Implement TLS-Exporter

[mfil]

Description

This pull request implements the TLS-Exporter feature as defined in RFC 8446, Section 7.5 and RFC 5705.

TLS-Exporter allows the client and server to extract additional shared symmetric keys from the SSL context by inputting a label and a desired length for the key.

Currently, it is possible for library users to implement TLS-Exporter in TLS 1.2 by using mbedtls_ssl_set_export_keys_cb() to obtain the master secret and then calculate mbedtls_ssl_tls_prf(). It is not currently possible to do this for TLS 1.3. This pull request adds the function mbedtls_ssl_export_keying_material() to implement TLS-Exporter in the library for both TLS 1.2 and 1.3.

I have marked this pull request as "Draft" because I have not yet added any automated tests, and I would like some help in figuring out what would be the best way to add them. I have added options to ssl_client2 and ssl_server2 to print out the derived symmetric keys on the command line. I have checked that when connecting openssl s_client (with the -keymatexport option) to ssl_server2, they both produce the same key.

I have added a test for the TLS 1.3 Exporter. I could not find test vectors online, so I have taken the "exp master" key from RFC 8448 and used an online HMAC-SHA256 calculator to calculate the expected result. Additionally, I have added options to ssl_client2 and ssl_server2 to print out the derived symmetric keys on the command line. I have checked that when connecting openssl s_client (with the -keymatexport option) to ssl_server2, they both export the same key.

PR checklist

Please remove the segment/s on either side of the | symbol as appropriate, and add any relevant link/s to the end of the line.
If the provided content is part of the present PR remove the # symbol.

• changelog provided
• development PR provided
• framework PR not required
• 3.6 PR provided [Backport 3.6] Implement TLS-Exporter #9469
• 2.28 PR not required because: TLS 1.3 is only experimental in this version, and the user can implement TLS-Exporter in TLS 1.2
• tests provided

[mfil]

Sorry for the force-push. I forgot to sign off my latest commit, and there's no way to fix that with more commits.

I can close and reopen this merge request, but first I'd like to ask for some help with implementing unit tests.

[davidhorstmann-arm]

@mfil Thanks for this very succinct and well-documented PR. @waleed-elmelegy-arm and I plan to do reviews over the next couple of months so we can try to get this merged.

In the meantime, there are some merge conflicts (I think from the 3.6 release). Would you be able to resolve these? We aren't planning much work in this area of the code for a while, so it will be unlikely to bitrot again.

[mfil]

@mfil Thanks for this very succinct and well-documented PR. @waleed-elmelegy-arm and I plan to do reviews over the next couple of months so we can try to get this merged.

In the meantime, there are some merge conflicts (I think from the 3.6 release). Would you be able to resolve these? We aren't planning much work in this area of the code for a while, so it will be unlikely to bitrot again.

I've rebased onto develop, fixed some mistakes in the comments, and force-pushed. (Let me know if you prefer opening a new pull request.)

I'll wait for reviews before changing the 3.6 backport pull request, ok?

[davidhorstmann-arm]

I'll wait for reviews before changing the 3.6 backport pull request, ok?

That sounds fine to me, thanks! I'll start the CI again, I seem to remember it failed the last time with a build error in some configurations. If you need a hand reproducing it let me know.

[mfil]

I'll wait for reviews before changing the 3.6 backport pull request, ok?

That sounds fine to me, thanks! I'll start the CI again, I seem to remember it failed the last time with a build error in some configurations. If you need a hand reproducing it let me know.

Most of them make sense to me.

In all_u16-check_names, it complains that mbedtls_ssl_export_keying_material isn't declared in a header, but it's right there in include/mbedtls/ssl.h, so I don't understand that.

[mfil]

@davidhorstmann-arm I think I fixed everything. Can you re-run the CI?

[gilles-peskine-arm]

I've started a CI run.

[mfil]

I've started a CI run.

Thank you!

I'm stuck on getting the last tests to succeed. The TLS 1.2 Exporter needs client_random and server_random. If I'm seeing this correctly, if MBEDTLS_SSL_CONTEXT_SERIALIZATION is not defined, then these go away when the handshake is done.

Would it be a problem to always have a randbytes field in struct mbedtls_ssl_transform?

[tom-cosgrove-arm]

I've started the CI on the updated PR

[mfil]

Ok, the code style check is happy now, that still leaves my problem I mentioned above.

[mfil]

I've fixed the merge conflict and added a commit that should fix the remaining CI failures. Please re-run the CI @davidhorstmann-arm @gilles-peskine-arm

[gilles-peskine-arm]

There's a 3.6 backport but it isn't up to date. @mfil @davidhorstmann-arm @waleed-elmelegy-arm Is there still interest in the 3.6 backport? Given the size of the code now, is it still ok for a long-term support branch?

[gilles-peskine-arm]

Having checked internally, it seems that we would still like to include this in Mbed TLS 3.6. @mfil Can you please update #9469 ? Since it hasn't been reviewed yet, please rebase it on top of the current head of mbedtls-3.6, and update the patch to the version that's approved for the development branch. If any differences are needed in 3.6, please briefly explain what's changed, so we know what to expect in git range-diff.

[mfil]

The backport pull request is ready!

[gilles-peskine-arm]

Approving the change from 1a1ec2f to dba07e1

[davidhorstmann-arm]

LGTM, thanks!

[davidhorstmann-arm]

@mfil Thanks for all your work on this. Everything looks fine and the backport is approved, so I'll add it to the merge queue!

[Neustradamus]

Thanks @mfil for your PR and @davidhorstmann-arm, @gilles-peskine-arm, @tom-cosgrove-arm, @waleed-elmelegy-arm, @gowthamsk-arm: I have discovered this PR, it follows a part of my ticket here:

• RFC 9266: Channel Bindings for TLS 1.3 support #6150

So "tls-exporter" is now supported but "tls-unique" and "tls-server-end-point" are always missing.