Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher suite support #1455

Merged
merged 14 commits into from
Mar 28, 2024
Merged

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher suite support #1455

merged 14 commits into from
Mar 28, 2024

Conversation

skmcgrail
Copy link
Member

@skmcgrail skmcgrail commented Feb 27, 2024
edited
Loading

Description of changes:

Adds support for the TLS 1.2 cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ECDHE-RSA-AES256-SHA384).

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@skmcgrail skmcgrail requested a review from a team as a code owner February 27, 2024 00:58
skmcgrail
skmcgrail commented Feb 27, 2024
View reviewed changes
ssl/ssl_test.cc
Comment on lines 4079 to +4123
{TLS1_2_VERSION,
{0x16, 0x03, 0x01, 0x00, 0x84, 0x01, 0x00, 0x00, 0x80, 0x03, 0x03, 0x00,
{0x16, 0x03, 0x01, 0x00, 0x86, 0x01, 0x00, 0x00, 0x82, 0x03, 0x03, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0xcc, 0xa9,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0xcc, 0xa9,
0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, 0xc0, 0x30, 0xc0, 0x09,
0xc0, 0x13, 0xc0, 0x27, 0xc0, 0x0a, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d,
0x00, 0x2f, 0x00, 0x3c, 0x00, 0x35, 0x01, 0x00, 0x00, 0x37, 0x00, 0x17,
0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01,
0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04,
0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08,
0x06, 0x06, 0x01, 0x02, 0x01}},
0xc0, 0x13, 0xc0, 0x27, 0xc0, 0x0a, 0xc0, 0x14, 0xc0, 0x28, 0x00, 0x9c,
0x00, 0x9d, 0x00, 0x2f, 0x00, 0x3c, 0x00, 0x35, 0x01, 0x00, 0x00, 0x37,
0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00,
0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x0b, 0x00,
0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00,
0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05,
0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01}},
Copy link
Member Author

@skmcgrail skmcgrail Feb 27, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The parsed updated client hello message:

[
  {
    "ClientHello": {
      "version": "Tls12",
      "random_data": "00000000000000000000000000000000",
      "session_id": "",
      "cipherlist": [
        "0xcca9(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256)",
        "0xcca8(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)",
        "0xc02b(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)",
        "0xc02f(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)",
        "0xc02c(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)",
        "0xc030(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)",
        "0xc009(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)",
        "0xc013(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)",
        "0xc027(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)",
        "0xc00a(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)",
        "0xc014(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)",
        "0xc028(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)",
        "0x009c(TLS_RSA_WITH_AES_128_GCM_SHA256)",
        "0x009d(TLS_RSA_WITH_AES_256_GCM_SHA384)",
        "0x002f(TLS_RSA_WITH_AES_128_CBC_SHA)",
        "0x003c(TLS_RSA_WITH_AES_128_CBC_SHA256)",
        "0x0035(TLS_RSA_WITH_AES_256_CBC_SHA)"
      ],
      "compressionlist": [
        "Null"
      ],
      "extensions": [
        "TlsExtension::ExtendedMasterSecret",
        "TlsExtension::RenegotiationInfo(data=[])",
        "TlsExtension::EllipticCurves([\"EcdhX25519\", \"Secp256r1\", \"Secp384r1\"])",
        "TlsExtension::EcPointFormats([0])",
        "TlsExtension::SessionTicket(data=[])",
        "TlsExtension::SignatureAlgorithms([\"ecdsa_secp256r1_sha256\", \"rsa_pss_rsae_sha256\", \"rsa_pkcs1_sha256\", \"ecdsa_secp384r1_sha384\", \"rsa_pss_rsae_sha384\", \"rsa_pkcs1_sha384\", \"rsa_pss_rsae_sha512\", \"rsa_pkcs1_sha512\", \"rsa_pkcs1_sha1\"])"
      ]
    }
  }
]

@codecov-commenter
Copy link

codecov-commenter commented Feb 27, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 89.36170% with 10 lines in your changes are missing coverage. Please review.

