From 759dbb355afa6c37ae9df7f9fdc864d80d45111f Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Thu, 30 Nov 2017 18:43:18 +0000
Subject: [PATCH] tris: fix nonce length definition and actually use it

All TLS 1.3 cipher suites so far use a nonce length of 12, but that does not have to be the case. Correct the cipher suite definition and use it.

Spec: https://tools.ietf.org/html/draft-ietf-tls-tls13-22#section-5.3

Note: there is no functional change, the values were previously unused.

Fixes: ("[dev.tls] crypto/tls: implement TLS 1.3 cipher suites")
---
 13.go | 2 +-
 cipher_suites.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/13.go b/13.go
index fb920fa..1626f1e 100644
--- a/13.go
+++ b/13.go
@@ -119,7 +119,7 @@ func (ks *keySchedule13) prepareCipher(secretLabel secretLabel) (interface{}, []
 trafficSecret := ks.deriveSecret(secretLabel)
 hash := hashForSuite(ks.suite)
 key := hkdfExpandLabel(hash, trafficSecret, nil, "key", ks.suite.keyLen)
- iv := hkdfExpandLabel(hash, trafficSecret, nil, "iv", 12)
+ iv := hkdfExpandLabel(hash, trafficSecret, nil, "iv", ks.suite.ivLen)
 return ks.suite.aead(key, iv), trafficSecret
 }
diff --git a/cipher_suites.go b/cipher_suites.go
index 6bb17a2..8791406 100644
--- a/cipher_suites.go
+++ b/cipher_suites.go
@@ -81,8 +81,8 @@ type cipherSuite struct {
 var cipherSuites = []*cipherSuite{
 // TLS 1.3 ciphersuites specify only the AEAD and the HKDF hash.
 {TLS_CHACHA20_POLY1305_SHA256, 32, 0, 12, nil, suiteTLS13, nil, nil, aeadChaCha20Poly1305},
- {TLS_AES_128_GCM_SHA256, 16, 0, 4, nil, suiteTLS13, nil, nil, aeadAESGCM13},
- {TLS_AES_256_GCM_SHA384, 32, 0, 4, nil, suiteTLS13 | suiteSHA384, nil, nil, aeadAESGCM13},
+ {TLS_AES_128_GCM_SHA256, 16, 0, 12, nil, suiteTLS13, nil, nil, aeadAESGCM13},
+ {TLS_AES_256_GCM_SHA384, 32, 0, 12, nil, suiteTLS13 | suiteSHA384, nil, nil, aeadAESGCM13},
 // Ciphersuite order is chosen so that ECDHE comes before plain RSA and
 // AEADs are the top preference.
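Review bot: The iv length in the `+ iv := hkdfExpandLabel(..., "iv", ks.suite.ivLen)` line is now trusted from the suite table, but nothing in prepareCipher checks that len(iv) matches the nonce size of the AEAD constructed on the following return line; since the table entries are positional literals (see the cipher_suites.go hunk in this commit, where the wrong column was previously 4), a mistaken value would surface only as a runtime panic or a wrong-length nonce inside the AEAD rather than at the point of definition. If ks.suite.aead returns a cipher.AEAD, a short guard would catch this early: `a := ks.suite.aead(key, iv)` followed by `if len(iv) != a.NonceSize() { panic("tls: iv length does not match AEAD nonce size") }` before returning `a, trafficSecret`; treating a mismatch as a programmer error is consistent with it being a table bug rather than a peer-triggered condition. draft-ietf-tls-tls13-22 §5.3, cited in the commit message, defines iv_length as the AEAD's nonce length, which is exactly the invariant such a check would enforce. prepareCipher's signature is only partially visible in the hunk header, so the exact return type of ks.suite.aead cannot be confirmed from here.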