From b1592d061662151ea1abe44ed2a38faf262c664b Mon Sep 17 00:00:00 2001 From: Marten Seemann Date: Tue, 25 Dec 2018 21:44:08 +0630 Subject: [PATCH] use the draft-17 initial encryption --- internal/crypto/crypto_suite_test.go | 13 ---- internal/crypto/hkdf.go | 59 ---------------- internal/crypto/hkdf_test.go | 68 ------------------- internal/handshake/crypto_setup.go | 13 ++-- internal/handshake/initial_aead.go | 18 ++--- internal/handshake/initial_aead_test.go | 42 ++++++------ vendor/github.com/marten-seemann/qtls/13.go | 25 +++---- vendor/github.com/marten-seemann/qtls/conn.go | 4 +- vendor/github.com/marten-seemann/qtls/hkdf.go | 3 +- vendor/vendor.json | 6 +- 10 files changed, 56 insertions(+), 195 deletions(-) delete mode 100644 internal/crypto/crypto_suite_test.go delete mode 100644 internal/crypto/hkdf.go delete mode 100644 internal/crypto/hkdf_test.go diff --git a/internal/crypto/crypto_suite_test.go b/internal/crypto/crypto_suite_test.go deleted file mode 100644 index 23989a3e..00000000 --- a/internal/crypto/crypto_suite_test.go +++ /dev/null @@ -1,13 +0,0 @@ -package crypto - -import ( - . "github.com/onsi/ginkgo" - . "github.com/onsi/gomega" - - "testing" -) - -func TestCrypto(t *testing.T) { - RegisterFailHandler(Fail) - RunSpecs(t, "Crypto Suite") -} diff --git a/internal/crypto/hkdf.go b/internal/crypto/hkdf.go deleted file mode 100644 index 700d84e8..00000000 --- a/internal/crypto/hkdf.go +++ /dev/null @@ -1,59 +0,0 @@ -package crypto - -import ( - "crypto" - "crypto/hmac" - "encoding/binary" -) - -// HkdfExtract generates a pseudorandom key for use with Expand from an input secret and an optional independent salt. -// copied from https://github.com/cloudflare/tls-tris/blob/master/hkdf.go -func HkdfExtract(hash crypto.Hash, secret, salt []byte) []byte { - if salt == nil { - salt = make([]byte, hash.Size()) - } - if secret == nil { - secret = make([]byte, hash.Size()) - } - extractor := hmac.New(hash.New, salt) - extractor.Write(secret) - return extractor.Sum(nil) -} - -// copied from https://github.com/cloudflare/tls-tris/blob/master/hkdf.go -func hkdfExpand(hash crypto.Hash, prk, info []byte, l int) []byte { - var ( - expander = hmac.New(hash.New, prk) - res = make([]byte, l) - counter = byte(1) - prev []byte - ) - - if l > 255*expander.Size() { - panic("hkdf: requested too much output") - } - - p := res - for len(p) > 0 { - expander.Reset() - expander.Write(prev) - expander.Write(info) - expander.Write([]byte{counter}) - prev = expander.Sum(prev[:0]) - counter++ - n := copy(p, prev) - p = p[n:] - } - - return res -} - -// HkdfExpandLabel HKDF expands a label -func HkdfExpandLabel(hash crypto.Hash, secret []byte, label string, length int) []byte { - const prefix = "quic " - qlabel := make([]byte, 2 /* length */ +1 /* length of label */ +len(prefix)+len(label)+1 /* length of context (empty) */) - binary.BigEndian.PutUint16(qlabel[0:2], uint16(length)) - qlabel[2] = uint8(len(prefix) + len(label)) - copy(qlabel[3:], []byte(prefix+label)) - return