Merge 7c34387 into 7c73070

rustls · Jul 25, 2019 · a8cab7a · a8cab7a
2 parents 7c73070 + 7c34387
commit a8cab7a
Show file tree

Hide file tree

Showing 9 changed files with 288 additions and 277 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -13,7 +13,7 @@ categories = ["network-programming", "cryptography"]
 [dependencies]
 base64 = "0.10"
 log = { version = "0.4.4", optional = true }
-ring = "0.16.2"
+ring = "0.16.4"
 sct = "0.6.0"
 webpki = "0.21.0"
 

diff --git a/src/cipher.rs b/src/cipher.rs
@@ -1,4 +1,4 @@
-use ring::aead;
+use ring::{aead, hkdf};
 use std::io::Write;
 use crate::msgs::codec;
 use crate::msgs::codec::Codec;
@@ -123,22 +123,20 @@ pub fn new_tls12(scs: &'static SupportedCipherSuite,
 
 pub fn new_tls13_read(scs: &'static SupportedCipherSuite,
                       secret: &[u8]) -> Box<dyn MessageDecrypter> {
-    let hash = scs.get_hash();
-    let key = derive_traffic_key(hash, secret, scs.enc_key_len);
-    let iv = derive_traffic_iv(hash, secret);
-    let aead_alg = scs.get_aead_alg();
+    let secret = hkdf::Prk::new_less_safe(scs.hkdf_algorithm, secret);
+    let key = derive_traffic_key(&secret, scs.get_aead_alg());
+    let iv = derive_traffic_iv(&secret);
 
-    Box::new(TLS13MessageDecrypter::new(aead_alg, &key, iv))
+    Box::new(TLS13MessageDecrypter::new(key, iv))
 }
 
 pub fn new_tls13_write(scs: &'static SupportedCipherSuite,
                        secret: &[u8]) -> Box<dyn MessageEncrypter> {
-    let hash = scs.get_hash();
-    let key = derive_traffic_key(hash, secret, scs.enc_key_len);
-    let iv = derive_traffic_iv(hash, secret);
-    let aead_alg = scs.get_aead_alg();
+    let secret = hkdf::Prk::new_less_safe(scs.hkdf_algorithm, secret);
+    let key = derive_traffic_key(&secret, scs.get_aead_alg());
+    let iv = derive_traffic_iv(&secret);
 
-    Box::new(TLS13MessageEncrypter::new(aead_alg, &key, iv))
+    Box::new(TLS13MessageEncrypter::new(key, iv))
 }
 
 /// A `MessageEncrypter` for AES-GCM AEAD ciphersuites. TLS 1.2 only.
@@ -259,6 +257,19 @@ impl Iv {
     pub(crate) fn value(&self) -> &[u8; 12] { &self.0 }
 }
 
+pub(crate) struct IvLen;
+
+impl hkdf::KeyType for IvLen {
+    fn len(&self) -> usize { aead::NONCE_LEN }
+}
+
+impl From<hkdf::Okm<'_, IvLen>> for Iv {
+    fn from(okm: hkdf::Okm<IvLen>) -> Self {
+        let mut r = Iv(Default::default());
+        okm.fill(&mut r.0[..]).unwrap();
+        r
+    }
+}
 
 struct TLS13MessageEncrypter {
     enc_key: aead::LessSafeKey,
@@ -365,11 +376,7 @@ impl MessageDecrypter for TLS13MessageDecrypter {
 }
 
 impl TLS13MessageEncrypter {
-    fn new(alg: &'static aead::Algorithm,
-           enc_key: &[u8],
-           enc_iv: Iv) -> TLS13MessageEncrypter {
-        let key = aead::UnboundKey::new(alg, enc_key)
-            .unwrap();
+    fn new(key: aead::UnboundKey, enc_iv: Iv) -> TLS13MessageEncrypter {
         TLS13MessageEncrypter {
             enc_key: aead::LessSafeKey::new(key),
             iv: enc_iv,
@@ -378,11 +385,7 @@ impl TLS13MessageEncrypter {
 }
 
 impl TLS13MessageDecrypter {
-    fn new(alg: &'static aead::Algorithm,
-           dec_key: &[u8],
-           dec_iv: Iv) -> TLS13MessageDecrypter {
-        let key = aead::UnboundKey::new(alg, dec_key)
-            .unwrap();
+    fn new(key: aead::UnboundKey, dec_iv: Iv) -> TLS13MessageDecrypter {
         TLS13MessageDecrypter {
             dec_key: aead::LessSafeKey::new(key),
             iv: dec_iv,

diff --git a/src/client/hs.rs b/src/client/hs.rs
@@ -330,7 +330,7 @@ fn emit_client_hello_for_retry(sess: &mut ClientSessionImpl,
         let client_hello_hash = handshake.transcript.get_hash_given(resuming_suite.get_hash(), &[]);
         let client_early_traffic_secret = sess.common
             .get_key_schedule()
-            .derive(SecretKind::ClientEarlyTrafficSecret, &client_hello_hash);
+            .derive_bytes(SecretKind::ClientEarlyTrafficSecret, &client_hello_hash);
         // Set early data encryption key
         sess.common
             .set_message_encrypter(cipher::new_tls13_write(resuming_suite, &client_early_traffic_secret));

diff --git a/src/client/tls13.rs b/src/client/tls13.rs
@@ -125,7 +125,9 @@ pub fn fill_in_psk_binder(sess: &mut ClientSessionImpl,
                           hmp: &mut HandshakeMessagePayload) {
     // We need to know the hash function of the suite we're trying to resume into.
     let resuming = handshake.resuming_session.as_ref().unwrap();
-    let suite_hash = sess.find_cipher_suite(resuming.cipher_suite).unwrap().get_hash();
+    let suite = sess.find_cipher_suite(resuming.cipher_suite).unwrap();
+    let hkdf_alg = suite.hkdf_algorithm;
+    let suite_hash = suite.get_hash();
 
     // The binder is calculated over the clienthello, but doesn't include itself or its
     // length, or the length of its container.
@@ -139,9 +141,8 @@ pub fn fill_in_psk_binder(sess: &mut ClientSessionImpl,
 
     // Run a fake key_schedule to simulate what the server will do if it choses
     // to resume.
-    let mut key_schedule = KeySchedule::new(suite_hash);
-    key_schedule.input_secret(&resuming.master_secret.0);
-    let base_key = key_schedule.derive(SecretKind::ResumptionPSKBinderKey, &empty_hash);
+    let key_schedule = KeySchedule::new(hkdf_alg, &resuming.master_secret.0);
+    let base_key = key_schedule.derive(hkdf_alg, SecretKind::ResumptionPSKBinderKey, &empty_hash);
     let real_binder = key_schedule.sign_verify_data(&base_key, &handshake_hash);
 
     if let HandshakePayload::ClientHello(ref mut ch) = hmp.payload {
@@ -183,9 +184,7 @@ pub fn start_handshake_traffic(sess: &mut ClientSessionImpl,
         // Discard the early data key schedule.
         sess.early_data.rejected();
         sess.common.early_traffic = false;
-        let mut key_schedule = KeySchedule::new(suite.get_hash());
-        key_schedule.input_empty();
-        sess.common.set_key_schedule(key_schedule);
+        sess.common.set_key_schedule(KeySchedule::new_with_empty_secret(suite.hkdf_algorithm));
         handshake.resuming_session.take();
     }
 
@@ -212,8 +211,8 @@ pub fn start_handshake_traffic(sess: &mut ClientSessionImpl,
     if !sess.early_data.is_enabled() {
         // Set the client encryption key for handshakes if early data is not used
         let write_key = sess.common.get_key_schedule()
-            .derive(SecretKind::ClientHandshakeTrafficSecret,
-                &handshake.hash_at_client_recvd_server_hello);
+            .derive_bytes(SecretKind::ClientHandshakeTrafficSecret,
+                          &handshake.hash_at_client_recvd_server_hello);
         sess.common.set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
         sess.config.key_log.log(sess.common.protocol.labels().client_handshake_traffic_secret,
                              &handshake.randoms.client,
@@ -222,8 +221,8 @@ pub fn start_handshake_traffic(sess: &mut ClientSessionImpl,
     }
 
