-
Notifications
You must be signed in to change notification settings - Fork 67
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support exporter secrets, as defined in RFC 5705 & 8446 #482
Conversation
I tested with (or against) openssl s_server -keymatexport test -- though that's only the client side I tested (with various protocol versions). |
@@ -411,9 +414,11 @@ let epoch_of_session server peer_name protocol_version = function | |||
let epoch : epoch_data = common_data_to_epoch session.common_session_data13 server peer_name in | |||
{ | |||
epoch with | |||
protocol_version = protocol_version ; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
while here, I thought it'd be nice to actually include the TLS_1_3 in the epoch ;) (read: this was a bug before, and is fixed now)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the TLS<1.3 looks convincing. For TLS 1.3 I need to dig through the relevant RFCs a bit more to understand it, but I don't see anything concerning :-)
| #tls_before_13 as v -> | ||
let seed = | ||
let base = | ||
match e.side with | ||
| `Server -> Cstruct.append e.peer_random e.own_random | ||
| `Client -> Cstruct.append e.own_random e.peer_random | ||
in | ||
match context with | ||
| None -> base | ||
| Some data -> | ||
let len = Cstruct.create 2 in | ||
Cstruct.BE.set_uint16 len 0 (String.length data); | ||
Cstruct.concat [ base ; len ; Cstruct.of_string data ] | ||
in | ||
Handshake_crypto.pseudo_random_function v e.ciphersuite | ||
length e.master_secret label seed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks convincing to me from RFC 5705.
match e.protocol_version with | ||
| `TLS_1_3 -> | ||
let hash = | ||
let cipher = Option.get (Ciphersuite.ciphersuite_to_ciphersuite13 e.ciphersuite) in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is safe because we're on `TLS_1_3
.
Ciphersuite.hash13 cipher | ||
in | ||
let ems = e.exporter_master_secret in | ||
let prk = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is Derive-Secret(Secret, label, "")
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, so, there's (from RFC 8446):
Derive-Secret(Secret, Label, Messages) =
HKDF-Expand-Label(Secret, Label,
Transcript-Hash(Messages), Hash.length)
and now:
let derive_secret_no_hash hash prk ?length ?(ctx = Cstruct.empty) label =
let length = match length with
| None -> Mirage_crypto.Hash.digest_size hash
| Some x -> x
in
let info = hkdflabel label ctx length in
trace "prk" prk ;
let key = Hkdf.expand ~hash ~prk ~info length in
trace ("derive_secret: " ^ label) key ;
key
so, derive-secret is indeed a Hkdf.expand
with the secret (exporter_master_secret), and the "Messages" are "" -- this means we've to hash the empty string.
The only thing not discussed in here is the hkdflabel
-- but that simply constructs the label out of label and context (well, and rfc 8446 again:
struct {
uint16 length = Length;
opaque label<7..255> = "tls13 " + Label;
opaque context<0..255> = Context;
} HkdfLabel;
and that's what the OCaml function hkdflabel
does as well. ;)
Handshake_crypto13.derive_secret_no_hash | ||
hash prk ~ctx:(Mirage_crypto.Hash.digest hash ctx) | ||
~length "exporter" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And this is HKDF-Expand-Label(prk, "exporter", Hash(context_value), key_length)
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
short answer is yes, see the description above on that derive-secret is very similar (well, implemented in terms of hkdf-expand-label).
Co-authored-by: Reynir Björnsson <reynir@reynir.dk>
let resumption_secret = Handshake_crypto13.resumption session.master_secret (log <+> mfin) in | ||
let session = { session with resumption_secret ; client_app_secret ; server_app_secret } in | ||
let exporter_master_secret = Handshake_crypto13.exporter session.master_secret log in | ||
let resumption_secret = Handshake_crypto13.resumption session.master_secret (log <+> mfin) in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FWIW, RFC 8446 specifies the resumption secret to cover the client finished, while the exporter master secret only goes until server finished.
@@ -342,7 +342,8 @@ let answer_client_hello ~hrr state ch raw = | |||
|
|||
let session = | |||
let common_session_data13 = { session'.common_session_data13 with master_secret = master_secret.secret } in | |||
{ session' with common_session_data13 ; master_secret (* TODO ; exporter_secret *) } | |||
let exporter_master_secret = Handshake_crypto13.exporter session.master_secret log in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as mentioned above, the exporter secret only goes until the server finished, this is why we can nicely compute it here (and the resumption secret is computed at another place to include the client finished).
what is not part of this PR is the early_exporter_master_secret -- I thought I'd delay this until there's someone requesting it. |
@hannesm: Good job! Can you look for "tls-exporter"? Little details, to know easily:
Thanks in advance. |
Hello, I'd be curious what you mean by Best, Hannes |
CHANGES: * tls: provide Engine.export_key_material, which implements RFC 5705 (and 8446) TLS EKM (mirleft/ocaml-tls#482 @hannesm) * tls: fix protocol_version in Engine.epoch (TLS 1.3 always pretended TLS 1.0) (mirleft/ocaml-tls#482 @hannesm) * tls: add the side (`` `Client `` or `` `Server ``) to epoch_data (mirleft/ocaml-tls#482 @hannesm) * BREAKING tls: Engine.epoch - return result instead of custom variant (mirleft/ocaml-tls#483 @hannesm)
@Neustradamus if you need the RFC you mentioned above, please open a new issue with slightly more details: what and why should be supported by ocaml-tls. thanks a lot. |
@hannesm: I will do a new ticket like I have done for a lot of others projects ^^ Already a good job done! Linked to: |
CHANGES: * tls: provide Engine.export_key_material, which implements RFC 5705 (and 8446) TLS EKM (mirleft/ocaml-tls#482 @hannesm) * tls: fix protocol_version in Engine.epoch (TLS 1.3 always pretended TLS 1.0) (mirleft/ocaml-tls#482 @hannesm) * tls: add the side (`` `Client `` or `` `Server ``) to epoch_data (mirleft/ocaml-tls#482 @hannesm) * BREAKING tls: Engine.epoch - return result instead of custom variant (mirleft/ocaml-tls#483 @hannesm)
//cc @reynir