kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Use same HKDF label as TLS 1.3 for QUIC as per draft-ietf-quic-tls-17

Browse Source 
Change-Id: Ie9825634f0f290aa3af0e88477013f62e2e0c246
Reviewed-on: https://boringssl-review.googlesource.com/c/33724
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
This commit is contained in:
Alessandro Ghedini 2018-12-11 11:35:17 +00:00 committed by CQ bot account: commit-bot@chromium.org
parent ba9ad6628c
commit 2cc6f449d7
4 changed files with 26 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ssl/internal.h
View File

@ -1299,8 +1299,7 @@ bool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,
// tls13_derive_session_psk calculates the PSK for this session based on the
// resumption master secret and |nonce|. It returns true on success, and false
// on failure.
bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce,
bool use_quic);
bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce);
// tls13_write_psk_binder calculates the PSK binder value and replaces the last
// bytes of |msg| with the resulting value. It returns true on success, and

3
ssl/tls13_client.cc
View File

@ -883,8 +883,7 @@ bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
session->timeout = server_timeout;
}
if (!tls13_derive_session_psk(session.get(), ticket_nonce,
ssl->ctx->quic_method != nullptr)) {
if (!tls13_derive_session_psk(session.get(), ticket_nonce)) {
return false;
}

65
ssl/tls13_enc.cc
View File

@ -69,27 +69,19 @@ bool tls13_init_early_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,
static bool hkdf_expand_label(uint8_t *out, const EVP_MD *digest,
const uint8_t *secret, size_t secret_len,
const char *label, size_t label_len,
const uint8_t *hash, size_t hash_len, size_t len,
bool use_quic_label) {
const uint8_t *hash, size_t hash_len,
size_t len) {
static const char kTLS13ProtocolLabel[] = "tls13 ";
static const char kQUICProtocolLabel[] = "quic ";
const char *protocol_label;
if (use_quic_label) {
protocol_label = kQUICProtocolLabel;
} else {
protocol_label = kTLS13ProtocolLabel;
}
ScopedCBB cbb;
CBB child;
Array<uint8_t> hkdf_label;
if (!CBB_init(cbb.get(),
2 + 1 + strlen(protocol_label) + label_len + 1 + hash_len) ||
if (!CBB_init(cbb.get(), 2 + 1 + strlen(kTLS13ProtocolLabel) + label_len + 1 +
hash_len) ||
!CBB_add_u16(cbb.get(), len) ||
!CBB_add_u8_length_prefixed(cbb.get(), &child) ||
!CBB_add_bytes(&child, (const uint8_t *)protocol_label,
strlen(protocol_label)) ||
!CBB_add_bytes(&child, (const uint8_t *)kTLS13ProtocolLabel,
strlen(kTLS13ProtocolLabel)) ||
!CBB_add_bytes(&child, (const uint8_t *)label, label_len) ||
!CBB_add_u8_length_prefixed(cbb.get(), &child) ||
!CBB_add_bytes(&child, hash, hash_len) ||
@ -115,8 +107,7 @@ bool tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,
if (!hkdf_expand_label(hs->secret, hs->transcript.Digest(), hs->secret,
hs->hash_len, kTLS13LabelDerived,
strlen(kTLS13LabelDerived), derive_context,
derive_context_len, hs->hash_len,
hs->ssl->ctx->quic_method != nullptr)) {
derive_context_len, hs->hash_len)) {
return false;
}
@ -137,8 +128,7 @@ static bool derive_secret(SSL_HANDSHAKE *hs, uint8_t *out, size_t len,
return hkdf_expand_label(out, hs->transcript.Digest(), hs->secret,
hs->hash_len, label, label_len, context_hash,
context_hash_len, len,
hs->ssl->ctx->quic_method != nullptr);
context_hash_len, len);
}
bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level,
@ -169,8 +159,7 @@ bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level,
size_t key_len = EVP_AEAD_key_length(aead);
uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
if (!hkdf_expand_label(key, digest, traffic_secret, traffic_secret_len,
"key", 3, NULL, 0, key_len,
ssl->ctx->quic_method != nullptr)) {
"key", 3, NULL, 0, key_len)) {
return false;
}
@ -178,8 +167,7 @@ bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level,
size_t iv_len = EVP_AEAD_nonce_length(aead);
uint8_t iv[EVP_AEAD_MAX_NONCE_LENGTH];
if (!hkdf_expand_label(iv, digest, traffic_secret, traffic_secret_len, "iv",
2, NULL, 0, iv_len,
ssl->ctx->quic_method != nullptr)) {
2, NULL, 0, iv_len)) {
return false;
}
@ -364,7 +352,7 @@ bool tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {
if (!hkdf_expand_label(secret, digest, secret, secret_len,
kTLS13LabelApplicationTraffic,
strlen(kTLS13LabelApplicationTraffic), NULL, 0,
secret_len, ssl->ctx->quic_method != nullptr)) {
secret_len)) {
return false;
}
