Source file src/crypto/tls/key_schedule.go

     1  // Copyright 2018 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"crypto/ecdh"
     9  	"crypto/hmac"
    10  	"crypto/internal/fips140/mlkem"
    11  	"crypto/internal/fips140/tls13"
    12  	"errors"
    13  	"hash"
    14  	"io"
    15  )
    16  
    17  // This file contains the functions necessary to compute the TLS 1.3 key
    18  // schedule. See RFC 8446, Section 7.
    19  
    20  // nextTrafficSecret generates the next traffic secret, given the current one,
    21  // according to RFC 8446, Section 7.2.
// nextTrafficSecret derives the successor of trafficSecret for a KeyUpdate,
// per RFC 8446, Section 7.2:
//
//	application_traffic_secret_N+1 =
//	    HKDF-Expand-Label(application_traffic_secret_N, "traffic upd", "", Hash.length)
//
// The input secret is only read; it is neither modified nor zeroed here, so
// the caller owns retiring the old secret once the new keys are installed.
func (c *cipherSuiteTLS13) nextTrafficSecret(trafficSecret []byte) []byte {
	const label = "traffic upd"
	outLen := c.hash.Size()
	return tls13.ExpandLabel(c.hash.New, trafficSecret, label, nil, outLen)
}
    25  
    26  // trafficKey generates traffic keys according to RFC 8446, Section 7.3.
// trafficKey derives the AEAD write key and IV from a traffic secret, per
// RFC 8446, Section 7.3:
//
//	[sender]_write_key = HKDF-Expand-Label(Secret, "key", "", key_length)
//	[sender]_write_iv  = HKDF-Expand-Label(Secret, "iv", "", iv_length)
//
// key is c.keyLen bytes (suite dependent); iv is always aeadNonceLength
// bytes, since RFC 8446 fixes iv_length to the AEAD nonce length. Combining
// the IV with the record sequence number (Section 5.3) happens elsewhere.
func (c *cipherSuiteTLS13) trafficKey(trafficSecret []byte) (key, iv []byte) {
	// Both outputs share the same secret, empty context and hash; only the
	// label and the requested length differ.
	expand := func(label string, n int) []byte {
		return tls13.ExpandLabel(c.hash.New, trafficSecret, label, nil, n)
	}
	key = expand("key", c.keyLen)
	iv = expand("iv", aeadNonceLength)
	return key, iv
}
    32  
    33  // finishedHash generates the Finished verify_data or PskBinderEntry according
    34  // to RFC 8446, Section 4.4.4. See sections 4.4 and 4.2.11.2 for the baseKey
    35  // selection.
// finishedHash computes the Finished verify_data (RFC 8446, Section 4.4.4)
// or, with the binder key as baseKey, a PskBinderEntry (Section 4.2.11.2):
//
//	finished_key = HKDF-Expand-Label(BaseKey, "finished", "", Hash.length)
//	verify_data  = HMAC(finished_key, Transcript-Hash(Handshake Context, ...))
//
// baseKey selection (handshake traffic secret vs. binder key) is the
// caller's job, as described in Sections 4.4 and 4.2.11.2. transcript is
// only snapshotted via Sum, which leaves its running state untouched, so
// the caller may keep appending to it afterwards.
func (c *cipherSuiteTLS13) finishedHash(baseKey []byte, transcript hash.Hash) []byte {
	transcriptHash := transcript.Sum(nil)

	finishedKey := tls13.ExpandLabel(c.hash.New, baseKey, "finished", nil, c.hash.Size())
	mac := hmac.New(c.hash.New, finishedKey)
	// hash.Hash.Write never returns an error, so the result is not checked.
	mac.Write(transcriptHash)
	return mac.Sum(nil)
}
    42  
    43  // exportKeyingMaterial implements RFC5705 exporters for TLS 1.3 according to
    44  // RFC 8446, Section 7.5.
// exportKeyingMaterial returns an RFC 5705 exporter function for TLS 1.3,
// per RFC 8446, Section 7.5. The exporter_master_secret is derived once,
// up front, from the master secret and the transcript at the point of the
// call; every invocation of the returned closure then derives fresh output
// from that fixed secret for the given label, context and length. The
// receiver is not used: the hash is carried by the tls13 secret types.
//
// The closure never fails itself; the error result exists to satisfy the
// exported Exporter signature. Any validation of label, context or length
// lives in tls13.ExporterMasterSecret.Exporter (not visible here).
func (c *cipherSuiteTLS13) exportKeyingMaterial(s *tls13.MasterSecret, transcript hash.Hash) func(string, []byte, int) ([]byte, error) {
	exporterSecret := s.ExporterMasterSecret(transcript)

