Remove SSL_export_early_keying_material. We did not end up needing this feature. Removing it trims 64 bytes of per-connection memory. Change-Id: Ifb8e66af2d583b6bf00c63f509eda8e8691d452a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/36789 Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index c3735cd..3d2bc07 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h
@@ -3327,13 +3327,6 @@ // |SSL_ERROR_EARLY_DATA_REJECTED|. OPENSSL_EXPORT void SSL_reset_early_data_reject(SSL *ssl); -// SSL_export_early_keying_material behaves like |SSL_export_keying_material|, -// but it uses the early exporter. The operation will fail if |ssl| did not -// negotiate TLS 1.3 or 0-RTT. -OPENSSL_EXPORT int SSL_export_early_keying_material( - SSL *ssl, uint8_t *out, size_t out_len, const char *label, size_t label_len, - const uint8_t *context, size_t context_len); - // SSL_get_ticket_age_skew returns the difference, in seconds, between the // client-sent ticket age and the server-computed value in TLS 1.3 server // connections which resumed a session.
diff --git a/ssl/internal.h b/ssl/internal.h index 85b8112..81242ca 100644 --- a/ssl/internal.h +++ b/ssl/internal.h
@@ -2296,11 +2296,9 @@ uint8_t write_traffic_secret[EVP_MAX_MD_SIZE] = {0}; uint8_t read_traffic_secret[EVP_MAX_MD_SIZE] = {0}; uint8_t exporter_secret[EVP_MAX_MD_SIZE] = {0}; - uint8_t early_exporter_secret[EVP_MAX_MD_SIZE] = {0}; uint8_t write_traffic_secret_len = 0; uint8_t read_traffic_secret_len = 0; uint8_t exporter_secret_len = 0; - uint8_t early_exporter_secret_len = 0; // Connection binding to prevent renegotiation attacks uint8_t previous_client_finished[12] = {0};
diff --git a/ssl/t1_enc.cc b/ssl/t1_enc.cc index c6b2844..4c2fffb 100644 --- a/ssl/t1_enc.cc +++ b/ssl/t1_enc.cc
@@ -359,27 +359,3 @@ MakeConstSpan(session->master_key, session->master_key_length), MakeConstSpan(label, label_len), seed, {}); } - -int SSL_export_early_keying_material( - SSL *ssl, uint8_t *out, size_t out_len, const char *label, size_t label_len, - const uint8_t *context, size_t context_len) { - if (!SSL_in_early_data(ssl) && - (!ssl->s3->have_version || - ssl_protocol_version(ssl) < TLS1_3_VERSION)) { - OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION); - return 0; - } - - // The early exporter only exists if we accepted early data or offered it as - // a client. - if (!SSL_in_early_data(ssl) && !SSL_early_data_accepted(ssl)) { - OPENSSL_PUT_ERROR(SSL, SSL_R_EARLY_DATA_NOT_IN_USE); - return 0; - } - - return tls13_export_keying_material( - ssl, MakeSpan(out, out_len), - MakeConstSpan(ssl->s3->early_exporter_secret, - ssl->s3->early_exporter_secret_len), - MakeConstSpan(label, label_len), MakeConstSpan(context, context_len)); -}
diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc index dfcb2c7..f58c151 100644 --- a/ssl/test/bssl_shim.cc +++ b/ssl/test/bssl_shim.cc
@@ -872,22 +872,6 @@ GetTestState(ssl)->got_new_session = false; } - if (config->export_early_keying_material > 0) { - std::vector<uint8_t> result( - static_cast<size_t>(config->export_early_keying_material)); - if (!SSL_export_early_keying_material( - ssl, result.data(), result.size(), config->export_label.data(), - config->export_label.size(), - reinterpret_cast<const uint8_t *>(config->export_context.data()), - config->export_context.size())) { - fprintf(stderr, "failed to export keying material\n"); - return false; - } - if (WriteAll(ssl, result.data(), result.size()) < 0) { - return false; - } - } - if (config->export_keying_material > 0) { std::vector<uint8_t> result( static_cast<size_t>(config->export_keying_material));
