Example #1
/* Produces outLen bytes of exporter output in |out| by handing |secret|, the
 * hash returned by tls13_GetHash(ss), and the caller's |context| and |label|
 * to tls13_HkdfExpandLabelRaw.
 *
 * Returns SECFailure with SEC_ERROR_INVALID_ARGS when |secret| is NULL;
 * otherwise returns whatever tls13_HkdfExpandLabelRaw returns.
 *
 * Only |secret| is validated here.  |label|, |context|, |out| and their
 * lengths are forwarded unchanged, so this function performs no check of its
 * own that |out| can hold outLen bytes. */
static SECStatus
tls13_Exporter(sslSocket *ss, PK11SymKey *secret,
               const char *label, unsigned int labelLen,
               const unsigned char *context, unsigned int contextLen,
               unsigned char *out, unsigned int outLen)
{
    SECStatus rv = SECFailure;

    if (secret) {
        /* Note the argument order: context comes before label. */
        rv = tls13_HkdfExpandLabelRaw(secret, tls13_GetHash(ss),
                                      context, contextLen,
                                      label, labelLen,
                                      out, outLen);
    } else {
        /* Without a secret there is nothing to derive from. */
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
    }

    return rv;
}
Example #2
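/* Checks for a duplicate in the two filters we have.  Performs maintenance on
 * the filters as a side-effect.  This only detects a probable replay: it is
 * possible that this will return true when the 0-RTT attempt is not genuinely
 * a replay.  In that case, we reject 0-RTT unnecessarily, but that's OK because
 * no client expects 0-RTT to work every time.
 *
 * Returns PR_TRUE when the attempt must be treated as a replay (0-RTT is to be
 * rejected) and PR_FALSE when no duplicate was found.  Every failure path in
 * this function returns PR_TRUE, so the check fails closed: an uninitialized
 * anti-replay context, an attempt outside the window, an oversized filter
 * configuration or a failed key derivation all result in rejection.
 *
 * The filter input is derived from ss->xtnData.pskBinder with the anti-replay
 * key, and is added to the current filter and looked up in the other one while
 * holding ssl_anti_replay.lock. */
PRBool
tls13_IsReplay(const sslSocket *ss, const sslSessionID *sid)
{
    PRBool replay;
    unsigned int size;
    PRUint8 index;
    SECStatus rv;
    static const char *label = "tls13 anti-replay";
    PRUint8 buf[SSL_MAX_BLOOM_FILTER_SIZE];

    /* If SSL_SetupAntiReplay hasn't been called, then treat all attempts at
     * 0-RTT as a replay. */
    if (!ssl_anti_replay.init.initialized) {
        return PR_TRUE;
    }

    if (!tls13_InWindow(ss, sid)) {
        return PR_TRUE;
    }

    /* Number of bytes of derived output fed to the filters.
     * NOTE(review): this evaluates as (k * (bits + 7)) / 8, not
     * k * ((bits + 7) / 8); confirm that this matches what sslBloom_Add and
     * sslBloom_Check consume from |buf|. */
    size = ssl_anti_replay.filters[0].k *
           (ssl_anti_replay.filters[0].bits + 7) / 8;
    PORT_Assert(size <= SSL_MAX_BLOOM_FILTER_SIZE);
    /* PORT_Assert is only active in debug builds, so enforce the bound at
     * runtime as well: |size| bytes are about to be written into the
     * fixed-size stack buffer.  Rejecting 0-RTT is the safe outcome if the
     * filter parameters are ever larger than the buffer. */
    if (size > sizeof(buf)) {
        return PR_TRUE;
    }

    rv = tls13_HkdfExpandLabelRaw(ssl_anti_replay.key, ssl_hash_sha256,
                                  ss->xtnData.pskBinder.data,
                                  ss->xtnData.pskBinder.len,
                                  label, strlen(label),
                                  buf, size);
    if (rv != SECSuccess) {
        /* Without the derived value the filters cannot be consulted. */
        return PR_TRUE;
    }

    PZ_EnterMonitor(ssl_anti_replay.lock);
    tls13_AntiReplayUpdate();

    /* Record the value in the current filter; if it was not already there,
     * also look in the other filter (index ^ 1). */
    index = ssl_anti_replay.current;
    replay = sslBloom_Add(&ssl_anti_replay.filters[index], buf);
    if (!replay) {
        replay = sslBloom_Check(&ssl_anti_replay.filters[index ^ 1],
                                buf);
    }

    PZ_ExitMonitor(ssl_anti_replay.lock);
    return replay;
}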