Use same HKDF label as TLS 1.3 for QUIC as per draft-ietf-quic-tls-17 Change-Id: Ie9825634f0f290aa3af0e88477013f62e2e0c246 Reviewed-on: https://boringssl-review.googlesource.com/c/33724 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/internal.h b/ssl/internal.h index fa755d2..bc45b50 100644 --- a/ssl/internal.h +++ b/ssl/internal.h
@@ -1299,8 +1299,7 @@ // tls13_derive_session_psk calculates the PSK for this session based on the // resumption master secret and |nonce|. It returns true on success, and false // on failure. -bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce, - bool use_quic); +bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce); // tls13_write_psk_binder calculates the PSK binder value and replaces the last // bytes of |msg| with the resulting value. It returns true on success, and
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc index 40913dc..0ab4021 100644 --- a/ssl/tls13_client.cc +++ b/ssl/tls13_client.cc
@@ -883,8 +883,7 @@ session->timeout = server_timeout; } - if (!tls13_derive_session_psk(session.get(), ticket_nonce, - ssl->ctx->quic_method != nullptr)) { + if (!tls13_derive_session_psk(session.get(), ticket_nonce)) { return false; }
diff --git a/ssl/tls13_enc.cc b/ssl/tls13_enc.cc index f18084e..a59686f 100644 --- a/ssl/tls13_enc.cc +++ b/ssl/tls13_enc.cc
@@ -69,27 +69,19 @@ static bool hkdf_expand_label(uint8_t *out, const EVP_MD *digest, const uint8_t *secret, size_t secret_len, const char *label, size_t label_len, - const uint8_t *hash, size_t hash_len, size_t len, - bool use_quic_label) { + const uint8_t *hash, size_t hash_len, + size_t len) { static const char kTLS13ProtocolLabel[] = "tls13 "; - static const char kQUICProtocolLabel[] = "quic "; - - const char *protocol_label; - if (use_quic_label) { - protocol_label = kQUICProtocolLabel; - } else { - protocol_label = kTLS13ProtocolLabel; - } ScopedCBB cbb; CBB child; Array<uint8_t> hkdf_label; - if (!CBB_init(cbb.get(), - 2 + 1 + strlen(protocol_label) + label_len + 1 + hash_len) || + if (!CBB_init(cbb.get(), 2 + 1 + strlen(kTLS13ProtocolLabel) + label_len + 1 + + hash_len) || !CBB_add_u16(cbb.get(), len) || !CBB_add_u8_length_prefixed(cbb.get(), &child) || - !CBB_add_bytes(&child, (const uint8_t *)protocol_label, - strlen(protocol_label)) || + !CBB_add_bytes(&child, (const uint8_t *)kTLS13ProtocolLabel, + strlen(kTLS13ProtocolLabel)) || !CBB_add_bytes(&child, (const uint8_t *)label, label_len) || !CBB_add_u8_length_prefixed(cbb.get(), &child) || !CBB_add_bytes(&child, hash, hash_len) || @@ -115,8 +107,7 @@ if (!hkdf_expand_label(hs->secret, hs->transcript.Digest(), hs->secret, hs->hash_len, kTLS13LabelDerived, strlen(kTLS13LabelDerived), derive_context, - derive_context_len, hs->hash_len, - hs->ssl->ctx->quic_method != nullptr)) { + derive_context_len, hs->hash_len)) { return false; } @@ -137,8 +128,7 @@ return hkdf_expand_label(out, hs->transcript.Digest(), hs->secret, hs->hash_len, label, label_len, context_hash, - context_hash_len, len, - hs->ssl->ctx->quic_method != nullptr); + context_hash_len, len); } bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level, @@ -169,8 +159,7 @@ size_t key_len = EVP_AEAD_key_length(aead); uint8_t key[EVP_AEAD_MAX_KEY_LENGTH]; if (!hkdf_expand_label(key, digest, traffic_secret, traffic_secret_len, - "key", 3, NULL, 0, key_len, - ssl->ctx->quic_method != nullptr)) { + "key", 3, NULL, 0, key_len)) { return false; } @@ -178,8 +167,7 @@ size_t iv_len = EVP_AEAD_nonce_length(aead); uint8_t iv[EVP_AEAD_MAX_NONCE_LENGTH]; if (!hkdf_expand_label(iv, digest, traffic_secret, traffic_secret_len, "iv", - 2, NULL, 0, iv_len, - ssl->ctx->quic_method != nullptr)) { + 2, NULL, 0, iv_len)) { return false; } @@ -364,7 +352,7 @@ if (!hkdf_expand_label(secret, digest, secret, secret_len, kTLS13LabelApplicationTraffic, strlen(kTLS13LabelApplicationTraffic), NULL, 0, - secret_len, ssl->ctx->quic_method != nullptr)) { + secret_len)) { return false; } @@ -392,13 +380,11 @@ static bool tls13_verify_data(const EVP_MD *digest, uint16_t version, uint8_t *out, size_t *out_len, const uint8_t *secret, size_t hash_len, - uint8_t *context, size_t context_len, - bool use_quic) { + uint8_t *context, size_t context_len) { uint8_t key[EVP_MAX_MD_SIZE]; unsigned len; if (!hkdf_expand_label(key, digest, secret, hash_len, kTLS13LabelFinished, - strlen(kTLS13LabelFinished), NULL, 0, hash_len, - use_quic) || + strlen(kTLS13LabelFinished), NULL, 0, hash_len) || HMAC(digest, key, hash_len, context, context_len, out, &len) == NULL) { return false; } @@ -420,8 +406,7 @@ if (!hs->transcript.GetHash(context_hash, &context_hash_len) || !tls13_verify_data(hs->transcript.Digest(), hs->ssl->version, out, out_len, traffic_secret, hs->hash_len, context_hash, - context_hash_len, - hs->ssl->ctx->quic_method != nullptr)) { + context_hash_len)) { return 0; } return 1; @@ -429,13 +414,12 @@ static const char kTLS13LabelResumptionPSK[] = "resumption"; -bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce, - bool use_quic) { +bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce) { const EVP_MD *digest = ssl_session_get_digest(session); return hkdf_expand_label(session->master_key, digest, session->master_key, session->master_key_length, kTLS13LabelResumptionPSK, strlen(kTLS13LabelResumptionPSK), nonce.data(), - nonce.size(), session->master_key_length, use_quic); + nonce.size(), session->master_key_length); } static const char kTLS13LabelExportKeying[] = "exporter"; @@ -464,12 +448,11 @@ nullptr) && hkdf_expand_label(derived_secret, digest, secret.data(), secret.size(), label.data(), label.size(), export_context, - export_context_len, derived_secret_len, - ssl->ctx->quic_method != nullptr) && + export_context_len, derived_secret_len) && hkdf_expand_label(out.data(), digest, derived_secret, derived_secret_len, kTLS13LabelExportKeying, strlen(kTLS13LabelExportKeying), hash, hash_len, - out.size(), ssl->ctx->quic_method != nullptr); + out.size()); } static const char kTLS13LabelPSKBinder[] = "res binder"; @@ -477,7 +460,7 @@ static bool tls13_psk_binder(uint8_t *out, uint16_t version, const EVP_MD *digest, uint8_t *psk, size_t psk_len, uint8_t *context, size_t context_len, - size_t hash_len, bool use_quic) { + size_t hash_len) { uint8_t binder_context[EVP_MAX_MD_SIZE]; unsigned binder_context_len; if (!EVP_Digest(NULL, 0, binder_context, &binder_context_len, digest, NULL)) { @@ -495,10 +478,9 @@ size_t len; if (!hkdf_expand_label(binder_key, digest, early_secret, hash_len, kTLS13LabelPSKBinder, strlen(kTLS13LabelPSKBinder), - binder_context, binder_context_len, hash_len, - use_quic) || + binder_context, binder_context_len, hash_len) || !tls13_verify_data(digest, version, out, &len, binder_key, hash_len, - context, context_len, use_quic)) { + context, context_len)) { return false; } @@ -531,7 +513,7 @@ if (!tls13_psk_binder(verify_data, ssl->session->ssl_version, digest, ssl->session->master_key, ssl->session->master_key_length, context, context_len, - hash_len, ssl->ctx->quic_method != nullptr)) { + hash_len)) { return false; } @@ -563,8 +545,7 @@ CBS binder; if (!tls13_psk_binder(verify_data, hs->ssl->version, hs->transcript.Digest(), session->master_key, session->master_key_length, - context, context_len, hash_len, - hs->ssl->ctx->quic_method != nullptr) || + context, context_len, hash_len) || // We only consider the first PSK, so compare against the first binder. !CBS_get_u8_length_prefixed(binders, &binder)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc index 7073b57..efdb602 100644 --- a/ssl/tls13_server.cc +++ b/ssl/tls13_server.cc
@@ -194,8 +194,7 @@ !CBB_add_u8_length_prefixed(&body, &nonce_cbb) || !CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)) || !CBB_add_u16_length_prefixed(&body, &ticket) || - !tls13_derive_session_psk(session.get(), nonce, - ssl->ctx->quic_method != nullptr) || + !tls13_derive_session_psk(session.get(), nonce) || !ssl_encrypt_ticket(hs, &ticket, session.get()) || !CBB_add_u16_length_prefixed(&body, &extensions)) { return false;