I know that I'm probably getting way ahead of myself here, but I thought it
would be interesting to start looking into adding TLS 1.3 support to OpenSSL
(for post 1.1.0 of course).
Unfortunately I didn't get very far, so I'm hoping someone more experienced
in TLS 1.3 and OpenSSL's internal workings can help me get unstuck.
My current (server-side only for now) implementation lives at : the code is
pretty awful, incomplete and doesn't work yet. It will need a big clean-up at
some point, but I would like to get it to work first.
The status is that I can get it to generate the proper handshake keys and IVs,
but during record encryption the MAC generated is wrong. I think this is due
to the fact that the AEAD construction in 1.3 is different from the one in 1.2
(note that I tried with both AES GCM and ChaCha20-Poly1305). Basically we'd
need to XOR the TLS record sequence number with the nonce on a per-record
It doesn't seem that the OpenSSL API allows me to provide a per-record nonce
(which would be needed here I think), but I'm hoping I can somehow work around
this problem without having to introduce a whole new AEAD API (like the one
Or maybe I'm just wrong and the problem is somewhere else... I'm kind of hoping
for that TBH :)
If any of you has a bit of time and is interested in TLS 1.3, please have a
look, any help would be appreciated.
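The per-record nonce construction the post describes, as an added example that is not part of the original message or of OpenSSL's code: it follows RFC 8446 (the XOR-with-padded-sequence-number rule is the one the draft-era text describes; the record-header additional data shown is the final RFC's, which the drafts of the time may have defined differently). The IV bytes are a constructed sample, not key-schedule output.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS13_IV_LEN 12 /* AES-GCM and ChaCha20-Poly1305 both take a 12-byte IV in TLS 1.3 */

/* Per-record nonce (RFC 8446, section 5.3): left-pad the 64-bit record
 * sequence number with zeros to iv_len bytes and XOR it into the static
 * write IV. The sequence number must never wrap; rekey before 2^64 - 1.
 * Returns 0 if iv_len is too short to hold the sequence number. */
int tls13_record_nonce(const uint8_t *iv, size_t iv_len, uint64_t seq,
                       uint8_t *nonce_out)
{
    if (iv_len < 8)
        return 0;
    memcpy(nonce_out, iv, iv_len);
    for (int i = 0; i < 8; i++)
        nonce_out[iv_len - 1 - i] ^= (uint8_t)(seq >> (8 * i));
    return 1;
}

/* Additional data for the AEAD (RFC 8446, section 5.2): the 5-byte record
 * header, i.e. opaque_type 23 (application_data), legacy_record_version
 * 0x0303 and the ciphertext length, which includes the 16-byte tag. */
void tls13_record_aad(uint16_t ciphertext_len, uint8_t aad_out[5])
{
    aad_out[0] = 23;
    aad_out[1] = 0x03;
    aad_out[2] = 0x03;
    aad_out[3] = (uint8_t)(ciphertext_len >> 8);
    aad_out[4] = (uint8_t)ciphertext_len;
}

int main(void)
{
    /* Constructed sample IV, not real key-schedule output. */
    const uint8_t iv[TLS13_IV_LEN] = {0,1,2,3,4,5,6,7,8,9,10,11};
    uint8_t nonce[TLS13_IV_LEN], aad[5];
    tls13_record_nonce(iv, sizeof iv, 0x0102, nonce);
    tls13_record_aad(0x0123, aad);
    for (size_t i = 0; i < sizeof nonce; i++) printf("%02x", nonce[i]);
    printf(" / aad ");
    for (size_t i = 0; i < sizeof aad; i++) printf("%02x", aad[i]);
    printf("\n"); /* prints 000102030405060708090b09 / aad 1703030123 */
    return 0;
}
```

The 12-byte result is what the AEAD would be given as its IV for each record, with the 5-byte header as the associated data; only the low bytes change from record to record, so the static IV is never reused with the same sequence number under one key.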
On Sun, May 08, 2016 at 12:15:56PM +0100, Alessandro Ghedini wrote:
> I know that I'm probably getting way ahead of myself here, but I thought it
> would be interesting to start looking into adding TLS 1.3 support to OpenSSL
> (for post 1.1.0 of course).
Even after 1.1.0, TLS 1.3 might not be the highest priority item
on the list. We still need to introduce a suitable read/write
buffer abstraction into OpenSSL and migrate all the code that
serializes and de-serializes data from pointer-arithmetic to
read, write, peek, rewind, clear, ...
operations on suitably abstracted "buffer with offset" objects.
In particular, the ASN.1 code needs to be updated to use safe buffer
management, and the SSL code needs to use a safe buffer API for
both reads and writes. More bits of libcrypto are likely in scope,
for example EVP.
Though much cleanup has already taken place in 1.1.0, we still need
to do more, and I would prefer to see TLS 1.3 rest on more solid