crypto/tls: use crypto/hkdf

For consistency, prefer crypto/hkdf over crypto/internal/fips140/hkdf.
Both should have the same behavior given the constrained use of HKDF
in TLS.

Change-Id: Ia982b9f7a6ea66537d748eb5ecae1ac1eade68a5
Reviewed-on: https://go-review.googlesource.com/c/go/+/658217
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
qmuntal 2025-03-17 15:50:26 +01:00 committed by Quim Muntal
parent 3033ef0016
commit 83bbf47863
2 changed files with 30 additions and 26 deletions


@ -8,8 +8,8 @@ import (
"bytes" "bytes"
"context" "context"
"crypto" "crypto"
"crypto/hkdf"
"crypto/hmac" "crypto/hmac"
"crypto/internal/fips140/hkdf"
"crypto/internal/fips140/mlkem" "crypto/internal/fips140/mlkem"
"crypto/internal/fips140/tls13" "crypto/internal/fips140/tls13"
"crypto/rsa" "crypto/rsa"
@ -90,12 +90,13 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
confTranscript.Write(hs.serverHello.original[:30]) confTranscript.Write(hs.serverHello.original[:30])
confTranscript.Write(make([]byte, 8)) confTranscript.Write(make([]byte, 8))
confTranscript.Write(hs.serverHello.original[38:]) confTranscript.Write(hs.serverHello.original[38:])
acceptConfirmation := tls13.ExpandLabel(hs.suite.hash.New, h := hs.suite.hash.New
hkdf.Extract(hs.suite.hash.New, hs.echContext.innerHello.random, nil), prk, err := hkdf.Extract(h, hs.echContext.innerHello.random, nil)
"ech accept confirmation", if err != nil {
confTranscript.Sum(nil), c.sendAlert(alertInternalError)
8, return err
) }
acceptConfirmation := tls13.ExpandLabel(h, prk, "ech accept confirmation", confTranscript.Sum(nil), 8)
if subtle.ConstantTimeCompare(acceptConfirmation, hs.serverHello.random[len(hs.serverHello.random)-8:]) == 1 { if subtle.ConstantTimeCompare(acceptConfirmation, hs.serverHello.random[len(hs.serverHello.random)-8:]) == 1 {
hs.hello = hs.echContext.innerHello hs.hello = hs.echContext.innerHello
c.serverName = c.config.ServerName c.serverName = c.config.ServerName
@ -264,12 +265,13 @@ func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
copy(hrrHello, hs.serverHello.original) copy(hrrHello, hs.serverHello.original)
hrrHello = bytes.Replace(hrrHello, hs.serverHello.encryptedClientHello, make([]byte, 8), 1) hrrHello = bytes.Replace(hrrHello, hs.serverHello.encryptedClientHello, make([]byte, 8), 1)
confTranscript.Write(hrrHello) confTranscript.Write(hrrHello)
acceptConfirmation := tls13.ExpandLabel(hs.suite.hash.New, h := hs.suite.hash.New
hkdf.Extract(hs.suite.hash.New, hs.echContext.innerHello.random, nil), prk, err := hkdf.Extract(h, hs.echContext.innerHello.random, nil)
"hrr ech accept confirmation", if err != nil {
confTranscript.Sum(nil), c.sendAlert(alertInternalError)
8, return err
) }
acceptConfirmation := tls13.ExpandLabel(h, prk, "hrr ech accept confirmation", confTranscript.Sum(nil), 8)
if subtle.ConstantTimeCompare(acceptConfirmation, hs.serverHello.encryptedClientHello) == 1 { if subtle.ConstantTimeCompare(acceptConfirmation, hs.serverHello.encryptedClientHello) == 1 {
hello = hs.echContext.innerHello hello = hs.echContext.innerHello
c.serverName = c.config.ServerName c.serverName = c.config.ServerName


@ -8,8 +8,8 @@ import (
"bytes" "bytes"
"context" "context"
"crypto" "crypto"
"crypto/hkdf"
"crypto/hmac" "crypto/hmac"
"crypto/internal/fips140/hkdf"
"crypto/internal/fips140/mlkem" "crypto/internal/fips140/mlkem"
"crypto/internal/fips140/tls13" "crypto/internal/fips140/tls13"
"crypto/internal/hpke" "crypto/internal/hpke"
@ -572,12 +572,13 @@ func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID)
if err := transcriptMsg(helloRetryRequest, confTranscript); err != nil { if err := transcriptMsg(helloRetryRequest, confTranscript); err != nil {
return nil, err return nil, err
} }
acceptConfirmation := tls13.ExpandLabel(hs.suite.hash.New, h := hs.suite.hash.New
hkdf.Extract(hs.suite.hash.New, hs.clientHello.random, nil), prf, err := hkdf.Extract(h, hs.clientHello.random, nil)
"hrr ech accept confirmation", if err != nil {
confTranscript.Sum(nil), c.sendAlert(alertInternalError)
8, return nil, err
) }
acceptConfirmation := tls13.ExpandLabel(h, prf, "hrr ech accept confirmation", confTranscript.Sum(nil), 8)
helloRetryRequest.encryptedClientHello = acceptConfirmation helloRetryRequest.encryptedClientHello = acceptConfirmation
} }
@ -735,12 +736,13 @@ func (hs *serverHandshakeStateTLS13) sendServerParameters() error {
return err return err
} }
// compute the acceptance message // compute the acceptance message
acceptConfirmation := tls13.ExpandLabel(hs.suite.hash.New, h := hs.suite.hash.New
hkdf.Extract(hs.suite.hash.New, hs.clientHello.random, nil), prk, err := hkdf.Extract(h, hs.clientHello.random, nil)
"ech accept confirmation", if err != nil {
echTranscript.Sum(nil), c.sendAlert(alertInternalError)
8, return err
) }
acceptConfirmation := tls13.ExpandLabel(h, prk, "ech accept confirmation", echTranscript.Sum(nil), 8)
copy(hs.hello.random[32-8:], acceptConfirmation) copy(hs.hello.random[32-8:], acceptConfirmation)
} }
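Review bot: The result of `hkdf.Extract` in doHelloRetryRequest is bound as `prf`, while the otherwise identical line in sendServerParameters (`prk, err := hkdf.Extract(h, hs.clientHello.random, nil)`) and both client-side sites in this commit use `prk`; HKDF-Extract yields a pseudorandom key, so `prf` reads as a typo for a different primitive. Renaming it to `prk, err := hkdf.Extract(h, hs.clientHello.random, nil)` and `acceptConfirmation := tls13.ExpandLabel(h, prk, "hrr ech accept confirmation", confTranscript.Sum(nil), 8)` keeps the four derivation sites greppable as one pattern. doHelloRetryRequest starts and ends outside the hunk, so the `return nil, err` shape is inferred from the surrounding context lines only.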