feat: define early_secret in SSL structures for enhanced security #792
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
|
Failed to generate code suggestions for PR |
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for the TLS 1.3 early_secret field by defining its offsets, struct storage, and version macros across multiple OpenSSL versions.
- Introduce
early_secretentries in offset utility files for OpenSSL 1.1.1, 3.0, 3.2, and 3.5. - Extend
struct mastersecret_tto include the newearly_secretarray. - Define
SSL_ST_EARLY_SECRETandSSL_CONNECTION_ST_EARLY_SECRETmacros in each version-specific kernel file and bump OpenSSL 3.1.0 to 3.1.8.
Reviewed Changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| utils/openssl_1_1_1_offset.c | Added X(ssl_st, early_secret) to offset list |
| utils/openssl_3_0_offset.c | Added X(ssl_st, early_secret) to offset list |
| utils/openssl_3_2_0_offset.c | Added X(ssl_connection_st, early_secret) to offsets |
| utils/openssl_3_5_0_offset.c | Added X(ssl_connection_st, early_secret) to offsets |
| kern/openssl_masterkey.h | Extended mastersecret_t to include early_secret |
| kern/openssl_1_1_1a_kern.c | Defined SSL_ST_EARLY_SECRET macro |
| kern/openssl_1_1_1b_kern.c | Defined SSL_ST_EARLY_SECRET macro |
| kern/openssl_1_1_1d_kern.c | Defined SSL_ST_EARLY_SECRET macro |
| kern/openssl_1_1_1j_kern.c | Defined SSL_ST_EARLY_SECRET macro |
| kern/openssl_3_0_0_kern.c | Defined SSL_ST_EARLY_SECRET macro |
| kern/openssl_3_1_0_kern.c | Bumped to 3.1.8 and defined SSL_ST_EARLY_SECRET |
| kern/openssl_3_2_0_kern.c | Defined SSL_CONNECTION_ST_EARLY_SECRET macro |
| kern/openssl_3_2_3_kern.c | Defined SSL_CONNECTION_ST_EARLY_SECRET macro |
| kern/openssl_3_2_4_kern.c | Defined SSL_CONNECTION_ST_EARLY_SECRET macro |
| kern/openssl_3_3_0_kern.c | Defined SSL_CONNECTION_ST_EARLY_SECRET macro |
| kern/openssl_3_3_2_kern.c | Defined SSL_CONNECTION_ST_EARLY_SECRET macro |
| kern/openssl_3_3_3_kern.c | Defined SSL_CONNECTION_ST_EARLY_SECRET macro |
| kern/openssl_3_4_0_kern.c | Defined SSL_CONNECTION_ST_EARLY_SECRET macro |
| kern/openssl_3_4_1_kern.c | Defined SSL_CONNECTION_ST_EARLY_SECRET macro |
| kern/openssl_3_5_0_kern.c | Defined SSL_CONNECTION_ST_EARLY_SECRET macro |
Comments suppressed due to low confidence (4)
utils/openssl_3_5_0_offset.c:23
- [nitpick] Add a brief comment explaining the purpose of the
early_secretoffset in this macro list so future readers understand why it’s required.
X(ssl_connection_st, early_secret)
utils/openssl_3_5_0_offset.c:23
- Introduce unit tests to verify that the
early_secretoffset is computed correctly and integrated—this will guard against future regressions.
X(ssl_connection_st, early_secret)
utils/openssl_3_5_0_offset.c:23
- [nitpick] Offset definitions are duplicated across several versioned files; consider refactoring these into a shared header or macro to reduce repetition.
X(ssl_connection_st, early_secret)
…structure Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
…Build.spec Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request introduces support for the
early_secretfield across various OpenSSL versions and updates related structures and utilities to reflect this addition. The changes ensure compatibility with different OpenSSL versions and enhance the ability to capture and process TLS 1.3 secrets.Addition of
early_secretfield in OpenSSL version-specific kernel files:SSL_ST_EARLY_SECRETandSSL_CONNECTION_ST_EARLY_SECRETdefinitions to support theearly_secretfield for OpenSSL versions 1.1.1a, 1.1.1b, 1.1.1d, 1.1.1j, 3.0.0, 3.1.0, 3.2.0, 3.2.3, 3.2.4, 3.3.0, 3.3.2, 3.3.3, 3.4.0, 3.4.1, and 3.5.0. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]Updates to OpenSSL utilities:
early_secretfield references in utility files for offset calculations, includingutils/openssl_1_1_1_offset.c,utils/openssl_3_0_offset.c,utils/openssl_3_2_0_offset.c, andutils/openssl_3_5_0_offset.c. [1] [2] [3] [4]Structural changes to support
early_secret:struct mastersecret_tinkern/openssl_masterkey.hto include theearly_secretfield for TLS 1.3 support.Version update in OpenSSL 3.1.0 kernel file:
kern/openssl_3_1_0_kern.cto reflect OpenSSL 3.1.8 (previously 3.1.7).Minor formatting adjustments:
kern/openssl_3_2_0_kern.candkern/openssl_3_2_3_kern.cfor consistency. [1] [2]