github.com/JimmyHuang454/JLS-go@v0.0.0-20230831150107-90d536585ba0/tls/key_schedule.go (about) 1 // Copyright 2018 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "crypto/ecdh" 9 "crypto/hmac" 10 "errors" 11 "fmt" 12 "hash" 13 "io" 14 15 "golang.org/x/crypto/cryptobyte" 16 "golang.org/x/crypto/hkdf" 17 ) 18 19 // This file contains the functions necessary to compute the TLS 1.3 key 20 // schedule. See RFC 8446, Section 7. 21 22 const ( 23 resumptionBinderLabel = "res binder" 24 clientEarlyTrafficLabel = "c e traffic" 25 clientHandshakeTrafficLabel = "c hs traffic" 26 serverHandshakeTrafficLabel = "s hs traffic" 27 clientApplicationTrafficLabel = "c ap traffic" 28 serverApplicationTrafficLabel = "s ap traffic" 29 exporterLabel = "exp master" 30 resumptionLabel = "res master" 31 trafficUpdateLabel = "traffic upd" 32 ) 33 34 // expandLabel implements HKDF-Expand-Label from RFC 8446, Section 7.1. 35 func (c *cipherSuiteTLS13) expandLabel(secret []byte, label string, context []byte, length int) []byte { 36 var hkdfLabel cryptobyte.Builder 37 hkdfLabel.AddUint16(uint16(length)) 38 hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 39 b.AddBytes([]byte("tls13 ")) 40 b.AddBytes([]byte(label)) 41 }) 42 hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 43 b.AddBytes(context) 44 }) 45 hkdfLabelBytes, err := hkdfLabel.Bytes() 46 if err != nil { 47 // Rather than calling BytesOrPanic, we explicitly handle this error, in 48 // order to provide a reasonable error message. It should be basically 49 // impossible for this to panic, and routing errors back through the 50 // tree rooted in this function is quite painful. The labels are fixed 51 // size, and the context is either a fixed-length computed hash, or 52 // parsed from a field which has the same length limitation. As such, an 53 // error here is likely to only be caused during development. 54 // 55 // NOTE: another reasonable approach here might be to return a 56 // randomized slice if we encounter an error, which would break the 57 // connection, but avoid panicking. This would perhaps be safer but 58 // significantly more confusing to users. 59 panic(fmt.Errorf("failed to construct HKDF label: %s", err)) 60 } 61 out := make([]byte, length) 62 n, err := hkdf.Expand(c.hash.New, secret, hkdfLabelBytes).Read(out) 63 if err != nil || n != length { 64 panic("tls: HKDF-Expand-Label invocation failed unexpectedly") 65 } 66 return out 67 } 68 69 // deriveSecret implements Derive-Secret from RFC 8446, Section 7.1. 70 func (c *cipherSuiteTLS13) deriveSecret(secret []byte, label string, transcript hash.Hash) []byte { 71 if transcript == nil { 72 transcript = c.hash.New() 73 } 74 return c.expandLabel(secret, label, transcript.Sum(nil), c.hash.Size()) 75 } 76 77 // extract implements HKDF-Extract with the cipher suite hash. 78 func (c *cipherSuiteTLS13) extract(newSecret, currentSecret []byte) []byte { 79 if newSecret == nil { 80 newSecret = make([]byte, c.hash.Size()) 81 } 82 return hkdf.Extract(c.hash.New, newSecret, currentSecret) 83 } 84 85 // nextTrafficSecret generates the next traffic secret, given the current one, 86 // according to RFC 8446, Section 7.2. 87 func (c *cipherSuiteTLS13) nextTrafficSecret(trafficSecret []byte) []byte { 88 return c.expandLabel(trafficSecret, trafficUpdateLabel, nil, c.hash.Size()) 89 } 90 91 // trafficKey generates traffic keys according to RFC 8446, Section 7.3. 92 func (c *cipherSuiteTLS13) trafficKey(trafficSecret []byte) (key, iv []byte) { 93 key = c.expandLabel(trafficSecret, "key", nil, c.keyLen) 94 iv = c.expandLabel(trafficSecret, "iv", nil, aeadNonceLength) 95 return 96 } 97 98 // finishedHash generates the Finished verify_data or PskBinderEntry according 99 // to RFC 8446, Section 4.4.4. See sections 4.4 and 4.2.11.2 for the baseKey 100 // selection. 101 func (c *cipherSuiteTLS13) finishedHash(baseKey []byte, transcript hash.Hash) []byte { 102 finishedKey := c.expandLabel(baseKey, "finished", nil, c.hash.Size()) 103 verifyData := hmac.New(c.hash.New, finishedKey) 104 verifyData.Write(transcript.Sum(nil)) 105 return verifyData.Sum(nil) 106 } 107 108 // exportKeyingMaterial implements RFC5705 exporters for TLS 1.3 according to 109 // RFC 8446, Section 7.5. 110 func (c *cipherSuiteTLS13) exportKeyingMaterial(masterSecret []byte, transcript hash.Hash) func(string, []byte, int) ([]byte, error) { 111 expMasterSecret := c.deriveSecret(masterSecret, exporterLabel, transcript) 112 return func(label string, context []byte, length int) ([]byte, error) { 113 secret := c.deriveSecret(expMasterSecret, label, nil) 114 h := c.hash.New() 115 h.Write(context) 116 return c.expandLabel(secret, "exporter", h.Sum(nil), length), nil 117 } 118 } 119 120 // generateECDHEKey returns a PrivateKey that implements Diffie-Hellman 121 // according to RFC 8446, Section 4.2.8.2. 122 func generateECDHEKey(rand io.Reader, curveID CurveID) (*ecdh.PrivateKey, error) { 123 curve, ok := curveForCurveID(curveID) 124 if !ok { 125 return nil, errors.New("tls: internal error: unsupported curve") 126 } 127 128 return curve.GenerateKey(rand) 129 } 130 131 func curveForCurveID(id CurveID) (ecdh.Curve, bool) { 132 switch id { 133 case X25519: 134 return ecdh.X25519(), true 135 case CurveP256: 136 return ecdh.P256(), true 137 case CurveP384: 138 return ecdh.P384(), true 139 case CurveP521: 140 return ecdh.P521(), true 141 default: 142 return nil, false 143 } 144 } 145 146 func curveIDForCurve(curve ecdh.Curve) (CurveID, bool) { 147 switch curve { 148 case ecdh.X25519(): 149 return X25519, true 150 case ecdh.P256(): 151 return CurveP256, true 152 case ecdh.P384(): 153 return CurveP384, true 154 case ecdh.P521(): 155 return CurveP521, true 156 default: 157 return 0, false 158 } 159 }