TLSv1.3


TLSv1.3

Alessandro Ghedini
Hello everyone,

I know that I'm probably getting way ahead of myself here, but I thought it
would be interesting to start looking into adding TLS 1.3 support to OpenSSL
(for post 1.1.0 of course).

Unfortunately I didn't get very far, so I'm hoping someone more experienced
in TLS 1.3 and OpenSSL's internal workings can help me get unstuck.

My current (server-side only for now) implementation lives at [0]: the code is
pretty awful, incomplete and doesn't work yet. It will need a big clean-up at
some point, but I would like to get it to work first.

The status is that I can get it to generate the proper handshake keys and IVs,
but during record encryption the MAC generated is wrong. I think this is due
to the fact that the AEAD construction in 1.3 is different from the one in 1.2
[1] (note that I tried with both AES GCM and ChaCha20-Poly1305). Basically we'd
need to XOR the TLS record sequence number with the nonce on a per-record
basis.

It doesn't seem that the OpenSSL API allows me to provide a per-record nonce
(which would be needed here I think), but I'm hoping I can somehow work around
this problem without having to introduce a whole new AEAD API (like the one
BoringSSL has).

Or maybe I'm just wrong and the problem is somewhere else... I'm kind of hoping
on that TBH :)

If any of you has a bit of time and is interested in TLS 1.3, please have a
look, any help would be appreciated.

Cheers

[0] https://github.com/ghedo/openssl/tree/tls1.3
[1] https://tlswg.github.io/tls13-spec/#rfc.section.5.2.2

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
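The nonce construction the post describes (XOR the 64-bit record sequence number into the static IV, per record, with the sequence number never sent on the wire) is shown below as an added example. It is not code from the thread, from the linked branch, or from OpenSSL; it is plain C with no OpenSSL dependency, and the TLS 1.2 GCM nonce builder is included only to make the contrast concrete. The IV bytes and sequence numbers used in the self-check are constructed values, not RFC test vectors.

```c
/* Added example (not from the thread or from OpenSSL): per-record AEAD nonce
 * construction for TLS 1.3, with the TLS 1.2 GCM layout for contrast. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS13_IV_LEN 12  /* AES-GCM and ChaCha20-Poly1305 both take a 96-bit nonce */

/* TLS 1.3: nonce = static_iv XOR (seq left-padded with zeros to iv_len bytes,
 * big-endian). The sequence number is implicit; nothing extra goes on the wire.
 * Returns 0 on success, -1 if iv_len cannot hold the 64-bit sequence number. */
int tls13_record_nonce(const uint8_t *iv, size_t iv_len, uint64_t seq,
                       uint8_t *nonce_out)
{
    if (iv_len < 8)
        return -1;
    memcpy(nonce_out, iv, iv_len);
    /* XOR the 8 sequence bytes into the rightmost 8 bytes of the IV. */
    for (size_t i = 0; i < 8; i++)
        nonce_out[iv_len - 1 - i] ^= (uint8_t)(seq >> (8 * i));
    return 0;
}

/* TLS 1.2 AES-GCM for contrast: nonce = 4-byte implicit salt (from the key
 * block) || 8-byte explicit part carried in the record itself. */
void tls12_gcm_nonce(const uint8_t salt[4], const uint8_t explicit_part[8],
                     uint8_t nonce_out[12])
{
    memcpy(nonce_out, salt, 4);
    memcpy(nonce_out + 4, explicit_part, 8);
}

/* Advance the record sequence number. Refuses to wrap: a repeated nonce under
 * the same key is catastrophic for GCM and Poly1305, so the connection must
 * rekey or close before this ever returns -1. */
int tls13_seq_increment(uint64_t *seq)
{
    if (*seq == UINT64_MAX)
        return -1;
    (*seq)++;
    return 0;
}

/* Known-answer self-check on constructed values (not RFC vectors).
 * Returns 1 when every check passes, 0 otherwise. */
int tls13_nonce_selftest(void)
{
    const uint8_t iv[TLS13_IV_LEN] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05,
                                      0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b};
    uint8_t n0[TLS13_IV_LEN], n1[TLS13_IV_LEN], n2[TLS13_IV_LEN];

    /* seq 0: the nonce is exactly the static IV. */
    if (tls13_record_nonce(iv, sizeof iv, 0, n0) != 0 ||
        memcmp(n0, iv, sizeof iv) != 0)
        return 0;
    /* seq 0x0102 touches only the two low-order bytes: 0x0a^0x01, 0x0b^0x02. */
    if (tls13_record_nonce(iv, sizeof iv, 0x0102, n1) != 0)
        return 0;
    if (memcmp(n1, iv, 10) != 0 || n1[10] != 0x0b || n1[11] != 0x09)
        return 0;
    /* Different records must never share a nonce. */
    if (tls13_record_nonce(iv, sizeof iv, 1, n2) != 0 ||
        memcmp(n1, n2, sizeof iv) == 0)
        return 0;
    /* An IV shorter than the sequence number is rejected. */
    if (tls13_record_nonce(iv, 4, 1, n2) != -1)
        return 0;
    return 1;
}

static void hexdump(const char *label, const uint8_t *p, size_t n)
{
    printf("%s", label);
    for (size_t i = 0; i < n; i++)
        printf("%02x", p[i]);
    printf("\n");
}

int main(void)
{
    /* Constructed static IV; a real one comes from the traffic secret via HKDF. */
    const uint8_t iv[TLS13_IV_LEN] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05,
                                      0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b};
    uint8_t nonce[TLS13_IV_LEN];
    uint64_t seq = 0;

    for (int rec = 0; rec < 3; rec++) {
        tls13_record_nonce(iv, sizeof iv, seq, nonce);
        hexdump("record nonce: ", nonce, sizeof iv);
        tls13_seq_increment(&seq);
    }
    printf("selftest: %s\n", tls13_nonce_selftest() ? "ok" : "FAIL");
    return 0;
}
```

The 12 bytes produced by `tls13_record_nonce` are what the record layer would hand to the cipher as the IV for that one record; the assumption here is that an implementation re-initialises the IV on the existing cipher context before each record rather than relying on the cipher to generate one. The wrap check in `tls13_seq_increment` is the part worth keeping even in a prototype: an XORed counter that silently wraps reuses a nonce under the same key, and for both AES-GCM and ChaCha20-Poly1305 that is a complete loss of confidentiality and integrity, not a degraded mode.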


Re: TLSv1.3

Salz, Rich
This is cool.

I think lots of things will be broken for TLS 1.3, but haven't looked at implementation at all.  And "early data" will mean API changes, although I'm fine if that doesn't happen in the first release :)

Good luck :)

Re: TLSv1.3

Viktor Dukhovni
On Sun, May 08, 2016 at 12:15:56PM +0100, Alessandro Ghedini wrote:

> I know that I'm probably getting way ahead of myself here, but I thought it
> would be interesting to start looking into adding TLS 1.3 support to OpenSSL
> (for post 1.1.0 of course).

Even after 1.1.0, TLS 1.3 might not be the highest priority item
on the list.  We still need to introduce a suitable read/write
buffer abstraction into OpenSSL and migrate all the code that
serializes and de-serializes data from pointer-arithmetic to

        read, write, peek, rewind, clear, ...

operations on suitably abstracted "buffer with offset" objects.

In particular, the ASN.1 code needs to be updated to use safe buffer
management, and the SSL code needs to use a safe buffer API for
both reads and writes.  More bits of libcrypto are likely in scope,
for example EVP.

Though much cleanup has already taken place in 1.1.0, we still need
to do more, and I would prefer to see TLS 1.3 rest on more solid
foundations.

--
        Viktor.