8000 Add two new APIs to expose TLS 1.3 traffic secrets for kTLS by skmcgrail · Pull Request #2506 · aws/aws-lc · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Add two new APIs to expose TLS 1.3 traffic secrets for kTLS #2506

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jun 26, 2025
Merged

Add two new APIs to expose TLS 1.3 traffic secrets for kTLS #2506

merged 6 commits into from
Jun 26, 2025
+153 −0

Conversation

skmcgrail
Copy link
Member
@skmcgrail skmcgrail commented Jun 24, 2025
edited
Loading

Overview

This PR adds two new APIs to expose TLS 1.3 traffic secrets:

  • SSL_get_read_traffic_secret: Retrieves the read traffic secret for the current connection state
  • SSL_get_write_traffic_secret: Retrieves the write traffic secret for the current connection state

Purpose

These APIs allow applications to access the TLS 1.3 traffic secrets, similar to the previous protocol version SSL_generate_key_block.

API Details

Both functions follow the same pattern:

  • Only valid for TLS 1.3 connections (error if called with TLS 1.2 or lower)
  • Cannot be called during a handshake
  • Return 1 on success, 0 on error
  • Support a query mode (passing NULL for the secret buffer) to determine required buffer size

Security Considerations

These APIs are intended for advanced use cases where applications need direct access to TLS 1.3 key material. Users should be aware that exposing these secrets allows for decryption of TLS 1.3 traffic, and appropriate security measures should be taken when handling this sensitive material.

Testing

The implementation includes comprehensive tests that verify:

  • The client's read secret matches the server's write secret
  • The client's write secret matches the server's read secret
  • The secrets have the expected length
  • Error handling for invalid parameters and states

Compatibility

These APIs are new additions and do not affect existing functionality.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@codecov-commenter
Copy link
codecov-commenter commented Jun 24, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.87%. Comparing base (e2a5299) to head (6dc4d6b).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2506      +/-   ##
==========================================
+ Coverage   78.85%   78.87%   +0.02%     
==========================================
  Files         640      640              
  Lines      109560   109604      +44     
  Branches    15520    15527       +7     
==========================================
+ Hits        86389    86449      +60     
+ Misses      22471    22457      -14     
+ Partials      700      698       -2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

github-actions[bot]
github-actions bot reviewed Jun 24, 2025
View reviewed changes
Copy link
Contributor
@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

clang-tidy made some suggestions

@skmcgrail skmcgrail marked this pull request as ready for review June 24, 2025 23:28
@skmcgrail skmcgrail requested a review from a team as a code owner June 24, 2025 23:28
@skmcgrail skmcgrail changed the title Add initial implementations for TLS 1.3 traffic secret export capability for kTLS Add two new APIs to expose TLS 1.3 traffic secrets for kTLS Jun 25, 2025
samuel40791765
samuel40791765 previously approved these changes Jun 25, 2025
View reviewed changes
torben-hansen
torben-hansen previously approved these changes Jun 25, 2025
View reviewed changes
@skmcgrail @torben-hansen
Update include/openssl/ssl.h
5012b93 
Co-authored-by: torben-hansen <50673096+torben-hansen@users.noreply.github.com>
@skmcgrail skmcgrail dismissed stale reviews from torben-hansen and samuel40791765 via 5012b93 June 25, 2025 23:05
@skmcgrail @torben-hansen
Update include/openssl/ssl.h
6dc4d6b 
Co-authored-by: torben-hansen <50673096+torben-hansen@users.noreply.github.com>
@skmcgrail skmcgrail requested a review from torben-hansen June 26, 2025 00:03
@skmcgrail skmcgrail merged commit 95244e4 into aws:main Jun 26, 2025
124 of 126 checks passed
@skmcgrail skmcgrail deleted the tls13-key-export branch June 26, 2025 16:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@samuel40791765 samuel40791765 samuel40791765 approved these changes

@torben-hansen torben-hansen torben-hansen approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@skmcgrail @codecov-commenter @samuel40791765 @torben-hansen
0