Hello everyone, I know that I'm probably getting way ahead of myself here, but I thought it would be interesting to start looking into adding TLS 1.3 support to OpenSSL (for post 1.1.0 of course).
Unfortunately I didn't get very far, so I'm hoping someone more experienced in TLS 1.3 and OpenSSL's internal workings can help me get unstuck. My current (server-side only for now) implementation lives at [0]: the code is pretty awful, incomplete and doesn't work yet. It will need a big clean-up at some point, but I would like to get it to work first.

The status is that I can get it to generate the proper handshake keys and IVs, but during record encryption the MAC generated is wrong. I think this is due to the fact that the AEAD construction in 1.3 is different from the one in 1.2 [1] (note that I tried with both AES GCM and ChaCha20-Poly1305). Basically we'd need to XOR the TLS record sequence number with the nonce on a per-record basis. It doesn't seem that the OpenSSL API allows me to provide a per-record nonce (which would be needed here I think), but I'm hoping I can somehow work around this problem without having to introduce a whole new AEAD API (like the one BoringSSL has). Or maybe I'm just wrong and the problem is somewhere else... I'm kind of hoping for that TBH :)

If any of you has a bit of time and is interested in TLS 1.3, please have a look, any help would be appreciated.

Cheers

[0] https://github.com/ghedo/openssl/tree/tls1.3
[1] https://tlswg.github.io/tls13-spec/#rfc.section.5.2.2
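The per-record nonce construction the post refers to, as an added example that is not part of the original message or of the linked branch: it builds the TLS 1.3 nonce (write IV XOR left-padded sequence number, RFC 8446 section 5.3) and the matching additional data and inner plaintext, next to the TLS 1.2 AES-GCM salt-plus-explicit-nonce form for contrast. The write IV and salt values used are constructed samples, not key material from the page.

```python
import struct

TLS13_IV_LEN = 12          # AES-GCM and ChaCha20-Poly1305 both use a 96-bit nonce in TLS 1.3
MAX_SEQ = 2**64 - 1        # 64-bit per-direction record sequence number

def tls13_nonce(write_iv: bytes, seq: int) -> bytes:
    """RFC 8446 5.3: pad seq to the IV length with leading zeros, then XOR it with the write IV."""
    if len(write_iv) != TLS13_IV_LEN:
        raise ValueError("TLS 1.3 write_iv must be 12 bytes")
    if not 0 <= seq <= MAX_SEQ:
        raise ValueError("sequence number out of range")
    padded_seq = seq.to_bytes(TLS13_IV_LEN, "big")
    return bytes(a ^ b for a, b in zip(write_iv, padded_seq))

def tls13_aad(ciphertext_len: int) -> bytes:
    """RFC 8446 5.2: AAD is the TLSCiphertext header: opaque_type(23) || legacy_version(0x0303) || length."""
    return struct.pack("!BHH", 23, 0x0303, ciphertext_len)

def tls13_inner_plaintext(content: bytes, content_type: int, padding: int = 0) -> bytes:
    """TLSInnerPlaintext: content || real content type || zero padding (the type is hidden by encryption)."""
    return content + bytes([content_type]) + b"\x00" * padding

def tls12_gcm_nonce(salt: bytes, seq: int) -> bytes:
    """RFC 5288: 4-byte implicit salt || 8-byte explicit nonce that is sent on the wire (commonly the seq)."""
    return salt + struct.pack("!Q", seq)

def tls12_aad(seq: int, content_type: int, version: int, plaintext_len: int) -> bytes:
    """TLS 1.2 AAD: seq_num || type || version || length of the plaintext (not the ciphertext)."""
    return struct.pack("!QBHH", seq, content_type, version, plaintext_len)

class Tls13WriteState:
    """Tracks one direction's sequence number so that every record gets a fresh nonce."""
    TAG_LEN = 16  # AES-GCM and ChaCha20-Poly1305 tag length
    def __init__(self, write_iv: bytes):
        self.write_iv, self.seq = write_iv, 0
    def next_record(self, content: bytes, content_type: int = 23, padding: int = 0):
        """Return (nonce, aad, inner_plaintext) for the next record and advance the sequence number."""
        if self.seq == MAX_SEQ:
            raise RuntimeError("sequence number would wrap: re-key (KeyUpdate) before sending more records")
        inner = tls13_inner_plaintext(content, content_type, padding)
        nonce = tls13_nonce(self.write_iv, self.seq)
        aad = tls13_aad(len(inner) + self.TAG_LEN)
        self.seq += 1
        return nonce, aad, inner
```

Feed the returned nonce, aad and inner plaintext to the AEAD for each record; the AAD stays constant for same-sized records while the nonce changes with every sequence number.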
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev