authorMartin Thomson <martin.thomson@gmail.com>2017-11-29 21:20:44 +1100
committerMartin Thomson <martin.thomson@gmail.com>2017-11-29 21:20:44 +1100
commit82284bff6a7f977cb896a6d2252a6c07f6fe305e (patch)
treea03f3e8cbf1f62b3a87787d941cc3a55e322a83e
parent7bf8d08f157aae746311e7be1fe41b95d545d3a2 (diff)
Bug 1417331 - Early exporters for TLS 1.3, r=lekensteyn
Reviewers: Lekensteyn Reviewed By: Lekensteyn Bug #: 1317331 Differential Revision: https://phabricator.services.mozilla.com/D287
-rw-r--r--gtests/ssl_gtest/ssl_keylog_unittest.cc1
-rw-r--r--lib/ssl/tls13con.c51
2 files changed, 33 insertions, 19 deletions
diff --git a/gtests/ssl_gtest/ssl_keylog_unittest.cc b/gtests/ssl_gtest/ssl_keylog_unittest.cc
index 9463cd02c..029fe0048 100644
--- a/gtests/ssl_gtest/ssl_keylog_unittest.cc
+++ b/gtests/ssl_gtest/ssl_keylog_unittest.cc
@@ -55,6 +55,7 @@ class KeyLogFileTest : public TlsConnectGeneric {
ASSERT_EQ(2U, labels["CLIENT_RANDOM"]);
} else {
ASSERT_EQ(2U, labels["CLIENT_EARLY_TRAFFIC_SECRET"]);
+ ASSERT_EQ(2U, labels["EARLY_EXPORTER_SECRET"]);
ASSERT_EQ(4U, labels["CLIENT_HANDSHAKE_TRAFFIC_SECRET"]);
ASSERT_EQ(4U, labels["SERVER_HANDSHAKE_TRAFFIC_SECRET"]);
ASSERT_EQ(4U, labels["CLIENT_TRAFFIC_SECRET_0"]);
diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c
index 360beae2f..8de0d1a87 100644
--- a/lib/ssl/tls13con.c
+++ b/lib/ssl/tls13con.c
@@ -125,6 +125,7 @@ const char keylogLabelClientHsTrafficSecret[] = "CLIENT_HANDSHAKE_TRAFFIC_SECRET
const char keylogLabelServerHsTrafficSecret[] = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
const char keylogLabelClientTrafficSecret[] = "CLIENT_TRAFFIC_SECRET_0";
const char keylogLabelServerTrafficSecret[] = "SERVER_TRAFFIC_SECRET_0";
+const char keylogLabelEarlyExporterSecret[] = "EARLY_EXPORTER_SECRET";
const char keylogLabelExporterSecret[] = "EXPORTER_SECRET";
#define TRAFFIC_SECRET(ss, dir, name) ((ss->sec.isServer ^ \
@@ -767,20 +768,40 @@ tls13_ComputeEarlySecrets(sslSocket *ss)
if (rv != SECSuccess) {
return SECFailure;
}
-
- rv = tls13_DeriveSecretNullHash(ss, ss->ssl3.hs.currentSecret,
- kHkdfLabelEarlyExporterSecret,
- strlen(kHkdfLabelEarlyExporterSecret),
- &ss->ssl3.hs.earlyExporterSecret);
- if (rv != SECSuccess) {
- return SECFailure;
- }
}
PORT_Assert(!ss->ssl3.hs.resumptionMasterSecret);
return SECSuccess;
}
+/* This derives the early traffic and early exporter secrets. */
+static SECStatus
+tls13_DeriveEarlySecrets(sslSocket *ss)
+{
+ SECStatus rv;
+
+ rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret,
+ kHkdfLabelClient,
+ kHkdfLabelEarlyTrafficSecret,
+ keylogLabelClientEarlyTrafficSecret,
+ &ss->ssl3.hs.clientEarlyTrafficSecret);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ rv = tls13_DeriveSecretNullHash(ss, ss->ssl3.hs.currentSecret,
+ kHkdfLabelEarlyExporterSecret,
+ strlen(kHkdfLabelEarlyExporterSecret),
+ &ss->ssl3.hs.earlyExporterSecret);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ ssl3_RecordKeyLog(ss, keylogLabelEarlyExporterSecret,
+ ss->ssl3.hs.earlyExporterSecret);
+ return SECSuccess;
+}
+
static SECStatus
tls13_ComputeHandshakeSecrets(sslSocket *ss)
{
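Review bot: In tls13_DeriveEarlySecrets the early exporter secret is derived with tls13_DeriveSecretNullHash, while the early traffic secret just above it goes through tls13_DeriveSecretWrap. If the NullHash helper hashes an empty transcript, as its name suggests, the exporter secret is not bound to the ClientHello, which the TLS 1.3 key schedule requires for the early exporter secret. A value that depends only on the PSK would repeat across every connection resuming that PSK, which weakens any channel binding built on the exporter. The call is moved unchanged from tls13_ComputeEarlySecrets (whose body starts outside this hunk), so the behaviour predates the commit, but it is worth confirming and deriving both secrets over the same handshake hashes. At minimum, extend the function comment to say which transcript each secret covers, e.g. `/* Derives the early traffic secret and the early exporter secret; NOTE: the exporter is currently derived over the null hash, not the ClientHello. */`.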
@@ -1597,11 +1618,7 @@ tls13_HandleClientHelloPart2(sslSocket *ss,
sid = NULL;
if (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) {
- rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret,
- kHkdfLabelClient,
- kHkdfLabelEarlyTrafficSecret,
- keylogLabelClientEarlyTrafficSecret,
- &ss->ssl3.hs.clientEarlyTrafficSecret);
+ rv = tls13_DeriveEarlySecrets(ss);
if (rv != SECSuccess) {
FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
return SECFailure;
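Review bot: Because this call sits inside the `zeroRttState == ssl_0rtt_accepted` branch, `ss->ssl3.hs.earlyExporterSecret` is no longer derived for a PSK handshake that does not accept 0-RTT, as far as this diff shows: the same commit removes the derivation from tls13_ComputeEarlySecrets. The client-side call in the tls13_MaybeDo0RTTHandshake hunk has the same effect. Any code that reads the early exporter secret (not visible in this diff) must reject the request when the secret is absent rather than pass it on to a derivation. A comment at the call would make the dependency explicit, e.g. `/* Also derives the early exporter secret; it is not available unless 0-RTT is accepted. */`. tls13_HandleClientHelloPart2 starts and ends outside the hunk.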
@@ -2823,7 +2840,7 @@ tls13_DeriveSecretNullHash(sslSocket *ss, PK11SymKey *key,
return tls13_DeriveSecret(ss, key, label, labelLen, &hashes, dest);
}
-/* Convenience wrapper that lets us supply a separate previx and suffix. */
+/* Convenience wrapper that lets us supply a separate prefix and suffix. */
static SECStatus
tls13_DeriveSecretWrap(sslSocket *ss, PK11SymKey *key,
const char *prefix,
@@ -4846,11 +4863,7 @@ tls13_MaybeDo0RTTHandshake(sslSocket *ss)
/* Cipher suite already set in tls13_SetupClientHello. */
ss->ssl3.hs.preliminaryInfo = 0;
- rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret,
- kHkdfLabelClient,
- kHkdfLabelEarlyTrafficSecret,
- keylogLabelClientEarlyTrafficSecret,
- &ss->ssl3.hs.clientEarlyTrafficSecret);
+ rv = tls13_DeriveEarlySecrets(ss);
if (rv != SECSuccess) {
return SECFailure;
}