Implement TLS 1.3 key schedule using crypto/hkdf #1472

Merged
karianna merged 2 commits into microsoft/main from dev/qmuntal/tls1prf
Jan 11, 2025

@qmuntal (Member) commented Jan 9, 2025

TLS 1.3 Key Schedule is normally not part of the FIPS boundary, but upstream Go decided to include it in the FIPS boundary to facilitate the FIPS 140-3 certification process.

The problem is that crypto/internal/fips140/tls13 uses crypto/internal/fips140/hkdf, which can't be patched to use other backends.

To solve this problem, we created this package, which is a direct copy of crypto/internal/fips140/tls13, but uses crypto/hkdf instead of crypto/internal/fips140/hkdf.

I tried hard to move the tls13 outside of the FIPS boundary without luck: https://go-review.googlesource.com/c/go/+/626836/comments/6e8e9eee_7a8fbce3.

Fixes #1470.

@qmuntal requested review from a user, dagood, gdams and mertakman January 9, 2025 16:16
@qmuntal requested a review from a team as a code owner January 9, 2025 16:16
@karianna merged commit f9eb8ba into microsoft/main Jan 11, 2025
31 checks passed
@gdams deleted the dev/qmuntal/tls1prf branch January 14, 2025 09:19
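
The first stages of the RFC 8446 key schedule that the description refers to, written against a swappable HKDF interface, as an added example that is not code from this PR or from the Go tree. The names `HKDF`, `hmacHKDF`, `ExpandLabel` and `Schedule` are hypothetical, SHA-256 with no PSK is assumed, and the shared secret in `main` is a constructed all-zero value.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// HKDF is a hypothetical seam: any backend that provides RFC 5869 can satisfy it.
type HKDF interface {
	Extract(ikm, salt []byte) []byte
	Expand(prk, info []byte, n int) []byte
}

type hmacHKDF struct{} // plain HMAC-SHA256 stand-in for a real backend (assumption)
func (hmacHKDF) Extract(ikm, salt []byte) []byte {
	m := hmac.New(sha256.New, salt) // an empty salt is equivalent to HashLen zero bytes
	m.Write(ikm)
	return m.Sum(nil)
}

func (hmacHKDF) Expand(prk, info []byte, n int) []byte {
	var out, t []byte
	for i := byte(1); len(out) < n; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(append(append(t, info...), i)) // T(i) = HMAC(prk, T(i-1) || info || i)
		t = m.Sum(nil)
		out = append(out, t...)
	}
	return out[:n]
}

// ExpandLabel is HKDF-Expand-Label from RFC 8446 section 7.1, fixed to 32 output bytes.
func ExpandLabel(h HKDF, secret []byte, label string, ctx []byte) []byte {
	info := append([]byte{0, sha256.Size, byte(6 + len(label))}, "tls13 "+label...)
	return h.Expand(secret, append(append(info, byte(len(ctx))), ctx...), sha256.Size)
}

// Schedule runs Early Secret -> Derive-Secret("derived") -> Handshake Secret.
func Schedule(h HKDF, shared []byte) (early, salt, hs []byte) {
	early = h.Extract(make([]byte, sha256.Size), nil) // no PSK: all-zero IKM
	salt = ExpandLabel(h, early, "derived", sha256.New().Sum(nil))
	return early, salt, h.Extract(shared, salt)
}

func main() {
	early, salt, hs := Schedule(hmacHKDF{}, make([]byte, 32)) // constructed shared secret
	fmt.Printf("early %x\nsalt  %x\nhs    %x\n", early, salt, hs)
}
```

Because every step goes through the `HKDF` interface, the schedule logic is unchanged when the stand-in is replaced by another implementation.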

Development

Successfully merging this pull request may close these issues.

Implement TLS 1.3 KDF using the crypto backends

4 participants