Google Git
Sign in
boringssl / boringssl.git / 2cc6f449d7e238f4a651e976481b56c1939839d9^! / . / ssl
commit2cc6f449d7e238f4a651e976481b56c1939839d9[log] [tgz]
authorAlessandro Ghedini <alessandro@cloudflare.com>Tue Dec 11 11:35:17 2018 +0000
committerCQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>Wed Dec 19 20:25:34 2018 +0000
tree72302e54d0235cba6c15355a3b61a8c279c52080
parentba9ad6628ca8f399cc1ef22824a6791181828639 [diff]
Use same HKDF label as TLS 1.3 for QUIC as per draft-ietf-quic-tls-17

Change-Id: Ie9825634f0f290aa3af0e88477013f62e2e0c246
Reviewed-on: https://boringssl-review.googlesource.com/c/33724
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

diff --git a/ssl/internal.h b/ssl/internal.h
index fa755d2..bc45b50 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h

@@ -1299,8 +1299,7 @@
 // tls13_derive_session_psk calculates the PSK for this session based on the
 // resumption master secret and |nonce|. It returns true on success, and false
 // on failure.
-bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce,
-                              bool use_quic);
+bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce);
 
 // tls13_write_psk_binder calculates the PSK binder value and replaces the last
 // bytes of |msg| with the resulting value. It returns true on success, and

diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index 40913dc..0ab4021 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc

@@ -883,8 +883,7 @@
     session->timeout = server_timeout;
   }
 
-  if (!tls13_derive_session_psk(session.get(), ticket_nonce,
-                                ssl->ctx->quic_method != nullptr)) {
+  if (!tls13_derive_session_psk(session.get(), ticket_nonce)) {
     return false;
   }
 

diff --git a/ssl/tls13_enc.cc b/ssl/tls13_enc.cc
index f18084e..a59686f 100644
--- a/ssl/tls13_enc.cc
+++ b/ssl/tls13_enc.cc

@@ -69,27 +69,19 @@
 static bool hkdf_expand_label(uint8_t *out, const EVP_MD *digest,
                               const uint8_t *secret, size_t secret_len,
                               const char *label, size_t label_len,
-                              const uint8_t *hash, size_t hash_len, size_t len,
-                              bool use_quic_label) {
+                              const uint8_t *hash, size_t hash_len,
+                              size_t len) {
   static const char kTLS13ProtocolLabel[] = "tls13 ";
-  static const char kQUICProtocolLabel[] = "quic ";
-
-  const char *protocol_label;
-  if (use_quic_label) {
-    protocol_label = kQUICProtocolLabel;
-  } else {
-    protocol_label = kTLS13ProtocolLabel;
-  }
 
   ScopedCBB cbb;
   CBB child;
   Array<uint8_t> hkdf_label;
-  if (!CBB_init(cbb.get(),
-                2 + 1 + strlen(protocol_label) + label_len + 1 + hash_len) ||
+  if (!CBB_init(cbb.get(), 2 + 1 + strlen(kTLS13ProtocolLabel) + label_len + 1 +
+                               hash_len) ||
       !CBB_add_u16(cbb.get(), len) ||
       !CBB_add_u8_length_prefixed(cbb.get(), &child) ||
-      !CBB_add_bytes(&child, (const uint8_t *)protocol_label,
-                     strlen(protocol_label)) ||
+      !CBB_add_bytes(&child, (const uint8_t *)kTLS13ProtocolLabel,
+                     strlen(kTLS13ProtocolLabel)) ||
       !CBB_add_bytes(&child, (const uint8_t *)label, label_len) ||
       !CBB_add_u8_length_prefixed(cbb.get(), &child) ||
       !CBB_add_bytes(&child, hash, hash_len) ||
@@ -115,8 +107,7 @@
   if (!hkdf_expand_label(hs->secret, hs->transcript.Digest(), hs->secret,
                          hs->hash_len, kTLS13LabelDerived,
                          strlen(kTLS13LabelDerived), derive_context,
-                         derive_context_len, hs->hash_len,
-                         hs->ssl->ctx->quic_method != nullptr)) {
+                         derive_context_len, hs->hash_len)) {
     return false;
   }
 
@@ -137,8 +128,7 @@
 
   return hkdf_expand_label(out, hs->transcript.Digest(), hs->secret,
                            hs->hash_len, label, label_len, context_hash,
-                           context_hash_len, len,
-                           hs->ssl->ctx->quic_method != nullptr);
+                           context_hash_len, len);
 }
 
 bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level,
@@ -169,8 +159,7 @@
     size_t key_len = EVP_AEAD_key_length(aead);
     uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
     if (!hkdf_expand_label(key, digest, traffic_secret, traffic_secret_len,
-                           "key", 3, NULL, 0, key_len,
-                           ssl->ctx->quic_method != nullptr)) {
+                           "key", 3, NULL, 0, key_len)) {
       return false;
     }
 
@@ -178,8 +167,7 @@
     size_t iv_len = EVP_AEAD_nonce_length(aead);
     uint8_t iv[EVP_AEAD_MAX_NONCE_LENGTH];
     if (!hkdf_expand_label(iv, digest, traffic_secret, traffic_secret_len, "iv",
-                           2, NULL, 0, iv_len,
-                           ssl->ctx->quic_method != nullptr)) {
+                           2, NULL, 0, iv_len)) {
       return false;
     }
 
@@ -364,7 +352,7 @@
   if (!hkdf_expand_label(secret, digest, secret, secret_len,
                          kTLS13LabelApplicationTraffic,
                          strlen(kTLS13LabelApplicationTraffic), NULL, 0,
-                         secret_len, ssl->ctx->quic_method != nullptr)) {
+                         secret_len)) {
     return false;
   }
 
@@ -392,13 +380,11 @@
 static bool tls13_verify_data(const EVP_MD *digest, uint16_t version,
                               uint8_t *out, size_t *out_len,
                               const uint8_t *secret, size_t hash_len,
-                              uint8_t *context, size_t context_len,
-                              bool use_quic) {
+                              uint8_t *context, size_t context_len) {
   uint8_t key[EVP_MAX_MD_SIZE];
   unsigned len;
   if (!hkdf_expand_label(key, digest, secret, hash_len, kTLS13LabelFinished,
-                         strlen(kTLS13LabelFinished), NULL, 0, hash_len,
-                         use_quic) ||
+                         strlen(kTLS13LabelFinished), NULL, 0, hash_len) ||
       HMAC(digest, key, hash_len, context, context_len, out, &len) == NULL) {
     return false;
   }
@@ -420,8 +406,7 @@
   if (!hs->transcript.GetHash(context_hash, &context_hash_len) ||
       !tls13_verify_data(hs->transcript.Digest(), hs->ssl->version, out,
                          out_len, traffic_secret, hs->hash_len, context_hash,
-                         context_hash_len,
-                         hs->ssl->ctx->quic_method != nullptr)) {
+                         context_hash_len)) {
     return 0;
   }
   return 1;
@@ -429,13 +414,12 @@
 
 static const char kTLS13LabelResumptionPSK[] = "resumption";
 
-bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce,
-                              bool use_quic) {
+bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce) {
   const EVP_MD *digest = ssl_session_get_digest(session);
   return hkdf_expand_label(session->master_key, digest, session->master_key,
                            session->master_key_length, kTLS13LabelResumptionPSK,
                            strlen(kTLS13LabelResumptionPSK), nonce.data(),
-                           nonce.size(), session->master_key_length, use_quic);
+                           nonce.size(), session->master_key_length);
 }
 
 static const char kTLS13LabelExportKeying[] = "exporter";
@@ -464,12 +448,11 @@
                     nullptr) &&
          hkdf_expand_label(derived_secret, digest, secret.data(), secret.size(),
                            label.data(), label.size(), export_context,
-                           export_context_len, derived_secret_len,
-                           ssl->ctx->quic_method != nullptr) &&
+                           export_context_len, derived_secret_len) &&
          hkdf_expand_label(out.data(), digest, derived_secret,
                            derived_secret_len, kTLS13LabelExportKeying,
                            strlen(kTLS13LabelExportKeying), hash, hash_len,
-                           out.size(), ssl->ctx->quic_method != nullptr);
+                           out.size());
 }
 
 static const char kTLS13LabelPSKBinder[] = "res binder";
@@ -477,7 +460,7 @@
 static bool tls13_psk_binder(uint8_t *out, uint16_t version,
                              const EVP_MD *digest, uint8_t *psk, size_t psk_len,
                              uint8_t *context, size_t context_len,
-                             size_t hash_len, bool use_quic) {
+                             size_t hash_len) {
   uint8_t binder_context[EVP_MAX_MD_SIZE];
   unsigned binder_context_len;
   if (!EVP_Digest(NULL, 0, binder_context, &binder_context_len, digest, NULL)) {
@@ -495,10 +478,9 @@
   size_t len;
   if (!hkdf_expand_label(binder_key, digest, early_secret, hash_len,
                          kTLS13LabelPSKBinder, strlen(kTLS13LabelPSKBinder),
-                         binder_context, binder_context_len, hash_len,
-                         use_quic) ||
+                         binder_context, binder_context_len, hash_len) ||
       !tls13_verify_data(digest, version, out, &len, binder_key, hash_len,
-                         context, context_len, use_quic)) {
+                         context, context_len)) {
     return false;
   }
 
@@ -531,7 +513,7 @@
   if (!tls13_psk_binder(verify_data, ssl->session->ssl_version, digest,
                         ssl->session->master_key,
                         ssl->session->master_key_length, context, context_len,
-                        hash_len, ssl->ctx->quic_method != nullptr)) {
+                        hash_len)) {
     return false;
   }
 
@@ -563,8 +545,7 @@
   CBS binder;
   if (!tls13_psk_binder(verify_data, hs->ssl->version, hs->transcript.Digest(),
                         session->master_key, session->master_key_length,
-                        context, context_len, hash_len,
-                        hs->ssl->ctx->quic_method != nullptr) ||
+                        context, context_len, hash_len) ||
       // We only consider the first PSK, so compare against the first binder.
       !CBS_get_u8_length_prefixed(binders, &binder)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index 7073b57..efdb602 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc

@@ -194,8 +194,7 @@
         !CBB_add_u8_length_prefixed(&body, &nonce_cbb) ||
         !CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)) ||
         !CBB_add_u16_length_prefixed(&body, &ticket) ||
-        !tls13_derive_session_psk(session.get(), nonce,
-                                  ssl->ctx->quic_method != nullptr) ||
+        !tls13_derive_session_psk(session.get(), nonce) ||
         !ssl_encrypt_ticket(hs, &ticket, session.get()) ||
         !CBB_add_u16_length_prefixed(&body, &extensions)) {
       return false;