hkdfExpand(hash, secret, qlabel, length) -} diff --git a/internal/crypto/hkdf_test.go b/internal/crypto/hkdf_test.go deleted file mode 100644 index 23da821d..00000000 --- a/internal/crypto/hkdf_test.go +++ /dev/null @@ -1,68 +0,0 @@ -package crypto - -import ( - "bytes" - "crypto" - "fmt" - - . "github.com/onsi/ginkgo" - . "github.com/onsi/gomega" -) - -var _ = Describe("HKDF", func() { - type testcase struct { - name string - hash crypto.Hash - salt, secret, info, extracted, expanded []byte - } - // test cases taken from https://tools.ietf.org/html/rfc5869#appendix-A - testcases := []testcase{ - { - name: "RFC5869 A.1", - hash: crypto.SHA256, - salt: []byte{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc}, - secret: bytes.Repeat([]byte{0x0b}, 22), - info: []byte{0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9}, - extracted: []byte{0x7, 0x77, 0x9, 0x36, 0x2c, 0x2e, 0x32, 0xdf, 0xd, 0xdc, 0x3f, 0xd, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0xf, 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5}, - expanded: []byte{0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0xa, 0x90, 0xcf, 0x1a, 0x5a, 0x4c, 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34, 0x0, 0x72, 0x8, 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65}, - }, - { - name: "RFC5869 A.2", - hash: crypto.SHA256, - salt: []byte{0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf}, - secret: []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f}, - info: []byte{0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff}, - extracted: []byte{0x6, 0xa6, 0xb8, 0x8c, 0x58, 0x53, 0x36, 0x1a, 0x6, 0x10, 0x4c, 0x9c, 0xeb, 0x35, 0xb4, 0x5c, 0xef, 0x76, 0x0, 0x14, 0x90, 0x46, 0x71, 0x1, 0x4a, 0x19, 0x3f, 0x40, 0xc1, 0x5f, 0xc2, 0x44}, - expanded: []byte{0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x3, 0x27, 0xa1, 0xc8, 0xe7, 0xf7, 0x8c, 0x59, 0x6a, 0x49, 0x34, 0x4f, 0x1, 0x2e, 0xda, 0x2d, 0x4e, 0xfa, 0xd8, 0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c, 0x59, 0x4, 0x5a, 0x99, 0xca, 0xc7, 0x82, 0x72, 0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59, 0xe, 0x9, 0xda, 0x32, 0x75, 0x60, 0xc, 0x2f, 0x9, 0xb8, 0x36, 0x77, 0x93, 0xa9, 0xac, 0xa3, 0xdb, 0x71, 0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87, 0xc1, 0x4c, 0x1, 0xd5, 0xc1, 0xf3, 0x43, 0x4f, 0x1d, 0x87}, - }, - { - name: "RFC5869 A.3", - hash: crypto.SHA256, - secret: bytes.Repeat([]byte{0x0b}, 22), - extracted: []byte{0x19, 0xef, 0x24, 0xa3, 0x2c, 0x71, 0x7b, 0x16, 0x7f, 0x33, 0xa9, 0x1d, 0x6f, 0x64, 0x8b, 0xdf, 0x96, 0x59, 0x67, 0x76, 0xaf, 0xdb, 0x63, 0x77, 0xac, 0x43, 0x4c, 0x1c, 0x29, 0x3c, 0xcb, 0x4}, - expanded: []byte{0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f, 0x71, 0x5f, 0x80, 0x2a, 0x6, 0x3c, 0x5a, 0x31, 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1, 0x87, 0x9e, 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d, 0x9d, 0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a, 0x96, 0xc8}, - }, - { - name: "RFC5869 A.4", - hash: crypto.SHA1, - salt: []byte{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc}, - secret: bytes.Repeat([]byte{0x0b}, 11), - info: []byte{0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9}, - extracted: []byte{0x9b, 0x6c, 0x18, 0xc4, 0x32, 0xa7, 0xbf, 0x8f, 0xe, 0x71, 0xc8, 0xeb, 0x88, 0xf4, 0xb3, 0xb, 0xaa, 0x2b, 0xa2, 0x43}, - expanded: []byte{0x8, 0x5a, 0x1, 0xea, 0x1b, 0x10, 0xf3, 0x69, 0x33, 0x6, 0x8b, 0x56, 0xef, 0xa5, 0xad, 0x81, 0xa4, 0xf1, 0x4b, 0x82, 0x2f, 0x5b, 0x9, 0x15, 0x68, 0xa9, 0xcd, 0xd4, 0xf1, 0x55, 0xfd, 0xa2, 0xc2, 0x2e, 0x42, 0x24, 0x78, 0xd3, 0x5, 0xf3, 0xf8, 0x96}, - }, - } - - for i := range testcases { - t := testcases[i] - - It(fmt.Sprintf("case %s: extracts", t.name), func() { - Expect(HkdfExtract(t.hash, t.secret, t.salt)).To(Equal(t.extracted)) - }) - - It(fmt.Sprintf("case %s: expands", t.name), func() { - prk := HkdfExtract(t.hash, t.secret, t.salt) - Expect(hkdfExpand(t.hash, prk, t.info, len(t.expanded))).To(Equal(t.expanded)) - }) - } -}) diff --git a/internal/handshake/crypto_setup.go b/internal/handshake/crypto_setup.go index f775787a..e5afaab6 100644 --- a/internal/handshake/crypto_setup.go +++ b/internal/handshake/crypto_setup.go @@ -7,7 +7,6 @@ import ( "fmt" "io" - "github.com/lucas-clemente/quic-go/internal/crypto" "github.com/lucas-clemente/quic-go/internal/protocol" "github.com/lucas-clemente/quic-go/internal/utils" "github.com/marten-seemann/qtls" @@ -411,9 +410,9 @@ func (h *cryptoSetup) ReadHandshakeMessage() ([]byte, error) { } func (h *cryptoSetup) SetReadKey(suite *qtls.CipherSuite, trafficSecret []byte) { - key := crypto.HkdfExpandLabel(suite.Hash(), trafficSecret, "key", suite.KeyLen()) - iv := crypto.HkdfExpandLabel(suite.Hash(), trafficSecret, "iv", suite.IVLen()) - pnKey := crypto.HkdfExpandLabel(suite.Hash(), trafficSecret, "pn", suite.KeyLen()) + key := qtls.HkdfExpandLabel(suite.Hash(), trafficSecret, []byte{}, "key", suite.KeyLen()) + iv := qtls.HkdfExpandLabel(suite.Hash(), trafficSecret, []byte{}, "iv", suite.IVLen()) + pnKey := qtls.HkdfExpandLabel(suite.Hash(), trafficSecret, []byte{}, "pn", suite.KeyLen()) pnDecrypter, err := aes.NewCipher(pnKey) if err != nil { panic(fmt.Sprintf("error creating new AES cipher: %s", err)) @@ -441,9 +440,9 @@ func (h *cryptoSetup) SetReadKey(suite *qtls.CipherSuite, trafficSecret []byte) } func (h *cryptoSetup) SetWriteKey(suite *qtls.CipherSuite, trafficSecret []byte) { - key := crypto.HkdfExpandLabel(suite.Hash(), trafficSecret, "key", suite.KeyLen()) - iv := crypto.HkdfExpandLabel(suite.Hash(), trafficSecret, "iv", suite.IVLen()) - pnKey := crypto.HkdfExpandLabel(suite.Hash(), trafficSecret, "pn", suite.KeyLen()) + key := qtls.HkdfExpandLabel(suite.Hash(), trafficSecret, []byte{}, "key", suite.KeyLen()) + iv := qtls.HkdfExpandLabel(suite.Hash(), trafficSecret, []byte{}, "iv", suite.IVLen()) + pnKey := qtls.HkdfExpandLabel(suite.Hash(), trafficSecret, []byte{}, "pn", suite.KeyLen()) pnEncrypter, err := aes.NewCipher(pnKey) if err != nil { panic(fmt.Sprintf("error creating new AES cipher: %s", err)) diff --git a/internal/handshake/initial_aead.go b/internal/handshake/initial_aead.go index 222072af..1a6efb08 100644 --- a/internal/handshake/initial_aead.go +++ b/internal/handshake/initial_aead.go @@ -1,15 +1,15 @@ package handshake import ( - gocrypto "crypto" + "crypto" "crypto/aes" "crypto/cipher" - "github.com/lucas-clemente/quic-go/internal/crypto" "github.com/lucas-clemente/quic-go/internal/protocol" + "github.com/marten-seemann/qtls" ) -var quicVersion1Salt = []byte{0x9c, 0x10, 0x8f, 0x98, 0x52, 0x0a, 0x5c, 0x5c, 0x32, 0x96, 0x8e, 0x95, 0x0e, 0x8a, 0x2c, 0x5f, 0xe0, 0x6d, 0x6c, 0x38} +var quicVersion1Salt = []byte{0xef, 0x4f, 0xb0, 0xab, 0xb4, 0x74, 0x70, 0xc4, 0x1b, 0xef, 0xcf, 0x80, 0x31, 0x33, 0x4f, 0xae, 0x48, 0x5e, 0x09, 0xa0} func newInitialAEAD(connID protocol.ConnectionID, pers protocol.Perspective) (Sealer, Opener, error) { clientSecret, serverSecret := computeSecrets(connID) @@ -52,15 +52,15 @@ func newInitialAEAD(connID protocol.ConnectionID, pers protocol.Perspective) (Se } func computeSecrets(connID protocol.ConnectionID) (clientSecret, serverSecret []byte) { - initialSecret := crypto.HkdfExtract(gocrypto.SHA256, connID, quicVersion1Salt) - clientSecret = crypto.HkdfExpandLabel(gocrypto.SHA256, initialSecret, "client in", gocrypto.SHA256.Size()) - serverSecret = crypto.HkdfExpandLabel(gocrypto.SHA256, initialSecret, "server in", gocrypto.SHA256.Size()) + initialSecret := qtls.HkdfExtract(crypto.SHA256, connID, quicVersion1Salt) + clientSecret = qtls.HkdfExpandLabel(crypto.SHA256, initialSecret, []byte{}, "client in", crypto.SHA256.Size()) + serverSecret = qtls.HkdfExpandLabel(crypto.SHA256, initialSecret, []byte{}, "server in", crypto.SHA256.Size()) return } func computeInitialKeyAndIV(secret []byte) (key, pnKey, iv []byte) { - key = crypto.HkdfExpandLabel(gocrypto.SHA256, secret, "key", 16) - pnKey = crypto.HkdfExpandLabel(gocrypto.SHA256, secret, "pn", 16) - iv = crypto.HkdfExpandLabel(gocrypto.SHA256, secret, "iv", 12) + key = qtls.HkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic key", 16) + pnKey = qtls.HkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic hp", 16) + iv = qtls.HkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic iv", 12) return } diff --git a/internal/handshake/initial_aead_test.go b/internal/handshake/initial_aead_test.go index f05312a1..3670bc45 100644 --- a/internal/handshake/initial_aead_test.go +++ b/internal/handshake/initial_aead_test.go @@ -12,21 +12,21 @@ import ( var _ = Describe("Initial AEAD using AES-GCM", func() { // values taken from https://github.com/quicwg/base-drafts/wiki/Test-Vector-for-the-Clear-Text-AEAD-key-derivation Context("using the test vector from the QUIC WG Wiki", func() { - connID := protocol.ConnectionID([]byte{0x83, 0x94, 0xc8, 0xf0, 0x3e, 0x51, 0x57, 0x08}) + connID := protocol.ConnectionID([]byte{0xc6, 0x54, 0xef, 0xd8, 0xa3, 0x1b, 