[TLS 1.3] Session Resumption

[reneme]

This adds session resumption to the TLS 1.3 implementation.

Central changes in this pull request:

• Extend the TLS::Session class to allow storing TLS 1.3 sessions
• Provide a new entry point into the TLS 1.3 key schedule: init_with_psk()
• Allow premature serialization of Client_Hello_13 to calculate PSK binders
  • Implement a Truncate(Client_Hello) function as outlined in RFC 8446 4.2.11.2
  • Extend the TLS client state machine to accomodate resumption
• Provide TLS::Callbacks::tls_current_timestamp() for deterministic timestamps for testing (now extracted here)

Currently, the TLS 1.3 PSK mechanism is exclusively used for session resumption. It should be fairly straight forward to extend it for out-of-band PSKs. Furthermore, this pull request leaves support for early data and early key export to future work.

Caveat: RFC 8446 suggests to not reuse session tickets to prevent passive client tracking. This is not implemented by the client implementation (neither in TLS 1.2). I suppose this is meant to be implemented by a custom Session_Manager if needed?!

[codecov-commenter]

Codecov Report

Base: 92.59% // Head: 92.57% // Decreases project coverage by -0.01% ⚠️

Coverage data is based on head (f126b55) compared to base (49080fb).
Patch coverage: 88.96% of modified lines in pull request are covered.

❗ Current head f126b55 differs from pull request most recent head 410bd69. Consider uploading reports for the commit 410bd69 to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2974      +/-   ##
==========================================
- Coverage   92.59%   92.57%   -0.02%     
==========================================
  Files         600      601       +1     
  Lines       70092    70637     +545     
  Branches     6628     6672      +44     
==========================================
+ Hits        64903    65394     +491     
- Misses       5156     5210      +54     
  Partials       33       33              

Impacted Files	Coverage Δ
src/bogo_shim/bogo_shim.cpp	88.85% <ø> (ø)
src/lib/tls/msg_server_hello.cpp	92.94% <ø> (ø)
src/lib/tls/tls13/tls_extensions_key_share.cpp	87.50% <ø> (ø)
src/lib/tls/tls13/tls_handshake_layer_13.cpp	97.14% <ø> (ø)
src/tests/tests.h	92.14% <0.00%> (ø)
src/tests/test_tls_messages.cpp	86.71% <9.52%> (-6.52%)	⬇️
src/lib/tls/tls_extensions.cpp	89.60% <61.53%> (-1.80%)	⬇️
src/tests/test_tls_rfc8448.cpp	89.43% <80.23%> (-1.84%)	⬇️
src/lib/tls/msg_session_ticket.cpp	81.39% <85.00%> (+4.47%)	⬆️
src/lib/tls/tls13/tls_extensions_psk.cpp	89.81% <89.81%> (ø)
... and 20 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[reneme]

We basically query the Session_Manager before instantiating the TLS 1.2 or TLS 1.3 implementation. If we find a TLS 1.2 session we don't even bother offering TLS 1.3 in the first place. Hence, we cannot fulfil those tests. Though, I think it's worth discussing whether the described behaviour is actually wise.

[lieser]

Would of course be nice to switch to TLS 1.3. even than an older session exist. But unless you think the new some API change for that I don't think it is important to have it in the first version.

[reneme]

... yeah. The binder MACs are unfortunately a major cross-cutting concern through our layered implementation architecture. Probably it would be a good idea to see how other implementations are handling this. Maybe I missed a short cut. The current implementation works, but its sad to see this.

[reneme]

Same as find_client_hello_truncation_mark, this is somewhat "magic" and an ugly breach of abstraction. Before, the Transcript_Hash_State was a dumb class that just "hashed the transcript" as it was passed into it. Now it automagically detects whether it is hashing a Client Hello message, whether that Client Hello message contains a PSK extension (in find_client_hello_truncation_mark) and creates a truncated() hash in that case.

Apart from the level-of-abstraction ugliness, this introduces overhead due to additional memory copies and repeated marshalling and parsing of the data structure.

For now, this is the least intrusive implementation I could come up with. Though, I'm very much open to discussing a better approach to this.... @hrantzsch :)

[reneme]

Rebased and retargeted to master.