Implement TLS Flags and the request mTLS flag.

Author: jhoyla

src/crypto/tls/common.go

@@ -126,6 +126,7 @@ const (
 	extensionRenegotiationInfo       uint16 = 0xff01
 	extensionECH                     uint16 = 0xfe0d // draft-ietf-tls-esni-13
 	extensionECHOuterExtensions      uint16 = 0xfd00 // draft-ietf-tls-esni-13
+	extensionTLSFlags                uint16 = 0xfe01 // draft-ietf-tls-tlsflags-12
 )
 
 // TLS signaling cipher suite values
@@ -364,6 +365,17 @@ type ConnectionState struct {
 	// This means the client has offered ECH or sent GREASE ECH.
 	ECHOffered bool
 
+	// PeerTLSFlags is the set of TLS Flags sent by the Peer.
+	PeerTLSFlags []TLSFlag
+
+	// AgreedTLSFlags is the set of TLS Flags mutually supported by the Client
+	// and Server.
+	AgreedTLSFlags []TLSFlag
+
+	// RequestClientCert is true if the server decided to request a client
+	// certificate.
+	RequestClientCert bool
+
 	// ekm is a closure exposed via ExportKeyingMaterial.
 	ekm func(label string, context []byte, length int) ([]byte, error)
 }
@@ -469,6 +481,20 @@ const (
 	ECDSAWithSHA1 SignatureScheme = 0x0203
 )
 
+// TLSFlag is the index of a bit in the TLSFlags bit array that should be set to
+// send the flag. Because TLSFlags can have so many different uses, many yet to
+// be defined, this extension should not be copied into the ECH
+// ClientHelloOuter.
+type TLSFlag uint16
+
+const (
+	// ExperimentalFlagSupportMTLS is a flag that signals that a client supports
+	// mTLS, and will be able to respond to CertificateRequest messages
+	// appropriately.
+	// https://datatracker.ietf.org/doc/draft-jhoyla-req-mtls-flag/
+	ExperimentalFlagSupportMTLS TLSFlag = 0x50
+)
+
 // ClientHelloInfo contains information from a ClientHello message in order to
 // guide application logic in the GetCertificate and GetConfigForClient callbacks.
 type ClientHelloInfo struct {
@@ -905,6 +931,12 @@ type Config struct {
 	// See https://tools.ietf.org/html/draft-ietf-tls-subcerts.
 	SupportDelegatedCredential bool
 
+	// TLSFlagsSupported is the list of flags that the client or server is
+	// willing to support. This is currently limited to the set of flags set in
+	// the ClientHello, although the draft specifies various other messages
+	// where they can appear.
+	TLSFlagsSupported []TLSFlag
+
 	// mutex protects sessionTicketKeys and autoSessionTicketKeys.
 	mutex sync.RWMutex
 	// sessionTicketKeys contains zero or more ticket keys. If set, it means
@@ -995,6 +1027,7 @@ func (c *Config) Clone() *Config {
 		Renegotiation:               c.Renegotiation,
 		KeyLogWriter:                c.KeyLogWriter,
 		SupportDelegatedCredential:  c.SupportDelegatedCredential,
+		TLSFlagsSupported:           c.TLSFlagsSupported,
 		ECHEnabled:                  c.ECHEnabled,
 		ClientECHConfigs:            c.ClientECHConfigs,
 		ServerECHProvider:           c.ServerECHProvider,

src/crypto/tls/conn.go

@@ -143,6 +143,10 @@ type Conn struct {
 		configId     uint8  // The ECH config id
 		maxNameLen   int    // maximum_name_len indicated by the ECH config
 	}
+
+	agreedTLSFlags    []TLSFlag
+	peerTLSFlags      []TLSFlag
+	requestClientCert bool
 }
 
 // Access to net.Conn methods.
@@ -1696,6 +1700,9 @@ func (c *Conn) connectionStateLocked() ConnectionState {
 	} else {
 		state.ekm = c.ekm
 	}
+	state.PeerTLSFlags = c.peerTLSFlags
+	state.AgreedTLSFlags = c.agreedTLSFlags
+	state.RequestClientCert = c.requestClientCert
 	return state
 }
 

src/crypto/tls/handshake_client.go

@@ -218,6 +218,11 @@ func (c *Conn) makeClientHello(minVersion uint16) (*clientHelloMsg, clientKeySha
 
 		hello.delegatedCredentialSupported = config.SupportDelegatedCredential
 		hello.supportedSignatureAlgorithmsDC = supportedSignatureAlgorithmsDC
+		flagBytes, err := encodeFlags(config.TLSFlagsSupported)
+		if err != nil {
+			return nil, nil, err
+		}
+		hello.tlsFlags = flagBytes
 	}
 
 	if c.quic != nil {
@@ -234,6 +239,23 @@ func (c *Conn) makeClientHello(minVersion uint16) (*clientHelloMsg, clientKeySha
 	return hello, secret, nil
 }
 
