1TLS 1.3 Experimental Developments 2================================= 3 4Overview 5-------- 6 7Mbed TLS doesn't support the TLS 1.3 protocol yet, but a prototype is in development. 8Stable parts of this prototype that can be independently tested are being successively 9upstreamed under the guard of the following macro: 10 11``` 12MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL 13``` 14 15This macro will likely be renamed to `MBEDTLS_SSL_PROTO_TLS1_3` once a minimal viable 16implementation of the TLS 1.3 protocol is available. 17 18See the [documentation of `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`](../../include/mbedtls/config.h) 19for more information. 20 21Status 22------ 23 24The following lists which parts of the TLS 1.3 prototype have already been upstreamed 25together with their level of testing: 26 27* TLS 1.3 record protection mechanisms 28 29 The record protection routines `mbedtls_ssl_{encrypt|decrypt}_buf()` have been extended 30 to support the modified TLS 1.3 record protection mechanism, including modified computation 31 of AAD, IV, and the introduction of a flexible padding. 32 33 Those record protection routines have unit tests in `test_suite_ssl` alongside the 34 tests for the other record protection routines. 35 36 TODO: Add some test vectors from RFC 8448. 37 38- The HKDF key derivation function on which the TLS 1.3 key schedule is based, 39 is already present as an independent module controlled by `MBEDTLS_HKDF_C` 40 independently of the development of the TLS 1.3 prototype. 41 42- The TLS 1.3-specific HKDF-based key derivation functions (see RFC 8446): 43 * HKDF-Expand-Label 44 * Derive-Secret 45 - Secret evolution 46 * The traffic {Key,IV} generation from secret 47 Those functions are implemented in `library/ssl_tls13_keys.c` and 48 tested in `test_suite_ssl` using test vectors from RFC 8448 and 49 https://tls13.ulfheim.net/. 50 51- New TLS Message Processing Stack (MPS) 52 53 The TLS 1.3 prototype is developed alongside a rewrite of the TLS messaging layer, 54 encompassing low-level details such as record parsing, handshake reassembly, and 55 DTLS retransmission state machine. 56 57 MPS has the following components: 58 - Layer 1 (Datagram handling) 59 - Layer 2 (Record handling) 60 - Layer 3 (Message handling) 61 - Layer 4 (Retransmission State Machine) 62 - Reader (Abstracted pointer arithmetic and reassembly logic for incoming data) 63 - Writer (Abstracted pointer arithmetic and fragmentation logic for outgoing data) 64 65 Of those components, the following have been upstreamed 66 as part of `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`: 67 68 - Reader ([`library/mps_reader.h`](../../library/mps_reader.h)) 69