
Conversation

@skmcgrail skmcgrail commented Sep 9, 2025

Description of changes:

This is being done in order to make it more seamless to migrate from the 3.x to the future 4.x release and incorporate the serialization improvements.

This change does not impact the FIPS module boundary.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

samuel40791765 and others added 3 commits September 9, 2025 19:25
    `previous_client_finished` has to grow past 12 since it's also used for
    1.3 now. This breaks the original SSL Transfer assumption and we'll have
    to bump the version while adding corresponding logic to account for the
    updated size. I've regenerated the SSL Transfer bytes for the round trip
    tests and also added a test for that as well. We're not bumping the
    version number here since it's a pretty minuscule change. This doesn't
    break compatibility with us parsing older versions of AWS-LC SSL
    Transfers, but older versions of AWS-LC won't be able to parse the new
    version.

(cherry picked from commit fa1c6c0)
Addresses CryptoAlg-3221, CryptoAlg-3220, CryptoAlg-3219,
CryptoAlg-3218, CryptoAlg-3217, CryptoAlg-3216, CryptoAlg-3215,
CryptoAlg-3214, CryptoAlg-3212, CryptoAlg-3211

This pull request addresses and improves the experimental TLS transfer
serialization feature. It primarily focuses on the performance of restored
connections for the SSLBuffer by improving the serialization format, and
hardens the checking of the data structures on deserialization.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

(cherry picked from commit 26da017)
Static analysis actually found something where the same condition was
being checked twice.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

(cherry picked from commit 6457caf)
@skmcgrail skmcgrail requested a review from a team as a code owner September 9, 2025 20:20
@codecov-commenter

Codecov Report

❌ Patch coverage is 69.29348% with 113 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.58%. Comparing base (c9723d6) to head (16e918e).

Files with missing lines      Patch %    Lines
ssl/ssl_buffer.cc             54.78%     104 Missing
ssl/ssl_transfer_asn1.cc      90.00%     9 Missing
Additional details and impacted files
@@                 Coverage Diff                 @@
##           fips-2024-09-27    #2672      +/-   ##
===================================================
- Coverage            78.63%   78.58%   -0.06%     
===================================================
  Files                  585      585              
  Lines               100745   101021     +276     
  Branches             14275    14310      +35     
===================================================
+ Hits                 79222    79388     +166     
- Misses               20886    20998     +112     
+ Partials               637      635       -2     


Curl is setting a buffer size larger than the maximum buffer length that
AWS-LC allows. `0x401e * 4` is inherently `65656`, which is larger than
the allowed `65535` and AWS-LC directly uses the largest size available
(`65535`) if the consuming application sets a value larger than that.
This limitation is due to a buffer size we inherited from upstream.

I've tested against the test that was failing for curl and the test
seems to pass now (for all instances I've run it). Running `pytest -n
auto -v ./http/test_10_proxy.py::TestProxy::test_10_08_upload_seq_large
-rA` had been failing 5/10 times prior to this change and it passes
every time that I run it now.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

(cherry picked from commit 78ada21)
@skmcgrail skmcgrail merged commit fcd86b8 into aws:fips-2024-09-27 Sep 10, 2025
77 of 110 checks passed
@skmcgrail skmcgrail deleted the cherry-pick-fips-2024-09-27 branch September 10, 2025 19:16