Project coverage is 77.00%. Comparing base (ad40a9a) to head (d4fa43f).

Files Patch % Lines
ssl/ssl_cipher.cc 40.00% 6 Missing ⚠️
crypto/cipher_extra/tls_cbc.c 94.80% 4 Missing ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #1455   +/-   ##
=======================================
  Coverage   76.99%   77.00%           
=======================================
  Files         425      425           
  Lines       71546    71628   +82     
=======================================
+ Hits        55088    55154   +66     
- Misses      16458    16474   +16

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@skmcgrail skmcgrail changed the title TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite support TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher suite support Mar 7, 2024
@skmcgrail skmcgrail marked this pull request as draft March 12, 2024 15:52
@skmcgrail skmcgrail force-pushed the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 branch 2 times, most recently from da7ed85 to dd58578 Compare March 21, 2024 00:30
@skmcgrail skmcgrail marked this pull request as ready for review March 21, 2024 00:31
@skmcgrail skmcgrail requested a review from dkostic March 21, 2024 00:31
@skmcgrail skmcgrail force-pushed the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 branch from dd58578 to 742811b Compare March 21, 2024 20:07
@skmcgrail skmcgrail force-pushed the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 branch from 742811b to 8dc198e Compare March 21, 2024 23:50
dkostic
dkostic reviewed Mar 25, 2024
View reviewed changes
crypto/cipher_extra/cipher_test.cc Show resolved Hide resolved
crypto/cipher_extra/tls_cbc.c Outdated Show resolved Hide resolved
crypto/cipher_extra/tls_cbc.c Outdated Show resolved Hide resolved
crypto/cipher_extra/tls_cbc.c Outdated Show resolved Hide resolved
samuel40791765
samuel40791765 reviewed Mar 25, 2024
View reviewed changes
Copy link
Contributor

@samuel40791765 samuel40791765 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we also document the new cipher support here?

crypto/cipher_extra/aead_test.cc Outdated Show resolved Hide resolved
crypto/cipher_extra/internal.h Outdated Show resolved Hide resolved
crypto/cipher_extra/tls_cbc.c Outdated Show resolved Hide resolved
include/openssl/sha.h Outdated Show resolved Hide resolved
crypto/cipher_extra/tls_cbc.c Show resolved Hide resolved
crypto/cipher_extra/tls_cbc.c Outdated Show resolved Hide resolved
crypto/cipher_extra/tls_cbc.c Show resolved Hide resolved
ssl/ssl_cipher.cc Outdated Show resolved Hide resolved
dkostic
dkostic previously approved these changes Mar 26, 2024
View reviewed changes
samuel40791765
samuel40791765 previously approved these changes Mar 26, 2024
View reviewed changes
crypto/cipher_extra/tls_cbc.c Show resolved Hide resolved
include/openssl/sha.h Outdated Show resolved Hide resolved
crypto/cipher_extra/tls_cbc.c Show resolved Hide resolved
@skmcgrail @samuel40791765
Update include/openssl/sha.h
1535156 
Co-authored-by: Samuel Chiang <[email protected]>
@skmcgrail skmcgrail dismissed stale reviews from samuel40791765 and dkostic via 1535156 March 26, 2024 23:47
samuel40791765
samuel40791765 previously approved these changes Mar 26, 2024
View reviewed changes
@skmcgrail skmcgrail force-pushed the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 branch from a11a75d to 88fd8bc Compare March 27, 2024 00:49
@skmcgrail skmcgrail enabled auto-merge (squash) March 28, 2024 16:58
@skmcgrail skmcgrail merged commit 2ce9017 into aws:main Mar 28, 2024
44 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@samuel40791765 samuel40791765 samuel40791765 approved these changes

@dkostic dkostic dkostic approved these changes

Assignees
No one assigned
Labels
reviewers-assigned
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@skmcgrail @codecov-commenter @samuel40791765 @dkostic