authorFrantisek Krenzelok <krenzelok.frantisek@gmail.com>2023-01-05 08:55:48 +0100
committerFrantisek Krenzelok <krenzelok.frantisek@gmail.com>2023-02-20 16:32:13 +0100
commit38cf20c60222bed755f46aebe15bf8632d669662 (patch)
tree5e66721fec8b26fdbeb3d93d103422689baa5276
parent9721fd034ec3447d86568c3bce49d17b81ef5799 (diff)
DTLS1_3: HKDF-Expand-Label
Add Cryptographic Label Prefix "dtls13" Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
-rw-r--r--lib/constate.c2
-rw-r--r--lib/ext/pre_shared_key.c25
-rw-r--r--lib/handshake-tls13.c1
-rw-r--r--lib/prf.c5
-rw-r--r--lib/secrets.c19
-rw-r--r--lib/secrets.h4
-rw-r--r--lib/tls13/finished.c7
-rw-r--r--lib/tls13/finished.h1
8 files changed, 38 insertions, 26 deletions
diff --git a/lib/constate.c b/lib/constate.c
index 0950b5176e..0abe561507 100644
--- a/lib/constate.c
+++ b/lib/constate.c
@@ -344,6 +344,7 @@ _tls13_set_early_keys(gnutls_session_t session,
ret = _tls13_expand_secret2(session->internals.
resumed_security_parameters.prf,
+ session->internals.transport,
"key", 3, NULL, 0,
session->key.proto.tls13.e_ckey,
key_size, key_block);
@@ -352,6 +353,7 @@ _tls13_set_early_keys(gnutls_session_t session,
ret = _tls13_expand_secret2(session->internals.
resumed_security_parameters.prf,
+ session->internals.transport,
"iv", 2, NULL, 0,
session->key.proto.tls13.e_ckey,
iv_size, iv_block);
diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
index 11e1a40a9b..00d88339f1 100644
--- a/lib/ext/pre_shared_key.c
+++ b/lib/ext/pre_shared_key.c
@@ -36,7 +36,7 @@
#include <assert.h>
static int
-compute_psk_from_ticket(const tls13_ticket_st *ticket, gnutls_datum_t *key)
+compute_psk_from_ticket(const tls13_ticket_st *ticket, gnutls_datum_t *key, transport_t type)
{
int ret;
@@ -50,7 +50,7 @@ compute_psk_from_ticket(const tls13_ticket_st *ticket, gnutls_datum_t *key)
}
key->size = ticket->prf->output_size;
- ret = _tls13_expand_secret2(ticket->prf,
+ ret = _tls13_expand_secret2(ticket->prf, type,
RESUMPTION_LABEL, sizeof(RESUMPTION_LABEL)-1,
ticket->nonce, ticket->nonce_size,
ticket->resumption_master_secret,
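Review bot: `compute_psk_from_ticket` takes the prefix selector from its caller rather than from the ticket, and nothing on the function states which transport is meant. Both call sites later in this file pass `session->internals.transport`, so the PSK is derived under the transport of the session presenting the ticket; whether the ticket itself records the transport it was issued on is not visible here. A comment above the function such as `/* type: transport of the current session; selects the "tls13 "/"dtls13" label prefix, so both peers must agree on it */` would make that explicit. The function body continues outside these hunks.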
@@ -63,7 +63,7 @@ compute_psk_from_ticket(const tls13_ticket_st *ticket, gnutls_datum_t *key)
}
static int
-compute_binder_key(const mac_entry_st *prf,
+compute_binder_key(const mac_entry_st *prf, transport_t type,
const uint8_t *key, size_t keylen,
bool resuming,
void *out)
@@ -83,7 +83,7 @@ compute_binder_key(const mac_entry_st *prf,
return ret;
/* Compute Derive-Secret(secret, label, transcript_hash) */
- ret = _tls13_derive_secret2(prf, label, label_len,
+ ret = _tls13_derive_secret2(prf, type, label, label_len,
NULL, 0, tmp_key, out);
if (ret < 0)
return ret;
@@ -167,7 +167,7 @@ compute_psk_binder(gnutls_session_t session,
}
}
- ret = compute_binder_key(prf,
+ ret = compute_binder_key(prf, session->internals.transport,
psk->data, psk->size, resuming,
binder_key);
if (ret < 0) {
@@ -175,9 +175,8 @@ compute_psk_binder(gnutls_session_t session,
goto error;
}
- ret = _gnutls13_compute_finished(prf, binder_key,
- &handshake_buf,
- out);
+ ret = _gnutls13_compute_finished(prf, session->internals.transport,
+ binder_key, &handshake_buf, out);
if (ret < 0) {
gnutls_assert();
goto error;
@@ -195,7 +194,8 @@ generate_early_secrets(gnutls_session_t session,
{
int ret;
- ret = _tls13_derive_secret2(prf, EARLY_TRAFFIC_LABEL, sizeof(EARLY_TRAFFIC_LABEL)-1,
+ ret = _tls13_derive_secret2(prf, session->internals.transport, EARLY_TRAFFIC_LABEL,
+ sizeof(EARLY_TRAFFIC_LABEL)-1,
session->internals.handshake_hash_buffer.data,
session->internals.handshake_hash_buffer_client_hello_len,
session->key.proto.tls13.temp_secret,
@@ -209,7 +209,8 @@ generate_early_secrets(gnutls_session_t session,
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _tls13_derive_secret2(prf, EARLY_EXPORTER_MASTER_LABEL, sizeof(EARLY_EXPORTER_MASTER_LABEL)-1,
+ ret = _tls13_derive_secret2(prf, session->internals.transport, EARLY_EXPORTER_MASTER_LABEL,
+ sizeof(EARLY_EXPORTER_MASTER_LABEL)-1,
session->internals.handshake_hash_buffer.data,
session->internals.handshake_hash_buffer_client_hello_len,
session->key.proto.tls13.temp_secret,
@@ -322,7 +323,7 @@ client_send_params(gnutls_session_t session,
goto ignore_ticket;
}
- ret = compute_psk_from_ticket(ticket, &rkey);
+ ret = compute_psk_from_ticket(ticket, &rkey, session->internals.transport);
if (ret < 0) {
tls13_ticket_deinit(ticket);
goto ignore_ticket;
@@ -603,7 +604,7 @@ static int server_recv_params(gnutls_session_t session,
continue;
}
- ret = compute_psk_from_ticket(&ticket_data, &key);
+ ret = compute_psk_from_ticket(&ticket_data, &key, session->internals.transport);
if (ret < 0) {
gnutls_assert();
tls13_ticket_deinit(&ticket_data);
diff --git a/lib/handshake-tls13.c b/lib/handshake-tls13.c
index 9f542047ee..9874a60fa2 100644
--- a/lib/handshake-tls13.c
+++ b/lib/handshake-tls13.c
@@ -210,6 +210,7 @@ static int generate_non_auth_rms_keys(gnutls_session_t session)
unsigned spos;
ret = _gnutls13_compute_finished(session->security_parameters.prf,
+ session->internals.transport,
session->key.proto.tls13.hs_ckey,
&session->internals.handshake_hash_buffer,
finished+TLS_HANDSHAKE_HEADER_SIZE);
diff --git a/lib/prf.c b/lib/prf.c
index bb76e2ed4e..70ef2a5f1d 100644
--- a/lib/prf.c
+++ b/lib/prf.c
@@ -105,7 +105,8 @@ _tls13_derive_exporter(const mac_entry_st *prf,
unsigned digest_size = prf->output_size;
int ret;
- ret = _tls13_derive_secret2(prf, label, label_size, NULL, 0,
+ ret = _tls13_derive_secret2(prf, session->internals.transport,
+ label, label_size, NULL, 0,
session->key.proto.tls13.ap_expkey,
secret);
if (ret < 0)
@@ -116,7 +117,7 @@ _tls13_derive_exporter(const mac_entry_st *prf,
if (ret < 0)
return gnutls_assert_val(ret);
- return _tls13_expand_secret2(prf,
+ return _tls13_expand_secret2(prf, session->internals.transport,
EXPORTER_LABEL, sizeof(EXPORTER_LABEL)-1,
digest, digest_size,
secret, outsize, out);
diff --git a/lib/secrets.c b/lib/secrets.c
index 728876ede3..039181d27e 100644
--- a/lib/secrets.c
+++ b/lib/secrets.c
@@ -88,7 +88,7 @@ int _tls13_update_secret(gnutls_session_t session, const uint8_t *key, size_t ke
}
/* Derive-Secret(Secret, Label, Messages) */
-int _tls13_derive_secret2(const mac_entry_st *prf,
+int _tls13_derive_secret2(const mac_entry_st *prf, transport_t type,
const char *label, unsigned label_size,
const uint8_t *tbh, size_t tbh_size,
const uint8_t secret[MAX_HASH_SIZE],
@@ -109,7 +109,7 @@ int _tls13_derive_secret2(const mac_entry_st *prf,
if (ret < 0)
return gnutls_assert_val(ret);
- return _tls13_expand_secret2(prf, label, label_size, digest, digest_size, secret, digest_size, out);
+ return _tls13_expand_secret2(prf, type, label, label_size, digest, digest_size, secret, digest_size, out);
}
/* Derive-Secret(Secret, Label, Messages) */
@@ -122,25 +122,29 @@ int _tls13_derive_secret(gnutls_session_t session,
if (unlikely(session->security_parameters.prf == NULL))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
- return _tls13_derive_secret2(session->security_parameters.prf, label, label_size, tbh, tbh_size,
- secret,
- out);
+ return _tls13_derive_secret2(session->security_parameters.prf, session->internals.transport,
+ label, label_size, tbh, tbh_size, secret, out);
}
/* HKDF-Expand-Label(Secret, Label, HashValue, Length) */
-int _tls13_expand_secret2(const mac_entry_st *prf,
+int _tls13_expand_secret2(const mac_entry_st *prf, transport_t type,
const char *label, unsigned label_size,
const uint8_t *msg, size_t msg_size,
const uint8_t secret[MAX_HASH_SIZE],
unsigned out_size,
void *out)
{
- uint8_t tmp[256] = "tls13 ";
+ uint8_t tmp[256];
gnutls_buffer_st str;
gnutls_datum_t key;
gnutls_datum_t info;
int ret;
+ if (type == GNUTLS_STREAM)
+ memcpy(tmp, "tls13 ", 6);
+ else
+ memcpy(tmp, "dtls13", 6);
+
if (unlikely(label_size >= sizeof(tmp)-6))
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
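Review bot: The `else` branch in `_tls13_expand_secret2` selects the "dtls13" prefix for every value other than `GNUTLS_STREAM`, so an unexpected transport value silently changes the key-schedule label instead of failing. Since this prefix is what separates the TLS 1.3 and DTLS 1.3 key schedules, consider `else if (type == GNUTLS_DGRAM)` followed by `else return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);`. `tmp` is also no longer zero-filled by its initializer, which is safe only if the code after the hunk (not visible here) reads just the first `label_size + 6` bytes. A comment such as `/* "tls13 " (trailing space) and "dtls13" are both 6 bytes; the bound below relies on that */` would document the repeated literal 6.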
@@ -207,6 +211,7 @@ int _tls13_expand_secret(gnutls_session_t session,
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
return _tls13_expand_secret2(session->security_parameters.prf,
+ session->internals.transport,
label, label_size,
msg, msg_size, secret,
out_size, out);
diff --git a/lib/secrets.h b/lib/secrets.h
index 181b53bed2..8655f60ad2 100644
--- a/lib/secrets.h
+++ b/lib/secrets.h
@@ -37,7 +37,7 @@ int _tls13_derive_secret(gnutls_session_t session,
const uint8_t *msg, size_t msg_size,
const uint8_t secret[MAX_HASH_SIZE],
void *out /* of enough length to hold PRF MAC */);
-int _tls13_derive_secret2(const mac_entry_st *prf,
+int _tls13_derive_secret2(const mac_entry_st *prf, transport_t type,
const char *label, unsigned label_size,
const uint8_t *tbh, size_t tbh_size,
const uint8_t secret[MAX_HASH_SIZE],
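Review bot: The new parameter is named `type` in both prototypes (`_tls13_derive_secret2` here and `_tls13_expand_secret2` in the next hunk), which does not say what it selects; `transport_t transport` would read more clearly in the header. Neither declaration documents the argument, so a one-line comment such as `/* transport selects the HKDF label prefix: "tls13 " for GNUTLS_STREAM, "dtls13" for datagram sessions */` above them would record the contract for future callers. Both declarations continue outside the hunks.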
@@ -49,7 +49,7 @@ int _tls13_expand_secret(gnutls_session_t session,
const uint8_t secret[MAX_HASH_SIZE],
unsigned out_size,
void *out);
-int _tls13_expand_secret2(const mac_entry_st *prf,
+int _tls13_expand_secret2(const mac_entry_st *prf, transport_t type,
const char *label, unsigned label_size,
const uint8_t *msg, size_t msg_size,
const uint8_t secret[MAX_HASH_SIZE],
diff --git a/lib/tls13/finished.c b/lib/tls13/finished.c
index ec646e6732..6e4bda2e05 100644
--- a/lib/tls13/finished.c
+++ b/lib/tls13/finished.c
@@ -29,7 +29,7 @@
#include "secrets.h"
int _gnutls13_compute_finished(const mac_entry_st *prf,
- const uint8_t *base_key,
+ transport_t type, const uint8_t *base_key,
gnutls_buffer_st *handshake_hash_buffer,
void *out)
{
@@ -37,7 +37,7 @@ int _gnutls13_compute_finished(const mac_entry_st *prf,
uint8_t fkey[MAX_HASH_SIZE];
uint8_t ts_hash[MAX_HASH_SIZE];
- ret = _tls13_expand_secret2(prf,
+ ret = _tls13_expand_secret2(prf, type,
"finished", 8,
NULL, 0,
base_key,
@@ -88,7 +88,7 @@ int _gnutls13_recv_finished(gnutls_session_t session)
}
ret = _gnutls13_compute_finished(session->security_parameters.prf,
- base_key,
+ session->internals.transport, base_key,
&session->internals.handshake_hash_buffer,
verifier);
if (ret < 0) {
@@ -153,6 +153,7 @@ int _gnutls13_send_finished(gnutls_session_t session, unsigned again)
}
ret = _gnutls13_compute_finished(session->security_parameters.prf,
+ session->internals.transport,
base_key,
&session->internals.handshake_hash_buffer,
verifier);
diff --git a/lib/tls13/finished.h b/lib/tls13/finished.h
index cf475b220f..c797330809 100644
--- a/lib/tls13/finished.h
+++ b/lib/tls13/finished.h
@@ -24,6 +24,7 @@
#define GNUTLS_LIB_TLS13_FINISHED_H
int _gnutls13_compute_finished(const mac_entry_st *prf,
+ transport_t type,
const uint8_t *base_key,
gnutls_buffer_st *handshake_hash_buffer,
void *out);