mbedtls/docs/architecture/tls13-experimental.md

TLS 1.3 Experimental Developments
=================================

Overview
--------

Mbed TLS doesn't support the TLS 1.3 protocol yet, but a prototype is in development.
Stable parts of this prototype that can be independently tested are being successively
upstreamed under the guard of the following macro:

```
MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
```

This macro will likely be renamed to `MBEDTLS_SSL_PROTO_TLS1_3` once a minimal viable
implementation of the TLS 1.3 protocol is available.

See the [documentation of `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`](../../include/mbedtls/config.h)
for more information.

Status
------

The following lists which parts of the TLS 1.3 prototype have already been upstreamed
together with their level of testing:

* TLS 1.3 record protection mechanisms

  The record protection routines `mbedtls_ssl_{encrypt|decrypt}_buf()` have been extended
  to support the modified TLS 1.3 record protection mechanism, including modified computation
  of AAD, IV, and the introduction of a flexible padding.

  Those record protection routines have unit tests in `test_suite_ssl` alongside the
  tests for the other record protection routines.

  TODO: Add some test vectors from RFC 8448.

- The HKDF key derivation function on which the TLS 1.3 key schedule is based,
  is already present as an independent module controlled by `MBEDTLS_HKDF_C`
  independently of the development of the TLS 1.3 prototype.

- The TLS 1.3-specific HKDF-based key derivation functions (see RFC 8446):
  * HKDF-Expand-Label
  * Derive-Secret
  - Secret evolution
  * The traffic {Key,IV} generation from secret
  Those functions are implemented in `library/ssl_tls13_keys.c` and
  tested in `test_suite_ssl` using test vectors from RFC 8448 and
  https://tls13.ulfheim.net/.
Fix typo in header of TLS 1.3 experimental features document Signed-off-by: Hanno Becker <hanno.becker@arm.com> 2020-06-02 05:32:43 +00:00			`TLS 1.3 Experimental Developments`
Add documentation on state of upstreaming of TLS 1.3 prototype Signed-off-by: Hanno Becker <hanno.becker@arm.com> 2020-05-31 06:39:50 +00:00			`=================================`

			`Overview`
			`--------`

			`Mbed TLS doesn't support the TLS 1.3 protocol yet, but a prototype is in development.`
			`Stable parts of this prototype that can be independently tested are being successively`
			`upstreamed under the guard of the following macro:`

			```
			`MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`
			```

			This macro will likely be renamed to `MBEDTLS_SSL_PROTO_TLS1_3` once a minimal viable
			`implementation of the TLS 1.3 protocol is available.`

			See the [documentation of `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`](../../include/mbedtls/config.h)
			`for more information.`

			`Status`
			`------`

			`The following lists which parts of the TLS 1.3 prototype have already been upstreamed`
			`together with their level of testing:`

			`* TLS 1.3 record protection mechanisms`

			The record protection routines `mbedtls_ssl_{encrypt\|decrypt}_buf()` have been extended
			`to support the modified TLS 1.3 record protection mechanism, including modified computation`
			`of AAD, IV, and the introduction of a flexible padding.`

			Those record protection routines have unit tests in `test_suite_ssl` alongside the
			`tests for the other record protection routines.`

			`TODO: Add some test vectors from RFC 8448.`
Mention HKDF in TLS 1.3 feature document Signed-off-by: Hanno Becker <hanno.becker@arm.com> 2020-06-02 05:33:00 +00:00
			`- The HKDF key derivation function on which the TLS 1.3 key schedule is based,`
			is already present as an independent module controlled by `MBEDTLS_HKDF_C`
			`independently of the development of the TLS 1.3 prototype.`
Update state of TLS 1.3 functionality in architecture document Signed-off-by: Hanno Becker <hanno.becker@arm.com> 2020-08-10 16:00:19 +00:00
			`- The TLS 1.3-specific HKDF-based key derivation functions (see RFC 8446):`
			`* HKDF-Expand-Label`
			`* Derive-Secret`
			`- Secret evolution`
			`* The traffic {Key,IV} generation from secret`
			Those functions are implemented in `library/ssl_tls13_keys.c` and
			tested in `test_suite_ssl` using test vectors from RFC 8448 and
			`https://tls13.ulfheim.net/.`