authorPéter Dimitrov <[email protected]>2019-01-15 18:29:48 +0100
committerPéter Dimitrov <[email protected]>2019-01-28 09:37:07 +0100
commita0d770fb9979c295fd0b9f69c9c558e3b8250072 (patch)
treedb83fe2e3eab50842dc62e58bb4c975761aa6c78 /lib/ssl
parent9cdc4cb22a4465709e347c07f240fd6e3a74b490 (diff)
ssl: Fix key schedule and traffic keys
Fix key schedule and traffic key calculation. Add test for the server side calculation of shared secrets and traffic keys. Change-Id: Ia955e5e8787f3851bdb3170723e6586bdf4548ca
Diffstat (limited to 'lib/ssl')
-rw-r--r--lib/ssl/src/tls_handshake_1_3.erl3
-rw-r--r--lib/ssl/src/tls_v1.erl21
-rw-r--r--lib/ssl/test/ssl_basic_SUITE.erl293
3 files changed, 308 insertions, 9 deletions
diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl
index e04242410e..25d495ed3f 100644
--- a/lib/ssl/src/tls_handshake_1_3.erl
+++ b/lib/ssl/src/tls_handshake_1_3.erl
@@ -476,7 +476,8 @@ calculate_security_parameters(ClientKey, SelectedGroup, KeyShare,
cipher_suite = CipherSuite} = SecParamsR,
%% Calculate handshake_secret
- EarlySecret = tls_v1:key_schedule(early_secret, HKDFAlgo , {psk, <<>>}),
+ PSK = binary:copy(<<0>>, ssl_cipher:hash_size(HKDFAlgo)),
+ EarlySecret = tls_v1:key_schedule(early_secret, HKDFAlgo , {psk, PSK}),
PrivateKey = get_server_private_key(KeyShare), %% #'ECPrivateKey'{}
IKM = calculate_shared_secret(ClientKey, PrivateKey, SelectedGroup),
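Review bot: The new `PSK = binary:copy(<<0>>, ssl_cipher:hash_size(HKDFAlgo))` line is the correct substitute when no PSK is in use, but nothing in the hunk says why a hash-length run of zero bytes is the right value, and the existing `%% Calculate handshake_secret` comment does not cover it. Add `%% No PSK negotiated: RFC 8446 Section 7.1 uses a string of Hash.length zero bytes as the PSK input to the early secret` above it so the constant is not mistaken for a placeholder. calculate_security_parameters starts before this hunk and continues after it, so the surrounding binding of HKDFAlgo is not visible here.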
diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl
index df2a421bce..d1a62696cc 100644
--- a/lib/ssl/src/tls_v1.erl
+++ b/lib/ssl/src/tls_v1.erl
@@ -37,7 +37,7 @@
groups/1, groups/2, group_to_enum/1, enum_to_group/1, default_groups/1]).
-export([derive_secret/4, hkdf_expand_label/5, hkdf_extract/3, hkdf_expand/4,
- key_schedule/3, key_schedule/4,
+ key_schedule/3, key_schedule/4, create_info/3,
external_binder_key/2, resumption_binder_key/2,
client_early_traffic_secret/3, early_exporter_master_secret/3,
client_handshake_traffic_secret/3, server_handshake_traffic_secret/3,
@@ -74,18 +74,24 @@ derive_secret(Secret, Label, Messages, Algo) ->
Context::binary(), Length::integer(),
Algo::ssl_cipher_format:hash()) -> KeyingMaterial::binary().
hkdf_expand_label(Secret, Label0, Context, Length, Algo) ->
+ HkdfLabel = create_info(Label0, Context, Length),
+ hkdf_expand(Secret, HkdfLabel, Length, Algo).
+
+%% Create info parameter for HKDF-Expand:
+%% HKDF-Expand(PRK, info, L) -> OKM
+create_info(Label0, Context0, Length) ->
%% struct {
%% uint16 length = Length;
%% opaque label<7..255> = "tls13 " + Label;
%% opaque context<0..255> = Context;
%% } HkdfLabel;
Label1 = << <<"tls13 ">>/binary, Label0/binary>>,
- LLen = size(Label1),
- Label = <<?BYTE(LLen), Label1/binary>>,
+ LabelLen = size(Label1),
+ Label = <<?BYTE(LabelLen), Label1/binary>>,
+ ContextLen = size(Context0),
+ Context = <<?BYTE(ContextLen),Context0/binary>>,
Content = <<Label/binary, Context/binary>>,
- Len = size(Content),
- HkdfLabel = <<?UINT16(Len), Content/binary>>,
- hkdf_expand(Secret, HkdfLabel, Length, Algo).
+ <<?UINT16(Length), Content/binary>>.
-spec hkdf_extract(MacAlg::ssl_cipher_format:hash(), Salt::binary(),
KeyingMaterial::binary()) -> PseudoRandKey::binary().
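Review bot: create_info/3 is newly exported (see the export-list hunk earlier in this file) but has no `-spec`, unlike its neighbours hkdf_expand_label and hkdf_extract; add `-spec create_info(Label::binary(), Context::binary(), Length::integer()) -> HkdfLabel::binary().` above the definition. The `%% Create info parameter for HKDF-Expand` comment should also state that the leading uint16 carries the requested output Length and not the size of the struct, since that is precisely the fix this commit makes and the next reader may "correct" it back. The two `size(...)` calls on Label1 and Context0 read better as `byte_size/1`, which is what the module's own types promise. The ?BYTE fields for the label and context lengths presumably truncate silently above 255; callers here pass fixed labels and hash-sized contexts so this cannot trigger, but the comment could say so.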
@@ -394,7 +400,8 @@ update_traffic_secret(Algo, Secret) ->
-spec calculate_traffic_keys(atom(), atom(), binary()) -> {binary(), binary()}.
calculate_traffic_keys(HKDFAlgo, Cipher, Secret) ->
Key = hkdf_expand_label(Secret, <<"key">>, <<>>, ssl_cipher:key_material(Cipher), HKDFAlgo),
- IV = hkdf_expand_label(Secret, <<"iv">>, <<>>, ssl_cipher:key_material(Cipher), HKDFAlgo),
+ %% TODO: remove hard coded IV size
+ IV = hkdf_expand_label(Secret, <<"iv">>, <<>>, 12, HKDFAlgo),
{Key, IV}.
%% TLS v1.3 ---------------------------------------------------
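Review bot: The literal `12` on the new IV line is the right value but the `%% TODO: remove hard coded IV size` above it leaves the reader unsure whether it is a placeholder; every AEAD that TLS 1.3 can negotiate (AES-GCM, AES-CCM, ChaCha20-Poly1305) uses a 12 octet nonce, so either replace the TODO with `%% iv_length is 12 for all TLS 1.3 AEAD ciphers (RFC 8446 Section 7.3, RFC 5116)` or keep it and name the cipher-table accessor the value should eventually come from. The `-spec calculate_traffic_keys(atom(), atom(), binary())` just above types both HKDFAlgo and Cipher as bare `atom()`, whereas the other specs in this diff use `ssl_cipher_format:hash()` for the HKDF algorithm; `-spec calculate_traffic_keys(ssl_cipher_format:hash(), atom(), binary()) -> {binary(), binary()}.` would let Dialyzer check the call sites.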
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 0727505dde..32a336bab7 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -272,7 +272,8 @@ rizzo_tests() ->
tls13_test_group() ->
[tls13_enable_client_side,
tls13_enable_server_side,
- tls_record_1_3_encode_decode].
+ tls_record_1_3_encode_decode,
+ tls13_key_schedule].
%%--------------------------------------------------------------------
init_per_suite(Config0) ->
@@ -4533,6 +4534,277 @@ tls_record_1_3_encode_decode(_Config) ->
ct:log("Decoded: ~p ~n", [DecodedText]),
ok.
+tls13_key_schedule() ->
+ [{doc,"Test TLS 1.3 key schedule"}].
+
+tls13_key_schedule(_Config) ->
+ %% {client} construct a ClientHello handshake message:
+ %%
+ %% ClientHello (196 octets): 01 00 00 c0 03 03 cb 34 ec b1 e7 81 63
+ %% ba 1c 38 c6 da cb 19 6a 6d ff a2 1a 8d 99 12 ec 18 a2 ef 62 83
+ %% 02 4d ec e7 00 00 06 13 01 13 03 13 02 01 00 00 91 00 00 00 0b
+ %% 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00
+ %% 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23
+ %% 00 00 00 33 00 26 00 24 00 1d 00 20 99 38 1d e5 60 e4 bd 43 d2
+ %% 3d 8e 43 5a 7d ba fe b3 c0 6e 51 c1 3c ae 4d 54 13 69 1e 52 9a
+ %% af 2c 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03
+ %% 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06
+ %% 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01
+ ClientHello =
+ hexstr2bin("010000c0" "0303cb34" "ecb1e781" "63ba1c38"
+ "c6dacb19" "6a6dffa2" "1a8d9912" "ec18a2ef"
+ "6283024d" "ece70000" "06130113" "03130201"
+ "00009100" "00000b00" "09000006" "73657276"
+ "6572ff01" "00010000" "0a001400" "12001d00"
+ "17001800" "19010001" "01010201" "03010400"
+ "23000000" "33002600" "24001d00" "2099381d"
+ "e560e4bd" "43d23d8e" "435a7dba" "feb3c06e"
+ "51c13cae" "4d541369" "1e529aaf" "2c002b00"
+ "03020304" "000d0020" "001e0403" "05030603"
+ "02030804" "08050806" "04010501" "06010201"
+ "04020502" "06020202" "002d0002" "0101001c"
+ "00024001"),
+
+ %% {server} extract secret "early":
+ %%
+ %% salt: 0 (all zero octets)
+ %%
+ %% IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ %% 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ %%
+ %% secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
+ %% e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
+ HKDFAlgo = sha256,
+ Salt = binary:copy(<<?BYTE(0)>>, 32),
+ IKM = binary:copy(<<?BYTE(0)>>, 32),
+ EarlySecret =
+ hexstr2bin("33ad0a1c" "607ec03b" "09e6cd98" "93680ce2"
+ "10adf300" "aa1f2660" "e1b22e10" "f170f92a"),
+ {early_secret, EarlySecret} = tls_v1:key_schedule(early_secret, HKDFAlgo, {psk, Salt}),
+
+ %% Get 'ECPrivateKey'{}
+ %%
+ %% -record('ECPrivateKey', {
+ %% version,
+ %% privateKey,
+ %% parameters = asn1_NOVALUE,
+ %% publicKey = asn1_NOVALUE
+ %% }).
+
+ %% {client} create an ephemeral x25519 key pair:
+ %%
+ %% private key (32 octets): 49 af 42 ba 7f 79 94 85 2d 71 3e f2 78
+ %% 4b cb ca a7 91 1d e2 6a dc 56 42 cb 63 45 40 e7 ea 50 05
+ %%
+ %% public key (32 octets): 99 38 1d e5 60 e4 bd 43 d2 3d 8e 43 5a 7d
+ %% ba fe b3 c0 6e 51 c1 3c ae 4d 54 13 69 1e 52 9a af 2c
+ CPublicKey =
+ hexstr2bin("99381de5" "60e4bd43" "d23d8e43" "5a7dbafe"
+ "b3c06e51" "c13cae4d" "5413691e" "529aaf2c"),
+
+ %% {server} create an ephemeral x25519 key pair:
+ %%
+ %% private key (32 octets): b1 58 0e ea df 6d d5 89 b8 ef 4f 2d 56
+ %% 52 57 8c c8 10 e9 98 01 91 ec 8d 05 83 08 ce a2 16 a2 1e
+ %%
+ %% public key (32 octets): c9 82 88 76 11 20 95 fe 66 76 2b db f7 c6
+ %% 72 e1 56 d6 cc 25 3b 83 3d f1 dd 69 b1 b0 4e 75 1f 0f
+ SPrivateKey =
+ hexstr2bin("b1580eea" "df6dd589" "b8ef4f2d" "5652578c"
+ "c810e998" "0191ec8d" "058308ce" "a216a21e"),
+ SPublicKey =
+ hexstr2bin("c9828876" "112095fe" "66762bdb" "f7c672e1"
+ "56d6cc25" "3b833df1" "dd69b1b0" "4e751f0f"),
+
+ %% {server} construct a ServerHello handshake message:
+ %%
+ %% ServerHello (90 octets): 02 00 00 56 03 03 a6 af 06 a4 12 18 60
+ %% dc 5e 6e 60 24 9c d3 4c 95 93 0c 8a c5 cb 14 34 da c1 55 77 2e
+ %% d3 e2 69 28 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 c9 82 88
+ %% 76 11 20 95 fe 66 76 2b db f7 c6 72 e1 56 d6 cc 25 3b 83 3d f1
+ %% dd 69 b1 b0 4e 75 1f 0f 00 2b 00 02 03 04
+ ServerHello =
+ hexstr2bin("02000056" "0303a6af" "06a41218" "60dc5e6e"
+ "60249cd3" "4c95930c" "8ac5cb14" "34dac155"
+ "772ed3e2" "69280013" "0100002e" "00330024"
+ "001d0020" "c9828876" "112095fe" "66762bdb"
+ "f7c672e1" "56d6cc25" "3b833df1" "dd69b1b0"
+ "4e751f0f" "002b0002" "0304"),
+
+ %% {server} derive secret for handshake "tls13 derived":
+ %%
+ %% PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
+ %% 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
+ %%
+ %% hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
+ %% 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+ %%
+ %% info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
+ %% 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
+ %% 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+ %%
+ %% expanded (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
+ %% b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba
+ Hash =
+ hexstr2bin("e3b0c442" "98fc1c14" "9afbf4c8" "996fb924"
+ "27ae41e4" "649b934c" "a495991b" "7852b855"),
+ Hash = crypto:hash(HKDFAlgo, <<>>),
+
+ Info =
+ hexstr2bin("00200d74" "6c733133" "20646572" "69766564"
+ "20e3b0c4" "4298fc1c" "149afbf4" "c8996fb9"
+ "2427ae41" "e4649b93" "4ca49599" "1b7852b8"
+ "55"),
+ Info = tls_v1:create_info(<<"derived">>, Hash, ssl_cipher:hash_size(HKDFAlgo)),
+
+ Expanded =
+ hexstr2bin("6f2615a1" "08c702c5" "678f54fc" "9dbab697"
+ "16c07618" "9c48250c" "ebeac357" "6c3611ba"),
+
+ Expanded = tls_v1:derive_secret(EarlySecret, <<"derived">>, <<>>, HKDFAlgo),
+
+ %% {server} extract secret "handshake":
+ %%
+ %% salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
+ %% 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba
+ %%
+ %% IKM (32 octets): 8b d4 05 4f b5 5b 9d 63 fd fb ac f9 f0 4b 9f 0d
+ %% 35 e6 d6 3f 53 75 63 ef d4 62 72 90 0f 89 49 2d
+ %%
+ %% secret (32 octets): 1d c8 26 e9 36 06 aa 6f dc 0a ad c1 2f 74 1b
+ %% 01 04 6a a6 b9 9f 69 1e d2 21 a9 f0 ca 04 3f be ac
+
+ %% salt = Expanded
+ HandshakeIKM =
+ hexstr2bin("8bd4054f" "b55b9d63" "fdfbacf9" "f04b9f0d"
+ "35e6d63f" "537563ef" "d4627290" "0f89492d"),
+
+ HandshakeSecret =
+ hexstr2bin("1dc826e9" "3606aa6f" "dc0aadc1" "2f741b01"
+ "046aa6b9" "9f691ed2" "21a9f0ca" "043fbeac"),
+
+ HandshakeIKM = crypto:compute_key(ecdh, CPublicKey, SPrivateKey, x25519),
+
+ {handshake_secret, HandshakeSecret} =
+ tls_v1:key_schedule(handshake_secret, HKDFAlgo, HandshakeIKM,
+ {early_secret, EarlySecret}),
+
+ %% {server} derive secret "tls13 c hs traffic":
+ %%
+ %% PRK (32 octets): 1d c8 26 e9 36 06 aa 6f dc 0a ad c1 2f 74 1b 01
+ %% 04 6a a6 b9 9f 69 1e d2 21 a9 f0 ca 04 3f be ac
+ %%
+ %% hash (32 octets): 86 0c 06 ed c0 78 58 ee 8e 78 f0 e7 42 8c 58 ed
+ %% d6 b4 3f 2c a3 e6 e9 5f 02 ed 06 3c f0 e1 ca d8
+ %%
+ %% info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
+ %% 61 66 66 69 63 20 86 0c 06 ed c0 78 58 ee 8e 78 f0 e7 42 8c 58
+ %% ed d6 b4 3f 2c a3 e6 e9 5f 02 ed 06 3c f0 e1 ca d8
+ %%
+ %% expanded (32 octets): b3 ed db 12 6e 06 7f 35 a7 80 b3 ab f4 5e
+ %% 2d 8f 3b 1a 95 07 38 f5 2e 96 00 74 6a 0e 27 a5 5a 21
+
+ %% PRK = HandshakeSecret
+ CHSTHash =
+ hexstr2bin("860c06ed" "c07858ee" "8e78f0e7" "428c58ed"
+ "d6b43f2c" "a3e6e95f" "02ed063c" "f0e1cad8"),
+ CHSTInfo =
+ hexstr2bin("00201274" "6c733133" "20632068" "73207472"
+ "61666669" "6320860c" "06edc078" "58ee8e78"
+ "f0e7428c" "58edd6b4" "3f2ca3e6" "e95f02ed"
+ "063cf0e1" "cad8"),
+
+ CHSTrafficSecret =
+ hexstr2bin("b3eddb12" "6e067f35" "a780b3ab" "f45e2d8f"
+ "3b1a9507" "38f52e96" "00746a0e" "27a55a21"),
+
+ CHSH = <<ClientHello/binary,ServerHello/binary>>,
+ CHSTHash = crypto:hash(HKDFAlgo, CHSH),
+ CHSTInfo = tls_v1:create_info(<<"c hs traffic">>, CHSTHash, ssl_cipher:hash_size(HKDFAlgo)),
+
+ CHSTrafficSecret =
+ tls_v1:client_handshake_traffic_secret(HKDFAlgo, {handshake_secret, HandshakeSecret}, CHSH),
+
+ %% {server} derive secret "tls13 s hs traffic":
+ %%
+ %% PRK (32 octets): 1d c8 26 e9 36 06 aa 6f dc 0a ad c1 2f 74 1b 01
+ %% 04 6a a6 b9 9f 69 1e d2 21 a9 f0 ca 04 3f be ac
+ %%
+ %% hash (32 octets): 86 0c 06 ed c0 78 58 ee 8e 78 f0 e7 42 8c 58 ed
+ %% d6 b4 3f 2c a3 e6 e9 5f 02 ed 06 3c f0 e1 ca d8
+ %%
+ %% info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
+ %% 61 66 66 69 63 20 86 0c 06 ed c0 78 58 ee 8e 78 f0 e7 42 8c 58
+ %% ed d6 b4 3f 2c a3 e6 e9 5f 02 ed 06 3c f0 e1 ca d8
+ %%
+ %% expanded (32 octets): b6 7b 7d 69 0c c1 6c 4e 75 e5 42 13 cb 2d
+ %% 37 b4 e9 c9 12 bc de d9 10 5d 42 be fd 59 d3 91 ad 38
+
+ %% PRK = HandshakeSecret
+ %% hash = CHSTHash
+ SHSTInfo =
+ hexstr2bin("00201274" "6c733133" "20732068" "73207472"
+ "61666669" "6320860c" "06edc078" "58ee8e78"
+ "f0e7428c" "58edd6b4" "3f2ca3e6" "e95f02ed"
+ "063cf0e1" "cad8"),
+
+ SHSTrafficSecret =
+ hexstr2bin("b67b7d69" "0cc16c4e" "75e54213" "cb2d37b4"
+ "e9c912bc" "ded9105d" "42befd59" "d391ad38"),
+
+ SHSTInfo = tls_v1:create_info(<<"s hs traffic">>, CHSTHash, ssl_cipher:hash_size(HKDFAlgo)),
+
+ SHSTrafficSecret =
+ tls_v1:server_handshake_traffic_secret(HKDFAlgo, {handshake_secret, HandshakeSecret}, CHSH),
+
+ %% {server} derive write traffic keys for handshake data:
+ %%
+ %% PRK (32 octets): b6 7b 7d 69 0c c1 6c 4e 75 e5 42 13 cb 2d 37 b4
+ %% e9 c9 12 bc de d9 10 5d 42 be fd 59 d3 91 ad 38
+ %%
+ %% key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+ %%
+ %% key expanded (16 octets): 3f ce 51 60 09 c2 17 27 d0 f2 e4 e8 6e
+ %% e4 03 bc
+ %%
+ %% iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+ %%
+ %% iv expanded (12 octets): 5d 31 3e b2 67 12 76 ee 13 00 0b 30
+
+ %% PRK = SHSTrafficSecret
+ WriteKeyInfo =
+ hexstr2bin("00100974" "6c733133" "206b6579" "00"),
+
+ WriteKey =
+ hexstr2bin("3fce5160" "09c21727" "d0f2e4e8" "6ee403bc"),
+
+ WriteIVInfo =
+ hexstr2bin("000c0874" "6c733133" "20697600"),
+
+ WriteIV =
+ hexstr2bin("5d313eb2" "671276ee" "13000b30"),
+
+ Cipher = aes_128_gcm, %% TODO: get from ServerHello
+
+ WriteKeyInfo = tls_v1:create_info(<<"key">>, <<>>, ssl_cipher:key_material(Cipher)),
+ %% TODO: remove hardcoded IV size
+ WriteIVInfo = tls_v1:create_info(<<"iv">>, <<>>, 12),
+
+ {WriteKey, WriteIV} = tls_v1:calculate_traffic_keys(HKDFAlgo, Cipher, SHSTrafficSecret).
+
+
+
+create_info(Label0, Context0) ->
+ Label1 = << <<"tls13 ">>/binary, Label0/binary>>,
+ LLen = size(Label1),
+ Label = <<?BYTE(LLen), Label1/binary>>,
+ CLen = size(Context0),
+ Context = <<?BYTE(CLen),Context0/binary>>,
+ Content = <<Label/binary, Context/binary>>,
+ Len = size(Content),
+ HkdfLabel = <<?UINT16(32), Content/binary>>.
+
+
%%--------------------------------------------------------------------
%% Internal functions ------------------------------------------------
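Review bot: The `create_info/2` defined after the test case (the block starting `create_info(Label0, Context0) ->`) is dead code: the test calls `tls_v1:create_info/3`, the local function is not exported or referenced, its `Len` and `HkdfLabel` bindings are never read, and it hard-codes `?UINT16(32)`, so it only produces unused-function and unused-variable warnings — delete it. In the early-secret step `Salt = binary:copy(<<?BYTE(0)>>, 32)` is passed as `{psk, Salt}` while `IKM` is bound and never used; the vector's own comment says the 32 zero octets are the IKM (the PSK) and the zero salt is internal to HKDF-Extract, so `{early_secret, EarlySecret} = tls_v1:key_schedule(early_secret, HKDFAlgo, {psk, IKM})` with the `Salt` binding dropped matches the prose and removes a warning. The hex vectors appear to be the RFC 8448 Section 3 simple 1-RTT handshake; naming the source in the `{doc, ...}` string or a comment at the top of tls13_key_schedule/1 would let the next reader cross-check them. `Cipher = aes_128_gcm` is chosen by hand, as its TODO says; a comment noting that the ServerHello above carries cipher suite `13 01` (TLS_AES_128_GCM_SHA256) would make the hard-coded choice visibly consistent with the vector.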
@@ -5321,3 +5593,22 @@ tls_or_dtls('dtlsv1.2') ->
dtls;
tls_or_dtls(_) ->
tls.
+
+hexstr2bin(S) when is_binary(S) ->
+ list_to_binary(hexstr2list(binary_to_list(S)));
+hexstr2bin(S) ->
+ list_to_binary(hexstr2list(S)).
+
+hexstr2list([$ |T]) ->
+ hexstr2list(T);
+hexstr2list([X,Y|T]) ->
+ [mkint(X)*16 + mkint(Y) | hexstr2list(T)];
+hexstr2list([]) ->
+ [].
+
+mkint(C) when $0 =< C, C =< $9 ->
+ C - $0;
+mkint(C) when $A =< C, C =< $F ->
+ C - $A + 10;
+mkint(C) when $a =< C, C =< $f ->
+ C - $a + 10.
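Review bot: hexstr2list/1 skips only ASCII space as a separator and has no clause for a single trailing nibble or a non-hex character, so a typo in a vector fails with function_clause rather than a descriptive error. That is acceptable for a test helper, but a one-line comment above hexstr2bin/1 such as `%% Hex string (spaces allowed) -> binary; odd length or non-hex characters crash with function_clause` would save the next person a debugging round.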