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go index 9930bd3..b56b9b3 100644 --- a/ssl/test/runner/common.go +++ b/ssl/test/runner/common.go
@@ -1326,21 +1326,6 @@ // it was accepted. SendEarlyDataExtension bool - // ExpectEarlyKeyingMaterial, if non-zero, causes a TLS 1.3 server to - // read an application data record after the ClientHello before it sends - // a ServerHello. The record's contents have the specified length and - // match the corresponding early exporter value. This is used to test - // the client using the early exporter in the 0-RTT state. - ExpectEarlyKeyingMaterial int - - // ExpectEarlyKeyingLabel is the label to use with - // ExpectEarlyKeyingMaterial. - ExpectEarlyKeyingLabel string - - // ExpectEarlyKeyingContext is the context string to use with - // ExpectEarlyKeyingMaterial - ExpectEarlyKeyingContext string - // ExpectEarlyData causes a TLS 1.3 server to read application // data after the ClientHello (assuming the server is able to // derive the key under which the data is encrypted) before it
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go index 1eb92bf..3a6c810 100644 --- a/ssl/test/runner/handshake_server.go +++ b/ssl/test/runner/handshake_server.go
@@ -726,16 +726,7 @@ } c.earlyCipherSuite = hs.suite - expectEarlyData := config.Bugs.ExpectEarlyData - if n := config.Bugs.ExpectEarlyKeyingMaterial; n > 0 { - exporter, err := c.ExportEarlyKeyingMaterial(n, []byte(config.Bugs.ExpectEarlyKeyingLabel), []byte(config.Bugs.ExpectEarlyKeyingContext)) - if err != nil { - return err - } - expectEarlyData = append([][]byte{exporter}, expectEarlyData...) - } - - for _, expectedMsg := range expectEarlyData { + for _, expectedMsg := range config.Bugs.ExpectEarlyData { if err := c.readRecord(recordTypeApplicationData); err != nil { return err }
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go index ff4a55a..877a239 100644 --- a/ssl/test/runner/runner.go +++ b/ssl/test/runner/runner.go
@@ -589,9 +589,6 @@ exportLabel string exportContext string useExportContext bool - // exportEarlyKeyingMaterial, if non-zero, behaves like - // exportKeyingMaterial, but for the early exporter. - exportEarlyKeyingMaterial int // flags, if not empty, contains a list of command-line flags that will // be passed to the shim program. flags []string @@ -881,20 +878,6 @@ } } - if isResume && test.exportEarlyKeyingMaterial > 0 { - actual := make([]byte, test.exportEarlyKeyingMaterial) - if _, err := io.ReadFull(tlsConn, actual); err != nil { - return err - } - expected, err := tlsConn.ExportEarlyKeyingMaterial(test.exportEarlyKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext)) - if err != nil { - return err - } - if !bytes.Equal(actual, expected) { - return fmt.Errorf("early keying material mismatch; got %x, wanted %x", actual, expected) - } - } - if test.exportKeyingMaterial > 0 { actual := make([]byte, test.exportKeyingMaterial) if _, err := io.ReadFull(tlsConn, actual); err != nil { @@ -1272,10 +1255,7 @@ flags = append(flags, "-use-export-context") } } - if test.exportEarlyKeyingMaterial > 0 { - flags = append(flags, "-on-resume-export-early-keying-material", strconv.Itoa(test.exportEarlyKeyingMaterial)) - } - if test.exportKeyingMaterial > 0 || test.exportEarlyKeyingMaterial > 0 { + if test.exportKeyingMaterial > 0 { flags = append(flags, "-export-label", test.exportLabel) flags = append(flags, "-export-context", test.exportContext) } @@ -10146,106 +10126,6 @@ expectedError: ":HANDSHAKE_NOT_COMPLETE:", }) - // Test the early exporter works while the client is - // sending 0-RTT data. This data arrives during the - // server handshake, so we test it with ProtocolBugs. - testCases = append(testCases, testCase{ - name: "ExportEarlyKeyingMaterial-Client-InEarlyData-" + vers.name, - config: Config{ - MaxVersion: vers.version, - MaxEarlyDataSize: 16384, - }, - resumeConfig: &Config{ - MaxVersion: vers.version, - MaxEarlyDataSize: 16384, - Bugs: ProtocolBugs{ - ExpectEarlyKeyingMaterial: 1024, - ExpectEarlyKeyingLabel: "label", - ExpectEarlyKeyingContext: "context", - }, - }, - resumeSession: true, - flags: []string{ - "-enable-early-data", - "-expect-ticket-supports-early-data", - "-on-resume-expect-accept-early-data", - "-on-resume-export-early-keying-material", "1024", - "-on-resume-export-label", "label", - "-on-resume-export-context", "context", - }, - }) - - // Test the early exporter still works on the client - // after the handshake is confirmed. This arrives after - // the server handshake, so the normal hooks work. - testCases = append(testCases, testCase{ - name: "ExportEarlyKeyingMaterial-Client-EarlyDataAccept-" + vers.name, - config: Config{ - MaxVersion: vers.version, - MaxEarlyDataSize: 16384, - }, - resumeConfig: &Config{ - MaxVersion: vers.version, - MaxEarlyDataSize: 16384, - }, - resumeSession: true, - exportEarlyKeyingMaterial: 1024, - exportLabel: "label", - exportContext: "context", - flags: []string{ - "-enable-early-data", - "-expect-ticket-supports-early-data", - "-on-resume-expect-accept-early-data", - // Handshake twice on the client to force - // handshake confirmation. - "-handshake-twice", - }, - }) - - // Test the early exporter does not work on the client - // if 0-RTT was not offered. - testCases = append(testCases, testCase{ - name: "NoExportEarlyKeyingMaterial-Client-Initial-" + vers.name, - config: Config{ - MaxVersion: vers.version, - }, - flags: []string{"-export-early-keying-material", "1024"}, - shouldFail: true, - expectedError: ":EARLY_DATA_NOT_IN_USE:", - }) - testCases = append(testCases, testCase{ - name: "NoExportEarlyKeyingMaterial-Client-Resume-" + vers.name, - config: Config{ - MaxVersion: vers.version, - }, - resumeSession: true, - flags: []string{"-on-resume-export-early-keying-material", "1024"}, - shouldFail: true, - expectedError: ":EARLY_DATA_NOT_IN_USE:", - }) - - // Test the early exporter does not work on the client - // after a 0-RTT reject. - testCases = append(testCases, testCase{ - name: "NoExportEarlyKeyingMaterial-Client-EarlyDataReject-" + vers.name, - config: Config{ - MaxVersion: vers.version, - MaxEarlyDataSize: 16384, - Bugs: ProtocolBugs{ - AlwaysRejectEarlyData: true, - }, - }, - resumeSession: true, - flags: []string{ - "-enable-early-data", - "-expect-ticket-supports-early-data", - "-expect-reject-early-data", - "-on-retry-export-early-keying-material", "1024", - }, - shouldFail: true, - expectedError: ":EARLY_DATA_NOT_IN_USE:", - }) - // Test the normal exporter on the server in half-RTT. testCases = append(testCases, testCase{ testType: serverTest, @@ -10264,75 +10144,6 @@ useExportContext: true, flags: []string{"-enable-early-data"}, }) - - // Test the early exporter works on the server in half-RTT. - testCases = append(testCases, testCase{ - testType: serverTest, - name: "ExportEarlyKeyingMaterial-Server-HalfRTT-" + vers.name, - config: Config{ - MaxVersion: vers.version, - Bugs: ProtocolBugs{ - SendEarlyData: [][]byte{}, - ExpectEarlyDataAccepted: true, - }, - }, - resumeSession: true, - exportEarlyKeyingMaterial: 1024, - exportLabel: "label", - exportContext: "context", - flags: []string{"-enable-early-data"}, - }) - - // Test the early exporter does not work on the server - // if 0-RTT was not offered. - testCases = append(testCases, testCase{ - testType: serverTest, - name: "NoExportEarlyKeyingMaterial-Server-Initial-" + vers.name, - config: Config{ - MaxVersion: vers.version, - }, - flags: []string{"-export-early-keying-material", "1024"}, - shouldFail: true, - expectedError: ":EARLY_DATA_NOT_IN_USE:", - }) - testCases = append(testCases, testCase{ - testType: serverTest, - name: "NoExportEarlyKeyingMaterial-Server-Resume-" + vers.name, - config: Config{ - MaxVersion: vers.version, - }, - resumeSession: true, - flags: []string{"-on-resume-export-early-keying-material", "1024"}, - shouldFail: true, - expectedError: ":EARLY_DATA_NOT_IN_USE:", - }) - } else { - // Test the early exporter fails before TLS 1.3. - testCases = append(testCases, testCase{ - name: "NoExportEarlyKeyingMaterial-Client-" + vers.name, - config: Config{ - MaxVersion: vers.version, - }, - resumeSession: true, - exportEarlyKeyingMaterial: 1024, - exportLabel: "label", - exportContext: "context", - shouldFail: true, - expectedError: ":WRONG_SSL_VERSION:", - }) - testCases = append(testCases, testCase{ - testType: serverTest, - name: "NoExportEarlyKeyingMaterial-Server-" + vers.name, - config: Config{ - MaxVersion: vers.version, - }, - resumeSession: true, - exportEarlyKeyingMaterial: 1024, - exportLabel: "label", - exportContext: "context", - shouldFail: true, - expectedError: ":WRONG_SSL_VERSION:", - }) } }
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc index a53aed2..bd32ce9 100644 --- a/ssl/test/test_config.cc +++ b/ssl/test/test_config.cc
@@ -207,8 +207,6 @@ {"-max-version", &TestConfig::max_version}, {"-expect-version", &TestConfig::expect_version}, {"-mtu", &TestConfig::mtu}, - {"-export-early-keying-material", - &TestConfig::export_early_keying_material}, {"-export-keying-material", &TestConfig::export_keying_material}, {"-expect-total-renegotiations", &TestConfig::expect_total_renegotiations}, {"-expect-peer-signature-algorithm",
diff --git a/ssl/test/test_config.h b/ssl/test/test_config.h index 57bf66a..ce4b416 100644 --- a/ssl/test/test_config.h +++ b/ssl/test/test_config.h
@@ -89,7 +89,6 @@ bool fail_cert_callback = false; std::string cipher; bool handshake_never_done = false; - int export_early_keying_material = 0; int export_keying_material = 0; std::string export_label; std::string export_context;
diff --git a/ssl/tls13_enc.cc b/ssl/tls13_enc.cc index 7353561..f457c2f 100644 --- a/ssl/tls13_enc.cc +++ b/ssl/tls13_enc.cc
@@ -215,7 +215,6 @@ static const char kTLS13LabelExporter[] = "exp master"; -static const char kTLS13LabelEarlyExporter[] = "e exp master"; static const char kTLS13LabelClientEarlyTraffic[] = "c e traffic"; static const char kTLS13LabelClientHandshakeTraffic[] = "c hs traffic"; @@ -229,13 +228,9 @@ kTLS13LabelClientEarlyTraffic, strlen(kTLS13LabelClientEarlyTraffic)) || !ssl_log_secret(ssl, "CLIENT_EARLY_TRAFFIC_SECRET", - hs->early_traffic_secret, hs->hash_len) || - !derive_secret(hs, ssl->s3->early_exporter_secret, hs->hash_len, - kTLS13LabelEarlyExporter, - strlen(kTLS13LabelEarlyExporter))) { + hs->early_traffic_secret, hs->hash_len)) { return false; } - ssl->s3->early_exporter_secret_len = hs->hash_len; if (ssl->quic_method != nullptr) { if (ssl->server) {