92#include <botan/internal/tls_cipher_state.h>
94#include <botan/aead.h>
95#include <botan/assert.h>
96#include <botan/secmem.h>
97#include <botan/tls_ciphersuite.h>
98#include <botan/hash.h>
99#include <botan/tls_magic.h>
101#include <botan/internal/hkdf.h>
102#include <botan/internal/hmac.h>
103#include <botan/internal/loadstor.h>
116constexpr size_t NONCE_LENGTH = 12;
126 cs->advance_without_psk();
127 cs->advance_with_server_hello(cipher, std::move(shared_secret), transcript_hash);
138 cs->advance_with_psk(type, std::move(
psk));
154 m_exporter_master_secret = derive_secret(m_early_secret,
"e exp master", transcript_hash);
156 m_salt = derive_secret(m_early_secret,
"derived", empty_hash());
159 m_state = State::EarlyTraffic;
168 auto client_application_traffic_secret = derive_secret(master_secret,
"c ap traffic", transcript_hash);
169 auto server_application_traffic_secret = derive_secret(master_secret,
"s ap traffic", transcript_hash);
176 derive_write_traffic_key(server_application_traffic_secret);
177 m_read_application_traffic_secret = std::move(client_application_traffic_secret);
178 m_write_application_traffic_secret = std::move(server_application_traffic_secret);
182 derive_read_traffic_key(server_application_traffic_secret);
183 m_read_application_traffic_secret = std::move(server_application_traffic_secret);
184 m_write_application_traffic_secret = std::move(client_application_traffic_secret);
187 m_exporter_master_secret = derive_secret(master_secret,
"exp master", transcript_hash);
189 m_state = State::ServerApplicationTraffic;
197 zap(m_peer_finished_key);
203 derive_read_traffic_key(m_read_application_traffic_secret);
207 derive_write_traffic_key(m_write_application_traffic_secret);
212 m_resumption_master_secret = derive_secret(master_secret,
"res master", transcript_hash);
217 m_state = State::Completed;
232 std::vector<uint8_t> nonce(NONCE_LENGTH);
233 store_be(seq_no, nonce.data() + (NONCE_LENGTH-
sizeof(seq_no)));
234 xor_buf(nonce, iv.data(), iv.size());
244 m_encrypt->set_key(m_write_key);
245 m_encrypt->set_associated_data(header);
246 m_encrypt->start(current_nonce(m_write_seq_no, m_write_iv));
247 m_encrypt->finish(fragment);
249 return m_write_seq_no++;
256 BOTAN_ARG_CHECK(encrypted_fragment.size() >= m_decrypt->minimum_final_size(),
257 "fragment too short to decrypt");
259 m_decrypt->set_key(m_read_key);
260 m_decrypt->set_associated_data(header);
261 m_decrypt->start(current_nonce(m_read_seq_no, m_read_iv));
263 m_decrypt->finish(encrypted_fragment);
265 return m_read_seq_no++;
271 return m_encrypt->output_length(input_length);
277 return m_decrypt->output_length(input_length);
283 return m_decrypt->minimum_final_size();
304 (m_state == State::HandshakeTraffic ||
305 m_state == State::ServerApplicationTraffic))
319 if (m_connection_side ==
Connection_Side::Server && m_state != State::ServerApplicationTraffic && m_state != State::Completed)
322 return !m_write_key.empty() && !m_write_iv.empty();
330 if(m_connection_side ==
Connection_Side::Client && m_state != State::ServerApplicationTraffic && m_state != State::Completed)
336 return !m_read_key.empty() && !m_read_iv.empty();
342 return m_hash->name();
358 if(m_encrypt && m_encrypt->name() != cipher.
cipher_algo() &&
359 m_encrypt->name() != cipher.
