author Martin Thomson <mt@lowentropy.net> 2019-06-25 12:24:15 +1000
committer Martin Thomson <mt@lowentropy.net> 2019-06-25 12:24:15 +1000
commit bcacf7b350e9e26db0e5c1d46a98f8b417e38e46 (patch)
tree dc845c0324711d2ecc66d6c506db2de0e4088338 /cmd
parent af023085c60058746b5f15e7042bba598f318197 (diff)
Bug 1558681 - Anti-replay contexts, r=jcj,kjacobs

Stop using a global anti-replay context and enable creating a context directly. This increases the overhead of managing anti-replay for applications marginally, but allows much greater flexibility in use of anti-replay mechanisms. In particular, it enables the testing of 0-RTT in a threaded environment.

The comments in sslexp should be clear enough in explaining how this works. Basically, this is a new reference-counted object that can be created and tracked by applications. The only thing that I can see might be a problem with the API is that I haven't exposed a function to add a reference for use by applications. My thinking is that reference counting is an internal thing; it seems like applications won't need to worry about that.

selfserv is updated to create a context and attach it to sockets. This shows that the management overhead is minor.

The gtests have been tweaked to create a context during setup. The context is owned by the overall test framework and is passed to server instances after the sockets are initialized.

Bonus changes:

* ESNI keys are copied from the model socket when calling SSL_ReConfigFD().
* Some better tracing in the anti-replay functions.

Neither of these seemed worth the overhead of a bug to fix.

Differential Revision: https://phabricator.services.mozilla.com/D34660

Diffstat (limited to 'cmd')
-rw-r--r-- cmd/selfserv/selfserv.c 12
1 files changed, 11 insertions, 1 deletions
diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c
index 4b1adb028..533b3f053 100644
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -805,6 +805,7 @@ PRBool enableSessionTickets = PR_FALSE;
PRBool failedToNegotiateName = PR_FALSE;
PRBool enableExtendedMasterSecret = PR_FALSE;
PRBool zeroRTT = PR_FALSE;
+SSLAntiReplayContext *antiReplay = NULL;
PRBool enableALPN = PR_FALSE;
PRBool enablePostHandshakeAuth = PR_FALSE;
SSLNamedGroup *enabledGroups = NULL;
@@ -1954,7 +1955,7 @@ server_main(
if (enabledVersions.max < SSL_LIBRARY_VERSION_TLS_1_3) {
errExit("You tried enabling 0RTT without enabling TLS 1.3!");
}
- rv = SSL_InitAntiReplay(PR_Now(), 10L * PR_USEC_PER_SEC, 7, 14);
+ rv = SSL_SetAntiReplayContext(model_sock, antiReplay);
if (rv != SECSuccess) {
errExit("error configuring anti-replay ");
}
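Review bot: the SSL_SetAntiReplayContext(model_sock, antiReplay) call passes antiReplay without checking that it is non-NULL. The pointer is only assigned in the 'Z' option case in main(), so this 0-RTT setup block depends on that being the only place zeroRTT is ever set. An explicit NULL check with its own errExit message before the call would make that dependency visible and give a clearer failure than "error configuring anti-replay ".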
@@ -2469,6 +2470,12 @@ main(int argc, char **argv)
case 'Z':
zeroRTT = PR_TRUE;
+ rv = SSL_CreateAntiReplayContext(PR_Now(), 10L * PR_USEC_PER_SEC, 7, 14, &antiReplay);
+ if (rv != SECSuccess) {
+ PL_DestroyOptState(optstate);
+ fprintf(stderr, "Unable to create anti-replay context for 0-RTT.\n");
+ exit(1);
+ }
break;
case 'Q':
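Review bot: in the 'Z' case, repeating -Z on the command line calls SSL_CreateAntiReplayContext again and overwrites antiReplay, so the context created first is never released. Guard the call with `if (!antiReplay)`, or create the context once after option parsing when zeroRTT is set. The failure path also calls exit(1) directly instead of going through the cleanup label, and the arguments 10L * PR_USEC_PER_SEC, 7, 14 are carried over from the removed SSL_InitAntiReplay call without a comment saying what each one means.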
@@ -2798,6 +2805,9 @@ cleanup:
if (enabledGroups) {
PORT_Free(enabledGroups);
}
+ if (antiReplay) {
+ SSL_ReleaseAntiReplayContext(antiReplay);
+ }
if (NSS_Shutdown() != SECSuccess) {
SECU_PrintError(progName, "NSS_Shutdown");
if (loggerThread) {
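Review bot: in the cleanup block, SSL_ReleaseAntiReplayContext(antiReplay) is placed before NSS_Shutdown() without a comment saying whether that order is required. A one-line comment would keep a later reordering from breaking it, and setting antiReplay = NULL after the release would prevent any later use of the released pointer.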