
Refactor TLS, add TLS server

Open clickingbuttons opened this issue 1 year ago • 3 comments

Blockers:

  • Need RSA signature signing (#19776). Key generation would be convenient for testing and users.
  • Strongly prefer DER parser upgrade for parsing more Certificate fields (#19976).

Bugfixes:

  • Account for trailing padding before inner message type after decrypting ciphertext
  • Greatly simplified reading logic, no more index out of bounds when reading (fixes #15590, fixes #15226, fixes #14573, and fixes #18126). This is at the cost of every TLS read @memcpying, which will be benchmarked and potentially optimized.
  • Support spec's 2^24-1 size certificates with an allocator (sorry, gotta do it for the spec...)
  • Send alerts (fixes #14167)
  • Handle fragmentation when reading and writing

Features:

  • Add TLS server (closes #14171)
  • Only buffer a single message at a time (cost: MultiHash triple hashing first Handshake message)
  • Less RAM usage when handshaking (only single message is buffered) and reading application data (ciphertext, plaintext, and various stack buffers replaced with single fragment buffer)
  • Pass null for Client ca_bundle to skip Certificate validation.
  • Support SSLKEYLOGFILE
  • Convenient encoding and decoding for TLS implementers

Tests:

  • Client and server messages byte by byte. Bootstrapped from xargs and bytebybyte.
  • Every supported cipher suite, group, and signature algorithm between server and client
  • [ ] Fragmentation

Even without a coverage report, I can confidently say this closes #14174

TODO:

  • [x] Server state machine + curl test
  • [x] KeyShare kyber read
  • [x] StreamInterface readv instead of readAll
  • [ ] Review implementation pitfalls
  • [ ] Top 100 sites (closes #14172)
    • [ ] Client TLS 1.2 support
  • [x] Top clients (chrome, curl, wget, python)
  • [ ] Send key update on overflow
  • [ ] Server key update support
  • [ ] Proper HelloRetryRequest support in server
  • [ ] Add kyber without increasing struct sizes from 256 bytes to 13Kb (possibly use HelloRetryRequest?)

Performance TODO:

  • [ ] support 0-RTT (one roundtrip will likely save more than any other optimization and works great for idempotent requests like HTTP get)
  • [ ] benchmark handshake time + application data throughput
  • [ ] store multiple fragments in buffer for less syscalls
  • [ ] streaming crypto decrypt to avoid memcpy
  • [x] store handshake_cipher somewhere temporary
  • [ ] investigate #17051
  • [ ] remove debug printing

https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility

clickingbuttons, Mar 14 '24 18:03
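The record-padding rule behind the first bugfix above ("trailing padding before inner message type"), as an added example in C rather than the PR's Zig, and not code from the PR; the function names and the 16-byte padded length are made up for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not code from the PR. RFC 8446 s5.2: a decrypted record is
 * content || ContentType || zero padding, so the real type is the last
 * NON-zero byte; reading the last byte (the bug fixed above) yields 0. */

enum { TLS_CT_ALERT = 21, TLS_CT_HANDSHAKE = 22, TLS_CT_APPLICATION_DATA = 23 };
#define TLS13_MAX_INNER ((1u << 14) + 1)   /* 2^14 bytes content + type byte */

/* Decode: returns the content type (> 0) and the content length before it.
 * Returns 0 for an empty or all-zero record (must become unexpected_message). */
int tls13_strip_padding(const uint8_t *plain, size_t len, size_t *content_len) {
    size_t i = len;
    while (i > 0 && plain[i - 1] == 0)
        i--;                       /* skip the trailing zero padding */
    if (i == 0)
        return 0;                  /* no content type byte at all */
    if (content_len)
        *content_len = i - 1;      /* bytes before the type byte are content */
    return plain[i - 1];
}

/* Encode: write content || type || zeros so the record is exactly padded_len
 * bytes, hiding the true length. Returns bytes written, or 0 if invalid. */
size_t tls13_add_padding(const uint8_t *content, size_t content_len, uint8_t type,
                         size_t padded_len, uint8_t *out, size_t out_cap) {
    if (type == 0 || content_len + 1 > padded_len ||
        padded_len > out_cap || padded_len > TLS13_MAX_INNER)
        return 0;
    memcpy(out, content, content_len);
    out[content_len] = type;
    memset(out + content_len + 1, 0, padded_len - content_len - 1);
    return padded_len;
}

/* Constructed round trip: a 2-byte alert (fatal, unexpected_message) padded
 * out to 16 bytes must decode back to type 21 and length 2. */
int demo_roundtrip(void) {
    const uint8_t alert[] = { 2, 10 };
    uint8_t rec[64];
    size_t n = 0;
    if (tls13_add_padding(alert, sizeof alert, TLS_CT_ALERT, 16, rec, sizeof rec) != 16)
        return 0;
    int ct = tls13_strip_padding(rec, 16, &n);
    return ct == TLS_CT_ALERT && n == 2 && memcmp(rec, alert, 2) == 0;
}

int main(void) { return demo_roundtrip() ? 0 : 1; }
```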

This will be really nice if TLS 1.2 is finally supported!

VisenDev, Mar 14 '24 19:03

This branch isn't abandoned. I've made a PR with DateTime added, am working on a crypto PR (adding a DER parser and RSA functions), and then finally will base this PR on those.

clickingbuttons, Apr 17 '24 00:04