support for tls1.3

Signed-off-by: Jordan Filteau <[email protected]>
zowe · Sep 18, 2023 · 2def32d · 2def32d
1 parent 45b2865
commit 2def32d
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/c/tls.c b/c/tls.c
@@ -67,6 +67,7 @@ int tlsInit(TlsEnvironment **outEnv, TlsSettings *settings) {
   rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1, GSK_PROTOCOL_TLSV1_OFF);
   rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1_1, GSK_PROTOCOL_TLSV1_1_OFF);
   rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1_2, GSK_PROTOCOL_TLSV1_2_ON);
+  rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1_3, GSK_PROTOCOL_TLSV1_3_ON);
   rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_SERVER_EPHEMERAL_DH_GROUP_SIZE, GSK_SERVER_EPHEMERAL_DH_GROUP_SIZE_2048);
 
 #ifdef DEV_DO_NOT_VALIDATE_CLIENT_CERTIFICATES
@@ -148,16 +149,23 @@ int tlsSocketInit(TlsEnvironment *env, TlsSocket **outSocket, int fd, bool isSer
   }
   char *label = env->settings->label;
   char *ciphers = env->settings->ciphers;
+  char *keyshares = env->settings->keyshares;
   rc = rc || gsk_secure_socket_open(env->envHandle, &socket->socketHandle);
   rc = rc || gsk_attribute_set_numeric_value(socket->socketHandle, GSK_FD, fd);
   if (label) {
     rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_KEYRING_LABEL, label, 0);
   }
   rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_SESSION_TYPE, isServer ? GSK_SERVER_SESSION_WITH_CL_AUTH : GSK_CLIENT_SESSION);
   if (ciphers) {
-    rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_V3_CIPHER_SPECS_EXPANDED, ciphers, 0);
+    rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_V3_CIPHER_SPECS_EXPANDED, ciphers, 0); 
     rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_V3_CIPHERS, GSK_V3_CIPHERS_CHAR4);
   }
+  if (keyshares) {
+    /*
+     * TLS 1.3 needs this.
+     */
+    rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_SERVER_TLS_KEY_SHARES, keyshares, 0);
+  }
   rc = rc || gsk_attribute_set_callback(socket->socketHandle, GSK_IO_CALLBACK, &ioCallbacks);
   rc = rc || gsk_secure_socket_init(socket->socketHandle);
   if (rc == 0) {

diff --git a/h/tls.h b/h/tls.h
@@ -121,7 +121,14 @@ typedef struct TlsSettings_tag {
 #define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 "C030" // 256-bit AES in Galois Counter Mode encryption with 128-bit AEAD message authentication and ephemeral ECDH key exchange signed with an RSA certificate
 #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 "C031" // 128-bit AES in Galois Counter Mode encryption with 128-bit AEAD message authentication and fixed ECDH key exchange signed with an RSA certificate
 #define TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 "C032" // 256-bit AES in Galois Counter Mode encryption with 128-bit AEAD message authentication and fixed ECDH key exchange signed with an RSA certificate
+#define TLS_AES_128_GCM_SHA256 "1301"
+#define TLS_AES_256_GCM_SHA384 "1302"
+#define TLS_CHACHA20_POLY1305_SHA256 "1303"
   char *ciphers;
+#define TLS_X25519 "0029"
+#define TLS_SECP256R1 "0023"
+#define TLS_SECP521R1 "0025"
+  char *keyshares;
 } TlsSettings;
 
 typedef struct TlsEnvironment_tag {