Botan 3.11.0
Crypto and TLS for C&
Public Member Functions | List of all members
Botan::TLS::Session_Keys Class Referencefinal

#include <tls_session_key.h>

Public Member Functions

const secure_vector< uint8_t > & aead_key (Connection_Side side) const
const secure_vector< uint8_t > & client_aead_key () const
const std::vector< uint8_t > & client_nonce () const
const secure_vector< uint8_t > & master_secret () const
const std::vector< uint8_t > & nonce (Connection_Side side) const
const secure_vector< uint8_t > & server_aead_key () const
const std::vector< uint8_t > & server_nonce () const
 Session_Keys ()=default
 Session_Keys (const Handshake_State *state, const secure_vector< uint8_t > &pre_master_secret, bool resuming)

Detailed Description

TLS Session Keys

Definition at line 21 of file tls_session_key.h.

Constructor & Destructor Documentation

◆ Session_Keys() [1/2]

Botan::TLS::Session_Keys::Session_Keys ( )
default

◆ Session_Keys() [2/2]

Botan::TLS::Session_Keys::Session_Keys ( const Handshake_State * state,
const secure_vector< uint8_t > & pre_master_secret,
bool resuming )
Parameters
statestate the handshake state
pre_master_secretthe pre-master secret
resumingwhether this TLS session is resumed

Session_Keys Constructor

Definition at line 20 of file tls_session_key.cpp.

22 {
23 BOTAN_ASSERT_NONNULL(state);
24 BOTAN_ASSERT_NONNULL(state->client_hello());
25 BOTAN_ASSERT_NONNULL(state->server_hello());
26
27 const auto& suite = state->ciphersuite();
28 BOTAN_STATE_CHECK(suite.valid());
29
30 const size_t cipher_keylen = suite.cipher_keylen();
31 const size_t mac_keylen = suite.mac_keylen();
32 const size_t cipher_nonce_bytes = suite.nonce_bytes_from_handshake();
33
34 const bool extended_master_secret = state->server_hello()->supports_extended_master_secret();
35
36 const size_t prf_gen = 2 * (mac_keylen + cipher_keylen + cipher_nonce_bytes);
37
38 const uint8_t MASTER_SECRET_MAGIC[] = {0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74};
39
40 const uint8_t EXT_MASTER_SECRET_MAGIC[] = {0x65, 0x78, 0x74, 0x65, 0x6E, 0x64, 0x65, 0x64, 0x20, 0x6D, 0x61,
41 0x73, 0x74, 0x65, 0x72, 0x20, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74};
42
43 const uint8_t KEY_GEN_MAGIC[] = {0x6B, 0x65, 0x79, 0x20, 0x65, 0x78, 0x70, 0x61, 0x6E, 0x73, 0x69, 0x6F, 0x6E};
44
45 auto prf = state->protocol_specific_prf();
46
47 if(resuming) {
48 // This is actually the master secret saved as part of the session
49 m_master_sec = pre_master_secret;
50 } else {
51 std::vector<uint8_t> salt;
52 std::vector<uint8_t> label;
53 if(extended_master_secret) {
54 label.assign(EXT_MASTER_SECRET_MAGIC, EXT_MASTER_SECRET_MAGIC + sizeof(EXT_MASTER_SECRET_MAGIC));
55 salt += state->hash().final(suite.prf_algo());
56 } else {
57 label.assign(MASTER_SECRET_MAGIC, MASTER_SECRET_MAGIC + sizeof(MASTER_SECRET_MAGIC));
58 salt += state->client_hello()->random();
59 salt += state->server_hello()->random();
60 }
61
62 m_master_sec = prf->derive_key(48, pre_master_secret, salt, label);
63 }
64
65 std::vector<uint8_t> salt;
66 std::vector<uint8_t> label;
67 label.assign(KEY_GEN_MAGIC, KEY_GEN_MAGIC + sizeof(KEY_GEN_MAGIC));
68 salt += state->server_hello()->random();
69 salt += state->client_hello()->random();
70
71 const secure_vector<uint8_t> prf_output = prf->derive_key(
72 prf_gen, m_master_sec.data(), m_master_sec.size(), salt.data(), salt.size(), label.data(), label.size());
73
74 const uint8_t* key_data = prf_output.data();
75
76 m_c_aead.resize(mac_keylen + cipher_keylen);
77 m_s_aead.resize(mac_keylen + cipher_keylen);
78
79 // NOLINTBEGIN(readability-container-data-pointer)
80 copy_mem(&m_c_aead[0], key_data, mac_keylen);
81 copy_mem(&m_s_aead[0], key_data + mac_keylen, mac_keylen);
82 // NOLINTEND(readability-container-data-pointer)
83
84 // Key is not used for NULL suites
85 if(cipher_keylen > 0) {
86 copy_mem(&m_c_aead[mac_keylen], key_data + 2 * mac_keylen, cipher_keylen);
87 copy_mem(&m_s_aead[mac_keylen], key_data + 2 * mac_keylen + cipher_keylen, cipher_keylen);
88 } else {
89 BOTAN_STATE_CHECK(suite.null_ciphersuite());
90 }
91
92 // Nonce is not used for NULL suites
93 if(cipher_nonce_bytes > 0) {
94 const uint8_t* c_nonce_bytes = key_data + 2 * (mac_keylen + cipher_keylen);
95 m_c_nonce.assign(c_nonce_bytes, c_nonce_bytes + cipher_nonce_bytes);
96
97 const uint8_t* s_nonce_bytes = key_data + 2 * (mac_keylen + cipher_keylen) + cipher_nonce_bytes;
98 m_s_nonce.assign(s_nonce_bytes, s_nonce_bytes + cipher_nonce_bytes);
99 } else {
100 BOTAN_STATE_CHECK(suite.null_ciphersuite());
101 }
102}
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
BOTAN_ASSERT_NONNULL
#define BOTAN_ASSERT_NONNULL(ptr)
Definition assert.h:114
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:144
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68

