author | Dennis Jackson <djackson@mozilla.com> | 2021-12-17 13:21:28 +0000 |
---|---|---|
committer | Dennis Jackson <djackson@mozilla.com> | 2021-12-17 13:21:28 +0000 |
commit | 44c9efeac3b36fde75effefb21724e75507856de (patch) | |
tree | 871675f65be4b27b7ac45a25fb2b49358d8be24e /gtests/ssl_gtest | |
parent | ff42593964136628165593b17ee488d06b344bfe (diff) | |
download | nss-hg-44c9efeac3b36fde75effefb21724e75507856de.tar.gz |
Bug 1728281 - Add ECH-13 HRR Handling. r=mt
This changeset adds client and server support for ECH extensions in the HelloRetryRequest Message.
When Servers respond with a HRR to an ECH advertising ClientHello, servers add an additional 8 byte
confirmation value in an ECH extension with their HRR which allows the client to deduce whether ECH
was accepted or rejected. The confirmation value is derived from the ClientHelloInner's random value
and the transcript up to and including the HRR. If ECH is rejected, the confirmation value is replaced
with 8 random bytes.
This necessitates several further changes to the control flow of HRR generation and handling. Firstly,
the HRR must be generated in two passes, firstly with a placeholder value of zero bytes instead of the
confirmation value, then secondly with the true confirmation value. Further, if the server accepts
ECH in the HRR, it cannot change its mind when processing the second client hello.
If ECH is rejected and the HRR confirmation value is instead a random value, the (stateless) server
must be able to regenerate the correct confirmation value. This patch adds the GREASEd value to the
HRR cookie, increasing its size by 8 bytes. In order to prevent a network observer from distinguishing
whether ECH was accepted, these 8 bytes are used whether or not ECH is accepted.
On the client side, the HRR with zeroed confirmation value must be added to the transcript when calculating
the confirmation value. Unlike a PSK extension, the HRR ECH Extension can appear in any position and so the extension handler stores a pointer into the server hello buffer.
Differential Revision: https://phabricator.services.mozilla.com/D124072
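The two-pass confirmation scheme described in the commit message, as an added Python sketch that is not part of this commit or of NSS. The label string and the HKDF-Extract over the ClientHelloInner random follow the ECH draft-13 text as recalled here; the function names, the sample messages and the simplified transcript (a plain hash of ClientHelloInner followed by the HRR, without the TLS 1.3 message_hash substitution) are assumptions.

```python
import hashlib
import hmac
import os

ZEROS8 = bytes(8)  # placeholder written into the HRR on the first pass

def hkdf_expand_label(secret, label, context, length):
    # TLS 1.3 HkdfLabel: uint16 length, "tls13 " + label, context (RFC 8446, 7.1)
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    # A single HMAC block is enough because length <= 32 for SHA-256
    return hmac.new(secret, info + b"\x01", hashlib.sha256).digest()[:length]

def confirmation(inner_random, ch_inner, hrr_zeroed):
    # Assumption: simplified transcript = SHA-256(ClientHelloInner || zeroed HRR)
    transcript = hashlib.sha256(ch_inner + hrr_zeroed).digest()
    prk = hmac.new(bytes(32), inner_random, hashlib.sha256).digest()  # HKDF-Extract(0, random)
    return hkdf_expand_label(prk, b"hrr ech accept confirmation", transcript, 8)

def server_build_hrr(prefix, suffix, inner_random, ch_inner, accept):
    # Pass 1 builds the HRR with the placeholder; pass 2 splices in the real
    # confirmation (accept) or 8 random bytes (reject). Same length either way.
    zeroed = prefix + ZEROS8 + suffix
    value = confirmation(inner_random, ch_inner, zeroed) if accept else os.urandom(8)
    return prefix + value + suffix, len(prefix)

def client_check_hrr(hrr, offset, inner_random, ch_inner):
    # The extension may sit anywhere, so the client keeps its offset, zeroes
    # those 8 bytes, recomputes, and compares in constant time.
    received = hrr[offset:offset + 8]
    zeroed = hrr[:offset] + ZEROS8 + hrr[offset + 8:]
    return hmac.compare_digest(received, confirmation(inner_random, ch_inner, zeroed))

# Constructed sample data, not real handshake bytes
INNER_RANDOM = hashlib.sha256(b"constructed inner random").digest()
CH_INNER = b"constructed ClientHelloInner bytes"
PREFIX, SUFFIX = b"constructed HRR head|ech:", b"|constructed HRR tail"

if __name__ == "__main__":
    for accept in (True, False):
        hrr, off = server_build_hrr(PREFIX, SUFFIX, INNER_RANDOM, CH_INNER, accept)
        print(accept, len(hrr), client_check_hrr(hrr, off, INNER_RANDOM, CH_INNER))
```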
Diffstat (limited to 'gtests/ssl_gtest')
-rw-r--r-- | gtests/ssl_gtest/tls_connect.cc | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/gtests/ssl_gtest/tls_connect.cc b/gtests/ssl_gtest/tls_connect.cc index d76e18d63..284875fab 100644 --- a/gtests/ssl_gtest/tls_connect.cc +++ b/gtests/ssl_gtest/tls_connect.cc @@ -322,8 +322,8 @@ void TlsConnectTestBase::SetupEch(std::shared_ptr<TlsAgent>& client, {HpkeKdfHkdfSha256, HpkeAeadChaCha20Poly1305}, {HpkeKdfHkdfSha256, HpkeAeadAes128Gcm}}; - GenerateEchConfig(kem_id, kDefaultSuites, "public.name", maxConfigSize, record, - priv); + GenerateEchConfig(kem_id, kDefaultSuites, "public.name", maxConfigSize, + record, priv); ASSERT_NE(0U, record.len()); SECStatus rv; if (set_server_config) { |
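Review bot: the only change under gtests/ssl_gtest is a re-wrap of the GenerateEchConfig call in TlsConnectTestBase::SetupEch (the `record` argument moves up a line), so no test in this directory's diff exercises the HRR confirmation value, the zero-byte placeholder pass or the 8-byte cookie growth that the commit message describes. Please confirm that coverage for the accept and reject HRR paths lands elsewhere in the changeset, and consider moving this formatting-only change into a separate commit so the functional change is easier to audit and bisect.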