Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add API method to get 'hypothetical' alerts #3171

Merged
merged 6 commits into from
Jan 22, 2022
Merged

Add API method to get 'hypothetical' alerts #3171

merged 6 commits into from
Jan 22, 2022

Conversation

lrstewart
Copy link
Contributor

@lrstewart lrstewart commented Jan 20, 2022
edited
Loading

Description of changes:

For extra security, s2n-tls sends generic close_notify alerts instead of specific TLS alerts.

However, some QUIC interop/compliance tests require specific alerts. Customers might also appreciate knowing what alert an error corresponds to, although alerts should generally be less specific than s2n-tls errors. Additionally, proving compliance with the TLS RFCs would be easier if we could enforce that a specific alert would be sent if we didn't just send a generic close_notify.

I added a new method to the s2n_quic_support APIs to "translate" connection errors into "protocol" / "hypothetical" TLS alerts. For now it mostly just returns internal_error, but we can add more mappings in the future and enforce that new protocol errors include a mapping.

Call-outs:

  • Should the new method handle all error types, or just S2N_ERR_T_PROTO? Technically only protocol errors should map to alerts. There's also already an existing "s2n_connection_get_alert" method that returns an alert sent by the peer, if it exists. However, forcing customers to branch on the error type to call different methods seems like a poor user experience, so I'd prefer if s2n handles the branching.

    • Also maybe worth noting that s2n-tls supporting QUIC will never actually receive an alert so should never have a S2N_ERR_T_ALERT error, since alerts are handled by QUIC instead of TLS.

  • Why not add all the alert mappings immediately? Our protocol errors are a bit of a mess. Some of the current protocol errors don't correspond to actual protocol errors / alerts and will need to be changed to internal errors. Additionally, some code will need to be changed to return different errors /alert in order to match the RFC. To keep this initial code change simple, I stuck to just the first two alerts that QUIC implementations are interested in.

Testing:

Added unit tests for the new API, as well as unit tests to demonstrate how we can enforce RFC alert requirements.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@dougch
Copy link
Contributor

dougch commented Jan 20, 2022

Benchmark report
No change in performance detected.

@lrstewart lrstewart marked this pull request as ready for review January 20, 2022 07:24
maddeleine
maddeleine reviewed Jan 20, 2022
View reviewed changes
tls/s2n_alerts.h Show resolved Hide resolved
tls/s2n_alerts.h
S2N_TLS_ALERT_CERTIFICATE_REQUIRED = 116,
S2N_TLS_ALERT_NO_APPLICATION_PROTOCOL = 120,
} s2n_tls_alert_code;

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some of the alerts didn't transfer over. Where did S2N_TLS_ALERT_DECOMP_FAILED go?

Copy link
Contributor Author

@lrstewart lrstewart Jan 21, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I only added the alerts as of TLS1.3. Some old alerts were dropped in TLS1.3. We can add them back if we need them, but they weren't previously being used.

tls/s2n_quic_support.h Outdated Show resolved Hide resolved
camshaft
camshaft reviewed Jan 20, 2022
View reviewed changes
tests/s2n_test.h
@@ -138,6 +139,15 @@ int test_count;
RESET_ERRNO(); \
} while(0)

#define EXPECT_FAILURE_WITH_ALERT( function_call, err, alert ) \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great idea!

tls/s2n_quic_support.h Outdated Show resolved Hide resolved
@dougch
Copy link
Contributor

dougch commented Jan 21, 2022

Benchmark report
No change in performance detected.

@angelonakos angelonakos mentioned this pull request Jan 21, 2022
Closed
@lrstewart lrstewart merged commit 662ae1d into aws:main Jan 22, 2022
@lrstewart lrstewart deleted the alerts branch January 22, 2022 00:23
dougch pushed a commit to dougch/s2n-tls that referenced this pull request Jan 28, 2022
@lrstewart @dougch
Add API method to translate errors to alerts (aws#3171)
9f973c0
dougch pushed a commit to dougch/s2n-tls that referenced this pull request Jan 28, 2022
@lrstewart @dougch
Add API method to translate errors to alerts (aws#3171)
efe8fbd
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@camshaft camshaft camshaft approved these changes

@maddeleine maddeleine maddeleine approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@lrstewart @dougch @camshaft @maddeleine