+const maxTLSFlag = TLSFlag(2040)
+
+func encodeFlags(flags []TLSFlag) ([]byte, error) {
+	flagBytes := make([]byte, 0, 255)
+	for _, flag := range flags {
+		if flag >= maxTLSFlag {
+			return nil, fmt.Errorf("cannot encode TLS flags greater than %d", maxTLSFlag)
+		}
+		whichByte := int(flag) >> 3
+		if whichByte >= len(flagBytes) {
+			flagBytes = flagBytes[:whichByte+1]
+		}
+		flagBytes[whichByte] |= 1 << (flag % 8)
+	}
+	return flagBytes, nil
+}
+
 func (c *Conn) clientHandshake(ctx context.Context) (err error) {
 	if c.config == nil {
 		c.config = defaultConfig()

src/crypto/tls/handshake_messages.go

@@ -90,6 +90,7 @@ type clientHelloMsg struct {
 	alpnProtocols                    []string
 	scts                             bool
 	supportedVersions                []uint16
+	tlsFlags                         []byte
 	cookie                           []byte
 	keyShares                        []keyShare
 	earlyData                        bool
@@ -239,6 +240,14 @@ func (m *clientHelloMsg) marshal() ([]byte, error) {
 			})
 		})
 	}
+	if len(m.tlsFlags) > 0 {
+		exts.AddUint16(extensionTLSFlags)
+		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
+			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
+				exts.AddBytes(m.tlsFlags)
+			})
+		})
+	}
 	if len(m.cookie) > 0 {
 		// RFC 8446, Section 4.2.2
 		exts.AddUint16(extensionCookie)
@@ -577,6 +586,12 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool {
 				}
 				m.supportedVersions = append(m.supportedVersions, vers)
 			}
+		case extensionTLSFlags:
+			var flagsList cryptobyte.String
+			if !extData.ReadUint8LengthPrefixed(&flagsList) || flagsList.Empty() {
+				return false
+			}
+			m.tlsFlags = flagsList
 		case extensionCookie:
 			// RFC 8446, Section 4.2.2
 			if !readUint16LengthPrefixed(&extData, &m.cookie) ||

src/crypto/tls/handshake_server_test.go

@@ -16,6 +16,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	math_rand "math/rand"
 	"net"
 	"os"
 	"os/exec"
@@ -539,6 +540,90 @@ func testCrossVersionResume(t *testing.T, version uint16) {
 	}
 }
 
+func TestTLSFlags(t *testing.T) {
+	serverConfig := &Config{
+		Certificates: []Certificate{{
+			Certificate: [][]byte{testRSACertificate},
+			PrivateKey:  testRSAPrivateKey,
+		}},
+		TLSFlagsSupported: []TLSFlag{0x50},
+	}
+	clientCert, err := X509KeyPair([]byte(clientECDSACertificatePEM), []byte(clientECDSAKeyPEM))
+	if err != nil {
+		t.Fatalf("couldn't load client certs")
+	}
+	var flags = make([]TLSFlag, 10, 100)
+	for i := 0; i < math_rand.Intn(100)+1; i++ {
+		flags = append(flags, TLSFlag(math_rand.Intn(2040)))
+	}
+	clientConfig := &Config{
+		TLSFlagsSupported:  flags,
+		InsecureSkipVerify: true,
+		Certificates:       []Certificate{clientCert},
+	}
+	state, _, err := testHandshake(t, clientConfig, serverConfig)
+	if err != nil {
+		t.Fatalf("handshake failed: %s", err)
+	}
+	found := false
+	for _, flag := range state.PeerTLSFlags {
+		found = found || (flag == 0x50)
+	}
+	if found && (state.AgreedTLSFlags[0] != TLSFlag(0x50)) {
+		t.Fatalf("Failed to agree correct flags")
+	}
+	if !state.RequestClientCert == found {
+		t.Fatalf("Failed to request client cert")
+	}
+	if (len(state.PeerCertificates) == 0) == found {
+		t.Fatalf("Didn't receive correct client certs")
+	}
+}
+
+func TestTLSFlagsReqmTLS(t *testing.T) {
+	serverConfig := &Config{
+		Certificates: []Certificate{{
+			Certificate: [][]byte{testRSACertificate},
+			PrivateKey:  testRSAPrivateKey,
+		}},
+		TLSFlagsSupported: []TLSFlag{0x50},
+	}
+	clientCert, err := X509KeyPair([]byte(clientECDSACertificatePEM), []byte(clientECDSAKeyPEM))
+	if err != nil {
+		t.Fatalf("couldn't load client certs")
+	}
+	var flags = make([]TLSFlag, 10, 100)
+	for i := 0; i < math_rand.Intn(100); i++ {
+		flags = append(flags, TLSFlag(math_rand.Intn(2040)))
+	}
+	flags = append(flags, TLSFlag(0x50))
+	clientConfig := &Config{
+		TLSFlagsSupported:  flags,
+		InsecureSkipVerify: true,
+		Certificates:       []Certificate{clientCert},
+	}
+	state, _, err := testHandshake(t, clientConfig, serverConfig)
+	if err != nil {
+		t.Fatalf("handshake failed: %s", err)
+	}
+	found := false
+	for _, flag := range state.PeerTLSFlags {
+		found = found || (flag == 0x50)
+	}
+	if !found {
+		t.Fatalf("req mTLS Flag not found")
+	}
+	if state.AgreedTLSFlags[0] != TLSFlag(0x50) {
+		t.Fatalf("Failed to agree correct flags")
+	}
+	if !state.RequestClientCert {
+		t.Fatalf("Failed to request client cert")
+	}
+	if len(state.PeerCertificates) == 0 {
+		t.Fatalf("Didn't receive correct client certs")
+	}
+}
+
 // Note: see comment in handshake_test.go for details of how the reference
 // tests work.
 

src/crypto/tls/handshake_server_tls13.go

@@ -43,6 +43,8 @@ type serverHandshakeStateTLS13 struct {
 	transcript      hash.Hash
 	clientFinished  []byte
 	certReq         *certificateRequestMsgTLS13
+	peerTLSFlags    []TLSFlag
+	tlsFlags        []TLSFlag
 
 	hsTimings CFEventTLS13ServerHandshakeTimingInfo
 }
@@ -132,7 +134,9 @@ func (hs *serverHandshakeStateTLS13) handshake() error {
 
 	c.handleCFEvent(hs.hsTimings)
 	c.isHandshakeComplete.Store(true)
-
+	c.agreedTLSFlags = hs.tlsFlags
+	c.peerTLSFlags = hs.peerTLSFlags
+	c.requestClientCert = hs.requestClientCert()
 	return nil
 }
 
@@ -317,6 +321,34 @@ GroupSelection:
 		c.sendAlert(alertIllegalParameter)
 		return errors.New("tls: invalid client key share")
 	}
+	if len(hs.clientHello.tlsFlags) != 0 {
+		if hs.clientHello.tlsFlags[len(hs.clientHello.tlsFlags)-1] == 0 {
+			c.sendAlert(alertIllegalParameter)
+			return errors.New("tls: invalid client TLS flags")
+		}
+		supportedFlags, err := encodeFlags(hs.c.config.TLSFlagsSupported)
+		if err != nil {
+			c.sendAlert(alertInternalError)
+			return errors.New("tls: invalid server flags")
+		}
+		var mutuallySupportedFlags []byte
+		for i, sFB := range supportedFlags {
+			if i >= len(hs.clientHello.tlsFlags) {
+				break
+			}
+			mutuallySupportedFlags = append(mutuallySupportedFlags, hs.clientHello.tlsFlags[i]&sFB)
+		}
+
+		peerTLSFlags, err := decodeFlags(hs.clientHello.tlsFlags)
+		if err == nil {
+			hs.peerTLSFlags = peerTLSFlags
+		}
+
+		tlsFlags, err := decodeFlags(mutuallySupportedFlags)
+		if err == nil {
+			hs.tlsFlags = tlsFlags
+		}
+	}
 
 	selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, c.quic != nil)
 	if err != nil {
@@ -356,6 +388,24 @@ GroupSelection:
 	return nil
 }
 
+func decodeFlags(flagBytes []byte) ([]TLSFlag, error) {
+	var flags []TLSFlag
+	if len(flagBytes) > int(maxTLSFlag>>3) {
+		return nil, fmt.Errorf("TLS flags extension malformed (too long)")
+	}
+
+	for byteIndex, b := range flagBytes {
+		for i := 0; !(b == 0); i++ {
+			if (b & 1) == 1 {
+				flagNo := byteIndex*8 + i
+				flags = append(flags, TLSFlag(flagNo))
+			}
+			b >>= 1
+		}
+	}
+	return flags, nil
+}
+
 func (hs *serverHandshakeStateTLS13) checkForResumption() error {
 	c := hs.c
 
@@ -892,6 +942,11 @@ func (hs *serverHandshakeStateTLS13) sendServerParameters() error {
 }
 
 func (hs *serverHandshakeStateTLS13) requestClientCert() bool {
+	for _, flag := range hs.tlsFlags {
+		if flag == ExperimentalFlagSupportMTLS {
+			return true
+		}
+	}
 	return hs.c.config.ClientAuth >= RequestClientCert && !hs.usingPSK
 }
 

src/crypto/tls/tls_test.go

@@ -877,6 +877,10 @@ func TestCloneNonFuncFields(t *testing.T) {
 			f.Set(reflect.ValueOf([]ECHConfig{ECHConfig{}}))
 		case "ECHEnabled":
 			f.Set(reflect.ValueOf(true))
+		case "PeerTLSFlags", "AgreedTLSFlags", "TLSFlagsSupported":
+			f.Set(reflect.ValueOf([]TLSFlag{}))
+		case "RequestClientCert":
+			f.Set(reflect.ValueOf(true))
 		default:
 			t.Errorf("all fields must be accounted for, but saw unknown field %q", fn)
 		}