sm: implement post-CER/CEA TLS upgrade (RFC 6733 §6.2)#243
Conversation
|
Useful direction but a few things to resolve before merging:
Suggestion: split into (a) #240, #241, #242 can land independently of this — they're useful on their own and don't block the design discussion here. |
|
Thanks — the new commit addresses three of the four concerns nicely:
Two things left:
Also worth adding now that both sides are wired up: an integration test that drives a full plain→CER/CEA→TLS handshake using the new |
Add TLSUpgrader interface and StartTLS method to support upgrading a plain TCP connection to TLS after the CER/CEA exchange, as specified in RFC 6733 §6.2. Changes: - Add TLSUpgrader interface to diam package - Add StartTLS() method to the server connection (response type) - Add TLSConfig field to sm.Settings for server-side TLS upgrade - Update handleCER to accept Inband-Security-Id=1 when TLSConfig is set, and perform TLS upgrade after sending success CEA - Add ParseWithSecurity() to CER parser (accepts tlsActive flag) - Add RequestedSecurity() accessor to CER struct When a peer sends CER with Inband-Security-Id=1 and the server has TLSConfig configured, the server sends a success CEA then upgrades the connection to TLS. Without TLSConfig, the existing behavior (reject with NO_COMMON_SECURITY) is preserved. Fixes fiorix#238
- Add client-side StartTLSClient method (tls.Client) to TLSUpgrader - Add RequestInbandTLS field to Client; sends Inband-Security-Id=1 - Perform client-side TLS upgrade in handleCEA after success CEA - Fix silent downgrade: type-assert TLSUpgrader before accepting Inband-Security-Id=1 in handleCER (rejects non-upgradeable conns) - Document concurrency safety constraints on StartTLS methods - Defensive close if upgrade fails after success CEA was sent
- Document that TLS handshake failure after success CEA results in connection close (both peers observe the failure directly per RFC 6733 §6.2; sending a second CEA would violate the protocol) - Add TestInbandTLSUpgrade_EndToEnd: drives a full plain TCP → CER/CEA with Inband-Security-Id=1 → TLS upgrade flow, then verifies DWR/DWA exchange over the encrypted connection
85637f5 to
254c8d2
Compare
|
I tried to address those last things please check if taths ok ! |
* sm: implement post-CER/CEA TLS upgrade (RFC 6733 §6.2) Add TLSUpgrader interface and StartTLS method to support upgrading a plain TCP connection to TLS after the CER/CEA exchange, as specified in RFC 6733 §6.2. Changes: - Add TLSUpgrader interface to diam package - Add StartTLS() method to the server connection (response type) - Add TLSConfig field to sm.Settings for server-side TLS upgrade - Update handleCER to accept Inband-Security-Id=1 when TLSConfig is set, and perform TLS upgrade after sending success CEA - Add ParseWithSecurity() to CER parser (accepts tlsActive flag) - Add RequestedSecurity() accessor to CER struct When a peer sends CER with Inband-Security-Id=1 and the server has TLSConfig configured, the server sends a success CEA then upgrades the connection to TLS. Without TLSConfig, the existing behavior (reject with NO_COMMON_SECURITY) is preserved. Fixes fiorix#238 * sm: address review comments on TLS upgrade PR - Add client-side StartTLSClient method (tls.Client) to TLSUpgrader - Add RequestInbandTLS field to Client; sends Inband-Security-Id=1 - Perform client-side TLS upgrade in handleCEA after success CEA - Fix silent downgrade: type-assert TLSUpgrader before accepting Inband-Security-Id=1 in handleCER (rejects non-upgradeable conns) - Document concurrency safety constraints on StartTLS methods - Defensive close if upgrade fails after success CEA was sent * sm: document failure semantics and add end-to-end TLS upgrade test - Document that TLS handshake failure after success CEA results in connection close (both peers observe the failure directly per RFC 6733 §6.2; sending a second CEA would violate the protocol) - Add TestInbandTLSUpgrade_EndToEnd: drives a full plain TCP → CER/CEA with Inband-Security-Id=1 → TLS upgrade flow, then verifies DWR/DWA exchange over the encrypted connection
…x#243)" (fiorix#244) This reverts commit 64dabe9.