	exporter := func(label string, context []byte, length int) ([]byte, error) {
		out := exporterSecret.Exporter(label, context, length)
		return out, nil
	}
	return exporter
}
    51  
// keySharePrivateKeys holds the private half of a key share generated for a
// TLS 1.3 handshake. This file only shows how the ecdhe field is produced
// (see generateECDHEKey); which fields are populated for a given group, and
// when they are cleared, is decided by the handshake code elsewhere.
type keySharePrivateKeys struct {
	// curveID identifies the group the share was generated for.
	curveID CurveID
	// ecdhe is the ECDH private key for X25519 or a NIST curve.
	ecdhe *ecdh.PrivateKey
	// mlkem is an ML-KEM-768 decapsulation key — presumably set only for the
	// hybrid post-quantum key share; NOTE(review): not used in this file,
	// confirm lifetime and zeroization against the handshake code.
	mlkem *mlkem.DecapsulationKey768
}
    57  
// x25519PublicKeySize is the length in bytes of an X25519 public key
// (RFC 7748). Nothing in this file reads it; presumably the handshake code
// uses it to bound-check the peer's key_exchange field before parsing.
const x25519PublicKeySize = 32
    59  
    60  // generateECDHEKey returns a PrivateKey that implements Diffie-Hellman
    61  // according to RFC 8446, Section 4.2.8.2.
// generateECDHEKey generates a fresh ephemeral (EC)DHE private key for the
// group identified by curveID, as used for key_share (RFC 8446, Section
// 4.2.8.2). rand is passed straight through to the ecdh curve's GenerateKey,
// so the quality of the key depends entirely on the reader the caller
// supplies. An unsupported curveID is reported as an internal error: callers
// are expected to have filtered the ID through curveForCurveID (or the
// supported-groups negotiation) before reaching this point.
func generateECDHEKey(rand io.Reader, curveID CurveID) (*ecdh.PrivateKey, error) {
	if curve, supported := curveForCurveID(curveID); supported {
		return curve.GenerateKey(rand)
	}
	return nil, errors.New("tls: internal error: unsupported curve")
}
    70  
// curveForCurveID maps a TLS NamedGroup identifier to the crypto/ecdh curve
// implementing it. The second result is false for any ID not in the table
// below; note that hybrid groups (ML-KEM based) are not ECDH curves and are
// intentionally absent, so callers must handle them before calling this.
func curveForCurveID(id CurveID) (ecdh.Curve, bool) {
	var curve ecdh.Curve
	switch id {
	case X25519:
		curve = ecdh.X25519()
	case CurveP256:
		curve = ecdh.P256()
	case CurveP384:
		curve = ecdh.P384()
	case CurveP521:
		curve = ecdh.P521()
	default:
		return nil, false
	}
	return curve, true
}
    85  
// curveIDForCurve is the inverse of curveForCurveID: it maps a crypto/ecdh
// curve back to its TLS NamedGroup identifier. The comparison relies on the
// documented guarantee that ecdh.X25519, ecdh.P256, etc. return the same
// value on every call, which makes them usable as switch cases. Any other
// curve value yields (0, false).
func curveIDForCurve(curve ecdh.Curve) (CurveID, bool) {
	var id CurveID
	switch curve {
	case ecdh.X25519():
		id = X25519
	case ecdh.P256():
		id = CurveP256
	case ecdh.P384():
		id = CurveP384
	case ecdh.P521():
		id = CurveP521
	default:
		return 0, false
	}
	return id, true
}
   100  
