[TLS 1.3] Overhaul TLS::Policy

[reneme]

Policy Methods that might need attention

Cipher suite related: allowed_ciphers(), allowed_macs(), ...

My current working assumption: TLS 1.3 cipher suites are simply subject to those policy configurations as well.

• allowed_key_exchange_methods() needs to be extended for hybrid key exchange for PQC.

only_resume_with_exact_version()

Sessions that originally negotiated TLS 1.2 cannot be resumed as TLS 1.3 and vice versa in the current implementation. I'm not sure whether this would even be technically possible. Since TLS protocol versions prior to 1.2 were removed, this will not have an effect.

record_size_limit()

Currently, the record size limit extension is supported by the TLS 1.3 implementation only. Hence, it cannot be offered if our Botan-client signals willingness to negotiate either 1.2 or 1.3. Otherwise a peer might choose to negotiate TLS 1.2 and use the record size limit extension which would break. That's a bit of a bummer (and a non-obvious cause for user frustration), but the extension is fairly niche anyway. We mainly implemented it for compliance with the RFC 8448 tests that use it.

Modifications at a Glance

Removed use_extended_master_secret()

TLS 1.2 enables this extension by default (and ignores the setting of this policy config). TLS 1.3 connections don't have a notion of "extended master secret" anymore. Hence the removal.

key_exchange_groups_to_offer()

TLS 1.3 client specific: the groups (in order of preference) that should be offered in the initial Client Hello's KeyShare extension. By default, this will offer the first supported group (as returned by Policy::key_exhange_groups()) but applications may adjust this. Somewhat obvious: only groups that are supported can be offered.

choose_key_exchange_group() has a new parameter

This method existed before. It is responsible for deciding which key exchange group a peer should use given the counter-party's supported groups. Now, it additionally obtains a list of groups that the counter-party send TLS 1.3 key share offers for. When called from the TLS 1.2 implementation the new parameter is always empty.
With that, it is up to the application whether a Hello Retry Request should be issued (e.g. to choose a PQ-safe group over an offered conventional group). By default, this will try to avoid Hello Retry Requests by choosing a group that was offered by the counter-party.

tls_13_middlebox_compatibility_mode()

Lets a TLS 1.3 client behave as specified in RFC 8446 Appendix D.4. TL;DR: Make the TLS 1.3 handshake appear to be a TLS 1.2 session resumption to fool non-compliant middleboxes. This is on by default and (obviously) has no effect on the TLS 1.2 implementation. Not added in this PR.

hash_hello_random()

Whether or not the random string in client/server hello should be hashed with SHA-256 after being drawn from the RNG. This is enabled by default and was added to allow deterministic testing (i.e. RFC 8448). Not added in this PR.

Documentation

Added @note paragraphs for policy configs that have no effect for either TLS 1.2 or 1.3 respectively.

[codecov-commenter]

Codecov Report

Base: 92.55% // Head: 91.79% // Decreases project coverage by -0.76% ⚠️

Coverage data is based on head (b560171) compared to base (864cbf2).
Patch coverage: 62.50% of modified lines in pull request are covered.

❗ Current head b560171 differs from pull request most recent head 465e6fb. Consider uploading reports for the commit 465e6fb to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2989      +/-   ##
==========================================
- Coverage   92.55%   91.79%   -0.77%     
==========================================
  Files         601      599       -2     
  Lines       70608    72086    +1478     
  Branches     6666     6603      -63     
==========================================
+ Hits        65353    66172     +819     
- Misses       5225     5914     +689     
+ Partials       30        0      -30     

Impacted Files	Coverage Δ
src/lib/tls/tls12/msg_client_kex.cpp	85.98% <ø> (+0.45%)	⬆️
src/lib/tls/tls_text_policy.cpp	86.30% <ø> (-1.56%)	⬇️
src/lib/tls/tls12/msg_server_kex.cpp	91.37% <50.00%> (-0.80%)	⬇️
src/lib/tls/tls_policy.cpp	92.36% <60.00%> (-1.05%)	⬇️
src/lib/tls/tls12/tls_server_impl_12.cpp	88.18% <100.00%> (-0.24%)	⬇️
src/tests/test_pubkey.h	73.46% <0.00%> (-16.78%)	⬇️
src/tests/test_workfactor.cpp	86.66% <0.00%> (-13.34%)	⬇️
src/tests/test_gf2m.cpp	86.95% <0.00%> (-13.05%)	⬇️
src/tests/test_elgamal.cpp	88.00% <0.00%> (-12.00%)	⬇️
src/tests/runner/test_reporter.cpp	88.73% <0.00%> (-11.27%)	⬇️
... and 454 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[lgtm-com]

This pull request introduces 1 alert when merging 72f44f0 into db89870 - view on LGTM.com

new alerts:

• 1 for Comparison result is always the same

[randombit]

Similar comment re the callbacks PR - for EMS support, if it is always enabled and the policy does nothing, we might as well just remove it entirely in 3.0. Otherwise LGTM

[randombit]

This being the case we should just remote it as a toggle