304    lines in the same commit: it makes the review harder. Make one commit with
305    the longer lines and another commit with just the rewrapping.
306
307  - When in successive lines, functions and macros parameters should be aligned
308    vertically.
309
310    Example:
311    ```
312    int mbedtls_ssl_start_handshake_msg( mbedtls_ssl_context *ssl,
313                                         unsigned hs_type,
314                                         unsigned char **buf,
315                                         size_t *buf_len );
316    ```
317
318  - When a function's parameters span several lines, group related parameters
319    together if possible.
320
321    For example, prefer:
322
323    ```
324    mbedtls_ssl_start_handshake_msg( ssl, hs_type,
325                                     buf, buf_len );
326    ```
327    over
328    ```
329    mbedtls_ssl_start_handshake_msg( ssl, hs_type, buf,
330                                     buf_len );
331    ```
332    even if it fits.
333
334
335Overview of handshake code organization
336---------------------------------------
337
338The TLS 1.3 handshake protocol is implemented as a state machine. The
339functions `mbedtls_ssl_tls13_handshake_{client,server}_step` are the top level
340functions of that implementation. They are implemented as a switch over all the
341possible states of the state machine.
342
343Most of the states are either dedicated to the processing or writing of an
344handshake message.
345
346The implementation does not go systematically through all states as this would
347result in too many checks of whether something needs to be done or not in a
348given state to be duplicated across several state handlers. For example, on
349client side, the states related to certificate parsing and validation are
350bypassed if the handshake is based on a pre-shared key and thus does not
351involve certificates.
352
353On the contrary, the implementation goes systematically though some states
354even if they could be bypassed if it helps in minimizing when and where inbound
355and outbound keys are updated. The `MBEDTLS_SSL_CLIENT_CERTIFICATE` state on
356client side is a example of that.
357
358The names of the handlers processing/writing an handshake message are
359prefixed with `(mbedtls_)ssl_tls13_{process,write}`. To ease the maintenance and
360reduce the risk of bugs, the code of the message processing and writing
361handlers is split into a sequence of stages.
362
363The sending of data to the peer only occurs in `mbedtls_ssl_handshake_step`
364between the calls to the handlers and as a consequence handlers do not have to
365care about the MBEDTLS_ERR_SSL_WANT_WRITE error code. Furthermore, all pending
366data are flushed before to call the next handler. That way, handlers do not
367have to worry about pending data when changing outbound keys.
368
369### Message processing handlers
370For message processing handlers, the stages are:
371
372* coordination stage: check if the state should be bypassed. This stage is
373optional. The check is either purely based on the reading of the value of some
374fields of the SSL context or based on the reading of the type of the next
375message. The latter occurs when it is not known what the next handshake message
376will be, an example of that on client side being if we are going to receive a
377CertificateRequest message or not. The intent is, apart from the next record
378reading to not modify the SSL context as this stage may be repeated if the
379next handshake message has not been received yet.
380
381* fetching stage: at this stage we are sure of the type of the handshake
382message we must receive next and we try to fetch it. If we did not go through
383a coordination stage involving the next record type reading, the next
384handshake message may not have been received yet, the handler returns with
385`MBEDTLS_ERR_SSL_WANT_READ` without changing the current state and it will be
386called again later.
387
388* pre-processing stage: prepare the SSL context for the message parsing. This
389stage is optional. Any processing that must be done before the parsing of the
390message or that can be done to simplify the parsing code. Some simple and
391partial parsing of the handshake message may append at that stage like in the
392ServerHello message pre-processing.
393
394* parsing stage: parse the message and restrict as much as possible any
395update of the SSL context. The idea of the pre-processing/parsing/post-processing
396organization is to concentrate solely on the parsing in the parsing function to
397reduce the size of its code and to simplify it.
398
399* post-processing stage: following the parsing, further update of the SSL
400context to prepare for the next incoming and outgoing messages. This stage is
401optional. For example, secret and key computations occur at this stage, as well
402as handshake messages checksum update.
403
404* state change: the state change is done in the main state handler to ease the
405navigation of the state machine transitions.
406
407
408### Message writing handlers
409For message writing handlers, the stages are:
410
411* coordination stage: check if the state should be bypassed. This stage is
412optional. The check is based on the value of some fields of the SSL context.
413
414* preparation stage: prepare for the message writing. This stage is optional.
415Any processing that must be done before the writing of the message or that can
416be done to simplify the writing code.
417
418* writing stage: write the message and restrict as much as possible any update
419of the SSL context. The idea of the preparation/writing/finalization
420organization is to concentrate solely on the writing in the writing function to
421reduce the size of its code and simplify it.
422
423* finalization stage: following the writing, further update of the SSL
424context to prepare for the next incoming and outgoing messages. This stage is
425optional. For example, handshake secret and key computation occur at that
426stage (ServerHello writing finalization), switching to handshake keys for
427outbound message on server side as well.
428
429* state change: the state change is done in the main state handler to ease
430the navigation of the state machine transitions.
431