* sm: implement post-CER/CEA TLS upgrade (RFC 6733 §6.2) Add TLSUpgrader interface and StartTLS method to support upgrading a plain TCP connection to TLS after the CER/CEA exchange, as specified in RFC 6733 §6.2. Changes: - Add TLSUpgrader interface to diam package - Add StartTLS() method to the server connection (response type) - Add TLSConfig field to sm.Settings for server-side TLS upgrade - Update handleCER to accept Inband-Security-Id=1 when TLSConfig is set, and perform TLS upgrade after sending success CEA - Add ParseWithSecurity() to CER parser (accepts tlsActive flag) - Add RequestedSecurity() accessor to CER struct When a peer sends CER with Inband-Security-Id=1 and the server has TLSConfig configured, the server sends a success CEA then upgrades the connection to TLS. Without TLSConfig, the existing behavior (reject with NO_COMMON_SECURITY) is preserved. Fixes fiorix#238 * sm: address review comments on TLS upgrade PR - Add client-side StartTLSClient method (tls.Client) to TLSUpgrader - Add RequestInbandTLS field to Client; sends Inband-Security-Id=1 - Perform client-side TLS upgrade in handleCEA after success CEA - Fix silent downgrade: type-assert TLSUpgrader before accepting Inband-Security-Id=1 in handleCER (rejects non-upgradeable conns) - Document concurrency safety constraints on StartTLS methods - Defensive close if upgrade fails after success CEA was sent * sm: document failure semantics and add end-to-end TLS upgrade test - Document that TLS handshake failure after success CEA results in connection close (both peers observe the failure directly per RFC 6733 §6.2; sending a second CEA would violate the protocol) - Add TestInbandTLSUpgrade_EndToEnd: drives a full plain TCP → CER/CEA with Inband-Security-Id=1 → TLS upgrade flow, then verifies DWR/DWA exchange over the encrypted connection
…x#243)" (fiorix#244) This reverts commit 64dabe9.
* sm: implement post-CER/CEA TLS upgrade (RFC 6733 §6.2) Add TLSUpgrader interface and StartTLS method to support upgrading a plain TCP connection to TLS after the CER/CEA exchange, as specified in RFC 6733 §6.2. Changes: - Add TLSUpgrader interface to diam package - Add StartTLS() method to the server connection (response type) - Add TLSConfig field to sm.Settings for server-side TLS upgrade - Update handleCER to accept Inband-Security-Id=1 when TLSConfig is set, and perform TLS upgrade after sending success CEA - Add ParseWithSecurity() to CER parser (accepts tlsActive flag) - Add RequestedSecurity() accessor to CER struct When a peer sends CER with Inband-Security-Id=1 and the server has TLSConfig configured, the server sends a success CEA then upgrades the connection to TLS. Without TLSConfig, the existing behavior (reject with NO_COMMON_SECURITY) is preserved. Fixes fiorix#238 * sm: address review comments on TLS upgrade PR - Add client-side StartTLSClient method (tls.Client) to TLSUpgrader - Add RequestInbandTLS field to Client; sends Inband-Security-Id=1 - Perform client-side TLS upgrade in handleCEA after success CEA - Fix silent downgrade: type-assert TLSUpgrader before accepting Inband-Security-Id=1 in handleCER (rejects non-upgradeable conns) - Document concurrency safety constraints on StartTLS methods - Defensive close if upgrade fails after success CEA was sent * sm: document failure semantics and add end-to-end TLS upgrade test - Document that TLS handshake failure after success CEA results in connection close (both peers observe the failure directly per RFC 6733 §6.2; sending a second CEA would violate the protocol) - Add TestInbandTLSUpgrade_EndToEnd: drives a full plain TCP → CER/CEA with Inband-Security-Id=1 → TLS upgrade flow, then verifies DWR/DWA exchange over the encrypted connection
…x#243)" (fiorix#244) This reverts commit 64dabe9.
Add support for upgrading a plain TCP connection to TLS after the CER/CEA exchange, as specified in RFC 6733 §6.2.
Changes
TLSUpgraderinterface todiampackageStartTLS(*tls.Config) errormethod to the server connectionTLSConfig *tls.Configfield tosm.SettingshandleCER: when peer sends Inband-Security-Id=1 and server has TLSConfig, accept the CER, send success CEA, then upgrade to TLSParseWithSecurity()andRequestedSecurity()to CER parserRFC Reference
RFC 6733 §6.2:
Backwards Compatibility
Without
TLSConfigset in Settings, existing behavior is preserved (Inband-Security-Id=1 is rejected with NO_COMMON_SECURITY on plain connections).All existing tests pass. The SCTP close test failure is pre-existing on upstream main.
Fixes #238
Related: #236, #239