Closed Bug 1935925 Opened 3 months ago Closed 1 month ago

SSLKEYLOG HANDSHAKE_TRAFFIC_SECRETs not written when using mlkem768x25519

Categories

(NSS :: Libraries, defect, P3)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: johnthacker, Assigned: jschanck)

Details

Attachments

(1 file)

Bug 1935925 - change default sensitivity of KEM keys. r=djackson
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0

Steps to reproduce:

  1. export SSLKEYLOGFILE="${HOME}/sslkey.log"
  2. Start Firefox 132 or133 (or 134b7 developer edition).
  3. Start a network capture, e.g. with Wireshark.
  4. Browse to sites, e.g. www.google.com.
  5. Try disabling "network.http.http3.enable_kyber" and "network.http.http3.enable" in about:config to see slightly different results in QUIC without X25519MLKEM768, and in TLS over TCP (with HTTP2 or HTTP depending on "network.http.http2.enable")

Actual results:

For TLS 1.3 handshakes (both in QUIC and in TLS) where the X25519MLKEM768 Key Share (4588) is chosen, the SSLKEYLOGFILE has entries for CLIENT_EARLY_TRAFFIC_SECRET, EARLY_EXPORTER_SECRET, CLIENT_TRAFFIC_SECRET_0, SERVER_TRAFFIC_SECRET_0, and EXPORTER_SECRET, but no entries for CLIENT_HANDSHAKE_TRAFFIC_SECRET and SERVER_HANDSHAKE_TRAFFIC_SECRET.

This makes it impossible to decrypt Encrypted Extensions at the conclusion of the server handshake after the Server Hello. With current Wireshark, the missing handshake traffic secrets also cause the later traffic to fail to decrypt (because by not decrypting the encrypted extensions, Wireshark misses the Handshake Finished message (which is encrypted), and thus doesn't change to the Traffic secret.)

With handshakes that do not use X25519MLKEM768 (e.g., x25519 (29), for example with QUIC if network.http.http3.enable_kyber is set to false), the CLIENT_HANDSHAKE_TRAFFIC_SECRET and SERVER_HANDSHAKE_TRAFFIC_SECRET are written to the sslkeylogfile normally, as done in Firefox 131 (before https://bugzilla.mozilla.org/show_bug.cgi?id=1916525 )

Expected results:

CLIENT_HANDSHAKE_TRAFFIC_SECRET and SERVER_HANDSHAKE_TRAFFIC_SECRET should have written to the SSLKEYLOGFILE along with the other secrets, enabling Encrypted Extensions decryption.

Reported originally at https://gitlab.com/wireshark/wireshark/-/issues/20240

Assignee: nobody → jschanck
Severity: -- → S3
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P3

https://hg.mozilla.org/projects/nss/rev/1426ed44173af731e0a76fce14159b6cfeea19f9

Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: