Merging TLS 1.3

[kazu-yamamoto]

This is the final difference for TLS 1.3.
I don't intend to merge this PR directly.
Rather, I would like to ask reviewers to give comments.
This is a jumbo patch. I have no idea on how to divide this into smaller pieces.
Comments are welcome.
Meanwhile, I will try to resolve fixmes.

[ocheron]

Could you clarify what the test suite does?

• I don't see test cases with TLS13-specific extensions and features like PSK, 0RTT, etc.
• it's like TLS13 is tested against TLS13 only

[kazu-yamamoto]

The test is for full handshake (1RTT) only at this moment.
I will try to add test cases for other three handshakes.

[ocheron]

Yes, working on the test suite first would be useful to dive in this large piece.

I think I have progress regarding the version incompatibilities. It looks there is a bug when connecting TLS13-enabled client with a SSL3-only server. This works better and starts to test more version combinations: https://gist.github.com/ocheron/5b8ddfa47f2f5216bcea13213ebee688

Two test cases are still failing:

• renegotiation: probably not a surprise
• key usage: maybe this is simply not implemented for 1.3?

[ocheron]

I added some comments and questions in the code, please find also global comments here:

• hourglass can be a better choice than time to avoid floating-point conversion (hourglass is already used in the test suite and indirectly in x509 packages)
• new modules should have header and export lists

Client and Server:

• often there is a sequence of calls encodeHandshake13, updateHandshakeDigest, addHandshakeMessage. This should be captured as a common utility, for example in module Sending13.
• intersection with availableGroups is not needed as this contain all possible values now. Some of it can use availableECGroups instead, but FFDHE is probably not complex to add.

SimpleClient and SimpleServer:

• there should be an option --tls13, but not as default until features still missing are added (and TLS13 is default in library too)

[kazu-yamamoto]

I will try to add test cases for other three handshakes.

Test cases for four handshakes were added.

[kazu-yamamoto]

• renegotiation: probably not a surprise

Renegotiation does not exist in TLS 1.3 as you may know.

• key usage: maybe this is simply not implemented for 1.3?

I don't know key usage. How can I learn it?

[ocheron]

I don't know key usage. How can I learn it?

The requirement is listed in RFC 8446 section 4.4.2.2: The certificate MUST allow the key to be used for signing (i.e., the digitalSignature bit MUST be set if the Key Usage extension is present)

More is in RFC 5280 section 4.2.1.3.

The test case about server key usage can be generalized to TLS13 easily. For client key usage, this is not currently possible because client authentication is not implemented.

[kazu-yamamoto]

• new modules should have header and export lists

Done.

[kazu-yamamoto]

• intersection with availableGroups is not needed as this contain all possible values now. Some of it can use availableECGroups instead, but FFDHE is probably not complex to add.

Intersections are deleted.

[kazu-yamamoto]

• often there is a sequence of calls encodeHandshake13, updateHandshakeDigest, addHandshakeMessage. This should be captured as a common utility, for example in module Sending13.

It appeared that this is an awesome idea. Thanks!

[kazu-yamamoto]

• there should be an option --tls13, but not as default until features still missing are added (and TLS13 is default in library too)

Done.

[kazu-yamamoto]

hourglass can be a better choice than time to avoid floating-point conversion (hourglass is already used in the test suite and indirectly in x509 packages)

Done.

[kazu-yamamoto]

I think that I did everything I can.

[ocheron]

I added a few more comments about the new changes.
Also did you look at my patch for SSLv3 / RSA encryption?

[kazu-yamamoto]

Also did you look at my patch for SSLv3 / RSA encryption?

Do you mean this one?

https://gist.github.com/ocheron/5b8ddfa47f2f5216bcea13213ebee688

If so, I'm now trying to resolve the two test failures.

[kazu-yamamoto]

• renegotiation: probably not a surprise

Your patch was applied and the bug of renego has been fixed.

[kazu-yamamoto]

I'm now trying to implement client authentication to fix CI.

[ocheron]

Great, I think this is already a major achievement and we can merge without client authentication.
The test case can run without TLS13 for now.

[kazu-yamamoto]

Great, I think this is already a major achievement and we can merge without client authentication.
The test case can run without TLS13 for now.

OK. I modified the test to skip TLS 1.3 and merged this PR to master.
Thank you for your thorough review!