[openssl-dev] TLSv1.3
Alessandro Ghedini
alessandro at ghedini.me
Sun May 8 11:15:56 UTC 2016
Hello everyone,
I know that I'm probably getting way ahead of myself here, but I thought it
would be interesting to start looking into adding TLS 1.3 support to OpenSSL
(for post 1.1.0 of course).
Unfortunately I didn't get very far, so I'm hoping someone more experienced
in TLS 1.3 and OpenSSL's internal workings can help me get unstuck.
My current (server-side only for now) implementation lives at [0]: the code is
pretty awful, incomplete and doesn't work yet. It will need a big clean-up at
some point, but I would like to get it to work first.
The status is that I can get it to generate the proper handshake keys and IVs,
but during record encryption the MAC generated is wrong. I think this is due
to the fact that the AEAD construction in 1.3 is different from the one in 1.2
[1] (note that I tried with both AES GCM and ChaCha20-Poly1305). Basically we'd
need to XOR the TLS record sequence number with the nonce on a per-record
basis.
It doesn't seem that the OpenSSL API allows me to provide a per-record nonce
(which would be needed here I think), but I'm hoping I can somehow work-around
this problem without having to introduce a whole new AEAD API (like the one
BoringSSL has).
Or maybe I'm just wrong and the problem is somewhere else... I'm kind of hoping
on that TBH :)
If any of you has a bit of time and is interested in TLS 1.3, please have a
look, any help would be appreciated.
Cheers
[0] https://github.com/ghedo/openssl/tree/tls1.3
[1] https://tlswg.github.io/tls13-spec/#rfc.section.5.2.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160508/a14ee414/attachment.sig>
More information about the openssl-dev
mailing list