diff options
author | Martin Thomson <martin.thomson@gmail.com> | 2017-11-29 21:20:44 +1100 |
---|---|---|
committer | Martin Thomson <martin.thomson@gmail.com> | 2017-11-29 21:20:44 +1100 |
commit | 82284bff6a7f977cb896a6d2252a6c07f6fe305e (patch) | |
tree | a03f3e8cbf1f62b3a87787d941cc3a55e322a83e /lib | |
parent | 7bf8d08f157aae746311e7be1fe41b95d545d3a2 (diff) | |
download | nss-hg-82284bff6a7f977cb896a6d2252a6c07f6fe305e.tar.gz |
Bug 1417331 - Early exporters for TLS 1.3, r=lekensteyn
Reviewers: Lekensteyn
Reviewed By: Lekensteyn
Bug #: 1317331
Differential Revision: https://phabricator.services.mozilla.com/D287
Diffstat (limited to 'lib')
-rw-r--r-- | lib/ssl/tls13con.c | 51 |
1 files changed, 32 insertions, 19 deletions
diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c index 360beae2f..8de0d1a87 100644 --- a/lib/ssl/tls13con.c +++ b/lib/ssl/tls13con.c @@ -125,6 +125,7 @@ const char keylogLabelClientHsTrafficSecret[] = "CLIENT_HANDSHAKE_TRAFFIC_SECRET const char keylogLabelServerHsTrafficSecret[] = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; const char keylogLabelClientTrafficSecret[] = "CLIENT_TRAFFIC_SECRET_0"; const char keylogLabelServerTrafficSecret[] = "SERVER_TRAFFIC_SECRET_0"; +const char keylogLabelEarlyExporterSecret[] = "EARLY_EXPORTER_SECRET"; const char keylogLabelExporterSecret[] = "EXPORTER_SECRET"; #define TRAFFIC_SECRET(ss, dir, name) ((ss->sec.isServer ^ \ @@ -767,20 +768,40 @@ tls13_ComputeEarlySecrets(sslSocket *ss) if (rv != SECSuccess) { return SECFailure; } - - rv = tls13_DeriveSecretNullHash(ss, ss->ssl3.hs.currentSecret, - kHkdfLabelEarlyExporterSecret, - strlen(kHkdfLabelEarlyExporterSecret), - &ss->ssl3.hs.earlyExporterSecret); - if (rv != SECSuccess) { - return SECFailure; - } } PORT_Assert(!ss->ssl3.hs.resumptionMasterSecret); return SECSuccess; } +/* This derives the early traffic and early exporter secrets. */ +static SECStatus +tls13_DeriveEarlySecrets(sslSocket *ss) +{ + SECStatus rv; + + rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, + kHkdfLabelClient, + kHkdfLabelEarlyTrafficSecret, + keylogLabelClientEarlyTrafficSecret, + &ss->ssl3.hs.clientEarlyTrafficSecret); + if (rv != SECSuccess) { + return SECFailure; + } + + rv = tls13_DeriveSecretNullHash(ss, ss->ssl3.hs.currentSecret, + kHkdfLabelEarlyExporterSecret, + strlen(kHkdfLabelEarlyExporterSecret), + &ss->ssl3.hs.earlyExporterSecret); + if (rv != SECSuccess) { + return SECFailure; + } + + ssl3_RecordKeyLog(ss, keylogLabelEarlyExporterSecret, + ss->ssl3.hs.earlyExporterSecret); + return SECSuccess; +} + static SECStatus tls13_ComputeHandshakeSecrets(sslSocket *ss) { @@ -1597,11 +1618,7 @@ tls13_HandleClientHelloPart2(sslSocket *ss, sid = NULL; if (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) { - rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, - kHkdfLabelClient, - kHkdfLabelEarlyTrafficSecret, - keylogLabelClientEarlyTrafficSecret, - &ss->ssl3.hs.clientEarlyTrafficSecret); + rv = tls13_DeriveEarlySecrets(ss); if (rv != SECSuccess) { FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); return SECFailure; @@ -2823,7 +2840,7 @@ tls13_DeriveSecretNullHash(sslSocket *ss, PK11SymKey *key, return tls13_DeriveSecret(ss, key, label, labelLen, &hashes, dest); } -/* Convenience wrapper that lets us supply a separate previx and suffix. */ +/* Convenience wrapper that lets us supply a separate prefix and suffix. */ static SECStatus tls13_DeriveSecretWrap(sslSocket *ss, PK11SymKey *key, const char *prefix, @@ -4846,11 +4863,7 @@ tls13_MaybeDo0RTTHandshake(sslSocket *ss) /* Cipher suite already set in tls13_SetupClientHello. */ ss->ssl3.hs.preliminaryInfo = 0; - rv = tls13_DeriveSecretWrap(ss, ss->ssl3.hs.currentSecret, - kHkdfLabelClient, - kHkdfLabelEarlyTrafficSecret, - keylogLabelClientEarlyTrafficSecret, - &ss->ssl3.hs.clientEarlyTrafficSecret); + rv = tls13_DeriveEarlySecrets(ss); if (rv != SECSuccess) { return SECFailure; } |