| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch updates the DTLS 1.3 implementation to draft-34. Notable changes:
1) Key separation via `ssl_protocol_variant`.
2) No longer apply sequence number masking when in `UNSAFE_FUZZER_MODE`. This allowed removal of workarounds for unpadded (<16B) ciphertexts being used as input to `SSL_CreateMask`.
3) Compile ssl_gtests in `UNSAFE_FUZZER_MODE` iff `--fuzz=tls` was specified. Currently all gtests are compiled this way if `--fuzz`, but lib/ssl only if `--fuzz=tls`. (See above, we can't have ssl_gtests in fuzzer mode, but not lib/ssl, since the masking mismatch will break filters).
4) Parameterize masking tests, as appropriate.
5) Reject non-empty legacy_cookie, and test.
6) Reject ciphertexts <16B in length in `dtls13_MaskSequenceNumber` (if not `UNSAFE_FUZZER_MODE`).
Differential Revision: https://phabricator.services.mozilla.com/D62488
|
|
|
|
|
|
|
|
| |
This patch updates the DTLS 1.3 implementation to draft version 30, including unified header format and sequence number encryption.
Also added are new `SSL_CreateMask` experimental functions.
Differential Revision: https://phabricator.services.mozilla.com/D51014
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
We should really include version with the ciphersuite in case we decide to reuse the ciphersuite definitions for TLS 1.4, but also change the way they operate.
I also included a fixup for the clang4 build error from the last set.
Reviewers: ekr
Tags: #secure-revision
Bug #: 1528175
Differential Revision: https://phabricator.services.mozilla.com/D20761
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
separation, r=ekr
This started as an attempt to remove the cipher spec update callback we use for
testing. Using the new, public secrets interface should be better for that.
In doing so, it became apparent that we needed more interfaces to NSS to support
the use of these secrets. In particular:
1. We need to know what the KDF hash function is for a given cipher suite. This
allows users of the secret to use the right hash function.
2. We need to know what cipher spec was picked when sending 0-RTT. NSS
currently doesn't expose that information. (When receiving 0-RTT you can
safely assume that the negotiated cipher suite is good to use.)
3. We need to know what epoch NSS is currently using. Otherwise, we can't be
sure which epoch to feed it. Data from a good epoch is saved, whereas data
from a bad epoch is lost, so applications need to know.
So this patch adds these functions to the appropriate info functions and uses
that information in tests to remove and re-add protection.
The test changes are considerable. The main effect of the changes is to rely on
the new functions for managing secrets, rather than the old interface. But with
the changes in the other CLs for this bug, secrets appear before they are used,
which complicates things considerably. For that, I've moved more logic into the
TlsCipherSpec class, which now tracks per-epoch state, like sequence numbers and
record drops.
Trial decryption (yep) is used to identify the right cipher spec every time when
decrypting, so tests are no longer tolerant of failures to decrypt. It's no
longer possible to have a test enable decryption and pass when decryption fails;
this is particularly true for some parameterized tests that assumed it was OK to
enable decryption even for TLS 1.2 and earlier.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Update version number
- Forbid negotiating < TLS 1.3 with supported_versions
- Change to version number 0303 after HRR. Plus test
- Update AAD.
https://phabricator.services.mozilla.com/D753
|
| |
|
| |
|
|
Differential Revision: https://nss-review.dev.mozaws.net/D92
|