Botan 3.0.0
Crypto and TLS for C&
tls_session_key.cpp
Go to the documentation of this file.
1/*
2* TLS Session Key
3* (C) 2004-2006,2011,2016,2019 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/internal/tls_session_key.h>
9#include <botan/internal/tls_handshake_state.h>
10#include <botan/tls_messages.h>
11#include <botan/kdf.h>
12
13namespace Botan::TLS {
14
15/**
16* Session_Keys Constructor
17*/
19 const secure_vector<uint8_t>& pre_master_secret,
20 bool resuming)
21 {
22 const size_t cipher_keylen = state->ciphersuite().cipher_keylen();
23 const size_t mac_keylen = state->ciphersuite().mac_keylen();
24 const size_t cipher_nonce_bytes = state->ciphersuite().nonce_bytes_from_handshake();
25
26 const bool extended_master_secret = state->server_hello()->supports_extended_master_secret();
27
28 const size_t prf_gen = 2 * (mac_keylen + cipher_keylen + cipher_nonce_bytes);
29
30 const uint8_t MASTER_SECRET_MAGIC[] = {
31 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74 };
32
33 const uint8_t EXT_MASTER_SECRET_MAGIC[] = {
34 0x65, 0x78, 0x74, 0x65, 0x6E, 0x64, 0x65, 0x64, 0x20,
35 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74 };
36
37 const uint8_t KEY_GEN_MAGIC[] = {
38 0x6B, 0x65, 0x79, 0x20, 0x65, 0x78, 0x70, 0x61, 0x6E, 0x73, 0x69, 0x6F, 0x6E };
39
40 auto prf = state->protocol_specific_prf();
41
42 if(resuming)
43 {
44 // This is actually the master secret saved as part of the session
45 m_master_sec = pre_master_secret;
46 }
47 else
48 {
49 std::vector<uint8_t> salt;
50 std::vector<uint8_t> label;
51 if(extended_master_secret)
52 {
53 label.assign(EXT_MASTER_SECRET_MAGIC, EXT_MASTER_SECRET_MAGIC + sizeof(EXT_MASTER_SECRET_MAGIC));
54 salt += state->hash().final(state->ciphersuite().prf_algo());
55 }
56 else
57 {
58 label.assign(MASTER_SECRET_MAGIC, MASTER_SECRET_MAGIC + sizeof(MASTER_SECRET_MAGIC));
59 salt += state->client_hello()->random();
60 salt += state->server_hello()->random();
61 }
62
63 m_master_sec = prf->derive_key(48, pre_master_secret, salt, label);
64 }
65
66 std::vector<uint8_t> salt;
67 std::vector<uint8_t> label;
68 label.assign(KEY_GEN_MAGIC, KEY_GEN_MAGIC + sizeof(KEY_GEN_MAGIC));
69 salt += state->server_hello()->random();
70 salt += state->client_hello()->random();
71
72 const secure_vector<uint8_t> prf_output = prf->derive_key(
73 prf_gen,
74 m_master_sec.data(), m_master_sec.size(),
75 salt.data(), salt.size(),
76 label.data(), label.size());
77
78 const uint8_t* key_data = prf_output.data();
79
80 m_c_aead.resize(mac_keylen + cipher_keylen);
81 m_s_aead.resize(mac_keylen + cipher_keylen);
82
83 copy_mem(&m_c_aead[0], key_data, mac_keylen);
84 copy_mem(&m_s_aead[0], key_data + mac_keylen, mac_keylen);
85
86 copy_mem(&m_c_aead[mac_keylen], key_data + 2*mac_keylen, cipher_keylen);
87 copy_mem(&m_s_aead[mac_keylen], key_data + 2*mac_keylen + cipher_keylen, cipher_keylen);
88
89 m_c_nonce.resize(cipher_nonce_bytes);
90 m_s_nonce.resize(cipher_nonce_bytes);
91
92 copy_mem(&m_c_nonce[0], key_data + 2*(mac_keylen + cipher_keylen), cipher_nonce_bytes);
93 copy_mem(&m_s_nonce[0], key_data + 2*(mac_keylen + cipher_keylen) + cipher_nonce_bytes, cipher_nonce_bytes);
94 }
95
96}
size_t cipher_keylen() const
size_t nonce_bytes_from_handshake() const
std::string prf_algo() const
secure_vector< uint8_t > final(std::string_view mac_algo) const
void server_hello(Server_Hello_12 *server_hello)
const Ciphersuite & ciphersuite() const
std::unique_ptr< KDF > protocol_specific_prf() const
void client_hello(Client_Hello_12 *client_hello)
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:126
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:64