add tls-exporter api as per RFC 8446, Section 7.5 #8
This commit introduces the tls-exporter API, which is crucial for avoiding MITM attacks via channel binding.
Thanks for the PR.
I agree that adding this functionality to agent15 / kwik is valuable.
However, I'm surprised (to put it mildly) by the errors you made in the implementation of computing the secrets. Did you actually read the RFC you are quoting from? Or is this AI generated (and hallucinated)?
```java
/**
 * Computes the TLS 1.3 exporter secret (RFC 8446, Section 7.5).
 * The exporter secret is derived from the server's application traffic secret:
```
Wrong. It is derived from the master secret.
```java
/**
 * Computes the TLS 1.3 exporter secret (RFC 8446, Section 7.5).
 * The exporter secret is derived from the server's application traffic secret:
 * exporter_secret = Derive-Secret(server_application_traffic_secret, "exporter", "")
```
Wrong, should be master secret and the label should be "exp master".
```java
 */
public void computeExporterSecret() {
    // Derive-Secret(Secret, Label, Messages) = HKDF-Expand-Label(Secret, Label, Transcript-Hash(Messages), Hash.length)
    // For the exporter, Messages is "" (empty), so Transcript-Hash("") = emptyHash
    if (serverApplicationTrafficSecret == null) {
        throw new IllegalStateException("Server application traffic secret not available");
    }
    exporterSecret = hkdfExpandLabel(serverApplicationTrafficSecret, "exporter", emptyHash, hashLength);
```
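Review bot: the third argument to hkdfExpandLabel is wrong as well as the secret and the label. The key schedule defines exporter_master_secret = Derive-Secret(Master Secret, "exp master", ClientHello...server Finished), so the context here must be the transcript hash through the server Finished, not emptyHash; Hash("") only appears later, in the TLS-Exporter step, where Derive-Secret is called with empty Messages. The null check and the input field should refer to the master secret, and the result should be stored as exporterMasterSecret so it is not confused with the per-label value that the exporter function itself derives.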
Wrong label, wrong hash.
The result should be called exporterMasterSecret
```java
/**
 * Implements the TLS 1.3 exporter function (RFC 8446, Section 7.5):
 *   TLS-Exporter(label, context_value, key_length) =
 *       HKDF-Expand-Label(exporter_secret, label, context_value, key_length)
```
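Review bot: the doc comment drops the inner Derive-Secret step and the hashing of the context, and an implementation written from this comment will interoperate with nothing. In the RFC 8446 definition the caller's label is consumed by Derive-Secret(exporter_master_secret, label, ""), the outer HKDF-Expand-Label always uses the fixed label "exporter", and the context is fed in as Hash(context_value), not raw. Suggest the comment state the full two-step formula and name the input as exporter_master_secret, so the method body can be checked against it.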
Actually, the RFC defines:
TLS-Exporter(label, context_value, key_length) =
HKDF-Expand-Label(Derive-Secret(Secret, label, ""),
"exporter", Hash(context_value), key_length)
which is quite different from what you wrote in the comment.
When QUIC is used with protocols (such as XMPP) that use SASL, they may provide a *-PLUS mechanism with channel binding to mitigate MITM attacks. This commit introduces the tls-exporter API required by channel binding.