0x47, 0x92}) It("computes the secrets", func() { clientSecret, serverSecret := computeSecrets(connID) Expect(clientSecret).To(Equal([]byte{ - 0x9f, 0x53, 0x64, 0x57, 0xf3, 0x2a, 0x1e, 0x0a, - 0xe8, 0x64, 0xbc, 0xb3, 0xca, 0xf1, 0x23, 0x51, - 0x10, 0x63, 0x0e, 0x1d, 0x1f, 0xb3, 0x38, 0x35, - 0xbd, 0x05, 0x41, 0x70, 0xf9, 0x9b, 0xf7, 0xdc, + 0x0c, 0x74, 0xbb, 0x95, 0xa1, 0x04, 0x8e, 0x52, + 0xef, 0x3b, 0x72, 0xe1, 0x28, 0x89, 0x35, 0x1c, + 0xd7, 0x3a, 0x55, 0x0f, 0xb6, 0x2c, 0x4b, 0xb0, + 0x87, 0xe9, 0x15, 0xcc, 0xe9, 0x6c, 0xe3, 0xa0, })) Expect(serverSecret).To(Equal([]byte{ - 0xb0, 0x87, 0xdc, 0xd7, 0x47, 0x8d, 0xda, 0x8a, - 0x85, 0x8f, 0xbf, 0x3d, 0x60, 0x5c, 0x88, 0x85, - 0x86, 0xc0, 0xa3, 0xa9, 0x87, 0x54, 0x23, 0xad, - 0x4f, 0x11, 0x4f, 0x0b, 0xa3, 0x8e, 0x5a, 0x2e, + 0x4c, 0x9e, 0xdf, 0x24, 0xb0, 0xe5, 0xe5, 0x06, + 0xdd, 0x3b, 0xfa, 0x4e, 0x0a, 0x03, 0x11, 0xe8, + 0xc4, 0x1f, 0x35, 0x42, 0x73, 0xd8, 0xcb, 0x49, + 0xdd, 0xd8, 0x46, 0x41, 0x38, 0xd4, 0x7e, 0xc6, })) }) @@ -34,16 +34,16 @@ var _ = Describe("Initial AEAD using AES-GCM", func() { clientSecret, _ := computeSecrets(connID) key, pnKey, iv := computeInitialKeyAndIV(clientSecret) Expect(key).To(Equal([]byte{ - 0xf2, 0x92, 0x8f, 0x26, 0x14, 0xad, 0x6c, 0x20, - 0xb9, 0xbd, 0x00, 0x8e, 0x9c, 0x89, 0x63, 0x1c, + 0x86, 0xd1, 0x83, 0x04, 0x80, 0xb4, 0x0f, 0x86, + 0xcf, 0x9d, 0x68, 0xdc, 0xad, 0xf3, 0x5d, 0xfe, })) Expect(pnKey).To(Equal([]byte{ - 0x68, 0xc3, 0xf6, 0x4e, 0x2d, 0x66, 0x34, 0x41, - 0x2b, 0x8e, 0x32, 0x94, 0x62, 0x8d, 0x76, 0xf1, + 0xcd, 0x25, 0x3a, 0x36, 0xff, 0x93, 0x93, 0x7c, + 0x46, 0x93, 0x84, 0xa8, 0x23, 0xaf, 0x6c, 0x56, })) Expect(iv).To(Equal([]byte{ - 0xab, 0x95, 0x0b, 0x01, 0x98, 0x63, 0x79, 0x78, - 0xcf, 0x44, 0xaa, 0xb9, + 0x12, 0xf3, 0x93, 0x8a, 0xca, 0x34, 0xaa, 0x02, + 0x54, 0x31, 0x63, 0xd4, })) }) @@ -51,16 +51,16 @@ var _ = Describe("Initial AEAD using AES-GCM", func() { _, serverSecret := computeSecrets(connID) key, pnKey, iv := computeInitialKeyAndIV(serverSecret) Expect(key).To(Equal([]byte{ - 0xf5, 0x68, 0x17, 0xd0, 0xfc, 0x59, 0x5c, 0xfc, - 0x0a, 0x2b, 0x0b, 0xcf, 0xb1, 0x87, 0x35, 0xec, + 0x2c, 0x78, 0x63, 0x3e, 0x20, 0x6e, 0x99, 0xad, + 0x25, 0x19, 0x64, 0xf1, 0x9f, 0x6d, 0xcd, 0x6d, })) Expect(pnKey).To(Equal([]byte{ - 0xa3, 0x13, 0xc8, 0x6d, 0x13, 0x73, 0xec, 0xbc, - 0xcb, 0x32, 0x94, 0xb1, 0x49, 0x74, 0x22, 0x6c, + 0x25, 0x79, 0xd8, 0x69, 0x6f, 0x85, 0xed, 0xa6, + 0x8d, 0x35, 0x02, 0xb6, 0x55, 0x96, 0x58, 0x6b, })) Expect(iv).To(Equal([]byte{ - 0x32, 0x05, 0x03, 0x5a, 0x3c, 0x93, 0x7c, 0x90, - 0x2e, 0xe4, 0xf4, 0xd6, + 0x7b, 0x50, 0xbf, 0x36, 0x98, 0xa0, 0x6d, 0xfa, + 0xbf, 0x75, 0xf2, 0x87, })) }) }) diff --git a/vendor/github.com/marten-seemann/qtls/13.go b/vendor/github.com/marten-seemann/qtls/13.go index 3e89baa0..6ba7b0fd 100644 --- a/vendor/github.com/marten-seemann/qtls/13.go +++ b/vendor/github.com/marten-seemann/qtls/13.go @@ -116,9 +116,9 @@ func (ks *keySchedule13) setSecret(secret []byte) { salt := ks.secret if salt != nil { h0 := hash.New().Sum(nil) - salt = hkdfExpandLabel(hash, salt, h0, "derived", hash.Size()) + salt = HkdfExpandLabel(hash, salt, h0, "derived", hash.Size()) } - ks.secret = hkdfExtract(hash, secret, salt) + ks.secret = HkdfExtract(hash, secret, salt) } // Depending on role returns pair of key variant to be used by @@ -168,7 +168,7 @@ func (ks *keySchedule13) deriveSecret(secretLabel secretLabel) []byte { ks.handshakeCtx = ks.transcriptHash.Sum(nil) } hash := hashForSuite(ks.suite) - secret := hkdfExpandLabel(hash, ks.secret, ks.handshakeCtx, label, hash.Size()) + secret := HkdfExpandLabel(hash, ks.secret, ks.handshakeCtx, label, hash.Size()) if keylogType != "" && ks.config != nil { ks.config.writeKeyLog(keylogType, ks.clientRandom, secret) } @@ -177,8 +177,8 @@ func (ks *keySchedule13) deriveSecret(secretLabel secretLabel) []byte { func (ks *keySchedule13) prepareCipher(trafficSecret []byte) cipher.AEAD { hash := hashForSuite(ks.suite) - key := hkdfExpandLabel(hash, trafficSecret, nil, "key", ks.suite.keyLen) - iv := hkdfExpandLabel(hash, trafficSecret, nil, "iv", ks.suite.ivLen) + key := HkdfExpandLabel(hash, trafficSecret, nil, "key", ks.suite.keyLen) + iv := HkdfExpandLabel(hash, trafficSecret, nil, "iv", ks.suite.ivLen) return ks.suite.aead(key, iv) } @@ -256,8 +256,8 @@ CurvePreferenceLoop: hsServerTrafficSecret := hs.keySchedule.deriveSecret(secretHandshakeServer) c.out.setKey(c.vers, hs.keySchedule.suite, hsServerTrafficSecret) - serverFinishedKey := hkdfExpandLabel(hash, hsServerTrafficSecret, nil, "finished", hashSize) - hs.clientFinishedKey = hkdfExpandLabel(hash, hs.hsClientTrafficSecret, nil, "finished", hashSize) + serverFinishedKey := HkdfExpandLabel(hash, hsServerTrafficSecret, nil, "finished", hashSize) + hs.clientFinishedKey = HkdfExpandLabel(hash, hs.hsClientTrafficSecret, nil, "finished", hashSize) // EncryptedExtensions hs.keySchedule.write(hs.hello13Enc.marshal()) @@ -616,7 +616,8 @@ func (c *Conn) deriveDHESecret(ks keyShare, secretKey []byte) []byte { return nil } -func hkdfExpandLabel(hash crypto.Hash, secret, hashValue []byte, label string, L int) []byte { +// HkdfExpandLabel HKDF expands a label +func HkdfExpandLabel(hash crypto.Hash, secret, hashValue []byte, label string, L int) []byte { prefix := "tls13 " hkdfLabel := make([]byte, 4+len(prefix)+len(label)+len(hashValue)) hkdfLabel[0] = byte(L >> 8) @@ -709,7 +710,7 @@ func (hs *serverHandshakeState) checkPSK() (isResumed bool, alert alert) { hs.keySchedule.setSecret(s.pskSecret) binderKey := hs.keySchedule.deriveSecret(secretResumptionPskBinder) - binderFinishedKey := hkdfExpandLabel(hash, binderKey, nil, "finished", hashSize) + binderFinishedKey := HkdfExpandLabel(hash, binderKey, nil, "finished", hashSize) chHash := hash.New() chHash.Write(hs.clientHello.rawTruncated) expectedBinder := hmacOfSum(hash, chHash, binderFinishedKey) @@ -780,7 +781,7 @@ func (hs *serverHandshakeState) sendSessionTicket13() error { // tickets might have the same PSK which could be a problem if // one of them is compromised. ticketNonce := []byte{byte(i)} - sessionState.pskSecret = hkdfExpandLabel(hash, resumptionMasterSecret, ticketNonce, "resumption", hash.Size()) + sessionState.pskSecret = HkdfExpandLabel(hash, resumptionMasterSecret, ticketNonce, "resumption", hash.Size()) ticket := sessionState.marshal() var err error if c.config.SessionTicketSealer != nil { @@ -1010,8 +1011,8 @@ func (hs *clientHandshakeState) doTLS13Handshake() error { c.in.setKey(c.vers, hs.keySchedule.suite, serverHandshakeSecret) // Calculate MAC key for Finished messages. - serverFinishedKey := hkdfExpandLabel(hash, serverHandshakeSecret, nil, "finished", hashSize) - clientFinishedKey := hkdfExpandLabel(hash, clientHandshakeSecret, nil, "finished", hashSize) + serverFinishedKey := HkdfExpandLabel(hash, serverHandshakeSecret, nil, "finished", hashSize) + clientFinishedKey := HkdfExpandLabel(hash, clientHandshakeSecret, nil, "finished", hashSize) msg, err := c.readHandshake() if err != nil { diff --git a/vendor/github.com/marten-seemann/qtls/conn.go b/vendor/github.com/marten-seemann/qtls/conn.go index 27761e50..07f36895 100644 --- a/vendor/github.com/marten-seemann/qtls/conn.go +++ b/vendor/github.com/marten-seemann/qtls/conn.go @@ -241,8 +241,8 @@ func (hc *halfConn) setKey(version uint16, suite *cipherSuite, trafficSecret []b } hc.version = version hash := hashForSuite(suite) - key := hkdfExpandLabel(hash, trafficSecret, nil, "key", suite.keyLen) - iv := hkdfExpandLabel(hash, trafficSecret, nil, "iv", suite.ivLen) + key := HkdfExpandLabel(hash, trafficSecret, nil, "key", suite.keyLen) + iv := HkdfExpandLabel(hash, trafficSecret, nil, "iv", suite.ivLen) hc.cipher = suite.aead(key, iv) for i := range hc.seq { hc.seq[i] = 0 diff --git a/vendor/github.com/marten-seemann/qtls/hkdf.go b/vendor/github.com/marten-seemann/qtls/hkdf.go index 5503b595..bc91e47d 100644 --- a/vendor/github.com/marten-seemann/qtls/hkdf.go +++ b/vendor/github.com/marten-seemann/qtls/hkdf.go @@ -45,7 +45,8 @@ func hkdfExpand(hash crypto.Hash, prk, info []byte, l int) []byte { return res } -func hkdfExtract(hash crypto.Hash, secret, salt []byte) []byte { +// HkdfExtract generates a pseudorandom key for use with Expand from an input secret and an optional independent salt. +func HkdfExtract(hash crypto.Hash, secret, salt []byte) []byte { if salt == nil { salt = make([]byte, hash.Size()) } diff --git a/vendor/vendor.json b/vendor/vendor.json index e7bf4ea7..c5afee20 100644 --- a/vendor/vendor.json +++ b/vendor/vendor.json @@ -45,10 +45,10 @@ "revisionTime": "2018-11-11T22:04:28Z" }, { - "checksumSHA1": "uFoImp0yipfjtMPgqBVX/ANxgv8=", + "checksumSHA1": "FDYRKDgqEto8ahW65hY3RruQLmg=", "path": "github.com/marten-seemann/qtls", - "revision": "f6f31023778222dcf2b2ca83a6f5880ee94741c3", - "revisionTime": "2018-09-29T20:20:13Z" + "revision": "061d608f3d22ea089c4c9039e1216eea999b9341", + "revisionTime": "2018-12-25T08:07:48Z" }, { "checksumSHA1": "9TPZ7plxFmlYtMEv2LLXRCEQg7c=",