From 3785c907c71af0eaeb4772586688f40eaf1a2681 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 20 Sep 2021 09:05:36 +0200 Subject: [PATCH 01/20] Define TLS 1.3 MVP and document coding rules Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 242 ++++++++++++++++++++++++ 1 file changed, 242 insertions(+) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index 0009c68180..e6f9065801 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -66,3 +66,245 @@ together with their level of testing: as part of `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`: - Reader ([`library/mps_reader.h`](../../library/mps_reader.h)) + + +MVP definition +-------------- + +The TLS 1.3 MVP implements only the client side of the protocol. +The TLS 1.3 MVP does not support the handling of server HelloRetryRequest and +CertificateRequest messages. If it receives one of those messages, it aborts +the handshake with an handshake_failure closure alert. + +- Supported cipher suites: depends on the library configuration. Potentially + all of them: + TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, + TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256. + +- Supported ClientHello extensions: + + MVP Prototype + (for comparison) + + server_name no YES + max_fragment_length no YES + status_request no no + supported_groups YES YES + signature_algorithms YES YES + use_srtp no no + heartbeat no no + apln no YES + signed_certificate_timestamp no no + client_certificate_type no no + server_certificate_type no no + padding no no + key_share YES YES + pre_shared_key no YES + psk_key_exchange_modes no YES + early_data no YES + cookie no YES + supported_versions YES YES + certificate_authorities no no + post_handshake_auth no no + signature_algorithms_cert no no + +- Supported groups: depends on the library configuration. + Potentially all ECDHE groups: + secp256r1, secp384r1, secp521r1(0x0019), x25519, x448. + +- Supported signature algorithms: depends on the library configuration. + Potentially: + ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, + rsa_pss_rsae_sha256. + +- Supported versions: only TLS 1.3 + +- Support of Mbed TLS SSL/TLS related (not DTLS) features: + + The TLS 1.3 MVP is compatible with all TLS 1.2 configuration options in the + sense that when enabling the TLS 1.3 MVP in the library there is no need to + modify the configuration for TLS 1.2. Mbed TLS SSL/TLS related features are + not supported or not applicable to the TLS 1.3 MVP: + + Supported Comment + MBEDTLS_SSL_ALL_ALERT_MESSAGES no + MBEDTLS_SSL_ASYNC_PRIVATE no + MBEDTLS_SSL_CONTEXT_SERIALIZATION no + MBEDTLS_SSL_DEBUG_ALL no + MBEDTLS_SSL_ENCRYPT_THEN_MAC n/a + MBEDTLS_SSL_EXTENDED_MASTER_SECRET n/a + MBEDTLS_SSL_KEEP_PEER_CERTIFICATE no + MBEDTLS_SSL_RENEGOTIATION n/a Not TLS 1.2 dependent + MBEDTLS_SSL_MAX_FRAGMENT_LENGTH no + MBEDTLS_SSL_ALPN no + + MBEDTLS_SSL_SESSION_TICKETS no + MBEDTLS_SSL_EXPORT_KEYS no Incomplete support + MBEDTLS_SSL_SERVER_NAME_INDICATION no + MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH no + + MBEDTLS_ECP_RESTARTABLE no + MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED no + + MBEDTLS_KEY_EXCHANGE_PSK_ENABLED n/a Make sense in TLS 1.3 + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED n/a context but their current + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED n/a definition is TLS 1.2 only. + MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED n/a + MBEDTLS_KEY_EXCHANGE_RSA_ENABLED n/a + MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED n/a + MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED n/a + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED n/a + MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED n/a + MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED n/a + MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED n/a + + MBEDTLS_USE_PSA_CRYPTO no + +Not in the plan yet but probably necessary for a viable client: +- server_name extension +- support for HelloRetryRequest +- fallback to TLS 1.2 + +Coding rules checklist for TLS 1.3 +---------------------------------- + +The following coding rules are aimed to be a checklist for TLS 1.3 upstreaming +work to reduce review rounds and the number of comments in each round. They +come along (do NOT replace) the project coding rules +(https://tls.mbed.org/kb/development/mbedtls-coding-standards). They have been +established and discussed following the review of #4882 that was the +PR upstreaming the first part of TLS 1.3 ClientHello writing code. + +TLS 1.3 specific coding rules: + + - TLS 1.3 specific C modules, headers, static functions names are prefixed + with `ssl_tls1_3_`. The same applies to structures and types that are + internal to C modules. + + - TLS 1.3 specific exported functions, macros, structures and types are + prefixed with `mbedtls_ssl_tls1_3_`. + + - The names of macros and variables related to a field or structure in the + TLS 1.3 specification should contain as far as possible the field name as + it is in the specification. If the field name is `too long` and we prefer + to introduce some kind of abbreviation of it, use the same abbreviation + everywhere in the code. + + Example 1: #define CLIENT_HELLO_RANDOM_LEN 32, macro for the length of the + `random` field of the ClientHello message. + + Example 2 (consistent abbreviation): mbedtls_ssl_tls1_3_write_sig_alg_ext() + and MBEDTLS_TLS_EXT_SIG_ALG, `sig_alg` standing for + `signature_algorithms`. + + - Regarding vectors that are represented by a length followed by their value + in the data exchanged between servers and clients: + + - Use `_len` for the name of a variable used to compute the + length in bytes of the vector, where is the name of the + vector as defined in the TLS 1.3 specification. + + - Use `_len_ptr` for the name of a variable intended to hold + the address of the first byte of the vector length. + + - Use `_ptr` for the name of a variable intended to hold the + address of the first byte of the vector value. + + - Use `_end_ptr` for the name of a variable intended to hold + the address of the first byte past the vector value. + + Those two last idioms should lower the risk of mis-using one of the address + in place of the other one which could potentially lead to some nasty + issues. + + Example: `cipher_suites` vector of ClientHello in + ssl_tls1_3_write_client_hello_cipher_suites() + + size_t cipher_suites_len; + unsigned char *cipher_suites_len_ptr; + unsigned char *cipher_suites_ptr; + + - Use of MBEDTLS_BYTE_xyz, MBEDTLS_PUT/GET_xyz, MBEDTLS_SSL_CHK_BUF_PTR + MBEDTLS_SSL_CHK_BUF_READ_PTR macros where applicable. + + These macros were introduced after the prototype was written thus are + likely not to be used in prototype where we now would use them in + development. + + The two first types, MBEDTLS_BYTE_xyz and MBEDTLS_PUT/GET_xyz, improve + the readability of the code and reduce the risk of writing or reading + bytes in the wrong order: we should probably have only MBEDTLS_GET/PUT_*_BE + (BE stands for Big-Endian) macros in the TLS 1.3 code. + + The two last types, MBEDTLS_SSL_CHK_BUF_PTR and + MBEDTLS_SSL_CHK_BUF_READ_PTR, improve the readability of the code and + reduce the risk of error in the non-completely-trivial arithmetic to + check that we do not write or read past the end of a data buffer. The + usage of those macros combined with the following rule mitigate the risk + to read/write past the end of a data buffer. + + Examples: hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len ); + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 ); + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 ); + + - To mitigate what happened here + (https://github.com/ARMmbed/mbedtls/pull/4882#discussion_r701704527) from + happening again, use always a local variable named `p` for the reading + pointer in functions parsing TLS 1.3 data, and for the writing pointer in + functions writing data into an output buffer. The name `p` has been + chosen as it was already widely used in TLS code. + + - When an TLS 1.3 structure is written or read by a function or as part of + a function, provide as documentation the definition of the structure as + it is in the TLS 1.3 specification. + +General coding rules: + + - We prefer grouping `related statement lines` by not adding blank lines + between them. + + Example 1: + + ret = ssl_tls13_write_client_hello_cipher_suites( ssl, buf, end, &output_len ); + if( ret != 0 ) + return( ret ); + buf += output_len; + + Example 2: + + MBEDTLS_SSL_CHK_BUF_PTR( cipher_suites_iter, end, 2 ); + MBEDTLS_PUT_UINT16_BE( cipher_suite, cipher_suites_iter, 0 ); + cipher_suites_iter += 2; + + - Use macros for constants that are used in different functions, different + places in the code. When a constant is used only locally in a function + (like the length in bytes of the vector lengths in functions reading and + writing TLS handshake message) there is no need to define a macro for it. + + Example: #define CLIENT_HELLO_RANDOM_LEN 32 + + - When declaring a pointer the dereferencing operator should be prepended to + the pointer name not appended to the pointer type: + + Example: mbedtls_ssl_context *ssl; + + - Maximum line length is 80 characters. + + Exceptions: + + - string literals can extend beyond 80 characters as we do not want to + split them to ease their search in the code base. + + - A line can be more than 80 characters by a few characters if just looking + at the 80 first characters is enough to fully understand the line. For + example it is generally fine if some closure characters like ";" or ")" + are beyond the 80 characters limit. + + - When in successive lines, functions and macros parameters should be aligned + vertically. + + Example: + int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl, + unsigned hs_type, + unsigned char **buf, + size_t *buf_len ); From def52c36e53ff2d0d3e235fc3f5ef6fc7eed5ff5 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Sep 2021 12:03:55 +0200 Subject: [PATCH 02/20] Remove obscure comment about TLS 1.3 renegotiation config option Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index e6f9065801..96f844cdb1 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -134,7 +134,7 @@ the handshake with an handshake_failure closure alert. MBEDTLS_SSL_ENCRYPT_THEN_MAC n/a MBEDTLS_SSL_EXTENDED_MASTER_SECRET n/a MBEDTLS_SSL_KEEP_PEER_CERTIFICATE no - MBEDTLS_SSL_RENEGOTIATION n/a Not TLS 1.2 dependent + MBEDTLS_SSL_RENEGOTIATION n/a MBEDTLS_SSL_MAX_FRAGMENT_LENGTH no MBEDTLS_SSL_ALPN no From 023987feefa805c03ff71f5b9d99b162ba0fda79 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Sep 2021 11:59:25 +0200 Subject: [PATCH 03/20] Use GitHub table format Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 115 ++++++++++++------------ 1 file changed, 60 insertions(+), 55 deletions(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index 96f844cdb1..1eef961a80 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -83,30 +83,32 @@ the handshake with an handshake_failure closure alert. - Supported ClientHello extensions: - MVP Prototype - (for comparison) + | Extension | MVP | Prototype (1) | + | ---------------------------- | ------- | ------------- | + | server_name | no | YES | + | max_fragment_length | no | YES | + | status_request | no | no | + | supported_groups | YES | YES | + | signature_algorithms | YES | YES | + | use_srtp | no | no | + | heartbeat | no | no | + | apln | no | YES | + | signed_certificate_timestamp | no | no | + | client_certificate_type | no | no | + | server_certificate_type | no | no | + | padding | no | no | + | key_share | YES | YES | + | pre_shared_key | no | YES | + | psk_key_exchange_modes | no | YES | + | early_data | no | YES | + | cookie | no | YES | + | supported_versions | YES | YES | + | certificate_authorities | no | no | + | post_handshake_auth | no | no | + | signature_algorithms_cert | no | no | + + (1) This is just for comparison. - server_name no YES - max_fragment_length no YES - status_request no no - supported_groups YES YES - signature_algorithms YES YES - use_srtp no no - heartbeat no no - apln no YES - signed_certificate_timestamp no no - client_certificate_type no no - server_certificate_type no no - padding no no - key_share YES YES - pre_shared_key no YES - psk_key_exchange_modes no YES - early_data no YES - cookie no YES - supported_versions YES YES - certificate_authorities no no - post_handshake_auth no no - signature_algorithms_cert no no - Supported groups: depends on the library configuration. Potentially all ECDHE groups: @@ -126,39 +128,42 @@ the handshake with an handshake_failure closure alert. modify the configuration for TLS 1.2. Mbed TLS SSL/TLS related features are not supported or not applicable to the TLS 1.3 MVP: - Supported Comment - MBEDTLS_SSL_ALL_ALERT_MESSAGES no - MBEDTLS_SSL_ASYNC_PRIVATE no - MBEDTLS_SSL_CONTEXT_SERIALIZATION no - MBEDTLS_SSL_DEBUG_ALL no - MBEDTLS_SSL_ENCRYPT_THEN_MAC n/a - MBEDTLS_SSL_EXTENDED_MASTER_SECRET n/a - MBEDTLS_SSL_KEEP_PEER_CERTIFICATE no - MBEDTLS_SSL_RENEGOTIATION n/a - MBEDTLS_SSL_MAX_FRAGMENT_LENGTH no - MBEDTLS_SSL_ALPN no + | Mbed TLS configuration option | Support | + | ---------------------------------------- | ------- | + | MBEDTLS_SSL_ALL_ALERT_MESSAGES | no | + | MBEDTLS_SSL_ASYNC_PRIVATE | no | + | MBEDTLS_SSL_CONTEXT_SERIALIZATION | no | + | MBEDTLS_SSL_DEBUG_ALL | no | + | MBEDTLS_SSL_ENCRYPT_THEN_MAC | n/a | + | MBEDTLS_SSL_EXTENDED_MASTER_SECRET | n/a | + | MBEDTLS_SSL_KEEP_PEER_CERTIFICATE | no | + | MBEDTLS_SSL_RENEGOTIATION | n/a | + | MBEDTLS_SSL_MAX_FRAGMENT_LENGTH | no | + | | | + | MBEDTLS_SSL_SESSION_TICKETS | no | + | MBEDTLS_SSL_EXPORT_KEYS | no (1) | + | MBEDTLS_SSL_SERVER_NAME_INDICATION | no | + | MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH | no | + | | | + | MBEDTLS_ECP_RESTARTABLE | no | + | MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED | no | + | | | + | MBEDTLS_KEY_EXCHANGE_PSK_ENABLED | n/a (2) | + | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED | n/a | + | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED | n/a | + | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED | n/a | + | MBEDTLS_KEY_EXCHANGE_RSA_ENABLED | n/a | + | MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED | n/a | + | MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED | n/a | + | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED | n/a | + | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED | n/a | + | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED | n/a | + | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED | n/a | + | | | + | MBEDTLS_USE_PSA_CRYPTO | no | - MBEDTLS_SSL_SESSION_TICKETS no - MBEDTLS_SSL_EXPORT_KEYS no Incomplete support - MBEDTLS_SSL_SERVER_NAME_INDICATION no - MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH no - - MBEDTLS_ECP_RESTARTABLE no - MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED no - - MBEDTLS_KEY_EXCHANGE_PSK_ENABLED n/a Make sense in TLS 1.3 - MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED n/a context but their current - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED n/a definition is TLS 1.2 only. - MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED n/a - MBEDTLS_KEY_EXCHANGE_RSA_ENABLED n/a - MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED n/a - MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED n/a - MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED n/a - MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED n/a - MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED n/a - MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED n/a - - MBEDTLS_USE_PSA_CRYPTO no + (1) Some support has already been upstreamed but it is incomplete. + (2) Make sense in TLS 1.3 context but their current definition is TLS 1.2 only. Not in the plan yet but probably necessary for a viable client: - server_name extension From 1fa5088c0b6c82dca3438584a0bc33ecccf7a233 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Sep 2021 12:06:52 +0200 Subject: [PATCH 04/20] Improve comment about PSK TLS 1.3 configuration options Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index 1eef961a80..ee4e5fb592 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -163,7 +163,10 @@ the handshake with an handshake_failure closure alert. | MBEDTLS_USE_PSA_CRYPTO | no | (1) Some support has already been upstreamed but it is incomplete. - (2) Make sense in TLS 1.3 context but their current definition is TLS 1.2 only. + (2) Key exchange configuration options for TLS 1.3 will likely to be + organized around the notion of key exchange mode along the line + of the MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_NONE/PSK/PSK_EPHEMERAL/EPHEMERAL + runtime configuration macros. Not in the plan yet but probably necessary for a viable client: - server_name extension From 004df8ad5f8ffb724493d88be8e987efcdf8fb59 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Sep 2021 12:12:00 +0200 Subject: [PATCH 05/20] Improve comment about handshake failure with HRR and CertificateRequest Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index ee4e5fb592..9f6d0e48c5 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -74,7 +74,9 @@ MVP definition The TLS 1.3 MVP implements only the client side of the protocol. The TLS 1.3 MVP does not support the handling of server HelloRetryRequest and CertificateRequest messages. If it receives one of those messages, it aborts -the handshake with an handshake_failure closure alert. +the handshake with an handshake_failure closure alert and the +`mbedtls_ssl_handshake()` returns in error with the +`MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE` error code. - Supported cipher suites: depends on the library configuration. Potentially all of them: From 85e51083d8b6b4a6968235d57713b9af98a150ea Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Sep 2021 12:13:16 +0200 Subject: [PATCH 06/20] Add support for server_name extension Section 9.2 of the specification defines server_name extension as mandatory if not specified otherwise by an application profile. Thus add its support to the MVP scope. Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index 9f6d0e48c5..29cda88dc2 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -87,7 +87,7 @@ the handshake with an handshake_failure closure alert and the | Extension | MVP | Prototype (1) | | ---------------------------- | ------- | ------------- | - | server_name | no | YES | + | server_name | YES | YES | | max_fragment_length | no | YES | | status_request | no | no | | supported_groups | YES | YES | From 3160d700498bd88f29444ba621e103b7784547e0 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Sep 2021 13:27:21 +0200 Subject: [PATCH 07/20] Add comments about key_share and supported_versions support Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index 29cda88dc2..dce999fb45 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -99,18 +99,31 @@ the handshake with an handshake_failure closure alert and the | client_certificate_type | no | no | | server_certificate_type | no | no | | padding | no | no | - | key_share | YES | YES | + | key_share | YES (2) | YES | | pre_shared_key | no | YES | | psk_key_exchange_modes | no | YES | | early_data | no | YES | | cookie | no | YES | - | supported_versions | YES | YES | + | supported_versions | YES (3) | YES | | certificate_authorities | no | no | | post_handshake_auth | no | no | | signature_algorithms_cert | no | no | (1) This is just for comparison. + (2) The MVP sends one shared secret corresponding to the configured preferred + group. The preferred group is the group of the first curve in the list of + allowed curves as defined by the configuration. By default, it is the + mandatory group as defined by section 9.1 of the specification, + `secp256r1`. The list of allowed curves can be set through the + `mbedtls_ssl_conf_curves()` API. + + (3) The MVP proposes only TLS 1.3 and does not support version negociation. + Out-of-protocol fallback is supported though if the Mbed TLS library + has been built to support both TLS 1.3 and TLS 1.2: just set the + maximum of the minor version of the SSL configuration to + MBEDTLS_SSL_MINOR_VERSION_3 (`mbedtls_ssl_conf_min_version()` API) and + re-initiate a server handshake. - Supported groups: depends on the library configuration. Potentially all ECDHE groups: @@ -121,8 +134,6 @@ the handshake with an handshake_failure closure alert and the ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256. -- Supported versions: only TLS 1.3 - - Support of Mbed TLS SSL/TLS related (not DTLS) features: The TLS 1.3 MVP is compatible with all TLS 1.2 configuration options in the From c3b510f096a3d88137ffdb8ab38a1ad8bcd3ad49 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Sep 2021 13:36:33 +0200 Subject: [PATCH 08/20] Amend supported groups and signatures based on spec 9.1 section Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index dce999fb45..ed2b38f4fe 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -126,13 +126,22 @@ the handshake with an handshake_failure closure alert and the re-initiate a server handshake. - Supported groups: depends on the library configuration. - Potentially all ECDHE groups: - secp256r1, secp384r1, secp521r1(0x0019), x25519, x448. + Minimally (as defined in section 9.1 of the TLS 1.3 specification): + secp256r1 and x25519. -- Supported signature algorithms: depends on the library configuration. - Potentially: - ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, - rsa_pss_rsae_sha256. + Furthermore, depending on the library configuration, potentially: + secp384r1 and secp521r1. + + Finite field groups (DHE) are not supported. + +- Supported signature algorithms(both for certificates and CertificateVerify): + Minimally (as defined in section 9.1 of the TLS 1.3 specification): + rsa_pkcs1_sha256, rsa_pss_rsae_sha256 and ecdsa_secp256r1_sha256 + + Furthermore, depending on the library configuration, potentially: + ecdsa_secp384r1_sha384 and ecdsa_secp521r1_sha512 + +- Supported versions: only TLS 1.3, version negotiation is not supported. - Support of Mbed TLS SSL/TLS related (not DTLS) features: From 7a7032a4bacb38f772e7b153c77d1f636d9ef8b3 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Sep 2021 13:38:46 +0200 Subject: [PATCH 09/20] Remove out of MVP scope items Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index ed2b38f4fe..c3c181e0a8 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -190,11 +190,6 @@ the handshake with an handshake_failure closure alert and the of the MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_NONE/PSK/PSK_EPHEMERAL/EPHEMERAL runtime configuration macros. -Not in the plan yet but probably necessary for a viable client: -- server_name extension -- support for HelloRetryRequest -- fallback to TLS 1.2 - Coding rules checklist for TLS 1.3 ---------------------------------- From 660c723b098090b69a050795d6c60c87df35e860 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Sep 2021 13:40:53 +0200 Subject: [PATCH 10/20] Add paragraph about expected quality Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index c3c181e0a8..f7e3043f4f 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -190,6 +190,17 @@ the handshake with an handshake_failure closure alert and the of the MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_NONE/PSK/PSK_EPHEMERAL/EPHEMERAL runtime configuration macros. +- Quality considerations + - Standard Mbed TLS review bar + - Interoperability testing with OpenSSL and GnuTLS. Test with all the + cipher suites supported by OpenSSL/GnuTLS server with and without + certificate base authentication. + - Negative testing against OpenSSL/GnuTLS servers with which the + handshake fails due to imcompatibility with the capabilities of the + MVP: TLS 1.2 or 1.1 server, server sending an HelloRetryRequest message in + response to the MVP ClientHello, server sending a CertificateRequest + message ... + Coding rules checklist for TLS 1.3 ---------------------------------- From 72064b30cf714ba9e1c3dcabea13554b4b49f221 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Sep 2021 13:54:28 +0200 Subject: [PATCH 11/20] Fix usage of backticks Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 44 +++++++++++++++---------- 1 file changed, 26 insertions(+), 18 deletions(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index f7e3043f4f..e63fbbc0ac 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -222,15 +222,15 @@ TLS 1.3 specific coding rules: - The names of macros and variables related to a field or structure in the TLS 1.3 specification should contain as far as possible the field name as - it is in the specification. If the field name is `too long` and we prefer + it is in the specification. If the field name is "too long" and we prefer to introduce some kind of abbreviation of it, use the same abbreviation everywhere in the code. Example 1: #define CLIENT_HELLO_RANDOM_LEN 32, macro for the length of the `random` field of the ClientHello message. - Example 2 (consistent abbreviation): mbedtls_ssl_tls1_3_write_sig_alg_ext() - and MBEDTLS_TLS_EXT_SIG_ALG, `sig_alg` standing for + Example 2 (consistent abbreviation): `mbedtls_ssl_tls1_3_write_sig_alg_ext()` + and `MBEDTLS_TLS_EXT_SIG_ALG`, `sig_alg` standing for `signature_algorithms`. - Regarding vectors that are represented by a length followed by their value @@ -254,11 +254,12 @@ TLS 1.3 specific coding rules: issues. Example: `cipher_suites` vector of ClientHello in - ssl_tls1_3_write_client_hello_cipher_suites() - - size_t cipher_suites_len; - unsigned char *cipher_suites_len_ptr; - unsigned char *cipher_suites_ptr; + `ssl_tls1_3_write_client_hello_cipher_suites()` + ``` + size_t cipher_suites_len; + unsigned char *cipher_suites_len_ptr; + unsigned char *cipher_suites_ptr; + ``` - Use of MBEDTLS_BYTE_xyz, MBEDTLS_PUT/GET_xyz, MBEDTLS_SSL_CHK_BUF_PTR MBEDTLS_SSL_CHK_BUF_READ_PTR macros where applicable. @@ -272,16 +273,19 @@ TLS 1.3 specific coding rules: bytes in the wrong order: we should probably have only MBEDTLS_GET/PUT_*_BE (BE stands for Big-Endian) macros in the TLS 1.3 code. - The two last types, MBEDTLS_SSL_CHK_BUF_PTR and - MBEDTLS_SSL_CHK_BUF_READ_PTR, improve the readability of the code and + The two last