/src/botan/src/lib/tls/tls12/tls_session_key.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * TLS Session Key |
3 | | * (C) 2004-2006,2011,2016,2019 Jack Lloyd |
4 | | * |
5 | | * Botan is released under the Simplified BSD License (see license.txt) |
6 | | */ |
7 | | |
8 | | #include <botan/internal/tls_session_key.h> |
9 | | |
10 | | #include <botan/kdf.h> |
11 | | #include <botan/tls_messages.h> |
12 | | #include <botan/internal/tls_handshake_state.h> |
13 | | |
14 | | namespace Botan::TLS { |
15 | | |
16 | | /** |
17 | | * Session_Keys Constructor |
18 | | */ |
19 | | Session_Keys::Session_Keys(const Handshake_State* state, |
20 | | const secure_vector<uint8_t>& pre_master_secret, |
21 | 2.70k | bool resuming) { |
22 | 2.70k | const size_t cipher_keylen = state->ciphersuite().cipher_keylen(); |
23 | 2.70k | const size_t mac_keylen = state->ciphersuite().mac_keylen(); |
24 | 2.70k | const size_t cipher_nonce_bytes = state->ciphersuite().nonce_bytes_from_handshake(); |
25 | | |
26 | 2.70k | const bool extended_master_secret = state->server_hello()->supports_extended_master_secret(); |
27 | | |
28 | 2.70k | const size_t prf_gen = 2 * (mac_keylen + cipher_keylen + cipher_nonce_bytes); |
29 | | |
30 | 2.70k | const uint8_t MASTER_SECRET_MAGIC[] = {0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74}; |
31 | | |
32 | 2.70k | const uint8_t EXT_MASTER_SECRET_MAGIC[] = {0x65, 0x78, 0x74, 0x65, 0x6E, 0x64, 0x65, 0x64, 0x20, 0x6D, 0x61, |
33 | 2.70k | 0x73, 0x74, 0x65, 0x72, 0x20, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74}; |
34 | | |
35 | 2.70k | const uint8_t KEY_GEN_MAGIC[] = {0x6B, 0x65, 0x79, 0x20, 0x65, 0x78, 0x70, 0x61, 0x6E, 0x73, 0x69, 0x6F, 0x6E}; |
36 | | |
37 | 2.70k | auto prf = state->protocol_specific_prf(); |
38 | | |
39 | 2.70k | if(resuming) { |
40 | | // This is actually the master secret saved as part of the session |
41 | 0 | m_master_sec = pre_master_secret; |
42 | 2.70k | } else { |
43 | 2.70k | std::vector<uint8_t> salt; |
44 | 2.70k | std::vector<uint8_t> label; |
45 | 2.70k | if(extended_master_secret) { |
46 | 6 | label.assign(EXT_MASTER_SECRET_MAGIC, EXT_MASTER_SECRET_MAGIC + sizeof(EXT_MASTER_SECRET_MAGIC)); |
47 | 6 | salt += state->hash().final(state->ciphersuite().prf_algo()); |
48 | 2.69k | } else { |
49 | 2.69k | label.assign(MASTER_SECRET_MAGIC, MASTER_SECRET_MAGIC + sizeof(MASTER_SECRET_MAGIC)); |
50 | 2.69k | salt += state->client_hello()->random(); |
51 | 2.69k | salt += state->server_hello()->random(); |
52 | 2.69k | } |
53 | | |
54 | 2.70k | m_master_sec = prf->derive_key(48, pre_master_secret, salt, label); |
55 | 2.70k | } |
56 | | |
57 | 2.70k | std::vector<uint8_t> salt; |
58 | 2.70k | std::vector<uint8_t> label; |
59 | 2.70k | label.assign(KEY_GEN_MAGIC, KEY_GEN_MAGIC + sizeof(KEY_GEN_MAGIC)); |
60 | 2.70k | salt += state->server_hello()->random(); |
61 | 2.70k | salt += state->client_hello()->random(); |
62 | | |
63 | 2.70k | const secure_vector<uint8_t> prf_output = prf->derive_key( |
64 | 2.70k | prf_gen, m_master_sec.data(), m_master_sec.size(), salt.data(), salt.size(), label.data(), label.size()); |
65 | | |
66 | 2.70k | const uint8_t* key_data = prf_output.data(); |
67 | | |
68 | 2.70k | m_c_aead.resize(mac_keylen + cipher_keylen); |
69 | 2.70k | m_s_aead.resize(mac_keylen + cipher_keylen); |
70 | | |
71 | 2.70k | copy_mem(&m_c_aead[0], key_data, mac_keylen); |
72 | 2.70k | copy_mem(&m_s_aead[0], key_data + mac_keylen, mac_keylen); |
73 | | |
74 | 2.70k | copy_mem(&m_c_aead[mac_keylen], key_data + 2 * mac_keylen, cipher_keylen); |
75 | 2.70k | copy_mem(&m_s_aead[mac_keylen], key_data + 2 * mac_keylen + cipher_keylen, cipher_keylen); |
76 | | |
77 | 2.70k | m_c_nonce.resize(cipher_nonce_bytes); |
78 | 2.70k | m_s_nonce.resize(cipher_nonce_bytes); |
79 | | |
80 | 2.70k | copy_mem(&m_c_nonce[0], key_data + 2 * (mac_keylen + cipher_keylen), cipher_nonce_bytes); |
81 | 2.70k | copy_mem(&m_s_nonce[0], key_data + 2 * (mac_keylen + cipher_keylen) + cipher_nonce_bytes, cipher_nonce_bytes); |
82 | 2.70k | } |
83 | | |
84 | | } // namespace Botan::TLS |