References BOTAN_ASSERT_NONNULL, BOTAN_STATE_CHECK, Botan::TLS::Handshake_State::ciphersuite(), Botan::TLS::Handshake_State::client_hello(), Botan::copy_mem(), Botan::TLS::Handshake_Hash::final(), Botan::TLS::Handshake_State::hash(), Botan::TLS::Handshake_State::protocol_specific_prf(), and Botan::TLS::Handshake_State::server_hello().

Member Function Documentation

◆ aead_key()

const secure_vector< uint8_t > & Botan::TLS::Session_Keys::aead_key ( Connection_Side side) const
inline

Definition at line 48 of file tls_session_key.h.

48 {
49 return (side == Connection_Side::Client) ? client_aead_key() : server_aead_key();
50 }
Botan::TLS::Session_Keys::server_aead_key
const secure_vector< uint8_t > & server_aead_key() const
Definition tls_session_key.h:31
Botan::TLS::Session_Keys::client_aead_key
const secure_vector< uint8_t > & client_aead_key() const
Definition tls_session_key.h:26

References Botan::TLS::Client, client_aead_key(), and server_aead_key().

Referenced by Botan::TLS::Connection_Cipher_State::Connection_Cipher_State().

◆ client_aead_key()

const secure_vector< uint8_t > & Botan::TLS::Session_Keys::client_aead_key ( ) const
inline
Returns
client AEAD key

Definition at line 26 of file tls_session_key.h.

26{ return m_c_aead; }

Referenced by aead_key().

◆ client_nonce()

const std::vector< uint8_t > & Botan::TLS::Session_Keys::client_nonce ( ) const
inline
Returns
client nonce

Definition at line 36 of file tls_session_key.h.

36{ return m_c_nonce; }

Referenced by nonce().

◆ master_secret()

const secure_vector< uint8_t > & Botan::TLS::Session_Keys::master_secret ( ) const
inline
Returns
TLS master secret

Definition at line 46 of file tls_session_key.h.

46{ return m_master_sec; }

◆ nonce()

const std::vector< uint8_t > & Botan::TLS::Session_Keys::nonce ( Connection_Side side) const
inline

Definition at line 52 of file tls_session_key.h.

52 {
53 return (side == Connection_Side::Client) ? client_nonce() : server_nonce();
54 }
Botan::TLS::Session_Keys::server_nonce
const std::vector< uint8_t > & server_nonce() const
Definition tls_session_key.h:41
Botan::TLS::Session_Keys::client_nonce
const std::vector< uint8_t > & client_nonce() const
Definition tls_session_key.h:36

References Botan::TLS::Client, client_nonce(), and server_nonce().

Referenced by Botan::TLS::Connection_Cipher_State::Connection_Cipher_State().

◆ server_aead_key()

const secure_vector< uint8_t > & Botan::TLS::Session_Keys::server_aead_key ( ) const
inline
Returns
server AEAD key

Definition at line 31 of file tls_session_key.h.

31{ return m_s_aead; }

Referenced by aead_key().

◆ server_nonce()

const std::vector< uint8_t > & Botan::TLS::Session_Keys::server_nonce ( ) const
inline
Returns
server nonce

Definition at line 41 of file tls_session_key.h.

41{ return m_s_nonce; }

Referenced by nonce().

The documentation for this class was generated from the following files:
Generated by doxygen 1.15.0