Implement TLSFlags extension #151
Conversation
|
It needs some tests. |
There was a problem hiding this comment.
+1 to tests. We should at least test that, when the flags are enabled by the client in crypto/tls.Config, the server sees the value in the ClientHello.
Another high-level question: How does this interact with ECH?
- Is the the extension present in both the inner and outer handshake?
- If so, should it appear only in the inner handshake?
| @@ -851,6 +858,8 @@ type Config struct { | |||
| // See https://tools.ietf.org/html/draft-ietf-tls-subcerts. | |||
| SupportDelegatedCredential bool | |||
|
|
|||
There was a problem hiding this comment.
Please document here what TLSFlagSet is.
There was a problem hiding this comment.
TLSFlagsSupported still needs to be documented. It appears that it controls both the client and server-supported flags.
You should document that this is currently limited to controlling TLS Flags in the Server Hello. The spec also allows EncryptedExtensions, Certificate, Hello Retry Request.
| type TLSFlag uint16 | ||
|
|
||
| const ( | ||
| FlagSupportMTLS TLSFlag = 0x50 |
There was a problem hiding this comment.
Please document what this is. IIRC this is not yet a codepoint that's documented? If so, we should mark it as experimental in the API.
| FlagSupportMTLS TLSFlag = 0x50 | |
| /// ExperimentalFlagSuppportMTLS ... | |
| ExperimentalFlagSupportMTLS TLSFlag = 0x50 |
There was a problem hiding this comment.
Is it intentional that this flag occupies 11 bytes? 0x50 is 80 decimal, and since we start counting at 0, this occupies ceil(81 / 8) = 11 bytes.
Very good question. |
jhoyla
changed the title
|
Added code for server side. |
Currently the extension will be added to the inner handshake only: https://github.com/cloudflare/go/blob/cf/src/crypto/tls/ech.go#L81-L85 Only specific extensions are copied into the outer handshake: https://github.com/cloudflare/go/blob/cf/src/crypto/tls/ech.go#L92-L106 In my opinion, this is the correct behavior, assuming conservatively that the value of the TLS flags extension is privacy sensitive: https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.html#name-outer-clienthello Note that since it appears in the inner handshake, it will be used by the server to terminate the connection. OTOH, if ECH is rejected, then it won't be used by the server to terminate the connection. |
Lekensteyn
force-pushed
the
jhoyla/tls-flags
branch
from
fd0be4b
to
1b8ed4f
Compare
|
(Rebased on the |
| return false | ||
| } | ||
| m.tlsFlags = append(m.tlsFlags, flagByte) | ||
| } |
There was a problem hiding this comment.
I think that this whole block can be simplified to:
var flagsList cryptobyte.String
if !extData.ReadUint8LengthPrefixed(&flagsList) || flagsList.Empty() {
return false
}
m.tlsFlags = flagsListThat would save some unnecessary memory allocations as well by avoiding the append. A cryptobyte.String is an alias for []byte: https://pkg.go.dev/golang.org/x/crypto/cryptobyte#String
| @@ -318,6 +319,23 @@ GroupSelection: | |||
| c.sendAlert(alertIllegalParameter) | |||
| return errors.New("tls: invalid client key share") | |||
| } | |||
| if len(hs.clientHello.tlsFlags) != 0 { | |||
There was a problem hiding this comment.
Missing check: hs.clientHello.tlsFlags[0] != 0 or else you need to c.sendAlert(alertIllegalParameter).
To comply with: "An implementation that receives an all-zero value for this extension or a value that contains trailing zero bytes MUST generate a fatal illegal_parameter alert."
| if len(hs.clientHello.tlsFlags) != 0 { | ||
| supportedFlags, err := encodeFlags(hs.c.config.TLSFlagsSupported) | ||
| if err != nil { | ||
| return errors.New("tls: invalid server flags") |
There was a problem hiding this comment.
Perhaps you should also send an internal error alert here?
| @@ -465,6 +466,12 @@ const ( | |||
| ECDSAWithSHA1 SignatureScheme = 0x0203 | |||
| ) | |||
|
|
|||
| type TLSFlag uint16 | |||
There was a problem hiding this comment.
Let's make clear that this is the flag number (index) rather than the raw representation:
| type TLSFlag uint16 | |
| // TLSFlag represents the flag number. | |
| type TLSFlag uint16 |
| @@ -125,6 +125,7 @@ const ( | |||
| extensionRenegotiationInfo uint16 = 0xff01 | |||
| extensionECH uint16 = 0xfe0d // draft-ietf-tls-esni-13 | |||
| extensionECHOuterExtensions uint16 = 0xfd00 // draft-ietf-tls-esni-13 | |||
| extensionTLSFlags uint16 = 0xfe01 // draft-ietf-tls-tlsflags-12 | |||
There was a problem hiding this comment.
0xfe01 (65025) belongs to the "Unassigned" namespace. Unless we have it assigned, we should probably stick to the "Reserved for Private Use" namespace which has a range starting at 0xff02 (65282).
| @@ -851,6 +858,8 @@ type Config struct { | |||
| // See https://tools.ietf.org/html/draft-ietf-tls-subcerts. | |||
| SupportDelegatedCredential bool | |||
|
|
|||
There was a problem hiding this comment.
TLSFlagsSupported still needs to be documented. It appears that it controls both the client and server-supported flags.
You should document that this is currently limited to controlling TLS Flags in the Server Hello. The spec also allows EncryptedExtensions, Certificate, Hello Retry Request.
| flagNo := byteIndex*8 + i | ||
| if flagNo >= int(maxTLSFlag) { | ||
| return nil, fmt.Errorf("TLS flag is out of range: %d", flagNo) | ||
| } |
There was a problem hiding this comment.
Optimization: This check can be removed by checking outside the outer loop. Fail on len(flagBytes) > 255 or alternatively len(flagBytes) * 8 > maxTLSFlag.
| type TLSFlag uint16 | ||
|
|
||
| const ( | ||
| FlagSupportMTLS TLSFlag = 0x50 |
There was a problem hiding this comment.
Is it intentional that this flag occupies 11 bytes? 0x50 is 80 decimal, and since we start counting at 0, this occupies ceil(81 / 8) = 11 bytes.
bwesterb
force-pushed
the
cf
branch
2 times, most recently
from
3086991
to
891ed94
Compare
jhoyla
force-pushed
the
jhoyla/tls-flags
branch
2 times, most recently
from
b071690
to
ead11a3
Compare
jhoyla
force-pushed
the
jhoyla/tls-flags
branch
from
ead11a3
to
4092d3f
Compare
This PR implements the first half of the TLS Flags extension.