TLS 1.3 Experimental Developments ================================= Overview -------- Mbed TLS doesn't support the TLS 1.3 protocol yet, but a prototype is in development. Stable parts of this prototype that can be independently tested are being successively upstreamed under the guard of the following macro: ``` MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ``` This macro will likely be renamed to `MBEDTLS_SSL_PROTO_TLS1_3` once a minimal viable implementation of the TLS 1.3 protocol is available. See the [documentation of `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`](../../include/mbedtls/config.h) for more information. Status ------ The following lists which parts of the TLS 1.3 prototype have already been upstreamed together with their level of testing: * TLS 1.3 record protection mechanisms The record protection routines `mbedtls_ssl_{encrypt|decrypt}_buf()` have been extended to support the modified TLS 1.3 record protection mechanism, including modified computation of AAD, IV, and the introduction of a flexible padding. Those record protection routines have unit tests in `test_suite_ssl` alongside the tests for the other record protection routines. TODO: Add some test vectors from RFC 8448. - The HKDF key derivation function on which the TLS 1.3 key schedule is based, is already present as an independent module controlled by `MBEDTLS_HKDF_C` independently of the development of the TLS 1.3 prototype. - The TLS 1.3-specific HKDF-based key derivation functions (see RFC 8446): * HKDF-Expand-Label * Derive-Secret - Secret evolution * The traffic {Key,IV} generation from secret Those functions are implemented in `library/ssl_tls13_keys.c` and tested in `test_suite_ssl` using test vectors from RFC 8448 and https://tls13.ulfheim.net/.