Botan  2.12.1
Crypto and TLS for C++11
tls_session_key.cpp
Go to the documentation of this file.
1 /*
2 * TLS Session Key
3 * (C) 2004-2006,2011,2016,2019 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/internal/tls_session_key.h>
9 #include <botan/internal/tls_handshake_state.h>
10 #include <botan/tls_messages.h>
11 #include <botan/kdf.h>
12 
13 namespace Botan {
14 
15 namespace TLS {
16 
17 /**
18 * Session_Keys Constructor
19 */
21  const secure_vector<uint8_t>& pre_master_secret,
22  bool resuming)
23  {
24  const size_t cipher_keylen = state->ciphersuite().cipher_keylen();
25  const size_t mac_keylen = state->ciphersuite().mac_keylen();
26  const size_t cipher_nonce_bytes = state->ciphersuite().nonce_bytes_from_handshake();
27 
28  const bool extended_master_secret = state->server_hello()->supports_extended_master_secret();
29 
30  const size_t prf_gen = 2 * (mac_keylen + cipher_keylen + cipher_nonce_bytes);
31 
32  const uint8_t MASTER_SECRET_MAGIC[] = {
33  0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74 };
34 
35  const uint8_t EXT_MASTER_SECRET_MAGIC[] = {
36  0x65, 0x78, 0x74, 0x65, 0x6E, 0x64, 0x65, 0x64, 0x20,
37  0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74 };
38 
39  const uint8_t KEY_GEN_MAGIC[] = {
40  0x6B, 0x65, 0x79, 0x20, 0x65, 0x78, 0x70, 0x61, 0x6E, 0x73, 0x69, 0x6F, 0x6E };
41 
42  std::unique_ptr<KDF> prf(state->protocol_specific_prf());
43 
44  if(resuming)
45  {
46  // This is actually the master secret saved as part of the session
47  m_master_sec = pre_master_secret;
48  }
49  else
50  {
51  std::vector<uint8_t> salt;
52  std::vector<uint8_t> label;
53  if(extended_master_secret)
54  {
55  label.assign(EXT_MASTER_SECRET_MAGIC, EXT_MASTER_SECRET_MAGIC + sizeof(EXT_MASTER_SECRET_MAGIC));
56  salt += state->hash().final(state->version(),
57  state->ciphersuite().prf_algo());
58  }
59  else
60  {
61  label.assign(MASTER_SECRET_MAGIC, MASTER_SECRET_MAGIC + sizeof(MASTER_SECRET_MAGIC));
62  salt += state->client_hello()->random();
63  salt += state->server_hello()->random();
64  }
65 
66  m_master_sec = prf->derive_key(48, pre_master_secret, salt, label);
67  }
68 
69  std::vector<uint8_t> salt;
70  std::vector<uint8_t> label;
71  label.assign(KEY_GEN_MAGIC, KEY_GEN_MAGIC + sizeof(KEY_GEN_MAGIC));
72  salt += state->server_hello()->random();
73  salt += state->client_hello()->random();
74 
75  const secure_vector<uint8_t> prf_output = prf->derive_key(
76  prf_gen,
77  m_master_sec.data(), m_master_sec.size(),
78  salt.data(), salt.size(),
79  label.data(), label.size());
80 
81  const uint8_t* key_data = prf_output.data();
82 
83  m_c_aead.resize(mac_keylen + cipher_keylen);
84  m_s_aead.resize(mac_keylen + cipher_keylen);
85 
86  copy_mem(&m_c_aead[0], key_data, mac_keylen);
87  copy_mem(&m_s_aead[0], key_data + mac_keylen, mac_keylen);
88 
89  copy_mem(&m_c_aead[mac_keylen], key_data + 2*mac_keylen, cipher_keylen);
90  copy_mem(&m_s_aead[mac_keylen], key_data + 2*mac_keylen + cipher_keylen, cipher_keylen);
91 
92  m_c_nonce.resize(cipher_nonce_bytes);
93  m_s_nonce.resize(cipher_nonce_bytes);
94 
95  copy_mem(&m_c_nonce[0], key_data + 2*(mac_keylen + cipher_keylen), cipher_nonce_bytes);
96  copy_mem(&m_s_nonce[0], key_data + 2*(mac_keylen + cipher_keylen) + cipher_nonce_bytes, cipher_nonce_bytes);
97  }
98 
99 }
100 
101 }
void server_hello(Server_Hello *server_hello)
std::string prf_algo() const
secure_vector< uint8_t > final(Protocol_Version version, const std::string &mac_algo) const
const Ciphersuite & ciphersuite() const
size_t cipher_keylen() const
void client_hello(Client_Hello *client_hello)
size_t nonce_bytes_from_handshake() const
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:122
Definition: alg_id.cpp:13
Protocol_Version version() const
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65