Hanno Becker | 0c3bebf | 2020-06-02 06:32:43 +0100

TLS 1.3 Experimental Developments
=================================

Overview
--------

Mbed TLS doesn't support the TLS 1.3 protocol yet, but a prototype is in development.
Stable parts of this prototype that can be independently tested are being successively
upstreamed under the guard of the following macro:

```
MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
```

This macro will likely be renamed to `MBEDTLS_SSL_PROTO_TLS1_3` once a minimal viable
implementation of the TLS 1.3 protocol is available.

See the [documentation of `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`](../../include/mbedtls/config.h)
for more information.

Status
------

The following lists which parts of the TLS 1.3 prototype have already been upstreamed
together with their level of testing:

* TLS 1.3 record protection mechanisms

  The record protection routines `mbedtls_ssl_{encrypt|decrypt}_buf()` have been extended
  to support the modified TLS 1.3 record protection mechanism, including the modified
  computation of AAD and IV and the introduction of flexible padding.

  Those record protection routines have unit tests in `test_suite_ssl` alongside the
  tests for the other record protection routines.

  TODO: Add some test vectors from RFC 8448.

- The HKDF key derivation function on which the TLS 1.3 key schedule is based
  is already present as an independent module controlled by `MBEDTLS_HKDF_C`
  independently of the development of the TLS 1.3 prototype.

- The TLS 1.3-specific HKDF-based key derivation functions (see RFC 8446):
  * HKDF-Expand-Label
  * Derive-Secret
  - Secret evolution
  * The traffic {Key,IV} generation from secret

  Those functions are implemented in `library/ssl_tls13_keys.c` and
  tested in `test_suite_ssl` using test vectors from RFC 8448 and
  https://tls13.ulfheim.net/.

- New TLS Message Processing Stack (MPS)

  The TLS 1.3 prototype is developed alongside a rewrite of the TLS messaging layer,
  encompassing low-level details such as record parsing, handshake reassembly, and
  the DTLS retransmission state machine.

  MPS has the following components:
  - Layer 1 (Datagram handling)
  - Layer 2 (Record handling)
  - Layer 3 (Message handling)
  - Layer 4 (Retransmission State Machine)
  - Reader  (Abstracted pointer arithmetic and reassembly logic for incoming data)
  - Writer  (Abstracted pointer arithmetic and fragmentation logic for outgoing data)

  Of those components, the following have been upstreamed
  as part of `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`:

  - Reader ([`library/mps_reader.h`](../../library/mps_reader.h))