Hello everyone,

I know that I'm probably getting way ahead of myself here, but I thought it
would be interesting to start looking into adding TLS 1.3 support to OpenSSL
(for post 1.1.0 of course).

Unfortunately I didn't get very far, so I'm hoping someone more experienced
in TLS 1.3 and OpenSSL's internal workings can help me get unstuck.

My current (server-side only for now) implementation lives at [0]: the code is
pretty awful, incomplete and doesn't work yet. It will need a big clean-up at
some point, but I would like to get it to work first.

The status is that I can get it to generate the proper handshake keys and IVs,
but during record encryption the MAC generated is wrong. I think this is due
to the fact that the AEAD construction in 1.3 is different from the one in 1.2
[1] (note that I tried with both AES GCM and ChaCha20-Poly1305). Basically we'd
need to XOR the TLS record sequence number with the nonce on a per-record
basis.

It doesn't seem that the OpenSSL API allows me to provide a per-record nonce
(which would be needed here I think), but I'm hoping I can somehow work-around
this problem without having to introduce a whole new AEAD API (like the one
BoringSSL has).

Or maybe I'm just wrong and the problem is somewhere else... I'm kind of hoping
on that TBH :)

If any of you has a bit of time and is interested in TLS 1.3, please have a
look, any help would be appreciated.

Cheers

[0] https://github.com/ghedo/openssl/tree/tls1.3
[1] https://tlswg.github.io/tls13-spec/#rfc.section.5.2.2

Attachment: signature.asc
Description: PGP signature

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Reply via email to