1. 25 Jan, 2021 1 commit
  2. 01 Dec, 2020 1 commit
  3. 17 Nov, 2020 1 commit
    • Bug 1654332 - Update ESNI to draft-08 (ECH). r=mt · 4516d102
      Kevin Jacobs authored
      This patch adds support for Encrypted Client Hello (draft-ietf-tls-esni-08), replacing the existing ESNI (draft-02) support.
      
      There are five new experimental functions to enable this:
      
        - SSL_EncodeEchConfig: Generates an encoded (not BASE64) ECHConfig given a set of parameters.
        - SSL_SetClientEchConfigs: Configures the provided ECHConfig to the given socket. When configured, an ephemeral HPKE keypair will be generated for the CH encryption.
        - SSL_SetServerEchConfigs: Configures the provided ECHConfig and keypair to the socket. The keypair specified will be used for HPKE operations in order to decrypt encrypted Client Hellos as they are received.
        - SSL_GetEchRetryConfigs: If ECH is rejected by the server and compatible retry_configs are provided, this API allows the application to extract those retry_configs for use in a new connection.
        - SSL_EnableTls13GreaseEch: When enabled, non-ECH Client Hellos will have a "GREASE ECH" (i.e. fake) extension appended. GREASE ECH is disabled by default, as there are known compatibility issues that will be addressed in a subsequent draft.
      
      The following ESNI experimental functions are deprecated by this update:
      
        - SSL_EncodeESNIKeys
        - SSL_EnableESNI
        - SSL_SetESNIKeyPair
      
      
      In order to be used, NSS must be compiled with `NSS_ENABLE_DRAFT_HPKE` defined.
      
      Differential Revision: https://phabricator.services.mozilla.com/D86106
      
      --HG--
      rename : gtests/ssl_gtest/tls_esni_unittest.cc => gtests/ssl_gtest/tls_ech_unittest.cc
      rename : lib/ssl/tls13esni.c => lib/ssl/tls13ech.c
      rename : lib/ssl/tls13esni.h => lib/ssl/tls13ech.h
      extra : moz-landing-system : lando
      4516d102
  4. 05 Aug, 2020 1 commit
  5. 10 Jul, 2020 1 commit
    • Bug 1646324, advertise rsa_pkcs1_* schemes in CH and CR for certs, r=mt · 69f4843c
      Daiki Ueno authored
      Summary:
      In TLS 1.3, unless "signature_algorithms_cert" is advertised, the
      "signature_algorithms" extension is used as an indication of supported
      algorithms for signatures on certificates.  While rsa_pkcs1_*
      signatures schemes cannot be used for signing handshake messages, they
      should be advertised if the peer wants to support certificates
      signed with RSA PKCS#1.
      
      This adds a flag to ssl3_EncodeSigAlgs() and ssl3_FilterSigAlgs() to
      preserve rsa_pkcs1_* schemes in the output.
      
      Reviewers: mt
      
      Reviewed By: mt
      
      Bug #: 1646324
      
      Differential Revision: https://phabricator.services.mozilla.com/D80881
      
      --HG--
      extra : rebase_source : d58be09155b7b197f2500b8831f3b0f1ae8a30f0
      extra : amend_source : 0a4cfe26f33dcf3cee44e1001f844d8012350fd0
      69f4843c
  6. 10 Mar, 2020 1 commit
  7. 09 Mar, 2020 1 commit
  8. 06 Sep, 2019 1 commit
    • Bug 1549225 - Up front Signature Scheme validation, r=ueno · 0d386a8a
      Martin Thomson authored
      Summary:
      This patch started as an attempt to ensure that a DSA signature scheme would not
      be advertised if we weren't willing to negotiate versions less than TLS 1.3.
      Then I realized that we didn't do the same for PKCS#1 RSA.
      
      Then I realized that we were still willing to try to establish connections when
      we had a certificate that we couldn't use.
      
      Then I realized that ssl3_config_match_init() wasn't being run consistently.  On
      resumption, we only ran it when we were PARANOID.  That's silly because we
      weren't checking policies.
      
      Then I realized that we were allowing ECDSA certificates to be used when the
      named group in the certificate was disabled.  We weren't enforcing that
      consistently either.  However, I also discovered that the check we have wouldn't
      work without a tweak because in TLS 1.3 the named group is part of the signature
      scheme; the configured named groups are only used prior to TLS 1.3 when
      selecting ECDSA/ECDH certificates.
      
      So that sounds like a lot of changes but what it boils down to is more robust
      checking of the configuration prior to starting a connection.  As a result, we
      should be offering fewer options that we're unwilling or unable to follow
      through on.  A good number of tests needed tweaking as a result because we were
      relying on getting past the checks in those tests.  No real problems were found
      as a result; this just moves failures that might arise from misconfiguration a
      little earlier in the process.
      
      Differential Revision: https://phabricator.services.mozilla.com/D45966
      
      --HG--
      extra : rebase_source : 44632658baf414f035f13493d3f2f0ff5753ae9e
      0d386a8a
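Added example, not NSS code: a small C model of the up-front scheme filtering that this commit (Bug 1549225) and the later Bug 1646324 entry above describe. The function, type and flag names are constructed stand-ins for ssl3_FilterSigAlgs() and its new flag; only the code points (TLS SignatureScheme registry, RFC 8446 section 4.2.3) and the two rules are taken from the commits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t SSL3ProtocolVersion;
#define SSL_LIBRARY_VERSION_TLS_1_2 0x0303
#define SSL_LIBRARY_VERSION_TLS_1_3 0x0304

/* Code points from the TLS SignatureScheme registry (RFC 8446 section 4.2.3). */
typedef enum {
    ssl_sig_rsa_pkcs1_sha256 = 0x0401,
    ssl_sig_dsa_sha256 = 0x0402,
    ssl_sig_ecdsa_secp256r1_sha256 = 0x0403,
    ssl_sig_rsa_pss_rsae_sha256 = 0x0804
} SSLSignatureScheme;

/* Legacy TLS 1.2 encodings: high byte is the hash, low byte the signature
 * algorithm (1 = RSA PKCS#1, 2 = DSA). PSS/EdDSA schemes live at 0x08xx. */
static int is_rsa_pkcs1(SSLSignatureScheme s) { return (s >> 8) <= 0x06 && (s & 0xff) == 0x01; }
static int is_dsa(SSLSignatureScheme s)       { return (s >> 8) <= 0x06 && (s & 0xff) == 0x02; }

/* Drop schemes the configured version range can never use (constructed stand-in
 * for ssl3_FilterSigAlgs). preservePkcs1 mirrors the flag Bug 1646324 adds:
 * when encoding signature_algorithms for a ClientHello/CertificateRequest,
 * rsa_pkcs1_* stays in so the peer knows PKCS#1-signed certificates are
 * acceptable, even though TLS 1.3 forbids those schemes for handshake signatures. */
static size_t ssl3_filter_sig_algs(const SSLSignatureScheme *in, size_t n,
                                   SSL3ProtocolVersion minVersion, int preservePkcs1,
                                   SSLSignatureScheme *out)
{
    int pre13Possible = minVersion < SSL_LIBRARY_VERSION_TLS_1_3;
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_dsa(in[i]) && !pre13Possible)
            continue; /* DSA does not exist in TLS 1.3: never advertise it */
        if (is_rsa_pkcs1(in[i]) && !pre13Possible && !preservePkcs1)
            continue; /* cannot sign TLS 1.3 handshake messages with it */
        out[kept++] = in[i];
    }
    return kept;
}

int main(void)
{
    /* Constructed configured list: one scheme of each family. */
    SSLSignatureScheme all[] = { ssl_sig_rsa_pkcs1_sha256, ssl_sig_dsa_sha256,
                                 ssl_sig_ecdsa_secp256r1_sha256, ssl_sig_rsa_pss_rsae_sha256 };
    SSLSignatureScheme out[4];
    size_t n = ssl3_filter_sig_algs(all, 4, SSL_LIBRARY_VERSION_TLS_1_3, 0, out);
    printf("TLS 1.3 only, for signing: %zu schemes\n", n);
    n = ssl3_filter_sig_algs(all, 4, SSL_LIBRARY_VERSION_TLS_1_3, 1, out);
    printf("TLS 1.3 only, for signature_algorithms: %zu schemes\n", n);
    return 0;
}
```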
  9. 20 May, 2019 1 commit
    • Bug 1543874 - Use an external clock for SSL functions, r=ekr,kevinjacobs · 7de04fb4
      Martin Thomson authored
      Summary:
      This adds a new (experimental) API that allows users of libssl to provide their
      own clock function.  This is primarily of use in testing, but it also enables
      our QUIC implementation, which also runs off an external clock.
      
      SSL Sockets (and session IDs, when they are in memory) now have a "now()"
      function and void* arg attached to them.  By default, this is a function that
      calls PR_Now().  These values are copied from the socket to any session ID that
      is created from the socket, and to any session ID that is restored from the
      session cache.
      
      The ssl_Time() and ssl_TimeUsec() functions have been removed.
      
      As part of this, the experimental SSL_SetupAntiReplay() function had to be
      modified to take an external clock (PR_Now() suffices generally).  That function
      relies on knowing the time, and it doesn't have a socket to work from.  To avoid
      problems arising from the change in the signature, SSL_SetupAntiReplay is now
      removed.
      
      There are now three uses of time in the library:
      
      * The primary source of time runs off these newly added functions.  This governs
        session expiry, 0-RTT checks, and related functions.
      
      * The session cache uses a separate time to manage its locking.  This is of type
        PRUint32 in seconds (rather than PRTime in microseconds).  In investigating
        this, I found several places where this time in seconds was leaking across to
        the main functions via the lastAccessTime property.  That was fixed.  The
        cache functions that use time now all call ssl_CacheNow() to get time.
      
      * DTLS timers run using PRIntervalTime.  This is a little annoying and these
        could be made to use the main time source, but that would result in
        conversions between PRTime and PRIntervalTime at the DTLS API.  PRIntervalTime
        has a different epoch to PRTime, so this would be a little awkward.
      
      Only the first of these can be controlled using the new API.
      
      Bugs found:
      
      * Expiration time of resumption tokens was based on the sid->expirationTime,
        which didn't account for the lifetime provided by the server.  These are now
        capped by the minimum of ssl_ticket_lifetime and the value the server
        indicates.
      
        I removed ssl3_sid_timeout, the old limit, because inconsistent lifetimes
        between client and server messed with tests.  The client would have a lower
        cap than the server, which prevented testing of the enforcement of server
        limits without jumping through hoops.
      
      * There was a missing time conversion in tls13_InWindow which made the window
        checks too lenient.
      
      * lastAccessTime was being set to seconds-since-epoch instead of
        microseconds-since-epoch in a few places.
      
      Reviewers: ekr, KevinJacobs
      
      Reviewed By: KevinJacobs
      
      Subscribers: cjpatton
      
      Bug #: 1543874
      
      Differential Revision: https://phabricator.services.mozilla.com/D27238
      
      --HG--
      extra : rebase_source : 3317ecc00f37fc09f0e7c36e947dcd162d1d258a
      extra : amend_source : cf2bfb90a05911e0a0cc76bd377d99ccca8e1900
      7de04fb4
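Added example, not NSS code: a C model of the injectable clock design this commit describes, with the ticket-lifetime cap and the seconds-versus-microseconds fix. sslSocket, sslSessionID and the function names here are constructed stand-ins; PRTime being microseconds and the min(client cap, server lifetime) rule are as the commit states.

```c
#include <stdint.h>
#include <stdio.h>

/* PRTime is microseconds since the epoch in NSPR; the injected clock returns one. */
typedef int64_t PRTime;
typedef PRTime (*SSLTimeFunc)(void *arg);
#define PR_USEC_PER_SEC 1000000LL
/* Client-side cap on ticket lifetime, in seconds (stand-in for ssl_ticket_lifetime). */
#define TICKET_LIFETIME_SEC (2 * 24 * 60 * 60)

typedef struct { SSLTimeFunc now; void *nowArg; } sslSocket; /* constructed stand-in */
typedef struct {
    SSLTimeFunc now; void *nowArg;         /* copied from the socket that created the sid */
    PRTime creationTime, expirationTime;   /* both in microseconds, never seconds */
} sslSessionID;                            /* constructed stand-in */

/* Controllable clock for tests: arg points at the "current" PRTime. */
static PRTime test_clock(void *arg) { return *(PRTime *)arg; }

static void ssl_set_time_func(sslSocket *ss, SSLTimeFunc f, void *arg)
{
    ss->now = f;
    ss->nowArg = arg;
}

/* Build a sid from a NewSessionTicket whose lifetime the server states in
 * seconds: expiry = min(client cap, server lifetime), converted to usec once. */
static void ssl_new_session(const sslSocket *ss, uint32_t serverLifetimeSec, sslSessionID *sid)
{
    uint32_t lifetimeSec = serverLifetimeSec < TICKET_LIFETIME_SEC ? serverLifetimeSec
                                                                   : TICKET_LIFETIME_SEC;
    sid->now = ss->now;
    sid->nowArg = ss->nowArg;
    sid->creationTime = ss->now(ss->nowArg);
    sid->expirationTime = sid->creationTime + (PRTime)lifetimeSec * PR_USEC_PER_SEC;
}

/* Resumption checks read the clock attached to the sid, not PR_Now() directly,
 * so a test harness (or a QUIC stack) decides what "expired" means. */
static int ssl_sid_usable(const sslSessionID *sid)
{
    return sid->now(sid->nowArg) < sid->expirationTime;
}

int main(void)
{
    PRTime t = 1000 * PR_USEC_PER_SEC; /* constructed starting time */
    sslSocket ss;
    sslSessionID sid;
    ssl_set_time_func(&ss, test_clock, &t);
    ssl_new_session(&ss, 600, &sid);   /* server advertises a 600 s lifetime */
    printf("fresh: usable=%d\n", ssl_sid_usable(&sid));
    t += 601 * PR_USEC_PER_SEC;        /* advance the injected clock past expiry */
    printf("after 601 s: usable=%d\n", ssl_sid_usable(&sid));
    return 0;
}
```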
  10. 12 Feb, 2019 1 commit
  11. 28 Sep, 2018 1 commit
  12. 22 Aug, 2018 1 commit
    • Bug 1471967, skip unrecognized session tickets in TLS 1.3, r=ekr · 0c3fab7e
      Daiki Ueno authored
      Summary: In TLS 1.3, upon receiving a malformed ticket, the server doesn't immediately abort the connection, but rejects the client's resumption attempt.
      
      Reviewers: ekr
      
      Reviewed By: ekr
      
      Subscribers: mt, ekr, kaie, ueno, rrelyea, HubertKario
      
      Tags: #secure-revision, PHID-PROJ-ffhf7tdvqze7zrdn6dh3
      
      Bug #: 1471967
      
      Differential Revision: https://phabricator.services.mozilla.com/D3620
      
      --HG--
      extra : rebase_source : 8d81c1c91d58f363f29ef1e5084cfcdf142f3d38
      extra : amend_source : 518ae54337eafe0fa5054637cc9b8a2aea5c8282
      0c3fab7e
  13. 27 Feb, 2018 1 commit
  14. 07 Feb, 2018 1 commit
    • Bug 1432144 - clean-up sid handling, r=mt · aa30a457
      Franziskus Kiefer authored
      Summary:
      SID usage is pretty messy. In this patch I move all *sid to point to ss->sec.ci.sid (unless the SID is purely local to the function).
      This allows us to free sids when uncaching them.
      
      Reviewers: mt
      
      Reviewed By: mt
      
      Bug #: 1432144
      
      Differential Revision: https://phabricator.services.mozilla.com/D517
      
      --HG--
      extra : amend_source : 5ef18a287bc484ad89ca1832b34a80b9156fc2a0
      extra : histedit_source : fe16f957386bde7340a9e9c03f58cbf5eeecf4ca%2C54da085800cd3ff79b1a3eeb01918a25382c7a6f
      aa30a457
  15. 22 Jan, 2018 1 commit
  16. 16 Jan, 2018 1 commit
  17. 18 Jan, 2018 1 commit
  18. 17 Jan, 2018 1 commit
  19. 02 Jan, 2018 1 commit
  20. 24 Nov, 2017 1 commit
  21. 13 Apr, 2018 1 commit
  22. 26 Nov, 2017 1 commit
  23. 22 Nov, 2017 1 commit
    • Bug 1418862 - Make HelloRetryRequest look like ServerHello, r=ekr · 875149a9
      Martin Thomson authored
      Update TLS 1.3 implementation for draft-22.
      
      This makes the changes from Bug 1411475 the default mode of operation.  A new
      option, SSL_ENABLE_TLS13_COMPAT_MODE, is added to control whether a client
      attempts to force the server into compatibility mode.  When enabled, clients
      will send a fake session_id in the ClientHello and send a ChangeCipherSpec
      message before sending any encrypted records.
      
      This patch also includes changes to make a HelloRetryRequest look like a
      ServerHello.
      
      This includes the version number change to draft-22.
      
      --HG--
      branch : NSS_TLS13_DRAFT19_BRANCH
      extra : rebase_source : 0a2868314e7fed0930be029352a0824ec1eb4b46
      extra : amend_source : 8a39378587292bd9acaed5de1da105806f3d0522
      extra : histedit_source : b2a5f8f4439eba4c41347fea267af6a320c16e52%2C2b1453083a95b9dcfa95f54e70a197f3d870d885
      875149a9
  24. 24 Oct, 2017 1 commit
    • Bug 1411475 - Google Hack, r=ekr · d81088d7
      Martin Thomson authored
      This makes the TLS 1.3 handshake look like TLS 1.2.
      
      The trickiest part here is in 0-RTT.  I've chosen to remember that the
      alternative handshake was used and send a ChangeCipherSpec if the previous
      session used the alternative AND if the client enables the alternative.
      
      This assumes that a server will commit to supporting - and selecting - this
      alternative handshake type for as long as it supports 0-RTT from sessions that
      have the alternative handshake type.  That is, if you negotiate the alternative
      handshake and the server supports 0-RTT, then it will not just support TLS 1.3
      for the duration of the ticket, but also the alternative handshake type.  A
      client can disable the alternative handshake because the version in the
      ClientHello indicates whether the client intended to send a CCS, but the server
      cannot refuse to pick it if the client offers.
      
      Of course, if we agree that the final TLS 1.3 is in this form, we don't have a
      problem, it's only an issue because we need to switch-hit.
      
      I chose to remove the Facebook alternative content type hack as all signs
      indicate that it doesn't help.
      
      --HG--
      branch : NSS_TLS13_DRAFT19_BRANCH
      extra : rebase_source : cba8b9be8726f29acf742d225693a70af10ac5ca
      d81088d7
  25. 18 Oct, 2017 1 commit
  26. 16 Oct, 2017 1 commit
  27. 11 Sep, 2017 2 commits
    • Bug 1398679 - Make cipher specs properly directional, r?ekr · c3225079
      Martin Thomson authored
      This makes each cipher spec unidirectional.  This is a tiny bit less efficient
      in TLS 1.2 and earlier, where some of the material could be shared (primarily
      the master secret), but it is much more efficient for TLS 1.3.
      
      Also, there is now only one variable of each type on the specs.  Up to now, the
      specs had two copies of almost everything to support being used for both read
      and write.  Now there are separate specs for reading and writing.  We only
      duplicate the pointers to the master secret, and the cipher definitions.
      
      This also does away with the backing array that was used to hold two copies of
      specs.  Cipher specs are allocated on the heap as they are used and reference
      counted, using the same system as is already used for TLS 1.3.
      
      This uses the |direction| attribute that was previously added for TLS 1.3 and
      uses that more thoroughly.
      
      Finally, this REMOVES compression support from libssl entirely.
      
      --HG--
      branch : NSS_TLS13_DRAFT19_BRANCH
      extra : rebase_source : 9d8a05d08fcaec783c54e4a9c45105b964e607d8
      extra : amend_source : d9aa17d8dce4ab8ff599657c9db215d91ad67090
      extra : intermediate-source : 60552a0d8fc13732e06458ce9c6be9e8264a256b
      extra : source : e9619fea6154a4e1c4fd731a96a9a6ac7e40135e
      c3225079
    • Bug 1398647 - Remove the SECItem used for "storing" the master secret, r=ttaubert · 4171be63
      Martin Thomson authored
      --HG--
      branch : NSS_TLS13_DRAFT19_BRANCH
      extra : rebase_source : 7b6b118d9a116e1803db64ad29f4e0c1e4ebfe1b
      extra : amend_source : 6285cc56284e96566fdf653475fb04526fd11ddb
      extra : source : 1430f8033e9f639ec6912b78b52652948ba5d57a
      4171be63
  28. 04 Oct, 2017 1 commit
  29. 01 Aug, 2017 1 commit
    • Bug 1385203 - Use sslBuffer for encoding more widely, r=ekr · a9aee608
      Martin Thomson authored
      This removes ssl3_Append[Number]ToItem and switches more places to using
      buffers.  The advantage with that, aside from a consistent interface, is that
      encoding using sslBuffer is length checked.  A new field is added to the struct
      so that it can be used for encoding directly onto the stack rather than relying
      on reallocation when the space limit is reached.
      
      New macros are added so that the internals of sslBuffer aren't accessed
      directly.  Not all instances of these accesses have been fixed.
      
      Differential Revision: https://nss-review.dev.mozaws.net/D390
      
      --HG--
      branch : NSS_TLS13_DRAFT19_BRANCH
      extra : rebase_source : 60595ab46e30d80dc8bd13a341053edd5cd907b6
      extra : amend_source : 25edd67ac2d8bda91a4f927c8671cabd257ccba7
      a9aee608
  30. 16 Jul, 2017 1 commit
  31. 01 Aug, 2017 1 commit
  32. 31 Jul, 2017 1 commit
  33. 04 Sep, 2017 1 commit
  34. 24 Oct, 2017 1 commit
    • Bug 1411475 - Google Hack, r=ekr · 6ff9164f
      Martin Thomson authored
      This makes the TLS 1.3 handshake look like TLS 1.2.
      
      The trickiest part here is in 0-RTT.  I've chosen to remember that the
      alternative handshake was used and send a ChangeCipherSpec if the previous
      session used the alternative AND if the client enables the alternative.
      
      This assumes that a server will commit to supporting - and selecting - this
      alternative handshake type for as long as it supports 0-RTT from sessions that
      have the alternative handshake type.  That is, if you negotiate the alternative
      handshake and the server supports 0-RTT, then it will not just support TLS 1.3
      for the duration of the ticket, but also the alternative handshake type.  A
      client can disable the alternative handshake because the version in the
      ClientHello indicates whether the client intended to send a CCS, but the server
      cannot refuse to pick it if the client offers.
      
      Of course, if we agree that the final TLS 1.3 is in this form, we don't have a
      problem, it's only an issue because we need to switch-hit.
      
      I chose to remove the Facebook alternative content type hack as all signs
      indicate that it doesn't help.
      
      --HG--
      extra : rebase_source : 76a2c380db9945948667c5a7e0be8b975f0debe9
      extra : source : 4241288b70235a1c9be7c30a49f7cd7e811d4f36
      6ff9164f
  35. 22 May, 2017 1 commit
  36. 14 Jul, 2017 1 commit
  37. 31 May, 2017 2 commits
    • Bug 1368980 - Custom extension writers/handlers, r=ekr · 509c3567
      Martin Thomson authored
      --HG--
      branch : NSS_TLS13_DRAFT19_BRANCH
      extra : rebase_source : fda5096a9c565a4470a85a15913bc6cac1ba9fc1
      extra : amend_source : d6247b24a6c801c74fa664ff2b2c776fc1f29c5f
      extra : intermediate-source : 0d4827d3dee666b4923d3abfa8446b6edc43342e
      extra : source : b394de6e2d5d5cda34a9725b7782bcb5ae2f54a9
      509c3567
    • Bug 1368980 - Refactor extension senders, r=ekr,ttaubert · 793a2fca
      Martin Thomson authored
      --HG--
      branch : NSS_TLS13_DRAFT19_BRANCH
      extra : rebase_source : c2c4eae5bc13298513fac59b2f336af0047094e1
      extra : amend_source : c598baccb0a630e2648d8b2d6733694c861f89b6
      extra : source : 15572efbbc172c68ef8a307a7c2f61f5e7b17319
      793a2fca
  38. 11 Jun, 2017 1 commit