@ -392,13 +380,11 @@ static const char kTLS13LabelFinished[] = "finished";
static bool tls13_verify_data(const EVP_MD *digest, uint16_t version,
uint8_t *out, size_t *out_len,
const uint8_t *secret, size_t hash_len,
uint8_t *context, size_t context_len,
bool use_quic) {
uint8_t *context, size_t context_len) {
uint8_t key[EVP_MAX_MD_SIZE];
unsigned len;
if (!hkdf_expand_label(key, digest, secret, hash_len, kTLS13LabelFinished,
strlen(kTLS13LabelFinished), NULL, 0, hash_len,
use_quic) ||
strlen(kTLS13LabelFinished), NULL, 0, hash_len) ||
HMAC(digest, key, hash_len, context, context_len, out, &len) == NULL) {
return false;
}
@ -420,8 +406,7 @@ bool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,
if (!hs->transcript.GetHash(context_hash, &context_hash_len) ||
!tls13_verify_data(hs->transcript.Digest(), hs->ssl->version, out,
out_len, traffic_secret, hs->hash_len, context_hash,
context_hash_len,
hs->ssl->ctx->quic_method != nullptr)) {
context_hash_len)) {
return 0;
}
return 1;
@ -429,13 +414,12 @@ bool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,
static const char kTLS13LabelResumptionPSK[] = "resumption";
bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce,
bool use_quic) {
bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce) {
const EVP_MD *digest = ssl_session_get_digest(session);
return hkdf_expand_label(session->master_key, digest, session->master_key,
session->master_key_length, kTLS13LabelResumptionPSK,
strlen(kTLS13LabelResumptionPSK), nonce.data(),
nonce.size(), session->master_key_length, use_quic);
nonce.size(), session->master_key_length);
}
static const char kTLS13LabelExportKeying[] = "exporter";
@ -464,12 +448,11 @@ bool tls13_export_keying_material(SSL *ssl, Span<uint8_t> out,
nullptr) &&
hkdf_expand_label(derived_secret, digest, secret.data(), secret.size(),
label.data(), label.size(), export_context,
export_context_len, derived_secret_len,
ssl->ctx->quic_method != nullptr) &&
export_context_len, derived_secret_len) &&
hkdf_expand_label(out.data(), digest, derived_secret,
derived_secret_len, kTLS13LabelExportKeying,
strlen(kTLS13LabelExportKeying), hash, hash_len,
out.size(), ssl->ctx->quic_method != nullptr);
out.size());
}
static const char kTLS13LabelPSKBinder[] = "res binder";
@ -477,7 +460,7 @@ static const char kTLS13LabelPSKBinder[] = "res binder";
static bool tls13_psk_binder(uint8_t *out, uint16_t version,
const EVP_MD *digest, uint8_t *psk, size_t psk_len,
uint8_t *context, size_t context_len,
size_t hash_len, bool use_quic) {
size_t hash_len) {
uint8_t binder_context[EVP_MAX_MD_SIZE];
unsigned binder_context_len;
if (!EVP_Digest(NULL, 0, binder_context, &binder_context_len, digest, NULL)) {
@ -495,10 +478,9 @@ static bool tls13_psk_binder(uint8_t *out, uint16_t version,
size_t len;
if (!hkdf_expand_label(binder_key, digest, early_secret, hash_len,
kTLS13LabelPSKBinder, strlen(kTLS13LabelPSKBinder),
binder_context, binder_context_len, hash_len,
use_quic) ||
binder_context, binder_context_len, hash_len) ||
!tls13_verify_data(digest, version, out, &len, binder_key, hash_len,
context, context_len, use_quic)) {
context, context_len)) {
return false;
}
@ -531,7 +513,7 @@ bool tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len) {
if (!tls13_psk_binder(verify_data, ssl->session->ssl_version, digest,
ssl->session->master_key,
ssl->session->master_key_length, context, context_len,
hash_len, ssl->ctx->quic_method != nullptr)) {
hash_len)) {
return false;
}
@ -563,8 +545,7 @@ bool tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
CBS binder;
if (!tls13_psk_binder(verify_data, hs->ssl->version, hs->transcript.Digest(),
session->master_key, session->master_key_length,
context, context_len, hash_len,
hs->ssl->ctx->quic_method != nullptr) ||
context, context_len, hash_len) ||
// We only consider the first PSK, so compare against the first binder.
!CBS_get_u8_length_prefixed(binders, &binder)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

3
ssl/tls13_server.cc
View File

@ -194,8 +194,7 @@ static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {
!CBB_add_u8_length_prefixed(&body, &nonce_cbb) ||
!CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)) ||
!CBB_add_u16_length_prefixed(&body, &ticket) ||
!tls13_derive_session_psk(session.get(), nonce,
ssl->ctx->quic_method != nullptr) ||
!tls13_derive_session_psk(session.get(), nonce) ||
!ssl_encrypt_ticket(hs, &ticket, session.get()) ||
!CBB_add_u16_length_prefixed(&body, &extensions)) {
return false;