net: allow SSL secrets to be exported sooner.

net/third_party/nss/ssl/sslinfo.c

 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
  *
  * Software distributed under the License is distributed on an "AS IS" basis,
  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
@@ skipping 21 matching lines @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 /* $Id: sslinfo.c,v 1.23.2.1 2010/09/02 01:13:46 wtc%google.com Exp $ */
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
-#include "pk11func.h"
 
 static const char *
 ssl_GetCompressionMethodName(SSLCompressionMethod compression)
 {
     switch (compression) {
     case ssl_compression_null:
         return "NULL";
 #ifdef NSS_ENABLE_ZLIB
     case ssl_compression_deflate:
         return "DEFLATE";
@@ skipping 258 matching lines @@
 {
     unsigned int i;
     for (i = 0; i < NUM_SUITEINFOS; i++) {
         if (suiteInfo[i].cipherSuite == cipherSuite) {
             return (PRBool)(suiteInfo[i].isExportable);
         }
     }
     return PR_FALSE;
 }
 
-/* Export keying material according to draft-ietf-tls-extractor-06.
+/* Export keying material according to RFC 5705.
 ** fd must correspond to a TLS 1.0 or higher socket, out must
 ** be already allocated.
 */
 SECStatus
-SSL_ExportKeyingMaterial(PRFileDesc *fd, const char *label,
+SSL_ExportKeyingMaterial(PRFileDesc *fd,
+                         const char *label,
+                         unsigned int labelLen,
                          const unsigned char *context,
                          unsigned int contextLen,
                          unsigned char *out,
                          unsigned int outLen)
 {
     sslSocket *ss;
     unsigned char *val = NULL;
     unsigned int valLen, i;
     SECStatus rv = SECFailure;
 
     ss = ssl_FindSocket(fd);
     if (!ss) {
         SSL_DBG(("%d: SSL[%d]: bad socket in ExportKeyingMaterial",
                  SSL_GETPID(), fd));
         return SECFailure;
     }
 
     if (ss->version < SSL_LIBRARY_VERSION_3_1_TLS) {
         PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
         return SECFailure;
     }
 
-    if (ss->ssl3.hs.ws != idle_handshake) {
-        PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
-        return SECFailure;
-    }
-
     valLen = SSL3_RANDOM_LENGTH * 2;
     if (contextLen > 0)
         valLen += 2 /* uint16 length */ + contextLen;
     val = PORT_Alloc(valLen);
     if (val == NULL)
         return SECFailure;
     i = 0;
     PORT_Memcpy(val + i, &ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH);
     i += SSL3_RANDOM_LENGTH;
     PORT_Memcpy(val + i, &ss->ssl3.hs.server_random.rand, SSL3_RANDOM_LENGTH);
     i += SSL3_RANDOM_LENGTH;
     if (contextLen > 0) {
         val[i++] = contextLen >> 8;
         val[i++] = contextLen;
         PORT_Memcpy(val + i, context, contextLen);
         i += contextLen;
     }
     PORT_Assert(i == valLen);
 
     ssl_GetSpecReadLock(ss);
-    rv = ssl3_TLSPRFWithMasterSecret(ss->ssl3.crSpec, label, strlen(label), val, valLen, out, outLen);
+    if (ss->ssl3.cwSpec->master_secret == NULL) {

[wtc, 2011/07/25 17:31:13]

I'd like to doublecheck this ss->ssl3.cwSpec->master_secret
test later, but it seems correct to me.

[wtc, 2011/07/25 18:51:22]

I checked this test again.  There are two possible solutions
to this problem.

1. Come up with a conditional expression for the state that
the SSL handshake has completed.  This is the approach taken
by the original code.

2. Come up with a conditional expression for the presence of
master secret.  This is the approach the CL is taking.

Solution #2 is a fine idea because the conditional
expression in solution 1 may be complicated.

In solution #2, we also need to handle the "bypass PKCS #11"
mode, which uses not ss->ssl3.cwSpec->master_secret but
rather ss->ssl3.cwSpec->msItem.  This code should give you
an idea how to test if the master secret is present, in
both the regular mode and the "bypass PKCS #11" mode:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ssl/ssl3...

I think a simple test like
    !ss->ssl3.cwSpec->master_secret && !ss->ssl3.cwSpec->msItem.len
should suffice:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ssl/ssl3...

[agl, 2011/07/26 13:50:04]

Done.

+        PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
+        rv = SECFailure;
+    } else {
+        rv = ssl3_TLSPRFWithMasterSecret(ss->ssl3.cwSpec, label, labelLen, val,
+                                         valLen, out, outLen);
+    }
     ssl_ReleaseSpecReadLock(ss);
 
-    if (val != NULL)
-        PORT_ZFree(val, valLen);
+    PORT_ZFree(val, valLen);
     return rv;
 }
 
 SECItem*
 SSL_GetNegotiatedHostInfo(PRFileDesc *fd)
 {
     SECItem *sniName = NULL;
     sslSocket *ss;
     char *name = NULL;
 
@@ skipping 22 matching lines @@
         sniName = PORT_ZNew(SECItem);
         if (!sniName) {
             PORT_Free(name);
             return NULL;
         }
         sniName->data = (void*)name;
         sniName->len  = PORT_Strlen(name);
     }
     return sniName;
 }