Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ktls: add TLS1.3 support #4314

Merged
merged 6 commits into from
Dec 12, 2023
Merged

ktls: add TLS1.3 support #4314

merged 6 commits into from
Dec 12, 2023

Conversation

lrstewart
Copy link
Contributor

@lrstewart lrstewart commented Dec 6, 2023
edited
Loading

Resolved issues:

Related to #3711

Description of changes:

Adds minimal support for TLS1.3 in ktls by deriving the key using the TLS1.3 method and configuring AES according to the TLS1.3 rules.

Call-outs:

This PR does NOT enable TLS1.3 support outside of testing. Because of KeyUpdates, TLS1.3 with ktls is more risky than TLS1.2 with ktls, so we might want a new config method added to the unstable API to explicitly enable it.

This PR does NOT add support for KeyUpdate or key limits. We can't update the keys without a kernel patch. However, we can fail more explicitly when a KeyUpdate is encountered, and we can probably enforce estimates of key limits. Those improvements will be made in a follow-up PR.

Testing:

The self-talk tests using TLS1.3 pass, proving that we've configuring the keys and ivs correctly.
I tested that the updated feature probe fails in both cmake and make if I change TLS_1_3_VERSION to TLS_1_4_VERSION.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Dec 6, 2023
@lrstewart lrstewart marked this pull request as ready for review December 6, 2023 23:42
camshaft
camshaft requested changes Dec 11, 2023
View reviewed changes
Copy link
Contributor

@camshaft camshaft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TLS_1_3_VERSION needs a feature probe, just to make sure it's there (probably a good idea to check for TLS_1_2_VERSION as well).

goatgoose
goatgoose reviewed Dec 11, 2023
View reviewed changes
crypto/s2n_aead_cipher_aes_gcm.c Show resolved Hide resolved
crypto/s2n_aead_cipher_aes_gcm.c Outdated Show resolved Hide resolved
crypto/s2n_aead_cipher_aes_gcm.c Outdated Show resolved Hide resolved
tls/s2n_ktls.c Show resolved Hide resolved
@lrstewart lrstewart enabled auto-merge (squash) December 12, 2023 17:25
@lrstewart lrstewart merged commit 0fb3769 into aws:main Dec 12, 2023
28 checks passed
@lrstewart lrstewart deleted the ktls_tls13_1 branch December 12, 2023 19:23
@BrewTestBot BrewTestBot mentioned this pull request Dec 22, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@camshaft camshaft camshaft approved these changes

@goatgoose goatgoose goatgoose approved these changes

Assignees
No one assigned
Labels
s2n-core team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@lrstewart @camshaft @goatgoose