cipher_algo() +
"(16)")
369 auto hmac =
HMAC(m_hash->new_object());
370 hmac.set_key(m_binder_key);
371 hmac.update(transcript_hash_with_truncated_client_hello);
372 return hmac.final_stdvec();
381 auto hmac =
HMAC(m_hash->new_object());
382 hmac.set_key(m_finished_key);
383 hmac.update(transcript_hash);
384 return hmac.final_stdvec();
388 const std::vector<uint8_t>& peer_mac)
const
394 auto hmac =
HMAC(m_hash->new_object());
395 hmac.set_key(m_peer_finished_key);
396 hmac.update(transcript_hash);
397 return hmac.verify_mac(peer_mac);
404 return derive_secret(m_resumption_master_secret,
"resumption", nonce.get());
410 if(m_ticket_nonce == std::numeric_limits<
decltype(m_ticket_nonce)>::max())
415 Ticket_Nonce retval(std::vector<uint8_t>(
sizeof(m_ticket_nonce)));
416 store_be(m_ticket_nonce++, retval.data());
422 std::string_view context,
427 m_hash->update(context);
428 const auto context_hash = m_hash->final_stdvec();
429 return hkdf_expand_label(derive_secret(m_exporter_master_secret, label, empty_hash()),
430 "exporter", context_hash, length);
436std::unique_ptr<MessageAuthenticationCode> create_hmac(std::string_view hash)
443Cipher_State::Cipher_State(
Connection_Side whoami, std::string_view hash_function)
444 : m_state(State::Uninitialized)
445 , m_connection_side(whoami)
446 , m_extract(
std::make_unique<HKDF_Extract>(create_hmac(hash_function)))
447 , m_expand(
std::make_unique<HKDF_Expand>(create_hmac(hash_function)))
448 , m_hash(HashFunction::create_or_throw(hash_function))
449 , m_salt(m_hash->output_length(), 0x00)
452 , m_ticket_nonce(0) {}
456void Cipher_State::advance_without_psk()
462 const auto early_secret = hkdf_extract(secure_vector<uint8_t>(m_hash->output_length(), 0x00));
463 m_salt = derive_secret(early_secret,
"derived", empty_hash());
466 m_state = State::EarlyTraffic;
469void Cipher_State::advance_with_psk(PSK_Type type, secure_vector<uint8_t>&& psk)
473 m_early_secret = hkdf_extract(std::move(
psk));
475 const char* binder_label =
486 const auto binder_key = derive_secret(m_early_secret, binder_label, empty_hash());
487 m_binder_key = hkdf_expand_label(binder_key,
"finished", {}, m_hash->output_length());
489 m_state = State::PskBinder;
504 const auto handshake_secret = hkdf_extract(std::move(shared_secret));
506 const auto client_handshake_traffic_secret = derive_secret(handshake_secret,
"c hs traffic", transcript_hash);
507 const auto server_handshake_traffic_secret = derive_secret(handshake_secret,
"s hs traffic", transcript_hash);
511 derive_read_traffic_key(client_handshake_traffic_secret,
true);
512 derive_write_traffic_key(server_handshake_traffic_secret,
true);
516 derive_read_traffic_key(server_handshake_traffic_secret,
true);
517 derive_write_traffic_key(client_handshake_traffic_secret,
true);
520 m_salt = derive_secret(handshake_secret,
"derived", empty_hash());
522 m_state = State::HandshakeTraffic;
526 const bool handshake_traffic_secret)
530 m_write_key = hkdf_expand_label(traffic_secret,
"key", {}, m_encrypt->minimum_keylength());
531 m_write_iv = hkdf_expand_label(traffic_secret,
"iv", {}, NONCE_LENGTH);
534 if(handshake_traffic_secret)
538 m_finished_key = hkdf_expand_label(traffic_secret,
"finished", {}, m_hash->output_length());
542void Cipher_State::derive_read_traffic_key(
const secure_vector<uint8_t>& traffic_secret,
543 const bool handshake_traffic_secret)
547 m_read_key = hkdf_expand_label(traffic_secret,
"key", {}, m_encrypt->minimum_keylength());
548 m_read_iv = hkdf_expand_label(traffic_secret,
"iv", {}, NONCE_LENGTH);
551 if(handshake_traffic_secret)
555 m_peer_finished_key = hkdf_expand_label(traffic_secret,
"finished", {}, m_hash->output_length());
559secure_vector<uint8_t> Cipher_State::hkdf_extract(secure_vector<uint8_t>&& ikm)
const
561 return m_extract->derive_key(m_hash->output_length(), ikm, m_salt, std::vector<uint8_t>());
564secure_vector<uint8_t> Cipher_State::hkdf_expand_label(
565 const secure_vector<uint8_t>& secret,
566 std::string_view label,
567 const std::vector<uint8_t>& context,
568 const size_t length)
const
571 secure_vector<uint8_t> hkdf_label;
572 hkdf_label.reserve(2 +
580 BOTAN_ARG_CHECK(length <= std::numeric_limits<uint16_t>::max(),
