Support exporter secrets, as defined in RFC 5705 & 8446 #482
Conversation
|
I tested with (or against) openssl s_server -keymatexport test -- though that's only the client side I tested (with various protocol versions). |
| @@ -411,9 +414,11 @@ let epoch_of_session server peer_name protocol_version = function | |||
| let epoch : epoch_data = common_data_to_epoch session.common_session_data13 server peer_name in | |||
| { | |||
| epoch with | |||
| protocol_version = protocol_version ; | |||
There was a problem hiding this comment.
while here, I thought it'd be nice to actually include the TLS_1_3 in the epoch ;) (read: this was a bug before, and is fixed now)
| | #tls_before_13 as v -> | ||
| let seed = | ||
| let base = | ||
| match e.side with | ||
| | `Server -> Cstruct.append e.peer_random e.own_random | ||
| | `Client -> Cstruct.append e.own_random e.peer_random | ||
| in | ||
| match context with | ||
| | None -> base | ||
| | Some data -> | ||
| let len = Cstruct.create 2 in | ||
| Cstruct.BE.set_uint16 len 0 (String.length data); | ||
| Cstruct.concat [ base ; len ; Cstruct.of_string data ] | ||
| in | ||
| Handshake_crypto.pseudo_random_function v e.ciphersuite | ||
| length e.master_secret label seed |
There was a problem hiding this comment.
This looks convincing to me from RFC 5705.
| match e.protocol_version with | ||
| | `TLS_1_3 -> | ||
| let hash = | ||
| let cipher = Option.get (Ciphersuite.ciphersuite_to_ciphersuite13 e.ciphersuite) in |
There was a problem hiding this comment.
This is safe because we're on `TLS_1_3.
| Ciphersuite.hash13 cipher | ||
| in | ||
| let ems = e.exporter_master_secret in | ||
| let prk = |
There was a problem hiding this comment.
This is Derive-Secret(Secret, label, "")?
There was a problem hiding this comment.
yes, so, there's (from RFC 8446):
Derive-Secret(Secret, Label, Messages) =
HKDF-Expand-Label(Secret, Label,
Transcript-Hash(Messages), Hash.length)
and now:
let derive_secret_no_hash hash prk ?length ?(ctx = Cstruct.empty) label =
let length = match length with
| None -> Mirage_crypto.Hash.digest_size hash
| Some x -> x
in
let info = hkdflabel label ctx length in
trace "prk" prk ;
let key = Hkdf.expand ~hash ~prk ~info length in
trace ("derive_secret: " ^ label) key ;
keyso, derive-secret is indeed a Hkdf.expand with the secret (exporter_master_secret), and the "Messages" are "" -- this means we've to hash the empty string.
The only thing not discussed in here is the hkdflabel -- but that simply constructs the label out of label and context (well, and rfc 8446 again:
struct {
uint16 length = Length;
opaque label<7..255> = "tls13 " + Label;
opaque context<0..255> = Context;
} HkdfLabel;
and that's what the OCaml function hkdflabel does as well. ;)
| Handshake_crypto13.derive_secret_no_hash | ||
| hash prk ~ctx:(Mirage_crypto.Hash.digest hash ctx) | ||
| ~length "exporter" |
There was a problem hiding this comment.
And this is HKDF-Expand-Label(prk, "exporter", Hash(context_value), key_length)?
There was a problem hiding this comment.
short answer is yes, see the description above on that derive-secret is very similar (well, implemented in terms of hkdf-expand-label).
Co-authored-by: Reynir Björnsson <reynir@reynir.dk>
| let resumption_secret = Handshake_crypto13.resumption session.master_secret (log <+> mfin) in | ||
| let session = { session with resumption_secret ; client_app_secret ; server_app_secret } in | ||
| let exporter_master_secret = Handshake_crypto13.exporter session.master_secret log in | ||
| let resumption_secret = Handshake_crypto13.resumption session.master_secret (log <+> mfin) in |
There was a problem hiding this comment.
FWIW, RFC 8446 specifies the resumption secret to cover the client finished, while the exporter master secret only goes until server finished.
| @@ -342,7 +342,8 @@ let answer_client_hello ~hrr state ch raw = | |||
|
|
|||
| let session = | |||
| let common_session_data13 = { session'.common_session_data13 with master_secret = master_secret.secret } in | |||
| { session' with common_session_data13 ; master_secret (* TODO ; exporter_secret *) } | |||
| let exporter_master_secret = Handshake_crypto13.exporter session.master_secret log in | |||
There was a problem hiding this comment.
as mentioned above, the exporter secret only goes until the server finished, this is why we can nicely compute it here (and the resumption secret is computed at another place to include the client finished).
|
what is not part of this PR is the early_exporter_master_secret -- I thought I'd delay this until there's someone requesting it. |
|
@hannesm: Good job! Can you look for "tls-exporter"? Little details, to know easily:
Thanks in advance. |
Hello, I'd be curious what you mean by Best, Hannes |
CHANGES: * tls: provide Engine.export_key_material, which implements RFC 5705 (and 8446) TLS EKM (mirleft/ocaml-tls#482 @hannesm) * tls: fix protocol_version in Engine.epoch (TLS 1.3 always pretended TLS 1.0) (mirleft/ocaml-tls#482 @hannesm) * tls: add the side (`` `Client `` or `` `Server ``) to epoch_data (mirleft/ocaml-tls#482 @hannesm) * BREAKING tls: Engine.epoch - return result instead of custom variant (mirleft/ocaml-tls#483 @hannesm)
|
@Neustradamus if you need the RFC you mentioned above, please open a new issue with slightly more details: what and why should be supported by ocaml-tls. thanks a lot. |
|
@hannesm: I will do a new ticket like I have done for a lot of others projects ^^ Already a good job done! Linked to: |
CHANGES: * tls: provide Engine.export_key_material, which implements RFC 5705 (and 8446) TLS EKM (mirleft/ocaml-tls#482 @hannesm) * tls: fix protocol_version in Engine.epoch (TLS 1.3 always pretended TLS 1.0) (mirleft/ocaml-tls#482 @hannesm) * tls: add the side (`` `Client `` or `` `Server ``) to epoch_data (mirleft/ocaml-tls#482 @hannesm) * BREAKING tls: Engine.epoch - return result instead of custom variant (mirleft/ocaml-tls#483 @hannesm)
//cc @reynir