Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Actually add support for SSL_get_server/peer_tmp_key #1945

Merged
merged 2 commits into from
Nov 5, 2024

Conversation

samuel40791765
Copy link
Contributor

@samuel40791765 samuel40791765 commented Oct 23, 2024

Issues:

Addresses CryptoAlg-2699

Description of changes:

Ruby has a dependency on SSL_get_server_tmp_key which we've exposed as a no-op in the past. Ruby has a couple of tests that expect the function to actually return a value however, which means we'll have to actually support this.
The relevant information about the server key was saved in a tmp structure in SSL3_STATE (originally ssl3_state_st in OpenSSL). This tmp structure has been removed by Boring, with its contents moved either to SSL_HANDSHAKE or the state machine. peer_key seems to contain the relevant information we want and it's been moved to SSL_HANDSHAKE in this case. The issue is any information in SSL_HANDSHAKE is shed immediately after the connection has been established and the contents of peer_key is shed along with it. We may have to revert parts of a4c8ff0 to move the field back into SSL3_STATE so we can access the field.
Laster versions of OpenSSL have changed this to an alias to SSL_get_peer_tmp_key which means you can retrieve the client’s key if you’re the server and vice versa (openssl/openssl@a51c9f6). This causes SSL_get_server_tmp_key to have very confusing behavior where you actually retrieve the client's key when you're a server, but Ruby already has tests that's somewhat dependent on the SSL_get_peer_tmp_key behavior.

Testing:

Test that tries retrieving a X25519 or EC_KEY based on the connection for each TLS version.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@samuel40791765 samuel40791765 changed the title Actually add support for SSL_get_server_tmp_key Actually add support for SSL_get_server/peer_tmp_key Oct 24, 2024
@samuel40791765 samuel40791765 force-pushed the ssl-tmp-key branch 3 times, most recently from b77388c to 9f5a08f Compare October 24, 2024 19:10
@samuel40791765 samuel40791765 marked this pull request as ready for review October 24, 2024 19:11
@samuel40791765 samuel40791765 requested a review from a team as a code owner October 24, 2024 19:11
@codecov-commenter
Copy link

codecov-commenter commented Oct 24, 2024

Codecov Report

Attention: Patch coverage is 83.05085% with 10 lines in your changes missing coverage. Please review.

Project coverage is 78.77%. Comparing base (48a4057) to head (efb7969).

Files with missing lines Patch % Lines
ssl/ssl_lib.cc 67.85% 9 Missing ⚠️
ssl/ssl_key_share.cc 85.71% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1945      +/-   ##
==========================================
+ Coverage   78.73%   78.77%   +0.04%     
==========================================
  Files         590      590              
  Lines      101428   101476      +48     
  Branches    14384    14395      +11     
==========================================
+ Hits        79856    79935      +79     
+ Misses      20935    20906      -29     
+ Partials      637      635       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

ssl/ssl_lib.cc Show resolved Hide resolved
ssl/ssl_test.cc Show resolved Hide resolved
ssl/ssl_key_share.cc Show resolved Hide resolved
@samuel40791765 samuel40791765 merged commit 8f1aae9 into aws:main Nov 5, 2024
112 of 116 checks passed
@samuel40791765 samuel40791765 deleted the ssl-tmp-key branch November 5, 2024 18:36
skmcgrail added a commit that referenced this pull request Nov 7, 2024
## What's Changed
* 800-131Ar1: length of the key-derivation key shall be at least 112
bits. by @skmcgrail in #1924
* Marshalling/Unmarshalling DH public keys by @justsmth in
#1916
* Also prune SSM documents from ec2-test-framework by @samuel40791765 in
#1925
* Use illegal_parameter instead of decode_error for invalid key shares
by @justsmth in #1923
* Add null check in dh testing by @torben-hansen in
#1937
* DH paramgen callback by @justsmth in
#1928
* Upstream merge 2024 10 17 by @torben-hansen in
#1934
* Remove old Intel CPU types by @justsmth in
#1942
* Remove retries on PCT failure in EC and RSA key generation. by @nebeid
in #1938
* Add p4p, bump up time by @justsmth in
#1943
* PQ README by @jakemas in #1932
* bump mysql CI to 9.1.0 by @justsmth in
#1939
* HKDF, HKDF_expand, and PBKDF Truncated SHA2-512 by @skmcgrail in
#1946
* Missing functionality + Adding Nmap to our CI by @smittals2 in
#1915
* Fix FIPS.md typo by @justsmth in
#1950
* Support encode or decode ∞ like OpenSSL by @samuel40791765 in
#1930
* Expand support for EVP_PKEY_HMAC by @justsmth in
#1933
* Add PKCS7-internal BIO_f_cipher by @WillChilds-Klein in
#1836
* Add PKCS7-internal BIO_f_md by @WillChilds-Klein in
#1886
* Ruby Support - DSA custom md by @justsmth in
#1953
* Add support for POINT_CONVERSION_HYBRID by @samuel40791765 in
#1936
* Fixes for Coverity Alerts by @smittals2 in
#1960
* Also test w/ gcc 4.8 by @justsmth in
#1962
* Actually add support for SSL_get_server/peer_tmp_key by
@samuel40791765 in #1945
* Coverity Fix Null Check by @smittals2 in
#1965
* ML-KEM keygen Pairwise Consistency Test by @dkostic in
#1964
* EDDSA PCT by @torben-hansen in #1968
* Expose AES_cfb1_encrypt and AES_cfb8_encrypt by @skmcgrail in
#1967

**Full Changelog**:
v1.37.0...v1.38.0

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants