Closed Bug 1471126 Opened 7 years ago Closed 6 years ago

Record layer separation

Categories

(NSS :: Libraries, enhancement)

Product:
NSS
Component:
Libraries
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mt, Assigned: mt)

References

Details

Attachments

(6 files)

Bug 1471126 - Rename SSL3ContentType and make it public, r?ekr
46 bytes, text/x-phabricator-request
ekr
: review+
Details | Review
Bug 1471126 - Provide a callback for traffic secrets, r?ekr
46 bytes, text/x-phabricator-request
ekr
: review+
Details | Review
Bug 1471126 - Record layer separation, r?ekr
46 bytes, text/x-phabricator-request
Details | Review
Bug 1471126 - Provide extra information needed to use record layer separation, r?ekr
46 bytes, text/x-phabricator-request
ekr
: review+
Details | Review
Bug 1471126 - Fix return codes from SSL_ForceHandshake and SSL_RecordLayerData, r?ekr
47 bytes, text/x-phabricator-request
Details | Review
Bug 1471126 - Fix documentation, r?KevinJacobs
47 bytes, text/x-phabricator-request
Details | Review
QUIC draft -13 will require a use of TLS where the TLS record layer is replaced with QUIC packets. To support that, we need to provide APIs in two parts: 1. Callbacks or functions that enable reading and writing of the contents of records. This will allow QUIC to replace the record layer. 2. Callbacks or functions that allow access to the secrets that TLS generates. This will allow QUIC to use these secrets so that it can generate QUIC packet protection keys. Proposed API here: https://docs.google.com/document/d/1_fnDGxS3Btdk3iIvfDhe3O8IjbxBcOLQql4FamtmnMs/edit?usp=sharing
The renaming here is less widespread than I expected. I removed the content_alt_handshake while I was at this; no point in putting that in a public API.
This seemed very neatly separable, and less complicated than the record layer separation piece.
Testing this was a little tricky, I had to do something abominable with NSPR IO layers to get this to work cleanly, but the results seem reasonably clean. This isn't the end of this. There will be another patch that removes the custom hooks added so that we can decrypt and re-encrypt in tests. That can use the new API.
Comment on attachment 8987733 [details] Bug 1471126 - Rename SSL3ContentType and make it public, r?ekr Eric Rescorla (:ekr) has approved the revision. https://phabricator.services.mozilla.com/D1823
Attachment #8987733 - Flags: review+
This started as an attempt to remove the cipher spec update callback we use for testing. Using the new, public secrets interface should be better for that. In doing so, it became apparent that we needed more interfaces to NSS to support the use of these secrets. In particular: 1. We need to know what the KDF hash function is for a given cipher suite. This allows users of the secret to use the right hash function. 2. We need to know what cipher spec was picked when sending 0-RTT. NSS currently doesn't expose that information. (When receiving 0-RTT you can safely assume that the negotiated cipher suite is good to use.) So this patch adds these functions to the appropriate info functions and uses that information in tests to remove and re-add protection.
Comment on attachment 8987747 [details] Bug 1471126 - Provide a callback for traffic secrets, r?ekr Eric Rescorla (:ekr) has approved the revision. https://phabricator.services.mozilla.com/D1824
Attachment #8987747 - Flags: review+
Comment on attachment 8990172 [details] Bug 1471126 - Provide extra information needed to use record layer separation, r?ekr Eric Rescorla (:ekr) has approved the revision.
Attachment #8990172 - Flags: review+
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.43

Turns out that there were two errors that made my life using SSL_RecordLayerData hard:

  • SSL_ForceHandshake was returning SECFailure/PR_WOULD_BLOCK_ERROR when the record layer was replaced, even when the handshake was complete. This was being obscured in the tests by the fact that we mark sockets as complete through both the callback and SSL_ForceHandshake. I didn't change that aspect of the tests because different tests rely on that being the case. I don't have a good strategy for dealing with that, but I will continue to think on it.

  • SSL_RecordLayerData was returning SECFailure/PR_WOULD_BLOCK_ERROR when it succeeded, but the AuthCertificate callback blocked. The contract for SSL_RecordLayerData is that it returns SECSuccess always. I had explicitly ignored this error in tests, which was just a mistake.

Depends on: 1538479

In D1992, @glandium pointed out an error in the comments.
There is the bigger question of forward compatibility there, but this is just
to fix the obvious error.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: