Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Alias OpenSSL SECLEVEL directives to ALL #2065

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Alias OpenSSL SECLEVEL directives to ALL #2065

wants to merge 2 commits into from
+15 −26

Conversation

WillChilds-Klein
Copy link
Contributor

@WillChilds-Klein WillChilds-Klein commented Dec 18, 2024
edited
Loading

Issues:

Addresses CryptoAlg-2792

Description of changes:

To increase compatibility with OpenSSL's notion of "security levels", this commit aliases all security levels ≤ 2 to AWS-LC's ALL alias. Described here, OpenSSL's security level 0 provides no minimum.

Testing:

  • CI with reduced CPython patch set

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@samuel40791765
Copy link
Contributor

Just to give some more context, I initially set our default security level to 3 under the same justifications. However, I had to change the value to 0 later on because we don't directly prohibit 512 bit RSA keys like OpenSSL states with Level 1..
This commit has more details: 42cd981

@WillChilds-Klein WillChilds-Klein changed the title [DRAFT] Alias OpenSSL SECLEVEL directives to ALL Alias OpenSSL SECLEVEL directives to ALL Dec 28, 2024
@codecov-commenter
Copy link

codecov-commenter commented Dec 31, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 75.00000% with 1 line in your changes missing coverage. Please review.

Project coverage is 78.75%. Comparing base (c0e927e) to head (c1aa1e9).

Files with missing lines Patch % Lines
ssl/ssl_cipher.cc 75.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2065      +/-   ##
==========================================
- Coverage   78.75%   78.75%   -0.01%     
==========================================
  Files         598      598              
  Lines      103651   103651              
  Branches    14721    14718       -3     
==========================================
- Hits        81632    81630       -2     
- Misses      21366    21369       +3     
+ Partials      653      652       -1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@WillChilds-Klein
Copy link
Contributor Author

Thanks for the context @samuel40791765.

However, I had to change the value to 0 later on because we don't directly prohibit 512 bit RSA keys

Do you mean for parsing or generating?

I believe we enforce minimum of 2048 bits in FIPS mode, but looking around a bit, I do see a surprisingly low minimum key size threshold of 256 bits. Given this, I agree that we should only honor SECLEVEL=0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@WillChilds-Klein @samuel40791765 @codecov-commenter