A Minimal TLS 1.3 Implementation in Go
Clone or download
Latest commit 93c51c6 Jul 15, 2018
Permalink
Failed to load latest commit information.
.circleci use test helper functions and sub tests Nov 9, 2017
bin Barnes's comments Feb 20, 2018
syntax @ekr comments Feb 23, 2018
LICENSE.md Correct year Feb 14, 2016
README.md Update README Mar 3, 2018
alert.go implement stateless resets Dec 6, 2017
alert_test.go implement stateless resets Dec 6, 2017
client-state-machine.go HRR with attempted 0-RTT works. Fixes #175 Mar 5, 2018
common.go Merge pull request #177 from ekr/enhance_dtls2 Mar 6, 2018
common_test.go gofmt -s Mar 4, 2018
conn.go Enforce packet boundaries Jul 14, 2018
conn_test.go Enforce packet boundaries Jul 14, 2018
cookie-protector.go rename the CookieSource to CookieProtector Dec 6, 2017
cookie-protector_test.go rename the CookieSource to CookieProtector Dec 6, 2017
crypto.go Make self-signed cert API Feb 18, 2018
crypto_test.go Multiple enhancements to support DTLS. Feb 23, 2018
dtls.go More comments from Richard Mar 4, 2018
extensions.go Barnes's review comments Dec 21, 2017
extensions_test.go Multiple enhancements to support DTLS. Feb 23, 2018
ffdhe.go Add finite-field DH Apr 2, 2016
frame-reader.go Multiple enhancements to support DTLS. Feb 23, 2018
frame-reader_test.go Multiple enhancements to support DTLS. Feb 23, 2018
fuzz_test.go Unhexlify Apr 29, 2017
handshake-layer.go Multiple enhancements to support DTLS. Feb 23, 2018
handshake-layer_test.go gofmt -s Mar 4, 2018
handshake-messages.go DTLS interop with NSS (Mint as Client) Jan 2, 2018
handshake-messages_test.go DTLS interop with NSS (Mint as Client) Jan 2, 2018
log.go Big refactor of the I/O discipline. The big change is that reading Jun 6, 2017
log_test.go Multiple enhancements to support DTLS. Feb 23, 2018
mint.svg Add a logo to the README Feb 19, 2016
negotiation.go Checkpoint Feb 27, 2018
negotiation_test.go Multiple enhancements to support DTLS. Feb 23, 2018
record-layer.go HRR with attempted 0-RTT works. Fixes #175 Mar 5, 2018
record-layer_test.go Checkpoint Feb 27, 2018
server-state-machine.go HRR with attempted 0-RTT works. Fixes #175 Mar 5, 2018
state-machine.go HRR with attempted 0-RTT works. Fixes #175 Mar 5, 2018
state-machine_test.go Checkpoint Feb 27, 2018
timer.go More comments from Richard Mar 4, 2018
tls.go DTLS interop with NSS (Mint as Client) Jan 2, 2018
tls_test.go Merge branch 'master' into no-default-selfsigned Feb 1, 2018

README.md

A lock with a mint leaf

mint - A Minimal TLS 1.3 stack

Build Status

This project is primarily a learning effort for me to understand the TLS 1.3 protocol. The goal is to arrive at a pretty complete implementation of TLS 1.3, with minimal, elegant code that demonstrates how things work. Testing is a priority to ensure correctness, but otherwise, the quality of the software engineering might not be at a level where it makes sense to integrate this with other libraries. Backward compatibility is not an objective.

We borrow liberally from the Go TLS library, especially where TLS 1.3 aligns with earlier TLS versions. However, unnecessary parts will be ruthlessly cut off.

DTLS Support

Mint has partial support for DTLS, but that support is not yet complete and may still contain serious defects.

Quickstart

Installation is the same as for any other Go package:

go get github.com/bifurcation/mint

The API is pretty much the same as for the TLS module, with Dial and Listen methods wrapping the underlying socket APIs.

conn, err := mint.Dial("tcp", "localhost:4430", &mint.Config{...})
...
listener, err := mint.Listen("tcp", "localhost:4430", &mint.Config{...})

Documentation is available on godoc.org

Interoperability testing

The mint-client and mint-server executables are included to make it easy to do basic interoperability tests with other TLS 1.3 implementations. The steps for testing against NSS are as follows.

# Install mint
go get github.com/bifurcation/mint

# Environment for NSS (you'll probably want a new directory)
NSS_ROOT=<whereever you want to put NSS>
mkdir $NSS_ROOT
cd $NSS_ROOT
export USE_64=1
export ENABLE_TLS_1_3=1
export HOST=localhost
export DOMSUF=localhost

# Build NSS
hg clone https://hg.mozilla.org/projects/nss
hg clone https://hg.mozilla.org/projects/nspr
cd nss
make nss_build_all

export PLATFORM=`cat $NSS_ROOT/dist/latest`
export DYLD_LIBRARY_PATH=$NSS_ROOT/dist/$PLATFORM/lib
export LD_LIBRARY_PATH=$NSS_ROOT/dist/$PLATFORM/lib

# Run NSS tests (this creates data for the server to use)
cd tests/ssl_gtests
./ssl_gtests.sh

# Test with client=mint server=NSS
cd $NSS_ROOT
./dist/$PLATFORM/bin/selfserv -d tests_results/security/$HOST.1/ssl_gtests/ -n rsa -p 4430
# if you get `NSS_Init failed.`, check the path above, particularly around $HOST
# ...
go run $GOPATH/src/github.com/bifurcation/mint/bin/mint-client/main.go

# Test with client=NSS server=mint
go run $GOPATH/src/github.com/bifurcation/mint/bin/mint-server/main.go
# ...
cd $NSS_ROOT
dist/$PLATFORM/bin/tstclnt -d tests_results/security/$HOST/ssl_gtests/ -V tls1.3:tls1.3 -h 127.0.0.1 -p 4430 -o