Botan 3.11.0
Crypto and TLS for C&
tls_session_key.cpp
Go to the documentation of this file.
1/*
2* TLS Session Key
3* (C) 2004-2006,2011,2016,2019 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/internal/tls_session_key.h>
9
10#include <botan/kdf.h>
11#include <botan/mem_ops.h>
12#include <botan/tls_messages_12.h>
13#include <botan/internal/tls_handshake_state.h>
14
15namespace Botan::TLS {
16
17/**
18* Session_Keys Constructor
19*/
20Session_Keys::Session_Keys(const Handshake_State* state,
21 const secure_vector<uint8_t>& pre_master_secret,
22 bool resuming) {
23 BOTAN_ASSERT_NONNULL(state);
24 BOTAN_ASSERT_NONNULL(state->client_hello());
25 BOTAN_ASSERT_NONNULL(state->server_hello());
26
27 const auto& suite = state->ciphersuite();
28 BOTAN_STATE_CHECK(suite.valid());
29
30 const size_t cipher_keylen = suite.cipher_keylen();
31 const size_t mac_keylen = suite.mac_keylen();
32 const size_t cipher_nonce_bytes = suite.nonce_bytes_from_handshake();
33
34 const bool extended_master_secret = state->server_hello()->supports_extended_master_secret();
35
36 const size_t prf_gen = 2 * (mac_keylen + cipher_keylen + cipher_nonce_bytes);
37
38 const uint8_t MASTER_SECRET_MAGIC[] = {0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74};
39
40 const uint8_t EXT_MASTER_SECRET_MAGIC[] = {0x65, 0x78, 0x74, 0x65, 0x6E, 0x64, 0x65, 0x64, 0x20, 0x6D, 0x61,
41 0x73, 0x74, 0x65, 0x72, 0x20, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74};
42
43 const uint8_t KEY_GEN_MAGIC[] = {0x6B, 0x65, 0x79, 0x20, 0x65, 0x78, 0x70, 0x61, 0x6E, 0x73, 0x69, 0x6F, 0x6E};
44
45 auto prf = state->protocol_specific_prf();
46
47 if(resuming) {
48 // This is actually the master secret saved as part of the session
49 m_master_sec = pre_master_secret;
50 } else {
51 std::vector<uint8_t> salt;
52 std::vector<uint8_t> label;
53 if(extended_master_secret) {
54 label.assign(EXT_MASTER_SECRET_MAGIC, EXT_MASTER_SECRET_MAGIC + sizeof(EXT_MASTER_SECRET_MAGIC));
55 salt += state->hash().final(suite.prf_algo());
56 } else {
57 label.assign(MASTER_SECRET_MAGIC, MASTER_SECRET_MAGIC + sizeof(MASTER_SECRET_MAGIC));
58 salt += state->client_hello()->random();
59 salt += state->server_hello()->random();
60 }
61
62 m_master_sec = prf->derive_key(48, pre_master_secret, salt, label);
63 }
64
65 std::vector<uint8_t> salt;
66 std::vector<uint8_t> label;
67 label.assign(KEY_GEN_MAGIC, KEY_GEN_MAGIC + sizeof(KEY_GEN_MAGIC));
68 salt += state->server_hello()->random();
69 salt += state->client_hello()->random();
70
71 const secure_vector<uint8_t> prf_output = prf->derive_key(
72 prf_gen, m_master_sec.data(), m_master_sec.size(), salt.data(), salt.size(), label.data(), label.size());
73
74 const uint8_t* key_data = prf_output.data();
75
76 m_c_aead.resize(mac_keylen + cipher_keylen);
77 m_s_aead.resize(mac_keylen + cipher_keylen);
78
79 // NOLINTBEGIN(readability-container-data-pointer)
80 copy_mem(&m_c_aead[0], key_data, mac_keylen);
81 copy_mem(&m_s_aead[0], key_data + mac_keylen, mac_keylen);
82 // NOLINTEND(readability-container-data-pointer)
83
84 // Key is not used for NULL suites
85 if(cipher_keylen > 0) {
86 copy_mem(&m_c_aead[mac_keylen], key_data + 2 * mac_keylen, cipher_keylen);
87 copy_mem(&m_s_aead[mac_keylen], key_data + 2 * mac_keylen + cipher_keylen, cipher_keylen);
88 } else {
89 BOTAN_STATE_CHECK(suite.null_ciphersuite());
90 }
91
92 // Nonce is not used for NULL suites
93 if(cipher_nonce_bytes > 0) {
94 const uint8_t* c_nonce_bytes = key_data + 2 * (mac_keylen + cipher_keylen);
95 m_c_nonce.assign(c_nonce_bytes, c_nonce_bytes + cipher_nonce_bytes);
96
97 const uint8_t* s_nonce_bytes = key_data + 2 * (mac_keylen + cipher_keylen) + cipher_nonce_bytes;
98 m_s_nonce.assign(s_nonce_bytes, s_nonce_bytes + cipher_nonce_bytes);
99 } else {
100 BOTAN_STATE_CHECK(suite.null_ciphersuite());
101 }
102}
103
104} // namespace Botan::TLS
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
BOTAN_ASSERT_NONNULL
#define BOTAN_ASSERT_NONNULL(ptr)
Definition assert.h:114
Botan::TLS::Handshake_Hash::final
secure_vector< uint8_t > final(std::string_view mac_algo) const
Definition tls_handshake_hash.cpp:17
Botan::TLS::Handshake_State
Definition tls_handshake_state.h:59
Botan::TLS::Handshake_State::client_hello
void client_hello(std::unique_ptr< Client_Hello_12 > client_hello)
Definition tls_handshake_state.cpp:47
Botan::TLS::Handshake_State::server_hello
void server_hello(std::unique_ptr< Server_Hello_12 > server_hello)
Definition tls_handshake_state.cpp:58
Botan::TLS::Handshake_State::ciphersuite
const Ciphersuite & ciphersuite() const
Definition tls_handshake_state.cpp:137
Botan::TLS::Handshake_State::hash
Handshake_Hash & hash()
Definition tls_handshake_state.h:171
Botan::TLS::Handshake_State::protocol_specific_prf
std::unique_ptr< KDF > protocol_specific_prf() const
Definition tls_handshake_state.cpp:192
Botan::TLS::Session_Keys::Session_Keys
Session_Keys()=default
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:144
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68
Generated by doxygen 1.15.0