Closed Bug 1558681 Opened 2 years ago Closed 2 years ago

Stop using a global for anti-replay of TLS 1.3 early data


(NSS :: Libraries, enhancement, P1)



(Not tracked)



(Reporter: mt, Assigned: mt)



(1 file)

The use of a global has a serious impact on our ability to run concurrent test cases involving 0-RTT.

For Rust, where the default test runner is concurrent, the global turns out to be annoying. Concurrent tests interfere with each other.

Yes, this could be fixed by adding another global or constraining tests to run on a single thread, but those are both terrible.

The solution will be to create a new object (say SSLAntiReplayContext) and a function to create it (SSL_CreateAntiReplayContext). This will be a reference-counted object (freed with SSL_ReleaseAntiReplayContext) and have all the necessary mutexes so that it can be used concurrently. Sockets will have a function (SSL_SetAntiReplayContext) that will be needed to enable 0-RTT on servers. Without this, servers will treat any attempt at 0-RTT as a replay attempt.

Stop using a global anti-replay context and enable creating a context directly.
This increases the overhead of managing anti-replay for applications marginally,
but allows much greater flexibility in use of anti-replay mechanisms. In
particular, it enables the testing of 0-RTT in a threaded environment.

The comments in sslexp should be clear enough in explaining how this works.
Basically, this is a new reference-counted object that can be created and
tracked by applications.

The only thing that I can see might be a problem with the API is that I haven't
exposed a function to add a reference for use by applications. My thinking is
that reference counting is an internal thing; it seems like applications won't
need to worry about that.

selfserv is updated to create a context and attach it to sockets. This shows
that the overhead is minor.

The gtests have been tweaked to create a context during setup. The context is
owned by the overall test framework and is passed to server instances after the
sockets are initialized.

Bonus changes:

  • ESNI keys are copied from the model socket when calling SSL_ReConfigFD().
  • Some better tracing in the anti-replay functions.

Neither of these seemed worth the overhead of a bug to fix.

Priority: -- → P1
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.45
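
The design described in this bug, as a small C model added here for illustration; it is not NSS code and not part of the patch. `ReplayCtx`, `Sock` and the `ctx_*`/`sock_*` functions are hypothetical names, a fixed-size list of seen tokens stands in for the real replay tracking, and the socket taking its own reference is an assumption about how internal reference counting could work.

```c
#include <pthread.h>
#include <stdlib.h>

#define SLOTS 64

/* Hypothetical per-application anti-replay context (replaces the global). */
typedef struct {
    pthread_mutex_t lock;      /* guards refs, seen[] and n */
    int refs;
    unsigned long seen[SLOTS]; /* constructed: tokens already accepted */
    int n;
} ReplayCtx;

typedef struct { ReplayCtx *ctx; } Sock; /* toy socket; ctx may be NULL */

ReplayCtx *ctx_create(void) {
    ReplayCtx *c = calloc(1, sizeof(*c));
    if (!c) return NULL;
    pthread_mutex_init(&c->lock, NULL);
    c->refs = 1;               /* reference held by the creator */
    return c;
}

void ctx_release(ReplayCtx *c) {
    if (!c) return;
    pthread_mutex_lock(&c->lock);
    int left = --c->refs;
    pthread_mutex_unlock(&c->lock);
    if (left == 0) { pthread_mutex_destroy(&c->lock); free(c); }
}

/* The socket takes its own reference, so the creator may release early. */
void sock_set_ctx(Sock *s, ReplayCtx *c) {
    pthread_mutex_lock(&c->lock);
    c->refs++;
    pthread_mutex_unlock(&c->lock);
    ctx_release(s->ctx);       /* drop any previously attached context */
    s->ctx = c;
}

/* Returns 1 to accept early data, 0 to reject it as a possible replay. */
int sock_accept_early(Sock *s, unsigned long token) {
    ReplayCtx *c = s->ctx;
    int ok = 0, replay = 0;
    if (!c) return 0;          /* no context: every 0-RTT attempt is rejected */
    pthread_mutex_lock(&c->lock);
    for (int i = 0; i < c->n; i++) if (c->seen[i] == token) replay = 1;
    if (!replay && c->n < SLOTS) { c->seen[c->n++] = token; ok = 1; } /* full: fail closed */
    pthread_mutex_unlock(&c->lock);
    return ok;
}
```

Two sockets attached to different contexts keep separate replay state, which is what lets concurrent 0-RTT tests run without interfering with each other.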