types, `MBEDTLS_SSL_CHK_BUF_PTR` and + `MBEDTLS_SSL_CHK_BUF_READ_PTR`, improve the readability of the code and reduce the risk of error in the non-completely-trivial arithmetic to check that we do not write or read past the end of a data buffer. The usage of those macros combined with the following rule mitigate the risk to read/write past the end of a data buffer. - Examples: hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len ); - MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 ); - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 ); + Examples: + ``` + hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len ); + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 ); + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 ); + ``` - To mitigate what happened here (https://github.com/ARMmbed/mbedtls/pull/4882#discussion_r701704527) from @@ -296,33 +300,35 @@ TLS 1.3 specific coding rules: General coding rules: - - We prefer grouping `related statement lines` by not adding blank lines + - We prefer grouping "related statement lines" by not adding blank lines between them. Example 1: - + ``` ret = ssl_tls13_write_client_hello_cipher_suites( ssl, buf, end, &output_len ); if( ret != 0 ) return( ret ); buf += output_len; + ``` Example 2: - + ``` MBEDTLS_SSL_CHK_BUF_PTR( cipher_suites_iter, end, 2 ); MBEDTLS_PUT_UINT16_BE( cipher_suite, cipher_suites_iter, 0 ); cipher_suites_iter += 2; + ``` - Use macros for constants that are used in different functions, different places in the code. When a constant is used only locally in a function (like the length in bytes of the vector lengths in functions reading and writing TLS handshake message) there is no need to define a macro for it. - Example: #define CLIENT_HELLO_RANDOM_LEN 32 + Example: `#define CLIENT_HELLO_RANDOM_LEN 32` - When declaring a pointer the dereferencing operator should be prepended to the pointer name not appended to the pointer type: - Example: mbedtls_ssl_context *ssl; + Example: `mbedtls_ssl_context *ssl;` - Maximum line length is 80 characters. @@ -340,7 +346,9 @@ General coding rules: vertically. Example: + ``` int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl, unsigned hs_type, unsigned char **buf, size_t *buf_len ); + ``` From b194466e99c9530359b8b64f28f999b4dcca03dd Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Sep 2021 13:56:46 +0200 Subject: [PATCH 12/20] Amend TLS 1.3 prefix Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index e63fbbc0ac..defba776a7 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -214,11 +214,13 @@ PR upstreaming the first part of TLS 1.3 ClientHello writing code. TLS 1.3 specific coding rules: - TLS 1.3 specific C modules, headers, static functions names are prefixed - with `ssl_tls1_3_`. The same applies to structures and types that are + with `ssl_tls13_`. The same applies to structures and types that are internal to C modules. - - TLS 1.3 specific exported functions, macros, structures and types are - prefixed with `mbedtls_ssl_tls1_3_`. + - TLS 1.3 specific exported functions, structures and types are + prefixed with `mbedtls_ssl_tls13_`. + + - Use TLS1_3 in TLS 1.3 specific macros. - The names of macros and variables related to a field or structure in the TLS 1.3 specification should contain as far as possible the field name as From 99733f05111f1fd59655e5c0d0933353d37c3c4e Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Sep 2021 13:58:21 +0200 Subject: [PATCH 13/20] Amend vector variables Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index defba776a7..ca97a251cf 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -242,25 +242,24 @@ TLS 1.3 specific coding rules: length in bytes of the vector, where is the name of the vector as defined in the TLS 1.3 specification. - - Use `_len_ptr` for the name of a variable intended to hold + - Use `p__len` for the name of a variable intended to hold the address of the first byte of the vector length. - - Use `_ptr` for the name of a variable intended to hold the + - Use `` for the name of a variable intended to hold the address of the first byte of the vector value. - - Use `_end_ptr` for the name of a variable intended to hold + - Use `_end` for the name of a variable intended to hold the address of the first byte past the vector value. - Those two last idioms should lower the risk of mis-using one of the address - in place of the other one which could potentially lead to some nasty - issues. + Those idioms should lower the risk of mis-using one of the address in place + of another one which could potentially lead to some nasty issues. Example: `cipher_suites` vector of ClientHello in `ssl_tls1_3_write_client_hello_cipher_suites()` ``` size_t cipher_suites_len; - unsigned char *cipher_suites_len_ptr; - unsigned char *cipher_suites_ptr; + unsigned char *p_cipher_suites_len; + unsigned char *cipher_suites; ``` - Use of MBEDTLS_BYTE_xyz, MBEDTLS_PUT/GET_xyz, MBEDTLS_SSL_CHK_BUF_PTR From fecda8ddb417f1479a88843ed934e6ad2f3ae696 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Sep 2021 13:59:38 +0200 Subject: [PATCH 14/20] Improve the description of common macros usage Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index ca97a251cf..1b6f5355b1 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -262,17 +262,24 @@ TLS 1.3 specific coding rules: unsigned char *cipher_suites; ``` - - Use of MBEDTLS_BYTE_xyz, MBEDTLS_PUT/GET_xyz, MBEDTLS_SSL_CHK_BUF_PTR - MBEDTLS_SSL_CHK_BUF_READ_PTR macros where applicable. + - Where applicable, use: + - the macros to extract a byte from a multi-byte integer MBEDTLS_BYTE_{0-8}. + - the macros to write in memory in big-endian order a multi-byte integer + MBEDTLS_PUT_UINT{8|16|32|64}_BE. + - the macros to read from memory a multi-byte integer in big-endian order + MBEDTLS_GET_UINT{8|16|32|64}_BE. + - the macro to check for space when writing into an output buffer + `MBEDTLS_SSL_CHK_BUF_PTR`. + - the macro to check for data when reading from an input buffer + `MBEDTLS_SSL_CHK_BUF_READ_PTR`. These macros were introduced after the prototype was written thus are likely not to be used in prototype where we now would use them in development. - The two first types, MBEDTLS_BYTE_xyz and MBEDTLS_PUT/GET_xyz, improve - the readability of the code and reduce the risk of writing or reading - bytes in the wrong order: we should probably have only MBEDTLS_GET/PUT_*_BE - (BE stands for Big-Endian) macros in the TLS 1.3 code. + The three first types, MBEDTLS_BYTE_{0-8}, MBEDTLS_PUT_UINT{8|16|32|64}_BE + and MBEDTLS_GET_UINT{8|16|32|64}_BE improve the readability of the code and + reduce the risk of writing or reading bytes in the wrong order. The two last types, `MBEDTLS_SSL_CHK_BUF_PTR` and `MBEDTLS_SSL_CHK_BUF_READ_PTR`, improve the readability of the code and From 3e7c4036b4dc9b51578a81d919885d0a866a038f Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Sep 2021 14:22:38 +0200 Subject: [PATCH 15/20] Miscellaneous improvements Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index 1b6f5355b1..314928fe8d 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -143,7 +143,7 @@ the handshake with an handshake_failure closure alert and the - Supported versions: only TLS 1.3, version negotiation is not supported. -- Support of Mbed TLS SSL/TLS related (not DTLS) features: +- Compatibility with existing SSL/TLS build options: The TLS 1.3 MVP is compatible with all TLS 1.2 configuration options in the sense that when enabling the TLS 1.3 MVP in the library there is no need to @@ -299,8 +299,8 @@ TLS 1.3 specific coding rules: (https://github.com/ARMmbed/mbedtls/pull/4882#discussion_r701704527) from happening again, use always a local variable named `p` for the reading pointer in functions parsing TLS 1.3 data, and for the writing pointer in - functions writing data into an output buffer. The name `p` has been - chosen as it was already widely used in TLS code. + functions writing data into an output buffer and only that variable. The + name `p` has been chosen as it was already widely used in TLS code. - When an TLS 1.3 structure is written or read by a function or as part of a function, provide as documentation the definition of the structure as From 847c3580b8e2f25e724395e748914c8b024237b6 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Sep 2021 14:24:43 +0200 Subject: [PATCH 16/20] Expend coding rules Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index 314928fe8d..481caef93b 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -350,6 +350,11 @@ General coding rules: example it is generally fine if some closure characters like ";" or ")" are beyond the 80 characters limit. + If a line becomes too long due to a refactoring (for example renaming a + function to a longer name, or indenting a block more), avoid rewrapping + lines in the same commit: it makes the review harder. Make one commit with + the longer lines and another commit with just the rewrapping. + - When in successive lines, functions and macros parameters should be aligned vertically. @@ -360,3 +365,19 @@ General coding rules: unsigned char **buf, size_t *buf_len ); ``` + + - When a function's parameters span several lines, group related parameters + together if possible. + + For example, prefer: + + ``` + mbedtls_ssl_tls13_start_handshake_msg( ssl, hs_type, + buf, buf_len ); + ``` + over + ``` + mbedtls_ssl_tls13_start_handshake_msg( ssl, hs_type, buf, + buf_len ); + ``` + even if it fits. From f164b6a7ff940ff0501ce06045a97f96146d3d55 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Sep 2021 15:36:29 +0200 Subject: [PATCH 17/20] Add an overview section Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 34 ++++++++++++++++++++----- 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index 481caef93b..5421492aee 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -71,12 +71,34 @@ together with their level of testing: MVP definition -------------- -The TLS 1.3 MVP implements only the client side of the protocol. -The TLS 1.3 MVP does not support the handling of server HelloRetryRequest and -CertificateRequest messages. If it receives one of those messages, it aborts -the handshake with an handshake_failure closure alert and the -`mbedtls_ssl_handshake()` returns in error with the -`MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE` error code. +- Overview + + - The TLS 1.3 MVP implements only the client side of the protocol. + + - The TLS 1.3 MVP supports ECDHE key establishment. + + - The TLS 1.3 MVP does not support DHE key establishment. + + - The TLS 1.3 MVP does not support pre-shared keys, including any form of + session resumption. This implies that it does not support sending early + data (0-RTT data). + + - The TLS 1.3 MVP supports the authentication of the server by the client + but does not support authentication of the client by the server. In terms + of TLS 1.3 authentication messages, this means that the TLS 1.3 MVP + supports the processing of the Certificate and CertificateVerify messages + but not of the CertificateRequest message. + + - The TLS 1.3 MVP does not support the handling of server HelloRetryRequest + message. In practice, this means that the handshake will fail if the MVP + does not provide in its ClientHello the shared secret associated to the + group selected by the server for key establishement. For more information, + see the comment associated to the `key_share` extension below. + + - If the TLS 1.3 MVP receives a HelloRetryRequest or a CertificateRequest + message, it aborts the handshake with an handshake_failure closure alert + and the `mbedtls_ssl_handshake()` returns in error with the + `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE` error code. - Supported cipher suites: depends on the library configuration. Potentially all of them: From 8ee9ed6785e1f9ded44f1bd07401b0b70c524479 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 28 Sep 2021 14:46:43 +0200 Subject: [PATCH 18/20] Fix and improve the documentation of supported groups Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index 5421492aee..b15d77ca61 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -135,9 +135,12 @@ MVP definition (2) The MVP sends one shared secret corresponding to the configured preferred group. The preferred group is the group of the first curve in the list of - allowed curves as defined by the configuration. By default, it is the - mandatory group as defined by section 9.1 of the specification, - `secp256r1`. The list of allowed curves can be set through the + allowed curves as defined by the configuration. The allowed curves are + by default ordered as follow: `secp256r1`, `x25519`, `secp384r1` + and finally `secp521r1`. This default order is aligned with the + list of mandatory-to-implement groups (in absence of an application + profile standard specifying otherwise) defined in section 9.1 of the + specification. The list of allowed curves can be changed through the `mbedtls_ssl_conf_curves()` API. (3) The MVP proposes only TLS 1.3 and does not support version negociation. @@ -148,11 +151,8 @@ MVP definition re-initiate a server handshake. - Supported groups: depends on the library configuration. - Minimally (as defined in section 9.1 of the TLS 1.3 specification): - secp256r1 and x25519. - - Furthermore, depending on the library configuration, potentially: - secp384r1 and secp521r1. + Potentially all ECDHE groups but x448: + secp256r1, x25519, secp384r1 and secp521r1. Finite field groups (DHE) are not supported. From fb877215b56152215622b44a48f0d8fe8e11e788 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 28 Sep 2021 15:49:39 +0200 Subject: [PATCH 19/20] Fix supported signature documentation Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index b15d77ca61..5a73715b0e 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -156,12 +156,15 @@ MVP definition Finite field groups (DHE) are not supported. -- Supported signature algorithms(both for certificates and CertificateVerify): - Minimally (as defined in section 9.1 of the TLS 1.3 specification): - rsa_pkcs1_sha256, rsa_pss_rsae_sha256 and ecdsa_secp256r1_sha256 +- Supported signature algorithms (both for certificates and CertificateVerify): + depends on the library configuration. + Potentially: + rsa_pkcs1_sha256, rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256, + ecdsa_secp384r1_sha384 and ecdsa_secp521r1_sha512. - Furthermore, depending on the library configuration, potentially: - ecdsa_secp384r1_sha384 and ecdsa_secp521r1_sha512 + Note that in absence of an application profile standard specifying otherwise + the three first ones in the list above are mandatory (see section 9.1 of the + specification). - Supported versions: only TLS 1.3, version negotiation is not supported. From 7fc96c1a5731df5fa41bc4dca235e1f6ba62ffad Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 28 Sep 2021 15:54:57 +0200 Subject: [PATCH 20/20] Fix test description Signed-off-by: Ronald Cron --- docs/architecture/tls13-experimental.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index 5a73715b0e..5d7c14f1bb 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -218,10 +218,9 @@ MVP definition - Quality considerations - Standard Mbed TLS review bar - Interoperability testing with OpenSSL and GnuTLS. Test with all the - cipher suites supported by OpenSSL/GnuTLS server with and without - certificate base authentication. + cipher suites and signature algorithms supported by OpenSSL/GnuTLS server. - Negative testing against OpenSSL/GnuTLS servers with which the - handshake fails due to imcompatibility with the capabilities of the + handshake fails due to incompatibility with the capabilities of the MVP: TLS 1.2 or 1.1 server, server sending an HelloRetryRequest message in response to the MVP ClientHello, server sending a CertificateRequest message ...