"invalid length");
581 const auto len =
static_cast<uint16_t
>(length);
582 hkdf_label.push_back(get_byte<0>(len));
583 hkdf_label.push_back(get_byte<1>(len));
586 const std::string prefix =
"tls13 ";
587 BOTAN_ARG_CHECK(prefix.size() + label.size() <= 255,
"label too large");
588 hkdf_label.push_back(
static_cast<uint8_t
>(prefix.size() + label.size()));
589 hkdf_label.insert(hkdf_label.end(), prefix.cbegin(), prefix.cend());
590 hkdf_label.insert(hkdf_label.end(), label.cbegin(), label.cend());
594 hkdf_label.push_back(
static_cast<uint8_t
>(context.size()));
595 hkdf_label.insert(hkdf_label.end(), context.cbegin(), context.cend());
598 return m_expand->derive_key(length, secret, hkdf_label, std::vector<uint8_t>() );
601secure_vector<uint8_t> Cipher_State::derive_secret(
602 const secure_vector<uint8_t>& secret,
603 std::string_view label,
606 return hkdf_expand_label(secret, label, messages_hash, m_hash->output_length());
609std::vector<uint8_t> Cipher_State::empty_hash()
const
612 return m_hash->final_stdvec();
618 m_state == State::Completed);
620 m_read_application_traffic_secret =
621 hkdf_expand_label(m_read_application_traffic_secret,
"traffic upd", {}, m_hash->output_length());
623 derive_read_traffic_key(m_read_application_traffic_secret);
629 m_state == State::Completed);
630 m_write_application_traffic_secret =
631 hkdf_expand_label(m_write_application_traffic_secret,
"traffic upd", {}, m_hash->output_length());
633 derive_write_traffic_key(m_write_application_traffic_secret);
640 zap(m_read_application_traffic_secret);
647 zap(m_write_application_traffic_secret);
#define BOTAN_ASSERT_NOMSG(expr)
#define BOTAN_STATE_CHECK(expr)
#define BOTAN_ASSERT_NONNULL(ptr)
#define BOTAN_ARG_CHECK(expr, msg)
static std::unique_ptr< AEAD_Mode > create_or_throw(std::string_view algo, Cipher_Dir direction, std::string_view provider="")
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
bool can_decrypt_application_traffic() const
size_t decrypt_output_length(const size_t input_length) const
uint64_t decrypt_record_fragment(const std::vector< uint8_t > &header, secure_vector< uint8_t > &encrypted_fragment)
bool can_export_keys() const
static std::unique_ptr< Cipher_State > init_with_psk(const Connection_Side side, const PSK_Type type, secure_vector< uint8_t > &&psk, const Ciphersuite &cipher)
void advance_with_client_hello(const Transcript_Hash &transcript_hash)
size_t minimum_decryption_input_length() const
void advance_with_server_finished(const Transcript_Hash &transcript_hash)
bool must_expect_unprotected_alert_traffic() const
void advance_with_client_finished(const Transcript_Hash &transcript_hash)
bool verify_peer_finished_mac(const Transcript_Hash &transcript_hash, const std::vector< uint8_t > &peer_mac) const
std::string hash_algorithm() const
uint64_t encrypt_record_fragment(const std::vector< uint8_t > &header, secure_vector< uint8_t > &fragment)
static std::unique_ptr< Cipher_State > init_with_server_hello(const Connection_Side side, secure_vector< uint8_t > &&shared_secret, const Ciphersuite &cipher, const Transcript_Hash &transcript_hash)
secure_vector< uint8_t > psk(const Ticket_Nonce &nonce) const
void advance_with_server_hello(const Ciphersuite &cipher, secure_vector< uint8_t > &&shared_secret, const Transcript_Hash &transcript_hash)
bool is_compatible_with(const Ciphersuite &cipher) const
size_t encrypt_output_length(const size_t input_length) const
std::vector< uint8_t > psk_binder_mac(const Transcript_Hash &transcript_hash_with_truncated_client_hello)
secure_vector< uint8_t > export_key(std::string_view label, std::string_view context, size_t length) const
bool can_encrypt_application_traffic() const
Ticket_Nonce next_ticket_nonce()
std::vector< uint8_t > finished_mac(const Transcript_Hash &transcript_hash) const
bool usable_in_version(Protocol_Version version) const
std::string prf_algo() const
std::string cipher_algo() const
std::vector< uint8_t > Transcript_Hash
void zap(std::vector< T, Alloc > &vec)
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
constexpr void store_be(uint16_t in, uint8_t out[2])
std::vector< T, secure_allocator< T > > secure_vector