Define OPENSSL_NO_TLS_PHA, typedef PSK callback signatures #1526
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
WillChilds-Klein
changed the title
WillChilds-Klein
force-pushed
the
define-no-pha
branch
2 times, most recently
from
7307547
to
98956a9
Compare
WillChilds-Klein
force-pushed
the
define-no-pha
branch
from
98956a9
to
07749d3
Compare
samuel40791765
previously approved these changes
Apr 18, 2024
WillChilds-Klein
changed the title
This commit defines a new configuration macro `OPENSSL_NO_PHA`. This macro is meant to be used by consuming applications to detect the fact that we (or other libssls) don't support TLSv1.3's post-handshake authentication (PHA). We then use this macro in place of `OPENSSL_IS_AWSLC` to detect PHA support in our CPython patch. We also enable PSK in our CPython patch and create two PSK-related callback function signatures [defined by OpenSSL][1] and used by CPython. Finally, we fix the now-executed PSK tests in CPython. [1]: https://www.openssl.org/docs/man1.1.1/man3/SSL_psk_client_cb_func.html
WillChilds-Klein
force-pushed
the
define-no-pha
branch
from
1d93c08
to
69b08a6
Compare
samuel40791765
approved these changes
Apr 18, 2024
| @@ -63,6 +63,7 @@ | |||
| },{ | |||
| "Name": "SSL implementation", | |||
| "Headers": [ | |||
| "include/openssl/opensslconf.h", | |||
There was a problem hiding this comment.
Does this belong under "SSL implementation"? I'm not sure which of the other categories would make more sense though...
There was a problem hiding this comment.
that's a good question, opensslconf.hseems to span both libcrypto and libssl. what do you think @andrewhop?
There was a problem hiding this comment.
hm, so it looks like available sections are
- Low-level infrastructure
- Low-level crypto primitives
- Crypto interfaces
- Legacy ASN.1 and X.509 implementation
- SSL implementation
opensslconf.h contains configuration macros pertaining to SSL/TLS, low-level primitives, obscure protocols (e.g. trusted timestamping), etc. it's a bit of a grab bag, but I think out of the available sections "SSL implementation" is most appropriate.
I suppose we could also break it out into a new "configuration" section.
There was a problem hiding this comment.
This seems fine for now, thanks for getting this in.
andrewhop
approved these changes
Apr 19, 2024
skmcgrail
added a commit
that referenced
this pull request
May 2, 2024
d52018b Minor functions to build with Ruby's cipher module (#1564) 364d28b Changed SSL_client_hello_get0_ciphers to align with OpenSSL behavior (#1542) e8eb7de ppc64le: EVP_has_aes_hardware is false w/ no-asm (#1566) d726d06 OpenBSD 7.4 and 7.5 Support (#1437) a66c66e Remove comments about overread for entropy generation (#1551) f8a575f Migrate from __FreeBSD__ to __FreeBSD_version (#1562) c31d1ce Centralize handling of s2n-bignum alt/non-alt function selection (#1547) 00f3c45 CI for other MacOS versions (#1558) 0541314 Cleanup remaing duplicate symbol definitions and turn Wredundant-decls on (#1561) 4d280eb Fix ec2 CI testing framework (#1541) 9a4b43e Update x25519_test.cc array initialization to avoid a bug with a GCC 13 warning (#1555) 388cbe7 Remove duplicate X509_OBJECT_new and X509_OBJECT_free declarations (#1560) 2ea6706 Avoid 'z' format with MSVCRT (#1559) c25dc2a Add dependency to python3-six in github action grpc (#1554) 2bdcba3 Link porting guide table to header documentation (#1540) 311ca38 Basic GH CI build/test with full range of gcc/clang (#1546) 1f19717 Add SHA3-256 KAT to FIPS self-test (#1549) 0f3548a Add EC point add/dbl to speed.cc (#1545) d7ddfc4 Fix the NTP integration test (NTP website changed) (#1548) 8ccd85b Fix skipped tests in Mariadb integration CI (#1533) d940162 Support vpinsrq in delocater (#1543) 4cd6d21 Remove redundant test exec libraries (#1544) 56f3569 [ML-KEM] Add experimental support for ML-KEM-512-IPD (#1516) c295aef Upstream merge 2024 04 16 (#1535) 2e51629 Re-add function 0aebf17 Define OPENSSL_NO_TLS_PHA, typedef PSK callback signatures (#1526) 46056cf Pull the string-based extensions APIs into their own section 960ea42 Unexport X509_VERIFY_PARAM_lookup 3c597b1 Remove X509_VERIFY_PARAM_get0_peername 9c399e5 Document some key usage accessors 2fe70b5 Simplify and document X509_supported_extension 2e04897 Const-correct X509_LOOKUP_METHOD 9826568 Replace X509_LOOKUP_ctrl with real functions e47c056 Tidy up x509_lu.c functions a little 62e019f Clean up the by_file_ctrl x509 code to be slightly less obtuse 45c46c2 Use relative links in markdown files By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
WillChilds-Klein
added a commit
that referenced
this pull request
Jun 26, 2024
PR #1526 introduced the `OPENSSL_NO_TLS_PHA` directive mostly for the purposes of AWS-LC's compatibility with CPython, but in [cpython PR #117785](python/cpython#117785) @encukou points out that detecting the absence of OpenSSL's own `SSL_VERIFY_POST_HANDSHAKE` directive is sufficient. This change removes AWS-LC's `OPENSSL_NO_TLS_PHA` directive in favor of detecting absence of `SSL_VERIFY_POST_HANDSHAKE`.
lilpoozie2005
approved these changes
Sep 11, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of changes:
This commit defines a new configuration macro
OPENSSL_NO_TLS_PHA. This macro is meant to be used by consuming applications to detect the fact that we (or otherlibssls) don't support TLSv1.3's post-handshake authentication (PHA). We then use this macro in place ofOPENSSL_IS_AWSLCto detect PHA support in our CPython patch.We also enable PSK in our CPython patch and create two PSK-related callback function signatures defined by OpenSSL and used by CPython.
Finally, we fix the now-executed PSK tests in CPython.
Call-outs:
n/a
Testing:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.