static SECStatus tls13_Exporter(sslSocket *ss, PK11SymKey *secret, const char *label, unsigned int labelLen, const unsigned char *context, unsigned int contextLen, unsigned char *out, unsigned int outLen) { if (!secret) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } return tls13_HkdfExpandLabelRaw(secret, tls13_GetHash(ss), context, contextLen, label, labelLen, out, outLen); }
/* Checks for a duplicate in the two filters we have. Performs maintenance on * the filters as a side-effect. This only detects a probable replay, it's * possible that this will return true when the 0-RTT attempt is not genuinely a * replay. In that case, we reject 0-RTT unnecessarily, but that's OK because * no client expects 0-RTT to work every time. */ PRBool tls13_IsReplay(const sslSocket *ss, const sslSessionID *sid) { PRBool replay; unsigned int size; PRUint8 index; SECStatus rv; static const char *label = "tls13 anti-replay"; PRUint8 buf[SSL_MAX_BLOOM_FILTER_SIZE]; /* If SSL_SetupAntiReplay hasn't been called, then treat all attempts at * 0-RTT as a replay. */ if (!ssl_anti_replay.init.initialized) { return PR_TRUE; } if (!tls13_InWindow(ss, sid)) { return PR_TRUE; } size = ssl_anti_replay.filters[0].k * (ssl_anti_replay.filters[0].bits + 7) / 8; PORT_Assert(size <= SSL_MAX_BLOOM_FILTER_SIZE); rv = tls13_HkdfExpandLabelRaw(ssl_anti_replay.key, ssl_hash_sha256, ss->xtnData.pskBinder.data, ss->xtnData.pskBinder.len, label, strlen(label), buf, size); if (rv != SECSuccess) { return PR_TRUE; } PZ_EnterMonitor(ssl_anti_replay.lock); tls13_AntiReplayUpdate(); index = ssl_anti_replay.current; replay = sslBloom_Add(&ssl_anti_replay.filters[index], buf); if (!replay) { replay = sslBloom_Check(&ssl_anti_replay.filters[index ^ 1], buf); } PZ_ExitMonitor(ssl_anti_replay.lock); return replay; }