     let read_key = sess.common.get_key_schedule()
-        .derive(SecretKind::ServerHandshakeTrafficSecret,
-                &handshake.hash_at_client_recvd_server_hello);
+        .derive_bytes(SecretKind::ServerHandshakeTrafficSecret,
+                      &handshake.hash_at_client_recvd_server_hello);
     sess.common.set_message_decrypter(cipher::new_tls13_read(suite, &read_key));
     sess.config.key_log.log(sess.common.protocol.labels().server_handshake_traffic_secret,
                             &handshake.randoms.client,
@@ -235,8 +234,8 @@ pub fn start_handshake_traffic(sess: &mut ClientSessionImpl,
         let client = if sess.early_data.is_enabled() {
             // Traffic secret wasn't computed and stored above, so do it here.
             sess.common.get_key_schedule()
-                .derive(SecretKind::ClientHandshakeTrafficSecret,
-                        &handshake.hash_at_client_recvd_server_hello)
+                .derive_bytes(SecretKind::ClientHandshakeTrafficSecret,
+                              &handshake.hash_at_client_recvd_server_hello)
         } else {
             key_schedule.current_client_traffic_secret.clone()
         };
@@ -400,8 +399,8 @@ impl hs::State for ExpectEncryptedExtensions {
                 // If no early traffic, set the encryption key for handshakes
                 let suite = sess.common.get_suite_assert();
                 let write_key = sess.common.get_key_schedule()
-                    .derive(SecretKind::ClientHandshakeTrafficSecret,
-                        &self.handshake.hash_at_client_recvd_server_hello);
+                    .derive_bytes(SecretKind::ClientHandshakeTrafficSecret,
+                                  &self.handshake.hash_at_client_recvd_server_hello);
                 sess.common.set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
                 sess.config.key_log.log(sess.common.protocol.labels().client_handshake_traffic_secret,
                                 &self.handshake.randoms.client,
@@ -827,8 +826,8 @@ impl hs::State for ExpectFinished {
             /* Derive the client-to-server encryption key before key schedule update */
             let key = sess.common
                 .get_key_schedule()
-                .derive(SecretKind::ClientHandshakeTrafficSecret,
-                        &st.handshake.hash_at_client_recvd_server_hello);
+                .derive_bytes(SecretKind::ClientHandshakeTrafficSecret,
+                              &st.handshake.hash_at_client_recvd_server_hello);
             Some(key)
         } else {
             None
@@ -843,7 +842,7 @@ impl hs::State for ExpectFinished {
         let handshake_hash = st.handshake.transcript.get_current_hash();
         let read_key = sess.common
             .get_key_schedule()
-            .derive(SecretKind::ServerApplicationTrafficSecret, &handshake_hash);
+            .derive_bytes(SecretKind::ServerApplicationTrafficSecret, &handshake_hash);
         sess.config.key_log.log(sess.common.protocol.labels().server_traffic_secret_0,
                                 &st.handshake.randoms.client,
                                 &read_key);
@@ -854,7 +853,7 @@ impl hs::State for ExpectFinished {
 
         let exporter_secret = sess.common
             .get_key_schedule()
-            .derive(SecretKind::ExporterMasterSecret, &handshake_hash);
+            .derive_bytes(SecretKind::ExporterMasterSecret, &handshake_hash);
         sess.config.key_log.log(sess.common.protocol.labels().exporter_secret,
                                 &st.handshake.randoms.client,
                                 &exporter_secret);
@@ -892,7 +891,7 @@ impl hs::State for ExpectFinished {
         hs::check_aligned_handshake(sess)?;
         let write_key = sess.common
             .get_key_schedule()
-            .derive(SecretKind::ClientApplicationTrafficSecret, &handshake_hash);
+            .derive_bytes(SecretKind::ClientApplicationTrafficSecret, &handshake_hash);
         sess.config.key_log.log(sess.common.protocol.labels().client_traffic_secret_0,
                                 &st.handshake.randoms.client,
                                 &write_key);
@@ -934,9 +933,9 @@ impl ExpectTraffic {
     fn handle_new_ticket_tls13(&mut self, sess: &mut ClientSessionImpl, m: Message) -> Result<(), TLSError> {
         let nst = extract_handshake!(m, HandshakePayload::NewSessionTicketTLS13).unwrap();
         let handshake_hash = self.handshake.transcript.get_current_hash();
-        let resumption_master_secret = sess.common
-            .get_key_schedule()
-            .derive(SecretKind::ResumptionMasterSecret, &handshake_hash);
+        let key_schedule = sess.common.get_key_schedule();
+        let resumption_master_secret =
+            key_schedule.derive(key_schedule.algorithm(), SecretKind::ResumptionMasterSecret, &handshake_hash);
         let secret = sess.common
             .get_key_schedule()
             .derive_ticket_psk(&resumption_master_secret, &nst.nonce.0);