From 38cf20c60222bed755f46aebe15bf8632d669662 Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Thu, 5 Jan 2023 08:55:48 +0100 Subject: DTLS1_3: HKDF-Expand-Label Add Cryptographic Label Prefix "dtls13" Signed-off-by: Frantisek Krenzelok --- lib/constate.c | 2 ++ lib/ext/pre_shared_key.c | 25 +++++++++++++------------ lib/handshake-tls13.c | 1 + lib/prf.c | 5 +++-- lib/secrets.c | 19 ++++++++++++------- lib/secrets.h | 4 ++-- lib/tls13/finished.c | 7 ++++--- lib/tls13/finished.h | 1 + 8 files changed, 38 insertions(+), 26 deletions(-) diff --git a/lib/constate.c b/lib/constate.c index 0950b5176e..0abe561507 100644 --- a/lib/constate.c +++ b/lib/constate.c @@ -344,6 +344,7 @@ _tls13_set_early_keys(gnutls_session_t session, ret = _tls13_expand_secret2(session->internals. resumed_security_parameters.prf, + session->internals.transport, "key", 3, NULL, 0, session->key.proto.tls13.e_ckey, key_size, key_block); @@ -352,6 +353,7 @@ _tls13_set_early_keys(gnutls_session_t session, ret = _tls13_expand_secret2(session->internals. resumed_security_parameters.prf, + session->internals.transport, "iv", 2, NULL, 0, session->key.proto.tls13.e_ckey, iv_size, iv_block); diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c index 11e1a40a9b..00d88339f1 100644 --- a/lib/ext/pre_shared_key.c +++ b/lib/ext/pre_shared_key.c @@ -36,7 +36,7 @@ #include static int -compute_psk_from_ticket(const tls13_ticket_st *ticket, gnutls_datum_t *key) +compute_psk_from_ticket(const tls13_ticket_st *ticket, gnutls_datum_t *key, transport_t type) { int ret; @@ -50,7 +50,7 @@ compute_psk_from_ticket(const tls13_ticket_st *ticket, gnutls_datum_t *key) } key->size = ticket->prf->output_size; - ret = _tls13_expand_secret2(ticket->prf, + ret = _tls13_expand_secret2(ticket->prf, type, RESUMPTION_LABEL, sizeof(RESUMPTION_LABEL)-1, ticket->nonce, ticket->nonce_size, ticket->resumption_master_secret, 
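Review bot: `compute_psk_from_ticket()` in lib/ext/pre_shared_key.c takes the new `transport_t type` as its last parameter, whereas `compute_binder_key()`, `_tls13_derive_secret2()`, `_tls13_expand_secret2()` and `_gnutls13_compute_finished()` in this same patch all take it second, directly after `prf`; a consistent position would make the call sites easier to audit. The resumption PSK is now derived with a transport-dependent label, so the same ticket yields a different PSK on a stream session than on a datagram session. That looks like intended separation between the two protocols, but it deserves a comment on the function, for example `/* type selects the "tls13 "/"dtls13" label prefix; the PSK is specific to the transport of the presenting session */`. The function body continues outside the two hunks (`@@ -36` and `@@ -50`) that touch it.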
@@ -63,7 +63,7 @@ compute_psk_from_ticket(const tls13_ticket_st *ticket, gnutls_datum_t *key) } static int -compute_binder_key(const mac_entry_st *prf, +compute_binder_key(const mac_entry_st *prf, transport_t type, const uint8_t *key, size_t keylen, bool resuming, void *out) @@ -83,7 +83,7 @@ compute_binder_key(const mac_entry_st *prf, return ret; /* Compute Derive-Secret(secret, label, transcript_hash) */ - ret = _tls13_derive_secret2(prf, label, label_len, + ret = _tls13_derive_secret2(prf, type, label, label_len, NULL, 0, tmp_key, out); if (ret < 0) return ret; @@ -167,7 +167,7 @@ compute_psk_binder(gnutls_session_t session, } } - ret = compute_binder_key(prf, + ret = compute_binder_key(prf, session->internals.transport, psk->data, psk->size, resuming, binder_key); if (ret < 0) { @@ -175,9 +175,8 @@ compute_psk_binder(gnutls_session_t session, goto error; } - ret = _gnutls13_compute_finished(prf, binder_key, - &handshake_buf, - out); + ret = _gnutls13_compute_finished(prf, session->internals.transport, + binder_key, &handshake_buf, out); if (ret < 0) { gnutls_assert(); goto error; @@ -195,7 +194,8 @@ generate_early_secrets(gnutls_session_t session, { int ret; - ret = _tls13_derive_secret2(prf, EARLY_TRAFFIC_LABEL, sizeof(EARLY_TRAFFIC_LABEL)-1, + ret = _tls13_derive_secret2(prf, session->internals.transport, EARLY_TRAFFIC_LABEL, + sizeof(EARLY_TRAFFIC_LABEL)-1, session->internals.handshake_hash_buffer.data, session->internals.handshake_hash_buffer_client_hello_len, session->key.proto.tls13.temp_secret, 
@@ -209,7 +209,8 @@ generate_early_secrets(gnutls_session_t session, if (ret < 0) return gnutls_assert_val(ret); - ret = _tls13_derive_secret2(prf, EARLY_EXPORTER_MASTER_LABEL, sizeof(EARLY_EXPORTER_MASTER_LABEL)-1, + ret = _tls13_derive_secret2(prf, session->internals.transport, EARLY_EXPORTER_MASTER_LABEL, + sizeof(EARLY_EXPORTER_MASTER_LABEL)-1, session->internals.handshake_hash_buffer.data, session->internals.handshake_hash_buffer_client_hello_len, session->key.proto.tls13.temp_secret, @@ -322,7 +323,7 @@ client_send_params(gnutls_session_t session, goto ignore_ticket; } - ret = compute_psk_from_ticket(ticket, &rkey); + ret = compute_psk_from_ticket(ticket, &rkey, session->internals.transport); if (ret < 0) { tls13_ticket_deinit(ticket); goto ignore_ticket; @@ -603,7 +604,7 @@ static int server_recv_params(gnutls_session_t session, continue; } - ret = compute_psk_from_ticket(&ticket_data, &key); + ret = compute_psk_from_ticket(&ticket_data, &key, session->internals.transport); if (ret < 0) { gnutls_assert(); tls13_ticket_deinit(&ticket_data); diff --git a/lib/handshake-tls13.c b/lib/handshake-tls13.c index 9f542047ee..9874a60fa2 100644 --- a/lib/handshake-tls13.c +++ b/lib/handshake-tls13.c @@ -210,6 +210,7 @@ static int generate_non_auth_rms_keys(gnutls_session_t session) unsigned spos; ret = _gnutls13_compute_finished(session->security_parameters.prf, + session->internals.transport, session->key.proto.tls13.hs_ckey, &session->internals.handshake_hash_buffer, finished+TLS_HANDSHAKE_HEADER_SIZE); diff --git a/lib/prf.c b/lib/prf.c index bb76e2ed4e..70ef2a5f1d 100644 --- a/lib/prf.c +++ b/lib/prf.c @@ -105,7 +105,8 @@ _tls13_derive_exporter(const mac_entry_st *prf, unsigned digest_size = prf->output_size; int ret; - ret = _tls13_derive_secret2(prf, label, label_size, NULL, 0, + ret = _tls13_derive_secret2(prf, session->internals.transport, + label, label_size, NULL, 0, session->key.proto.tls13.ap_expkey, secret); if (ret < 0) 
@@ -116,7 +117,7 @@ _tls13_derive_exporter(const mac_entry_st *prf, if (ret < 0) return gnutls_assert_val(ret); - return _tls13_expand_secret2(prf, + return _tls13_expand_secret2(prf, session->internals.transport, EXPORTER_LABEL, sizeof(EXPORTER_LABEL)-1, digest, digest_size, secret, outsize, out); diff --git a/lib/secrets.c b/lib/secrets.c index 728876ede3..039181d27e 100644 --- a/lib/secrets.c +++ b/lib/secrets.c @@ -88,7 +88,7 @@ int _tls13_update_secret(gnutls_session_t session, const uint8_t *key, size_t ke } /* Derive-Secret(Secret, Label, Messages) */ -int _tls13_derive_secret2(const mac_entry_st *prf, +int _tls13_derive_secret2(const mac_entry_st *prf, transport_t type, const char *label, unsigned label_size, const uint8_t *tbh, size_t tbh_size, const uint8_t secret[MAX_HASH_SIZE], @@ -109,7 +109,7 @@ int _tls13_derive_secret2(const mac_entry_st *prf, if (ret < 0) return gnutls_assert_val(ret); - return _tls13_expand_secret2(prf, label, label_size, digest, digest_size, secret, digest_size, out); + return _tls13_expand_secret2(prf, type, label, label_size, digest, digest_size, secret, digest_size, out); } /* Derive-Secret(Secret, Label, Messages) */ 
@@ -122,25 +122,29 @@ int _tls13_derive_secret(gnutls_session_t session, if (unlikely(session->security_parameters.prf == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - return _tls13_derive_secret2(session->security_parameters.prf, label, label_size, tbh, tbh_size, - secret, - out); + return _tls13_derive_secret2(session->security_parameters.prf, session->internals.transport, + label, label_size, tbh, tbh_size, secret, out); } /* HKDF-Expand-Label(Secret, Label, HashValue, Length) */ -int _tls13_expand_secret2(const mac_entry_st *prf, +int _tls13_expand_secret2(const mac_entry_st *prf, transport_t type, const char *label, unsigned label_size, const uint8_t *msg, size_t msg_size, const uint8_t secret[MAX_HASH_SIZE], unsigned out_size, void *out) { - uint8_t tmp[256] = "tls13 "; + uint8_t tmp[256]; gnutls_buffer_st str; gnutls_datum_t key; gnutls_datum_t info; int ret; + if (type == GNUTLS_STREAM) + memcpy(tmp, "tls13 ", 6); + else + memcpy(tmp, "dtls13", 6); + if (unlikely(label_size >= sizeof(tmp)-6)) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); @@ -207,6 +211,7 @@ int _tls13_expand_secret(gnutls_session_t session, return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); return _tls13_expand_secret2(session->security_parameters.prf, + session->internals.transport, label, label_size, msg, msg_size, secret, out_size, out); diff --git a/lib/secrets.h b/lib/secrets.h index 181b53bed2..8655f60ad2 100644 --- a/lib/secrets.h +++ b/lib/secrets.h @@ -37,7 +37,7 @@ int _tls13_derive_secret(gnutls_session_t session, const uint8_t *msg, size_t msg_size, const uint8_t secret[MAX_HASH_SIZE], void *out /* of enough length to hold PRF MAC */); -int _tls13_derive_secret2(const mac_entry_st *prf, +int _tls13_derive_secret2(const mac_entry_st *prf, transport_t type, const char *label, unsigned label_size, const uint8_t *tbh, size_t tbh_size, const uint8_t secret[MAX_HASH_SIZE], 
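Review bot: In `_tls13_expand_secret2()` (lib/secrets.c), replacing `uint8_t tmp[256] = "tls13 ";` with a bare `uint8_t tmp[256];` plus two `memcpy(tmp, ..., 6)` calls drops the implicit zero-fill of the remaining 250 bytes, so everything past the prefix is indeterminate until the label is copied in. The code that consumes `tmp` lies below this hunk; presumably it reads only the first `label_size + 6` bytes, but the HKDF info input now depends on that invariant, so it is worth keeping obvious. I would keep an initializer and select the prefix once, e.g. `uint8_t tmp[256] = { 0 };` followed by `memcpy(tmp, type == GNUTLS_STREAM ? "tls13 " : "dtls13", 6);`, with a comment that both prefixes are exactly 6 bytes because the `sizeof(tmp)-6` length check relies on it. The diffstat touches only lib/, so a known-answer test for a derivation with the "dtls13" prefix would be a useful addition.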
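Review bot: The prototype of `_tls13_derive_secret2()` in this lib/secrets.h hunk, and that of `_tls13_expand_secret2()` in the following one, gain `transport_t type` without any comment, and the name says little about what the argument selects. Going by the lib/secrets.c change, the value only chooses the HKDF-Expand-Label prefix, and anything other than `GNUTLS_STREAM` gets "dtls13". I would state that above both declarations, e.g. `/* type: session transport; GNUTLS_STREAM uses the "tls13 " label prefix, any other value "dtls13" */`, and consider naming the parameter `transport`. The same applies to `_gnutls13_compute_finished()` in lib/tls13/finished.h.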
@@ -49,7 +49,7 @@ int _tls13_expand_secret(gnutls_session_t session, const uint8_t secret[MAX_HASH_SIZE], unsigned out_size, void *out); -int _tls13_expand_secret2(const mac_entry_st *prf, +int _tls13_expand_secret2(const mac_entry_st *prf, transport_t type, const char *label, unsigned label_size, const uint8_t *msg, size_t msg_size, const uint8_t secret[MAX_HASH_SIZE], diff --git a/lib/tls13/finished.c b/lib/tls13/finished.c index ec646e6732..6e4bda2e05 100644 --- a/lib/tls13/finished.c +++ b/lib/tls13/finished.c @@ -29,7 +29,7 @@ #include "secrets.h" int _gnutls13_compute_finished(const mac_entry_st *prf, - const uint8_t *base_key, + transport_t type, const uint8_t *base_key, gnutls_buffer_st *handshake_hash_buffer, void *out) { @@ -37,7 +37,7 @@ int _gnutls13_compute_finished(const mac_entry_st *prf, uint8_t fkey[MAX_HASH_SIZE]; uint8_t ts_hash[MAX_HASH_SIZE]; - ret = _tls13_expand_secret2(prf, + ret = _tls13_expand_secret2(prf, type, "finished", 8, NULL, 0, base_key, @@ -88,7 +88,7 @@ int _gnutls13_recv_finished(gnutls_session_t session) } ret = _gnutls13_compute_finished(session->security_parameters.prf, - base_key, + session->internals.transport, base_key, &session->internals.handshake_hash_buffer, verifier); if (ret < 0) { @@ -153,6 +153,7 @@ int _gnutls13_send_finished(gnutls_session_t session, unsigned again) } ret = _gnutls13_compute_finished(session->security_parameters.prf, + session->internals.transport, base_key, &session->internals.handshake_hash_buffer, verifier); diff --git a/lib/tls13/finished.h b/lib/tls13/finished.h index cf475b220f..c797330809 100644 --- a/lib/tls13/finished.h +++ b/lib/tls13/finished.h @@ -24,6 +24,7 @@ #define GNUTLS_LIB_TLS13_FINISHED_H int _gnutls13_compute_finished(const mac_entry_st *prf, + transport_t type, const uint8_t *base_key, gnutls_buffer_st *handshake_hash_buffer, void *out); -- cgit v1.2.1